Disclosure: This post contains affiliate links for products or services that I personally use and highly recommend. If you click on the link and make a purchase, I may receive a commission, at no additional cost to you. I only recommend products or services I believe will be good for my readers and clients. (I don’t recommend junk; that’s not how I roll.)
Protect your Website from Hackers and Malware
WordPress is one of the most popular website platforms in the world. Unfortunately, that makes it a big target for hackers. That’s why it’s important to make sure that you take steps to protect your website. Here are my WordPress Security Tips to help keep your website safe – even if you’re not techy!
Your Computer
The first thing you can do to protect your WordPress website is to protect your own computer. It might not seem related; but it really is. If your computer gets a virus or spyware, it can then infect your website when you work on it. So:
- Run good anti-virus software on all computers that you will be using when you’re working on your website.
- Use strong and unique passwords for every website and online account that you access. You can use the Strong Password Generator website if you need help with generating a strong password.
- Use a password manager to store all your passwords, instead of saving them in your browser or in a file on your computer. I use (and love!) 1Password. Another option for a password manager is LastPass.
Your Web Host
Your web hosting account has a direct impact on your WordPress security.
- Use a web host that has strong security measures in place to protect your website.
- Make sure your hosting account is set up to meet the minimum requirements to run your WordPress site at optimal speed and in an optimal environment. You can find the web host requirements for WordPress here.
- Use strong and unique passwords for your web hosting account, including any FTP logins, your website database, and your email accounts.
- Install an SSL certificate on your website – and then set up your WordPress website to use it. After you do this, your website will use HTTPS instead of HTTP – and you’ll also see a padlock icon next to your website address in the browser.
- Run regular security scans to detect malware on your website.
- Regularly save full website backups off-site (not on your hosting account).
For more information on creating WordPress backups see:
How to Backup your WordPress Site
Some web hosts have a lot of this functionality already built-in on your web hosting account. If yours doesn’t, you can install a plugin to do this. (I’ve included more information on WordPress Security plugins below.)
WordPress Security
There are a few simple things you can do right within WordPress to make your website more difficult for hackers to access.
- Don’t share your WordPress login with other people who need to access your website. Set up each user with their own username and password.
- Set up user accounts with only as much access as they need. Be especially careful when giving users the administrator role, as this role gives the user full control of your WordPress website.
- Don’t use “admin” as a username. Because this is the default username that is used when installing WordPress on a new website, it is the first username a hacker will try to get into your site. (If you already have a user account set up with the username “admin”, here’s how to change it.)
- Make sure all the administrators on your website are using a strong password and are changing it periodically.
- Delete any WordPress users from your website as soon as they no longer need access to it.
- Set a limit on the number of failed login attempts that are allowed. If a user tries (and fails) to log in more than that number of times, the login function is disabled for them. This helps stop brute force attacks (hackers trying different usernames and passwords, over and over again, until they get logged in).
- Only install reputable themes and plugins that are regularly updated.
- Make sure you are keeping the WordPress software, your themes and your plugins updated. That way you are fixing any security problems soon after they are discovered.
- Delete old themes and plugins that you no longer use – because these can be security risks, too.
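The failed-login limit from the list above, sketched as an added example (this is not code from WordPress or from any plugin). The `LoginLimiter` class, the `replay` helper, the choice to track visitors by address, and the limits of 5 failures in 10 minutes with a 30-minute lockout are all assumptions made for illustration.

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Lock a client out after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window=600, lockout=1800):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = defaultdict(deque)  # key -> times of recent failures
        self._locked_until = {}              # key -> time the lockout ends

    def attempt(self, key, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt."""
        if now < self._locked_until.get(key, 0):
            # Checked before the password, so guesses made during a lockout
            # are refused even when they happen to be correct.
            return "locked"
        if self._locked_until.pop(key, None) is not None:
            self._failures.pop(key, None)    # lockout expired: count from zero
        if password_ok:
            self._failures.pop(key, None)
            return "ok"
        recent = self._failures[key]
        recent.append(now)
        while recent and recent[0] <= now - self.window:
            recent.popleft()                 # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
        return "failed"


def replay(events, **limits):
    """Run constructed (time, address, password_ok) events through a fresh limiter."""
    limiter = LoginLimiter(**limits)
    return [limiter.attempt(addr, ok, t) for t, addr, ok in events]


# Constructed sample: one address guessing every 10 seconds, one normal visitor.
SAMPLE = [(t, "203.0.113.7", False) for t in range(0, 50, 10)] + [
    (60, "203.0.113.7", True),     # correct password, but the address is locked out
    (70, "198.51.100.4", False),   # a visitor mistypes once
    (80, "198.51.100.4", True),    # then logs in normally
    (2000, "203.0.113.7", True),   # the lockout (1800 s from t=40) has expired
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", result)
```

The visitor who mistypes once is never locked out, while the repeated guesser is refused even when a guess is correct until the lockout ends.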
WordPress Security Plugins
You can use a WordPress security plugin to protect your website from malware and hacking attempts.
There are many different security plugins available. The two I recommend are:
- Wordfence Premium: $99/year
- Jetpack Security: $25/month
Both plugins offer free versions; but you’ll want to go with their Premium versions. And to clarify – just choose one security plugin; don’t run both of them on your website.
Another option is to go with a high-end web hosting company that handles the security features that these plugins include. I use Flywheel web hosting because their hosting plans already include security features – so you don’t need to use and pay for a separate security plugin.
For more tips on web hosting check out:
Choosing the Best WordPress Hosting for Busy Entrepreneurs
In addition to all of these WordPress security tips, there are some additional (quite techy) steps you can take to secure your WordPress site. But following this list of tips will definitely make your website much more secure.