
How to secure your WordPress website

Posted by Jonathan.

Last updated April 10, 2024.

If you’re new to web design you might be worried about security. What does it mean to keep your WordPress website ‘secure’ and what’s the worst that can happen if it goes wrong?

And how do you prevent these things from happening?

How attacks happen

Attackers probe for weak points in your website that could give them a way in. 

This is mostly due to poor security practices or badly maintained software, although even the best systems can occasionally fall victim. In recent years eBay, EasyJet and Virgin Media have all been ‘had’.

An attack could mean loss of data, service interruption, or even your website being taken offline.

Luckily, when it comes to WordPress, security comes built in and it’s possible to prevent the vast majority of attacks with routine website maintenance and careful choice of software.

But how do attacks happen?

Brute Force Attacks (i.e. Guess the Password)

This very basic sounding attack method is made much more sophisticated by modern computer programs, which can guess anywhere between 10,000 and 1 billion passwords every second, meaning your 5 letter password can be guessed by the time you’ve read this sentence.

Attackers can even make it look as though they are connecting from thousands of different devices, bypassing the measures that are meant to stop someone repeatedly entering wrong login details.

How to stop it: You can easily prevent this kind of attack by choosing complex passwords, and taking advantage of 2 factor authentication, which means an intruder needs more than just your password to log in.

Outdated and poorly maintained software

Most websites these days are made up of multiple pieces of software. Occasionally these bits of software develop vulnerabilities, which hackers home in on by scanning thousands of websites at a time. They then use various methods to ‘inject’ code to gain access or cause harm.

How to stop it: Making sure your software comes from reputable developers, and is kept up to date with the latest security patches, protects against the vast majority of issues.

Phishing and ‘authentication cookie theft’

Sometimes attackers bypass the website completely and steal user credentials straight from the user’s device, using malware called ‘info stealers’.

Security firm We Watch Your Website found the majority of website hacks happen via ‘Authentication Cookie Theft’. This is when intruders steal a piece of code from a user who has already logged in, enabling them to mimic that user and bypass the normal login process.

How to stop it: If possible, don’t leave yourself logged in to websites unnecessarily; if you’re not logged in, there is no session cookie to steal and an attacker can’t bypass 2 factor authentication. Never click on links in emails unless you’re certain where they’re from, and keep your antivirus software up to date.

5 ways to keep your WordPress website safe

Take backups

First things first: take a backup! If all else fails, a backup means you can never lose everything, whether it’s through malicious action or user error.

Your web host should maintain a backup, but this is not always quick to recover and they may charge. Use a plugin to do this automatically and for free, such as UpdraftPlus.

What I do at Clickish: I always keep 2 backups of your website that can be restored instantly if needed.

Choose a good quality website host

A website host is the company that stores your website’s files and serves them to visitors on the web. If a problem occurs on your website’s server, a bad ‘un can potentially gain access to your website, no matter what other security measures you’ve taken.

Going for a quality host means:

  • Server software is properly maintained and up to date.
  • You get fully fledged security measures, such as firewalls and intruder detection.
  • Websites that share your server are properly monitored and isolated, meaning infected websites can’t affect the performance or integrity of your own.

What I do at Clickish: I currently use Siteground for all my websites, who are well regarded for security. See my list of recommended web hosts for more suggestions.

Use quality software and services, and keep them up to date

Only use software you know comes from reputable vendors and who have a track record. Check their reviews and search their company online to get a sense of their reputation.

Check for software updates regularly in your WordPress dashboard, and update within a few days of release, or sooner if they detail a known security threat.

If you handle payments on your website, take advantage of payment providers like Stripe or Paypal who handle all the security and legal compliance for you, or consider an externally hosted payment page, like the ones WorldPay or GoCardless provide.

What I do at Clickish: I only choose software from vendors I believe are reliable. As a web designer I also have access to software that might be unaffordable for a single website, such as specialist form builders. When I maintain your website, I keep the software up to date and take regular back ups before major updates in case something goes wrong.

Install a security plugin

While not the Be All and End All of WordPress security, a good security plugin, such as Wordfence or Sucuri, can strengthen the security procedures that already exist in WordPress: for example, by enforcing 2 factor authentication, running additional security scans, or turning off features that you don’t need and that could open an avenue for attack.
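As an added illustration of what “turning off features you don’t need” and slowing down password guessing (see the brute force section above) look like under the hood, here is a small must-use plugin. It is example code written for this article, not the author’s own hardening or any security plugin’s source; the thresholds, the function names and the error wording are assumptions you would tune for your own site.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not the author's or any plugin's code)
 * Save as wp-content/mu-plugins/login-hardening.php; mu-plugins load on every request.
 */

// 1. XML-RPC is rarely needed on a modern site and is a favourite password-guessing channel.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Don't advertise the WordPress version in the page <head>.
remove_action( 'wp_head', 'wp_generator' );

// 3. Show the same message for a wrong username and a wrong password,
//    so the login form does not confirm which usernames exist.
add_filter( 'login_errors', function () {
    return 'Login failed. Check your details and try again.';
} );

// 4. Lock out an IP address AND a username after too many failures.
//    The per-username counter matters because attackers spread attempts across many IPs.
define( 'HARDEN_MAX_ATTEMPTS', 5 );                      // assumption: failures allowed per window
define( 'HARDEN_WINDOW', 15 * MINUTE_IN_SECONDS );       // assumption: 15 minute window

// One transient key per IP and one per username. Behind a proxy or CDN,
// REMOTE_ADDR is the proxy's address, so adjust this for your host.
function harden_counter_keys( $username ) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return array(
        'harden_ip_' . md5( $ip ),
        'harden_user_' . md5( strtolower( (string) $username ) ),
    );
}

// Count each failure; the transient expires by itself after the window.
add_action( 'wp_login_failed', function ( $username ) {
    foreach ( harden_counter_keys( $username ) as $key ) {
        $count = (int) get_transient( $key );
        set_transient( $key, $count + 1, HARDEN_WINDOW );
    }
} );

// Priority 30 runs after WordPress's own username/password check (priority 20).
// Returning a WP_Error refuses the login even if the password was correct.
add_filter( 'authenticate', function ( $user, $username ) {
    foreach ( harden_counter_keys( $username ) as $key ) {
        if ( (int) get_transient( $key ) >= HARDEN_MAX_ATTEMPTS ) {
            return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
        }
    }
    return $user;
}, 30, 2 );
```

Note the trade-off: a per-username lockout can be used to keep a real user out for the length of the window, which is one more reason 2 factor authentication, not lockouts alone, is the real answer to password guessing.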

What I do at Clickish: I install well known security software on all my websites. I also make some technical changes to beef up security such as disabling certain features you don’t need and changing the default login URL and database table names.

Strong passwords, good antivirus

Make sure you and other users have strong passwords and take advantage of 2 factor authentication, wherever possible. Keep antivirus up to date and don’t click on email links if you’re not sure where they come from.

What I do at Clickish: I always use up to date anti virus software and strong passwords, along with 2 factor authentication. I also look after your data. I never keep it on my devices for longer than necessary, or without proper safeguarding. See How I Protect Your Data.

So is that it?

You can prevent the vast majority of attacks by following the simple advice here, but there’s much more to security, some of it very technical and handled by your host or the core website software.

For a deeper dive on the things you can do to secure your WordPress website, see this WP Beginner Guide.
