"I saved our church A TON of money..."
— Eric Johnson What They Say


There are some basic security measures every WordPress user should be aware of. The main reasons for a WordPress site being compromised are out of date plugins, themes or WordPress itself and weak passwords. Taking care of these two things dramatically reduces the change of an attack.

Password Security

Simple passwords and passwords using dictionary words can be guessed by automated tools.

  • Google provides a useful guide to creating strong passwords.
  • Loginizer is a free plugin you can use to prevent automated password guessing attempts.
  • Wordfence also prevents automated password guessing attempts, and more.

Stay Updated

Always run the latest versions of WordPress, your theme and plugins. This way you can be sure any security related updates that have been made are applied to your site. WordPress has one-click updates to make this easy.

  • WordPress by default automatically updates itself when a minor release is made. Minor releases address security issues, so this is very helpful.
  • Companion Auto Update can automatically update plugins for you or you can set it to email you when new updates are available. Some web hosts can auto-update your plugins as well, so check with yours.
  • Wordfence will also send you an email when a plugin or theme needs to be updated.

See our guide on Updates for more information.

Make Backups

Every website should be backed up on a regular basis. This way if something ever does happen, you’re covered. You can restore your site. Read our recommendations for Backup Solutions. Many hosts will do this automatically and there are also useful plugins to handle backups.

Enable HTTPS / SSL

Every website should use https:// instead of http://. You can make this switch by installing a free SSL certificate. Most hosts these days provide free SSL certificates.

Extra Protection

It is usually enough to use strong passwords and keep WordPress, plugins and themes up to date. However, if you want an extra layer of protection, consider the Wordfence plugin. It is cost-effective (free to $99/year) and easy to use plugin that automatically blocks attacks on your website.

More Information