Beginner’s guide to WordPress security best practices

Updated 2/18/22. Originally published August 9, 2018

Are you leaving your doors unlocked?

WordPress powers more than 40% of all websites. It's used by both experts and beginners, and our preferred website tool at Surelutions. Unfortunately, many WordPress sites are not properly maintained. The combination of popularity and neglect makes outdated sites an easy target for hackers. All software is vulnerable when it's not kept updated, and WordPress is no exception.

Your car might not get stolen if you leave it unlocked with your keys on the seat, but you're making it super easy if someone does come along. Your website might not get hacked if it's not secure, but let's not take that risk.

The good news is, there are some basic steps you can take to keep your website much safer.

Note: This article includes our recommended best practices for a simple business or nonprofit website. If your website has advanced features, frequently updates, critical data, or more than 20 pages, we recommend signing up for a WordPress maintenance plan.

What are your biggest risk factors?

A WordPress website is most vulnerable when:

  1. Cheap hosting
  2. Weak passwords and usernames
  3. Outdated software
  4. Missing or useless backups

If you have any of these issues, your website is at risk.

But I don't have anything worth hacking!

It doesn't matter if you have a 5 page website and only 3 visitors per month (thanks, Mom!). It's not about you. Hackers cast a huge net and see what catches. Sometimes sites are hacked for fun, sometimes they're used as a gateway, sometimes they're injected with spammy keywords and garbage links.

Top four ways to keep your WordPress website safe and secure

WordPress security is a big topic that could fill a book. But even if you're not a web developer, you can make a big difference in the security of your website by starting with these key steps:

1. Choose a high quality web host who specializes in WordPress hosting

It's very difficult to keep your website protected if your web host isn't taking care of web server-level security and hardening. Believe me, we have tried. A cheap host may save you a few bucks per month, but if something goes wrong, you are on your own. If your website matters to you, invest the extra $15-20/mo. to have the security architecture and firewalls in place and the support of a sysadmin at the ready.

We have worked on hundreds of websites, and used countless web hosts and domain registrars over the years. See our recommendations here.

Once you have a good host in place, it's time to focus on the security and maintenance of your website itself.

2. Use strong usernames and passwords

You've heard it a million times, but here it is again. A secure password is THE most important step you can take to keep any account safe, including your website logins.

  • Have a strong password - Make sure your password is long and difficult to guess. Don't use your name, pet's name, company name, website name, dictionary words, or short passwords. Do use a combination of upper and lowercase letters, numbers and punctuation.
  • Delete the default 'admin' user - This is the default username for WordPress, and the one most frequently used for invalid login attempts. Don't use 'admin' or any variation of it. Add a new admin user, and delete the original.
  • Have an unpredictable username - Don't use your company name or website name for your login. These are frequently used by bots to try to login in to your website.
  • Don't give anyone admin privileges unless they really need it. 'Editor' is sufficient for making content updates.
  • Give every user their own username and login so you don't have to share passwords.
  • Use a unique password to log into WordPress. Do not use any password that you use for other sites, such as Facebook, Amazon, Best Buy, or others.
  • Use strong passwords and usernames for your web hosting, domain registrar, SFTP, and related accounts as well.  They should NOT be the same as your WP login.


  • Watch this short video on choosing a secure password:
  • Check how secure your passwords are:
  • See if your email has been involved in a data breach:
  • Use a tool like 1Password to manage your passwords. You can have very long and complex passwords without having to remember them or even type them in each time.

3. Update WordPress, themes, and plugins monthly (or more)

WordPress developers frequently release updates to their software to add features and patch security issues. When you keep your software updated, you're blocking hackers and bots that are attempting to take advantage of past security holes and vulnerabilities on old versions of the software.

  • Keep WordPress core files updated
  • Only install plugins and themes from reliable sources
  • Update plugins and themes monthly (or more)
  • Regularly review plugins and how they are being used. Remove those that are no longer needed.
  • BUT WAIT! Make sure you have a fully restorable backup before you make updates. Sometimes updates cause errors and the way to "undo" an update is to restore a backup.



4. Monitor your site regularly, and make sure you have  restorable backups

  • Visit your website frequently to check that everything looks as it should. If your site is broken or hacked, the sooner you find it the easier it is to fix.
  • Review your Google listings regularly - Compromised sites may have a warning message on Google results. Ideally you will find and fix any problems before Google identifies a problem.
  • Always have automated, reliable, restorable backups of your website. Don't assume your web hosting company is providing this service. We back  up our client sites daily, and keep 90 days worth of backups. For a personal website that does not change frequently, weekly backups should be fine.
  • Store your backups somewhere other than your website or web host. If your website goes down, or your web host has a server crash, you could also lose your backups. You can use a third party backup service, or store your backups elsewhere, like Dropbox or Google Drive. Whichever method you chose, be sure you know how to restore a backup.
  • Check your web host and see what backup options are included in  your plan. Enable those backups as well. Many budget hosting companies charge extra for backups, and also charge you to restore a backup. Premium hosting companies always include backups and tech support to restore.


More resources to explore

These best practices are just the tip of the iceberg. There are numerous other factors that influence website security. But like a car, a good start to keeping it safe is to lock the doors and bring the keys inside your house.

Here's some more information on WordPress security to explore:

Need help?

If you'd like help from our team for maintenance and support drop me a line. We offer monthly WordPress Care Plans to manage all these tasks and more.