11 Steps To Improve WordPress Security And Protect Your Website

Learn simple things you can do to protect your website from malware, spyware, hacking, and security vulnerabilities.

collection of security locks

WordPress has been the platform of choice for my creative agency and consulting company since Version 2.8. We have built hundreds of WordPress websites and worked with hundreds of clients, and every time we share the same advice:

WordPress security starts with you.

I can’t emphasize enough how important your own actions are when it comes to maintaining, taking care of, and protecting your website.

Far too many people think that the majority of the work that goes into making a website successful happens before the website launch — during the strategy, design, and development stages of the website build process.

But that’s a myth. While a website launch is the last step of the website design process, it’s the first step of website ownership and website ownership comes with serious responsibilities:

  • Marketing and optimizing the website to grow your platform, expand your reach, drive traffic, and increase visibility.
  • Keeping the website software — WordPress and plugins — updated to the most current versions to protect your website from security vulnerabilities.
  • Ensuring decisions made keep the website performing as well as (or better than) it did the day it launched.
  • Being careful about what plugins are used, monitoring the impact of newly installed plugins, and removing any unused plugins.
  • Testing all changes made to the website and testing primary features tied to lead generation and revenue generation on a regular basis.

Owning any website, especially a WordPress website, requires regular, ongoing website maintenance and care. The good news is that you don’t have to be a tech wizard to improve website security and keep your WordPress site safe and secure.

Review this WordPress security checklist to get started…

How To Improve WordPress Security

Even with little to no technical prowess, you can protect your WordPress website from security vulnerabilities and prevent your WordPress site from being hacked with these security tips:

  • Use strong passwords and a password manager.
  • Don’t share your password, embrace user accounts/roles.
  • Update WordPress every time there is a release.
  • Update plugins when updates are available.
  • Update your theme files when updates are available.
  • Be smart about your WordPress plugin choices.
  • Invest in managed WordPress hosting.
  • Actively manage cPanel and/or FTP access.
  • Keep your operating system, software, and browsers current.
  • Encrypt your home WiFi network and/or office WiFi network.
  • Invest in website security services.

With this WordPress security checklist, you can improve WordPress security — even if you’re a non-technical website owner.

1. Use Strong Passwords And A Password Manager

The most simple thing you can do to improve website security is to use strong, unique passwords. This means skipping your dog’s name, kid’s name, birthdays, anniversary, and common words, including the word password.

When creating your password, make sure it includes:

  • More than eight characters
  • A mix of uppercase and lowercase letters
  • At least one number
  • At least one special character

You should also make sure that every password you create is unique. Do not use the same password for multiple websites or online profiles, and do not use your WordPress password for anything else — especially for a social media profile. To keep all of your unique passwords straight, consider using a password manager like LastPass or 1Password.

2. Don’t Share Your Password, Embrace User Accounts/Roles

Your WordPress password is your WordPress password. Do not share it with anyone else, not even your team members, virtual assistant, or business partners. Instead, maintain the integrity of your account by:

  • Setting up any additional users who need access to your site with their own unique user account and password.
  • Give each user account the minimum level of access required to complete their assigned tasks. Do not give everyone Administrator-level access.

When everyone who has access to your site has their own unique user account, it’s easy to remove access when a team member no longer works for you or you end a relationship with a subcontractor. With separate user accounts, you’ll also be able to track each user’s activity on your site, seeing when they last logged in, what they did, and more.

3. Update WordPress Every Time There Is A Release

While incremental WordPress updates are handled automatically, major updates always don’t work the same way. For major releases, it is up to you to update WordPress to the latest version or to give your hosting provider permission to update WordPress for you.

Each time a new version of WordPress is released, a log is published noting everything new about the latest release, which includes all bugs and security vulnerabilities that were patched. This means that the security vulnerabilities of past versions of WordPress are made public.

Ignoring WordPress and plugin updates can cause a bevy of problems:

  • You don’t have access to new features that make using the software better and easier.
  • You don’t benefit from bug fixes that solve problems in the software.
  • You don’t get compatibility fixes, like those that ensure a plugin plays nicely with the other plugins installed on your website.
  • You don’t benefit from security patches that fix vulnerabilities in the software, which means your website is vulnerable.

To protect the security of your site it is best to always keep your sites updated to the most current version of WordPress.

4. Update Plugins When Updates Are Available

Just as a log is published with each release of WordPress, similar logs are published for plugin updates that disclose also information regarding bug fixes and security patches.

If you have plugins installed on your WordPress site that are out of date, each one could pose a security threat. That’s why plugin updates need to be handled in a timely manner. This means backing up the entire site, performing the update, and checking to ensure the update didn’t cause any problems.

5. Update Theme Files When Updates Are Available

WordPress themes, parent themes, and frameworks also have periodic updates that must be managed — and again, because the details of each release are disclosed publicly, these updates can’t be ignored.

Before updating your WordPress theme, make sure you understand the architecture of your theme and the impact performing an update may have.

For example…

  • If you have directly customized a commercial WordPress theme, like those from StudioPress and BizBudding, updating that theme could overwrite and erase all of the customization work you have done. It depends on how and where the customizations were done.
  • If you are using a framework with a parent/child theme approach, like the Genesis Framework, the customizations happen in the child theme, while the parent theme handles the functionality. In most cases, you’re safe to update the parent theme and turn off updates to the child theme.
  • If you invested in a custom theme, it likely won’t have updates. Updates and changes to the site will be made under your direction by your team.

