16 WordPress Security Tips to Keep Your Site Safe

WordPress has become one of the most popular CMS platforms for web design because it’s so easy to use. The downside, however, is that WordPress sites are also extremely vulnerable to attacks.

With this in mind, it’s important you take a few simple steps to increase security before your site goes live. In this article, we will outline numerous tips that will help keep your website secure and safe from hackers!

Our Recommended WordPress Security Tips

1.) Install a WordPress security plugin

We recommend iThemes Security Pro, but there is a lot of recommendations out there for Wordfence too. If you choose a security plugin like iThemes, you’ll be able to greatly improve the default security posture of your WordPress installation. You can use iThemes Security to scan for vulnerabilities, prevent session hijacking, enable two-factor authentication, reduce brute force attacks, monitor for changed files, log security events, and much more!

2.) Update WordPress regularly *

It’s important that you keep your WordPress installation up to date so it has the latest security fixes. This will help protect against many forms of attack, including SQL injection and brute force attacks. If you are on a WordPress management plan, your website can be updated proactively each month.

Person wearing a WordPress shirt working on a computer

3.) Don’t install plugins or themes from untrusted sources *

It’s always a good idea to only use plugins and themes provided by WordPress as they are more trustworthy than those found elsewhere on the Web. If possible, download them directly from within your admin panel.

Screenshot of plugin browser screen in WordPress

4.) Create strong passwords for everything *

Your accounts should all have different passwords with complex combinations of letters, numbers, and symbols. Although these passwords can be hard to remember, it’ll make it a lot harder for others to crack! Avoid using the same password in multiple places, otherwise just one compromise can result in massive losses.

5.) Protect sensitive data *

There are many plugins available that can help you protect sensitive data, such as credit card numbers and passwords. These security plugins will help protect your site against hacks, malware, brute force attacks, SQL injection, and more.

6.) Train staff on information security basics *

It’s a good idea to provide some basic training for your employees so they know how best to keep their data safe when using company computers or accessing websites like yours!

7.) Backup files and databases regularly *

One of the best ways to protect against data loss is to back up everything regularly. You can either do this manually or with a plugin, though make sure you store your backups in an encrypted location! If you have a website maintenance expert available to you, ask that person what your backup schedule looks like.

Server Stacks

8.) Don’t share login details with anyone *

If you give out the password to someone you know, you should be mindful that this information can leak, which could lead to dangerous people gaining access to all of your information!

9.) Change your /wp-admin URL

The default admin URL for WordPress is /wp-admin, but you can change this to something custom. Moving the admin URL to a different location will help minimize brute force attacks since automated scripts won’t be able to find your admin location as easily. If you installed iThemes Security, you’ll be able to follow their documentation here about hiding your WordPress admin URL.

10.) Disable XML-RPC API access

The WordPress XML-RPC API allows third-party services to access and modify content on your website. For example, XML-RPC is used by the Jetpack plugin, the WordPress mobile apps, and pingbacks. If your website doesn’t use such services, then you should consider Disabling XML-RPC. This can be done within the Advanced settings of iThemes Security, within the WordPress Tweaks section.

11.) Protect yourself on public Wi-Fi networks *

Public Wi-Fi is a great way to save money on data but it’s not always safe, especially when using websites like Facebook or Gmail which can provide login details if they aren’t protected with two-step verification! Consider creating an encrypted connection over the network by installing virtual private networking software before logging into anywhere important.

12.) Don’t use “admin” as a username *

It’s important to choose an individual user name that isn’t so easily guessed. If you must learn how to protect your WordPress site from brute force attacks by using another layer of security on top of passwords such as CAPTCHAs and rate-limiting.

13.) Enable SSL where possible *

This will make sure the user data is encrypted during transfer and provide an additional security layer should any session cookies be intercepted by third parties (this may happen when someone is in possession of both your PC and device). This step might require some technical input but shouldn’t take too long!

14.) Enable two-factor authentication (2FA)

The iThemes Security plugin includes a two-factor authentication integration that you can enable in the “Features > Login Security” section. This will greatly improve your security, since it will require both your admin credentials and a special code sent to your email address or mobile authentication app.

15.) Scan your website regularly

You can use the File Change feature in iThemes Security, within the “Features > Site Check” section, to monitor for unexpected changes to core files. You can also enable Site Scan Scheduling in this section. Both of these are great features for monitoring for unauthorized changes to your file system.

16.) Restrict users after too many failed login attempts

Another useful setting within iThemes security is the ability to temporarily ban an IP address after numerous failed login attempts. You can tweak this configuration within the Global Settings of iThemes security, within the Lockouts section.

5 Essentials for Keeping Your Website Safe

Final Thoughts on Securing WordPress *

In conclusion, there are a lot of things you can do to protect your WordPress site from attacks. These include using strong passwords, backing up regularly, and installing plugins like WP Firewall Pro that will help keep hackers away!

Like most other things, nefarious people probably wouldn’t want much to do with a website that both looks bad and doesn’t have many users, even if it isn’t protected very well.

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by David W in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.