Over 40% of the top 10 million websites online use WordPress. But is WordPress safe? The short answer to this question is yes – WordPress is safe. However, that doesn’t mean WordPress doesn’t have any vulnerabilities.
Thankfully, the WordPress community has documented many common WordPress vulnerabilities, making it easy for website admins to add layers of security to their site. In this article, I’ll cover 5 easy ways to make your WordPress website more secure.
1. Have Unique Admin Usernames & Strong Login Passwords
The admin login page is the first line of defense for your WordPress website. It’s where any administrator or user can gain access to the “back-end” of your site and make site changes, input or extract user/customer data, or add or remove site files and features – provided that they were given permission to do so.
Yet bad actors can also use this login page as a gateway for an attack against your site. For example, in “Brute Force” attacks, hackers make repeated attempts at guessing your login credentials to gain access to your site.
It wouldn’t take long for these hackers to successfully break into your site’s sensitive information if you’re using a generic administrator username and password (like “admin” for the username, and “password1234” for the password).
Therefore, the first easy thing you can do to make your site more secure is to use a unique username and a strong password for your site login credentials. You’ll also want to ensure your username and password are unique to your WordPress website and not reused for other logins (like your online banking or social media accounts). This adds an additional layer of security.
If, on the other hand, you recycle your usernames and passwords across multiple sites, all the sites using these credentials will be put in jeopardy the moment one of them is compromised by a hacker.
If you’re worried about losing your login information, make a paper copy of the information (be sure to include proper capitalization!). Store the paper copy in a safe location where only you and trusted persons have access (like a lockable filing cabinet).
Additionally, you can enable two-factor authentication or a one-time password (OTP) for your WordPress login page. This adds another layer of protection. For example, the WordPress security plugin SG Security (which comes with SiteGround hosting plans) has a “Two-factor Authentication” feature that uses the Google Authenticator app. This means that even if a hacker guessed your admin username and password, they would still need the randomly generated authentication code to gain access to the back-end of your site.
2. Use the Latest Version of WordPress
Another easy way to keep your site safe is to always use the latest version of WordPress. WordPress runs on a “release cycle” that puts out new versions of the core code every 4 months or so. While WordPress’s new versions can be minor or major, they almost always contain security updates.
These updates are based on the latest information from sources like the Open Web Application Security Project (OWASP Foundation), “an online community dedicated to web application security.”
Thankfully, WordPress and each of its new release versions are always free to install on your site. And, in most cases, WordPress will automatically update your site to the latest version (unless you specifically tell it not to or are using a version older than WordPress 3.7).
Plus, WordPress’s core team spends a lot of effort making new versions of WordPress backwards compatible. This simply means that new versions of WordPress are designed to work with your existing themes, plugins, and custom code.
You can check if your site is updated to the latest version by navigating to Dashboard > Updates (yellow arrow in the above image). Here, you’ll see what version of WordPress you’re using and whether it’s the latest version available (red arrow in the above image).
One important thing to note is that you don’t typically want to “jump” to the latest version of WordPress if you’re using a much older version.
For example, if you’re using WordPress 4.9 (released in 2017) on your live site, I don’t recommend trying to update straight to WordPress 6.2 (the latest version at the time of this article). This will break things.
Instead, you can download and install past releases to your website and slowly bring your site up to date. Plus, you’ll want to back up your site’s files before performing your updates. I recommend checking out this article on the various steps to take prior to, during, and after backing up your WordPress site. It can definitely be a process, but it will save you the headache of crashing your site and trying to fix everything after the fact.
Note that the older your current version of WordPress, the more tedious and precarious this process will be. This is all the more reason to keep your version of WordPress up to date at all times!
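To make the “don’t jump straight from 4.9 to 6.2” advice concrete, here is an added example (my own code, not the article’s or WordPress’s) that reads the installed version from the `$wp_version` line of wp-includes/version.php, checks whether the install is new enough for automatic updates (3.7 or later, as noted above), and plans a stepwise upgrade: first the newest point release of the branch you are on, then the newest point release of each intermediate major.minor branch, then the target. The version.php contents and the release catalogue are constructed for the demo and are not the real WordPress release history.

```python
import re

# Constructed sample of wp-includes/version.php. The real file defines $wp_version this way.
SAMPLE_VERSION_PHP = """<?php
/**
 * The WordPress version string.
 */
$wp_version = '4.9.22';
$wp_db_version = 38590;
"""

# Constructed release catalogue for the demo (not the real WordPress release list).
SAMPLE_RELEASES = [
    "4.9.22", "4.9.23",
    "5.0.3", "5.1.2", "5.2.1", "5.3.4", "5.4.2", "5.5.1", "5.6.2", "5.7.1", "5.8.3", "5.9.5",
    "6.0.3", "6.1.1", "6.2",
]


def installed_version(version_php):
    """Extract the version string from the $wp_version assignment."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def vtuple(version):
    """'6.2.1' -> (6, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def branch(version):
    """major.minor branch: 6.2 and 6.2.1 belong to (6, 2)."""
    return vtuple(version)[:2]


def supports_auto_updates(version):
    """WordPress applies minor updates automatically from 3.7 onward."""
    return vtuple(version) >= (3, 7)


def needs_update(current, latest):
    return vtuple(current) < vtuple(latest)


def upgrade_path(current, target, releases):
    """Ordered versions to install to get from `current` to `target` one branch at a time."""
    cur, tgt = vtuple(current), vtuple(target)
    if cur >= tgt:
        return []
    latest = {}  # newest release seen in each branch
    for r in releases:
        b = branch(r)
        if b not in latest or vtuple(r) > vtuple(latest[b]):
            latest[b] = r
    path = []
    # 1. Patch to the newest point release of the branch you are already on.
    same = latest.get(branch(current))
    if same and cur < vtuple(same) < tgt:
        path.append(same)
    # 2. Step through the newest point release of every branch in between.
    for b in sorted(latest):
        if branch(current) < b < branch(target):
            path.append(latest[b])
    # 3. Finish on the target itself.
    path.append(target)
    return path


if __name__ == "__main__":
    current = installed_version(SAMPLE_VERSION_PHP)
    print("installed:", current, "auto-updates:", supports_auto_updates(current))
    if needs_update(current, "6.2"):
        print(" -> ".join(upgrade_path(current, "6.2", SAMPLE_RELEASES)))
```

Back up files and database before each step of the printed path, and test each step on a staging copy first; the point of the script is to turn a risky one-shot update into a list of small, reversible ones.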
3. Update Your Theme to the Latest Version, Plus Uninstall Unused Themes
WordPress “hardens” the security of its default themes by constantly developing, iterating, and releasing new theme versions. This means you should always use the latest default theme from WordPress when you can as it will have all the latest security updates built-in.
Thankfully, it’s easy to tell which default theme is the latest because they name each new theme after the current (or upcoming) year when the theme is to be released. For example, the theme they released in 2023 is called “Twenty Twenty-Three.”
Aside from security updates, new default themes also contain many new features that are designed to make designing your websites easier and more enjoyable. Plus, they often come with performance improvements to make your site perform better and thus help you get more traffic.
Not sure how to update your themes in WordPress? I show you how in my WordPress for Beginners 2023: No-Code WordPress Masterclass on Udemy.
Whether you decide to use the latest default theme for your WordPress site or stick with the theme you’re comfortable with, you should always delete any inactive or otherwise unused themes in the back-end of your site. This is because unused themes (especially older themes or third-party themes) may have security vulnerabilities that make it easier for hackers to gain access to and attack your site.
You can learn how to delete unused themes from WordPress in this help article by Davies Media Design.
4. Update Plugins to Their Latest Version & Check Compatibility
One of the things that makes WordPress great is its integration of third-party plugins. However, not all plugins are created equal and some of them may actually create security vulnerabilities for your site.
Luckily, there are a few easy things you can do to reduce the risk of security threats created by plugins.
For starters, it is always recommended that you download and install WordPress plugins from the WordPress repository. This is because plugins listed here need to be reviewed and approved by the WordPress Security Team before being made available for download. You can find these plugins via this direct link to the plugin repository, or from directly inside the WP Admin Area of your site by going to Plugins > Add New (yellow arrow in the image below).
When deciding on which plugin to download for your WordPress site, I highly recommend using plugins that are listed as “compatible with your version of WordPress.” Thankfully, WordPress tells you if your plugin and WordPress version are compatible from directly within the Plugin directory (red arrow in the image above). Plugins that have not been tested against the latest WordPress version will display the message: “Untested with your version of WordPress” (blue arrow in the image above).
While “untested” plugins may work fine with your WordPress version and theme, there may be undiscovered security vulnerabilities attached to these plugins. So, use such plugins with caution on your website.
Note that WordPress states in their Security White Paper: “Inclusion of plugins and themes in the repository is not a guarantee that they are free from security vulnerabilities.” This being said, plugins with known “severe vulnerabilities” are removed from the repository, and may even be fixed by WordPress’s Security Team before being reposted to the repository.
Finally, once you do have plugins installed on your site, you’ll want to make sure you keep them all up to date. Plugin developers typically introduce security updates and fixes with their new versions. So, by having the latest version of a plugin, you ensure you have all the latest security updates available for that plugin on your site. Just like with unused or inactive themes, I also recommend you deactivate and uninstall any unused plugins on your site to reduce the chances that any such plugins create a security vulnerability later.
If you’re not sure how to update plugins in WordPress, I highly recommend checking this process out in my WordPress for Beginners 2023: No-Code WordPress Masterclass on Udemy.
5. Add an SSL Certificate to Your Domain
The final easy way to add more security to your WordPress site in 2023 is to add an SSL Certificate to your domain.
An SSL (Secure Sockets Layer) certificate lets a visitor’s browser verify that it is talking to the genuine site for your domain, and not an imposter or fraudulent website, and it encrypts the traffic between the two. In other words, the legitimacy of the connection is checked from directly within the user’s browser.
Sites that have an SSL certificate properly set up will show a lock icon next to the site’s URL in the browser’s address bar. For example, if you look at the top of this website in Google’s Chrome browser, you’ll see a lock icon next to the main URL (red arrow in the image above). When you click the lock icon, you’ll see a line that says “Connection is secure.” This is the browser confirming that the connection between this website and the visitor is encrypted and private.
SSL Certificates are especially important for any website that collects ANY type of user data. This includes simple information gathered from a contact form (i.e. name, email, phone number, etc.), as well as more complex or private information that would, for example, be gathered from an eCommerce site (i.e. credit card numbers, address, etc.). By making the connection secure between the website and the site visitors, SSL certificates make it very hard for hackers to steal the information exchanged between the two parties.
Some website hosting companies charge for an SSL certificate, while others (like SiteGround) offer a free one. Most hosting providers should offer an SSL certificate, as well as provide instructions on how to install it on your WordPress website.
As an added bonus, search engines like Google tend to rank websites with SSL Certificates higher than those that don’t have one. In other words, SSL Certificates not only make your sites more secure, they can also help your site get more traffic.
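Installing the certificate is only half the job; it also has to cover the hostnames visitors actually type (with and without www) and it has to be renewed before it expires, or the lock icon turns into a browser warning. The following is an added example, not code from the article or any hosting provider, that checks both conditions on a certificate in the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns. The sample certificate and dates are constructed; the `fetch_cert()` helper shows the live version of the check using the standard library, with full chain and hostname verification as a browser does, and is the only part that needs a network.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Mar  1 00:00:00 2023 GMT",
    "notAfter": "May 30 23:59:59 2023 GMT",
}


def _name_matches(pattern, host):
    """One SAN entry against a hostname. A wildcard is only honoured in the leftmost
    label and matches exactly one label, so *.example.com covers www.example.com
    but neither example.com nor a.b.example.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and bool(labels[0]) and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def hostname_covered(cert, host):
    """True if any DNS subjectAltName entry covers `host`."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_name_matches(name, host) for name in dns_names)


def days_until_expiry(cert, now):
    """Whole days from `now` (timezone-aware) to the certificate's notAfter; negative if expired."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def check_cert(cert, host, now, warn_days=14):
    """Return a list of problems (empty means the certificate is fine for `host` today)."""
    problems = []
    if not hostname_covered(cert, host):
        problems.append(f"certificate does not cover {host}")
    remaining = days_until_expiry(cert, now)
    if remaining < 0:
        problems.append("certificate expired")
    elif remaining < warn_days:
        problems.append(f"certificate expires in {remaining} days")
    return problems


def fetch_cert(host, port=443, timeout=5):
    """Live check: a TLS handshake with default (browser-like) verification; returns the
    peer certificate dictionary, or raises ssl.SSLCertVerificationError if the chain or
    hostname is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    now = datetime(2023, 5, 20, tzinfo=timezone.utc)  # constructed "today" for the sample
    for host in ("example.com", "www.example.com", "a.b.example.com"):
        print(host, check_cert(SAMPLE_CERT, host, now) or ["ok"])
```

Run the live variant (`check_cert(fetch_cert("yourdomain.example"), "yourdomain.example", datetime.now(timezone.utc))`) from a scheduled job and alert on a non-empty result; it catches the two most common ways a working HTTPS setup quietly breaks.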
That’s it for this article! If you enjoyed it, you can learn more about how to create a WordPress website from start to finish in my WordPress for Beginners 2023: No-Code WordPress Masterclass on Udemy.