Best Practices for WordPress Security
Albemarle PR may earn a small commission for our endorsement, recommendation, testimonial, and/or link to any products or services from this website. Your purchase helps support our work.
According to W3Tech, WordPress has a 63.5% CMS market share and is used by 37.8% of all the websites. WordPress 5.4 has been downloaded over 57,749,551 times according to the WordPress counter.
Most WordPress sites get hacked due to a site owner’s lack of attention to preventable problems. Follow this guide to learn best practices for WordPress security.
Run the current version of the WordPress core
WordPress is actively maintained by developers from all over the world. These developers find and fix bugs, add new features, and hunt down security vulnerabilities on a regular basis. These changes are then released in a new WordPress version. According to an annual report by Sucuri, 56% of all CMS applications were out of date when infected in 2019.
You can view the tentative release calendar for WordPress updates that will occur in 2020-2021 here.
Major and Minor WordPress Updates
I prefer to complete a major WordPress update a few days following its release. In some cases, your WordPress site may have unexpected problems after an update. For example, some of your plugins may not work correctly if they were not updated ahead of a major WordPress release. By delaying a major update for a few days, I can scan the WordPress forums ahead of time and have a better idea of what to expect.
Siteground offers a smart update tool that will always create a backup before updating WordPress. If it detects issues, it will change back to the previous version of WordPress.
Minor WordPress updates often fix crucial security issues and vulnerabilities and can be set to auto update.
WordPress Backup Files
You should always have a complete WordPress backup prior to running a major WordPress update. Most hosting providers offer free backup solutions and you can also use a plugin to run automatic backups of your entire WordPress site. In addition to keeping daily backups on my server, I use Dropbox for storing monthly backups. I periodically transfer backups to a USB as well.
Use Current Plugins from Trusted Developers
There are 54,000+ plugins available in the official WordPress.org repository and they have been downloaded over 1.5 billion times. An eCommerce plugin called WooCommerce runs over 1.5 million active online stores and is a leading choice among site owners that use WordPress.
Plugin Installation
Choose plugins with positive reviews, many active installations, and a good track record for providing updates. This can help you evaluate if the plugin authors are maintaining the plugin and responding to requests for help. Install plugins with caution. Ask yourself if you really need a plugin and uninstall any that you are no longer using.
Update Plugins
Anyone can run a scan on your WordPress site to get a list of all of the plugins used on your site. If plugins with known vulnerabilities are found, hackers can exploit them.
For plugins that are installed using the official WordPress.org repository, you will see update notices in your WordPress dashboard. However, you can change the settings to push plugins to update automatically. With commercial plugins sold in a marketplace or from sites of the plugin developers, you usually have to manually install plugin updates.
Use Themes from Trusted Developers
Although there are many free WordPress themes available, many are coded and abandoned by their developers. When you choose a theme that is not actively maintained by the developer, you will likely run into conflicts with plugins, major WordPress updates, and even have your site hacked. When you use a theme from a well-known development team, you will also have access to support from thousands of others that are using the same theme.
Recommended Themes
Use Strong Passwords
Your password should not include information that someone can learn about you. Use lowercase, uppercase, special characters and numbers to set the strong password for your account.
Do not use the same password that you have used on any other site. If a site or your email account becomes compromised, your password may end up on the dark web.
Anyone that has admin, editor, or author privileges on your site should be required to have a strong password.
Change Your Admin Username
Avoid using your name, email address, domain name, admin, or any other name that could be easily guessed.
Move Login Page
When used in combination with other WordPress security steps, changing the default WordPress login page URL will make hacking your site more difficult. By default every WordPress installation has two login URLs: yourdomain.com/wp-admin.php and yourdomain.com/wp-login.php. Rather than manually changing code in your WordPress core files, the safer and better way to change the WordPress login URL is to use a plugin.
Use Two-factor Authentication (2FA)
By using two-factor authentication, a WordPress user can combine a strong password with a smartphone app that sends a time-based one-time use password.
Recommended Plugins
- Duo Mobile
- Google Authenticator here or here
Use a Virtual Private Network
If you access the internet through public wifi hotspots, shared internet routers, or even through your very own provider, your data, files and privacy may be at risk. When you use a virtual private network (VPN), your traffic goes through a VPN server before it goes to your target destination. Your data is encrypted so it cannot be intercepted by someone else. I use Private Internet Access so I can protect multiple devices and still have a fast internet connection. You can use my referral link to get 30 days free.