As always, before performing any updates, back up your website completely. This way if something goes wrong, you can quickly restore the site to its previous version.

Also, consider deleting “extra” WordPress themes that are installed but inactive on your site. Keep only your primary theme and a single, trusted fall-back theme. Just be careful that if you’re using a parent/child theme approach, you keep both the parent and child theme installed and active.

6. Be Smart About Your WordPress Plugin Choices

With 58,000+ plugins in the WordPress.org Plugin Repository, and even more available to download through third-party marketplaces, GitHub, and premium plugin developers’ websites, there are a lot of plugins available to use on your website. But not all plugins are created equal.

In the chatter about plugin use, you may have heard advice like, “Use as few plugins as possible,” or, “Using a lot of plugins is dangerous.” But the truth is that the number of plugins used isn’t what matters. What matters is the quality of the plugins you use.

One plugin, if it’s the wrong plugin, can be “too many” and it can negatively affect site performance or even break the site.

I’ve worked on sites with more than 50 plugins installed that ran beautifully and sites with five plugins installed that had serious performance problems. This is why it’s critical to research plugins and test their impact before using them.

Now, at some point, you may want to test a few different WordPress plugins that have similar features so you can decide which one you want to use on your website. The best practice is to test these plugins in a staging environment, on a sandbox site, or in a local development environment, and not on your live website.

With that said, I know many site owners don’t know how to do that. If you’re going to install and test plugins on your live website:

  1. Back up your complete website as a safety precaution.
  2. Install, test, then deactivate the plugins one at a time.
  3. Choose the plugin you want to use and activate it.
  4. Deactivate and uninstall the plugins you aren’t going to use.

Trust me, the last thing you want to deal with is updating plugins you’re not even using.

7. Invest In Managed WordPress Hosting

Not sure how to perform a full backup of your website?

Don’t want the stress of keeping WordPress up to date?

Want better security, speed, and performance?

Invest in a managed WordPress hosting solution and build a relationship with a quality website hosting provider.

Managed WordPress hosts configure their platforms specifically for WordPress to optimize speed and performance. Many also offer automatic daily backups, a one-click restore, automatic WordPress core and security updates, content delivery networks, site monitoring, security services, and more.

My top managed WordPress hosting companies are:

8. Actively Manage Cpanel And/Or Ftp Access

Just as you should never share your WordPress password, you should never share your cPanel or FTP password. If a partner or a member of your team needs access via Cpanel or FTP, create a unique user login for them on your account. Again, this gives you the ability to revoke access when they no longer need access or you part ways without requiring you to change your account information.

Also, never log into your site via FTP on an open, unsecured WiFi network, never allow your FTP clients to save and store passwords, and always use SFTP if you can. Here’s a quick, true story to illustrate why this is important:

A developer, who was managing several websites, stored the passwords for each site in their FTP client to make updating files easier. One of those sites got hacked and malware was installed. When the developer logged into the site via FTP, the malware used the FTP client and stored passwords to infect each of the other sites. The developer was then responsible for fixing all of the hacked sites.

9. Keep Your Operating System, Software, And Browsers Current

It’s easy to think that malware, spyware, or other types of website attacks only come from outdated versions of WordPress and plugins, but that’s not the case. Your WordPress site can become vulnerable to malware attacks and security threats through outdated software on your computer, including out-of-date operating systems, browsers and browser extensions, apps, and other software installed on your devices.

10. Encrypt Your Home Wifi Network And/Or Office Wifi Network

When your home WiFi network and office WiFi network are unencrypted, data is passed through the network in plain text and anyone can log into your network and see all of the data that is being transferred. That means your usernames and passwords are being transferred in a way that allows anyone to access them. This leaves your personal information and accounts vulnerable.

When your home WiFi network and office WiFi network are encrypted, data is passed through the network more securely, preventing others from accessing sensitive information, including your passwords.

11. Invest In Website Security Services

Regardless of the size of your WordPress website, you could be a target for hackers. To proactively and consistently protect your website from malware and security threats, it’s a smart idea to invest in a website security service or a managed WordPress hosting plan that includes advanced security services.

For example, GoDaddy Website Security, powered by Sucuri, provides powerful, round-the-clock protection for your WordPress site. It automatically scans for malware and continuously monitors your website for any anomalies.

Protecting Your Website Requires Vigilance

When your website is launched, you become a website owner with responsibilities to not only market your website but to care for, protect, and maintain the site properly. These responsibilities will require vigilant attention for as long as the website exists.

From using strong unique passwords and a password manager to keeping WordPress, plugins, and themes updated to actively managing user access to your site and investing in managed WordPress hosting, you have the ability to ensure that your site runs smoothly and avoids security issues.

Hopefully, this WordPress security checklist provided a greater understanding of how to best protect your website. After all, WordPress security starts with you. But, if you’re feeling a little nervous about being responsible for all of these tasks and keeping your website safe, secure, and performing well, you don’t have to do it yourself. Consider signing up for a website care plan instead and let your designer or developer take care of everything for you!

This is an updated version of this post written for GoDaddy.