Site Security: How to Keep Your WordPress Site Safe

February 21, 2020

Kerrie Ashall

It’s a sobering fact: Google blacklists tens of thousands of sites every single day for malware or phishing. Getting hacked is something many of us would like to believe can’t really happen. But if you own a website, it’s your responsibility to make sure you’re up to date with site security.

Why WordPress, specifically? Simply, it’s the biggest CMS (content management system), arguably the most popular (28% of all global websites are WordPress hosted, with 60% market share!) and the best platform we know of for optimising SEO.

But hackers can interfere and seriously damage your business reputation, jeopardising your revenue or even stealing customer information. Though WordPress is pretty secure already, you can always reduce risk, even if it seems a little intimidating and you’re not 100% tech-savvy. Here we’re sharing our 10 must-have safety tips as a great place to start.

Keep WordPress updated, and back up, back up, back up!

WordPress is open source and will automatically install smaller updates, but needs your say-so to go ahead with more major ones. Make a habit to install updates diligently, including any third-party plug-ins or themes.

And, as always, regularly do backups. There are free WordPress plugins that will help you backup to a remote cloud location such as Amazon or Dropbox on a (at minimum) daily basis.

Use strong passwords

Take the time to change to stronger passwords across the board. Limit who can access the account (think guest posters or freelancers) and if you must, use a password manager and commit to regularly refreshing passwords.

While you’re at it, change the default “admin” username!

Change your WordPress Admin URL

A simple but effective way to discourage minor hacking. If you’re worried about compatibility issues, you can always use a separate plugin to hide your login URL and convert it to a personalised one.

Rethink your WordPress hosting service

The right shared hosting provider can shield you from significant risk at the backend, on the server-level. Consider Bluehost, Kinsta or Siteground, which will continuously monitor activity, offer automatic updates and provide more sophisticated protection. A good host can detect attacks and automatically ban suspicious IPs, but also offer support in worst case scenarios.

Use a plugin

It’s not enough to rely on built-in WordPress security mechanisms. Yes, you’ll have to pay for these (sometimes quite a bit) but it’s worth taking the time to understand exactly the functionality you’ll get, and whether it’s appropriate for your site and business.

Security Ninja, Google Authenticator, Vaultpress and Jetpack are all popular options and will monitor your files, record failed logins, blocks bots and spam, or scan for malware. Sucuri is also a great option for those wanting a free plugin. Chat with your SEO team to hone in on what’s most important to you – easy to use interface, value for money, simplicity, two-factor authentication or an advanced, comprehensive solution?

Choose HTTPS

If this is not installed, then you run the risk of sharing your login details. When submitted on HTTP your sensitive information is simply passed to the server in plain text and so can be intercepted. Enable SSL encryption (Secure Sockets Layer) and use HTTPS when possible.

Enable WAF (Web Application Firewall)

A firewall blocks suspicious traffic before it can do any damage; there are two main types – DNS level or application level, the former being a little more robust. DNS firewalls send your site traffic through a cloud proxy server first so only genuine visitors land up at your site.

Disable file editing

WordPress has a default code-editor that lets anyone tweak the themes and plugins from the admin dashboard – an obvious risk when it comes to hacking. Disable it with a simple addition of code.

Limit failed login attempts to 3

WordPress default is unlimited failed logins, giving hackers endless time to guess. Instead, visit Settings > Login Lockdown and choose the retry number, the retry time period and the period your site will lock for after that. You could alternatively consider a plugin for this.

Also consider automatically logging out idle users, and add security questions to your login screen.

Change your WordPress database prefix

The default is “wp_” but change it to something that’s less easy for hackers to guess your table name.

For those starting out, or the self-confessed tech-phobes among us, tightening up online security can seem like an daunting prospect. Luckily, there’s plenty of support available and our experts at Fibre are always at hand to answer your questions. Don’t be afraid to experiment. Take it a step at a time and put yourself in the shoes of someone trying to get in – how can you make it as difficult as possible?

Recent Work

  • Glide

    The Glide group is the UK’s market-leader in household utilities, broadband, connectivity and communications.

  • The Fry Group

    Established in 1898, the experts at The Fry Group assist expats based in the UK, Europe, and the Far East with all aspects of their financial planning.

  • Helping Hands Home Care

    The team at Fibre are absolute experts in SEO. Working together we have dramatically improved SEO performance particularly at a local level.


Ready to get started?