WordPress website security checklist: Basic & best practices

With technology moving forward and the global growth of the online presence of businesses and individuals, cybercriminals get more opportunities to discover and exploit vulnerabilities in a website's structure, especially on websites built with Content Management Systems.

WordPress is the most popular CMS on the market, with roughly 64 million websites on the web. Add its open-source structure, and it is no surprise that it is a popular target for hackers. So if you own a WordPress website, it is worth dedicating some time to researching online learning resources, enrolling in network and security courses, and monitoring relevant news. Sharing these resources, or making sure that the people who work on the website learn the rules of safe internet conduct as part of their onboarding, will also help you avoid human-related breaches. If you are reading this and want to protect your WordPress installation, you are in the right place.

Let's check what you can do in this regard:

Do Updates: the more often the better

The first step towards securing your WordPress website is making sure you run the latest WordPress release as well as the recommended PHP and MySQL versions. Pay special attention to the core version, plugins and themes, because the longer a given software version exists, the more chances there are that attackers find ways to penetrate your website. The good news is that it is possible to enable automatic updates of the WordPress core by setting the following rule in your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins, updates can be applied right from the admin panel, in bulk or one by one, by selecting the necessary plugins when a new version becomes available.

There is a way to manage all the updates in one place with the help of plugins like “Easy Updates” or similar ones.
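As an added example, not part of the original article, here is a small Python check that reads a wp-config.php fragment and reports which core auto-update policy its constants express. The sample config is constructed, and AUTOMATIC_UPDATER_DISABLED is assumed to be the WordPress constant that switches the whole updater off, overriding WP_AUTO_UPDATE_CORE.

```python
import re

# Matches an active PHP define() call; tolerant of spacing and either quote style.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Z0-9_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)

# Constructed sample wp-config.php fragment (not a real site's file).
SAMPLE_CONFIG = """<?php
// define( 'WP_AUTO_UPDATE_CORE', false );  // old setting, commented out
define( 'DB_NAME', 'wordpress' );
define( 'WP_AUTO_UPDATE_CORE', true );
"""

def parse_defines(config_text):
    """Return {CONSTANT: raw PHP value} for define() calls that are not commented out."""
    defines = {}
    for line in config_text.splitlines():
        stripped = line.strip()
        # A commented-out define is not in effect; only line-comment markers are handled.
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        for match in DEFINE_RE.finditer(stripped):
            defines[match.group("name")] = match.group("value").strip()
    return defines

def _php_value(raw):
    """Normalise a PHP literal: true/false booleans, otherwise an unquoted string."""
    if raw.lower() == "true":
        return True
    if raw.lower() == "false":
        return False
    return raw.strip("'\"")

def core_update_policy(config_text):
    """Classify core auto-updates as 'all', 'minor', 'disabled' or 'unknown'."""
    defines = parse_defines(config_text)
    # AUTOMATIC_UPDATER_DISABLED (assumed constant) turns the whole updater off and wins.
    if _php_value(defines.get("AUTOMATIC_UPDATER_DISABLED", "false")) is True:
        return "disabled"
    if "WP_AUTO_UPDATE_CORE" not in defines:
        return "minor"  # WordPress default: minor and security releases only
    value = _php_value(defines["WP_AUTO_UPDATE_CORE"])
    if value is True:
        return "all"
    if value is False:
        return "disabled"
    return "minor" if value == "minor" else "unknown"
```

Run it against the real file with `core_update_policy(open("wp-config.php").read())`; anything other than "all" or "minor" means the core is not patching itself.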

Share login details carefully 

It is highly recommended to apply a minimum-privilege policy when providing access to users who need your admin panel. Instead of sharing your main admin credentials, create a separate user with only the necessary access. You can also assign a role to a user based on the permissions you grant. This is useful when several people on the team have different responsibilities: when a content manager or editor asks for access to publish articles, they do not need the same rights as developers.

Pro tip: make sure to remove users once a collaboration ends, and regularly audit the users with admin access (there are plugins for that too) to find unused accounts and delete them as well.

Don’t think you are saving with unofficial software

Sometimes the prices on official websites that sell WordPress add-ons may seem high, and there is a temptation to buy them when you see discounts of up to 50% on some forums or offers to get them "almost for free". Beware of such deals: as a rule, this is either cracked software or software infected with malware. Besides being illegal, it can cost you much more to recover from the consequences if your website catches a virus. Another argument against it is that you will not be able to get any support from the software provider, because licensed vendors secure their products with unique authentication such as private API keys or unique purchase codes in order to provide updates and verify customers when helping with troubleshooting.

Vet the host

If you use shared hosting (aka web hosting), you have little influence over the global server settings, and ensuring security lies on the shoulders of your hosting provider. So before purchasing a plan, pay attention to the following aspects:

Arm yourself with Security plugins

You can also strengthen security by installing WordPress plugins that act as local firewalls and scanners to filter traffic and quarantine files; Sucuri, Wordfence and WPScan are a few of the most popular ones. As malicious scripts often aim at getting into the admin dashboard and target /wp-admin pages, protecting its URL by replacing the default with a customized slug like /johncontrolpanel, /janepersonaldashboard or others will make these attempts fail. There are also plugins to achieve that, like WPS Hide Login.

Ensuring the security of your WordPress installation is not a one-time measure. That is why the tips above, as well as other general measures like setting strong passwords and rotating them regularly, should be included in the checklist of regular maintenance tasks that keep your website safe and sound.