Keeping your website secure is something every website owner worries about. And for good reason: if your site is hacked or goes down, you could lose business.
WordPress used to have a reputation for being insecure. But these days, it's no longer true. Some of the world’s largest brands, including major news corporations and government departments, use WordPress for their websites. They wouldn’t use it if it weren't secure.
But WordPress is open-source software, which means anyone can access the code. And that means hackers can try to identify vulnerabilities and exploit them. Luckily, the WordPress community is on top of this, and security updates are released regularly to fix any vulnerabilities. So as long as your site’s up to date, you have less to worry about.
In this post, I’ll show you some ways to make your site more secure. I’ll include best practices for security and show you how to make your site less vulnerable to hackers.
Let’s start with some best practices.
WordPress Security Best Practices
Before you start installing security plugins or tinkering with your wp-config.php file to make your site more secure, there are some simple best practices you can follow to enhance security in your WordPress site.
- use strong passwords
- keep your site up to date
- only buy plugins and themes from reputable sources
- use secure hosting
- disable the theme editor
- take regular backups
- use SFTP to upload files to your site
- add SSL to your site
- install a security plugin
- use a security service
Let's take a look at what each of these means.
1. Use Strong Passwords
Using strong passwords is the simplest and one of the most effective lines of defense against hackers. You should always use passwords that include a combination of letters, numbers, and special characters, and make sure other users on your site do so too.
You can check your passwords on the How Secure is my password? site to find out how long it would take an automated system to crack your password. The password I use for my site would take 16 billion years to crack, so I don’t think there’s much chance of anyone guessing it.
You can also force other users of your site to use strong passwords using a plugin like Force Strong Passwords. Alternatively, if you have Jetpack installed, you can force strong passwords using that plugin.
2. Keep Your Site Up to Date
Another simple but very effective way to keep your site safe is to ensure it’s up to date.
Some WordPress updates are to introduce new features. Others are to fix bugs. But plenty of them will add security patches, and you want to make sure your site has those.
Make sure you update your site whenever the dashboard tells you to, and diarize to check it regularly. This applies to themes and passwords as well as to WordPress itself.
Alternatively, you can install a plugin that will manage and automate updates for you. The Easy Updates Manager plugin lets you choose which themes and plugins to keep updated and will run a regular check for you and run updates.
If you do automate updates, make sure you take regular backups of your site in case an update causes problems.
3. Only Buy Plugins and Themes From Reputable Sources
When you’re choosing themes and plugins, it’s important to only install ones that you are confident will be free of bugs or malicious code.
With free plugins, it’s a good idea to only install plugins and themes you find in the theme and plugin directories (which you access via your WordPress admin). These themes go through quality checks, so you can be confident they’ll be well coded and free of any malicious content.
If you’re ever tempted to download a free plugin from anywhere other than the theme or plugin directory, stop to check the source carefully first. If the provider is offering the plugin for free and hasn’t submitted it to the official directory, ask yourself why they might be doing that. There’s a chance they could be doing it because they want to introduce vulnerabilities to your site or at the very least insert spammy content or links.
The Best WordPress Themes and Plugins on Envato Market
Explore thousands of the best WordPress themes ever created on ThemeForest and leading WordPress plugins on CodeCanyon. Purchase these high-quality WordPress themes and plugins and improve your website experience for you and your visitors.
4. Use Secure Hosting
When choosing your hosting provider, take the time to find a reputable provider who will provide guarantees about security and uptime. A dedicated WordPress hosting provider like SiteGround will be able to help you with any security issues you might have, and will take steps to keep their servers secure.
The hosting plan you go for will also have an impact on security. The cheapest hosting plans are cheap because they have hundreds or thousands of clients and websites on a server. The more people using that server, the more opportunities there are for introducing security problems.
So before you go with that ultra-cheap hosting provider, ask yourself if it might cost you more in the long run.
Special Discount for WordPress Hosting
For secure hosting, take a look at SiteGround. It comes with an easy installer, free support, and automatic updates. We're happy to be able to offer a huge discount of 70% off self-managed WordPress hosting, thanks to our partnership with SiteGround.
5. Disable the Theme Editor
The theme editor, or visual editor, is a screen in your WordPress admin you can use to edit the code in your theme.
It might look like a really handy way to tweak your code, but it has some serious risks attached to it. When you edit code using the theme editor, the old version is not backed up. You have no way of rolling back your changes if you do something that breaks your site or introduces vulnerabilities,
If you want to edit the code in your theme (or create a child theme to modify your theme, which is better), then you should use a code editor and SFTP.
You can disable the theme editor by adding two lines of code to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true ); define( ‘DISALLOW_FILE_MODS’, true );
That way, you and other users of your site won’t be tempted to use it to make quick tweaks that could cause you big problems.
