I know quite a few people who say that WordPress isn’t secure.
But in reality, WordPress itself is very secure. It’s just everything else that isn’t.
The biggest reasons WordPress sites get hacked are weak passwords and poorly written or outdated themes and plugins.
And don’t lay the blame on your hosting either. The job of your host is to keep their own servers protected. That is their goal. And since they have thousands of websites on their servers, they can’t keep track of every individual site to make sure it’s doing everything right.
So here are some things you can do to help secure your site.

  1. Don’t Use the Default Admin User Name
    • If you are still using Admin to sign into your dashboard, it’s time to change that. Because usernames are not encrypted and can be fairly easy to discover, if you leave it as Admin, you are giving those hackers 50% of your login without them having to do one thing extra. In fact, when they send out their little malicious bots to attack sites, they will have it set to get in using Admin as the username. Don’t make it any easier for them.
  2. Use a Strong and Unique Password
    • A weak password is by far the biggest reason sites get hacked. Make sure your password is strong and don’t use the same password for more than one login. An example of a password I would use: “JKIpDcV3PQc^kG5v6w$r#0h*”. If you have a lot of passwords, I would highly recommend getting a password manager to help you organize, create and easily remember your passwords. At their most basic, every password manager worth its disk space will generate secure passwords in just a few clicks, and save them all in a database encrypted behind a “master password”. And usually, it will automatically enter them for you on all your favorite websites so you don’t have to.
  3. Keep WordPress Up-to-Date
    • This is a critical piece of keeping your site secure. WordPress does update a lot. They issue major updates 3-4 times a year, for example, updating from version 4.2 to 4.3. In addition, between those updates are minor updates, for example, from 4.2.1 to 4.2.2. Often these smaller ones are security updates. Whenever a security hole is found, they push out an update almost immediately, and yes, you do need to apply it to your site. Fortunately, some hosting companies now will automatically do those small updates for you. In any case, make sure they are done. You can read more about this in my post about updating your site.
  4. Keep Themes and Plugins Updated
    • Just as you should keep your WordPress version updated, you will also need to keep your theme and all plugins updated. New versions come out with new features, but at the same time they will also push them out if a security fix is needed.
  5. Delete Unused Themes or Plugins
    • I recommend keeping only one theme installed besides the one you are using. That way if your theme breaks, your site will revert to that default theme, so you can start to troubleshoot. I recommend keeping the latest WordPress default theme as your backup (right now it’s twentyseventeen). Delete any other themes and any plugins that are not activated. We tend to install them thinking we will eventually use them, but as time passes, we don’t always think of keeping them updated. An outdated plugin that is not active is as much of a security risk as one that is activated. If in the future it turns out that you need them, you can always install them again.
  6. Be Careful When Giving Out Your Login Info
    • This should be a “Duh!” point, but it’s amazing to me how often a client will tell me that they shared this information with someone who is not associated with the site. So at least try to follow these rules:
      • Know the person you are sending it to and be sure that you can trust them.
      • If they need access to your dashboard (for example, a theme developer who needs to get in to help troubleshoot something), create a username just for them, give them administrative rights, and be sure to delete it when they are finished.
      • If you think your login has been compromised in any way, change your password. In fact, you should change your password frequently as a matter of course. I like to use New Year’s and Canada Day as reminders to change mine.
  7. Back Up, Back Up, Back Up!
    • I cannot stress this enough. You need to have a good backup system in place. And it needs to be a full backup, which means both your database and all your files. I also include a full WordPress Export of all my posts and pages as well – the suspenders to my belt, as it were. Check with your host to see what is being backed up, whether they archive and if so, for how long. There are also a number of plugins available to help you do the backups yourself – UpdraftPlus and BackupWordPress are two of the free ones I have used, and BackupBuddy is a premium (paid) plugin that works very well.
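Tips 1, 4 and 5 above can be checked mechanically rather than by clicking through the dashboard. The script below is an added example, not part of this post: it audits the kind of output WP-CLI prints for `wp user list`, `wp plugin list` and `wp theme list` with `--format=csv` (the column names are assumed to be WP-CLI's defaults), using a constructed sample rather than a real site.

```python
import csv
import io

# Constructed sample output in the shape of WP-CLI's CSV listings
# (assumption: default columns of `wp user list`, `wp plugin list`,
# `wp theme list`). The rows are made up for this example.
USERS_CSV = """ID,user_login,display_name,user_email,user_registered,roles
1,admin,Site Owner,owner@example.com,2015-03-01 10:00:00,administrator
2,editor_jane,Jane,jane@example.com,2016-06-12 09:30:00,editor
"""
PLUGINS_CSV = """name,status,update,version
akismet,active,none,4.0.1
contact-form-7,active,available,4.9
hello,inactive,none,1.6
old-gallery,inactive,available,1.2
"""
THEMES_CSV = """name,status,update,version
mytheme,active,none,2.1
twentyseventeen,inactive,none,1.3
twentysixteen,inactive,available,1.3
"""


def rows(csv_text):
    """Parse one WP-CLI CSV listing into a list of dicts keyed by column."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit(users_csv, plugins_csv, themes_csv, default_theme="twentyseventeen"):
    """Return (tip number, finding) pairs for the checks in tips 1, 4 and 5."""
    findings = []
    # Tip 1: a login named "admin" hands bots half of the credential pair.
    for u in rows(users_csv):
        if u["user_login"].lower() == "admin":
            findings.append(("1", f"rename account 'admin' (ID {u['ID']})"))
    # Tip 4: anything with an update pending, whether active or not.
    for kind, text in (("plugin", plugins_csv), ("theme", themes_csv)):
        for r in rows(text):
            if r["update"] != "none":
                findings.append(("4", f"{kind} {r['name']} {r['version']} has an update pending"))
    # Tip 5: inactive plugins go; only the default theme stays as a fallback.
    for p in rows(plugins_csv):
        if p["status"] == "inactive":
            findings.append(("5", f"delete inactive plugin {p['name']}"))
    for t in rows(themes_csv):
        if t["status"] == "inactive" and t["name"] != default_theme:
            findings.append(("5", f"delete inactive theme {t['name']}"))
    return findings


if __name__ == "__main__":
    for tip, finding in audit(USERS_CSV, PLUGINS_CSV, THEMES_CSV):
        print(f"tip {tip}: {finding}")
```

On a live site the three constants would be replaced by the output of the corresponding `wp ... list --format=csv` commands.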

There are quite a few security plugins available as well, and to do them justice they deserve an article all their own. That will be my next post.

Until then, I hope this article was helpful to you. If you know someone else who could use the info, please share!

Any questions? Use the comments below.