WordPress security | Guide to protecting your website
Protect your WordPress site from cyberthreats with strong security
WordPress is the world’s most widely used CMS. There are many good reasons for its popularity, including the countless customisation options you have at your fingertips when you create your website with WordPress.
Although WordPress is built on secure software that is continuously maintained and improved by many developers, its popularity has also made it an attractive target for cyber-attacks.
This means that whether you have a simple WordPress blog or a more comprehensive website, WordPress security must be a priority. By prioritising security, you reduce the risk of your site and data becoming targets for malicious attacks.
Fortunately, there’s a lot you can do to protect your WordPress website, even if you lack technical expertise. In this guide, we provide a list of security measures you can easily implement to improve the security of your website.
Create your website with WordPress
Start building your site with the world’s most popular CMS.
Choose a package
- 40+ free and unique one.com themes
- Stable and ultra-fast hosting
- Free SSL certificate
- Mobile friendly
- 1-click install
- 24/7 support
Why is WordPress security important?
The short answer is that by prioritising WordPress security, you can protect your WordPress website against harmful cyber-attacks that can destroy your important data, cause your website to crash, or lead to identity theft.
The typical purpose of a hacker attack is to steal personal information, spread malware, or take control of a website.
By ensuring your WordPress site is secure, you protect yourself, your users, and your company’s reputation.
WordPress protection: A how-to guide
In this section, you’ll find a list of security measures that will help you protect your WordPress website.
Secure WordPress hosting
It’s crucial to choose a hosting provider that excels in security to make sure you get your website started on the right foot, safety-wise. You should choose a host that has built-in malware protection, automatic backups, and an SSL certificate as part of its hosting packages.
With a good WordPress host, you’ll also have access to support when you need it. This gives you the best starting point when launching your online project.
Keep WordPress updated
One of the most important things you can do for optimal security on your website is to regularly update WordPress. WordPress continually releases new updates that repair vulnerabilities, so by keeping your WordPress core, themes, and plugins up to date you reduce the risk of cyber-attacks.
Even if your website and plugins appear to function as they should, they may still contain bugs and vulnerabilities that you won’t notice until it’s too late. Installing updates promptly closes these vulnerabilities as soon as a fix is released.
Skipping important updates is almost like leaving your front door open, which most people wouldn’t feel safe doing.
If you want to avoid the hassle of manual updates and further increase your website’s security, we recommend Managed WordPress, where we ensure your website is always up-to-date and functioning as it should. You can read more about Managed WordPress later in this article.
SSL and HTTPS
SSL stands for Secure Sockets Layer (its modern successor is TLS, but the name SSL has stuck). It is a protocol that encrypts the data exchanged between your website and the user’s browser. By activating SSL on your website, you prevent unwanted third parties and hackers from reading your or your users’ personal information in transit, such as credit card numbers, passwords, or other sensitive data.
When an SSL certificate is activated on your website, its address will change from HTTP to HTTPS, which is HTTP carried over an encrypted connection. After activating the SSL certificate, a padlock icon will also be displayed in the browser’s address bar, to the left of your website’s URL. The padlock symbol shows your visitors that the connection to your WordPress site is encrypted.
Typically, you have to pay for an SSL certificate, but if you choose WordPress hosting with one.com, an SSL certificate is included in your hosting plan no matter which plan you choose.
Strong passwords
Everyone knows that secure passwords are important in all contexts, but we often take the easiest route when creating a password. This is always a bad idea because it can be precisely your poor or reused password that causes a cyberattack or results in your personal data falling into the wrong hands. The more places you reuse the same password, the greater the risk. That’s why you need to have strong passwords everywhere on your WordPress website.
A strong password:
- Contains at least 12 characters
- Is not reused in multiple places
- Is not shared with others
- Is not a variation of one of your other passwords
- Contains a combination of upper- and lower-case letters, numbers, and special characters (! & @).
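The rules above can be turned into a check. The following is an added example, not code from one.com or WordPress: it implements the five rules in Python, treating "variation of another password" as either sharing the same core word (the password lower-cased with digits and symbols stripped from both ends) or being within two edits of an existing password; both thresholds are assumptions chosen for this illustration.

```python
import string

SPECIALS = set(string.punctuation)   # includes "! & @" and the other ASCII symbols


def _core(pw: str) -> str:
    # Reduce a password to the word a person is likely to vary:
    # lower-case it and strip digits/symbols at both ends,
    # so "Summer2023!" and "summer2024##" share the core "summer".
    return pw.lower().strip(string.digits + string.punctuation)


def _edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; a small value means one string is a tweak of the other.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate: str, existing: list[str]) -> list[str]:
    """Return the rules the candidate breaks (an empty list means it is acceptable).

    `existing` holds the user's other passwords, e.g. as exported from a password manager.
    """
    problems = []
    if len(candidate) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in SPECIALS for c in candidate):
        problems.append("no special character")
    core = _core(candidate)
    for other in existing:
        if candidate == other:
            problems.append("reused password")
            break
        same_core = bool(core) and core == _core(other)
        if same_core or _edit_distance(candidate.lower(), other.lower()) <= 2:
            problems.append("variation of an existing password")
            break
    return problems
```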
If you, like many others, find it difficult to remember all your different passwords, you can use a password manager. A password manager is a program, app, or website that collects all your passwords in one place.
With a password manager, all passwords are protected with one master password. This means you only need to remember the password to your password manager to access all your passwords.
Read more about password protection in our article 5 ways to password protect your WordPress website.
Two-factor authentication (2FA)
With two-factor authentication, a second form of authentication is required at login in addition to the password. The secondary authentication can be a unique one-time code sent via SMS to your phone number, or a code generated by an authenticator app, such as Google’s.
In some cases, it’s also possible to use your fingerprint or facial recognition as the second step, if your phone or tablet has this capability.
2FA provides extra protection against attacks because a hacker will not be able to log in to your website even if they have obtained your password.
If you host your WordPress website with one.com, you can further protect your site by enabling Advanced Login Protection directly from your control panel.
Consider user permissions
Are there other people who have access to your WordPress site? You should then be mindful when managing your user permissions. Every new user you create opens a potential loophole for hackers, so you should only give your users the permissions they truly need. For example, if you have a friend or an employee who helps you proofread or write website texts, they only need editing rights, not administrator rights.
If you have a user who will proofread your site content, you can give them the role of Editor. If the user is instead a writer who only needs to write and edit their own articles, the role of Author is the best choice.
It is also a good idea to regularly review your users and delete those who are no longer relevant.
Change your admin username
It’s not only your password that needs to be strong and unique! Your WordPress admin username should also be unique to reduce the risk of a brute force attack. When you have created your WordPress website, you can manually change the username in the wp_users table in phpMyAdmin. This tool is pre-installed in your hosting plan when you host your WordPress site with one.com.
You can access PHP & Database settings in the control panel under Advanced settings.
- Find the wp_users table (it may also be called 0_users).
- Find the admin username and click Edit.
- Under user_login, enter a new username in the Value field.
- Click Go to save.
Create backups
No matter how good the security is on your WordPress website, there is always a risk of something unforeseen happening, such as a cyber-attack or a technical error. Backups are your safety net in such a situation. If you have a backup, you can easily restore your website and its functions, preventing extended downtime that can harm your business’s reputation and revenue.
Avoid unsafe plugins
There are a large number of free and paid WordPress plugins you can use to expand the functionality of your website. Unfortunately, some of these can pose a security risk to your website or lead to technical issues that prevent your site from functioning.
The list of plugins that can damage your site or pose a security risk is quite long. Here is our complete list of discouraged WordPress plugins.
We recommend these plugins, which offer good security and ensure your website’s performance is always top-notch.
A selection of safe WordPress plugins:
- Contact Form 7
- Contact Form by WP Forms
- Imagify
- Jetpack
- Site Kit by Google
- Social Media Share Buttons
- WooCommerce
- WP Mail SMTP
- YARPP
- Rank Math SEO
- WP Rocket
Remove plugins you no longer need
To continue on the subject of plugins, it’s important to remove those plugins you no longer use. Having a lot of plugins can contribute to poorer security. Regularly review your plugins and get rid of those that are just collecting digital dust. Of course, first ensure that the plugin in question is not used for important functions on your website.
Disable PHP execution
At one.com, you can install WordPress with a single click. If you have used or will select this option, you can skip this point.
If you have installed WordPress manually, you should disable PHP execution in the upload folder. By doing so, you can prevent cyber-attacks where malware spreads from a PHP backdoor to the rest of your website.
To disable PHP execution, you can add the following lines to the .htaccess file in the upload folder (wp-content/uploads). Note that the dot before the extension list must be escaped, otherwise it matches any character.
# Block executables
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">
  # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
  deny from all
</FilesMatch>
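Before relying on a rule like this, it is worth checking which file names it actually catches. The following is an added example, not code from one.com or WordPress: it replays the FilesMatch pattern in Python against a constructed list of upload names. One caveat it surfaces: FilesMatch is case-sensitive unless the pattern starts with (?i), while Apache's mod_mime matches handler extensions such as .php case-insensitively, so a name like Shell.PHP would slip past the rule as written.

```python
import re

# The pattern from the .htaccess rule above, with the dot escaped.
BLOCK_PATTERN = r"\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$"


def is_blocked(path: str, pattern: str = BLOCK_PATTERN, ignore_case: bool = False) -> bool:
    """True if a <FilesMatch pattern> rule would deny this file.

    FilesMatch tests only the bare file name (no directory part) with a
    Perl-compatible regex; `ignore_case` stands in for a leading (?i).
    """
    name = path.rsplit("/", 1)[-1]
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, name, flags) is not None


def audit(paths, pattern: str = BLOCK_PATTERN, ignore_case: bool = False):
    """Split upload paths into (blocked, allowed) lists for review."""
    blocked = [p for p in paths if is_blocked(p, pattern, ignore_case)]
    allowed = [p for p in paths if p not in blocked]
    return blocked, allowed


# Constructed sample upload names (not taken from any real site).
SAMPLE_UPLOADS = [
    "2024/05/photo.jpg",
    "2024/05/report.pdf",
    "2024/05/shell.php",
    "2024/05/backdoor.phtml",
    "2024/05/index.php.suspected",
    "2024/05/Shell.PHP",
]

if __name__ == "__main__":
    for label, ignore_case in (("case-sensitive", False), ("with (?i)", True)):
        blocked, allowed = audit(SAMPLE_UPLOADS, ignore_case=ignore_case)
        print(f"{label}: blocked={blocked} allowed={allowed}")
```

To get the case-insensitive behaviour in .htaccess itself, prefix the pattern with (?i): `<FilesMatch "(?i)\.(php|phtml|...)$">`.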
Vulnerability monitoring
Vulnerability monitoring involves scanning your WordPress site for potential vulnerabilities that hackers can exploit. When vulnerability monitoring is carried out, all parts of your website, including themes and plugins, are scanned, significantly reducing the risk of encountering unforeseen errors or cyber-attacks.
By choosing a WordPress host that offers automatic daily vulnerability monitoring, you ensure that your website is always well protected against attacks.
Choose Managed WordPress for even better protection
As we mentioned earlier in the article, it can be time-consuming and annoying to manually check updates, backups, and additional security measures. If you prefer to avoid the trouble and save time, you can choose one of our Managed WordPress plans, which include:
- Vulnerability monitoring with automatic security patches
- Automatic plugin and theme updates with visual tests
- Uptime monitoring in-app
With Managed WordPress, you get more time for your most important projects, and you don’t have to worry about maintaining your WordPress site.
Make your WordPress site more resilient
By following the steps outlined in this article, you can significantly improve the security of your WordPress site. Regular updates, strong, unique passwords, secure WordPress hosting, and the other security measures mentioned will keep your site and your users safe.