The Basics of WordPress Security

The basics of WordPress security begins with your hosting platform. I use HostGator. Use a non-shared hosting plan. If you can afford the bill, sign up for Managed WordPress or VPS account. If you’re the WordPress designer and you can’t afford those hefty prices and you like to learn everything you can about WordPress (even what to do when your site gets hacked), then get started on the Hatchling plan with HostGator and make backups every week so you can always restore your site. You’ll learn how to fix those hacks, if that’s your thing. If it’s not your thing, make it so…so that you know how to fix your clients’ hacked sites. Here is my affiliated link, give me some luvin’ and get yourself a discount on HostGator when signing up or use this coupon code on checkout, lionsdendesigns.

Why should you use a Managed WordPress or VPS account? First, it’s your own server, no one else is getting hosted on it as your neighbor such is the case with shared hosting. If that neighbor gets hacked, it’ll slow down your site or the hack may come across to you. Second, Managed hosting means that there is a dedicated team watching your server, keeping it as secure as possible and Managed WordPress is that same thing plus tech gurus who are passionate about all things WordPress. A VPS account, correct me if I’m wrong, doesn’t have a special team behind it but you are the person who works on everything even when it breaks. You still have tech support available in a chat window, a phone call away or a support ticket away. I find the former two are faster in response time and the latter is best when you need to pull up a history of activity on the ticket. Hosting, the kind you choose should be a no-brainer, but when you’re new you don’t know where to start and you usually choose what is the cheapest solution and some fall for the FREE deals.

The first line of defense in all of hosting and following sections I’ll write about, this being a subtle ‘zero’ or the least thought about topic of consideration, is your choice of usernames and passwords. I’ve had way too many clients always default to these two habits. The first is choosing a username that the whole of WordPress new sites used to have on install, ‘admin’ (no longer the case) and second, choosing a password that was easy for them to remember from anywhere. And then using that same combination on every single online account they had, even their personal accounts. Yikes! And even after I had generated a secure password for them, they changed it to something “easier” to remember. That always makes me feel extremely uneasy because I already can guess what’s in their site’s future. I have my clients’ best interest in mind when I generate those cumbersome passwords.

Over the years, I moved away from usernames and passwords that were too simple to remember. I recommend using a password manager that’s encrypted and you pay for some portion of it. There’s 1Password and LastPass, to name two. I’ve moved across multiple operating systems, many a time. These systems require you to remember a single username and password (which I’ve made long and complicated), then you store all your sites usernames and passwords in an encrypted file. In other words, it uses your login as a key to access the encryption and decrypt it for your eyes only. Within the manager, I generate usernames and passwords for clients, starting at 20 characters or above. The longer, more complicated to remember, less repeats in a row, no patterns, symbols, capitalization, etc., the harder it is crack. Mind you, the cracker is a bot or program, not a human being. The easier you make the password for you to remember, the shorter amount of time it takes to crack it. I also encourage that you setup two-step authentication wherever it’s made available as an added security level.

The second line of defense is your installation of WordPress. I’ll cover the basics here and in a future post, I’ll get into the nitty-gritty of installation. You all know about those easy-to-use install services on your hosting platform for installing WordPress. Where you put in the directory, the name of the site, the username and password, and you’re done under five minutes. Those services, if used, are not providing you with a secure install. They are not using multiple passwords for all doors, they are leaving some settings insecure. Most WordPress installs are found in the root, the public folder, instead of in a nondescript subfolder.

The third line of defense is keeping your WordPress backed up regularly, keeping your WordPress platform updated, keeping your plugins updated and keeping your themes updated. Use themes from a trusted source, proven WordPress theme designer, or the WordPress themes directory.

The fourth line of defense is to install safe and secure plugins that provide automated scanning for viruses, provide a firewall, have other settings that close all “holes” in your WordPress platform, and provide a weekly to bi-weekly backup of all files in your site and database, and can be extended with a paid service to monitor your site for suspicious activities. Not knowing what you’re doing when you use these plugins and their settings can cause you to break your site. Avoiding them can leave you open to vulnerabilities. To name two, Wordfence and Shield WordPress Security.

The fifth line of defense is to verify your site with Google Webmaster Tools so you get a notification when your site has gone down or Google is seeing a virus or malware, and can also provide you with solutions.

The sixth line of defense is to use an SSL with your domain name. If you only use the root domain, then a Single-site SSL is just what you need. If you plan to have subdomains, such as or, then a Wildcard SSL is your choice. Expect to pay $50+ per year. Having an SSL changes your site’s address from HTTP to HTTPS. It also is great for boosting your SEO by Google’s standards.

The seventh line of defense is to keep your computer, on which you do all your work, clean and up-to-date. Some viruses or malware have been written about to traverse across and infect your site. Keep your Wi-Fi secure with WPA2 instead of open for any Joe or Jill to access it. Turn on NAT control and AP isolation. If you’re running a home-based local server, you should already know that it should be on the wired DMZ of your router and be using a dedicated IP address line (a separate internet line from your home’s use).

If you need help implementing these WordPress security tips, I am available for hire.


Written with Desk PM.


Leave a Reply