How to keep your WordPress website secure

Whether directly generating sales through an eCommerce store, generating leads to bring you more customers, or serving as an online credential to showcase your expertise, your website is a vital asset for your business.

WordPress is, by far, the most popular way to build a website. It powers around 40% of the websites on the Internet – that means that 2 out of every 5 websites you see are likely to be using WordPress. 

But this popularity does have its downside. WordPress is a very tempting target for hackers and other malicious actors.

Every year, hundreds of thousands of sites get hacked – which sounds pretty grim, right?! But this is not due to vulnerabilities found in WordPress; it is due to out-of-date software and insecure passwords. Updates and maintenance are critical to the safety of your website.

When you own a WordPress site, security rests on your shoulders. Not having a plan in place to keep your business and customer data safe can damage your company’s reputation and result in a loss of revenue as your customers turn to your competitors instead.

Here are 5 essential security features that your website should have in place now:


Backups

Backups are like an insurance policy for your website – just in case your security plan fails. You should perform regular, scheduled backups of your website files and data and store them securely in a location separate from your website. Backups won’t make your website more secure – but they will give you peace of mind knowing that if anything happens to your site you can easily & quickly restore a recent version.

SSL Certificates

You may have noticed that some websites have a padlock icon in the address bar. This means that the website is using an SSL Certificate to protect your data.

An SSL certificate is a small data file that establishes an encrypted link between a browser (like Firefox or Chrome) and a server (where the website files live). This means that when you enter your information into a form on a website protected with an SSL certificate, no one but you and the website can see or access your information.

If you ask for any customer data on your website you should be using an SSL certificate.


Strong Passwords

Website security is all about risk reduction. And one of the easiest ways to reduce the risk of a malicious actor gaining access to your site is to make sure that you, and any team member who has access to your website, use strong, unique passwords.

You should make sure the password you use on your website is not one you use anywhere else (this is a good practice for any site you have login access to – from your bank accounts to your social media accounts). And it should meet the following criteria:

  • At least 1 uppercase character
  • At least 1 lowercase character
  • At least 1 digit
  • At least 1 special character
  • At least 10 characters, with no more than two identical characters in a row

Because passwords like this are hard to generate – and to remember – I recommend using a Password Manager like 1Password or LastPass.
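The five criteria above can be checked, and a compliant password generated, with a few lines of code. This is an added example, not part of the original article; the function names and the 20-character default are assumptions, and any non-alphanumeric character is counted as "special" because the article does not define the set.

```python
import secrets
import string

MIN_LENGTH = 10
# Assumption: specials the generator draws from; the checker accepts any non-alphanumeric.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"


def policy_violations(password):
    """Return the criteria from the list above that `password` fails (empty list = passes)."""
    problems = []
    if not any(c.isupper() for c in password):
        problems.append("needs an uppercase character")
    if not any(c.islower() for c in password):
        problems.append("needs a lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in password):
        problems.append("needs a special character")
    if len(password) < MIN_LENGTH:
        problems.append("needs at least 10 characters")
    # "No more than two identical characters in a row": reject any run of three.
    if any(a == b == c for a, b, c in zip(password, password[1:], password[2:])):
        problems.append("has three or more identical characters in a row")
    return problems


def generate_password(length=20):
    """Draw characters from the OS CSPRNG and retry until every criterion is met."""
    if length < MIN_LENGTH:
        raise ValueError("length is below the policy minimum")
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account.
    for sample in ("Summer2024", "Passsword1!", "Tr1cky-Pa55word"):
        print(sample, "->", policy_violations(sample) or "OK")
    print("generated:", generate_password())
```

Passing these checks says nothing about uniqueness; reuse across sites still has to be avoided separately, which is what the password manager is for.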


Updates

The WordPress team work tirelessly to keep their software secure – and regularly put out updates of the WordPress core software that include security patches. To stay ahead of hackers, you need to make sure you apply these updates as soon as possible.

Your website plugins and themes are also regularly updated with security patches and new functionality – and you should make sure that these updates are applied promptly.

If you have plugins or themes on your site that are not being regularly updated by the developers, it is a good idea to find out why. If the plugin or theme is no longer being supported, it may have vulnerabilities that could compromise your website security.

If you have plugins or themes on your site that you are no longer using, you should remove them. Having unused plugins on your WordPress installation, even if they are disabled, can be a security risk.

Limit Access

When you give anyone access to your website, you should never give them your master password.

Every user on your site – whether it is a staff member, designer, or digital marketing pro – should have their own login with only the specific access they need to do their job on your site.

WordPress includes roles for Administrators, Authors, Editors, Contributors, and Subscribers. This means you can tailor the access users have to your site according to what each role has permission to do.

  • Administrator: has access to all the administration features within a single site.
  • Editor: can publish and manage posts including the posts of other users.
  • Author: can publish and manage their own posts.
  • Contributor: can write and manage their own posts but cannot publish them.
  • Subscriber: can only manage their profile.

Make sure when users no longer require access to your website that you remove their login.
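A periodic access review can be automated by comparing the site's user list against a record of who should have which role. This is an added example, not part of the original article; the sample data is constructed in the CSV layout produced by `wp user list --fields=user_login,user_email,roles --format=csv` (WP-CLI), and the `APPROVED` mapping and function name are hypothetical.

```python
import csv
import io

# Constructed sample export; logins and addresses are made up.
SAMPLE_USERS_CSV = """user_login,user_email,roles
owner,owner@example.com,administrator
jane,jane@example.com,editor
agency-dev,dev@example.com,administrator
old-intern,intern@example.com,author
newsletter-fan,fan@example.com,subscriber
"""

# Hypothetical record of who needs access today, and the role their job requires.
APPROVED = {"owner": "administrator", "jane": "editor", "agency-dev": "author"}

# The five built-in roles listed above, lowest privilege first.
RANK = {"subscriber": 0, "contributor": 1, "author": 2, "editor": 3, "administrator": 4}


def audit_users(users_csv, approved):
    """Return (login, action) pairs for accounts holding more access than approved."""
    findings = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        login = row["user_login"]
        roles = [r.strip() for r in row["roles"].split(",") if r.strip()]
        if not roles:
            continue  # account has no role on this site
        # A user may hold several roles; judge by the most powerful one.
        # Unknown (custom) roles rank above administrator so they get reviewed.
        actual = max(RANK.get(r, len(RANK)) for r in roles)
        if login not in approved:
            # Subscribers can only manage their own profile, so they are left alone.
            if actual > RANK["subscriber"]:
                findings.append((login, "remove login"))
        elif actual > RANK[approved[login]]:
            findings.append((login, "downgrade to " + approved[login]))
    return findings


if __name__ == "__main__":
    for login, action in audit_users(SAMPLE_USERS_CSV, APPROVED):
        print(f"{login}: {action}")
```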

Is your website secure?

If there are any items on this list that you don’t have in place for your website currently, set aside some time to create a security plan for your site and get them set up. If you need any help, please be in touch.