A guide by Laura Hartwig
I’ve been a WordPress Developer since 2011 and find it important to keep my clients’ sites secure. It’s much easier to prevent your site from getting hacked than to try to recover your site after it’s been hacked.
Powers nearly 30% of all websites. This is good and bad.
➔ Server Space
Hackers want to store files on your server and connect it into a botnet.
➔ Because they can
Many hackers like to hack sites just to see if they can. It’s a thrill similar to hunting or leveling up on a computer
First Law of
➔ Nothing is unhackable
Level of Security
➔ Your level of security will depend on resources vs. value
The reality is that you are not going to spend a lot of time and money on a website that you don’t value. Adding security measures is a pain, like locking your doors, so you will need to decide what level of protection is worth it.
1. Choose a
➔ Latest PHP Version
➔ Use HTTPS
➔ SFTP (Not FTP)
➔ Private Server
At least don’t host multiple sites on
➔ Use a CDN
Like Cloudflare (free)
2. Keep Your Site
➔ Update Core, Plugins & Themes
Be wary of themes and plugins that haven’t been tested (especially free ones).
➔ Remove unused themes &
➔ Use services like ManageWP if you have a lot of sites.
But be wary of updates breaking your
➔ Don’t leave old files on your site
Especially not old sites
3. Use Strong
➔ Don’t use “admin”
➔ At least 14 characters
➔ That means everyone!
➔ Not everyone should be Admin
➔ What is the default user role?
➔ People who no longer work for
➔ Use Adminimize to control
➔ Use unique usernames
Remember that nicknames can
5. Use Security
➔ Change Login URL
Don’t use /wp-admin
➔ Limit Login Attempts
And watch the error notes that reveal whether it was a wrong username
➔ Two Factor Authentication
It’s a pain, but it works
Prevents brute force attacks
➔ Hosting Backups
Good hosts will do them automatically
➔ Backup Plugin
Updraft or Backup Buddy
➔ Schedule Backups
Backups are no good if not done. How often you need to backup depends on how often you update your site.
➔ Send them somewhere
Download to your computer or file
7. Get Notified
➔ Google Console
Will let you know if your site has been hacked. This is actually too late, but a good idea if you rarely check into your site. Once Google knows, your site will be blacklisted. This will hurt your visitors and your ranking.
➔ Use a Malware Scanner
Sucuri or WordFence
8. Your Own Security
➔ Strong password for your email
➔ Don’t email passwords
WordPress will automatically email passwords, or use a service like 1ty.me
➔ Don’t keep passwords on your computer or in your browser
➔ Use Virus protection on your
computer and update your
➔ Turn off your computer at night
9. If You Get
➔ Use your backup
But make sure it has not been
Fixing hacked sites is what they do and they can get your site up fairly quickly, but it will cost you.
➔ Read their blog if you are really interested in security
I hope you will make some changes right away to make your site more secure.