UPDATED FOR 2022:
I love WordPress, and so do a lot of other website owners, as it continues to be the most popular content management system. But now that WordPress powers about half of the internet or more, it’s also a prime target for hackers and malicious attacks. That’s why it’s extremely important that you do all you can to protect your website. Here are some of the best ways to secure your WordPress site.
Back Up Your Website – The Best Protection
My first recommendation for website security is always: Back Up Your Website. Or, as one web hosting customer support supervisor put it to me, “Back Up, Back Up, and Back Up your website again!”
It’s true. The best security for your website is to make sure you have a backup copy just in case something happens to your live production site. Fortunately, in the case of WordPress, there are plenty of ways for you to back up your websites.
Web Hosting Account Backup
First off, I definitely recommend that you get a WordPress host that includes both daily and on-demand backups of your website. All of the premium managed WordPress hosting providers will include automatic backups, and even some shared web hosting services also include this feature at no extra charge.
For automatic website backups, I would recommend the following web hosts.
The key thing to remember is that you should not rely solely on your web hosting company for backing up your websites. Always make sure you perform your own data backup as well to cover yourself.
Backup Plugins and Services
There are plenty of plugins and services you can use to perform your data backups. Just do a search in the WordPress.org repository and you’ll find a lot of backup plugins such as these. Be aware that some plugins may require you to purchase an additional service for complete backup maintenance.
Manually Back Up Your Website
And if you want to save money, you can actually do your own manual data backups of your WordPress site. It’s easier than you might think. Just remember to make a backup copy of both your website files and your WordPress database.
For example, if you have a cPanel hosting plan, you can use the File Manager or FTP to copy your WordPress website files, then use the phpMyAdmin tool to back up your database.
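If you have shell access rather than cPanel, the same two-part backup (files plus database) can be scripted. The script below is an added example, not code from the original post or from any host named here: it reads the database credentials from wp-config.php, dumps the database with mysqldump and archives the site files. It assumes mysqldump, tar and gzip are installed, that DB_HOST is a plain host name without a :port suffix, and that the backup directory sits outside the web root.

```shell
#!/bin/sh
# Manual WordPress backup: database dump + file archive (added example).
# Assumes: shell access, mysqldump/tar/gzip installed, backup dir outside the web root.
set -eu

# Read a define('KEY', 'value') constant from wp-config.php.
# Handles both define('KEY','value'); and define( 'KEY', "value" );
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$2" | head -n 1
}

wp_backup() {
  site="$1"   # WordPress install, e.g. /home/user/public_html (constructed path)
  dest="$2"   # backup target, e.g. /home/user/backups; NOT under public_html,
              # or the dumps (which contain password hashes) become downloadable
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  chmod 700 "$dest"

  db_name=$(wp_config_value DB_NAME "$site/wp-config.php")
  db_user=$(wp_config_value DB_USER "$site/wp-config.php")
  db_pass=$(wp_config_value DB_PASSWORD "$site/wp-config.php")
  db_host=$(wp_config_value DB_HOST "$site/wp-config.php")   # assumed plain host, no :port

  # The password goes through MYSQL_PWD rather than -p on the command line,
  # so it is not visible to other users of the server in the process list.
  MYSQL_PWD="$db_pass" mysqldump --single-transaction -h "$db_host" -u "$db_user" "$db_name" \
    | gzip > "$dest/db-$stamp.sql.gz"

  # Files: the whole install, including wp-config.php (holds the DB password)
  # and wp-content (themes, plugins, uploads).
  tar -czf "$dest/files-$stamp.tar.gz" -C "$site" .

  chmod 600 "$dest/db-$stamp.sql.gz" "$dest/files-$stamp.tar.gz"
  echo "backup written to $dest (db-$stamp.sql.gz, files-$stamp.tar.gz)"
}

# Runs only when both paths are given, e.g.:
#   sh wp-backup.sh /home/user/public_html /home/user/backups
if [ "$#" -eq 2 ]; then
  wp_backup "$1" "$2"
fi
```

Restore is the reverse: unpack the tar into the web root and feed the decompressed .sql into mysql, then verify the site loads before deleting the archive.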
Free SSL Certificates
Using SSL/TLS is no longer optional as far as the search engines and web browsers are concerned. Without https, your site is not only more vulnerable, it is now flagged as unsafe or insecure. The good news is that most web hosts such as A2 Hosting, InMotion Hosting, and GreenGeeks are now including free SSL certificates with their web hosting plans. In fact, most hosting providers include automatic SSL installation and renewal, so you don’t need to worry about setting up or renewing your SSL certificate.
With an SSL Certificate, your site can utilize the https protocol for better security. Https has definitely become the standard for running your websites. Even Google considers it extremely important.
If you’re looking for the easiest way to include SSL with your WordPress website, I would recommend using a managed WordPress host such as WP Engine, WPX Hosting, or Nexcess. In my experience, I’ve had the most problem-free experiences with SSL certificates when using managed WordPress hosting.
For a more detailed look, check out my article on the Best Hosting with Free SSL.
Web Hosting Security
While we’re on the subject of web hosting, your web hosting company should have a number of security measures in place—both for WordPress and non-WordPress sites. Look for features such as malware scanning, DDoS mitigation, WordPress environments optimized for security, and other proactive security features.
While nobody can 100% guarantee that your website is going to be bullet-proof or hack-proof, one of the features you want to look for when choosing your WordPress hosting is proactive monitoring and scanning of your web and database servers to protect against malicious attacks.
Shared Web Hosting plans remain the most popular and affordable for WordPress site owners. In the past, Shared Hosting often got a bad reputation as sometimes someone else’s website could cause problems for your websites—both from a security and resource standpoint. Fortunately, these days that’s no longer the case.
Today, most web hosting companies do a really good job of insulating your hosting account and files from others that may be utilizing the same Shared Web Server. Take a look at my video below for more information.
WordPress Admin Security
Next, let’s look at working within WordPress itself. Most people are aware of the importance of usernames and passwords, but it warrants repeating here. Always create your own Admin username, don’t use the default “admin”.
When it comes to passwords, most people know it isn’t a good idea to have a password such as “password” or “12345”. But with the increasing threats directed at WordPress sites, it’s better to have an even more sophisticated password. You definitely want to include upper and lower case letters along with numbers and at least one special character (@#$%^!&). It’s also a good idea to make your passwords longer if possible.
You can let WordPress generate your passwords for you. But while these generated passwords are the most secure type, they aren’t the kind you can easily memorize. I prefer to use longer phrases with numbers and special characters mixed in. They’re usually secure enough and you’ll be able to remember them.
One more tip concerning your WordPress Admin accounts. It’s always a good idea to do as little as you can using the all-powerful admin account. Because your admin account has full access to your entire website, you don’t want its username floating around where it can be easily discovered by hackers. So, for example, use a different account with only Editor access for creating your blog posts and pages.
Password Protect Directory
You can further protect your WordPress site by password protecting your website’s directories. Your web hosting control panel should have an option to password protect your directories via your .htaccess file. If you’re unsure of how to implement password protection, contact your web host’s customer support department. Also, some web hosts now offer multi-factor authentication.
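Behind the control-panel option are two files, and it helps to know what they contain. The helper below is an added example, not part of the original post: it writes an .htaccess that puts HTTP Basic authentication in front of the wp-admin directory and a .htpasswd kept outside the web root. It assumes Apache 2.4 with mod_auth_basic and mod_authn_file, openssl on the server, and the paths and user name shown; it deliberately leaves admin-ajax.php reachable, because themes and plugins call it for logged-out visitors and the site breaks if it is locked away.

```shell
#!/bin/sh
# Basic authentication in front of /wp-admin on Apache 2.4 (added example, assumed setup).
set -eu

# Write the .htaccess that protects the directory.
# $1 = wp-admin directory, $2 = absolute path of the .htpasswd file.
# Keep .htpasswd OUTSIDE public_html so the web server can never serve it.
make_htaccess() {
  cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "WordPress admin"
AuthUserFile $2
Require valid-user

# admin-ajax.php is called by themes and plugins for logged-out visitors too;
# without this exception those features break for every visitor.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Append a user to the .htpasswd file. $1 = .htpasswd path, $2 = user, $3 = password.
# openssl's Apache-MD5 (apr1) format is what Apache's mod_authn_file accepts.
add_htpasswd_user() {
  hash=$(openssl passwd -apr1 "$3")
  touch "$1"
  chmod 600 "$1"
  printf '%s:%s\n' "$2" "$hash" >> "$1"
}

# Usage: sh protect-admin.sh /home/user/public_html/wp-admin /home/user/.htpasswd alice
# (constructed paths and user). The password is read from the terminal, not passed
# on the command line, so it never shows up in the shell history or process list.
if [ "$#" -eq 3 ]; then
  printf 'Password for %s: ' "$3"
  stty -echo; read -r pw; stty echo; echo
  make_htaccess "$1" "$2"
  add_htpasswd_user "$2" "$3" "$pw"
fi
```

Note that this is a second login in front of the WordPress login, so anyone who needs the dashboard needs both sets of credentials.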
Premium Security Services
For maximum website protection, you can opt for a service such as Sucuri. Often overlooked in the website protection process is security at the application level. When I interviewed Sucuri’s Co-Founder Dre Armeda, he spoke about this issue and how Sucuri can help website owners that use content management systems such as WordPress. You can read the interview here.
By incorporating the above items, you’ll definitely be ahead of the game when it comes to securing your WordPress site.
Video: How to Secure Your WordPress Website
Here’s a video I recently posted that covers securing your WordPress sites.
1 thought on “How to Secure Your WordPress Site”
Excellent tips Michael. Just to add a bit:
According to the co-founder of Sucuri, a well-known website security platform:
“People Are And Will Continue To Be The Biggest Security Issue With WordPress.”, Dre Armeda Discusses WordPress Security
This proves that WordPress users should put some effort into securing their websites.