10 Steps to a Secure WordPress Website

Every day, some scary report about a major site being hacked or a sensitive database being compromised hits the web … and freaks everyone out.

Why take WordPress security so seriously?

Why all the security talk? Because staying vigilant about security is an on going responsibility for any WordPress site owner. In fact, it’s an ongoing responsibility for everyone online, whether you’re using WordPress or not.

So we’ll continue to discuss it here as much, if not more so, than performance. Hey, sub-second load times are great, but not if you’re hosting hidden links to Viagra sites or Google is flagging your site as malware-infected.

I know that security can sometimes be a nebulous, obtuse topic. If you don’t have a technical background, the risks and the necessary safeguards can be difficult to comprehend.

As you read this list, consider it less a “top 10 list” and more of a checklist. If you come across one, two, or ten of these that you cannot mentally check off as being part of your current security arsenal, stop reading and go implement it.

Let this motivate you: we see between 50,000-180,000 unauthorized login attempts every single day at the sites we host. The vast majority of these are hackers using brute force techniques to get into websites and wreak havoc. It is possible, perhaps even probable, that a hacker halfway across the globe is trying to hack into your site at this very moment

… I hope your password isn’t password123.

And now, on to the most important top 10 list you’ll read all week:

1. Maintain strong passwords

Let’s kick off the list with the easiest step you can implement immediately. Hopefully you already have.

If not, do not procrastinate on this one.

Take this seriously.

Excuses like, “But I want one password for all of my sites so that I won’t forget!” or “My (generic) password is good enough, and what are the odds that someone is really going to try to hack me?” are not acceptable.

If you aren’t using a password that’s at least ten characters, with numbers and letters, capitals and lowercase … you’re doing it wrong. Do it right. Especially this one.

2. Always keep up with updates

WordPress updates are not just released for the Google News search results. They are released to fix bugs, introduce new features, or, most importantly, to patch security holes.

Will WordPress (or any software program, for that matter) always be one step ahead of the hackers? Of course not. Quite the contrary. For the most part, as with performance-enhancing drug testing in sports, software is always going to be one step behind the hackers. That’s just how it goes, it’s the world we live in.

But when major security holes are known — and patches are available — there is no excuse not to implement them. Thus, there is no excuse not to keep up with WordPress updates. The same goes for plugins and themes.

I know that many of you feel trepidation when it comes to updating WordPress, afraid that it might break your theme or disrupt a plugin’s functionality. My response to this is simple: if you’re afraid of it, then you need to re-evaluate your theme and plugin strategy. Your theme

As for plugins, this is why vetting plugins is so important. If a plugin isn’t updated regularly, or you’re not paying for support, then you should be afraid of it possibly breaking with a WordPress updates. Thus, you might want to rethink using it at all.

wordpress websites3. Protect your WordPress admin access

Should you change the name of the default “admin” user that every WordPress installation starts out with? Sure, you can. It certainly isn’t going to hurt.

Just know that it isn’t the pinnacle of security measures. Hackers can find usernames fairly easily from blog posts or elsewhere.

More important than disguising the specific admin username is to make sure that every username of your site with administrator access is protected by a strong password. (Yes, I’m referring you back to #1 in this list.)

4. Guard against brute force attacks

Before you pass out at the magnitude of that number, know that you’re far from powerless against these nameless, faceless hack attempts.

First, your web host should be helping to protect you from brute force attacks. We do. We regularly monitor where failed login attempts are coming from and then lock out the offending IP addresses.

Second, make sure you’ve checked off tips 1, 2, and 3 above.

Third, there are programs that can be installed (such as Limit Login Attempts) that will make it much more difficult for brute force techniques to work.

5. Monitor for malware …

It’s imperative that you have some kind of system in place to constantly monitor your site for malware.

How you monitor is vitally important. Choose a method that can actually dive into your file structure and detect deep breaches, rather than one that just shows you where you’re vulnerable.

6.Then do something about malware!

Monitoring for malware is not a solution in and of itself. The solution is what happens once malware is detected. If you are not a Synthesis customer, the Sucuri team is a great one for you to partner with because they’ll not only scan for malware, they’ll help you clean it up once it’s detected. And if you are a Synthesis customer, you already know that we’ll take on the job of cleaning and repairing your site should anything bad happen to it.

7. Choose the right web host

I’ve already told you about the server-side scanning and malware cleanup guarantee that we give all of our customers. One major security risk is being on a shared server. Think of it this way: take the security risks inherent in your own WordPress installation, then multiply it by the number of sites on the server. And if you go with generic hosting, chances are you’re going to be lumped in with hundreds and hundreds of other websites.


Your own VPS may not the right option for you. It may be too expensive, or your traffic may not necessitate it. That’s fine. But if you’re going to be on a shared server, make sure it’s shared with just a small number of sites (our shared servers have no more than 10 sites) on a hosting stack that has proven safeguards in place to protect it.

Also, find a host that doesn’t get complacent about security.

Anyone who would claim to “have security figured out” has no clue. Online security is constantly changing. Web hosting companies need to constantly evolve with that changing landscape, and the threats the come with it. Make sure whoever you trust your website to operates with this mentality.

8. Clean your site like you clean your kitchen

Did you know that your WordPress installation could easily have ticking time bombs sitting on it that you’re not aware of?

If you have old themes and plugins that you’re not using anymore, especially if they haven’t been updated, you can basically just go ahead and start the countdown to your next security breach. A messy site also makes it much more difficult for security professionals to operate should your site be compromised.

You wouldn’t leave dirty dishes and silverwear sitting in stale water for three days in your sink would you? Of course not. It would be a breeding ground for filth and muck.

9. Control sensitive information

And when you are doing that cleanup of your file structure, check to make sure you are not leaving bits of valuable information available for all the world to see. For example, the readme.html file by default will say what version of WordPress you’re running. If you’re running an older version of WordPress with a known security hole, hackers will find you.

Similarly, look into your phpinfo.php or i.php files. They’ll tell a hacker everything about your setup and serve as a “road map to the house” before they even break in.

And leaving .sql database backups files is a big no-no. If a hacker can download your entire database they’ll have every username and encrypted password you’ve ever used at their disposal.

While your website host should be scanning for items like this, why leave anything to chance? You wouldn’t walk out your front door without pants on (at least I’d hope not!) … so don’t run your website that way.

10. Stay vigilant

This is one is pretty easy to explain. Just stay on top of what’s going on out there.

You should be with a managed WordPress host who has your back, but it never hurts to have your own too. Just keep your eyes peeled. Don’t think that security issues are only affecting those other sites. They could just as easily be affecting yours.