How to keep your WordPress site secure

Written by Tom Greenwood - May 23, 2012

It is a sad fact that we live in a world where there are people who set out to damage other people's websites or hijack them for their own commercial or political gain.  The possibility of having your website hacked is becoming an increasingly big worry for many website owners, and it is understandable that you want to be confident that your WordPress site is secure.

There are many ways to hack a website and it can happen to any website using any CMS.  To combat this risk, WordPress releases regular security updates in an attempt to stay one step ahead of hackers, but there is an inherent risk with any open source system, since the code is available for hackers to study and they can therefore more easily identify loopholes.

So what can you do to ensure that your WordPress site is secure?

There are a few basic rules and pieces of advice that you should adhere to:

  1. Use a secure password (for FTP/cPanel as well as WordPress)
  2. Log off public computers
  3. Only share your login details with people that you trust
  4. Update your passwords regularly

WordPress Specific Security Measures

  1. Keep WordPress up to date.  WordPress regularly releases security updates to make your site more robust.  If you are running an old version, then there may well be a known security loophole in your site that could easily be avoided.
  2. Keep your plugins up to date.  Just like the WordPress core, plugins also get updated regularly, sometimes to remove security issues found in previous versions.  So always upgrade to the latest version.
  3. Keep your theme up to date.  As above, but in the case of themes you might well have a custom designed theme.  In this case, check whether any open source tools have been used in the theme, such as timthumb.php, and then check if these have security updates available.
  4. Only use plugins that you trust.  Plugins from the WordPress plugin directory are monitored for security issues and are also subject to user ratings by the WordPress community.  However, if you buy a plugin from another website then you need to do your research to check that it is trustworthy.
  5. Hide the version number of your WordPress installation.  The source code of a WordPress site states which version you are running.  Some hackers scan the web for sites with specific version numbers that they know they can hack, so if you hide the version number you can fly under their radar.
  6. When you install WordPress, choose an admin username other than ‘admin’.  Since hackers know that ‘admin’ is the default username, they only need to crack the password to get into your site, rather than needing a username and password combination.
  7. Use a security plugin like Better WP Security to add an extra layer of protection.
  8. Use a secure host for your website.  Some hosting companies have extremely tough security systems while others have virtually none, so do your research and check that yours provides sufficient protection.
  9. Take regular backups.  This can be achieved using a backup plugin like BackupBuddy, or as a service offered by your web host.  It won’t stop you getting hacked, but it will allow you to get back up and running quickly in the event of a breach.
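Points 5 and 6 above can both be applied with a few lines of PHP. The following is an added example written for this article, not code from WordPress or from any plugin mentioned here. It is meant to be dropped into `wp-content/mu-plugins/` as a must-use plugin, so it loads on every request without being activated. The file name, the `example_` function prefix and the error message text are my own choices; the hooks and helper functions used (`wp_generator`, `the_generator`, `style_loader_src`, `script_loader_src`, `authenticate`, `remove_query_arg`, `get_bloginfo`) are standard WordPress APIs.

```php
<?php
/*
Plugin Name: Example hardening (version hiding and 'admin' login block)
Description: Added example for the article above, not part of WordPress itself.
*/

// --- Point 5: hide the WordPress version number ---------------------------

// Remove the <meta name="generator" content="WordPress x.y.z"> tag from <head>.
remove_action('wp_head', 'wp_generator');

// The same version string is printed into RSS/Atom feeds via the_generator();
// blank it there too.
add_filter('the_generator', '__return_empty_string');

// Core scripts and styles are enqueued with ?ver=x.y.z appended, which leaks
// the version just as clearly as the meta tag. Strip the argument only when it
// equals the core version, so plugins and themes keep their own cache-busting
// version strings.
function example_strip_core_version($src) {
    $query = parse_url($src, PHP_URL_QUERY);
    if ($query) {
        parse_str($query, $args);
        if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
            $src = remove_query_arg('ver', $src);
        }
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_core_version', 10, 1);
add_filter('script_loader_src', 'example_strip_core_version', 10, 1);

// --- Point 6: refuse the default 'admin' username at login ----------------

// For a site that was installed with 'admin', create a new administrator
// account first, delete the old one (attributing its posts to the new user),
// and then this filter makes sure a login attempt for 'admin' fails before
// the password is ever checked. Priority 30 runs after WordPress's own
// username/password check (priority 20), so our WP_Error overrides it.
function example_block_admin_username($user, $username, $password) {
    if (strtolower(trim((string) $username)) === 'admin') {
        return new WP_Error(
            'example_blocked_username',
            __('This username cannot be used to log in.')
        );
    }
    return $user;
}
add_filter('authenticate', 'example_block_admin_username', 30, 3);
```

After installing it, view the page source of your home page and confirm that the `generator` meta tag is gone and that core assets such as `wp-includes/js/jquery/jquery.js` no longer carry a `?ver=` argument. Note that the `readme.html` file in the WordPress root also states the version, so delete it or block access to it in your web server configuration; and remember that hiding the version is a complement to point 1, not a substitute for actually installing the update.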

All of the above steps are simple and don’t take much effort to implement, and by doing so you can sleep easy at night knowing that there is minimal risk of your website being hacked.

If you have more WordPress security tips to share, feel free to leave them as a comment.