An essential component of maintaining your WordPress website involves keeping it secure. By keeping your WordPress website secure, you’re not only protecting your own website, web server and website visitors, you’re also helping prevent harmful activity on other websites, servers and users’ computers, tablets and smartphones.
Here are five best practice recommendations for improving WordPress security:
1. Keep WordPress updated and remove unused plugins and themes
Updates to WordPress themes, plugins and core are released fairly often. It’s important to keep your website up-to-date with the most current releases in order to prevent security breaches, fix bugs, and have all of the latest features at your disposal. If you’d like to be notified by e-mail when an update relevant to your website is released, the Mail On Update plugin was created just for this purpose. Alternatively, the WordPress security plugin mentioned below, Wordfence, also has the option to email you when an update is needed on your website (see #4 below for more information). Also, be sure to remove any unused plugins or themes that may be installed on your site: code that is installed but not maintained is still reachable on the server.
2. Create a unique, secure password
This may be the easiest thing you can do to help keep your website secure and is just plain common sense these days: use a strong password.
Here’s a great tip for crafting your unique, secure password:
Take your favorite line from a movie, song, or book and convert it to a passphrase that contains uppercase and lowercase letters as well as special characters. Let’s say your favorite song is Brown Eyed Girl by Van Morrison and the opening line, “Hey where did we go? Days when the rains came” just makes you want to break out in song. Why not use that as the basis of a secure yet personally memorable password like HwdwG?*DwtRC!*135 ? It contains uppercase and lowercase letters, a few special characters, and numbers. It is also not a word that appears in a dictionary, which gives additional protection against guessing attacks, yet it is personalized and easy for you to remember.
A few things to avoid when choosing a password include:
- Any alteration of your name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password (use a minimum of eight characters).
- Any password composed only of alphabetic characters (a mixture of alphabetic, numeric, and/or special characters is best).
Want to test the strength of your password? Check out this free secure password checker tool offered by Microsoft.
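As an added example (not part of the original post), here is a small Python checker that applies the four rules from the list above to a candidate password. The word list and the list of names to test against are constructed stand-ins; a real check would load a full multi-language dictionary.

```python
import re

# Constructed stand-in for a real word list; in practice load a full dictionary
# (ideally several languages, since the rule says "in any language").
DICTIONARY = {"password", "welcome", "letmein", "monkey", "brown", "girl", "summer", "admin"}

# Common digit/symbol substitutions that do not make a dictionary word meaningfully stronger
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def normalize(text: str) -> str:
    """Lower-case and undo common leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return text.lower().translate(LEET)

def derived_from_names(password: str, names: list[str]) -> bool:
    """True if any name (username, company, site name...) or one of its alphanumeric
    parts of four or more characters appears inside the password."""
    haystack = normalize(password)
    for name in names:
        parts = re.findall(r"[a-z0-9]+", normalize(name))
        for candidate in parts + ["".join(parts)]:
            if len(candidate) >= 4 and candidate in haystack:
                return True
    return False

def is_dictionary_word(password: str) -> bool:
    """True if the password, stripped of digits and symbols (before or after undoing
    leet substitutions), is a single dictionary word."""
    raw_letters = re.sub(r"[^a-z]", "", password.lower())
    normalized_letters = re.sub(r"[^a-z]", "", normalize(password))
    return raw_letters in DICTIONARY or normalized_letters in DICTIONARY

def check_password(password: str, names: list[str]) -> list[str]:
    """Return the rules from the checklist that the password violates (empty list = passed)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if password.isalpha():
        problems.append("only alphabetic characters")
    if derived_from_names(password, names):
        problems.append("contains your name, username, company or site name")
    if is_dictionary_word(password):
        problems.append("is a dictionary word")
    return problems

if __name__ == "__main__":
    # Constructed sample: the passphrase-derived password from the post versus weak choices
    names = ["Van Morrison", "Example Co", "example.com"]
    for pw in ["HwdwG?*DwtRC!*135", "P@ssw0rd", "MySiteBlog", "admin"]:
        print(pw, "->", check_password(pw, names) or "OK")
```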
3. Never use the default “admin” username
If your WordPress website has a user with the default “admin” username, it is highly recommended that you change it. The “admin” username is a well-known target for login-guessing attempts against WordPress sites. If your website still has a user called “admin”, follow these steps to change it:
- Log in to your WordPress website.
- Click on Users > Add New in the left-hand admin menu.
- On the subsequent page, fill in the fields to create a new user account with a different username. You will need to use a different email address than what is currently in use by the “admin” user and be sure to select Administrator as the Role for the new user. Click the Add User button to complete the new user registration process.
- Next, log out of WordPress.
- Now, you’ll need to log into your WordPress website again using the new username and password you just created.
- Click on Users in the left-hand admin menu.
- Hover your cursor over the “admin” username; links for “Edit” and “Delete” will appear. Click on “Delete.”
- You will be prompted with a dropdown menu to select the user to whom all of the posts and links created by the “admin” user should be attributed. Be sure to select the radio button for “Attribute all posts and links to…” and choose the new user (or another preferred user) to whom the content will be transferred.
- Click on the Confirm Deletion button.
That’s it! You have now removed the “admin” username from your WordPress website. All posts, pages and links created by the admin account have been transferred to the new (or preferred existing) user.
Tip: If you would like to update the email address used for the new account to be the one you previously had set up for the “admin” account, you can change it by clicking on Users in the left-hand admin menu and hovering over your new username and clicking “Edit”. Update the email address under the Contact Info subheader and click the Update Profile button to save your changes. You’re all set!
4. Install WordPress security plugins
There are a number of WordPress security plugins that can be installed on your website to add some additional security. One that I highly recommend using is Wordfence. Wordfence is a free plugin that scans your WordPress website for viruses, malware, and changes to your files, and can be configured to email you if a plugin, theme, or core update is needed. See Wordfence Protects Your WordPress Site From Hacks for a step-by-step visual guide on installing and configuring the plugin to scan your website. To set up email notifications, go to Wordfence > Options from the left-hand admin menu and set the Where to email alerts field.
5. Configure your backups
Backup, backup, backup! There are plenty of WordPress plugins that can easily be set up to automate backups for you. One that I recommend and frequently use is UpdraftPlus. This plugin offers many configurable options for automated backups, including backup to the cloud (using services like Amazon S3, Dropbox, and Google Drive), FTP, SFTP, and email. Should you need to restore your website, it can be performed with the click of a button.
Additional resources
- Create strong passwords (Microsoft)
- FAQ: My site was hacked (WordPress)
- WordPress Backups (WordPress)