15 experts weigh in with their top WordPress security tips

Products mentioned
Does your WordPress site measure up?
Archive Product Disclaimer

The GoDaddy product information in this article is outdated and currently under review for accuracy. For the latest up-to-date product information please visit godaddy.com

Security is extremely important for WordPress website owners. Having a security plan in place allows you to protect the time and money spent in creating and maintaining your website. Unfortunately, not everyone has been sold on adopting their own security plan — and most of the time it falls on how the end user learns WordPress. Often website owners learn how to set up their site, how to use it, and how to market it, but nothing about security. This article rounds up some of the best WordPress security tips from WordPress experts.

These WordPress pros have presented at WordCamps, other social media and blogging conferences, and are active members of well-known WordPress-related communities and websites. They range from power users and bloggers to designers and developers, so their advice ranges from WordPress security tips for beginners to advanced users — basically, it touches on security for WordPress websites for all users.

WordPress experts and their top WordPress security tips

The experts are listed in alphabetical order. Please feel free to follow them on Twitter.

1. Syed Balkhi

Syed BalkhiSyed is the founder of WPBeginner, the largest free WordPress resource site for beginners. You can find Syed on Twitter at @syedbalkhi.

Syed recommends:

“You should choose a good host, create backups, and also make sure to install a Web Application Firewall. For beginners, I recommend reading my WPBeginner WordPress security article, which shares more of my security tips.”

2. Michele Butcher

“Nothing is ever permanent if you have a backup.”

Michele ButcherMichele is the accounts lead for Valet.io, providing an exceptional WordPress experience for their clients. She hails from Carbondale, Ill., (the Southern, prettier area of Illinois.) Michele is also the Lead Organizer of The Southern Illinois WordPress Meetup, and teaches beginners WordPress for John A Logan College. She always has a book in one hand, and a camera in the other, while taking in all that life has to offer. Find Michele on Twitter at @michele_butcher.

Michele talks about creating backups for WordPress:

“Always have a schedule for site backups and keep them in a place other than your server. Nothing is ever permanent if you have a backup.”

3. Emanuel Costa

Emanuel CostaEmanuel builds professional websites and help companies grow online. He also helps organize meetups, and whenever he is able, he likes attending WordCamps and other tech events. Find Emanuel at his blog or on Twitter at @emanweb.

Emanuel explains that, when it comes to security for WordPress websites, even if you have a backup plan, you should be testing your backups and making sure they restore well:

“Have a scheduled backup and restore plan. It is a bad thing to happen if you get hacked and take too long to have the site back up. With a restore plan you could not only test if your backups are good but also minimize the downtime, in case something happened.”

4. Matt Cromwell

“Paying for security is always a worthy investment.”

Matt Cromwell

Matt is Head of Support and Community Outreach at WordImpress.com. He’s the author of many free WordPress plugins, a popular blogger at his website, an admin of the Advanced WordPress Facebook group, co-organizer of the San Diego WordPress Meetup, and a frequent WordCamp speaker and attendee. You can find Matt on Twitter at @learnwithmattc.

Matt had a wealth of WordPress security tips, ranging from hardening your installation to learning about your hosting:

“Security isn’t easy, and it’s getting more challenging and necessary by the day. Paying for security is always a worthy investment. With that in mind, I find the following to be indispensable practices with regard to WordPress security.

Learn what hardening is and why it works. In many ways, it just comes down to learning about file permissions. 777 is never good. Some things need and deserve 444. The article on hardening also touches on a lot of solid common-sense items, like using your computer securely. Users and their simple passwords are the biggest problems in security, by far.

You should also learn the difference between server-side security, app-level security, and domain- or DNS-level security. Basically, where does the line between your host’s responsibility, your security plugin’s responsibility, and your domain’s responsibility start and end? They are different things and often you can’t just point and click your way into making them all work nicely together.”

Matt also goes on to remind us that security for WordPress websites is even good for SEO, like using SSL for your website.

“SSL all the things! Within just a few years we’ll all look down our noses and run away in fear at any website that doesn’t have the famous Green Lock in the address bar. There’s no reason any longer to NOT have your WordPress website loaded over HTTPS. Between HTTP2 and the freely available Let’s Encrypt SSL certificates, and Cloudflare’s free support of SSL, you make great gains just by leveraging this relatively simple protocol.”

