How to Boost WordPress Security in 5 Steps or Less

April 6, 2016

I’m sure you’ve read at least one of those WordPress security horror stories. You know, the ones where someone loses their entire website due to a hacker attack or some other obscure vulnerability that renders their server useless.

Yep, we read those, but we read them just as that … stories. “This couldn’t happen to me!” – we’re thinking. But it can. And especially if you don’t take care of some security precautions that are actually very simple to do most of the time.

Here’s our tutorial on how to boost your WordPress security in 5 steps or less:

1. Handle user accounts and passwords properly

Okay, so you probably know that you should be using complicated passwords only, and not use the same password for multiple profiles/sites. But that’s way easier said than done, right?

I mean, I get it … having to remember multiple passwords is just impossible. And I don’t bother either.

But there’s something you can do instead:

A) Get LastPass. It’s free and there are plugins for all popular browsers. The idea is simple here. Create one main password for your LastPass vault (something that’s difficult to guess), and then store all your other passwords in that vault. Whenever you want to log in to your site, LastPass will fill in that specific password for you. No need to remember it.


B) Don’t use your main administrator profile when managing your WordPress site. Instead, create a separate user for that purpose. Give it the role of “Editor.” That role has all the user credentials you need to publish content, yet has none of the ones that can break your site if the username/password fall into the wrong hands.

2. Be careful when getting new plugins

Traditionally with WordPress security, plugins are the main cause of trouble as they’re the ones with the most security vulnerabilities.

What’s even worse, it’s always the weakest link that breaks. So you only need one plugin that’s low quality to jeopardize your whole site.

Here’s what you can do:

  • Always check if the plugin you’re getting is compatible with your version of WordPress:


  • Generally, don’t get plugins that haven’t been updated for more than 6 months:


  • Optionally, use a plugin called Plugin Security Scanner to make sure that your other plugins don’t have any known security vulnerabilities in them.

3. Keep your WordPress and plugins updated

This is a very important thing to do when it comes to WordPress security, yet it also remains incredibly overlooked by most people.

Every new version of WordPress patches the previously discovered vulnerabilities, and improves your site’s performance in a number of ways. It’s the same story with plugins.

Also, along with those new updates, the WordPress guys publish a changelog detailing everything that’s been modified. Those changelogs are quite a goldmine of information for hackers. Here’s an example excerpt from the changelog of WordPress 4.4.2:

WordPress 4.4.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. […] WordPress versions 4.4.1 and earlier are affected by two security issues: a possible SSRF for certain local URIs, reported by Ronni Skansing; and an open redirection attack, reported by Shailesh Suthar.

If you’re a hacker, you now know how you can attack outdated sites, and what their vulnerabilities are – it’s the WordPress team themselves that validated those vulnerabilities as serious-enough by fixing them in the new update.

That is why you always need to be on the newest version of WordPress as well as the newest versions of every one of your plugins.

4. Perform regular backups

Backing up is something we talked about in one of our recent posts, so instead of discussing it here again, let me just say that backups are often your last resort and probably the only way of restoring your site if anything bad happens to it.

For more info, plus a quick how-to on backing up your site, visit this.

5. Use a security plugin

Last but not least, let’s mention a handful of additional plugins that can help you keep your WordPress secure on autopilot. Here are some of the top security plugins out there:

  • Wordfence Security. The most popular WordPress security plugin out there (with more than 1 million active installs). It protects your website from hacker attacks and malware.


  • Sucuri Security. Sucuri is a well-known authority in the website and WordPress security space. Their plugin is a set of tools for security monitoring, malware detection, and security hardening.
  • AntiVirus. A popular security plugin that protects your WordPress website against exploits and spam injections.
  • Theme Check. A nice plugin for testing if your theme is in tune with all the latest coding standards and practices. And forgive me for being the bearer of bad news, but if this plugin says that something shady is going on with your theme, it’s probably a good moment to change it.

So that’s it for the 5 things you can do to boost your WordPress security today. Have you done them all yet?