Rocket Squirrel Rocket Squirrel
Rocket Squirrel

A global community of coders, developers, and designers

July 2024


5 security tips for running a WordPress site

for every WordPress beginner

Darren PinderDarren Pinder

We love WordPress. There are so many reasons to use it, whether you’re an individual blogger or a large company looking for a stable content publishing platform. From it’s excellent editing capabilities, to the extensive library of over 37,000 free plugins in the WordPress directory (plus countless more hosted elsewhere), the many themes and frameworks available, it has proven to be a fantastic and secure addition to the online publisher’s toolbox.

Whoa, whoa, hold up. WordPress is terrible for security, it’s open source!

WordPress, like many publishing platforms, is open source. Many people believe this makes it insecure, because its source code is freely available to anyone to view. And while it’s true, that this does mean anyone can see how WordPress works and look for vulnerabilities, the fact that it is open source is also what saves the platform from constant breaches.

You see, certain-minded people try to break into proprietary software as well as open source software. Just because something is open source, doesn’t mean hackers will attempt to compromise it at the expense of proprietary software.

On the contrary, being open source gives WordPress a distinct advantage over proprietary. There are thousands of active WordPress community members, not to mention the hundreds of thousands (if not millions) of web developers and software engineers, a lot of whom regularly use WordPress and provide feedback – either manually or autonomously via anonymous-feedback plugins – to the folks that help make WordPress secure. And when a vulnerability is found, it can usually be identified, coded against, and that code can be distributed via WordPress’ wonderful update system much faster than a small team of developers hidden away in Silicon Valley can with some proprietary gear.

How to secure WordPress

There are a number of things every web developer should do to secure their WordPress installations. Information about this is covered in numerous places, like the WordPress Codex, plus numerous tutorials (like herehere, and here).

But today I’m not looking at what web developers should be doing. Instead this post is geared towards you, small business owner. We have a number of clients who have WordPress websites we have set up, but security doesn’t begin and end with us, it also extends to the website owner, and anyone who uses it on a day-to-day basis to carry out their business operations.

These top 5 tips are geared towards you, so there won’t be (much) technical talk. Plus if you have any questions, just leave us a comment below!

1. Secure passwords

The first tip for securing your WordPress site would be about using secure passwords. There’s a lot of confusion about what constitutes a secure password, with many websites seemingly giving contradicting information, like it must be 13 characters long, contain numbers, letters, symbols, and a haiku. However what many people fail to realise is that complexity over length is not the way to go. It is in fact, preferable for length over complexity.

Let me show you what I mean. You’d assume that john123 is a weaker password than 897mj3″ correct? Well you’d be right, but the more complex password isn’t exactly hack-proof.

Let’s take a look at How Secure Is My Password, a really handy site that brings this point home. If we enter john123, it informs us that password would be guessed instantly. Fair enough. If we enter 897mj3″ it says 6 minutes. Now 6 minutes is better than instantly, but we can do better than that. Let’s aim for something which is both complex but also quite long. In a recent interview with John Oliver, Edward Snowden gave the rather memorable example of a great password: MargaretThatcherIs110%Sexy. Hardly something you’re likely to forget, is it? And according to the password checker, it would take 88 nonillion years to break it (that’s 88,000,000,000,000,000,000,000,000,000,000 years). So next time you need a secure password, shoot for length first, and add a little complexity afterwards.

2. Keeping WordPress and plugins up-to-date

This one is probably the most important tip of all. Keeping the WordPress core and all plugins up to date is essential for site security.

It’s almost every month that news of a new vulnerability is found in some plugin widely used in the WordPress community. Often these are down to mistakes made during the coding practice of plugins, but they are often resolved quickly and an update is usually available when news breaks of the vulnerability.

It’s worth speaking to your web developer / agency before you actively update sites yourself, as there is some inherent risk in doing this. If your web devs have made changes to the WordPress core (which they really, really shouldn’t have done) or have made changes to plugin code (which they shouldn’t really have done, but it’s more excusable in some cases), then updating either of these could overwrite their changes. Likewise if a plugin has changed it’s minimum PHP requirements for example, and your server is running an old version of PHP, the plugin may not work altogether.

While we’re on the topic of minimum requirements, it’s also a good idea not to install plugins that haven’t been updated for some time. Anything that hasn’t been updated for at least 6 months could be a security risk, and avoid anything that isn’t stated explicitly as being compatible with your current version of WordPress – it’s a dead give-away that the plugin code isn’t maintained.

Realistically, your web development team should have a plain in place to manage upgrades, but if they don’t, you need to ask them about the safest way for you to upgrade WordPress and plugins. We’re happy to say that our clients enjoy the benefit of having us take care of all their site security, backups, and upgrades automatically, meaning they don’t have to worry about it.

3. Keep your computer free of malware

This tip is a bit of a bog-standard one, and if you’re not doing it already, you need to spend some time today making sure your computer is clean. If you have some malware installed on your computer, then it could very well be keylogging everything you type, which could include your WordPress admin login details. It could also include your online banking details, so you see why it’s so important to check?

I’m often asked which anti-virus or anti-malware software I recommend, and currently I’m happy to recommend Microsoft’s Security Essentials, as well as Malwarebytes Anti-Malware.

4. Don’t use the admin user account

Hopefully this one was dealt with by your web developer during set up, but using the admin account is a bad idea. Generally people who try to brute force their way into WordPress sites always try to target the admin account first, because it’s set up by default. So the best idea is to create a new Administrator user account (that does not use “admin”, or your site name, or anything remotely related to your site name as the username), and delete the Admin account. This is safer to do on new installations on WordPress, but if you want to do this on your existing site, it’s always a good idea to give your web developer a shout and get them to do it – making a mistake could accidentally delete content!

5. Leverage plugins to keep your site secure

I can’t stress how important it is that you take site security seriously. Fortunately there are a number of great plugins out there that can help with this! We recommend Wordfence or Sucuri for firewalls, malware scanning, and post-hack recovery. They have similar overlapping features, but also slightly different, and both have their fanbases. There are also numerous plugins available to take automated backups of your database, which I highly recommend you do. Whilst I don’t recomemend any particular plugin for this (as we use ManageWP for our sites), there are a lot of good options out there.

Is there a security tip you think we’ve forgotten? Have any questions about the points made above? Leave a comment below!

Owner of Vatu Ltd and Raccoon Events. Organiser at WordCamp London. Into space, code, and running.

Comments 1
  • Crixu
    Posted on

    Crixu Crixu

    Great post Darren. I would also add to never give away the admin credentials.
    I had a lot of customer which had trouble with some WordPress Theme or Plugin. Instead of creating a new user just for me which can be deactivatet i just got the plain password to the admin user account and some didn’t even changed their password after i was finished.