
How can I further increase my Flywheel site’s security?

Updated on May 20th, 2020

At Flywheel, we take care of general site security for you. However, there are certain added pieces of security that are optional or simply not needed by all sites. Here’s a list of some of those extra ways to enhance your Flywheel site’s security, starting with the most basic (and essential), working up to the more advanced options that may not be necessary or practical for everyone.

Note

This help doc exclusively focuses on adding additional security measures to your individual WordPress sites. For Flywheel account security, check out our doc on enabling two-factor authentication to make sure the only person getting into your Flywheel account is you.
1. Always use strong passwords

It seems obvious, but many WordPress users overlook this vital security measure. Your password is to WordPress what locking your front door is to home security – and it doesn’t matter how good your security system is if you leave the door open for anyone to walk through.

It’s not possible to overstate this crucial point:

If your WordPress password is short, if it’s something readable, if you use it on multiple sites, or if somebody who knows you well could potentially guess it, then chances are it should be stronger.

If you have a site with several WordPress users or allow visitors to create their own accounts, you can add the Force Strong Passwords plugin to make all users keep their passwords beefy.

2. Keep your themes and plugins updated

This is another obvious one, but themes and plugins can occasionally have security vulnerabilities, which are patched by the developer as soon as they’re discovered. It’s important to update regularly because many malicious bots specifically search for out-of-date plugins and themes with known vulnerabilities.

We take care of WordPress core updates for you, but if you’re not also updating your themes and plugins regularly, you risk leaving your site exposed. Plus, updates often patch other bugs and enhance usability, so it’s a win all around.

3. Uninstall inactive plugins and themes

Even deactivated plugins and themes can have vulnerabilities, and for that matter, can still take up your server’s resources, so they can sandbag site performance. It’s best to simply uninstall any plugins or themes that aren’t consistently active. You can always reinstall them later if you need to.

4. Avoid obvious WordPress user names

This is less important than having a strong password, but it’s still helpful. A generic WordPress username like “admin” will be one of the first things any hacker or bot will try. If somebody could guess your username just by looking at the site, it’s not a bad idea to update.

Unfortunately, WordPress doesn’t allow you to change your username by default, but if you’d like, you can create a new WordPress user and then delete your old one from the ‘Users’ area in the WordPress admin sidebar. (You’ll have to use a new email address to do this, since two WordPress users can’t share the same email address, but you can always change that later.)

5. Add Captcha

There are several variants of Captcha out there, but the idea is the same between plugins and methods: force any site visitor who tries to fill out a form to first prove they’re human.

While it was once a troublesome and inconvenient option, Captcha has improved greatly in recent years. Plus it protects all kinds of forms on your site, so it does double duty by helping to stop hackers and prevent spam. Google reCaptcha is the least intrusive option, and there are several plugins available to implement it, including Google Captcha (reCAPTCHA).

6. Move your WordPress login screen

Many WordPress hacks come from malicious bots that are programmed to crawl the web looking for WordPress sites. Once they find one, they’ll add “/wp-admin” to the end of the site’s URL to get to the login screen and try to force their way in.

Flywheel already protects against this kind of behavior, but you can add an extra layer of security by making your login screen harder to find in the first place.

The WPS Hide Login plugin allows you to change the location of your login screen from “/wp-admin” to whatever you want. You could use something like “/mysitelogin” or “/open-sesame” or anything else. Whatever you choose, any user who tries to use the old “/wp-admin” link will just see an error message, stopping bots and would-be hackers in their tracks.

Note

Moving your WordPress login screen will mean that you’ll have to share the new login URL with anyone who logs into WordPress on your site, or they won’t be able to access the admin area.

7. Add two-factor authentication

More targeted and secure on login screens than Captcha, two-factor authentication allows you to verify your identity through any number of methods: by scanning something on your smartphone, by receiving a code via text message and entering it on the site, and others.

Whatever the method, two-factor authentication is generally much harder to fake than traditional login credentials – and doing so while also logging in with a password is virtually impossible for a hacker, so this is an extremely powerful security solution.

Popular two-factor authentication plugins include Google Authenticator – Two Factor Authentication (2FA), Unloq, and Duo. Jetpack by WordPress.com also includes 2FA, among many other useful features.

8. Add an SSL certificate

While this isn’t necessary for all sites, it’s essential for any WordPress site collecting sensitive user information. But even if that’s not the case, an SSL certificate still helps to secure your site’s transmissions. Plus, Google ranks secure sites higher in search engine results, so you get a little SEO boost with a secure site as well!

Even better, Flywheel offers free SSL certificates for all plans.

To enable this, head to the Overview tab of the site’s Flywheel dashboard and click the Enable SSL link under your Domains list. More on SSL installation here.

9. Track WordPress user activity

WordPress does not offer an audit trail or log out of the box, so it can be helpful to add a plugin such as Simple History or Activity Log to track changes made to your WordPress site.

From a security standpoint, activity tracking provides a record of newly created users, failed logins to WP Admin, and repeated requests to pages that do not exist. Any of these could indicate malicious activity on your site, in which case our support team would be happy to provide assistance!

Other benefits include tracking plugin activations and post or page updates, which can be especially helpful when debugging problems on a site with multiple admins when “nobody touched anything” :).

One thing to keep in mind: depending on the amount of activity on the site, these plugins may consume resources, so weigh that against your site’s performance as you maintain it!
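To show how the three signals named above (new users, failed logins, repeated requests for missing pages) can be pulled out of an activity log, here is a small added example; it is not Flywheel’s code or part of any plugin, and the log lines and their “timestamp event key=value” format are constructed for illustration rather than taken from Simple History or Activity Log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real plugin output): "<timestamp> <event> key=value ...".
SAMPLE_LOG = """\
2020-05-20 10:01:02 login_failed ip=203.0.113.9 user=admin
2020-05-20 10:01:05 login_failed ip=203.0.113.9 user=admin
2020-05-20 10:01:09 login_failed ip=203.0.113.9 user=administrator
2020-05-20 10:01:20 login_failed ip=203.0.113.9 user=flywheel
2020-05-20 10:03:00 login_failed ip=198.51.100.4 user=editor
2020-05-20 10:05:00 not_found ip=203.0.113.9 path=/old-site/
2020-05-20 10:05:01 not_found ip=203.0.113.9 path=/test/
2020-05-20 10:05:02 not_found ip=203.0.113.9 path=/staging/
2020-05-20 10:07:00 user_created ip=203.0.113.9 user=support2 role=administrator
"""
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (.*)$", re.M)

def parse_log(text):
    """Turn each well-formed line into (timestamp, event, {key: value}); other lines are skipped."""
    events = []
    for m in LINE_RE.finditer(text):
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())  # assumes key=value pairs
        events.append((ts, m.group(2), fields))
    return events

def bursts_by_ip(events, event_name, threshold, window=timedelta(minutes=5)):
    """Map each IP to its peak count of `event_name` events inside any `window`, if >= threshold."""
    by_ip = defaultdict(list)
    for ts, name, fields in events:
        if name == event_name and "ip" in fields:
            by_ip[fields["ip"]].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def new_admin_users(events):
    """List (user, ip) for every account created with the administrator role."""
    return [(f["user"], f.get("ip")) for _, name, f in events
            if name == "user_created" and f.get("role") == "administrator"]
```

Thresholds and the five-minute window are assumptions to tune for your own site; a single failed login from a real editor (198.51.100.4 above) should not be flagged, while the clustered failures and missing-page requests from one address should.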

Note

Looking at the Site Health Checker? Check out this help document.
