Securing Your WordPress Site

If you have a self-managed, self-hosted WordPress website, are you keeping it as secure as you can?

WordPress is a wonderful open-source platform with so much to offer, but having a lovely website and knowing how to update it isn’t the end.  You need to keep it secure.

Here are some tips to help you:  

  • Get an SSL certificate (Secure Sockets Layer).  This puts the ‘S’ in ‘HTTPS’ and it shows your website visitors that your site traffic is encrypted.  Your web host should provide you with a certificate. Most offer a free certificate, though you can purchase a dedicated certificate too.   Having an HTTPS site is becoming increasingly important, particularly as Google marks sites without a certificate as Not Secure.


  • Install a Security Plugin.  One of the first, if not the first, plugins you should have on WordPress is a security plugin to look after your site.   Among other features, it should protect your site with a firewall, block malicious computer bots from hacking in, and block ‘brute force’ attacks.  There are some brilliant plugins out there. I use one called Wordfence, but there are others such as Sucuri and Shield.


  • Login security.  Install a plugin (or use the option in your existing security plugin) to change the Login URL for your site, making it harder to guess. Configure your security settings to limit the number of failed login attempts and to block IP addresses that try to log in maliciously.  You can also use other means to secure your login process, such as enabling a security question to be asked before you can access the site.    Make sure your passwords are really strong and consider using two-factor authentication to access your site.  Don’t have more admin-access users than you need. Keep the number to the minimum to ensure security of logins.


  • Stay up to date.  Developers keep plugins updated and release new versions as they make changes. You can auto-enable minor updates on some of these but it is good practice to check your site dashboard for updates regularly and make sure all plugins and themes are up to date. Minor changes to WordPress core software are implemented automatically but you will need to manually update when WordPress release a major new version.


  • Back up.  Don’t lose your site if it is breached or goes down. Make sure you have a backup in place from the beginning, preferably to a cloud-based backup provider.


  • Host.  Keep in contact with your hosting provider.  Check their security credentials and support offering and don’t be afraid to ask for help if there is something concerning you.   A good host will be constantly scanning sites it hosts on its servers and will notify you if there are any issues that need resolving.
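
To see what the "limit failed login attempts and block IP addresses" setting from the login security tip is doing, here is an added example (not from the original post and not any plugin's own code) that applies the same rule to web server access log lines. It assumes the "combined" log format, the default /wp-login.php path, and that WordPress answers a failed login with status 200 and a successful one with a 302 redirect; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def _line(ip, minute, second, status, path="/wp-login.php"):
    """Build one constructed access log line (sample data, not real traffic)."""
    return (f'{ip} - - [12/Mar/2024:10:{minute:02d}:{second:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 4312 "-" "Mozilla/5.0"')

# Constructed sample log, in time order as a real log file would be.
SAMPLE_LOG = (
    [_line("203.0.113.7", 0, s, 200) for s in range(0, 60, 10)]   # 6 failures in one minute
    + [_line("198.51.100.20", 1, 5, 200), _line("198.51.100.20", 1, 30, 200),
       _line("198.51.100.20", 1, 50, 302)]                          # two typos, then a success
    + [_line("192.0.2.44", m, 0, 200) for m in range(2, 14, 2)]    # 6 failures, 2 minutes apart
)

def failed_logins(lines, login_path="/wp-login.php"):
    """Yield (ip, timestamp) for each POST to the login page answered with 200."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if m["path"].split("?")[0] != login_path:
            continue
        yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def ips_to_block(lines, max_failures=5, window=timedelta(minutes=5)):
    """Return IPs with more than max_failures failed logins inside one window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = set()
    for ip, ts in failed_logins(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # forget failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return sorted(flagged)

if __name__ == "__main__":
    print(ips_to_block(SAMPLE_LOG))
```

If you have changed the Login URL as suggested above, pass the new path as login_path. The visitor who mistypes a password twice and the slow trickle from 192.0.2.44 both stay under the limit, which is why the window length matters as much as the failure count.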


These tips should help you to stay secure.   There is of course a wealth of knowledge and expertise on the web and it pays to stay up to date.  Sign up to WordPress blogs and updates to help you do this. 

Image credit: 

Laptop header image – Alex Knight on Unsplash