This article was updated on Oct. 11, 2017.
At Bourn Creative, we have been building websites for 11 years and working solely with WordPress as our platform of choice for eight years. Throughout the past eight years we have said the same thing to every client we work with: WordPress security starts with you.
It’s true. If you want to know how to improve WordPress security, just look in the mirror.
I can’t emphasize enough how important this idea is when it comes to caring for and maintaining your WordPress website.
Many website owners think that all of the work to build their WordPress website happens up front, but in reality, the design, development and creation of a WordPress site is just the first step. When you launch a new WordPress site, you become a website owner, and as a website owner, it is your responsibility to take care of it, to care for it, and to keep it safe and healthy.
Owning any website, not just a WordPress website, requires ongoing maintenance. Your WordPress website is powered by the WordPress software, and all software — like Adobe Photoshop, Microsoft Word, Apple iTunes, and all of the Apps on your phone — has ongoing updates that you must manage.
Ignoring software updates can cause a bevy of problems:
- You don’t have access to new features that make using the software better and easier.
- You don’t benefit from bug fixes that solves problems in the software.
- You don’t benefit from compatibility fixes that helps the software play nice with other software.
- You don’t benefit from security patches that fix vulnerabilities in the software, which means you’re leaving your website and/or your phone or computer open to being attacked or hacked.
The good news is that you don’t have to be a tech-wizard to keep your WordPress site secure. Even if you’re non-technical, you can learn how to improve WordPress security. Just review this WordPress security checklist to get started.
How to improve WordPress security in 11 steps
Even with little to no technical prowess, you have the power protect your WordPress website from security vulnerabilities and help prevent your WordPress site from being hacked.
- Use strong passwords and a password manager.
- Don’t share your password.
- Update WordPress regularly.
- Update plugins consistently.
- Keep your theme updated.
- Disable and delete all unused plugins.
- Invest in managed WordPress hosting.
- Actively manage cPanel and/or FTP access.
- Keep your OS, software and browsers current.
- Encrypt your home/office WiFi network.
- Invest in website security.
With this WordPress security checklist, you can improve WordPress security — even if you’re a non-technical website owner.
1. Use strong passwords and a password manager
The most simple website security measure you can take is to use strong, unique passwords. This means skipping your dog’s name, kid’s name, birthdays and common words, including the words password.
When creating your passwords you should make sure they include:
- More than eight characters
- A mix of uppercase and lowercase letters
- At least one number
- At least one special character
Do not use the same password for multiple websites or online profiles, and do not use your WordPress password for anything else — especially for a social media profile.
I know managing all of the different passwords can be tough, especially when you avoid any common words and add in numbers and special characters, but there is an easy solution. Use a password manager like LastPass or 1Password to manage all of your unique passwords and provide you with one master password.
As of WordPress 4.3, passwords are strong by default. Before users were presented with an empty box and created a password from scratch, which allowed them to use weak passwords. As of WordPress 4.3, strong passwords are now created automatically for users, who can then choose to keep it or edit it. As the password is edited, the password strength meter will communicate how strong your new password is.
WordPress 4.3 also saw the end of emailing passwords, with password reset links now emailed that expire in 24 hours by default.
2. Don’t share your password
Your WordPress password is your WordPress password. Do not share it with anyone else, not even your team members or business partners. Instead, maintain the integrity of your account by:
- Setting us anyone else who needs access to your site with their own user account and password.
- Give each user account the minimum access needed. Do not give everyone Administrator-level access.
When everyone who has access to your site has their own unique user account, it is easy to remove access when a team member no longer works for you or you end a contract with a subcontractor.
With separate user accounts, you’ll also be able to track each user’s activity on your site, seeing when they last logged in, what they did, and more.
3. Update WordPress regularly
While incremental WordPress updates are pushed out automatically so you don’t have to lift a finger to update your site to the newest version of the software, the major updates don’t work the same way. For major releases it is up to you to update WordPress to the latest release.
When a new version of WordPress is released, a log is published noting everything new about the latest release. This includes all security vulnerabilities that were patched, which means that the security vulnerabilities of past versions of WordPress are made public.
To protect the security of your site it is best to always keep your sites updated to the most current version of WordPress.
Note: GoDaddy Managed WordPress offers automatic core WordPress software and security updates.
