Everything on the internet is vulnerable to being hacked. If you have a website, you can get hacked.
It can feel very violating to have your website hacked. Not only do you have unanticipated work to do to clean up your site and get it secured, you also get that “why me!?” feeling. Someone or something just messed with your things and invaded your space.
Try your best not to take it personally. It happens to the best of us.
But what can we do to protect ourselves from getting hacked? If you are among the nearly 20% of people running their website on WordPress, this post will give you a quick overview of WordPress website security: what you can do, things to consider, and where to go for help.
What You Can Do
1. Backup your website.
The best security is to back up your website regularly. Your database and content files, which include all of your uploaded media, should be backed up as regularly as you update your content. If you update your website with fresh content and blog posts about once per week, then you should back up your website once per week at minimum.
Many website hosts do offer backups as part of your hosting, but keeping only one set of backups is risky. Double or triple up on where your backups are stored.
Here are two options for backups:
- DIY with a free plugin. I recommend UpdraftPlus, as pictured in the screenshot below.
- Or pay a monthly fee for a service like VaultPress.
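A scripted version of the advice above, as an added example that is not from the original post and not either plugin's code: it dumps the database using the credentials already in wp-config.php, archives wp-content, writes a checksum manifest and keeps a verified second copy, which is the "double up" the text recommends. The paths WP_ROOT, PRIMARY and SECONDARY are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): cron-friendly WordPress backup that
# dumps the database and wp-content, writes a checksum manifest and keeps a second,
# verified copy. WP_ROOT, PRIMARY and SECONDARY are assumed paths; ideally the
# second location is not on the web server itself.
set -euo pipefail

WP_ROOT="${WP_ROOT:-/var/www/html}"
PRIMARY="${PRIMARY:-/var/backups/wp}"
SECONDARY="${SECONDARY:-/mnt/offsite/wp}"

# Print the value of define('NAME', 'value') from wp-config.php ($1 = file, $2 = NAME).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# Dump the database and archive wp-content into directory $1; print the set's timestamp.
backup_site() {
    local dest="$1" cfg="$WP_ROOT/wp-config.php" stamp
    stamp="$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    # The DB password is passed via the environment so it never appears in `ps` output.
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
        -h "$(wp_config_value "$cfg" DB_HOST)" -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" | gzip > "$dest/db-$stamp.sql.gz"
    tar -czf "$dest/wp-content-$stamp.tar.gz" -C "$WP_ROOT" wp-content
    ( cd "$dest" && sha256sum "db-$stamp.sql.gz" "wp-content-$stamp.tar.gz" > "backup-$stamp.sha256" )
    echo "$stamp"
}

# Check every file of backup set $2 in directory $1 against its manifest.
verify_set() {
    ( cd "$1" && sha256sum -c --quiet "backup-$2.sha256" )
}

# Copy backup set $1 from $2 to $3 and verify the copy: a corrupt second copy is
# caught at backup time, not when you are trying to restore a hacked site.
replicate_and_verify() {
    mkdir -p "$3"
    cp "$2"/*-"$1".* "$3"/
    verify_set "$3" "$1"
}

# The full job runs only with --run (e.g. from cron); sourcing the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    stamp="$(backup_site "$PRIMARY")"
    replicate_and_verify "$stamp" "$PRIMARY" "$SECONDARY"
    echo "backup $stamp stored and verified in $PRIMARY and $SECONDARY"
fi
```

Restore needs both halves of a set (the SQL dump and the wp-content archive), so the manifest is the quickest way to confirm a copy is complete before you rely on it.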
2. Update all the things!
Your WordPress installation, themes, and plugins all need to be kept up to date. In addition to new features and bug fixes, updates may include important security fixes. Like laundry, keeping things up to date is a task you must do frequently (but luckily it doesn’t involve stinky socks from that weekend hike and typically only takes a few clicks per month).
3. Only download themes or plugins from trusted sources.
Trusted developers update their themes and plugins to include the latest security fixes, and they stick around to support their work. This means that you ought to be able to get in touch with the team behind the theme or plugin at any time for support. One way to check up on developers is to see if they participate in the WordPress community. Have they spoken at a WordCamp? Do they contribute to WordPress core? You can also search Google for the word on the street as to whether or not the theme or plugin is well supported. If the developers have a reputation for taking money for their product and then disappearing, that is probably a bad sign for the existing and continued security of their product.
If you are unsure if a theme or plugin is safe, and haven’t been able to research it yourself satisfactorily, ask a WordPress developer before you install. Many developers, including myself, are available for consultation.
4. Use a very secure password.
If you are using “password” or “123456” or any password similar to the most commonly used passwords, then you should change your password immediately. A very secure password is one that includes upper and lower case letters and special characters, is 7 characters or longer, and is changed every 5 or 6 months. Use the built-in password strength indicator to test the strength of your passwords.
5. Delete “admin” as a username.
Because of its popularity, using “admin” as a username leaves you vulnerable to a brute-force attack. To delete “admin” as a username, log in and create a new user with Administrator rights. Then log out, log back in as your new Administrator, and delete “admin”. Here is a good walk-through of how to delete “admin” as a username.
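The same procedure done from the command line with WP-CLI, as an added example that is not from the original post or the linked walk-through. It assumes WP-CLI is installed and the script is run from the WordPress root (WP_BIN is an assumed override), and it adds two checks a point-and-click run can skip: the new account is confirmed to be an administrator before the old one is removed, and admin's posts are reassigned so no content disappears with the account.

```shell
# Added example (not from the original post): replace the default "admin" login
# with a fresh administrator using WP-CLI, which is assumed to be installed.
WP="${WP_BIN:-wp}"   # assumed override for the path to the wp binary

replace_admin_user() {   # $1 = new login, $2 = new e-mail address
    local new_id
    # Nothing to do if there is no account literally named "admin".
    if ! "$WP" user get admin --field=ID >/dev/null 2>&1; then
        echo "no 'admin' user present"
        return 0
    fi
    # Create the replacement first. WordPress generates a random password when
    # --user_pass is omitted; --porcelain prints only the new user's ID.
    new_id="$("$WP" user create "$1" "$2" --role=administrator --porcelain)"
    # Refuse to delete anything unless the new account really is an administrator,
    # otherwise the site could be left with no administrator at all.
    if [ "$("$WP" user get "$new_id" --field=roles)" != "administrator" ]; then
        echo "new user $1 is not an administrator; leaving 'admin' in place" >&2
        return 1
    fi
    # Hand admin's posts and pages to the new account, then remove the account.
    "$WP" user delete admin --reassign="$new_id" --yes
    # Confirm the old login is gone; a failed deletion must not look like success.
    ! "$WP" user get admin --field=ID >/dev/null 2>&1
}
```

With --porcelain the generated password is not printed, so set one for the new login through the lost-password e-mail flow (or `wp user update <login> --user_pass=...`) before you log out of the old account.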
Make sure you are doing what you can to keep your WordPress secure. Backups, updates, researching what you download, secure passwords, and not using “admin” as a username can all help lower your risk of being hacked and, in the case of your backups, ensure you have something to restore from if anything does go wrong.
Do you need a developer’s help?
Some security measures for your WordPress website may need to involve a developer. If you have had a theme custom built, your developer ought to have included reasonable security measures. If you are using a theme made by developers who may or may not be trustworthy, it may be worthwhile to hire a developer to go through your code and installation and strengthen them.
Further Security Measures
If you want to take your security to a whole new level, I recommend Sucuri. I got introduced to a few members of their team at a WordPress conference last year. In addition to being cool people, their services are great. Currently, the basic package is $200/year, which is a reasonable cost for the peace of mind. (I am not affiliated and do not earn any money off of recommending them.)
If Your Website Gets Hacked
Again, I would recommend Sucuri. Companies like Sucuri are excellent at cleaning and securing websites and, in most cases, will charge less money than a web developer. It’s a no-brainer. (Again, I’m not affiliated, just trying to recommend the best.)
So I hope these insights into WordPress security, although not exhaustive, help you stay secure. The hope is that you’ll never have to deal with a hacked website. But if you do, there is help out there! And it’s the reason you must start backing up your WordPress website regularly.
Photo by Life of Pix