WordPress is the most popular blogging and CMS system on the Internet. This makes it a favourite target for hackers.

Having a WordPress site means that you have to make some extra effort to protect your data and your visitors' data. Here is a summary of the best practices for securing a WordPress site that will help you do that.

It is important to mention that these measures don’t guarantee 100% protection against hacking attempts, mostly because a 100% secure website doesn’t exist, but they will protect you against the majority of attacks.

1. Update Plugins and WordPress

Updating plugins and the WordPress core is very important in keeping your site secure.

Plugin and theme developers do not provide security patches for outdated versions, so you should ideally update your plugins at least once every two weeks.

Before updating anything on your site, always make a backup.

2. Maintain Strong Passwords

Generate strong user passwords, and change the passwords frequently. Strong passwords will ensure your WordPress site doesn’t get hacked as easily.

If you use a host which has cPanel or a similar hosting management console, update these passwords regularly as well.

3. Don’t use the default “admin” username

When setting up WordPress, the default login username is usually “admin”. Many hackers will assume that you haven’t changed the “admin” login and try to log in to your site with it.

You can easily block a lot of brute-force and other attacks simply by giving your admin account a different username. If you’re installing a new WordPress site, you will be asked for a username during the WordPress installation process.

If you have already installed WordPress, you can change your username by following the instructions on this site: http://www.wpbeginner.com/wp-tutorials/how-to-change-your-wordpress-username/

4. Install a security plugin like WordFence

The free version of WordFence works really well “out of the box”. It will block a user/IP when there are many failed login attempts. It also does regular scans of your theme, plugin and other files to detect malware.

You can set notifications to be sent to your email, allowing you to take action.
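To show what the failed-login blocking described above amounts to, here is an added example that is not part of the original post and not WordFence's own code. It tracks POSTs to wp-login.php in constructed Apache-style access-log lines and flags an IP once it reaches a number of failures inside a time window; it assumes the common heuristic that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample access-log lines (not real traffic). One IP fails five
# times in eight seconds; another logs in once, then fails twice an hour apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
198.51.100.4 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2024:12:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
198.51.100.4 - - [10/Mar/2024:13:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3456
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path, int(status)

def find_lockouts(log_text, threshold=5, window_seconds=300):
    """Return {ip: time_of_lockout} for IPs whose failed wp-login.php POSTs
    reach `threshold` within any `window_seconds` span (assumed heuristic:
    200 = login form redrawn after failure, 302 = successful login redirect)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, when, method, path, status = parsed
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        if status == 302:
            recent[ip].clear()    # successful login resets the failure window
            continue
        if status != 200:
            continue
        q = recent[ip]
        q.append(when)
        while q and (when - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and ip not in locked:
            locked[ip] = when
    return locked
```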

5. Avoid “free” themes

If you are using a theme “as is”, or a known theme “framework”, always opt for “premium” themes which are well coded.

Free themes can contain embedded links to other sites for SEO purposes.

6. Keep multiple backups

Do manual backups, and make sure your hosting company does regular backups. Back up both the files and the database.

In case something goes wrong, you can restore a clean copy of your WordPress site.

7. Ensure your computer is free of viruses and malware

This seems obvious, but many hackers gain easy access to your WordPress site by simply hacking your computer, and stealing the login details.

Always ensure your computer is free from any malware or viruses. If you use an FTP program like FileZilla, never let it store your login details, as hackers know where to find these saved details in your FTP program.

Headway Digital offers monthly WordPress Maintenance and Security Services on retainer.  Please contact us if you are interested in this service.