8 Things You Should Always Do For A Secure WordPress Site

An image of a mountain with the text "WordPress Security Best Practices - Caldera Forms"

By David Hayes

In the previous posts (you can read them here and here), I talked about the importance of security for WordPress sites and about the unnecessary security tips you hear all the time. In this post, I will be sharing with you the things that you should always do. These aren’t in any exact order, but they’re roughly in the order of relative importance I think you’ll want to give them.

I’ll also add that if you just do the first few of these, you’re ahead of 50% of the WordPress websites online. If you do the first five it’s unlikely that you’ll ever have an irrecoverable security problem on your WordPress site, and if you do them all I’d be pretty surprised if you had a site compromised. That is not a guarantee, it’s just how I think about it.

Do: Have Good Passwords For WordPress

The basic way that every WordPress site on the internet could be attacked is pretty simple: bots guess account passwords regularly, on almost every WordPress site online. If you have a bad password, you’ll likely lose your account, and thus your site. Some obviously bad passwords:

  • Password
  • p455w0Rd
  • [sitename]
  • charlieiscute

There are lots of different schools of thought about what makes a good password. But pretty much everyone agrees that these are bad. All of these are bad because it’s pretty easy for a password-guesser to hit them. “password” and its variants—even those cool, clever character substitutions—are always high on a password-guessing script’s list to try. Site names are also easy to guess. And by “[sitename]”, I mean something like “WPShout” or “wpshout” as the password Fred or I have on WPShout.

A picture of a list of hard-to-guess passwords.

“charlieiscute” has some big advantages over the others. It’s not a dictionary word, for one. It’s longer as well. And after all, most people think that Charlie is handsome and not cute. (That is a joke. I don’t know Charlie.)

The nice thing about “charlieiscute” is that it’s long. It’s also a little unique. But it’s not terribly hard to guess: it uses only lowercase letters. No uppercase, no numbers, no special characters. While the attacker is unlikely to know that, including other classes of characters makes it less likely that a random guessing system will hit your password quickly.

Steps To Beef Up WordPress Password Security

There are a number of things to improve your password security in WordPress. But here are the big three:

  • Have a hard-to-guess password. Good passwords look hard to read and complex. Something like “RP@yu3ohd&LtpwzM}rWhgp6#AtY6HAzjvxKnz9zh”. This password is long, random, and unique. The likelihood that any attack script could guess it is low. And because it’s unique—it’s not also my password on Facebook, ArtWorld, RandomInternetReseller, or anything else—a compromise of them won’t compromise it.
  • Slow down password-guessing attacks. By default, a bot can guess 1000 passwords per minute (roughly) on your WordPress site. That’s a lot. If you block people from continuing to try to log in after a set number of failed attempts–3, 5, 10, whatever–you’ll slow down an attacker a lot. My favorite way to do it is “Limit Login Attempts.” Here’s a Quick Guide explaining limiting login attempts in more detail.
  • Use a password manager. If you’ve done the first thing above, you’re going to quickly get tired of typing that password, or you’ll forget it. This is where a password manager comes in. There are too many types of password managers for me to tell you which to use and why. I personally use and like 1Password, but your mileage may vary. KeePass and LastPass are other popular managers.
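The “slow down password-guessing attacks” step above can be implemented without a plugin. The following is an added example written for this post, not code from Caldera Forms or from the Limit Login Attempts plugin: a must-use plugin that counts failed logins per client address and username in WordPress transients and refuses further attempts once the limit is hit. The limits, the `ex_lla_` names and the file location are assumptions you can change.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example, not the Limit Login Attempts plugin. Save as wp-content/mu-plugins/ex-login-limiter.php.
 */

// Tunables (assumptions for this example, not WordPress settings).
define( 'EX_LLA_MAX_FAILURES', 5 );                      // lock out after this many failures
define( 'EX_LLA_WINDOW', 15 * MINUTE_IN_SECONDS );       // failures are counted inside this window
define( 'EX_LLA_LOCKOUT', 30 * MINUTE_IN_SECONDS );      // how long a locked-out key stays blocked

// One counter per (client address, username) pair, stored under a hashed transient name.
function ex_lla_key( $username ) {
    // Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy. Have the proxy set the real
    // client address in a header and validate it before using it here; do not trust it blindly.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_lla_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Count every failed login; once the threshold is reached, mark the key as locked.
add_action( 'wp_login_failed', 'ex_lla_record_failure' );
function ex_lla_record_failure( $username ) {
    $key   = ex_lla_key( $username );
    $state = get_transient( $key );
    if ( ! is_array( $state ) ) {
        $state = array( 'failures' => 0, 'locked_until' => 0 );
    }
    $state['failures']++;
    if ( $state['failures'] >= EX_LLA_MAX_FAILURES ) {
        // Attempts made during a lockout also count, so the lockout is extended while
        // the guessing continues and only expires once the attempts stop.
        $state['locked_until'] = time() + EX_LLA_LOCKOUT;
        set_transient( $key, $state, EX_LLA_LOCKOUT );
        error_log( sprintf( 'ex_lla: lockout for user "%s" after %d failed logins', $username, $state['failures'] ) );
        return;
    }
    set_transient( $key, $state, EX_LLA_WINDOW );
}

// Refuse a login for a locked key even when the password is right. Priority 30 runs after
// WordPress's own username/password check (priority 20), which would otherwise override an
// earlier WP_Error with a valid WP_User.
add_filter( 'authenticate', 'ex_lla_block_if_locked', 30, 3 );
function ex_lla_block_if_locked( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user; // nothing to key on
    }
    $state = get_transient( ex_lla_key( $username ) );
    if ( is_array( $state ) && $state['locked_until'] > time() ) {
        return new WP_Error( 'ex_lla_locked', __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}

// A successful login clears the counter for that address/username pair.
add_action( 'wp_login', 'ex_lla_clear_on_success' );
function ex_lla_clear_on_success( $user_login ) {
    delete_transient( ex_lla_key( $user_login ) );
}
```

Because the counter is keyed by address and username together, a legitimate user who mistypes a password a few times is locked out only from their own address, while a bot rotating usernames from one address still hits the limit on each name. The `error_log()` line is there so lockouts show up in the PHP error log, which is the kind of signal the “check up on your site” section below is about.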

Do: Keep WordPress, Plugins, And Themes Updated

The other way that every WordPress site online is almost guaranteed to be attacked by the swarming botnets is via attacks against known exploits in software it may be running. Whether or not you ever used Revolution Slider, TimThumb, or another famously hacked WordPress plugin, a bot likely tried to make use of the known issue in the old version of that software on your site. There’s a good chance that even though those exploits are now quite old, a bot is trying to attack a WordPress site with them now.

This is why you must keep WordPress up-to-date. And not just the core WordPress, but all the plugins and themes you use too. It’s more common today for plugins to have security vulnerabilities than either WordPress core or themes, but all three can. And when an outside researcher or inside developer realizes there was a security problem in some of their code, their most responsible course of action is to create a new version that doesn’t have that vulnerability. Most players in the WordPress ecosystem are good at doing this.

A screenshot of the WordPress screen showing plugins available to update.

This is why you must do your part. When they offer updates with bugfixes or security patches, you must install them in a timely way. You can have WordPress install these updates for you, do it yourself, or use a remote WordPress management plugin like ManageWP. “Managed” WordPress hosts will take care of these kinds of things for you (we use and like SiteGround – see our SiteGround review for more info). You can also just hire someone to do it, if you can’t be bothered. But you really must do this if you’re serious about WordPress security.
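“You can have WordPress install these updates for you” can be set up in code rather than through the dashboard toggles. The following is an added example, not code from the post or from ManageWP or SiteGround: a must-use plugin that switches on automatic updates for every plugin and theme, except a hold-out list of plugins you prefer to update by hand after testing. The `EX_MANUAL_PLUGINS` list and the file name are assumptions; the `auto_update_plugin`, `auto_update_theme` filters and the `WP_AUTO_UPDATE_CORE` constant are WordPress’s own.

```php
<?php
/**
 * Plugin Name: Example Auto-Update Policy
 * Description: Added example, not the post's code. Save as wp-content/mu-plugins/ex-auto-updates.php.
 */

// Assumption: plugins listed here (as "plugin-dir/main-file.php") are updated manually
// after testing on a staging copy; everything else updates automatically.
const EX_MANUAL_PLUGINS = array(
    'example-custom-plugin/example-custom-plugin.php', // placeholder, not a real plugin
);

// $item is the update object WordPress passes for each plugin; ->plugin is its file path.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, EX_MANUAL_PLUGINS, true ) ) {
        return false; // leave this one for a human
    }
    return true;
}, 10, 2 );

// Themes: update them all automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Core: WordPress applies minor (security and maintenance) releases by default. Setting this
// to true also applies major releases. It normally lives in wp-config.php; it is checked at
// runtime, so defining it here works too when it is not already set.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}
```

Automatic updates only run when WP-Cron (or a real cron job calling `wp-cron.php`) is firing, so a site with cron disabled still needs someone to click “Update” or a managed host doing it for them.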

Do: Make Sure You’re Creating Regular, Automated WordPress Backups

One of the best things you can do to keep your site secure is to make sure that you’ve got data security for when something bad happens. What this means is that you should have at least one recent backup of your site that you can use to rebuild or restore if something bad happens.

The only way, I believe, to reliably have a recent backup of your site is to do it automatically. Because we’re human, and thus fallible, it’s highly likely that if you required that you hit 1-10 clicks in your WordPress site to have an up-to-date backup, you’d sometimes skip doing it.

That’s the reason that you should try to use a backup plugin. It should also, ideally, be one that backs up both your files (photos, PDFs, etc.) and your database. And it’ll ideally push that data off the server you’re hosting on, as that does the most to ensure that an attacker who gets into the server can’t easily delete your backups as well.

Because this is a post about WordPress security and not backups, I’m not going to make you a full list of all the options and what their trade-offs are. But I think that Updraft Plus, Jetpack/Vaultpress, and Backup Buddy are the ones that come to mind for me.
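To make the three properties above concrete (automatic, files plus database, pushed off the server), here is an added example that is not the post’s code and not UpdraftPlus, VaultPress or BackupBuddy: a command-line PHP script meant to be run by the system cron, which dumps the database, archives `wp-content` and `wp-config.php`, copies the archive to another host and prunes old local copies. The paths, the `rsync` destination, the retention count and the `ex_` function names are assumptions; `mysqldump`, `tar` and `rsync` are assumed to be installed.

```php
<?php
// Added example backup script (not the post's code). Run it from cron, as the site's user,
// from a directory OUTSIDE the web root so it is never served to visitors.

// Assumptions for this example: adjust for your server.
$wp_root     = '/var/www/example.com';                      // WordPress install
$backup_dir  = '/var/backups/example.com';                  // local staging dir, outside the web root
$keep        = 7;                                           // local archives to keep
$offsite_cmd = 'rsync -a %s backup-host:/srv/wp-backups/';  // %s is replaced by the archive path

// Pull database credentials from wp-config.php without loading WordPress.
// Caveat: a password containing a quote character would need a smarter parser than this regex.
function ex_read_db_constants( $wp_root ) {
    $cfg = file_get_contents( $wp_root . '/wp-config.php' );
    if ( $cfg === false ) {
        throw new RuntimeException( 'cannot read wp-config.php' );
    }
    $out = array();
    foreach ( array( 'DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST' ) as $name ) {
        if ( ! preg_match( "/define\(\s*['\"]" . $name . "['\"]\s*,\s*['\"](.*?)['\"]\s*\)/", $cfg, $m ) ) {
            throw new RuntimeException( "$name not found in wp-config.php" );
        }
        $out[ $name ] = $m[1];
    }
    return $out;
}

// Run a shell command and stop the whole backup on the first failure.
function ex_run( $cmd ) {
    exec( $cmd . ' 2>&1', $output, $status );
    if ( $status !== 0 ) {
        throw new RuntimeException( "command failed ($status): " . implode( "\n", $output ) );
    }
}

function ex_backup( $wp_root, $backup_dir, $keep, $offsite_cmd ) {
    $db    = ex_read_db_constants( $wp_root );
    $stamp = gmdate( 'Ymd-His' );
    $work  = "$backup_dir/$stamp";
    if ( ! is_dir( $work ) && ! mkdir( $work, 0700, true ) ) {
        throw new RuntimeException( "cannot create $work" );
    }

    // Database dump. The password goes through the environment, not the command line,
    // so it does not show up in the process list. DB_HOST of the form "host:port" would need splitting.
    putenv( 'MYSQL_PWD=' . $db['DB_PASSWORD'] );
    ex_run( sprintf(
        'mysqldump --single-transaction --host=%s --user=%s --result-file=%s %s',
        escapeshellarg( $db['DB_HOST'] ), escapeshellarg( $db['DB_USER'] ),
        escapeshellarg( "$work/database.sql" ), escapeshellarg( $db['DB_NAME'] )
    ) );
    putenv( 'MYSQL_PWD' ); // remove it from the environment again

    // Files: wp-content (uploads, themes, plugins) plus wp-config.php, together with the dump.
    $archive = "$backup_dir/$stamp.tar.gz";
    ex_run( sprintf(
        'tar -czf %s -C %s wp-content wp-config.php -C %s database.sql',
        escapeshellarg( $archive ), escapeshellarg( $wp_root ), escapeshellarg( $work )
    ) );
    unlink( "$work/database.sql" );
    rmdir( $work );

    // Push the archive off this server, then prune the oldest local copies.
    ex_run( sprintf( $offsite_cmd, escapeshellarg( $archive ) ) );
    $archives = (array) glob( "$backup_dir/*.tar.gz" );
    sort( $archives ); // timestamped names sort oldest first
    foreach ( array_slice( $archives, 0, max( 0, count( $archives ) - $keep ) ) as $old ) {
        unlink( $old );
    }
    return $archive;
}

echo 'backup written: ' . ex_backup( $wp_root, $backup_dir, $keep, $offsite_cmd ) . "\n";
```

The off-site step is the part that matters most for the security argument: use a destination the web server can only write to (a separate backup account, an append-only bucket, or a pull from the backup host), so that someone who takes over the site cannot also wipe its history. And test a restore once; a backup nobody has restored from is an assumption, not a backup.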

Do: Regularly Check Up On Your WordPress Site

This isn’t really something that can stop the first bad thing from happening on your site. In fact, the reason it’s important that you stay abreast of the state of your site is, mostly, to stop worse things from happening. When you see weird things happening on your site, it’s easier to fix them early, and the less damage (Google warning visitors about you, for example) a site takeover can do.

If you’re not regularly logging into your sites to update them, you should at least make sure that the public side of them looks good on a regular basis. And if you’re not able to do that, you should at least make sure that to an external service (like Pingdom) the site appears to be online.

What these checks do for you is tell you when it’s time to restore your backup into a fresh copy of the live site, if something bad or weird does seem to be happening. It’s not as good as nothing bad happening, but it’s vital for the site’s long-term health.
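An external “is it online and does it still look like my site” check, of the kind the two paragraphs above describe, can be a short script on a machine other than the web server. The following is an added example, not the post’s code and not Pingdom: it fetches the homepage and `wp-login.php`, checks the status codes, checks that an expected piece of text is present, and fingerprints the `<script>` and `<iframe>` sources on the page so that a newly injected external script changes the fingerprint while ordinary post updates do not. The site URL, marker text, alert address, state file and `ex_` names are assumptions.

```php
<?php
// Added example site check (not the post's code). Run from cron on a host that is NOT the web server.

$site_url   = 'https://example.com/';        // assumption: your site, with trailing slash
$marker     = '<title>Example Site';          // assumption: text that must appear on the homepage
$state_file = __DIR__ . '/site-check.state';  // last-seen fingerprint lives here
$alert_to   = 'you@example.com';              // assumption: where alerts go

// Fetch a URL without following redirects: a redirect to an unexpected host is itself a warning sign.
function ex_fetch( $url ) {
    $ch = curl_init( $url );
    curl_setopt_array( $ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 20,
        CURLOPT_USERAGENT      => 'ex-site-check/1.0',
    ) );
    $body   = curl_exec( $ch );
    $status = (int) curl_getinfo( $ch, CURLINFO_HTTP_CODE );
    $error  = curl_error( $ch );
    curl_close( $ch );
    return array( 'status' => $status, 'body' => (string) $body, 'error' => $error );
}

// Fingerprint only the embedded script/iframe sources, which should be stable between visits.
function ex_fingerprint( $html ) {
    preg_match_all( '/<(?:script|iframe)[^>]*\ssrc=["\']([^"\']+)["\']/i', $html, $m );
    $srcs = array_values( array_unique( $m[1] ) );
    sort( $srcs );
    return array( 'hash' => sha1( implode( "\n", $srcs ) ), 'srcs' => $srcs );
}

$problems = array();

$home = ex_fetch( $site_url );
if ( $home['error'] !== '' || $home['status'] !== 200 ) {
    $problems[] = sprintf( 'homepage returned status %d %s', $home['status'], $home['error'] );
} elseif ( strpos( $home['body'], $marker ) === false ) {
    $problems[] = 'homepage is up but the expected marker text is missing';
} else {
    $now  = ex_fingerprint( $home['body'] );
    $last = is_file( $state_file ) ? json_decode( file_get_contents( $state_file ), true ) : null;
    if ( is_array( $last ) && $last['hash'] !== $now['hash'] ) {
        $problems[] = "embedded script/iframe sources changed:\n  was: " . implode( ', ', $last['srcs'] )
                    . "\n  now: " . implode( ', ', $now['srcs'] );
    }
    // The new fingerprint becomes the baseline, so a legitimate change (you added a script) alerts once.
    file_put_contents( $state_file, json_encode( $now ) );
}

// The login page should also answer normally.
$login = ex_fetch( $site_url . 'wp-login.php' );
if ( $login['status'] !== 200 ) {
    $problems[] = 'wp-login.php returned status ' . $login['status'];
}

if ( $problems ) {
    mail( $alert_to, "[site-check] problem with $site_url", implode( "\n", $problems ) );
    fwrite( STDERR, implode( "\n", $problems ) . "\n" );
    exit( 1 );
}
echo "ok\n";
```

Uptime alone is a weak signal for compromise: a defaced or malware-serving site is usually “up”. That is why the check also looks at what the page contains, and the script-source fingerprint is one cheap way to notice the kind of change a takeover tends to make.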

Do: Avoid Untrusted Or Pirated WordPress Code

It was extremely easy to find pointers on pirated WordPress themes. You shouldn’t do this.

This one is not super important for most people. Most of us are using only software from WordPress.org, from developers we’ve hired or worked with, or from other reputable sellers. If you do all of those things, you hardly need to worry about this one.

This is mostly for people who are trying to save money by pirating plugins, themes, etc. Or people who are trying to save money by getting code from “plugin clubs” or other less-than-stellar sources. If you do that, it’s possible that the code is free precisely because someone has already put a security back-door inside it.

It does, sometimes, happen that free WordPress.org plugins are taken over by bad actors and bad things are done with them. It’s fortunately rare, and the maintainers of WordPress.org are pretty good about making it right. But if you’re worried about it, the best step is to be a little more thorough in your consideration of whose plugins you’ll install.

Do: Further Enhance WordPress Log-In Security (HTTPS, 2FA)

One of the most common pieces of WordPress security advice is to get an SSL certificate. And it’s definitely a good step (and another reason we like SiteGround – they make this easy). But an important thing that too few people realize is that HTTPS/SSL doesn’t really secure your WordPress site, but rather communication between your site and you and your other users (read: buyers). So it’s super valuable, but not everything.

At heart, HTTPS should be thought of as a secure tunnel between your site and anyone viewing it in a web browser. HTTP connections can be snooped by any of the various devices sitting in between a visitor and server. With HTTPS it’s (nearly) impossible for those people to snoop.

So the most immediate benefit of HTTPS is that your log-in credentials (or credit card details, etc.) are safer. It’s less likely that someone snooping on coffee shop wifi, for example, will see your password. So you should, by all means, get an HTTPS certificate. But don’t think that it’s securing your actual WordPress installation on the server in any way, because it’s not really.

A screenshot of the Two Factor Authentication plugin page.

Another step which is good but slightly inconvenient is to use two-factor authentication on your site. When you do this, you’ll need three things to log in, rather than two. Typically, we log in to a site with the username (or email address) and password. With 2FA you also need “something you have”, which today usually means a smartphone that can either receive text messages or generate a time-based code. In both cases, you’re more secure because a compromise of your password is insufficient to take over your account; they’ll need that 4 or 6 digit code too. There are constantly changing sets of plugins which give this feature in WordPress. At present, Jetpack offers this, or you can use a standalone plugin.

Do: Control Access You Provide To Your WordPress Site

Another really useful security practice is just to be really thoughtful about who you give what access to your site. This is more a combination of different steps than any single one. But things that I think fit under this title are things like:

  • Provide each user with a tailored account. Don’t have Jamal and Estrella both log into your site with an account with a username like admin or wpshout. Give each of them an account, and only offer their account with the access rules they need. Using WordPress’s user roles and capabilities, give Jamal the writer an “Editor” account, but Estrella your developer the full “Administrator” access. This is based on what’s called the principle of least access.
  • Don’t let people have weak passwords. If you follow the advice above, you’ll also want to make sure that Jamal and Estrella don’t use passwords like newyork or gogators. You can do this via social pressure—just ask or tell them not to—or via a real enforcement mechanism, like a plugin.
  • Don’t give too much access. By this I mean more obscure advice, mostly made easier with a security plugin. (Or, if you’re a developer, setting some WordPress constants.) Things like disallowing file editing in the WordPress administration area, and making sure that you don’t give web hosting or SFTP access to people who don’t need it, also fit under this general umbrella.
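The “real enforcement mechanism” for weak passwords mentioned above, and the “WordPress constants” that turn off file editing, can live together in one small must-use plugin. This is an added example, not the post’s code and not any of the security plugins named later; it applies the password rules from the first section (length, character classes, no site name, no username, no “password” even with character substitutions) whenever a password is set from a profile screen or a reset link, and it defines `DISALLOW_FILE_EDIT`, which is a real WordPress constant. The minimum length, the `ex_` names and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Example Access Hardening
 * Description: Added example, not the post's code. Save as wp-content/mu-plugins/ex-access-hardening.php.
 */

// "Don't give too much access": remove the theme/plugin code editor from wp-admin. This constant
// is checked at runtime (it maps edit_themes/edit_plugins to do_not_allow), so defining it here
// works the same as in wp-config.php, which is its usual home.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

const EX_MIN_PASSWORD_LENGTH = 16; // assumption for this example

// Returns null when the password is acceptable, otherwise a message explaining why not.
function ex_password_problem( $password, $username, $email ) {
    if ( strlen( $password ) < EX_MIN_PASSWORD_LENGTH ) {
        return sprintf( 'Passwords must be at least %d characters long.', EX_MIN_PASSWORD_LENGTH );
    }
    $classes = 0;
    foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/' ) as $re ) {
        if ( preg_match( $re, $password ) ) {
            $classes++;
        }
    }
    if ( $classes < 3 ) {
        return 'Use at least three of: lowercase letters, uppercase letters, digits, symbols.';
    }
    // Undo the common substitutions so "p455w0Rd" is still recognised as "password".
    $normalized = strtolower( strtr( $password, array(
        '@' => 'a', '4' => 'a', '3' => 'e', '1' => 'i', '!' => 'i', '0' => 'o', '5' => 's', '$' => 's', '7' => 't',
    ) ) );
    // Words that must not appear: "password", the site title, the domain label, the username, the email local part.
    $site  = strtolower( preg_replace( '/[^a-z0-9]/i', '', get_bloginfo( 'name' ) ) );
    $host  = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $label = explode( '.', preg_replace( '/^www\./', '', $host ) )[0];
    $local = ( is_string( $email ) && strpos( $email, '@' ) !== false ) ? strstr( $email, '@', true ) : '';
    $banned = array( 'password', $site, $label, strtolower( (string) $username ), strtolower( $local ) );
    foreach ( $banned as $word ) {
        if ( strlen( $word ) >= 3 && strpos( $normalized, $word ) !== false ) {
            return 'Passwords must not contain the site name, your username, your email, or "password".';
        }
    }
    return null;
}

// Profile create/update screens: $user->user_pass holds the new password when one was entered.
add_action( 'user_profile_update_errors', 'ex_check_profile_password', 10, 3 );
function ex_check_profile_password( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // password not being changed
    }
    $problem = ex_password_problem( wp_unslash( $user->user_pass ), $user->user_login ?? '', $user->user_email ?? '' );
    if ( $problem ) {
        $errors->add( 'ex_weak_password', $problem );
    }
}

// Password-reset form (wp-login.php?action=rp): the new password arrives as $_POST['pass1'].
add_action( 'validate_password_reset', 'ex_check_reset_password', 10, 2 );
function ex_check_reset_password( $errors, $user ) {
    if ( empty( $_POST['pass1'] ) || ! ( $user instanceof WP_User ) ) {
        return; // form being displayed, or the reset key was invalid
    }
    $problem = ex_password_problem( wp_unslash( $_POST['pass1'] ), $user->user_login, $user->user_email );
    if ( $problem ) {
        $errors->add( 'ex_weak_password', $problem );
    }
}
```

Adding to the `$errors` object is enough: WordPress refuses to save the profile or complete the reset while it holds an error, and shows the message to the user. The rules are deliberately the same ones the password section of this post argues for; “newyork” and “gogators” fail on length, and a substituted “p455w0Rd” fails on the banned-word check even though it mixes character classes.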

Do: Install A WordPress Security Plugin

There are a number of good WordPress security plugins. Which specific one you should use is a topic for a possible future article I write or public resource I create. But a good security plugin is likely to help you with a number of the common security needs we’ve listed above (and a number will help with things I’ve omitted from this article, or put in the not-useful class).

Names that immediately come to mind for me are Sucuri, WordFence, Jetpack Protect, and iThemes Security. There are others, and as that list is meant as a starting point for your research, not the final list, please don’t read meaning into its order.

Plugins will do many things for you. They’ll keep access logs for you, block known bad actors, limit login attempts, and help you fix more esoteric things like file permission issues on your site. WordFence and Sucuri (in different ways) also provide a helpful bad-traffic-blocking mechanism for getting rid of botnets, called a “Web Application Firewall.”

Implement These Tips To Protect Your WordPress Sites

I hope you take the good advice here to heart. WordPress security starts with being up-to-date and using strong passwords. From there, most of the rest is useful but not necessary, because WordPress itself is pretty secure. But backups are required for real confidence, as is watching your site, being proactive about user controls, and having a security plugin.

But there’s a lot more advice you’ll hear out there in the world, and while it’s not useless, I really don’t recommend you spend time focusing on it.

This series of posts has syndicated some content from my site, WPShout. For the full piece, have a read of The Complete Guide to WordPress Security. If you want to truly get to the bottom of this, then I can recommend my course WordPress Security with Confidence, which helps WordPress developers really understand WordPress security.

For more of my writing, you can find me every week at WPShout, where we teach WordPress development! Thanks for reading, and hopefully these security practices have been helpful for you.