
8 Best Practices for Better WordPress Site Security

Picture this: you’ve just settled into your work chair with a fresh cup of coffee and logged into your WordPress site to start the day…only to find it’s been hacked! Data is lost, customer trust is on the line, and you’re left with that cold “oh no” feeling in the pit of your stomach. While thinking about the potential worst-case scenario can be gut-wrenching, preventative maintenance for WordPress security issues can go a long way! So let’s kick this potential disaster off your worries list by moving “WordPress site security” to the top of your to-do list.  


Is WordPress Secure?

Yes, as long as you stay on top of website maintenance and security! Because WordPress powers more websites than any other platform, it's also the most popular target for hackers, and most of those attacks are automated scans looking for easy wins: outdated plugins and themes, weak or reused passwords, and sites that nobody is watching. That doesn't mean the platform itself is a sieve (core vulnerabilities do turn up, but they're patched quickly), it just means WordPress site security isn't a set-it-and-forget-it kind of thing. It's an ongoing process you'll need to stay on top of to minimize your risk.


The truth is that WordPress security issues are most common on sites that aren't updated regularly. In fact, a whopping 61% of all attacked websites are outdated. That's a big yikes! But here's the silver lining: with just a smidge of your time and a little know-how (that's where I come in 😉), you can easily make some website tweaks that will head those worst-case scenarios off at the pass.


8 best practices for better WordPress site security 

By far the best way to stay on top of WordPress security is to put it on a schedule: a quick weekly pass for updates and scan results, and a monthly deeper review of users, backups, and anything your security plugin flagged. Let's dig into the WordPress security best practices that will help keep your WordPress website from getting hacked.


Choose a Reputable Hosting Provider

Building your website on a shaky or shady hosting provider is a little bit like building a house on quicksand. Sure, things might seem OK for a while, but ultimately it’s not the most solid foundation for your website. Your hosting provider is the first line of defense against online threats, and a quality managed hosting provider like Flywheel or Kinsta comes with extra security features like firewall protection, malware scanning, and automatic backups. The last thing you want in a worst-case website scenario is a hosting provider that will leave you high and dry, but a quality one will have your back with extra security measures!


When to do it: Every time you choose a hosting provider. If you need help finding the best one for your business, click here for my top tips!


Change up your admin login

The admin area is a WordPress site's command center, which makes it a prime target for hackers. The problem is that most sites sit behind the default login URL (/wp-login.php and /wp-admin) with a super-obvious username. To start, don't use "admin" as a username (it's a little bit like leaving your house keys right under your doormat!), but don't treat your username as a secret either: WordPress happily reveals it through author archive URLs and the REST API, so the password and 2FA are doing the real work. Next, you can use the WPS Hide Login plugin to move your login page to a URL that only you know. That won't stop someone who already knows the new URL, but it does cut out the constant stream of bots hammering the default one, which means fewer login attempts to worry about and a much quieter log.


When to do it: Do it once, during website setup. (Don’t forget to bookmark it so you don’t forget the new secret URL!)
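To see why the username isn't a secret, here is a small checker, added here as an example and not code from the original post or from any plugin it names. It probes the two standard WordPress behaviours mentioned above: the REST API endpoint /wp-json/wp/v2/users lists every user who has published a post, and /?author=N redirects to /author/<login-slug>/. The hostname example.test and the responses in demo_fetch are constructed for the demonstration; urllib_fetch is the live equivalent for a site you own.

```python
"""Check whether a WordPress site leaks its usernames.

Added example, not code from the original post or from any plugin it
names. Two standard WordPress behaviours are probed:
  * /wp-json/wp/v2/users lists every user who has published a post
  * /?author=N redirects to /author/<login-slug>/
Either one hands an attacker the username, so renaming "admin" or hiding
the login URL only thins out bot noise; the password, 2FA and login
rate-limiting are what actually hold the door.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# fetch(url) -> (status, headers, body). Injected so the same logic runs
# offline against constructed responses or online via urllib_fetch below.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]

AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")


def usernames_from_rest(body: str) -> List[str]:
    """Pull the login slugs out of a /wp-json/wp/v2/users response body."""
    try:
        users = json.loads(body)
    except json.JSONDecodeError:
        return []
    if not isinstance(users, list):  # e.g. {"code": "rest_user_cannot_view"}
        return []
    return [u["slug"] for u in users if isinstance(u, dict) and "slug" in u]


def username_from_author_redirect(location: str) -> Optional[str]:
    """Extract the login slug from the Location header of a /?author=N redirect."""
    m = AUTHOR_SLUG.search(urlparse(location).path)
    return m.group(1) if m else None


def enumerate_users(base_url: str, fetch: Fetcher, max_author_id: int = 5) -> Dict[str, List[str]]:
    """Return {"rest": [...], "author_redirect": [...]} of usernames the site exposes."""
    leaked: Dict[str, List[str]] = {"rest": [], "author_redirect": []}
    status, _, body = fetch(f"{base_url}/wp-json/wp/v2/users")
    if status == 200:
        leaked["rest"] = usernames_from_rest(body)
    for n in range(1, max_author_id + 1):
        status, headers, _ = fetch(f"{base_url}/?author={n}")
        if status in (301, 302):
            loc = {k.lower(): v for k, v in headers.items()}.get("location", "")
            slug = username_from_author_redirect(loc)
            if slug and slug not in leaked["author_redirect"]:
                leaked["author_redirect"].append(slug)
    return leaked


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Don't follow redirects: the Location header itself is the evidence."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Live fetcher for a site you own or are authorised to test."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx and 4xx land here with redirects disabled
        return err.code, dict(err.headers), ""


def demo_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Constructed responses for an imaginary site (example.test); not a live probe."""
    if url.endswith("/wp-json/wp/v2/users"):
        return 200, {"Content-Type": "application/json"}, json.dumps(
            [{"id": 1, "name": "Steph", "slug": "steph-admin"}])
    if url.endswith("/?author=1"):
        return 301, {"Location": "https://example.test/author/steph-admin/"}, ""
    return 404, {}, ""


if __name__ == "__main__":
    print(enumerate_users("https://example.test", demo_fetch))
    # → {'rest': ['steph-admin'], 'author_redirect': ['steph-admin']}
```

Run it against your own site with `enumerate_users("https://yoursite.com", urllib_fetch)`. If either list comes back non-empty, assume attackers already have your username and let the password, 2FA and login rate-limiting carry the load; some security plugins can also block author-ID lookups and restrict the users endpoint to logged-in requests.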


Choose stronger passwords

You want your password to be long, unique to this site, and impossible to guess (that means no "password123", please!) People tend to gravitate toward the same handful of passwords they can remember, and that's exactly what credential-stuffing attacks count on: one password leaked from some other site gets tried against every login it might fit. A password manager like 1Password or LastPass will generate a long random password for you and store it securely, so you never have to remember it (or reuse it).


If you want to add another layer of protection (highly recommended), enable two-factor authentication (2FA) for your WordPress login. With 2FA on, you log in with your username and password as usual, then prove it's really you with a second factor: a six-digit code from an authenticator app on your phone (Google Authenticator, Authy, 1Password and others all work), a hardware security key, or, as a weaker fallback, a code sent to you by text. App codes are generated on your device from a secret you set up once, so there is nothing to intercept; text messages can be rerouted by a SIM swap, so use an app or a key where you can. Either way, a stolen password alone no longer gets anyone in.


How to turn on 2FA in your WordPress website

WordPress core doesn't ship with 2FA, so you'll need a plugin first. The free Two Factor plugin from the WordPress.org directory adds the "Two-Factor Options" section used in the steps below; Wordfence and other security plugins bundle their own equivalent.

  1. Log into the site and access your WordPress admin dashboard.
  2. Go to the sidebar and navigate to Users → Your Profile.
  3. In the "Two-Factor Options" section, enable your preferred method (for an authenticator app, scan the QR code with the app and enter the code it shows to confirm it's linked).
  4. Select the "Update Profile" button to save your new settings, then store any backup codes the plugin gives you in your password manager in case you lose your phone.

When to do it: Enable 2FA right away. Change your password whenever you have reason to think it has been exposed (a breach notification, a shared login, someone leaving the team) rather than on a calendar, and never reuse it anywhere else.


Use Security Plugins

Just like setting up a few Nest cameras can give you peace of mind and add an extra layer of security for your home, the right plugin can watch your website for you. A security plugin like Sucuri, MalCare, or Wordfence will limit login attempts and lock out addresses that keep guessing, scan your files for malware and known vulnerabilities, and put a firewall in front of your site to shield it from brute-force attacks. Once it's installed, you'll be the first to know if anyone is sneaking around your website and doing suspicious things…and you can nip any problems in the bud! Pick one and configure it well rather than stacking several: overlapping security plugins tend to conflict and slow your site down, and like any other plugin they need to stay updated themselves.


When to do it: Install your chosen plugin when setting up your website, then actually read the alerts and reports it sends you.
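The "limit login attempts" feature those plugins advertise is, at its core, a count of login POSTs per source address inside a time window. Here is that logic as an added example, written for this page and not taken from any of the plugins named, run over constructed Apache-style access log lines (the IP addresses come from the documentation ranges, the timestamps are made up). It watches both /wp-login.php and /xmlrpc.php, because a single XML-RPC request can carry many password guesses via system.multicall, and it counts POSTs rather than status codes, because WordPress answers a failed login with a 200 (the form again) and a successful one with a 302.

```python
"""Flag source IPs hammering wp-login.php or xmlrpc.php, the way a login-limiting
plugin or a WAF decides whom to block.

Added example, not code from the original post or any plugin it names. The log
lines in SAMPLE_LOG are constructed; point `detect_bruteforce` at the lines of a
real access log (open(path) works, it only needs an iterable of strings).
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, Optional

# Apache "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# xmlrpc.php is included because system.multicall lets one POST carry many guesses.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line: str) -> Optional[dict]:
    """Return {ip, ts, method, path, status} or None for lines we can't read."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?action=... etc.
        "status": int(m["status"]),
    }


def detect_bruteforce(lines: Iterable[str], threshold: int = 10, window_s: int = 300) -> Dict[str, int]:
    """Return {ip: peak_attempts} for IPs with >= threshold login POSTs in any window_s-second span.

    Status codes are deliberately ignored: WordPress returns 200 for a failed login
    (it re-renders the form) and 302 for a successful one, so volume is the signal.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] not in LOGIN_PATHS:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:  # slide the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def _line(ip: str, ts: str, method: str, path: str, status: int) -> str:
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: one normal visitor logging in, one bot spraying xmlrpc.php.
SAMPLE_LOG = [
    _line("198.51.100.5", "01/Mar/2024:09:00:00 +0000", "GET", "/wp-login.php", 200),
    _line("198.51.100.5", "01/Mar/2024:09:00:05 +0000", "POST", "/wp-login.php", 302),
] + [
    _line("203.0.113.7", f"01/Mar/2024:09:01:{i:02d} +0000", "POST", "/xmlrpc.php", 200)
    for i in range(0, 24, 2)  # 12 requests in 22 seconds
]


if __name__ == "__main__":
    for ip, hits in detect_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip}: {hits} login POSTs within 5 minutes")
    # → block 203.0.113.7: 12 login POSTs within 5 minutes
```

A plugin does the same counting inside PHP and then denies the address for a while; if you run your own server, the equivalent is feeding these hits to fail2ban or your host firewall. If you don't use XML-RPC at all (the Jetpack and mobile app integrations are the usual reasons to keep it), disabling it removes that second door entirely.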


Create Regular Backups

Sometimes, despite our best efforts, something goes south with our website data. That's where website backups come in handy! Backups are like a big safety net, allowing you to roll back the clock to an earlier version of your site and restore everything to how things were before whatever happened…happened. My favorite backup plugin is UpdraftPlus; set a regular automatic schedule and send the copies to remote storage (Dropbox, Google Drive, Amazon S3 and the like) rather than leaving them on the web server, because a backup that lives on the same server as your site disappears right along with it. And run a test restore once in a while: a backup you've never restored is a hope, not a plan.


When to do it: At least once a week, but if you have a membership or online store, once a day is even better. (Psst! Want a step-by-step guide to backing up your WordPress website? I have a blog for that!)


Keep WordPress, your plugins, and your themes updated

Plugins are one of the best things about building in WordPress, and they're how you add extra functionality to your site. But just like any software, they can open security holes if they're not updated regularly, and the same goes for your theme and for WordPress itself. Most real-world WordPress hacks go through a known, already-patched vulnerability in an out-of-date plugin, so running the latest versions keeps you protected (and keeps your website functionally in top-notch shape). Two small extras make this even more effective: delete plugins and themes you no longer use (a deactivated plugin is still code sitting on your server), and take a backup before a big round of updates so you can roll back if something breaks. WordPress can auto-update plugins for you from the Plugins screen, which is a sensible default for anything that isn't business-critical. It's a small task, but it can save you from a HUGE headache down the line!


When to do it: Once a week is best, but don’t put it off any longer than once every month!


Manage access and permissions

If you have a team helping you manage your site, make sure each team member only has the level of access they need: WordPress roles run from Subscriber through Contributor, Author and Editor up to Administrator, and very few people need that last one. Every month or so, audit your team's user roles and permissions to keep your site as secure as possible. Adding and removing team members with appropriate permissions can be built into your onboarding and offboarding SOP to streamline the process and help you remember to do it. Even if someone is totally trustworthy, an unused account is one more password that can be guessed or leaked, so remove it (WordPress lets you reassign their posts to another user when you delete the account).


When to do it: Once a month, and whenever you onboard or offboard a team member.


Get an SSL certificate for your website

Have you ever noticed how most websites show a little padlock (or at least no "Not secure" warning) to the left of the URL in the browser? That's the sign of a site serving HTTPS with a valid SSL certificate. (SSL stands for Secure Sockets Layer; the protocol doing the work today is actually its successor, TLS, but the old name stuck.) The certificate lets the browser encrypt everything travelling between your site and its visitors, so sensitive information (like credit card numbers and membership passwords) can't be read or tampered with in transit. It protects data on the wire only, not data sitting on your server, so it complements the other steps here rather than replacing them. It also builds trust with visitors, who can see your site is operating on a secure connection.


Without an SSL certificate, browsers flag your site as "Not secure," which could potentially turn visitors away. On top of that, Google has used HTTPS as a (small) ranking signal since 2014, meaning a secure site is a bit more likely to appear in search results. If you sign up for hosting with a provider like Flywheel or Kinsta, you'll usually be able to get a free certificate with automatic renewal at the click of a button, so it never silently expires. Once it's in place, make sure every http:// request redirects to https:// and update both URLs under Settings → General to https://, so you don't end up with mixed-content warnings or a login page that still loads over plain HTTP. It only takes a few minutes and is well worth the extra effort!


When to do it: Once, when setting up your website (or immediately if you have a website without an SSL certificate).


Better WordPress site security is only a few steps away!

Maintaining your WordPress website's security isn't rocket science; it just takes consistency. With a proactive approach, your site will be far better protected from malware, outages, and account takeovers. It's a small investment of your time and effort in the short term that pays off in better WordPress site security in the long term.


Want a more secure WordPress website but thinking about handling the details yourself makes your head spin? We have monthly WordPress site maintenance packages to make updates a hands-off process – book a call now! 




*This post contains affiliate links, so I may earn a small commission when you make a purchase through links on my site at no additional cost to you.


I'm Steph!

I'm the Founder and Creative Director behind Southern Creative, a.k.a. your SEO strategist and web designer.

My passion is crafting websites rooted in strategy so you can put your focus where your heart is while we launch your dream website that shows up online.