Welcome to WordPress.
You are now a part of a sprawling community of WordPress users, developers, and geeks. And your website is one of 16 million others currently powered by WordPress.
You already know about the user-friendliness, the vast variety of themes and plugins, and the complete control you get over your WordPress website. But it isn't all fun and games until you learn how to keep it safe.
WordPress is as secure as you make it. So let’s harden your defenses against common attacks.
1. Backups
These are necessary for maintenance, for security, and for general peace of mind.
A backup is your safety net when a) your website crashes, b) you lock yourself out, or c) you get hacked. A clean backup taken before the compromise is the fastest way to recover from the third.
Install a trustworthy backup plugin and use it to create scheduled backups of both your files and your database; the database holds your posts, users and settings, so a files-only backup is not a backup. Options include Backup Buddy (premium, with good automatic restore features), BackUpWordPress (free), WordPress Backup to Dropbox (mostly free, stores site-wide plus database backups off-site in Dropbox), hosted services like VaultPress, and UpdraftPlus, which can push backups to remote storage. Whatever you choose, keep copies somewhere other than the web server itself, since an attacker who owns the server can delete on-server backups along with everything else, and test a restore at least once so you know the backup actually works.
Tip: Tie your backup schedule to your maintenance schedule. Take a fresh backup right before you update anything, so that if the update breaks the site you can roll back to a known-good state.
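Here is what that routine looks like as a script, added here as an example rather than code from any of the plugins above: it archives the whole install (skipping regenerable cache directories under wp-content), reads the DB_* constants out of wp-config.php so it can drive mysqldump for the database half, and keeps only the newest N archives. The site layout, file names and credentials built in run_demo() are constructed for the demonstration; dump_database() assumes mysqldump is on the PATH and is not exercised by the demo. Shipping the archives off the server (scp, rclone, S3) is left to you.

```python
"""Added example: timestamped file backup, wp-config.php credential parsing for a
database dump, and retention pruning. Constructed for this page; not a plugin's code."""
import os
import re
import subprocess
import tarfile
import tempfile
from datetime import datetime
from pathlib import Path

# wp-content subdirectories that only hold regenerable data and can stay out of the archive.
EXCLUDED_WP_CONTENT = {"cache", "upgrade"}


def parse_wp_config(text):
    """Return the DB_* constants defined in wp-config.php as a dict."""
    pattern = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
    return dict(pattern.findall(text))


def _exclude(tarinfo):
    # Member names look like site/wp-content/cache/...; returning None drops the member
    # (and, for a directory, everything beneath it).
    parts = Path(tarinfo.name).parts
    if len(parts) >= 3 and parts[1] == "wp-content" and parts[2] in EXCLUDED_WP_CONTENT:
        return None
    return tarinfo


def backup_files(site_dir, dest_dir):
    """Write <dest_dir>/site-<timestamp>.tar.gz of the whole install and return its path."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S-%f")  # microseconds keep names unique
    archive = dest_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname="site", filter=_exclude)
    return archive


def dump_database(wp_config_path, out_path):
    """Dump the site's database with mysqldump, using the credentials from wp-config.php.
    Assumes mysqldump is on PATH and the DB host is reachable; not run by the demo."""
    cfg = parse_wp_config(Path(wp_config_path).read_text())
    cmd = ["mysqldump", "--single-transaction", f"--host={cfg.get('DB_HOST', 'localhost')}",
           f"--user={cfg['DB_USER']}", cfg["DB_NAME"]]
    env = dict(os.environ, MYSQL_PWD=cfg["DB_PASSWORD"])  # keeps the password out of `ps`
    with open(out_path, "wb") as fh:
        subprocess.run(cmd, env=env, stdout=fh, check=True)
    return Path(out_path)


def prune_backups(dest_dir, keep):
    """Delete all but the newest `keep` archives; timestamped names sort chronologically."""
    keep = max(1, keep)
    archives = sorted(Path(dest_dir).glob("site-*.tar.gz"))
    for stale in archives[:-keep]:
        stale.unlink()
    return archives[-keep:]


def run_demo():
    """Build a constructed mini WordPress tree in a temp dir, back it up three times,
    prune to two, and report what ended up in the archive."""
    root = Path(tempfile.mkdtemp())
    site = root / "htdocs"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-content" / "cache").mkdir()
    (site / "wp-config.php").write_text(                      # constructed config
        "<?php\ndefine('DB_NAME', 'wp_demo');\ndefine( 'DB_USER', \"wp_user\" );\n"
        "define('DB_PASSWORD', 's3cret');\ndefine('DB_HOST', 'localhost');\n")
    (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8constructed")
    (site / "wp-content" / "cache" / "page.html").write_text("cached output")
    dest = root / "backups"
    for _ in range(3):
        archive = backup_files(site, dest)
    with tarfile.open(str(archive)) as tar:
        members = tar.getnames()
    kept = prune_backups(dest, keep=2)
    return {
        "config": parse_wp_config((site / "wp-config.php").read_text()),
        "members": members,
        "kept": len(kept),
        "remaining": len(list(dest.glob("site-*.tar.gz"))),
    }


if __name__ == "__main__":
    print(run_demo())
```

The password is passed to mysqldump through the MYSQL_PWD environment variable rather than on the command line, so it does not appear in the process list while the dump runs; --single-transaction gives a consistent snapshot of InnoDB tables without locking the site.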
2. Download from Trusted Sources Only
Most WordPress compromises come in through vulnerable or tampered themes and plugins, not through WordPress core.
Download absolutely nothing from sources that smell of malicious activity. The typical offenders are websites offering premium themes and plugins for free: these "nulled" copies are a common vehicle for hidden backdoors, spam injection and malicious redirects. A few bucks saved now will come back to give you grief later.
Stick to trusted sources: the official WordPress.org theme and plugin directories, whose submissions are reviewed, and established commercial vendors and marketplaces like Envato (ThemeForest and CodeCanyon), iThemes, StudioPress and so on. Trusted does not mean flawless; code from these sources still has bugs and still needs updating, but it is far less likely to arrive pre-infected.
Tip: Apply the same caution before hiring a custom WordPress development services provider; custom code that nobody else has reviewed is only as safe as the people who wrote it.
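If you have already downloaded a theme or plugin from somewhere you are not sure about, a quick triage scan for the obfuscation patterns that backdoored copies typically carry is worth a minute before you activate it. The scanner below is an added example for this page, not a plugin's or WordPress's own code; the indicator names and the two-file "demo-plugin" written by run_demo() (one clean file, one with planted patterns) are constructed for the demonstration. A hit means "open this file and read it", not proof of malice.

```python
"""Added example: triage scan of a downloaded theme or plugin for obfuscation and
webshell patterns common in backdoored copies. Constructed for this page."""
import re
import tempfile
from pathlib import Path

# Indicator names are this example's own. eval() over a decoded blob is the classic
# hidden-backdoor shape; the others are shell execution fed straight from request
# input, suspiciously long base64 literals, and hex-escaped strings hiding function names.
INDICATORS = {
    "eval_of_decoded_blob": re.compile(
        r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "shell_from_request": re.compile(
        r"\b(?:system|exec|shell_exec|passthru)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
    "hex_escaped_string": re.compile(r"(?:\\x[0-9a-f]{2}){6,}", re.I),
}


def scan_source(source):
    """Names of the indicators present in one PHP source string, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(source)]


def scan_tree(root):
    """Map each flagged .php file (path relative to root) to its triggered indicators."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def run_demo():
    """Write a constructed two-file plugin into a temp dir and scan it: the main file is
    clean, includes/loader.php carries a hex-escaped string, an eval over base64 and a
    request-driven system() call."""
    plugin = Path(tempfile.mkdtemp()) / "demo-plugin"
    (plugin / "includes").mkdir(parents=True)
    (plugin / "demo-plugin.php").write_text(
        "<?php\n/* Plugin Name: Demo */\n"
        "function demo_greet() { return esc_html__('Hello', 'demo'); }\n")
    (plugin / "includes" / "loader.php").write_text(
        "<?php\n$k = \"\\x65\\x76\\x61\\x6c\\x28\\x29\";\n"   # hex-escaped "eval()"
        "eval(base64_decode('aGVsbG8gd29ybGQ='));\n"          # blob decodes to "hello world"
        "system($_GET['cmd']);\n")
    return scan_tree(plugin)


if __name__ == "__main__":
    for path, hits in run_demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Run it against the unzipped download directory with scan_tree("/path/to/plugin"). Some legitimate code base64-encodes icons or fonts, so the long-literal indicator in particular needs a human look; the eval-of-decoded-blob pattern almost never has an innocent explanation in a WordPress plugin.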
3. Strong Passwords and Admin username
It may sound harsh, but if you are too lazy to change the default username and can't be bothered to use a strong password, you are practically inviting attackers in.
Long, strong passwords are your first line of defense against ordinary brute-force and dictionary attacks. Every extra character multiplies the number of guesses an attacker has to make by the size of the alphabet, so the time to crack grows exponentially with length; length buys you more than any single extra symbol does. Use a random mix of upper- and lower-case letters, digits and punctuation, generated by a password manager rather than typed from memory, and never reuse it on another site.
Also get rid of the default username. Login bots try "admin" first, and a known username leaves the password as the only thing between them and your dashboard. WordPress does not let you rename an existing user from the dashboard, so replace the account instead.
Tip: Create a new account with an unguessable username, give it the administrator role, log in as that user, and delete the old "admin" account. When WordPress asks what to do with the old account's content, attribute it to the new user rather than deleting it. It's one of the simplest fixes there is.
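To make the "exponential" claim concrete, here is a small password generator and strength estimator, added as an example for this page and not WordPress's own password handling. It draws from the OS CSPRNG, counts entropy only over the character classes actually present (an attacker is assumed to know which classes you used), and converts that into an expected brute-force time at an assumed guess rate. The 60-bit policy threshold and the one-billion-guesses-per-second rate are assumptions chosen for illustration.

```python
"""Added example: CSPRNG password generation, entropy estimate and crack-time estimate.
Constructed for this page; thresholds and guess rates are illustrative assumptions."""
import math
import secrets
import string

# Character classes the generator draws from. Only classes actually present in a
# password count toward its entropy (the attacker is assumed to know which are used).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def generate_password(length=20):
    """Uniformly random password that contains at least one character of every class."""
    if length < len(CLASSES):
        raise ValueError("too short to cover every character class")
    while True:  # rejection sampling: resample until every class is represented
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(password):
    """log2 of the search space: length * log2(size of the alphabet in use)."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def expected_crack_seconds(password, guesses_per_second):
    """Expected time for an exhaustive search to hit the password: on average half
    the space has to be tried, hence entropy - 1 in the exponent."""
    return 2 ** (entropy_bits(password) - 1) / guesses_per_second


def is_acceptable(password, username, min_bits=60.0):
    """Policy check (assumed threshold): enough entropy, and not built around the login name."""
    if len(username) >= 3 and username.lower() in password.lower():
        return False
    return entropy_bits(password) >= min_bits


if __name__ == "__main__":
    rate = 1e9  # assumed: a billion guesses per second against a leaked hash
    for pw in ("abcdefgh", "Password1", "Admin2016!!", generate_password(20)):
        print(f"{pw!r:28} {entropy_bits(pw):6.1f} bits "
              f"{expected_crack_seconds(pw, rate):14.3g} s "
              f"ok={is_acceptable(pw, 'admin')}")
```

Each extra character on a 94-symbol alphabet adds about 6.6 bits, i.e. multiplies the expected cracking time by 94; going from 8 lower-case letters to 20 mixed characters moves the estimate from seconds to longer than the age of the universe at the same guess rate. Note that this estimates resistance to blind brute force only; a password that appears in a breach list is cracked instantly regardless of its entropy, which is why "random" and "never reused" both matter.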
4. Security Plugins
Oh, now we’re talking.
Security plugins are your website's anti-virus: they vet your site, scan its files for malicious code an attacker may have left behind, and block common attack traffic before it reaches WordPress. One is essential: Wordfence, largely free, with a web application firewall, malware scanner, login protection (rate limiting and lockouts) and two-factor authentication.
There are other options (Login Lockdown, iThemes Security, and so on), but Wordfence covers what they do on its own.
Tip: One well-maintained, feature-rich plugin covers more requirements with fewer moving parts and keeps your plugin count under control. Every plugin you install is more code that can carry vulnerabilities and more to keep updated, so fewer plugins is good for both security and performance.
5. Update Consistently
Good plugins and themes, and WordPress core itself, roll out updates regularly. Your job is to install them promptly.
You may have noticed that within weeks of every major release (the last one at the time of writing was 4.4 "Clifford"), minor releases follow (the last was 4.4.2). These minor releases are maintenance and security releases: they fix bugs and, often, publicly disclosed vulnerabilities, so once a minor release is out, attackers know exactly what the previous version is vulnerable to. WordPress applies minor core updates automatically by default (since 3.7); leave that switched on. Theme and plugin updates play the same role for their own code, and those you have to keep on top of yourself.
So update. Consistently.
Once you have a routine for maintenance and security in place, you can move on to more advanced hardening tactics.
It's a war out there. Do your part by keeping your wits about you, and stay safe.