WordPress security is a serious matter. Don’t ignore this issue!

Like any popular Internet software, WordPress is subject to attacks by hackers. Any responsible person running a WordPress site needs to know and employ at least certain basic security measures. An insecure site can mean your own site gets damaged, and even affect lots of other WordPress sites.

Decide now that you will take security seriously and stay informed about best practices throughout the life of your website. By following some basic security measures, you’ll greatly reduce the chances of being hacked, and be prepared to recover if it ever does happen.

The short list below is a good basis for a secure site, although of course employing these strategies is not a guarantee. You can do even more; please see the resources list at the end of this lesson. As the administrator of a WordPress website, it will be your responsibility to stay aware and informed about security.

Basic WordPress security measures

1. Always use strong passwords

This applies to any login associated with your WordPress website. If you haven’t yet gotten past using easy passwords, now is the time.

Don’t use any version of your own name, address, website name, family members’ names, or company name, or even any word in the dictionary in any language. A strong password should be at least 8 characters and contain uppercase letters, lowercase letters, numbers, and special characters. 10 or 12 characters is even better.

When you create a password within the WordPress Admin Screens, a new, stricter “password meter” tells you how weak or strong it is. It’s only a guide, but paying attention to it could keep your site from being hacked.

Please give up on the idea of being able to remember passwords, and develop a system for keeping track of them instead. A good aid for managing passwords is LastPass, a free program you can download from
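As an added illustration of the rules above (not part of the original lesson), here is a Python check that applies them: the 8-character minimum with the 10- and 12-character tiers, the four character classes, and a block on “any version of” the names and terms a site owner would supply. The personal terms and the tiny dictionary are constructed sample values.

```python
import re
import string

# Constructed sample values a site owner would fill in: names, street, site/company name.
PERSONAL_TERMS = ["jane", "doe", "acme bakery", "acme", "main street"]
# Tiny stand-in for a dictionary; a real check would load a full word list.
DICTIONARY = {"password", "welcome", "sunshine", "dragon", "letmein", "monkey"}
# Undo the usual digit/symbol-for-letter swaps so "J4ne" still reads as "jane".
LEET = str.maketrans("4301@$", "aeoias")

def _normalise(pw):
    """Lowercase, undo leet substitutions, drop spaces before comparing."""
    return pw.lower().translate(LEET).replace(" ", "")

def check_password(pw, personal_terms=PERSONAL_TERMS, dictionary=DICTIONARY):
    """Apply the lesson's rules and return (verdict, problems)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in pw),
        "lowercase letter": any(c.islower() for c in pw),
        "number": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    norm = _normalise(pw)
    for term in personal_terms:
        if term.replace(" ", "").lower() in norm:
            problems.append(f"contains personal term '{term}'")
    core = re.sub(r"[^a-z]", "", norm)  # the letters left once digits/symbols are stripped
    if core in dictionary:
        problems.append(f"is a dictionary word in disguise: '{core}'")
    if problems:
        return "weak", problems
    if len(pw) >= 12:
        return "strong", problems
    if len(pw) >= 10:
        return "good", problems
    return "acceptable", problems

if __name__ == "__main__":
    for candidate in ("Jane2015!", "P4ssw0rd!", "Vq7#mLp2$xRw"):
        print(candidate, check_password(candidate))
```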

2. Set up a system to back up your whole site, files and database, on a regular basis

If you do get hacked, or even if you just damage the site yourself, those backups will be like solid gold. There are some good free plugins for creating backups of a WordPress site; please find one that you like and use it regularly. A paid plugin like BackupBuddy can streamline the whole process greatly. You will also need to save your backups to a location more secure than the hard drive on your computer, which could be lost or broken. An external hard drive is a step better than your computer itself, but an off-site “cloud” storage location such as DropBox, Google Drive or Rackspace is even better.

3. Always keep the WordPress software itself up-to-date

When there’s a new release, fixing security vulnerabilities is usually one of its purposes, so if you delay in updating, you leave your site open to those vulnerabilities.

WordPress 3.7 introduced a significant new feature: certain updates now happen automatically in the background for most WordPress installations.

Only updates from (for example) 3.7.x to 3.7.y will happen automatically. Major releases like (for example) 3.7.z to 3.8 will still require you to perform the update manually.

For major releases, you’ll receive a notification right in your Dashboard, and can update right there with one click. If you’ve used best practices in how you customize your site, updating WordPress should not break anything or cause any problems whatsoever.

Having regular full backups ensures that you can recover from a worst-case-scenario in which an update breaks something on your site.

4. Use the best quality web hosting you can afford

Before you sign up with any web host, get as much information as you can about the different companies. Read reviews; ask people you know. Call or email the host company, find out about the different types of accounts offered, and ask about the measures they take to keep WordPress sites secure.

5. Use only good-quality themes from established, reputable authors

Research the author or company behind any theme you’re considering, and be sure they plan to continue supporting the theme as WordPress continues to evolve. Also be sure they offer customer support for the use of the theme. [See our lesson on Choosing a Theme.]

6. Choose plugins carefully

Use plugins only if they have been tested by a lot of users, and comments and ratings are mostly good.

7. Keep themes and plugins up-to-date

This is for the same reason you keep WordPress itself up-to-date: coders release new versions in response to security threats, among other things, and using an old version of a theme or plugin can leave a security vulnerability open.

8. Delete any themes or plugins you are not using

Even inactive themes and plugins can be targets for hackers.

9. During the WordPress installation process, when you edit the wp-config.php file…

…there are two steps useful for security: setting the SALT strings, and giving the WordPress database tables a custom prefix. These steps are easy, and so there’s just no reason to ever leave them out. We explain how in the lesson on Installing WordPress.
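An added example, not from this lesson or from WordPress itself: a Python audit that reads a wp-config.php and reports whether the eight salt constants still hold the sample file’s placeholder, whether any two share a value, and whether $table_prefix is still the default wp_. The sample config below is constructed, and the 32-character minimum is an assumption of this check.

```python
import re

# Constructed wp-config.php excerpt (not from any real site): the eight
# salts still hold the wp-config-sample.php placeholder and the prefix is default.
SAMPLE_WP_CONFIG = """
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
MIN_SALT_LEN = 32  # assumed floor for this check, not a WordPress requirement

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")

def audit_wp_config(text):
    """Return a list of findings; an empty list means both steps were done."""
    defines = dict(DEFINE_RE.findall(text))
    findings = []
    for key in SALT_KEYS:
        value = defines.get(key)
        if value is None:
            findings.append(f"{key}: not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{key}: still the sample placeholder")
        elif len(value) < MIN_SALT_LEN:
            findings.append(f"{key}: shorter than {MIN_SALT_LEN} characters")
    # Each salt should be unique; duplicates usually mean one value was pasted everywhere.
    values = [defines[k] for k in SALT_KEYS if k in defines]
    if len(set(values)) < len(values):
        findings.append("salts: two or more keys share the same value")
    match = PREFIX_RE.search(text)
    if match is None:
        findings.append("table_prefix: not set")
    elif match.group(1) == "wp_":
        findings.append("table_prefix: still the default 'wp_'")
    return findings

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print(finding)
```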

Unfortunately, there are no magic bullets

There are lots of plugins whose purpose is to help you improve security, but there are none which improve your security just by being installed. Before you get into security plugins, make sure that you’re doing all of the basics (above). Then, only install a security plugin if you understand what it does and have the willingness and time to configure and monitor it regularly.

Once you’re doing all of the above, you can think about upping your security level in whatever ways you can. Please see the articles referenced under Further Reading for more information on WordPress security.