23 Essential WordPress Security Tips

Cyber security is an ever revolving field. As system techs work to fix holes and weaknesses to prevent security issues, hackers find more ways around them. For that reason, no website is safe from the onslaught.

Some people mistakenly believe that if they use a trusted website hosting service, such as WordPress, they will be exempt from these risks. However, the opposite is true.

When it comes to web designing in WordPress, there’s much more to think about than getting a great deal on plugins or templates. WordPress, like all hosting services, have unique security issues that must be addressed if you want to ensure the safety of a website or blog. These protection features can’t be ignored, and it’s something that every designer should work in to the concept of their web design.

1. Use Secure Hosting

Yes, you can use WordPress for free, but that just means that you’ll have fewer of the security features and support. When browsing your options, it’s not always beneficial to go for the cheapest option. Take a closer look at the security options each one offers, the reviews and ratings, and the cost vs. risk benefit to help you be smart in your ultimate choice.

2. Screen Before Installing Plugins

Some plugins can come with malicious code that can crumble your website and open the door to hackers. Always check the ratings and read reviews for plugins before installing them. This is especially important to note for free plugins that aren’t created by a trusted developer.

Also, be sure to upgrade your WordPress plugins regularly as well. These updates are made to keep plugins functioning properly and protect them from known vulnerabilities.

3. Limit Access

Be careful about sharing your login information. Too many logins floating around between users can get confusing very quickly, making it difficult to remember who has access. Likewise, you don’t always know who you can trust among employees and fellow designers. Keep access to just a few people, and change the usernames and passwords often in order to avoid giving access to more people than necessary.

4. Hire an Expert

Whether you’re a designer or a businessperson looking to build a website, when it comes to website security, you can’t be too careful. It’s always a good idea to hire an expert to help you determine your security specifications. Go with someone that knows the field well, has plenty of experience installing security features, and has raving reviews and testimonials from previous clients. Your expert can also run tests to ensure adequate protection for your WordPress design.

5. Change Passwords Often

The longer the password stays the same, the easier it is for hackers to take it over. Between the development stages and the operating stages, be sure to change your passwords several times. This will also help to reduce the number of unnecessary people that have access to your WordPress site.

6. Make Passwords Strong

According to a summary from I-Sight.com, it takes a hacker just 10 minutes to crack a password that’s six lowercase letters. If you add just a few uppercase letters, numbers, and a symbol, the amount of time jumps to 44,530 years. In short, it’s better to choose a password that’s more complex than one that you can remember easily.

7. Secure Your Computer

Sometimes Trojans and viruses can sneak onto your computer through an install without you realizing it. It then will allow hackers to access sensitive information stored on your computer. Keep your computer locked down with up-to-date software, virus protection, and safe browsing history.

Other times these viruses will debilitate your computer. Once it’s not functioning properly, the hacker will be able to retrieve precious information from the hard drive, and you won’t be able to do anything to stop the attack.

8. Keep Software Updated

Updates are made for a reason. They’re there to build up protection and fix weaknesses in the software that’s vulnerable to buggy code. As a caution, only download updates from WordPress.org to void installing something that will turn into a virus or worse.

9. Assign a Real Username

To make it harder for unwanted visitors to access your website, choose a username other than “admin.” This is the default username for all WordPress sites, but it’s risky to use. Robotic hackers often begin their attacks on websites that are still using the “admin” username because it’s easier to crack.

There have been many hacking attempts that target the username “admin” and pair it with common passwords in order to hack thousands of WordPress accounts. It’s one weakness that’s way too common compared to how easy it is to fix.

10. Separate Your Username from the Site’s URL

If your username is in the author archive URL on your site, they will have an easier time accessing your page. It’s best to hide your username in your database.

11. Add a Captcha on the Login Page

Captchas are annoying, but they do a good job of protecting your page from robots. It can also help to protect your website against a brute force attack. A captcha is a great way to add another layer of defense on a WordPress site.

12. Hold a Security Audit

A security audit is the best way to find weaknesses and vulnerabilities and offer a few suggestions for fixing them. It will expose software and hardware security holes that would otherwise affect the content managment system itself.

