5 Tips to Keep Your WP Website More Secure

Five to ten years ago, website owners didn’t have to think very much about security. We’ve come a long way since then, and now that DIY content management tools are becoming commonplace, there has been a marked increase in neglected or incorrectly configured WordPress sites becoming targets for hackers and malware.

If it’s not obvious – “malware” is really bad news for a website. If left for too long, an infection of this sort can take down an entire website and render it irreparable. In addition, it can affect that website’s search engine ranking, causing you to lose business!

Fortunately, there are a few security tricks to make it more difficult for malware or hackers to infiltrate your website.

Tip 1: Regularly Back Up, Update and Maintain Your Site

Would you allow years to pass without tuning your piano? Just like any musical instrument, a website requires regular maintenance in order to function properly. Neglecting regular maintenance can have disastrous results on a WordPress website – the same way your piano soundboard can become irreparable if you do not regularly take care of it.

Back Up Your Website Regularly

Many good website hosts offer automated regular backups as part of their service or for a small monthly fee. I personally also prefer to keep backups of my websites stored on my own computer. That way they are easily accessible if something happens over at your hosting company.

Learn How to Properly Back Up a WordPress Site

Update Your WordPress Installation, Theme, and Plugins Regularly

The WordPress team and the community of developers working in WordPress are actually pretty great about identifying security holes and quickly patching them.


When you log in to your WordPress dashboard and you see “an update is available” – stop ignoring it!  This means that a security threat has been found and repaired within the software and doing the update will help patch that open hole.  It only takes a few clicks to update your website.

It’s kind of the same thing as doing your Windows Updates if you have a PC (psst…you should never ignore those, either!)

Important Note: Always make a backup prior to updating.
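
An added example (not from the original post) of the backup-then-update order described above: updates run only after a database dump and a file archive both succeed. It assumes WP-CLI is installed as `wp`; the function name and the two directory arguments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes WP-CLI is installed as `wp`.
# backup_then_update and its two directory arguments are hypothetical names.
# Usage: backup_then_update /var/www/example-site /home/me/wp-backups

backup_then_update() {
    site_dir=$1      # WordPress root (the folder containing wp-config.php)
    backup_dir=$2    # keep this outside the web root so backups cannot be downloaded
    dest="$backup_dir/$(date +%Y%m%d-%H%M%S)"

    mkdir -p "$dest" || return 1
    chmod 700 "$dest"    # the dump holds user records and password hashes

    # 1. Database dump. WP-CLI output goes to stderr so stdout stays clean.
    wp --path="$site_dir" db export "$dest/database.sql" >&2 || {
        echo "database export failed; nothing was updated" >&2
        return 1
    }

    # 2. Files: core, themes, plugins, uploads and wp-config.php.
    tar -czf "$dest/files.tar.gz" -C "$site_dir" . || {
        echo "file archive failed; nothing was updated" >&2
        return 1
    }

    # Refuse to update on top of an empty backup.
    if [ ! -s "$dest/database.sql" ] || [ ! -s "$dest/files.tar.gz" ]; then
        echo "backup is empty; nothing was updated" >&2
        return 1
    fi

    # 3. Only now apply updates: core first, then plugins and themes.
    wp --path="$site_dir" core update >&2 &&
    wp --path="$site_dir" plugin update --all >&2 &&
    wp --path="$site_dir" theme update --all >&2 || {
        echo "an update failed; restore from $dest" >&2
        return 2
    }

    echo "$dest"    # print the backup location for the caller
}
```

The function prints the backup folder on success, so a failed update can be rolled back from a known location.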

Tip 2: Ease off the Plugins!

Plugins are third-party services commonly used to add functionality such as contact forms, slideshows, SEO, or to “speed up” your website. If you have more than 4-5 plugins installed on your website, you might be suffering from a very common addiction to plugins.

They may seem harmless and innocent; however, plugins are actually one of the most common ways malware waltzes right on in. Repairing a site once a malware infection happens is nothing like playing Strauss!

When you install plugins, you give them permission to access your database and install files and information to your server. It’s important to only use plugins which are necessary to the function of your website.

Before adding any plugin, consider the following:

  • Do I REALLY need this plugin?
  • Is the plugin coming from a legitimate, reliable source?

If you already have a bunch of plugins installed, consider removing and deleting the unnecessary plugins within your dashboard.

Tip 3: Choose a Reputable Hosting Service

There are a multitude of reasons why you should do your research before committing to a website host. Security is one of the main reasons!

If you can afford it, I recommend choosing dedicated hosting over shared hosting, and if possible, choosing a host who regularly monitors the security of your website.

Note: If you are unhappy with your web host, there are ways to move; however, this is not a process to attempt on your own unless you are knowledgeable about it – hire a web developer to help you!

Tip 4: Make Your Passwords Secure

A lot of people do not even realize this, but there are actually FIVE passwords that you need to make sure to keep secure when you have a WordPress website.

Your Main Hosting Account Password

This is the master key to your hosting account. Anyone with access to this can make changes to your account (which includes your FTP, MySQL, and even your e-mail account if it is hosted in the same area). They can even make purchases if you have your credit card information stored in your hosting account. Make this password the most secure of all.

Your E-Mail Password

If someone has access to your main e-mail account, they could potentially reset any of your other passwords. Make sure to have a very secure e-mail password and to change it from time to time if you feel it may have been compromised.

Your FTP Password

“FTP” stands for “File Transfer Protocol” and this is usually the main method to access the location in which WordPress and any WordPress themes are stored.

Anyone with access to this can change the design of your website – and anyone knowledgeable enough about WordPress can also figure out how to access your MySQL database. This password is easily changeable in most hosting situations. It’s also important to have as few FTP users as necessary – and to give those users access only to the folders they need to do their job.

Your MySQL Database Password

While this is the least likely part of a WordPress installation to be compromised because it is by nature the most secure part of the system, it is also the most important because this is where all of the data for your website is stored. Once a MySQL database has been hacked or infected, it is very difficult to return the website to its previous, healthy version (unless you have a backup!)

If you are manually installing WordPress, make sure to create a good password for this. Some web hosts have “one click” installations, in which case, the password will be generated for you without you having to worry about this step.

Note: If you already have an existing WordPress website, absolutely do not change the password to your MySQL database without consulting a professional. It will cause your site to stop working. There are certain specific steps that must be taken prior to changing this password. Consult a professional WordPress developer to assist you.

Your WordPress Admin Password

This is the password that allows you to log in to your WordPress dashboard from a browser. Luckily, WordPress has a great built-in password generator now, or you can type in your own and see how strong it is from their indicator!

Password Tips: Do not use any variation of your name, your birthday, the city you live in, your pet, or a word that is easy to guess. It truly is a complete pain to try to remember a complicated password, but it is worth it in the long run if you care about your information’s privacy. There is a great program called LastPass that you can use to store passwords securely.

Tip 5: Hire a Professional To Maintain Your Website

A lot of us want to be able to do everything ourselves, but the truth of the matter is that sometimes it is worth it to hire an expert to handle things for you.

If you have the budget, it doesn’t hurt to utilize a professional web developer who is an expert at WordPress to help you maintain your website.