Home » Guides » How to keep your WordPress website secure

How to keep your WordPress website secure

Security still isn’t high on the agenda of most businesses, even though WordPress attacks are becoming more and more common. Yet most have spent a lot of money designing, building and maintaining their websites.

No successful attacks isn’t proof you’re secure, and we’ve seen too many hacked WordPress sites to be complacent anymore. Don’t panic though, if you take some reasonable precautions you can reduce the risks.

Below is our checklist of suggestions for you to follow yourself. It’s common sense stuff and doesn’t need high technical skills. Allow an hour for someone to run through it once each quarter for peace of mind, or ask us to do it for you.


Note: Your website will never be 100% secure, as hackers keep trying new ways to exploit vulnerabilities. However the tips here are about minimising the risk as best as possible, without strong technical skills.

1. Use strong passwords

Your WordPress security is only as good as your worst user password. You should have passwords with a mix of letter / numbers and capitals / lower case. They should also be 8 or more characters long and not used anywhere else.

Check your other users are doing this – all it takes is one weak password and all the rest are pointless.

2. Keep WordPress updated

Keeping WordPress up to date means you’re getting all the latest security protection. There’s no excuse if you’re not bothering to do this. If WordPress is prompting you to update in your dashboard, first consider these points BEFORE updating:

  • Make sure you have a current backup of the website
  • Update plugins first (or at least the important ones)
  • Make sure your website isn’t dependent on an old theme framework or plugin that may not be compatible with the latest WordPress.

Then, run the update and check your website in a browser.

3. Keep plugins updated

Keeping plugins up to date is as important as keeping WordPress up to date. Older versions can sometimes have loopholes in them that can be exploited without an update that fixes them. If plugins are prompting you to update in your dashboard, update them at least once a month. As a precaution, you may want to consider these points BEFORE updating:

  • Make sure you have a current backup of the website just in case
  • Keep WordPress updated too. Sometimes plugin updates are only supported by the latest WordPress version.

4. Limit login attempts

Install and activate the Limit Login Attempts plugin. It reduces hacking by locking your Login panel after a set number of failed attempts. Also, keep the number of people with access to the site as low as possible. The more the more likely someone will be a weakness with their security.

5. Remove ‘Admin’ as a username

Installing WordPress creates “Admin” as a username for you, by default. This makes it easier for hackers to use in combination with guessing your password. It’s doing half their job for them. To fix this, create a user with another name and give Administrator privileges to that account. Logout and and then login using your new account.

First, if you had any Posts assigned to the “Admin” account then reassign them to your new account by editing each one. Then, delete the old “Admin” account in Users.

6. Use decent hosting

If you bought the cheapest possible web hosting package you could find, you can’t expect your website to be as secure as it can be. These packages are cheap for a reason.

We currently recommend TSO Hosts. If you suspect yours isn’t up to scratch we suggest you migrate to a better host, as and when you can.

7. Create regular backups

This doesn’t improve security as such, but it’s important in keeping your website content and the time you’ve invested in it secure. Set up a robust backup system running on your website. We recommend VaultPress.com which is about £3 /month for the Lite plan.

Once you do have a backup system running, set it to a schedule that suits how often you update your website. Ask yourself, how much would I tolerate losing should the worst happen?

8. Use our maintenance list regularly

Run through our list of regular maintenance checks to keep your WordPress website in good shape too.

Other ideas

These are some extra things you can do if you’re slightly more technically skilled:

  • Install and set up Sucuri or Wordfence plugins, for a little extra protection
  • Every 6 months check your hosting is running the latest version of PHP
  • Enable Google Search Console, as it will advise you if it detects problems
  • Monitor WPTavern for early notice of issues – they tend to break news of issues fast.

Want some help with this? Ask us for a quote ›