Note: only modify your wp-config.php file if you’re confident doing this sort of thing.
6. Take Regular Backups
It’s good practice to keep your site backed up regularly. This way, if your site is hacked or it breaks after an update, you have a recent version you can restore.
Install a backup plugin and set it to automatically back up your site at least as often as you update the site. So if you’re adding to your site every day, back it up every day. That way, if you do have to restore the most recent backup, you won’t lose much content.
The same goes for automatic updates: if your updates plugin is running updates every day, you should also back your site up every day.
- WordPressHow to Backup Your WordPress SiteAdi Purdila
- WordPressChoosing the Best Free WordPress Backup PluginRachel McCollin
7. Use SFTP to Upload Files to Your Site
If you’re editing and uploading files to your WordPress site (e.g. theme and plugin files), then it’s important to do this in the most secure way you can.
Using SFTP instead of FTP means that the files will be encrypted before you upload them. So no one can access them while you’re transferring them to your site or downloading them to your computer.
This is particularly important if you do this kind of work on a public network, such as coffee-shop Wi-Fi. Ideally, you should avoid using public Wi-Fi to manage the files in your WordPress site, but in reality we’ve all had times when we’ve needed to upload a file urgently and can’t wait till we get back to a more secure connection.
A good hosting provider will provide SFTP as part of their service—ask them to tell you how to access it and set up keys for use when transferring files to your site.
8. Add SSL to Your Site
Adding SSL to your WordPress site means that the https:// at the beginning of the domain name will be replaced by https://.
Adding SSL to your site is free with Let’s Encrypt and will give you two benefits:
- It’ll enhance your search engine rankings. Google gives greater weight to sites that have been made secure with SSL. So it makes sense to add it to your site.
- It will make your site more secure. Adding SSL means that data sent between your server and the user’s browser is encrypted. This is essential for any sites where users are asked to input personal data, even an email address. And for e-commerce it’s even more important. In fact, if you install WooCommerce on a site without SSL, the plugin will repeatedly warn you that the site isn’t as secure as it should be.
You can install a free SSL certificate with Let’s Encrypt, either via your hosting provider’s dashboard or by using a plugin. See our guide to SSL to find out how to do it.
9. Install a Security Plugin
If you want to have ultimate control over security on your site and monitor it for any problems, then it’s a good idea to install a security plugin.
Security plugins will monitor your site for downtime or security breaches and email you if there are any problems. They’ll also let you configure security settings to harden your site and make it even tougher for hackers to get in.
There’s a range of free security plugins available via the plugin directory, but if you want extra protection, it can be a good investment to install a premium plugin. This way, you get access to advanced features like enhanced firewall protection, IP and country blocking, and help getting your site back online if it’s hacked.
You can learn more about security plugins in a lesson from my free course on Essential WordPress Plugins: Why You Need a WordPress Security Plugin and Some of the Options.
10. Use a Security Service
You can also sign up to a security service like Sucuri that will monitor your site and help you fix it if it’s hacked or goes down. This can seem expensive—but if your site is breached, the time you will save and the potential business you might lose will make it worth your while.
Cloudflare is another service that was initially designed to help boost website performance, but also has a security service that will monitor your site, help you keep it secure, and fix it for you if it’s hacked. This is a good option if you also want to take advantage of Cloudflare’s content delivery network, which will help your site run faster.
Keeping your WordPress site secure is an essential part of website management. If your site were to be hacked or break after an update, you could lose hours or maybe days fixing it. And if you have to pay someone to fix it for you, that can be expensive.
If you follow the tips above, you’ll be able to protect your site from the majority of security risks and rest easy in the knowledge that your site is running smoothly and not being hacked. How far you decide to go and how much you can spend on security will depend on your site and your budget, but you should certainly use secure passwords and keep your site updated as a bare minimum.
The Best WordPress Themes and Plugins on Envato Market
Here are a few of the best-selling and up-and-coming WordPress themes and plugins available for 2020.
- Inspiration23+ Best WordPress Portfolio Themes for CreativesBrenda Barron
- WordPress25 Best WordPress Slider & Carousel Plugins of 2021Daniel Strongin
- WordPress20 Best WordPress Calendar Plugins and Widgets (+5 Free Plugins)Daniel Strongin
- WordPress Themes31+ Best Responsive WordPress Themes (For Sites in 2021)Brenda Barron
- WordPress22 Best WPBakery Page Builder (Visual Composer) Addons and Extensions of 2021Daniel Strongin
- WordPress Themes30 Best Coaching & Consulting WordPress Themes for 2021Brenda Barron
Subscribe below and we’ll send you a weekly email summary of all new Web Design tutorials. Never miss out on learning about the next big thing.Update me weekly
Envato Tuts+ tutorials are translated into other languages by our community members—you can be involved too!Translate this post