Skip to main content

WordPress Security Best Practices

How to keep your site healthy and safe

by mangrove team
published on 09.19.2018
locks on fence

An unfortunate reality these days is that websites are under pretty constant attack from hackers; according to, Google blacklists around 70,000 websites each week for different kinds of nefarious online behaviors! Most hackers utilize “brute force attacks” where they try as many different combinations of login credentials as possible to get into a site. Once inside, they might steal valuable client information or mess with your website just because they can. So, what can you do to protect your website and avoid these online pests?

10 Steps for greater site security

The good news is, there are various ways to protect yourself from hackers getting access to your website. The following list is generally in order from most to least important. The more of these you do, the tighter your security will be.

1. Keep WordPress core and plugins updated frequently.

Most hackers target insecurities in the WordPress core and plugins, so keeping your site updated will ensure that you have the latest patches and security code directly installed. The WordPress core is constantly being improved by a world-wide team of developers who are constantly applying security patches in response to the latest breaches, but these are useless if the updates are not applied on a regular basis. Using plugins sparingly and only using plugins that are maintained and updated frequently will also help, as security breaches quite often occur via plugin code.

2. Consider your hosting options thoughtfully.

As you are choosing a hosting service, pay attention to the security options different providers offer. One of the key security steps a hosting service can provide is to make regular backups of your site, which will keep a copy of your files safe if something should go wrong (such as hackers or an update gone awry). Other host-based security steps may include automatically updating WordPress, providing firewalls, and scanning for threats like malware and “distributed denial of service” attacks. WPEngine, our host of choice, covers all of these security steps. (You can find more details on hosting in our post about choosing a hosting provider.)

3. Ensure there is a solid backup solution in place.

If something goes terribly wrong with your site, you will want a complete and easily accessible backup file to use to restore it. We host most of our sites in WPEngine, which backs up automatically on a daily basis (including all media uploads which some hosts omit) and keeps older backups for weeks. If your hosting service doesn’t provide full backups, get a plugin that will make backups on a regular basis. Make sure you have backups of not only your database, but your full site files as well.

4. Use strong passwords throughout your site.

Not just for the admin area, but also for FTP accounts, any databases, your hosting account, and your professional email address. Ensure that all these passwords are long, complicated and unique – it doesn’t do much good to password protect every part of your site if you always use the same easy-to-guess password. Keeping passwords long and complicated makes them harder for a hacker to guess. Keeping passwords unique ensures that if hackers manage to guess one of your passwords, they don’t have access to everything in your site. Creating and remembering long, complicated, unique passwords is hard, so we suggest using a password manager like LastPass or 1Password to help store them safely.

5. Change the administrator user name to something other than “admin.”

Hackers are usually trying to guess the username and password to get in to your admin portal. If you keep your user name set as admin, you’ve already done half the work for them.

6. Install a security plugin.

These specialized plugins go above and beyond the security offered by your host or WordPress directly to help keep your site safe. We use iThemes, which takes care of quite a few things on this list with the proper configuration. Sucuri is another service with similar offerings.

7. Restrict the number of login attempts allowed.

Limiting the number of times hackers can try to guess your login credentials makes it harder to get in to your site. There are plugins, like iThemes, that will take care of this for you and lock users out after a certain number of incorrect attempts.

8. Give admin access sparingly.

Use specific user roles and capabilities to control who has access to your site. WordPress has carefully defined roles that have different sets of privileges. Give people exactly the access they need when they need it, and remove their access when the work is done. This doesn’t mean you don’t trust your coworkers, it’s a recognition that the fewer people who have access to all parts of your site translates to fewer opportunities for site access to be compromised.

9. Password protect admin and login pages.

Normally, it’s very easy to access the WordPress login page – just add “/wp-admin” to the website’s root url. You can add password protection on the server side that prevents people from even getting to the WordPress login screen, let alone getting inside your site.

10. Use Two Factor Authentication.

Two factor authentication requires users to have two of three things: a knowledge factor (like a password), a possession factor (like a cell phone) and, an inherence factor (like a fingerprint or retinal scan). Scanning your retina everytime you want to log in to your website is probably overkill, but we use possession and knowledge all the time – think of having your bank card and knowing PIN at the ATM, for example, or trying to log in to your gmail from a new device and first having to enter a code sent by Google to your phone – you know your password, and you must have your phone (with a second password to prove it). You can set up the same security measures on your website to add another layer of security.

In Conclusion…

Overall, keeping your WordPress site secure requires a little more work, but it’s well worth the benefit. If you’ve ever cleaned up a site hack (or had to pay for a cleanup), or experienced a few days of site outages, you understand. There are various additional steps you can take above and beyond the ideas listed above to keep your site secure, but you should be well on your way with these as a start.

We also suggest reading the following articles for further information:

A Certified B Corp, Mangrove is a woman-owned website design and development company with a diverse, talented team distributed around the globe. We’ve been building websites since 2009 that amplify the work of change-making organizations and increase the competitive power of businesses owned by historically marginalized people.

If you found this post helpful,  subscribe to our monthly newsletter for notice of future posts and other news from us.

Thinking about a project?