One of the responsibilities that comes with running a self-hosted WordPress site is managing your own security.

Let’s be honest: WordPress security is not an exciting topic. So it’s understandable that most people tend to put it off, or neglect it completely.

It’s only when your website gets hacked that you realize the true importance of security. I know this because it happened to me—and it was an absolute disaster.

The good news is that most threats can be avoided by simply implementing a few key strategies, which we’ll outline in this step-by-step guide.

Why Is WordPress Security So Important?

A compromised website can hurt your revenue, damage your reputation, and put your visitors and customers at risk.

Tens of thousands of websites are hacked every single day, and many of those are powered by WordPress.

WordPress is the most popular content management system in the world, powering more than 33 percent of the web—which makes it a prime target for hackers.

That’s not to say that WordPress itself is insecure—it’s actually very secure, thanks to the enormous community that maintains it. In most cases, newly discovered vulnerabilities are patched swiftly and automatically, with no user action required.

The real risks come from other variables on the individual site level: user accounts, passwords, web hosting, outdated software, bad plugins, and so on.

As the owner of your WordPress site, these things are your responsibility—and they can literally make or break your security.

With that in mind, let’s take a look at some concrete, actionable steps that you can take to build a tight wall of security around your site.

WordPress Updates

WordPress is an open-source platform with hundreds of people contributing to its development.

When a security firm discovers a vulnerability in WordPress, the lead developers are notified, WordPress gets patched, and millions of websites are updated before the company makes a responsible disclosure.

With that disclosure, the vulnerability becomes public knowledge—meaning hackers essentially have a recipe to exploit websites that haven’t yet been updated.

The moral of the story: keeping your software up to date is vital to your security.

Install Security Updates Automatically

Since the release of WordPress 3.7, automatic updates for minor/security releases have been enabled by default. Most likely, your site is already receiving these.

Some web hosts block automatic WordPress updates. If that’s the case with your host, you may want to try a different host—or at least be sure to install updates promptly when they’re available.

Keep WordPress Core Updated

For major WordPress releases, you’ll have to initiate the update manually.

When a major update is available, you’ll see a banner at the top of your WordPress dashboard.

Always be sure to install core updates as they become available.

Keep Your Themes & Plugins Updated

Theme and plugin updates also have to be initiated manually. These are easy to forget, but they’re equally important.

To check for available updates, go to Dashboard > Updates in the main WordPress menu.

Advanced Automatic Updates

If you want to fully automate your WordPress updates, you may want to install the Advanced Automatic Updates plugin.

This plugin supports automatic updates for security updates, major core releases, plugins, and themes.

Advanced Automatic Updates is perfectly safe for most sites, but exercise caution if you’re using any customized themes or plugins, as an automatic update could overwrite your changes. You’ll also want to back up your site regularly, just in case something goes wrong. (More on that below.)
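If you would rather not add another plugin, WordPress can do the same automation on its own. The following is an added example, not code from the article or from the Advanced Automatic Updates plugin: a single must-use plugin (dropped into wp-content/mu-plugins/, where it loads without activation) that turns on automatic core, theme and plugin updates with WordPress's own `WP_AUTO_UPDATE_CORE` constant and `auto_update_theme` / `auto_update_plugin` filters, while keeping a hand-edited plugin under manual control. The excluded slug `my-customised-plugin` is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Added example, not from the article or the Advanced Automatic Updates
 * plugin: automatic updates via WordPress's own constants and filters, as a
 * must-use plugin at wp-content/mu-plugins/auto-updates.php.
 * The excluded plugin slug near the bottom is a hypothetical placeholder.
 */

// Core: true = install minor AND major releases automatically; 'minor' =
// security/minor releases only (WordPress's default); false = never.
// Defined here only if wp-config.php has not already set it.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Hosts that "block" automatic updates usually do it with one of these two
// constants in wp-config.php. Log it so you do not assume updates are happening.
if ( ( defined( 'AUTOMATIC_UPDATER_DISABLED' ) && AUTOMATIC_UPDATER_DISABLED )
  || ( defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS ) ) {
    error_log( 'auto-updates.php: automatic updates are disabled by a constant in wp-config.php' );
}

// Themes: update every one automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: update everything except plugins you have edited by hand, so an
// update cannot silently overwrite your changes (the caveat above).
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $customised = array( 'my-customised-plugin' ); // hypothetical placeholder slug
    if ( isset( $item->slug ) && in_array( $item->slug, $customised, true ) ) {
        return false; // keep this one under manual control
    }
    return true;
}, 10, 2 );
```

Because updates are applied by WP-Cron, they only run when the site gets traffic (or when you trigger cron from the server); check Dashboard > Updates after a week to confirm the policy is actually taking effect, and keep a current backup before turning on major core updates.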

Passwords & User Accounts

User accounts are often the weakest link in WordPress security. If your administrator account isn’t secure, your website isn’t secure.

Use Strong, Unique Passwords

The easiest way for a hacker to gain access to your site is by stealing (or guessing) your password.

You can make that more difficult by creating a strong password that’s hard to guess and that you don’t use on other websites.

The ideal password would be a complex mix of letters, numbers, and symbols. For example: aPBom^#60$4v

The reason most people don’t use strong, unique passwords is that they’re hard to remember. That’s why I recommend using a password manager like LastPass (free), which generates and stores secure passwords for all of your accounts.

It also doesn’t hurt to change your password on a fairly regular basis (every few months or so).

Note: This applies not only to your WordPress admin account, but also your web hosting account, FTP account, email account, SQL database, and so on.

If your site has multiple users, you can enforce strong password security for everyone by installing the Force Strong Passwords plugin.
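To show what such enforcement looks like under the hood, here is an added example (not code from the article or from the Force Strong Passwords plugin): a small must-use plugin that rejects weak passwords wherever a user sets one, on the profile / Add New User screen (`user_profile_update_errors`) and on the lost-password reset form (`validate_password_reset`). The 12-character minimum and the short denylist of common passwords are assumptions to tune for your site.

```php
<?php
/**
 * Plugin Name: Password policy (added example)
 *
 * Added example, not from the article or the Force Strong Passwords plugin.
 * Save as wp-content/mu-plugins/password-policy.php.
 */

const WPSEC_MIN_PASSWORD_LENGTH = 12; // assumption: adjust to your policy

/**
 * Return a list of problems with $password for user $username.
 * An empty array means the password passes the policy.
 */
function wpsec_password_problems( $password, $username = '' ) {
    $problems = array();

    // strlen() counts bytes, which only ever over-counts; safe for a minimum.
    if ( strlen( $password ) < WPSEC_MIN_PASSWORD_LENGTH ) {
        $problems[] = sprintf( 'Password must be at least %d characters long.', WPSEC_MIN_PASSWORD_LENGTH );
    }

    // Constructed denylist of common choices; a real deployment would check
    // against a large breached-password list instead.
    $common = array( 'password', 'password1', 'wordpress', 'letmein', 'qwerty123', 'admin123' );
    if ( in_array( strtolower( $password ), $common, true ) ) {
        $problems[] = 'That password is too common.';
    }

    // The username must not appear inside the password.
    if ( strlen( $username ) >= 3 && stripos( $password, $username ) !== false ) {
        $problems[] = 'Password must not contain your username.';
    }

    // Require at least three of the four character classes.
    $classes = preg_match( '/[a-z]/', $password )
             + preg_match( '/[A-Z]/', $password )
             + preg_match( '/[0-9]/', $password )
             + preg_match( '/[^a-zA-Z0-9]/', $password );
    if ( $classes < 3 ) {
        $problems[] = 'Use a mix of upper-case letters, lower-case letters, digits and symbols.';
    }

    return $problems;
}

/** Copy each problem into the WP_Error object WordPress shows to the user. */
function wpsec_add_problems( WP_Error $errors, $password, $username ) {
    foreach ( wpsec_password_problems( $password, $username ) as $i => $msg ) {
        $errors->add( 'wpsec_weak_password_' . $i, '<strong>Error</strong>: ' . esc_html( $msg ) );
    }
}

// Profile edit / "Add New User" screen: the new password arrives as $user->user_pass.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( ! empty( $user->user_pass ) ) {
        $login = isset( $user->user_login ) ? $user->user_login : '';
        wpsec_add_problems( $errors, $user->user_pass, $login );
    }
}, 10, 3 );

// "Lost password" reset form: the new password is posted as pass1.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( isset( $_POST['pass1'] ) && '' !== $_POST['pass1'] ) {
        wpsec_add_problems( $errors, wp_unslash( $_POST['pass1'] ), $user->user_login );
    }
}, 10, 2 );
```

With this in place, `wpsec_password_problems( 'aPBom^#60$4v', 'editor' )` returns an empty array, while `wpsec_password_problems( 'password1', 'editor' )` returns three findings (too short, too common, too few character classes), and WordPress refuses to save the password until they are fixed.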

Be Mindful Of User Privileges

Even if you’ve got your main administrator account locked down, other user accounts could still pose a risk to your site’s security.

Whenever you add a new WordPress user, make sure to give them an appropriate user role.

The Administrator role should rarely be assigned to any other account. If you give someone else this role, you’re giving them unfettered access to make changes to your site, with the exact same capabilities that you have.

If you do give someone else administrator access, e.g. your business partner, make sure you both have strong passwords and good security habits.

Preventing Brute Force Attacks

Using a complex password will protect you from the vast majority of bad guys trying to access your account, but you’re still not completely safe from a brute force attack.

A brute force attack is a tactic where a hacker uses a special computer program to try an endless number of username and password combinations until one finally works.

An example of a basic brute force script in action

This is far more dangerous than a human trying to guess your password, because while a human can try a few passwords per minute, a brute force script can try thousands of passwords per second.

Thankfully, there are steps you can take to protect your site from brute force attacks.

Don’t Use The Default “Admin” Username

In the early days of WordPress, the default administrator username was simply admin. Today you can specify a custom username during the installation process, but some autoinstallers still use the default admin.

Because your username is essentially half of your login credentials, using something as common as admin makes brute force attacks a lot easier.

By default, WordPress doesn’t allow you to change your username—so you’ll have to use one of these alternative solutions:

  • Create a new administrator account and delete the old one
  • Install the Username Changer plugin
  • Manually update your username in your database
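The third option is usually described as a raw SQL statement against the users table. The following added example (not from the article) does the same rename through WordPress's own database API, which is safer than hand-typed SQL and also catches a detail that raw renames often miss: the `user_nicename` column. Run it once with WP-CLI (`wp eval-file rename-admin.php`); the new username is a placeholder to replace with your own.

```php
<?php
/**
 * Added example (not from the article): rename the "admin" account through
 * WordPress's $wpdb API instead of a hand-typed SQL statement.
 * Run once, e.g.:   wp eval-file rename-admin.php
 */

function wpsec_rename_user( $old_login, $new_login ) {
    global $wpdb;

    $new_login = sanitize_user( $new_login, true );
    if ( '' === $new_login || $new_login === $old_login ) {
        return new WP_Error( 'wpsec_bad_login', 'New username is empty or unchanged.' );
    }
    if ( username_exists( $new_login ) ) {
        return new WP_Error( 'wpsec_taken', 'That username is already in use.' );
    }
    $user = get_user_by( 'login', $old_login );
    if ( ! $user ) {
        return new WP_Error( 'wpsec_not_found', "No user named '$old_login'." );
    }

    // user_login is what you type at the login form. user_nicename is the slug
    // in author URLs (/author/<nicename>/), and WordPress redirects /?author=1
    // to it, so leaving it as "admin" would still reveal the old name.
    $nicename = sanitize_title( $new_login );
    if ( get_user_by( 'slug', $nicename ) ) {
        return new WP_Error( 'wpsec_slug_taken', "Author slug '$nicename' is already in use." );
    }

    $updated = $wpdb->update(
        $wpdb->users,
        array( 'user_login' => $new_login, 'user_nicename' => $nicename ),
        array( 'ID' => $user->ID ),
        array( '%s', '%s' ),
        array( '%d' )
    );
    if ( false === $updated ) {
        return new WP_Error( 'wpsec_db', 'Database update failed.' );
    }

    // The public display name is a third place the old name can leak.
    if ( strtolower( $user->display_name ) === strtolower( $old_login ) ) {
        wp_update_user( array( 'ID' => $user->ID, 'display_name' => $new_login ) );
    }

    clean_user_cache( $user->ID ); // drop the cached copy of the old record
    return $user->ID;
}

$result = wpsec_rename_user( 'admin', 'change-me-to-something-unique' ); // placeholder
if ( is_wp_error( $result ) ) {
    echo 'Error: ' . $result->get_error_message() . PHP_EOL;
} else {
    echo "Renamed user ID $result. Existing sessions are invalid; log in with the new username." . PHP_EOL;
}
```

Take a database backup first, and expect to be logged out: WordPress's login cookie carries the username, so it stops validating the moment the name changes.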

Change Your Login URL

Much like the default username, the default login URL adds a great deal of vulnerability to your website. Even the most inexperienced hackers know exactly where to find your WordPress login page: /wp-admin/ or /wp-login.php.

By changing these URLs, you can obscure your login page and ward off all but the most determined brute force attackers.

You can accomplish this pretty easily with the WPS Hide Login plugin.

Limit Login Attempts

The most effective way to combat brute force attacks is by limiting the number of failed login attempts permitted from a single IP address.

You can do this with a plugin like Loginizer.

If an attacker starts attempting a bunch of incorrect username and password combinations, Loginizer will automatically lock them out.
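To make the mechanism concrete, here is an added example (not code from the article or from Loginizer): a must-use plugin that counts failed logins per IP address in WordPress transients and, after a threshold, refuses to authenticate that address for a while, even with a correct password. It uses the core `wp_login_failed`, `authenticate` and `wp_login` hooks; the thresholds (5 failures in 10 minutes, 15-minute lockout) are assumptions.

```php
<?php
/**
 * Plugin Name: Login limiter (added example)
 *
 * Added example, not from the article or from Loginizer.
 * Save as wp-content/mu-plugins/login-limiter.php.
 */

const WPSEC_MAX_FAILURES    = 5;        // failures allowed ...
const WPSEC_FAILURE_WINDOW  = 10 * 60;  // ... within this many seconds
const WPSEC_LOCKOUT_SECONDS = 15 * 60;  // how long the lockout lasts

/** Client address. Behind a proxy you would read the proxy's forwarding header
 *  instead, but only if the proxy overwrites it on every request. */
function wpsec_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpsec_fail_key( $ip ) { return 'wpsec_fail_' . md5( $ip ); }
function wpsec_lock_key( $ip ) { return 'wpsec_lock_' . md5( $ip ); }

/** Seconds left in the lockout for $ip, or 0 if it is not locked out. */
function wpsec_lockout_remaining( $ip ) {
    $until = get_transient( wpsec_lock_key( $ip ) );
    return $until ? max( 0, (int) $until - time() ) : 0;
}

/** Record one failed attempt; returns the new failure count. */
function wpsec_record_failure( $ip ) {
    $count = (int) get_transient( wpsec_fail_key( $ip ) ) + 1;
    set_transient( wpsec_fail_key( $ip ), $count, WPSEC_FAILURE_WINDOW );

    if ( $count >= WPSEC_MAX_FAILURES ) {
        set_transient( wpsec_lock_key( $ip ), time() + WPSEC_LOCKOUT_SECONDS, WPSEC_LOCKOUT_SECONDS );
        delete_transient( wpsec_fail_key( $ip ) );
        // One log line your monitoring can alert on.
        error_log( sprintf( 'wpsec: locked out %s after %d failed logins', $ip, $count ) );
    }
    return $count;
}

/** Successful login: forget the failures for this address. */
function wpsec_clear_failures( $ip ) {
    delete_transient( wpsec_fail_key( $ip ) );
}

// Count failures. The WP_Error argument exists since WordPress 5.4; skip
// counting when the failure is our own lockout so it cannot extend itself.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( $error instanceof WP_Error && 'wpsec_locked_out' === $error->get_error_code() ) {
        return;
    }
    wpsec_record_failure( wpsec_client_ip() );
}, 10, 2 );

// Refuse a locked-out address. Priority 40 runs after core's own
// username/password checks (priority 20), which would otherwise return a
// WP_User for a correct password and override this error.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $remaining = wpsec_lockout_remaining( wpsec_client_ip() );
    if ( $remaining > 0 ) {
        return new WP_Error(
            'wpsec_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', ceil( $remaining / 60 ) )
        );
    }
    return $user;
}, 40, 3 );

// A correct login resets the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    wpsec_clear_failures( wpsec_client_ip() );
}, 10, 2 );
```

Two caveats worth knowing: a per-IP limit slows down a single machine but not an attacker spreading attempts across many addresses, so it complements strong passwords rather than replacing them; and if your site sits behind a CDN or load balancer, `REMOTE_ADDR` is the proxy's address, so without the forwarding-header adjustment you would lock out all of your own visitors at once.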

Back Up Your Site Regularly

Nothing is ever 100 percent secure. No matter how much you prepare, there’s always a chance your site will be compromised one day.

However, you can minimize the potential damage by using a reliable backup solution.

The idea behind backing up your site is to create a copy of all of your data and store it somewhere safe. Then, in the event that something goes wrong, you can quickly restore your site and get it back up and running ASAP.

You’ll most likely want to do this with a plugin.

There are a number of backup solutions out there, including Jetpack’s integrated backup module (aka VaultPress), which starts at just $3.50 per month. That particular plan includes automated daily backups, one-click restores, and a 30-day backup archive.

Alternatively, you could use a free plugin like UpdraftPlus. Just make sure you’re storing your backup data in a safe, offsite location (not your hosting account).

Scan Your Site For Threats

In addition to regular backups, it’s important to have a system in place that scans your files and database for malware and security threats.

The Jetpack plugin also offers daily automated scans for malware and infiltrations, starting at $9 per month (this plan includes the aforementioned backup features as well).

Use SSL Encryption

Implementing SSL/TLS and delivering your site over HTTPS can improve your security by encrypting your site’s data while it moves between the user’s browser and your server.

This can prevent a man-in-the-middle attack, where an attacker intercepts and/or manipulates a data exchange between two parties. A hacker could use this tactic to obtain your WordPress login credentials, or to steal private information from your website visitors.

When you use SSL, your data is effectively carried through a private tunnel from your server to the user’s browser, and back.

To use SSL, you’ll need to obtain an SSL certificate through your web host. Certificates can be expensive, so I recommend using a host like SiteGround that provides free SSL certificates to all customers.

SSL encryption can also benefit your WordPress SEO, as Google now uses HTTPS as a ranking signal.
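Once the certificate is installed, WordPress itself needs to be told to insist on HTTPS; otherwise both versions of the site keep answering. The following is an added example (not from the article) in two parts: lines for wp-config.php that force the dashboard onto HTTPS and pin the site address, and a must-use plugin that redirects plain-HTTP visitors and sends an HSTS header. `example.com` is a placeholder, and the `X-Forwarded-Proto` block applies only if a proxy or CDN terminates TLS in front of your server.

```php
<?php
/**
 * Added example (not from the article). Part 1 goes in wp-config.php,
 * part 2 in wp-content/mu-plugins/force-https.php.
 */

// ---- 1. wp-config.php ----------------------------------------------------
// Serve the dashboard and the login page only over HTTPS.
define( 'FORCE_SSL_ADMIN', true );

// Only if a load balancer or CDN terminates TLS in front of WordPress: such
// proxies pass the original scheme in X-Forwarded-Proto, which is_ssl()
// ignores. Do this ONLY when the proxy overwrites the header on every
// request; otherwise any client could set it and bypass the redirect below.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// Pin the site address to https so every generated link uses it.
define( 'WP_HOME',    'https://example.com' ); // placeholder
define( 'WP_SITEURL', 'https://example.com' ); // placeholder

// ---- 2. wp-content/mu-plugins/force-https.php ----------------------------
// Redirect any plain-HTTP front-end request to its HTTPS equivalent.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    $target = set_url_scheme( 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], 'https' );
    // wp_safe_redirect() only follows hosts that belong to this site, so a
    // forged Host header cannot turn this into an open redirect.
    wp_safe_redirect( $target, 301 );
    exit;
} );

// HSTS: tell browsers to remember the HTTPS-only rule. Start with a short
// max-age while you confirm every page works over HTTPS, then raise it.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }
} );
```

After enabling this, check a few pages for "mixed content" warnings in the browser console: images or scripts still embedded with http:// links will be blocked or flagged, and the fix is to update those URLs in the content and theme.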

The Security Risks Of Plugins

Along with regular updates, it’s important to exercise caution and common sense when installing WordPress plugins.

Because plugins modify and extend the functionality of your website, they can introduce unique vulnerabilities that aren’t present in the WordPress core.

Ultimately, your website is only as secure as your least secure plugin.

Be Selective In Your Choice Of Plugins

When you install a plugin, you’re adding new code to your site that may or may not be secure.

Before installing a plugin from WordPress.org, take a look at the reviews, see how many other sites are using it, and make sure it’s being actively maintained.

Before purchasing a premium plugin, do some quick research to make sure the developer is reputable.

If you’re no longer using a plugin that you’ve installed, it’s a good idea to delete it from your site.
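The checks above can be applied to the plugins you already have, not just to new ones. This added example (not from the article) is a WP-CLI script (`wp eval-file plugin-audit.php`) that walks every installed plugin, flags inactive ones for deletion, asks the WordPress.org plugin directory API when each was last updated and how widely it is used, and reports anything the directory does not know about so you can vet the vendor yourself. The one-year "stale" threshold and the 1,000-install floor are assumptions.

```php
<?php
/**
 * Added example (not from the article): audit installed plugins against the
 * WordPress.org directory. Run with:   wp eval-file plugin-audit.php
 */

require_once ABSPATH . 'wp-admin/includes/plugin.php';         // get_plugins(), is_plugin_active()
require_once ABSPATH . 'wp-admin/includes/plugin-install.php'; // plugins_api()

const WPSEC_STALE_AFTER = 365 * DAY_IN_SECONDS; // assumption

/** Build a list of findings for one installed plugin. */
function wpsec_audit_plugin( $plugin_file, array $data ) {
    $findings = array();
    $slug     = dirname( $plugin_file );          // "akismet/akismet.php" -> "akismet"
    if ( '.' === $slug ) {
        $slug = basename( $plugin_file, '.php' );  // single-file plugins
    }

    if ( ! is_plugin_active( $plugin_file ) ) {
        $findings[] = 'inactive: delete it if you no longer use it';
    }

    $info = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'last_updated' => true, 'tested' => true, 'active_installs' => true, 'sections' => false ),
    ) );

    if ( is_wp_error( $info ) ) {
        // Premium or custom plugins are not in the directory; vet those by hand.
        $findings[] = 'not on WordPress.org (' . $info->get_error_message() . '): verify the vendor yourself';
        return $findings;
    }

    $last = ! empty( $info->last_updated ) ? strtotime( $info->last_updated ) : false;
    if ( $last && ( time() - $last ) > WPSEC_STALE_AFTER ) {
        $findings[] = 'not updated since ' . gmdate( 'Y-m-d', $last ) . ': possibly abandoned';
    }
    if ( ! empty( $info->tested ) && version_compare( $info->tested, get_bloginfo( 'version' ), '<' ) ) {
        $findings[] = 'only tested up to WordPress ' . $info->tested;
    }
    if ( isset( $info->active_installs ) && $info->active_installs < 1000 ) {
        $findings[] = 'fewer than 1,000 active installs: little community scrutiny';
    }
    if ( ! empty( $data['Version'] ) && ! empty( $info->version )
      && version_compare( $data['Version'], $info->version, '<' ) ) {
        $findings[] = 'outdated: ' . $data['Version'] . ' installed, ' . $info->version . ' available';
    }
    return $findings;
}

foreach ( get_plugins() as $file => $data ) {
    $findings = wpsec_audit_plugin( $file, $data );
    printf( "%-40s %s\n", $data['Name'], $findings ? implode( '; ', $findings ) : 'ok' );
}
```

The directory lookup is by folder name, so a premium plugin whose folder happens to match an unrelated free plugin's slug will be compared against the wrong listing; treat a surprising "outdated" line for a paid plugin as a prompt to check the vendor's own changelog.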

Don’t Download Premium Plugins For Free

There are a lot of shady sites out there that distribute premium WordPress plugins for free. If you’re a bootstrapped business owner or hobbyist blogger, grabbing a plugin from these sites can seem like a great option—but it’s one of the riskiest things you can do.

This is because:

  1. You won’t receive important security updates from the developer
  2. The plugin could have been modified to contain malware

For the safety of your website, be sure to only download plugins from the official source.

I hope this guide has been helpful! If you have any WordPress security questions, please feel free to leave them in the comments below.