12 Most Important Tips To Improve WordPress Security

Recently, WPTemplate shared an infographic on WordPress security issues. The figures were shocking. Each year, thousands of websites are compromised, and the numbers keep increasing.

In 2012, more than 170,000 WordPress sites were hacked, and that’s crazy!

The million dollar question could easily be, “Are you doing enough when it comes to securing your website?”

Safety and Security of WordPress Blog

Source: WordPress Templates

So, what can you do to improve your WordPress security?

Did you notice that two of the biggest contributors to WordPress security problems are hosting companies and WordPress themes? And heck, most of us thought that WordPress security problems were always associated with weak passwords.

WordPress is one of the biggest blogging platforms in the world, so it is nothing new that it is targeted by hackers every single day.

That being said, you should not take WordPress security for granted, and you should act now.

Yes mate, right now … by doing these easy steps!

1. Practice frequent updates

When was the last time you upgraded your WordPress or plugins? Usually, the latest updates are the ones that have security patches or even newer features. If you have yet to get them updated, do it now. It won’t take you more than 5 minutes.

At least, do it for the sake of your website security. Seriously!

2. Perform housekeeping and clean up on your website regularly

Good website maintenance could keep hackers away

Safety first when it comes to website security

Do you know that it is best to delete or uninstall the unwanted plugins you have on your database? Yes, even though they have been deactivated, you should … and by all means remove them immediately. Having fewer plugins also provides better website loading speed and, not to forget, a better experience for readers as well.

The main reason is that there are many plugins which might pose a threat, especially to WordPress. You have to remember that even though you might have deactivated them, they are still accessible in your website database.

3. Avoid using Admin username

This is the same mistake everyone makes. You should never use Admin as your administrator ID. I know some WordPress sites advise users to create an Admin username without any administrator access. For me, it is best to leave Admin untouched.

The first thing a hacker would try is to brute force the login using the Admin or Administrator ID. If you are using either one of those usernames, then you are basically making their life (of hacking) easier!

It is always best to have a mixture of words, symbols and numbers. Of course, you can further boost your WordPress security by adding capital letters as well.

4. Turn off membership registration

Controlling the number of registrations could easily avoid hackers

Proper ‘security check’ for members is vital to improve your WordPress security

Yes, I don’t allow open registration at all for my sites. Instead, I’ll manually add members myself. This is to ensure that I have complete control over security matters. Small security actions go a long, long way when it comes to securing your WordPress site.

If everyone is able to register on your site freely, then you might have a problem when you find spam bots and potential hackers trying to break the website’s security.

I truly understand that adding members manually might be a real pain, but it is worth it for those who really care about security matters. Of course, if you are running a big company, use WordPress and have a full list of members, Premise might be the best WordPress membership option for you.

5. Changing table prefix

This is one hell of an efficient method when it comes to WordPress security. The Better WP Security plugin makes it sound easy with just a press of a button. No, it isn’t that easy!

You have got to learn how to change the prefix correctly or else you are going to destroy your website … literally. I changed it the last round and I accidentally ‘destroyed’ my theme. Ouch!
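What a correct prefix change has to touch, as an added example (not code from this post or from Better WP Security). The function names, the sample table list and the new prefix `k7x_` are made up here, and it assumes a standard single-site WordPress schema.

```python
import re

# Assumption: a single-site WordPress install with the standard schema, where
# the prefix is embedded in the {prefix}user_roles row of the options table and
# in per-user meta keys ({prefix}capabilities, ...), not only in table names.

def like_escape(prefix):
    """Make '_' literal in a MySQL LIKE pattern (unescaped, it matches any character)."""
    return prefix.replace("_", "\\_")

def prefix_migration_sql(tables, old, new):
    """Return MySQL statements that move a site from prefix `old` to `new`.

    `tables` is the SHOW TABLES output. Tables that do not start with `old`
    (for example another application sharing the database) are left alone.
    """
    for p in (old, new):
        # Prefixes are spliced into SQL text, so accept identifier characters only.
        if not re.fullmatch(r"[A-Za-z0-9_]+", p):
            raise ValueError(f"unsafe table prefix: {p!r}")
    if old == new:
        raise ValueError("new prefix must differ from the old one")

    ours = [t for t in tables if t.startswith(old)]
    for core in ("options", "usermeta"):
        if old + core not in ours:
            raise ValueError(f"{old}{core} not found; is the old prefix right?")
    targets = [new + t[len(old):] for t in ours]
    clashes = sorted(set(targets) & set(tables))
    if clashes:
        raise ValueError(f"target tables already exist: {clashes}")

    renames = ", ".join(f"`{t}` TO `{n}`" for t, n in zip(ours, targets))
    cut = len(old) + 1  # SUBSTRING() is 1-based: first character after the prefix
    return [
        f"RENAME TABLE {renames};",
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';",
        f"UPDATE `{new}usermeta` "
        f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {cut})) "
        f"WHERE meta_key LIKE '{like_escape(old)}%';",
    ]

# Constructed sample: a small site plus an unrelated table in the same database.
SAMPLE_TABLES = ["wp_options", "wp_posts", "wp_usermeta", "wp_users", "shop_orders"]

if __name__ == "__main__":
    for stmt in prefix_migration_sql(SAMPLE_TABLES, "wp_", "k7x_"):
        print(stmt)
    # Last step, outside the database: the matching line in wp-config.php.
    print("$table_prefix = 'k7x_';")
```

Take a database backup first, and review the rows the usermeta `LIKE` pattern matches before running it, since a plugin may store unrelated keys that start with the same characters.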

6. Backup, backup and backup

Nothing is more important than backup … when it comes to websites and stuff. Lucky for you, there are some seriously good backup plugins and programs that work perfectly for WordPress. Why back up, you may ask? Well, imagine you are hacked or something bad happens to your site today. You can easily restore everything in a very short period since you have a backup file. What happens if you have no backup files? Then you would need to start again from scratch!

Real case scenario. Three months ago, I had several websites running and when ‘something’ bad happened to them, I practically lost hundreds of articles. Yes, I do back up, but I only did it once a month, which is clearly insufficient! However, it was good that at least I still had a month-old backup. If not, I would be doing everything from scratch … and for over five websites!

7. Security plugins could help

Installing security plugins will increase your WordPress security level

Hello, you’re being monitored.

Let’s say you are less geeky and need help with securing your website. There are WordPress security plugins such as WordFence and Better WP Security which could provide above average security features with just a few clicks of the mouse. Can’t decide which to use? You may find my review here, Wordfence vs Better Wp Security plugin.

Basically, these plugins will boost your WordPress security level and even provide you with much-needed security notifications. Definitely worth a shot for those who prefer to be on the safe side.

8. Increase your security features with Content Delivery Network (CDN) services

Heard about Cloudflare and Incapsula? If not, you should definitely use one. Seriously!

Content delivery network or CDN could provide minimal security especially when you are using a free service. Well, some security is always better than no security right? No? :)

I always consider a CDN to work very well, especially when it comes to preventing Distributed Denial of Service (DDoS) attacks and also improving the website loading speed. Personally, if you are using a CDN for security, Incapsula has a very good security background while Cloudflare is much better at improving website loading speed (with some security features).

9. Know your WordPress plugins

We all talk about WP every day.

Now, ask yourself a question. How much do you know about your plugins?

I used to download and try all types of plugins without even bothering to check the reviews. Now, I do check their reviews first and even do a little bit of Googling before installing anything. Some malicious plugins could be a hacker’s backdoor to your admin area and protected files. So, always have a good grip of what you are installing and decide if they are really worth the time (and your website security).

Nothing is too personal when it comes to website security!

10. The last level of security comes from you

You are the one in charge of your website security

Me? Seriously?

Yes this is true! Who is your best, most accountable and trusted watch guard for your website? It’s you for Christ’s sake! You got to be on your toes and at least, check on basic changes done that you should be worried about. Let’s take a simple example below.

I had Better WP Security installed on one of my niche websites and every time changes are made to my site, I’ll receive an email notification immediately. Imagine small changes such as uploading an image to my gallery and it triggers an email notification. Good? Excellent I would say!

Thing is, you got to at least know what’s happening on your website. Well, you might not have the technical skills to know what to do but at least, you’re still able to alert your hosting provider or developer to check on that.

And just when you think that is all …

Hold on there tiger! The above are 10 important security tips when it comes to WordPress and I still have two more up my sleeve!

11. Choose the right WordPress theme for your website

Do you know that 29% of security problems originate from using the wrong WordPress themes? There’s absolutely no denying that there are thousands of free WordPress themes out there. My personal advice?

Ditch those free themes for crying out loud! Jesus! Don’t you see it? These themes might have some code inside which could compromise your security. Not all, but certainly, I know a lot of them that actually do!

I don’t get it … I really, really don’t get it on … you know … free WordPress themes.

If you are willing to buy a premium WordPress theme, you have to be careful as well, as not all themes are coded properly. Badly coded ones will actually affect your website in many ways.

Here are two of the best WordPress themes I would recommend any day: Genesis Framework and Thesis theme.

Personally, I’m a huge fan of Genesis because:

  • Genesis 2.0 says out with the old (XHTML) and in with the new (HTML5), and if you want your website to be future-compatible it needs to use HTML5
  • Genesis 2.0’s support of Schema.org code (used by Google, Bing, Pinterest, and many others) allows you to incorporate microdata into your site’s code, further enhancing your SEO
  • Genesis 2.0 has code that, if you can believe it, is even cleaner and more lightweight than ever before — which means less bloat and faster load times for readers
  • Genesis 2.0 is responsive, and thus most of the child themes are as well
  • Genesis 2.0 is backwards-compatible (which makes updating a breeze)

Don’t take my word for it. Check them out yourself and decide which is best using the links below:

Genesis Framework | Genesis Child Themes | Thesis Theme

12. The importance of hosting companies

Last but not least, the infographic provided by WPTemplate proved that hosting companies play a huge role in terms of WordPress security. With 41% of website hacks originating from website hosting, I bet the figure explains it all.

Personally, I know there are so many hosting companies that are offering cheaper than usual hosting packages. I totally get it that hosting is a competitive industry but have you ever thought that cheap hosting might not provide even the slightest security features for your lovely website?

Let’s take some ‘stats’ for example, shall we?

  • Yoast SEO, Chris Brogan, Jay Baer and Chris Pirillo use Web Synthesis hosting
  • HTC, FourSquare, SoundCloud and Balsamiq use WP Engine hosting
  • Volkswagen, Samsung, Sony and dribbble use Media Temple hosting

Now, does all this make any logical sense to you?

The above are examples of big brands trusting their hosting companies. Do you see why they don’t go for cheaper corporate hosting? C’mon, give me a guess and I’ll wait! Yes, you got it right mate. It’s all about security.

When it comes to WordPress security, it is best to leave it to the pros if you have limited expertise.

Obviously, these brands have a much bigger package, but it doesn’t mean that you can’t join the big boys’ club. There are packages below $20 which could work very well on your budget and, most importantly, give you peace of mind 24/7.

You may be using a package at, say, $5 per month, but you have to do all the work and maintenance yourself. Simply by adding $15 a month, you can leave all the maintenance work to the pros … for free.

With proper web hosting, you can forget about spending hundreds or thousands of dollars on webmasters who will take care of your websites (no offence though).

Last time, I was with GoDaddy and then moved over to HostGator. Even though I was happy with the money I spent with them, I wasn’t too happy about the support. What can you expect from a $4 or less web hosting package, right?

Again (and like what I always say), don’t take my word for it. Go have a look at what their websites have to offer.

Recommended high end web hosting companies: Web Synthesis | WP Engine | Media Temple

You may also take a look at my review on why BlueHost is my top choice for affordable web hosting service.

Over to you…

If you think that SEO and all those blogging tips are important, think again. WordPress security is much more important nowadays. Thousands have done it wrongly and I certainly hope that you are not one of them! Remember that hackers are always out there and you need to be ready for them.

Do you have any other WordPress security tips to share? If you do, drop me a comment below and let’s discuss it.

**If you find this article interesting, I would be very grateful if you could share it using the red button below.

Reginald Chan

Professional Business Consultant at Traffic Diet
Reginald started blogging in 2005 and it soon went from just a hobby to a serious occupation. He specializes in content writing, marketing, social media and SEO. He also tweaks WordPress during his free time. Get more from him on Facebook, Twitter and Google+. Reginald is also offering paid services and if you need any help, feel free to contact him and check out the services he is offering or check out his SEO agency.

Comments

  1. says

    Hi Reginald,

    This sure is an important infographic :)

    All the points mentioned there and by you are so important. I learned some the smart way, and some the hard way. Well, if one wants to be completely smart, then he or she should just follow blindly what all is mentioned here.

    I’ve used BetterWPSecurity and WordFence, and found them both good – you’ve to use either of the security plugins. Not that you cannot protect your blog or site otherwise, but these plugins do help you save time and efforts, and are essential for the novice and non-technical people like myself.

    One important revelation by the infographic is that contrary to general belief, WordPress blogs do not get hacked mostly by weak passwords. Of course the combination of admin username and a weak password does play havoc, but seemingly harmless themes and plugins do more damage.

    Your suggestions about hosting companies are good and worth giving a thought. Of course, we can’t afford laxity and security is important, else everything else goes waste.

    Thank you for such a wonderful and helpful post. Have a nice weekend :)

    • says

      Hi Harleena,

      Thank you for your excellent input! Man I love it when you write in such a detailed manner :)

      For the infographic, that is great. Excellent one indeed and we all thought weak password was the issue. Crazy huh?

      Both of those WP security plugins are definitely worth the effort … but avoid using both. This is something many people asked me over and over again.

      Finally as for the hosting companies, yes it is a good thing to have someone taking care of things when you are asleep or like me (lack of tech skills) and I obviously can’t afford a developer. Most of the time, Google is my friend.

      Right, thanks for your comment and hey, have a great weekend ahead!

      Reginald

  2. says

    Well you know how I feel about this subject Reginald and glad you shared this infographic with your readers as well. I thought it was just spot on with providing so much great information of all the things we should be doing in order to secure our blogs to the best of our ability.

    I was really surprised when I read those stats and learned that weak passwords weren’t the way they were finding themselves in for the most part. We hear all the time make them stronger which I do but that it was themes, plug-ins and hosting services. Wow, talk about surprising.

    I hope that everyone will pay attention to this as well as your words of advice and do the best you can to make your blog secure. Always backup your blog and I do mine daily so just in case anything ever were to happen that you’d have a copy to set things back up.

    Thanks for sharing this Reginald, great advice.

    ~Adrienne

    • says

      Hi Adrienne!

      Just like you, I was more than just astonished by the results. Yeah, I thought password was the biggest contributor. From where I come from, cheap hosting is everywhere but quality wise, not so good. I even heard of hosting companies messing around with your admin password and website SEO if you are a bad payer.

      Backup is vital! I learned that the hard part and damn, I would NEVER wish to face that problem again … No way!

      Have a great ahead Adrienne & talk to you soon!

      Reginald

    • says

      Hi Cassie,

      You’re most welcome. I hope you liked this and do come back for more!

      *p/s Have you signup for the free weekly newsletter? No obligations ;-)

      Have a great week ahead!

      Reginald

  3. says

    Wow – I must admit that the visuals you used in this post are simply amazing. WordPress vulnerability is a question which was bothering me for a long time. Yet, with your tips, I already feel more protected. As they say, warned means armed.

    • says

      Hi Julia,

      Thanks for the comment and glad you find that useful! WordPress is always amazing but it is always vulnerable if users are not careful. The best way is to always play safe and you would be fine. Those tips are very basic but it could lead to lots of problems if one isn’t careful.

      Reginald

  4. says

    Hi Reginald,
    Very interesting infographic and the 12 points you elaborated on.
    One that I consider most important is the backup. That makes sure you get your site back running no matter the degree of damage caused.

    Having your backups locally with you is very important. We really don’t have to rely solely on our hosts. Downloading your database and your media folder weekly or daily is a great idea. I have a tutorial on my blog on how to set up free software to automatically download your db to your local machine as scheduled.

    Thanks for the wonderful post bro and do have a splendid weekend

    • says

      Hi Enstine,

      How are you mate?

      Backup is more than just vital. We can’t really avoid unwanted ‘incidents’ to happen and thus, it could be very nail biting especially when something happen to your site. Backup is definitely needed and luckily, WordPress has some really good free plugin for that.

      Have a great weekend and take care Enstine!

      Reginald

  5. says

    Thanks Reginald, I mainly use plugins for WordPress security but this post has changed my concept about WordPress security. Can you please tell me a good free plugin for backup?

    • says

      Hi Rahul,

      For free backup plugin, I always suggest WP-DBManager. All you need to do is set when to backup, repair your database and optimize it as well.

      There’s also option to send the backup to your email or to Dropbox, S3 etc :)

  6. Luis says

    Thanks for the detailed article on the useful tips on security issues. I have had some issues with a plugin recently where it said that some update needed to be installed. Well, when I contacted my hosting site, the company with the plugin said it was my hosting and the hosting said it was on the company’s end. It now makes me wonder if that plugin was trash to begin with. I will recommend this article to my followers. Thanks

    • says

      Hi Luis,

      You are most welcome. As for the updates, usually they come from the plugin developer only, as the hosting company is just a provider of the hosting environment. However, bear in mind that in some cases, some plugin developers will develop special code for a specific hosting environment just to ensure the plugin works. It happens, but always be wary about these so-called ‘upgrades’.

      Good luck!