7 Essential WordPress Security Tips
Keeping a WordPress website secure is crucial, as a data breach could significantly damage your business’s reputation and revenue. Without proper security, hackers could steal information, install malicious software and distribute malware to your users.
However, securing your site isn’t a one-time thing. It’s an ongoing process you should always keep in mind when taking actions on your site, such as installing new plugins. To better protect your WordPress site from hackers, here are seven WordPress security tips you should follow.
1. UPDATE REGULARLY
Updating WordPress on a regular basis is the most important thing when it comes to your site’s security. Updates fix vulnerabilities in WordPress, so if you fail to update your site, you’re leaving it at a greater risk. Keep in mind you’ll need to manually start updates for major releases.
Don’t forget about your plugins and themes when you do the updates. If these aren’t secured, they give hackers easy access to information. Hackers often rely on out-of-date plugins and themes, exploiting their vulnerabilities.
2. DOWNLOAD ONLY FROM WELL-KNOWN SOURCES
The most secure option when downloading plugins and themes is going to WordPress.org. WordPress checks all plugins and themes before admitting them into its directories.
If you go elsewhere, stick to reputable sources such as Themeforest or the websites of respected developers. Before you download anything, check the reviews and comments by previous users. They may have mentioned vulnerabilities or any issues with the plugin/theme author.
3. DELETE ALL UNUSED PLUGINS
Having fewer themes and plugins installed makes it less likely that hackers can hit your site. If you’re not using a theme or plugin, delete it to avoid the security risk, especially if you haven’t updated it. Themes and plugins can still pose a risk if you simply deactivate them, so you need to fully delete them from the site.
It’s also good to do this to clean up your site. Having many unused themes or plugins can impair performance, and it makes the job of a security professional much more difficult if your site becomes compromised.
4. CHANGE YOUR ADMIN USERNAME
Admin is the default WordPress username, which makes it a poor choice, as it’s one of the first things a hacker guesses. Make sure your admin username isn’t too simple or common.
If you chose a poor admin username, create a new user with admin privileges. Assign all your current site content to the new user then delete the previous one.
Email IDs work well as admin usernames because they’re harder to guess. Since WordPress already requires a unique email address to create an account, an email ID is valid as a login identifier.
5. IMPROVE YOUR PASSWORD STRENGTH
The most common way hackers access WordPress sites is through compromised or stolen passwords. Setting up weak, easily guessed passwords is a big risk for your site’s security.
You should always make sure you and your employees set up strong passwords, which are those that include a combination of at least 12 letters, numbers and symbols. If you have trouble thinking of passwords, there are plenty of password generators available. Additionally, make sure to change your password every few months because the longer you have one, the more likely it is to become compromised.
An important thing to remember is you and your employees should never login to the dashboard while connected via public Wi-Fi. Your password could be stolen by hackers if they are connected to the same network. Instruct your employees use a VPN if they cannot avoid connecting via unsecure public networks.
Have in mind, by default, WordPress will provide a hint on failed login attempts when it tells the user the username is wrong or the password doesn’t match. Disable this feature to avoid giving hackers any information they can use when trying to access your account.
6. CHANGE FILES AND DIRECTORY PERMISSIONS
File and directory permissions determine which users can read, write, modify and access those files and directories in your site. Improper permissions present a huge security risk for your website.
Permissions use a number system, and each permission includes a three-digit number. You can set permissions manually using the WordPress File Manager in your control panel or through your terminal.
Use 640 or 644 for files and 750 or 755 for directories. Avoid 777 for anything, because this gives any user full privileges.
Finally, if all else fails and your website gets hacked, you need to make sure you have a backup. When you have a backup available, you can restore the site to the way it was before an attack.
Make sure you save full-site backups to remote locations, which means somewhere other than your hosting account. There are site backup plugins available to handle this for you.
How often should you back up your site? This depends on how often you update it, but daily and real-time backups both work.
WordPress is a popular site platform, and because of that, WordPress sites are also popular targets for hackers. Keeping everything up to date, choosing the right username and passwords, and being careful with themes and plugins will make it much harder for hackers to access your site. In case something goes wrong, have a backup ready to get your site up and running again.
Editor’s Note: This post was originally published by wMainstreet Host.Lisa Michaels at