A Smart Guy’s Guide to Securing WordPress


It doesn’t matter if you’re a Fortune 500 company or someone with a small blog. If you have a website, you’re going to have to deal with website security.

Your WordPress website is running, you’re posting content, and things seem to be working just fine. How can you keep it secure? We offer three recommendations that will have a huge impact in securing your site:

  1. Use strong passwords
  2. Keep WordPress, your plugins, and your theme updated
  3. Have backups of your site

Security requires regular maintenance, like remembering to lock the doors of your house when you leave and making sure the oven is off. Sure, you don’t have to do those things, but the effort is minimal, and the reward is valuable peace of mind.

Strong Passwords


Good strong passwords are complex and difficult to remember.

Strong passwords have a mix of upper and lower case letters, numbers, and symbols. They are also by necessity longer than many passwords people choose, requiring eight or more characters.

Using strong passwords isn’t a new practice, but it goes against our personal preference. After all, it’s not easy for most of us to come up with something that works as a strong password while also being easy to remember.

The algorithms WordPress uses to rate a password as Weak, Medium, or Strong can do this for us.

Beginning in 2015 with version 4.3, WordPress changed how passwords worked. Rather than having you enter a password when a user account was created, it now creates strong passwords for you.

This is great! Now you don’t have to try and think of a secure password. Let the software do it for you – one less thing to worry about!

Yes, you’re going to need to remember it. We get it. There are wonderful tools that help you remember your passwords, however. Two you might try include 1Password and Keeper.
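The criteria above (upper and lower case letters, numbers, symbols, eight or more characters) can be checked and generated in a few lines. This is an added example, not WordPress's own code or its strength meter; the symbol set, the default length of 24, and the function names are assumptions made for illustration.

```python
import secrets
import string

# Character classes named in the article; the exact symbol set is an assumption.
SYMBOLS = "!@#$%^&*()-_=+[]{}"
CLASSES = {
    "lowercase letter": string.ascii_lowercase,
    "uppercase letter": string.ascii_uppercase,
    "number": string.digits,
    "symbol": SYMBOLS,
}
MIN_LENGTH = 8  # the article's minimum


def policy_failures(password, min_length=MIN_LENGTH):
    """Return the criteria the password misses (an empty list means it passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name}")
    return failures


def generate_password(length=24):
    """Draw from the OS CSPRNG until the result contains every character class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_failures(candidate, length):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs, followed by one freshly generated password.
    for sample in ("password", "Summer2024", generate_password()):
        print(f"{sample!r}: {policy_failures(sample) or 'meets all criteria'}")
```

A password can pass every check here and still be guessable if a person chose it; the strength comes from random generation, which is why the generator uses `secrets` rather than `random`.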

Keep everything updated


WordPress is open source code. The beauty of open source software like WordPress is that anyone can contribute to it, helping to improve and expand on the foundations. It’s almost organic in that open source code is constantly improving and maturing.

When someone discovers a bug in the code, developers can quickly write a fix for that bug, which can then go through rapid testing and deployment. Once that happens, WordPress notifies you when an update is available, and updates can be as simple as clicking a button.

When new versions of WordPress are released, updating your WordPress installation is pretty easy:

  1. When you log into WordPress, and are at the Dashboard, look in the left-hand menu, right under where it says, “Dashboard.”
  2. You should see “Home” and “Updates.”
  3. Click on “Updates.”

If WordPress needs an update, or your themes and plugins have updates, you will see the details here and can update things one at a time or in groups.

Backups

It’s always a good idea to have a current backup of your website. You never know when an update might go sideways, or something else unexpected happens. With a backup you can be up and running again with very little downtime.

Most web hosts give you the option to make a backup through something like cPanel. With others, you might have to manually copy your files and database yourself.

There are a number of free and paid tools that let you schedule backups or have them run automatically.

Our recommendations include BackupBuddy and VaultPress. These are both paid plugins that handle the backups for you within WordPress. There are also free options, but the peace of mind you get from having your site backed up might be worth the cost of the software.

Other security tips

When it comes to security of your website, there are always more things you can do to keep your site safe.

Many of them you can do with your WordPress website without all that much effort – things like setting up brute force protection, using a CDN, enabling two-factor authentication, etc.

None of these things really matter if you’re not doing the basic steps described above: keep WordPress updated, use a strong password, and have some kind of backup plan for your site.

Take care of those simple things first, and you can get back to enjoying your website.



Building relationships is key to any successful partnership, be it in business or life in general. At Crowd Favorite, Pat Ramsey gets to do that every day as Director of Ongoing Client Support. When he’s not building websites, Pat can be found organizing the Austin WordPress Meetup or helping with the tech networking community, Refresh Austin. He’s been a trainer and advisor for Knowbility’s Accessible Internet Rallies and AccessU, and a founder of the WordPress conference “after-after” party, CigarCamp. Pat is a former Navy Reserve sailor, a native Texan, and enjoys cooking large quantities of crawfish.

5 thoughts on “A Smart Guy’s Guide to Securing WordPress”

  1. I recommend a couple plugins that help stop brute force password breaking attempts: wp-fail2ban (which integrates with fail2ban on a Linux host system) and login-security-solution.

  2. Well explained. We need to first look up our basic WordPress setting. One more tip I advised: never use admin as your username.
