How to secure your WordPress Website

How to secure your WordPress Website
  • 28

How to secure your WordPress Website

4 Simple tactics to secure your WordPress Website

Internet and website security is becoming more of priority in user’s mind as more high profile incidents fill the media headlines.

Before all the howls “It is not secure”, from anti-WordPress or anti-any-other-CMS, let’s be clear about one thing. A secure website that nobody can hack has not yet been invented, so if Governments and Security forces websites could be hacked, then your website is just easy meat no matter what you use. We live in a real world and we want to help you secure your website in a practical terms and as much as possible without having to employ an army the size of NSA or GCHQ to manage it.

How can you make your WordPress Secure?

There are no silver bullets for securing any website, let alone an open-source CMS such as WordPress, Joomla, or Drupal, so don’t let anyone tell you otherwise.

There are series of actions you can take to secure your WordPress (the same applies to any other CMS based website), but none of them on their own will save your website. So here are in order of importance what you need to do.

1. Managing Access

Manage your WordPress Password

This is your first and most effective protection. Use complex and long passwords, or better still, use WordPress’s own password generator. The longer the password and more random the characters, the more difficult it is to crack it. You should also change your password regularly, Try changing at least once every 6 months.

Manage WordPress Users

You do not have to give Administrator level access to everyone that contributes to your website. Use access level appropriate for the user’s work and needs.

Lock Your FTP

If your hosting company allows you to lock your FTP, then do use the feature. FTP ports that are permanently open are one of the main points of attack as they are exposed to limitless try-and-error. Click here to read more on this on FTP security.

Issue Unique Credential

Do not share your username and password with other people who may need to work on your website. If you have website developer or your theme developer needs access to fix a bug or issues, then issue a new username and password, and make sure you kill it after they are done.

2. Keep WordPress Up-to-Date

Update WordPress CMS

This is not as simple as people think. Just clicking on that “Upgrade Now” button could cause you more trouble than you have imagined and here is why.

Websites include Plugins and customisation, which all need to be able to work with the latest version of WordPress, so before you upgrade you need to make sure they are all updated and compatible otherwise you could break something on the website.

Your customisation can also be wiped out if you had made changes to the core files or theme files. There is nothing wrong with doing this kind of customisation as long as you have a record of what you had done in the past, so that you can replicate the changes after the upgrade to the WordPress engine (or Joomla if that is what you are using). Better still if you are using WordPress, then deploy a Child Theme.

Make sure you have done a backup and all other steps as above before you update the WordPress engine.

Update your Plugins

Make sure all your WordPress Plugins are updated and are compatible with the latest version before you upgrade the main WordPress engine.

It is best not to use the Plugin management page to upgrade as it is easier to find compatibility with WordPress versions using “Update” section which you will find under the “Home” section in your admin panel. Here you get a list of all available updates including Plugins, Themes, Translations, etc. together with Compatibility note for each Plugin. You can upgrade the Plugins without (or before) upgrading WordPress version, but good practice is to upgrade the WordPress engine only after you have updated all your PlugIns unless it is a major security update such as WordPress 4.7.2.

Remove unused Plugins

If you are not using a Plugin, then remove it. You do not get extra points by having longer list of Plugins in your Admin section. All you are doing is leaving open more points of vulnerability and in some cases slowing down your website.

Don’t Overdo Plugins

There is a Plugin for everything but you do not need half of them. Plugins come with their own vulnerability so if you can do something with editing PHP or CSS, then for goodness sake do it. I have seen people using Plugin to change the year on their Copyright statement! Honestly, this is so simple that it is embarrassing, so why are you using a Plugin for it?! If you can’t manage simple PHP editing such as this, you should not be managing our own website for your own sake.

3. Prevention is better than Cure

Protect your WordPress Config File

This is one of the first ports of attack and very easy to block. All you have to do is to deny access to wpconfig.php in your HTACCESS file. It takes less than 10 seconds and it is very effective.

Use Anti-Hacking Software

There are lots of Plugins that allow you to detect and block bad IP addresses, login attempts, bad robots, and other nasties out there. For example you can stop bad robots by using “All in One SEO”. It is a great SEO Plugin but also has some neat blocking functions.

You should also consider using anti-hacking Plugins which are very effective and block attempts of remote injection on MySQL, as well as login attempts, and attempts to access other sensitive files. These are active Plugins so they do not just report on hacking attempts but also block the IP of the source. Here are a few that you could try:

  • iThemes Security (formerly Better WP Security)
  • Wordfence
  • Sucuri WordPress

Change your Login Page

We have a mixed feeling about this and there are a lot of debates on this on forums. If you have a strong password, you change it regularly, and are using anti-hacking Plugin, then we are not sure how much this helps. You need to be aware this can break some Plugins so you need to really think about this carefully. In principal, it sounds like a good idea and logical, but remember this on it’s own it is useless.

We recommend that you do not use a Plugin (remember the above) and for goodness sake remember what you called your admin page!!! Also remember, if this is your only line of defence, then good luck because brute force hackers will get in if no-one is watching the door no matter what you call your login page!

4. Back up Your Website

You should back up your website regularly so that you can always restore your website back to the last known state. This is just good website management practice. Check with your hosting company and see if they offer nightly back up. If they don’t, find a new hosting company next time you come to renew your hosting package. However, for now try making a manual back up of your website including your databases. Backing up your website without the databases is a bit of a pointless exercise!


All websites are prone to hacking and those with open-source CMS such as WordPress, Joomla, Drupal, etc. need to be particularly vigilant. Running your website along the lines of good business practices will go a long way to protect you, but you need specific actions to ensure safety of your website when using any CMS including WordPress.

If you do not have the time, the inclination, or the skills to carry out this work, then look for professionals to manage your web hosting including running anti-hacking programmes.

Comments are closed.