WordPress is a brilliant website CMS (content management system) with bundles of functionality out of the box. WordPress is open-source so it is free to use and the code is available for everyone to use, read and modify. It can save thousands when compared to commissioning a bespoke website CMS.  There are many other benefits, including portability and the number of WordPress developers available worldwide.

However, WordPress does require ongoing security and maintenance. WordPress code and plugins are evolving and updating at a rapid pace. The updates are usually a mixture of new features and important security measures to keep your website free from hacks and malicious activity. Google can spot malicious content on your website and will remove the website from their search engines. A hacked website can also damage your reputation and can cause issues with your GDPR compliance. Open-source platforms may be more prone to hacks because more people (hackers) are familiar with the source code.

Our 8 security tips for WordPress

We recommend the following WordPress website security provisions:

  1. Use good quality hosting. The hosting needs to provide regular backups for your developer to use if required. The backups are really key as you will need to make sure that you are comfortable with the frequency that they are taken and the duration for which they remain available to you.  Hacks can sometimes stay dormant for a few months before they appear.  Cheap hosting providers will not always offer backups for you to access and instead might require you to manually backup your files and database.
  2. Regularly monitor your website for updates. WordPress can automatically update in some circumstances but generally there will be frequent notifications for WordPress and plugins urging you to update them.
  3. Monitor irregular log in attempts. As well as monitoring for updates, you should be monitoring potential malicious activity like failed logins, unusual website activity and file changes on the server.
  4. Set up a development/staging site. This allows you and your developer to test upgrades and updates in a safe environment and avoid testing directly on your live website. Updating a plugin takes hardly any time at all but there are never any guarantees that they will work. By using a staging server you eliminate risk to your live website and can thoroughly test all updates in advance.
  5. Prepare for conflicts and issues. “Easy” updates may fail. Perhaps there is a conflict with another plugin, a bespoke piece of code or perhaps the plugin is no longer supported and needs to be replaced. It is difficult to foresee what issues you may experience over a period of time. Generally there is a correlation between the website complexity and the resources required to address issues. Certainly over the period of a year, even the most basic website might require several hours of maintenance.
  6. Hide your admin. Keep your admin url private, usernames/passwords secure and limit access to both the back-end or hosting to the people who really need it.  Carry out regular audits of users and delete any that are not required.  Remember to also update passwords to both the website and the hosting regularly.
  7. Use a reputable firewall. It will add a level of security by automatically blocking malicious activity and users.
  8. Treat a hack quickly. Identify and remove hacks or malicious content as quickly as possible.  We offer a 24/7 WordPress website monitoring service which provides alerts as soon as something looks suspicious.  In addition to the automatic alerts we will manually check your website to make sure that nothing untoward has slipped through. Removing a hack can often be as simple as deleting a file but often could be more complex.  Generally the sooner they are detected, the easier they are to remove. Ideally you will want your developer to be able to monitor your website and have an arrangement with them to provide the removal service should it be required.

Keeping a WordPress website safe and secure is really a balance between having the correct hosting and backups, regular monitoring, updates and fixes, housekeeping and technical support for manual monitoring and code changes.

Get our news direct to your inbox

Subscribe to our mail list