13. Use Online Tools

Ever since the web became aware of cyber security threats, it’s blown up with solutions to fix them. While not all online tools will be helpful, the better known tools with high ratings will help to secure a site. Read reviews and check out ratings before downloading any tools.

14. Protect from Malicious URL Requests

Malicious URLs are created with the intent of breaking down a website. They’re often contained in spam or phishing messages and can sneak up on your website without your knowledge. Find snippet solutions, tools, and other software formulated to protect your website from malicious URL requests.

15. Be Wary of Free Themes

As mentioned previously, the word “free” isn’t always a good sign for web designers. There will be good quality and high security associated with many of the themes, but it’s often hard to tell which of these themes will fully protect your site. Whenever possible, avoid using free themes, particularly those not created by a reputable developer.

Many free themes will contain spammy content like base64 encoding, which can come attached with spam links and malicious code. One study showed that 80 percent of all free themes had this type of code. To avoid the headache, purchase themes with high ratings and raving reviews.

16. Have Adequate Storage and Backup

Too many developers and companies put off backing up a website until it’s too late. Because of the risks associated with the internet and network security, you simply never know if a hacker will begin a brute force attack on your website.

Keeping data stored and backed up properly is integral to business and website success. One study found that 60 percent of companies that lose data from their website fail within six months of the incident. Be proactive and install a backup system that will keep constant records of important data.

17. Carefully Add Security Plugins

Security plugins are an excellent way to protect your website from harm, but they can also cause damage if they aren’t added properly. It might seem easy to add a security plugin, but if you don’t know what you’re doing, you can just as easily develop more vulnerabilities in your website. If you have little experience with installing security plugins, it’s best to seek the help of a professional.

18. Avoid File Uploads

As a general rule of thumb, ban file uploads from your website. Even if your users are simply uploading a profile picture or a different avatar, the files have a greater chance of putting your website at risk from malicious or unknowingly bugged files. Likewise, be careful when uploading things to your site personally. Only upload authentic content to avoid attacks on your code.

19. Disable Directory Browsing

Many bloggers and web designers don’t think about protecting access to their WordPress plugins directory, which leaves the site vulnerable. It’s like leaving the door unlocked when you go to sleep at night so that thieves can roam freely. Block access to these directories by using a ‘.htaccess file’ or uploading a blank ‘index.html’ file to the directory. That should keep the door locked to intruders for good.

20. Employ SSL Encryption

Most websites and blogs send and receive data, and if that data is unprotected, it can bring back viruses, buggy codes, and malicious spyware. Likewise, if you’re transferring sensitive data and it’s not protected, anyone can gain access to it. Usually the WordPress SSL encryption feature is entirely free and easy to install, which means that you really have no excuse for not protecting transmissions.

21. Delete Extra Accounts

It’s important to frequently take inventory of the accounts attached to your website and delete all extras. In fact, if possible, it’s better to use just one, air-tight admin account that you share with those who need access than it is to use multiple accounts. At the very least, always delete outdated and unused accounts. Letting them sit unused will make it easier for others to steal information.

22. Locate Hacked Files

If you suspect your WordPress files have been hacked, it’s a good idea to employ a few tools to eliminate the problem. Exploit Scanner, Sucuri, Wordfence, and WordPress File Monitor Plus are all excellent options for recovering the files and adding extra protection.

23. Change the Database Prefix

Setting up a basic WordPress site is very convenient, but that convenience can be a web designer’s downfall. It encourages laziness, and as a result, you’re more likely to miss things such as changing the database prefix, which is one common hacking point. Always remember to check that the database prefix is changed in order to protect the table names of your site’s database. This simple step won’t stop the most experienced of hackers, but it will at least halt robotic attacks.


Contrary to the belief of many web designers, installing certain security features and taking certain measures to protect a WordPress site is your responsibility as a web designer. There are too many threats to ignore the cyber network risks. It’s true that an experienced IT department or security guru can come in later and add each of the features listed here, but it’s better overall to simply have these features installed in the beginning. If every web designer took the time to secure their WordPress sites before releasing them, the number of successful hacking attempts would easily be cut in half.

Like the article? Share it.

LinkedIn Pinterest

Leave a Comment Yourself

Your email address will not be published. Required fields are marked *