5. Bob Dunn

Bob DunnBob Dunn is a down-to-earth kind of guy who is a fan of non-geek things, content, and animals. He runs BobWP — where he teaches WordPress in a non-geeky way — and is a regular contributor to the GoDaddy blog. Find Bob on Twitter at @bobwp.

Bob stresses to stay calm if you’ve been hacked, and hire a professional if you don’t know how to clean up your website:

“Unless you really know what you are doing, if your site ever does get hacked, call in a pro. Don’t follow some crazy directions you found by Googling.”

6. Chris Flannagan

“Turn off FTP.”

Chris FlannaganThe Director of Digital Technology for Quasar Bio-Tech, Inc., Chris is a WordPress engineer specializing in custom WooCommerce functionality and back-end development. He lives in Sarasota, Fla., with his wife, daughter and soon-to-be son. Find Chris on his website and on Twitter at @ChrisFlanny.

Chris has a tip for advanced WordPress users regarding FTP:

“Turn off FTP. Using an SSH key pair to manage your server files can seem intimidating. I know I avoided it for a very long time because I was so used to straight up, normal FTP, and more than a decade of using it and only it. But again, there are some very straightforward guides online, often provided by your specific host for setting it up. All it takes a quick command in the CLI to generate and get the process started. Enabling FTP is a security risk, especially for brute-force attempts.”

7. Jarrett Gucci

Jarrett GucciJarrett comes from a retail background that started at Home Depot in Buffalo as a cashier; 18 months later he was asked to be a project manager in California with a goal of opening 12 stores in 14 months. He accomplished that goal. He said goodbye to retail in 2007 to pursue a hobby of website development with the hope he could make some money doing it. After four years of building and managing WordPress sites, he founded a company called WP Fix It. Since 2011 his company has serviced more than 48,000 WordPress support tickets. Find Jarrett on Twitter at @wpfixitfast.

Jarret referred to his post on understanding security and said:

“Securing WordPress is like the process of securing your home. You’ve got to pick a location that is safe, set up security for your home, and only give access to people you trust. With WordPress, you want to pick a reliable location, or web host so your site is safe, set up secure plugins and themes, and then, only give access to people you trust.”

8. Logan Kipp

Login KippLogan has been an intermittent WordPress user since “Strayhorn” 1.5 in 2005 and has used WordPress as a primary platform since “Coltrane” 2.7 in 2008. He counts more than seven years’ experience in the website hosting and security technology field, starting with three years at GoDaddy, followed by four years at SiteLock. Logan most recently served as SiteLock’s Lead Security Analyst before taking his current role as a Product Evangelist – WordPress earlier this year. You can find Logan at WPDistrict. 

Logan’s WordPress security tips focus on scanning your website and using a firewall:

“You should use a web application firewall to help protect the website against attacks. Also, don’t forget to scan your website daily for changes and analyze any changes for malware.”

9. David Laietta

“Upgrade early, upgrade often.”

David Laietta

David has his own maintenance service for clients where he handles security as well as updates, backups, and ongoing maintenance. The service is getting a rebrand and launching under the new name FixUpFox. Find David on Twitter at @davidlaietta.

David’s top WordPress security tip is:

“Upgrade early, upgrade often. Upgrade your themes, plugins, and for goodness sake update WordPress core. It’s true that sometimes an update can cause a break of something that you use, but this problem is very rarely ever caused by WordPress itself, and most often is third-party code — indicating that it’s probably not written well to begin with.

Try sticking with popular plugins with a lot of feedback when they’re necessary, and focus on finding a well-tested tool, not just the first free piece of code that purports to solve your needs. Along with this comes with doing a regular audit of your website tools, and removing things that are no longer needed.”

10. Joe McGill

Joe McGillJoe works at Washington University in St. Louis as the Director of Web Development for the Office of Public Affairs and is a Contributing Developer to WordPress Core. Find him on online at joemcgill.net and on Twitter as @joemcgill.

Joe touches on disabling the file editor to keep your website a little more secure:

“Disable the file editor in WordPress. If someone is able to guess a user’s password and get access to your site, they could easily add malicious code to your site using the built-in file editor. It’s probably best to disable this feature altogether, which is as easy as adding `define(‘DISALLOW_FILE_EDIT’, true);` to your wp-config.php file.”

11. Andy Nathan

“Get the best hosting possible.”

