How To Keep Your WordPress Website Secure

This post was last updated on May 19th, 2023


Web technology and threats are rapidly changing

As web technologies continue to evolve at breakneck speed, the threats faced by website owners can be difficult to keep up with. It’s crucial to adapt to these threats to keep your WordPress website secure and to protect your private information and your users.

For over 12 years, OlyWeb has been helping clients keep their sites and online presence secure by developing sites using security best practices and providing hosting with the highest industry standards in security. The most crucial steps, though, come down to the client making smart choices with their online presence.

The best recommendations to keep your WordPress website secure

We want to share what we’ve learned and the best ways you can make sure your website stays secure. We’ll cover the top recommendations from security experts to help you navigate developing online threats and protect your website and personal data.

1. Use a strong password to access your site.

Protecting your site from malicious parties starts with a strong password. 30% of internet users have experienced a data breach due to a weak password (GoodFirms). Two-thirds of Americans use the same password across multiple accounts (Google, Harris Poll). The most commonly used password is “123456” (Cybernews).

With so many internet users getting this wrong, let’s start with what makes a password strong in the first place.

What’s considered a strong password?

  1. It’s long: The password should be at least 12 characters long, but the longer you can make it the better. You can use a sentence or favorite quote to help you increase length.
  2. It’s unique: Your password should be different for every account you have, so that if the password for one account is compromised, your other accounts won’t be in jeopardy.
  3. It’s complex: A strong password should contain a mix of uppercase and lowercase letters, numbers, and special characters (such as !, @, #, $, %, etc.).
  4. It’s unpredictable: Avoid using common words or easily guessable information about yourself such as your name, birthdate, or child’s name. Instead, use a combination of random words or phrases. Also avoid variations of the same password like Evergreen2023 and Evergreen2022, and predictable patterns like 12345 and asdfg.
  5. It’s changed regularly: Changing your password regularly greatly increases security. Changing your password every three months is the standard recommended by cybersecurity experts.

A strong password should be difficult for others to guess, but that also makes it hard to remember! That’s why we always recommend using a well-established password manager to manage your credentials.

Pro Tip: Use a password manager

Although password managers have their own drawbacks, they still provide a much greater level of security than trying to remember all of your passwords and inevitably resorting to weak or reused passwords on your accounts.

Not all password managers are alike though! Our personal top picks are 1Password and Bitwarden. If you’d like to learn more, here is a great article on CNET on the Best Password Managers in 2023.

2. Limit the number of admin accounts on your site.

Does your WordPress site have too many administrator accounts? Because administrator accounts have access to all site settings, they are a prime target for hackers. The more admin user accounts on your site, the greater the chance that one of them could be compromised.

In your website dashboard, go to the Users tab to see who has admin access. From there you can change a user’s role to one with less access or remove users who no longer need access.

3. Only use trustworthy and well-maintained plugins on your site.

When we initially build websites we always vet all third-party plugins to make sure they’re well-rated and well-supported by their original developer. WordPress makes this easier for you, as its catalog of available plugins includes reviews, compatibility warnings, and recent updates.

Picture of WordPress plugin with arrows pointing to positive reviews and recent updates.

In general, you want a plugin that has a four-star or higher rating, was updated within the last 6 months and, of course, is compatible with your current version of WordPress. You can see all of this information in the plugin’s listing in the WordPress plugins catalog or in the Plugins section of your dashboard under Add New.

If your site is more than a few years old, it could have plugins that are no longer maintained by their developers, and those can pose a serious risk to your site. Reviewing these older plugins on a regular basis is a good idea.

At OlyWeb, our hosting platform automatically scans all plugins on hosted sites, alerting us to any security risks so our team can install updates or address the issue immediately. If you’re not sure about the status of the plugins on your WordPress site, feel free to reach out to our team and we’ll be happy to help with any questions you have.

4. Regularly update your computer and other devices you use to access your website.

It’s important that the operating systems and programs you use to access your website are up to date as well. Most desktop and mobile operating systems have automated this process for their users, but if you’re not sure, reach out to the support team for the maker of your device to ensure updates are happening regularly.

5. Make sure antivirus software is installed and active on all your devices.

Hacking threats are continually evolving and target all types of computers and mobile devices. That’s why it’s important to have antivirus software installed on everything you use to access the internet.

If you’re not sure whether your computer or device has antivirus installed, visit your device’s app store to see what options are available for antivirus protection.

6. Be vigilant against scams and phishing attempts.

Look for a new blog post soon covering Common Scams and Phishing Attempts you and your team should be on the lookout for. Stay Tuned!

Is your WordPress site hosting secure?

You can implement every safe practice listed above, but if your WordPress hosting isn’t secure to begin with, all of that hard work will be for nothing. Choosing a full-featured hosting provider should be your first priority for keeping your WordPress website secure.

Below are the best practices your hosting provider should be following; they are also what OlyWeb currently offers our hosting clients. If you’re interested in secure WordPress hosting, you can learn more about what we offer here: Managed WordPress Hosting.

Features your WordPress host should be providing:

  1. Regularly Updating WordPress Core and Third-Party Plugins
    WordPress has an automated background updates feature that allows plugins, themes and WordPress core to update automatically, and most hosts have this turned on for their sites. This sounds great until the latest plugin update crashes your site.

    On our hosting platform we take care of this with a daily update and testing cycle, making sure all updates are applied without error. If our system sees an error caused by an update, it instantly rolls the update back so we can find a fix before reapplying it.
  2. Scanning all files on your site for malware and security flaws
    It’s important to have ongoing threat monitoring that includes not only server-side scanning for malware and security flaws but also monitoring for malicious activity.

    We use WPEngine’s robust server-side scanner and plugin monitor along with Sucuri Security, which monitors all sites for unauthorized file changes or suspicious activity. Combined, these two greatly reduce the potential for successful hacking attempts and unaddressed vulnerabilities.
  3. Blocking hacking and spam attacks on your site with a strong firewall
    Beyond the internal file system, there is the constant threat of external attacks on sites and networks. Your hosting platform should have a strong firewall to protect against a variety of attacks.

    All of our sites are protected by WPEngine’s robust firewall that monitors and blocks malicious traffic, enumeration attempts (password guessing) and other threats like brute force attacks.
  4. Backing up your site daily
    What if you accidentally delete content or crash your site in a way that can’t be quickly fixed? Many hosts don’t regularly back up sites, which can leave your site down for prolonged periods.

    At OlyWeb, our sites are backed up nightly and can be instantly restored if anything goes wrong. We also keep backups for 30 days, giving our clients extra coverage.
  5. Enforcing strong passwords for all users of your site
    As mentioned, your site should require a strong password by default for all users and have a built-in strong password generator to help with changing your password through the dashboard.

    This is standard on all of our sites and is enforced through must-use plugins.
  6. Securing all traffic to your site with an SSL certificate
    Most hosting plans include free SSL certificates that can be installed for your site either by you or by the hosting company. This encrypts data between visitors and your website, providing an additional layer of security that is important for safely entering passwords, submitting private information in forms, and processing credit cards.

    We install this automatically for all of our clients at no cost and no extra setup required.
  7. 24/7 Downtime Monitoring
    What if your site goes down at 3am and you don’t notice? Hosting companies don’t monitor this, so if your site goes down it’s up to you to catch it.

    At OlyWeb, we monitor all sites 24/7 for possible downtime. Our system accesses your site every hour to see if it is loading correctly, and if it receives a loading error, we’re immediately alerted and able to find a fix for you.
  8. Regular checks on your site from our team and much more!
    Although we have many automated processes to keep your site secure, automation can’t replace a real person interacting with your site and checking that everything is working as it should.

    Even if there are no error reports, we make sure to log into your site every few weeks to do a visual check of the site and its main pages and confirm everything is running as it should.
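To show how the password rules from section 1 can be enforced “through must-use plugins” as item 5 describes, here is an added example (not OlyWeb’s code and not the plugin they use): a single-file mu-plugin that rejects a new password failing those rules. The function names and file path are illustrative, and it assumes PHP 7.0 or later.

```php
<?php
/**
 * Plugin Name: Example Strong Password Policy
 * Description: Added example, not OlyWeb's code. Save as wp-content/mu-plugins/example-password-policy.php.
 */
// Returns the policy violations for $password (empty array = passes); $personal_words are guessable values such as the login name.
function example_password_problems( string $password, array $personal_words = array() ): array {
	$problems = array();
	if ( strlen( $password ) < 12 ) {
		$problems[] = 'Password must be at least 12 characters long.';
	}
	// Complexity: all four character classes must appear.
	$classes = 0;
	foreach ( array( '/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^A-Za-z0-9]/' ) as $class ) {
		$classes += preg_match( $class, $password );
	}
	if ( $classes < 4 ) {
		$problems[] = 'Password must mix uppercase, lowercase, numbers and special characters.';
	}
	// Predictability: keyboard/numeric runs, and one word followed by a year (Evergreen2023).
	if ( preg_match( '/12345|asdfg|qwerty|password/i', $password ) ) {
		$problems[] = 'Password contains a predictable sequence.';
	}
	if ( preg_match( '/^[A-Za-z]+(19|20)\d{2}[^A-Za-z0-9]*$/', $password ) ) {
		$problems[] = 'A word followed by a year is easy to guess; avoid dated variations of one password.';
	}
	foreach ( $personal_words as $word ) {
		if ( strlen( $word ) >= 4 && false !== stripos( $password, $word ) ) {
			$problems[] = 'Password must not contain your username or name.';
			break;
		}
	}
	return $problems;
}
// Fires when a profile is saved or a user is created in wp-admin; reused below for password resets.
function example_enforce_password_policy( WP_Error $errors, $update, $user ) {
	if ( empty( $_POST['pass1'] ) ) {
		return; // No new password submitted, so nothing to check.
	}
	$password = wp_unslash( $_POST['pass1'] );
	$words    = array_filter( array( $user->user_login ?? '', $user->display_name ?? '' ) );
	foreach ( example_password_problems( $password, $words ) as $problem ) {
		$errors->add( 'weak_password', $problem );
	}
}
add_action( 'user_profile_update_errors', 'example_enforce_password_policy', 10, 3 );
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
	example_enforce_password_policy( $errors, true, $user );
}, 10, 2 );
```

WordPress loads every PHP file in wp-content/mu-plugins automatically, so no activation step is needed and users cannot deactivate it from the dashboard; the errors added here are shown on the profile, Add New User and reset-password screens.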

We’re always finding ways to improve security for all of our hosting clients and keep their WordPress websites secure. If you have any questions about our services, feel free to send us a message!