WordPress security tips and best practices

6 WordPress security tips & best practices every site owner should know


WordPress security is one of the most important topics for every single site owner to understand the basics of. Whether you’re managing a boutique eCommerce shop or 50 client sites, having a site get hacked can mean a loss in time, money, and credibility – all things no one wants to face.

While there’s no “one-size-fits-all” security solution for all WordPress sites, there are a few best practices that make a big impact. In this article, I’ll explain why sites get hacked in the first place, share security tips that are easy to implement in your workflow, and share how Flywheel can help (beyond keeping your server secure). Here’s a quick overview.

Follow these WordPress security best practices to keep your site secure:

Ready to boost your WordPress site’s security? Let’s start at the beginning!

Why do WordPress sites get hacked?


Before we jump straight into our security best practices, it can be helpful to understand why websites get hacked in the first place. Generally speaking, there are three main goals of hackers:

  • To send spam email through your site.
  • To steal your information, such as data, mailing lists, stored credit cards, etc.
  • To trick your site into installing malware on your users’ machines (or your own).

While having a site get hacked might feel like a personal attack, often it’s part of a larger-scale plot, such as a Distributed Denial of Service attack. Instead of targeting a single site, hackers might target the infrastructure your site is operating on, in turn affecting lots of sites at once. That’s why it’s important to know some basic security standards, even if you’re just running a personal site.

This is also why some hackers will target WordPress specifically; since it powers over 30% of all websites, it’s a large “area of opportunity.” Don’t let that worry you, however. WordPress is open source software with a very involved community, which means there are a bunch of people working to continue improving the security of the platform.

WordPress security best practices

The bottom line is that your WordPress site could get hacked at any moment, which is true for any website. Luckily, there are several tips you can follow to increase security and make it a lot harder for hackers to mess things up.

6 WordPress security best practices

1. Keep your themes, plugins, and WordPress version up to date

One of the easiest ways to give your site an extra security boost is to keep everything updated. While it might feel tedious sometimes to keep up with plugin updates (especially if you’re trying to manage multiple WordPress websites), those updates are published for a reason. (And that reason is often security.)

If developers discover a vulnerability in their code, they’ll usually push an update to fix it. The longer your site remains on the outdated version, the more at risk it is to be targeted by hackers.

So while it might take some time, stay up to date with all plugin, theme, and WordPress core updates. If you’re using a managed WordPress host like Flywheel, we’ll take care of the WordPress updates automatically, so you can cross those off your list.

Flywheel also offers a Managed Plugin Updates Add-on, so you can offload this tedious task to our team. We’ll always inspect your site after updates, so if anything looks wrong, we’ll roll back the update and contact you. It’s an easy way to increase the security of your site while decreasing the work it takes to maintain it – a win-win for you!

Pro tip: If you’re managing updates for multiple client sites, you may want to consider bundling this work into a security package that you sell on a recurring basis, that way you’re getting paid for this simple but tedious task!

2. Use username and password best practices

There’s nothing new about this security tip, but it’s absolutely worth a reminder:

Use unique passwords. Use strong usernames. Use a password manager.

Hackers weren’t born yesterday; they know all the most common passwords and will test every single one with the username “admin.” So, do a quick audit.

  • Are your usernames hard to guess?
  • Are your passwords unique?
  • Have your passwords been updated recently?

If you’re feeling overwhelmed trying to remember all these login credentials, I highly recommend a password manager, such as 1Password. Not only will it help you create and store complex credentials, but it makes logging into sites a breeze. (Especially if you’re working with a team!)

3. Limit login attempts

Now that your credentials are nice and strong, take your login security one step further by limiting the login attempts! This is one of the best ways to defend against brute force attacks trying to gain access to your site.

To do this, you can use a plugin like Limit Login Attempts. It’ll block any attempt to log into your site after three errors, putting a block on it for twenty minutes.


Sure, it might get in your own way if you forget your password, but that’s what password managers are for, remember? 😉
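To make the lockout rule concrete, here is an added example (not code from the article or from the Limit Login Attempts plugin) of the logic such a plugin enforces: count failed logins per client address, lock that address out after three failures, and release the lock after twenty minutes. The `LoginLimiter` class, the `attempt_login` helper, the fake clock and the sample credentials are all constructed for this illustration.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3            # failures allowed before lockout (the plugin behaviour described above)
LOCKOUT_SECONDS = 20 * 60   # lockout duration: twenty minutes


class LoginLimiter:
    """Tracks failed logins per client IP and enforces a temporary lockout.

    State is kept in memory for illustration; a real plugin would persist it
    (for example in the options table or an object cache) because each PHP
    request starts with a clean slate.
    """

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock                  # injectable so the demo can fast-forward time
        self.failures = defaultdict(int)    # ip -> consecutive failure count
        self.locked_until = {}              # ip -> unix time when the lock expires

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: forget the old failures so the counter restarts.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a failed attempt; returns True if the address is now locked."""
        if self.is_locked(ip):
            return True
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        """A correct login clears the failure history for that address."""
        self.failures.pop(ip, None)
        self.locked_until.pop(ip, None)


def attempt_login(limiter, ip, username, password, check_credentials):
    """Returns 'locked', 'failed' or 'ok'. Locked addresses are refused before
    the password is even checked, which is what stops a brute-force loop."""
    if limiter.is_locked(ip):
        return "locked"
    if check_credentials(username, password):
        limiter.record_success(ip)
        return "ok"
    limiter.record_failure(ip)
    return "locked" if limiter.is_locked(ip) else "failed"


class FakeClock:
    """Constructed stand-in for time.time() so the demo can advance time."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Three wrong guesses lock the address; even the right password is refused
    until the twenty minutes have passed."""
    clock = FakeClock()
    limiter = LoginLimiter(clock=clock)
    # Constructed credential store: one user, one correct password.
    check = lambda u, p: (u, p) == ("editor", "correct horse battery staple")
    ip = "203.0.113.7"  # constructed sample address from the TEST-NET-3 range
    results = [attempt_login(limiter, ip, "admin", guess, check)
               for guess in ("123456", "password", "admin")]
    results.append(attempt_login(limiter, ip, "editor", "correct horse battery staple", check))
    clock.advance(LOCKOUT_SECONDS)
    results.append(attempt_login(limiter, ip, "editor", "correct horse battery staple", check))
    return results


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing in the flow: the lock is checked before the password, so a locked client learns nothing about whether a guess was right, and keying the counter on the client address means everyone behind a shared office NAT shares one lockout, which is exactly the "gets in your own way" situation the article mentions.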

4. Move the WordPress login URL

Another way to make your WordPress site extra secure is to change the login page. It’s pretty common knowledge that to log into a site, you just add /wp-admin to the end of the URL. By changing that link, it’s like you’re hiding the door to your site, making it harder for hackers to find.

There are a variety of different ways you can swap that link, but the WPS Hide Login plugin is a good place to start! Just don’t forget what you change the URL to, and remember to share it with any other site collaborators or clients.

5. Use two-factor authentication

Another great way to make your credentials more secure is to use two-factor authentication. This security method acts as a temporary second password that updates every 30 seconds or so. To gain access to your site, hackers would have to guess both your true password and the temporary security code within that 30-second timeframe, greatly increasing your chance of blocking them!

Two-factor authentication is great because you can use it on a variety of logins related to the sites you manage and the business you’re running. For example, Flywheel allows you to enable two-factor authentication on your hosting account, and you can also add it to individual WordPress sites.
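The rotating code described above is what authenticator apps implement as TOTP (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not code from the article or from Flywheel's or WordPress's two-factor implementation, showing how the server side derives and checks those 30-second codes. The `TotpVerifier` class and its replay-protection rule are constructed for this illustration; the shared secret is the ASCII test key published in RFC 6238.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # the code rotates every 30 seconds, as described above
DIGITS = 6          # the length most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second slot."""
    return hotp(secret, int(at // step))


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect in QR codes."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Server-side check for a submitted code.

    Accepts the current slot plus one slot either side to tolerate clock drift,
    and never accepts a slot at or below the last one that succeeded, so a code
    that was intercepted cannot be replayed within its window.
    """

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, window: int = 1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_used_counter = -1

    def verify(self, submitted: str, at: float) -> bool:
        counter = int(at // self.step)
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_used_counter:
                continue  # replay protection: this slot has already been consumed
            # Constant-time comparison so timing does not leak which digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_used_counter = candidate
                return True
        return False


def demo():
    """Walk through one code being generated, accepted once, then refused on replay."""
    secret = b"12345678901234567890"   # RFC 6238 Appendix B test secret (SHA-1)
    verifier = TotpVerifier(secret)
    now = 59                            # unix time; falls in slot 1 (30..59)
    code = totp(secret, now)
    return {
        "secret_for_app": provisioning_secret(secret),
        "code": code,
        "first_use": verifier.verify(code, now),     # accepted
        "replay": verifier.verify(code, now),        # same code again: refused
        "next_slot": verifier.verify(totp(secret, now + STEP_SECONDS), now + STEP_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```

The six-digit values reproduce the SHA-1 vectors in RFC 6238 Appendix B (the RFC lists eight digits; the six-digit code is its last six). The replay rule is the part most home-grown implementations forget: without it, a code that an attacker captured is still valid for up to 90 seconds given the drift window.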

6. Add Captcha to your forms

As you’ve probably gathered, locking down your site’s login page is incredibly important. That isn’t the only form you should think about, however. Don’t forget about blog comments, checkout pages, or any other open form on your website!

These are opportunities for hackers to submit information to your site, such as malicious links in a comment. Even if it doesn’t directly affect your site’s performance, having shady links will create a confusing user experience, and may even hurt your business.

To prevent this, you can install a WordPress plugin like Google Captcha (reCAPTCHA) by BestWebSoft.

WordPress security is an important topic for each and every site owner to understand. What else are you doing to keep your site secure?

Offload plugin updates to Flywheel

As you’ve learned, updating plugins is one of the simplest ways to keep your site secure – but it’s also one of the most time intensive. (Especially if you’re managing lots of WordPress sites.)

When you host your sites on Flywheel and use our Managed Plugin Updates Add-on, you’ll be able to rest easy at night knowing we’re doing a bunch of the security work for you. We’ll keep your plugins up to date, on top of handling WordPress core updates, taking automatic nightly backups, and keeping your sites on servers that are specifically optimized for WordPress security.

This article was originally published January 24th, 2019. It was last updated November 2nd, 2020.

Comments (2)

  1. CL King

    January 30, 2019

    These tips are sufficient to decrease the chances of getting hacked. Thanks for sharing...

  2. Keegan

    April 17, 2019

    Excellent read 🤘🤘🤘
    I'm always looking to continue either reinforcing what I know about WordPress security or learn new best practices. 🙏