Andy NathanIn the last five years, Andy has worked with hundreds of clients in more than 75 different industries, helping them improve their blogging and social media. In that short period, he’s also personally written more than 4,000 articles for clients and his own projects. That level of productivity has drawn Andy a lot of attention from news organizations of every size, including some major players: on the national level, Fox News and WGN have interviewed him about his approach to content. Closer to home, AM 560 the WIND and many more have brought Andy’s story to their audiences. You can find in on his website or Twitter as @andynathan.

Andy stresses that choosing a good web host is a great foundation for better security:

“The biggest security tip I can provide is get the best hosting possible. Personally, I just upgraded to a VPS with my web host in order to have more secure hosting because they have a number of features that make the website safer.”

12. Kate Newbill

Kate NewbillKate has been building websites since she taught herself HTML and CSS to dress up her eBay listings in 1999. She flirted with a few primitive content management systems before finding WordPress in 2004 (version 1.2) and hasn’t looked back since. Today she runs 2FishWeb LLC, a general WordPress consultancy offering design, development, security, and maintenance services, and teaches classes on WordPress. She lives in Birmingham, Ala., with her husband, two dogs, and a cat, and is currently planning zero trips in hot-air balloons. Find Kate on Twitter at @2fishweb.

Kate’s tip is about keeping websites separate from each other, and not using plugins that open a door directly to your hosting account:

“You really should only install only one WordPress per hosting account, unless you are with a host that offers staging setups for testing. No add-on or subdomains.

Also, don’t use a database or file manager plugin. If someone were to gain admin access to your WordPress, this would give them additional access to change, upload, and delete files in your hosting account.”

13. Josh Pollock

“Too many people think a security plugin is a magic amulet of protection or something.”

Josh PollockJosh is the co-founder for Caldera Labs, which offers fine WordPress plugins, including Caldera Forms and training for WordPress developers. Find Josh on Twitter at @Josh412.

Josh’s tip covers your security plan, especially when it comes to using plugins:

“If you run a website, think about your security strategy: Where are you getting plugins and themes from? Is it a reputable source and can you get upgrades when (not if) there are security issues in them?

Also, too many people think a security plugin is a magic amulet of protection or something. Security is mainly a server-level issue and it’s very complicated to secure a server, but if done right, a security plugin should be unnecessary.”

14. Heather Baker Steele

Heather Baker SteeleAfter almost a decade of marketing in a corporate setting, Heather, owner and CMO at Blue Steele Solutions, tired of being a corporate cog and decided to go it alone. She bootstrapped a WordPress marketing firm based on one simple principle: Partnership.
Today, her team produces a wide variety of marketing products and services, from WordPress website development and design to their most popular product, the Business Marketing Analysis. Learn more about Heather and her marketing crew at bluesteelesolutions.com. You can find Heather on Twitter at @heathersteele03.

Heather explains a really good point about choosing a secure web host:

“Get a trusted web host and learn exactly how they protect you, and how they don’t.

Hacks don’t always affect a single website or attack you through your website — and if a hacker is able to break into a server, you may find yourself the victim of someone else’s bad security habits.

Make sure you host your website with a reputable hosting company, but just as importantly, make sure you understand exactly where their security responsibilities end and where yours begin.”

15. James Tryon

“Make sure you have a very strong password.”

James TryonJames is the founder of a Florida-based custom WordPress development company named Easily Amused, Inc. He has also been a co-organizer of WordCamp Orlando. Find James on Twitter at @jamestryon.

James recommends that you use a strong password:

“Make sure you have a very strong password. I recommend 1Password or LastPass to store all your passwords. These services are great and will sync between devices. Or, if you don’t want to invest in a password management tool, use a short phrase. Try to get at least three words in there — the longer the better.”

WordPress security takeaways

How about those WordPress security tips?! Each expert offered up a wealth of info, so here’s a summary of basic takeaway tips for WordPress security.

  • Choose a secure and unique password.
  • Don’t use “admin” as your username.
  • Know your WordPress roles, and only give access to those you trust.
  • Choose a safe and secure web host for your website.
  • Use SSL.
  • Always keep the WordPress core software, your themes, and plugins up-to-date.
  • Make sure to create backups of your website.
  • Choose themes and plugins that are popular and have reviews that will help earn your trust.

Plus, if you’ve not adopted your own security plan, you will need to do so.

How useful was this post?

Click on a star to rate it.

As you found this post useful...

... why not share it?

Image by: JanetR3 via Visualhunt / CC BY