Best Practice Tips To Help Keep WordPress Secure


Running a small business website can be an exhausting undertaking that requires many different things to keep up to date. You go down the path of having a website as a way to market/advertise your business by either paying someone or setting it up yourself. Then once it is set up, most people overlook one question that can be brutal: what would happen if you lost your website? Do you keep your blog posts saved somewhere else? Are you backing up your website to different sources? Is your password really strong and unique? While I always suggest using WordPress due to how scalable it is as a platform, it is still susceptible to attacks. How can you better protect yourself? Below are some tips that you can implement on your website yourself, or if fiddling with security seems too boring, you can always hire someone (like SuperMauDev) to help you keep your website secure.


1) BACKUP YOUR WEBSITE

Yes, that is me shouting. Let me give you a horror story. I used to run a website that averaged about 100,000 hits per month. There was an average of ten writers that would contribute content to the site regularly and things were going really well. Then one morning I wake up to the website not loading. Turns out the server on the hosting side was attacked and all the websites on those servers were down. In a panic, I turned to some WordPress experts and they immediately jumped on the issue and worked with the hosting company to get the server restored. After about 24 hours, and hundreds spent on their services, the databases were restored but corrupted. The WordPress expert we worked with said “It’s ok, with a website this size, we can just rebuild WordPress and recover from your backups. You have backups, right?”


I was 22, running a pretty successful blog, and security was never a concern of mine. The database was corrupt beyond recovery, and I lost everything: years of blog posts from multiple writers. My writers were devastated, and we literally had to start over from scratch. All because I didn’t have a backup.

Now you may be thinking that your website isn’t as large as the blog we were running, but security should still be taken just as seriously. You spent money to have it built, or built it yourself, and you probably stare at it for a few hours a week. Even so, would you really be ok losing it to an attack or a corrupt database? Why throw that time away?

WordPress has tons of different plugins that you can configure for backups. One piece of advice I will give you is to not rely only on your hosting company for your backups. They typically back up your web server’s content on the same web server. If that server goes down, your website and backup data are both unrecoverable. Back up to a local source, to somewhere in the magical cloud, or go crazy and do both.
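To make the “two separate destinations” advice concrete, here is an added example script (not code from this post or from any WordPress plugin) that dumps the database with `mysqldump`, bundles it with `wp-content` and `wp-config.php` into one archive, writes a SHA-256 checksum beside it, and copies the pair to every destination you list. The `verify_backup` function is what you run against the copy that lives *off* the web server. The wp-config parsing, the destination paths and the sample data in the `__main__` block are assumptions for illustration; `mysqldump` must be on `PATH` for `dump_database`, and the other functions work without it.

```python
"""Added example: back up a WordPress site to more than one destination."""
import hashlib
import io
import os
import re
import shutil
import subprocess
import sys
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Matches define('DB_NAME', 'value'); lines in wp-config.php (single or double quotes).
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Pull DB_NAME / DB_USER / DB_PASSWORD / DB_HOST out of wp-config.php source."""
    return {key: value for key, value in DEFINE_RE.findall(text)}


def dump_database(cfg):
    """Run mysqldump with the credentials from wp-config.php and return the SQL bytes.
    The password goes through the MYSQL_PWD environment variable, not argv,
    so it does not show up in `ps` output on a shared host."""
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])
    cmd = ["mysqldump", "--single-transaction",
           "-h", cfg.get("DB_HOST", "localhost"), "-u", cfg["DB_USER"], cfg["DB_NAME"]]
    return subprocess.run(cmd, env=env, check=True, capture_output=True).stdout


def sha256_file(path):
    """Stream a file through SHA-256 so large uploads directories do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(wp_root, db_dump, dest_dirs):
    """Bundle wp-content, wp-config.php and the SQL dump into one tar.gz, write a
    .sha256 file beside it, and copy both to every destination directory.
    Returns the list of archive paths written."""
    wp_root = Path(wp_root)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    written = []
    with tempfile.TemporaryDirectory() as tmp:
        archive = Path(tmp) / f"wp-backup-{stamp}.tar.gz"
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(wp_root / "wp-content", arcname="wp-content")
            config = wp_root / "wp-config.php"
            if config.exists():
                tar.add(config, arcname="wp-config.php")
            info = tarfile.TarInfo("database.sql")
            info.size = len(db_dump)
            tar.addfile(info, io.BytesIO(db_dump))
        digest = sha256_file(archive)
        for dest in dest_dirs:
            dest = Path(dest)
            dest.mkdir(parents=True, exist_ok=True)
            target = dest / archive.name
            shutil.copy2(archive, target)
            # Same "digest  filename" layout that `sha256sum -c` understands.
            (dest / (archive.name + ".sha256")).write_text(f"{digest}  {archive.name}\n")
            written.append(target)
    return written


def verify_backup(archive):
    """Re-hash the archive, compare it with the stored checksum, and confirm the
    database dump and wp-content are actually inside. Run this on the off-server copy."""
    archive = Path(archive)
    expected = Path(str(archive) + ".sha256").read_text().split()[0]
    if sha256_file(archive) != expected:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        names = tar.getnames()
    return "database.sql" in names and any(n.startswith("wp-content") for n in names)


if __name__ == "__main__":
    # Assumed usage: backup.py /var/www/html /mnt/local-backups /mnt/cloud-bucket
    site = Path(sys.argv[1])
    creds = parse_wp_config((site / "wp-config.php").read_text())
    paths = create_backup(site, dump_database(creds), sys.argv[2:])
    for path in paths:
        print(path, "ok" if verify_backup(path) else "CHECKSUM MISMATCH")
```

The checksum file is what turns a “we have a backup” feeling into a fact: if the remote copy was truncated in transit, or silently rotted on cheap storage, `verify_backup` says so long before you need the restore.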

2) Strong Passwords

This is one that seems like a no-brainer today, but many people still use weak passwords. You may think to yourself “why would a hacker want to get into my website?” The easy answer is that you probably use that same password in multiple places. Or they are just running bots that dig through WordPress sites trying to get any information they can find. A hacker can crack a 16 character password in under an hour. There is a cool website found here that can actually track your password strength. Kinda fun to play with, if you’re nerdy like me, to see how strong your passwords are.

If you have a phrase like “supermaudevpassword”, it receives a score of 20% on that website. That is entirely too weak, because, well, for one, it has the word password in it. That’s hilarious and please do not do that. But what if I change this to something called a passphrase and put spaces in between each word, like “super man dev password”? Still all lowercase, but the percentage goes up to 35%. Not much of a bump, but let’s add uppercase to each first letter. That goes up to a whopping 93%. Please know that I do not use this password anywhere ever! You can set up WordPress to allow passphrase passwords if it doesn’t allow them currently.
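The percentages above come from a third-party site, so here is an added example (not from this post or from that site) that shows the two numbers a security engineer actually looks at for the same three passwords: the brute-force estimate, which grows with length and character classes exactly as the post describes, and the much smaller dictionary estimate, which is what a passphrase is really worth if the attacker guesses whole words. It also flags the “has the word password in it” problem and generates a fresh passphrase. The vocabulary size of 7776 matches the common diceware-style word lists; the tiny word list in the block is constructed for the demo, not a real list.

```python
"""Added example: compare brute-force and dictionary entropy of WordPress passwords."""
import math
import secrets
import string

# Fragments that appear in almost every leaked-password list; presence is an automatic fail.
COMMON_FRAGMENTS = ("password", "wordpress", "admin", "123456", "qwerty", "letmein")

# Constructed stand-in for a real word list (a diceware-style list has 7776 entries).
DEMO_WORDS = ("orbit", "velvet", "cactus", "lantern", "pebble", "saffron",
              "glacier", "marble", "quiver", "tundra", "harvest", "falcon")


def charset_size(pw):
    """Size of the smallest alphabet that still contains every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if " " in pw:
        size += 1
    return size


def brute_force_bits(pw):
    """Upper bound: attacker knows nothing and must try every string of this alphabet."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def dictionary_bits(pw, vocab=7776):
    """Lower bound for a passphrase made of plain words: attacker guesses whole words.
    Returns None when the password is not just space-separated alphabetic words."""
    words = pw.split()
    if not words or not all(w.isalpha() for w in words):
        return None
    return len(words) * math.log2(vocab)


def weaknesses(pw):
    """Human-readable reasons a password would be rejected, independent of the bit counts."""
    found = []
    lowered = pw.lower()
    for fragment in COMMON_FRAGMENTS:
        if fragment in lowered:
            found.append(f"contains '{fragment}'")
    if len(pw) < 16:
        found.append("shorter than 16 characters")
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(c in string.punctuation or c == " " for c in pw)])
    if classes < 2:
        found.append("only one character class")
    words = pw.split()
    if len(words) > 1 and len(words) < 4:
        found.append("passphrase has fewer than 4 words")
    return found


def generate_passphrase(n_words=5, words=DEMO_WORDS, capitalize=True):
    """Pick words with the OS CSPRNG (secrets), never random.choice, for real credentials."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    if capitalize:
        chosen = [w.capitalize() for w in chosen]
    return " ".join(chosen)


def report(pw):
    """Bundle the three measurements so a script can print or assert on them."""
    return {"brute_force_bits": round(brute_force_bits(pw), 1),
            "dictionary_bits": dictionary_bits(pw),
            "weaknesses": weaknesses(pw)}


if __name__ == "__main__":
    for candidate in ("supermaudevpassword", "super man dev password", "Super Man Dev Password"):
        print(repr(candidate), report(candidate))
    print("suggested:", generate_passphrase())
```

Note how the brute-force number climbs from roughly 89 to 105 to 126 bits across the three variants, mirroring the 20% / 35% / 93% jump in the post, while the dictionary number stays at about 52 bits for all the spaced versions: capitalizing first letters helps against a dumb brute-force tool but not against one that tries word lists with obvious capitalization rules. The real fix is more words, and words that do not include “password”.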

3) Keep WordPress and Plugins Updated Regularly

WordPress does a pretty good job keeping update numbers in your face, but not enough that it becomes a distraction. I’m guilty of going weeks without updating my WordPress, or not configuring it to update automatically. There are tradeoffs to both scenarios. Most themes/plugins do a pretty good job of not breaking when a WordPress update takes place, but it does happen. So setting up WordPress to stay updated automatically can be a gamble, but it is probably the safest route to take if you are one to neglect keeping WP updated.

Plugins are the same way. You can have them updated automatically. It takes a few lines of code in your functions.php file, but it can be done. There are also plugins that you can install to help, but I tend to preach not to add plugins if you don’t have to. WordPress plugins are great and they are what makes WordPress so useful, but plugins also break the clean experience, and you always risk relying too heavily on them. They are made by many different companies and individuals whom you are relying on to stay current. Sometimes they do, and sometimes they break, which can leave parts of your website broken until the author fixes the issue.
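Whether you enable auto-updates or not, you still want something that tells you when core or a plugin has fallen behind. The following added example (my code, not part of this post and not a WordPress plugin) reads the installed core version from `wp-includes/version.php` and each plugin’s version from its header comment, then compares them with what the public WordPress.org API reports. The two `api.wordpress.org` endpoints are real; the version-comparison logic, the `audit` function and the sample site in the `__main__` block are assumptions for the demo. The fetchers are injectable so the comparison can be exercised without network access.

```python
"""Added example: report outdated WordPress core and plugins."""
import json
import re
import sys
import urllib.request
from pathlib import Path

# $wp_version = '6.4.2'; as written in wp-includes/version.php
VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# "Plugin Name:" and "Version:" lines from a plugin's header comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.M)


def version_key(version):
    """Turn '6.4.2' into (6, 4, 2); trailing zeros are dropped so 6.5 == 6.5.0."""
    parts = [int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", version.strip())]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(installed, latest):
    return version_key(installed) < version_key(latest)


def installed_core_version(wp_root):
    text = (Path(wp_root) / "wp-includes" / "version.php").read_text(errors="ignore")
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError("could not find $wp_version in wp-includes/version.php")
    return match.group(1)


def installed_plugins(wp_root):
    """Yield (slug, name, version) for every plugin directory that has a header."""
    plugins_dir = Path(wp_root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return
    for plugin_dir in sorted(plugins_dir.iterdir()):
        if not plugin_dir.is_dir():
            continue
        for php_file in sorted(plugin_dir.glob("*.php")):
            # WordPress itself only reads the first 8 KiB of the file for the header.
            head = php_file.read_text(errors="ignore")[:8192]
            fields = {k.lower(): v for k, v in HEADER_RE.findall(head)}
            if "plugin name" in fields:
                yield plugin_dir.name, fields["plugin name"], fields.get("version", "0")
                break


def latest_core_version(timeout=10):
    """Newest stable release according to the WordPress.org version-check API."""
    url = "https://api.wordpress.org/core/version-check/1.7/"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)["offers"][0]["version"]


def latest_plugin_version(slug, timeout=10):
    """Newest version of a directory-hosted plugin, or None for private/unknown slugs."""
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        data = json.load(resp)
    return data.get("version") if isinstance(data, dict) else None


def audit(wp_root, fetch_core=latest_core_version, fetch_plugin=latest_plugin_version):
    """Return [(component, installed, latest), ...] for everything that needs an update."""
    findings = []
    core = installed_core_version(wp_root)
    newest = fetch_core()
    if is_outdated(core, newest):
        findings.append(("core", core, newest))
    for slug, _name, version in installed_plugins(wp_root):
        newest = fetch_plugin(slug)
        if newest and is_outdated(version, newest):
            findings.append((f"plugin:{slug}", version, newest))
    return findings


if __name__ == "__main__":
    # Assumed usage: check_updates.py /var/www/html  (exit code 1 when anything is behind)
    results = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    for component, installed, latest in results:
        print(f"{component}: {installed} -> {latest}")
    sys.exit(1 if results else 0)
```

Run it from cron and mail yourself the output, or wire the non-zero exit code into whatever monitoring you already have; a plugin that is months behind its public release is exactly the thing the bots in the password section are scanning for.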

4) Set Strong Passwords For Your Database

Remember when you were first installing WordPress and it asked for a database password? Maybe not, as some installers handle this themselves, but those who installed WordPress manually had control over this password. If your hosting company set this up, they probably emailed you the information in case you need to access it for anything. Dig through your email, find that password, and verify it’s a good, long, strong one. If you log into your database, check out other things too, including making your .htaccess stronger and setting stricter permissions on your server files. Explaining these things is beyond the scope of this blog post, but you can search out best practices elsewhere.

5) And Lastly, Check Your Changes

Best practice is to implement these security features and check them often. You back up your website, but have you tested it? Have you gone through the process of backing up your stuff and actually restoring from your backup? If so, great job! If not, trying to restore under pressure can create more of a headache if it isn’t done properly. Also check your server a handful of times per year to make sure permissions haven’t changed on anything.
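“Make sure permissions haven’t changed” is easiest when you have something to compare against. This added example (my code, not from this post or from WordPress) records a baseline of every file’s and directory’s mode under the site root as JSON, flags entries that are looser than the usual 0644 for files and 0755 for directories, treats `wp-config.php` as sensitive (readable only by the owner, or owner and group), and on later runs reports what was added, removed or changed since the baseline. The expected modes and the `wp-config.php` rule are common hardening conventions I am assuming here, not something the post specifies; adjust them to what your host requires.

```python
"""Added example: baseline and re-check file permissions under a WordPress root."""
import json
import os
import stat
import sys
from pathlib import Path

# Assumed conventional maximums; any extra bit beyond these is reported.
EXPECTED = {"file": 0o644, "dir": 0o755}
# Files that hold secrets must not be readable by "other" at all.
SENSITIVE = {"wp-config.php": (0o600, 0o640, 0o400, 0o440)}


def snapshot(wp_root):
    """Map each relative path to {"type": file|dir, "mode": "0644"}; symlinks are skipped."""
    wp_root = Path(wp_root)
    snap = {}
    for dirpath, dirnames, filenames in os.walk(wp_root):
        entries = [(d, "dir") for d in dirnames] + [(f, "file") for f in filenames]
        for name, kind in entries:
            path = Path(dirpath) / name
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            rel = str(path.relative_to(wp_root))
            snap[rel] = {"type": kind, "mode": f"{stat.S_IMODE(st.st_mode):04o}"}
    return snap


def find_lax(snap):
    """Return [(path, mode, reason)] for entries that are more permissive than expected."""
    issues = []
    for rel, entry in snap.items():
        mode = int(entry["mode"], 8)
        base = os.path.basename(rel)
        if base in SENSITIVE:
            if mode not in SENSITIVE[base]:
                allowed = "/".join(f"{m:04o}" for m in SENSITIVE[base])
                issues.append((rel, entry["mode"], f"sensitive file, expected one of {allowed}"))
            continue
        allowed = EXPECTED[entry["type"]]
        if mode & ~allowed:
            issues.append((rel, entry["mode"], f"bits beyond {allowed:04o}"))
        if mode & 0o002:
            issues.append((rel, entry["mode"], "world-writable"))
    return issues


def diff_snapshots(baseline, current):
    """What changed since the baseline: new paths, vanished paths, and mode changes."""
    base_keys, cur_keys = set(baseline), set(current)
    changed = sorted(p for p in base_keys & cur_keys
                     if baseline[p]["mode"] != current[p]["mode"])
    return {"added": sorted(cur_keys - base_keys),
            "removed": sorted(base_keys - cur_keys),
            "changed": changed}


def save_snapshot(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_snapshot(path):
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    # Assumed usage:  perms.py baseline /var/www/html perms.json
    #                 perms.py check    /var/www/html perms.json
    action, root, store = sys.argv[1], sys.argv[2], sys.argv[3]
    current = snapshot(root)
    for rel, mode, reason in find_lax(current):
        print(f"LAX  {mode} {rel}: {reason}")
    if action == "baseline":
        save_snapshot(current, store)
    else:
        delta = diff_snapshots(load_snapshot(store), current)
        for key in ("added", "removed", "changed"):
            for rel in delta[key]:
                print(f"{key.upper():8}{rel}")
```

Keep the baseline JSON with your off-server backups, not in the web root: a drift report is only useful if the attacker who changed the permissions could not also edit the file that says what they used to be.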

I hope this has been helpful. Please feel free to reach out if you have any questions. Thanks for reading!