4. Update plugins consistently
Just as a log is published noting everything new about the latest release of WordPress, a similar log is published for every plugin every time it is updated. This also means that all security vulnerability information about previous plugin versions are made public.
If you have five plugins installed on your WordPress site that are two to three versions out of date, everyone of those plugins could post a security threat to your site.
Every time a plugin releases an update, you should back up your site and update the plugin, keeping all installed plugins current.
5. Keep your theme updated
WordPress themes and parent themes also have periodic updates you must manage.
As with the WordPress core software and WordPress plugins, when new versions of themes and parent themes are released, information about bug fixes and security patches are published, making the security issues with the previous version public knowledge.
It is also important to delete any WordPress themes that you are not using from your site. But be careful, if you are using a parent/child theme setup like the Genesis Framework by StudioPress, be careful not to delete the parent theme (Genesis).
6. Disable and delete all unused plugins
With more than 46,000 plugins in the WordPress.org Plugin Directory, you have a lot of plugins to choose from and try out.
It is inevitable that at some point you are going to test out a few different plugins that all do the same thing to see which one you like the best and want to use for the long term.
While it is best to test these plugins out in a staging environment or local development environment, not everyone is that tech savvy. If you’re going to test new plugins on your live site, first performs a full backup of your site just in case anything goes wonky, then test away to your heart’s content.
If you test out three different contact form plugins and decide on one of them, disable and delete the other two from your site. Trust me, the last thing you want to deal with is managing and keeping plugins you’re not even using up to date, yet if you don’t a plugin you’re not even using you create a backdoor into your site for a hacker.
7. Invest in managed WordPress hosting
Not sure how to perform a full backup of your site? Don’t want the stress of keeping WordPress up to date? Want better security, speed, and performance? Skip the shared hosting and go with a managed WordPress hosting solution.
Managed WordPress hosts are configured specifically for WordPress, optimizing speed and performance. They also offer automatic backups and a one-click restore, and automatic WordPress core software and security updates.
8. Actively manage cPanel and/or FTP access
Just as you should never share your WordPress password with someone else, you should never share your cPanel or FTP password with anyone else. Instead set them up with their own user account and password. This again gives you the ability to revoke access when they no longer work for you or you part ways with a subcontractor.
9. Keep your OS, software and browsers current
It’s easy to think that malware or a website hack can only come from outdated WordPress installs and outdated plugins, but that just isn’t the case. Your WordPress site can become vulnerable to malware attacks and security hacks through outdated software on your computer, including old operating systems, and old browser versions.
There have even been instances where a malware virus traveled through FTP clients to infect sites. So if one person had passwords for multiple websites stored in an outdated FTP client and one site got infected, the malware could spread to all of the other websites.
10. Encrypt your home/office WiFi network
When your home WiFi network and office WiFi network are encrypted, the data is passed through the network more securely.
When your home WiFi network and office WiFi network are unencrypted, the data is passed through the network in plain text and anyone can log into your network and see everything that is being transferred.
That means your usernames and passwords are being transferred in a way that anyone can access them, leaving your accounts personal information and accounts vulnerable.
You should never log into your WordPress site on an unencrypted WiFi network, and again, always use a strong, unique password.
11. Invest in website security
No matter the scale of your WordPress website, you could be a target for hackers. In order to proactively — and consistently — protect against malware, viruses and other online threats, a website security service is a must.
GoDaddy Website Security, powered by Sucuri, provides powerful, round-the-clock protection for your WordPress site. It automatically scans for malware and continuously monitors your website for any anomalies. If you want to improve WordPress security, then signing up for a website security service such as this is definitely the way to go.
Continuously revisit your WordPress security checklist
Remember, when you launch a new website, you become a website owner with responsibilities to not only create an awesome design, publish new content, and drive traffic to the site, but to care for and maintain your website. It’s an ongoing practice.
From using strong unique passwords and a password manager, to keeping WordPress, plugins, and frameworks updated, to actively managing user access to your site and investing in managed WordPress hosting, you have the ability to ensure that your site runs smoothly and avoids security issues.
Hopefully, this WordPress security checklist helped you understand the steps you must take when learning how to improve WordPress security. Your actions are the first step to keeping your WordPress website safe and secure.