There are some basic security measures every WordPress user should be aware of. The main reasons a WordPress site gets compromised are out-of-date plugins, themes or WordPress core, and weak passwords. Taking care of these two things dramatically reduces the chance of a successful attack.
Simple passwords and passwords using dictionary words can be guessed by automated tools.
- Google provides a useful guide to creating strong passwords.
- Loginizer is a free plugin you can use to prevent automated password guessing attempts.
- Wordfence also prevents automated password guessing attempts, and more.
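To show what "preventing automated password guessing" looks like under the hood, here is an added example of a small must-use plugin that throttles failed logins per client IP. It is not code from the original article, Loginizer or Wordfence; the limits (5 failures in 15 minutes, then a 15-minute lockout) and the `ct_example_` names are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Login Attempt Throttle (added example)
 * Description: Illustrates how a login-guessing limiter works. Not part of the
 * original article or any plugin it recommends. Save in wp-content/mu-plugins/.
 */

// Assumed policy: 5 failed attempts from one IP within 15 minutes locks that IP out
// until the window expires.
define( 'CT_EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'CT_EXAMPLE_WINDOW', 15 * MINUTE_IN_SECONDS );

// Transient key for the calling client. Behind a proxy or CDN, REMOTE_ADDR is the
// proxy's address; use the header your host documents instead, never an arbitrary one.
function ct_example_client_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'ct_example_login_fail_' . md5( $ip );
}

// Count each failed login in a transient that expires with the window.
function ct_example_record_failure( $username ) {
	$key   = ct_example_client_key();
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, CT_EXAMPLE_WINDOW );

	if ( $count >= CT_EXAMPLE_MAX_ATTEMPTS ) {
		// Record the lockout for the site owner; the username is attacker-controlled,
		// so sanitize it before it reaches the log.
		error_log( sprintf(
			'Login throttle: lockout for IP %s after %d failures (last username: %s)',
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
			$count,
			sanitize_user( $username )
		) );
	}
}
add_action( 'wp_login_failed', 'ct_example_record_failure' );

// Refuse authentication while the client is locked out. Priority 30 runs after
// WordPress's own username/password check (priority 20), so this error replaces
// whatever that check returned, even a correct password.
function ct_example_block_locked_out( $user, $username, $password ) {
	$count = (int) get_transient( ct_example_client_key() );
	if ( $count >= CT_EXAMPLE_MAX_ATTEMPTS ) {
		return new WP_Error(
			'ct_example_locked_out',
			__( 'Too many failed login attempts. Please try again later.' )
		);
	}
	return $user;
}
add_filter( 'authenticate', 'ct_example_block_locked_out', 30, 3 );

// A successful login clears the counter for that client.
function ct_example_clear_on_success( $user_login, $user ) {
	delete_transient( ct_example_client_key() );
}
add_action( 'wp_login', 'ct_example_clear_on_success', 10, 2 );
```

Because the `authenticate` filter also rejects a correct password during the lockout, a guessing tool that eventually stumbles on the right password still gets an error until the window expires. The plugins recommended above add what this sketch leaves out: whitelisting, notification emails and protection for XML-RPC logins.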
Always run the latest versions of WordPress, your theme and plugins. This way you can be sure any security related updates that have been made are applied to your site. WordPress has one-click updates to make this easy.
- WordPress by default automatically updates itself when a minor release is made. Minor releases address security issues, so this is very helpful.
- Companion Auto Update can automatically update plugins for you or you can set it to email you when new updates are available. Some web hosts can auto-update your plugins as well, so check with yours.
- Wordfence will also send you an email when a plugin or theme needs to be updated.
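If you would rather not install another plugin, WordPress can be told to update plugins and themes on its own. The following is an added example of a must-use plugin that does this using WordPress's own `auto_update_plugin`, `auto_update_theme` and update-email filters; it is not code from the original article, Companion Auto Update or Wordfence, and the `ct_example_` function and the placeholder plugin path in the exception list are assumptions.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy (added example)
 * Description: Turns on automatic plugin and theme updates and keeps core on
 * minor releases. Save in wp-content/mu-plugins/auto-update-policy.php.
 */

// Keep WordPress core on automatic minor (security and maintenance) releases only.
// This constant is usually set in wp-config.php; the guard avoids redefining it.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Install plugin and theme updates as soon as WordPress sees them.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Exception list (assumption): plugins whose updates you want to test manually first,
// identified by their plugin file path. The entry below is a placeholder.
function ct_example_skip_manual_plugins( $update, $item ) {
	$manual = array( 'example-custom-plugin/example-custom-plugin.php' );
	if ( isset( $item->plugin ) && in_array( $item->plugin, $manual, true ) ) {
		return false;
	}
	return $update;
}
// Priority 20 runs after the __return_true filter above, so the exception wins.
add_filter( 'auto_update_plugin', 'ct_example_skip_manual_plugins', 20, 2 );

// Email the site admin after each automatic plugin or theme update run, so you know
// what changed if something on the site looks different.
add_filter( 'auto_plugin_update_send_email', '__return_true' );
add_filter( 'auto_theme_update_send_email', '__return_true' );
```

Automatic updates only run when WP-Cron fires, so a site that gets no visitors for days will lag behind; Wordfence's update emails are a useful cross-check that nothing is stuck.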
See our guide on Updates for more information.
Every website should be backed up on a regular basis. This way, if something ever does happen, you’re covered and can restore your site. Read our recommendations for Backup Solutions. Many hosts will do this automatically and there are also useful plugins to handle backups.
Enable HTTPS / SSL
Every website should use https:// instead of http://. You can make this switch by installing a free SSL certificate. Read HTTPS for WordPress: Auto-enable SSL for Free to learn how to set this up for free in three simple steps.
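Once a certificate is installed, WordPress itself needs to know the site is served over https, otherwise it keeps generating http:// links and may leave the login page reachable over plain http. The following wp-config.php fragment is an added example, not from the original article or the linked guide; `example.com` is a placeholder for your own domain.

```php
<?php
// Added example for wp-config.php. Replace example.com with your site's domain.

// Tell WordPress the canonical address is https, so generated links and redirects
// use it and a stale http:// value in the database can no longer override it.
define( 'WP_HOME',    'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// Require https for the login page and the whole dashboard, so the password and the
// login cookie are never sent in the clear.
define( 'FORCE_SSL_ADMIN', true );

// If your host terminates TLS at a proxy or CDN, WordPress sees plain http and would
// redirect forever. Only enable this block if your host documents that it sets the
// X-Forwarded-Proto header itself; otherwise a visitor could send the header and make
// WordPress treat an http request as secure.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
	$_SERVER['HTTPS'] = 'on';
}
```

After saving, load the login page over http:// and confirm you land on the https:// address; then check a few pages for mixed-content warnings, which come from hard-coded http:// image or script URLs in old posts.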
It is usually enough to use strong passwords and keep WordPress, plugins and themes up to date. However, if you want an extra layer of protection, consider a Web Application Firewall (WAF).
Sucuri provides a firewall that helps protect a website (WordPress and other platforms) against attacks. If ever their system doesn’t catch an attack and your website is compromised, Sucuri will remove malware for you. We use Sucuri ourselves for churchthemes.com since our website is critical to our business. However, we don’t recommend it for most churches due to the cost and somewhat technical setup procedure. If your website has been repeatedly hacked then you may want to consider Sucuri.
Wordfence is a less expensive and easier to use solution (free to $99/year) that provides comparably effective protection. Our company has used this plugin for other websites and we recommend it.
- Things You Should Do After Building Your WordPress Site touches on security in more depth.
- Read Hardening WordPress on the WordPress Codex if you would like even more details.