How to secure WordPress websites

By its very nature, the internet is open - and is therefore under threat from hackers, brute-force attacks, malware and phishing.

Security is imperative when running a website, and needs to be considered at every stage. Website security includes your web server, the CMS, your additional files, database structure, password length and staff awareness.

For example, 8% of hacks happened because of weak passwords. This is an easy and quick fix for anyone to do.

Here's a quote from the WordPress codex.

"Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It's about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked."

HandCoded design and build websites, but we also help with security and maintenance. In this brief blog post we'll explain a few methods of keeping WordPress CMS secure.

Update WordPress

WordPress CMS is updated regularly, to add new features and fix security vulnerabilities. Stay up to date. Admin users will just need to click the "Update" button after performing a backup.

Plugins and Themes

It's also advisable to update website plugins and themes, as these may have security patches too. It's best practice to delete unwanted and unused plugins and themes. Don't just deactivate them - delete them completely.

Disable PHP errors

PHP error messages displayed on a page can reveal useful details about your server and code to an attacker. Add "error_reporting(0);" to your wp-config.php file to switch off PHP errors. This is often overlooked by junior developers.
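As an added example (not code from the original post), here is a wp-config.php fragment showing the risky default beside a hardened configuration that hides errors from visitors but still records them for the site owner. The log path is an assumption; choose any location outside the web root.

```php
<?php
// Excerpt of wp-config.php (added example). Place these lines above the
// "That's all, stop editing!" line so they run before wp-settings.php.

// --- Risky: the developer setting. With WP_DEBUG on, WordPress raises
// error_reporting to E_ALL and prints notices into every visitor's page,
// which can include absolute file paths, plugin names and SQL fragments.
// define( 'WP_DEBUG', true );

// --- The post's one-liner. Note that WordPress core calls error_reporting()
// itself during load (wp_debug_mode() in wp-includes/load.php), so this
// value is reset; what reliably keeps errors off the page is display_errors.
// error_reporting( 0 );

// --- Hardened: no debug output, nothing rendered to the browser, but PHP
// still logs errors so the owner can spot breakage and attack attempts.
define( 'WP_DEBUG', false );          // no WordPress debug mode
define( 'WP_DEBUG_DISPLAY', false );  // only consulted when WP_DEBUG is true; stops a
                                      // later WP_DEBUG=true from printing to visitors
@ini_set( 'display_errors', '0' );    // PHP must never print errors into page output
@ini_set( 'log_errors', '1' );        // ...but should still log them
// Assumed path: outside the web root so the log itself is not downloadable.
// Avoid the default wp-content/debug.log, which sits inside the web root.
@ini_set( 'error_log', '/var/log/php/wordpress-errors.log' );

/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
```

After deploying, request a page that is known to trigger a notice and confirm the notice appears only in the log file, not in the HTML.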

Use secure passwords

Use a complex password on WordPress that's hard to guess, and not used on other websites or applications. Don't use dictionary words. Instead consider using random characters. You may want to use a service such as LastPass to secure your online credentials.

Enable SSL

An SSL certificate (the protocol is now TLS) encrypts all information sent to, and returned from, your website server. This helps prevent man-in-the-middle attacks, and will usually improve your Google rankings.

Limit login attempts

Most hackers will try to brute force their way into your WordPress account by trying thousands of combinations of usernames and passwords. To avoid this you'll need to limit the number of login attempts allowed in quick succession. Try the free "Login LockDown" website plugin.

Secure the MySQL database

Use a strong password to protect your MySQL database. Hackers may bypass WordPress and go straight to your database, which may be easier to hack. Choosing a strong username and password can help mitigate the risk.

Backup WordPress

Even with these security suggestions, your website may still be hacked. The easiest way to resolve this is to roll back to a backup. Make sure you take daily backups - hosted offsite.
