THE MSHINI BLOG
The ultimate 12 step WordPress security guide
There’s no way around it. If you have a web presence, you’re at risk of someone breaking into your website. It might be to steal your customers’ data, it could be to push a political agenda or just because they can. But following these security steps will help your WordPress site weather almost any attack any ne’er-do-well might throw at it.
1. Always keep your WordPress core, theme and plugin versions up to date
According to a scan done by The SSL Store, a full third of all WordPress sites are out of date and vulnerable to exploits for flaws that have already been patched.
The five main reasons for keeping every aspect of your WordPress site up to date are:
- Security
- Performance
- Bug fixes
- Compatibility
- Features
Keeping WordPress, its themes and plugins up to date is an essential part of managing any WordPress site. This ensures that your site performs as efficiently as possible and guarantees that your site always receives the latest bug fixes and security patches. Keeping your WordPress core, theme and plugin versions up to date is one of the most effective methods of enhancing security and keeping the hackers at bay. Best of all, WordPress makes it easy to do this automatically, so you don’t need to constantly keep an eye out for their update schedule.
2. Don’t make changes to the WordPress core files
The moment that you or your developer edit the WordPress core files, you are no longer able to automatically update WordPress to the latest version. This behaviour is intended to stop you losing custom changes made to your site, but it comes at the cost of the added security the updates offer.
If you need to change WordPress functionality, you’re far better off creating a plugin which gives you the ability to do whatever you need without compromising WordPress core.
The same logic applies to plugins and themes. The moment you perform any core tweaking of plugins and themes you lose the ability to update to the latest version, thus exposing your site to hackers.
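As an added example that is not code from the Mshini post, the must-use plugin below applies step 2 to step 1: it turns on automatic plugin and theme updates through WordPress's own filters (`auto_update_plugin`, `auto_update_theme`) instead of editing anything in core. The file location, the `mshini_example_` names and the `legacy-gallery` slug held back for manual testing are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not from the Mshini post)
 * Description: Turns on automatic plugin and theme updates through WordPress's own
 *              filters, so nothing in wp-includes/ or wp-admin/ is edited.
 * Install in wp-content/mu-plugins/ (create the directory if needed); must-use
 * plugins load on every request and cannot be switched off from the dashboard.
 *
 * Pair it with these lines in wp-config.php:
 *   define( 'WP_AUTO_UPDATE_CORE', true );  // minor and major core releases
 *   define( 'DISALLOW_FILE_EDIT', true );   // removes the dashboard theme/plugin file editor
 */

// Assumed example slug: a plugin you still want to test on staging before updating.
const MSHINI_EXAMPLE_HOLD_BACK = array( 'legacy-gallery' );

// $item is the update object WordPress passes; $item->slug is the plugin's directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, MSHINI_EXAMPLE_HOLD_BACK, true ) ) {
        return false; // leave this one for a manual, tested update
    }
    return true;
}, 10, 2 );

// Themes: update every installed theme automatically (unused ones should be deleted anyway, see step 3).
add_filter( 'auto_update_theme', '__return_true' );
```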
3. Deactivate and remove any unused plugins and themes
With every additional plugin and theme installed on your site, the risk of a vulnerability being discovered in one of them increases. If a vulnerability is discovered in one of these plugins or themes, your site becomes a sitting duck.
While most major plugins have crack teams of developers keeping an eye on security, some plugins are made by one person in their spare time. They do not have the resources to deal with every vulnerability proactively. Your WordPress site is still left vulnerable even if the affected plugin or theme is installed but inactive. The safest way to mitigate risk is to deactivate and completely remove any plugins and themes that you are not using.
Security aside, poorly coded and unnecessary WordPress plugins and themes can cause all sorts of other issues like memory leaks, which negatively affects the performance of your WordPress site for your users.
When testing plugins and themes, avoid testing them on your live site. Instead, create a copy of your site on a staging environment and test your plugins and themes with absolutely no risk to your live site.
4. Only ever install themes and plugins from their official source
No matter how tough times may be, avoid downloading premium plugins and themes from pirate, torrent and warez sites. Many of these pirated themes and plugins have been maliciously tweaked to contain back doors for hackers to come and go as they please.
Remember, if the service is free, you are usually the product!
WordPress.org is the most common place to find free, reputable plugins and themes for WordPress. Commercial plugins or themes can often be purchased from the developers themselves or through sites like WordPress.com, ThemeForest.net or CodeCanyon.net.
5. Choose a secure WordPress hosting service
A great WordPress hosting service goes a long way towards protecting your site from attacks. The allure of free or cheap hosting can be enticing to say the least, but with the wisdom of hindsight, you’ll quickly learn that hosting isn’t an area to skimp on.
The free option on many of these services is usually there to entice you to a premium service. As such, the free option usually doesn’t include active monitoring of services, backups or customer service that you can reach should the worst happen.
If you value your website, and your customers, it’s worthwhile investing in a specialist managed WordPress hosting company that is able to support both you and your WordPress site.
6. Ensure that your site is running on the latest version of PHP
According to Cloudways.com, less than 3% of WordPress sites are using PHP 7.2, and a shocking 32.4% are using versions no longer supported by WordPress itself! Additionally, Sucuri reports that 71% of all compromises had a PHP-based backdoor hidden within the site in 2017.
If you are still using an outdated version of PHP, not only is your site missing out on the performance improvements released with the latest versions, but newly discovered vulnerabilities will not be fixed. They will remain in the wild, ready for exploitation by anyone with ill will and access to the internet.
Updating your PHP version depends largely on your hosting service. A good hosting service should make the latest PHP versions available for use with your WordPress installation.
7. Choose obscure WordPress admin usernames
If your WordPress admin username is currently “admin”, you should immediately create a new administrator user.
Your credentials have two parts, the username and the password. If you use the default “admin” username, hackers already have half of the keys to your whole website!
Choose a username that is less obvious, then delete the “admin” user. This quick and easy WordPress security trick can thwart many simple hacking attempts.
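An added example (not from the Mshini post) that turns steps 3 and 7 into a standing check: a must-use plugin that shows administrators a dashboard notice listing installed-but-inactive plugins and themes and warning if a user literally named "admin" still exists. It only reports; the deletions stay a deliberate manual action. The `mshini_example_` function names and the mu-plugins location are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Housekeeping audit (added example, not from the Mshini post)
 * Description: Warns administrators about installed-but-inactive plugins and themes
 *              (step 3) and about a user literally named "admin" (step 7). It only
 *              reports; removing them is still a deliberate manual action.
 * Install in wp-content/mu-plugins/.
 */
// Names of installed plugins that are neither active nor network-active.
function mshini_example_inactive_plugins() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php'; // defines get_plugins()
    $inactive = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $inactive[] = $data['Name'];
        }
    }
    return $inactive;
}
// Names of installed themes other than the active one and its parent (child themes need both).
function mshini_example_inactive_themes() {
    $in_use   = array( get_stylesheet(), get_template() );
    $inactive = array();
    foreach ( wp_get_themes() as $stylesheet => $theme ) {
        if ( ! in_array( $stylesheet, $in_use, true ) ) {
            $inactive[] = $theme->get( 'Name' );
        }
    }
    return $inactive;
}
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators need to see this
    }
    $warnings = array();
    if ( $plugins = mshini_example_inactive_plugins() ) {
        $warnings[] = 'Inactive plugins still installed: ' . implode( ', ', $plugins );
    }
    if ( $themes = mshini_example_inactive_themes() ) {
        $warnings[] = 'Inactive themes still installed: ' . implode( ', ', $themes );
    }
    if ( username_exists( 'admin' ) ) {
        $warnings[] = 'A user named "admin" exists: create a new administrator, then delete it.';
    }
    foreach ( $warnings as $warning ) {
        echo '<div class="notice notice-warning"><p>' . esc_html( $warning ) . '</p></div>';
    }
} );
```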
8. Always use strong passwords and never reuse passwords
You’ve no doubt heard it before, and you’ll no doubt hear it again…
Don’t choose simple and easy-to-guess passwords. The simpler your password, the easier it will be for hackers to brute-force it and gain access to your WordPress site. This is especially true if your admin username is something simple like “admin” or “admin123”. Hackers attempting to brute-force your WordPress password will have a list of the most commonly used passwords, which they try over and over again.
An example of a strong password is:
Thi5I5al0ngstr*ngp4zzw0rd$
The longer the password, the longer it will take to brute-force a solution.
Avoid reusing passwords at all costs, regardless of where you use them. If one of your accounts has been compromised, the hacker probably has access to ALL of your accounts that use the same password.
We know that it’s tough, even impossible, to remember different passwords for every account. Luckily there are plenty of password managers out there that will allow you to create different passwords and store them securely.
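An added example (not from the Mshini post) showing how the advice in step 8 can be enforced rather than just recommended: a must-use plugin that hooks WordPress's `user_profile_update_errors` action and rejects passwords that are short, on a common-password list, or low in estimated entropy. The common-password list is a constructed sample, and the `mshini_example_` names, the 12-character minimum and the 60-bit threshold are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Password policy (added example, not from the Mshini post)
 * Description: Rejects short, low-entropy or well-known passwords when a user sets
 *              one from their profile page. Install in wp-content/mu-plugins/.
 */

// Constructed sample of the "most commonly used passwords" list brute-forcers work from.
const MSHINI_EXAMPLE_COMMON_PASSWORDS = array( 'password', '123456', 'admin123', 'qwerty', 'letmein' );

// Rough strength estimate in bits: length * log2(size of the character pool in use).
// The post's sample "Thi5I5al0ngstr*ngp4zzw0rd$" scores about 170 bits, "admin123" about 41.
function mshini_example_password_bits( $password ) {
    $pool = 0;
    if ( preg_match( '/[a-z]/', $password ) ) { $pool += 26; }
    if ( preg_match( '/[A-Z]/', $password ) ) { $pool += 26; }
    if ( preg_match( '/[0-9]/', $password ) ) { $pool += 10; }
    if ( preg_match( '/[^a-zA-Z0-9]/', $password ) ) { $pool += 33; } // printable ASCII symbols
    return $pool ? strlen( $password ) * log( $pool, 2 ) : 0;
}

// A human-readable reason the password is unacceptable, or null when it passes.
function mshini_example_password_problem( $password ) {
    if ( in_array( strtolower( $password ), MSHINI_EXAMPLE_COMMON_PASSWORDS, true ) ) {
        return 'That password is on the list of commonly used passwords.';
    }
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    if ( mshini_example_password_bits( $password ) < 60 ) {
        return 'That password is too predictable: mix cases, digits and symbols, or make it longer.';
    }
    return null;
}

// WordPress fires this before saving a profile; $user->user_pass is set only when
// a new password was typed into the form. Adding to $errors blocks the save.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return;
    }
    $problem = mshini_example_password_problem( $user->user_pass );
    if ( $problem ) {
        $errors->add( 'weak_password', '<strong>Error</strong>: ' . esc_html( $problem ) );
    }
}, 10, 3 );
```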
9. Use an SSL certificate to encrypt all data being transmitted
Implement HTTPS on your WordPress site, particularly on your backend, to avoid data being sent in plain-text. We have a guide on our Knowledge Base that will show you how to enable a free Let’s Encrypt SSL certificate within your Mshini control panel. Once your SSL certificate is enabled, check that your site has the coveted Green Padlock icon marking it as “Secure” next to your URL.
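An added example (not from the Mshini post) of what "implement HTTPS" looks like in code once the certificate is installed: a must-use plugin that redirects plain-HTTP requests to HTTPS and sends an HSTS header, with the matching wp-config.php constants noted in the header comment. The mu-plugins location is an assumption, and the proxy snippet assumes the load balancer sets the `X-Forwarded-Proto` header.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example, not from the Mshini post)
 * Description: Redirects plain-HTTP requests to HTTPS and sends an HSTS header once
 *              the Let's Encrypt certificate is in place. Install in wp-content/mu-plugins/.
 *
 * In wp-config.php also set:
 *   define( 'FORCE_SSL_ADMIN', true );   // logins and the dashboard over HTTPS only
 * If TLS terminates at a proxy or load balancer, WordPress's is_ssl() cannot see the
 * certificate; add this to wp-config.php above the FORCE_SSL_ADMIN line:
 *   if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
 *       $_SERVER['HTTPS'] = 'on';
 *   }
 */

add_action( 'init', function () {
    if ( is_ssl() || ( defined( 'WP_CLI' ) && WP_CLI ) || empty( $_SERVER['HTTP_HOST'] ) ) {
        return; // already encrypted, or not an HTTP request at all
    }
    // wp_safe_redirect() only follows hosts on the allowed list (the site's own host by
    // default), so a forged Host header cannot turn this into an open redirect.
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    wp_safe_redirect( $target, 301 );
    exit;
} );

// Tell browsers to use HTTPS for the next year without trying HTTP first. Start with a
// short max-age while testing: a mistake here keeps visitors locked out until it expires.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );
```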
10. Secure WordPress with a reputable WordPress security plugin
Anyone can list a plugin with WordPress, even those with a vested interest in getting into your site. Just as you wouldn’t give a stranger the keys to your physical office building, make sure that you vet any security plugins carefully before installing them.
Check out reviews from multiple sources before making a decision, as user reviews are easily manipulated by sock-puppet accounts.
11. Enable two factor authentication (2FA) for your WordPress site
You can easily add an additional layer of security to your login details by setting up Two-Factor Authentication within your WordPress dashboard. By doing so, any potential hacker now needs access to your Username, your Password and your phone!
12. Only ever access your WordPress dashboard from a trusted device
Accessing your dashboard on a public terminal, such as a library computer or an internet cafe, means you do not have control of the software that is installed on that device. Malware such as Trojans and keyloggers is able to capture passwords and send them to a third party without your knowledge. An easy rule of thumb is: if you wouldn’t trust a device to do your internet banking, don’t trust it with your website.
Any questions? Feedback? Give us a shout! We’re friendly! Promise!