Most of the websites we manage are built-in WordPress, which is the most popular Content Management System in the world. With the rise of cyberattacks over the last few years, we are frequently asked whether websites can be run securely and safely on WordPress.  

The short answer is yes. The long answer is more complicated. 

Since it has 65% market share, WordPress sites are obviously a big target for hackers.  But this scale also has its benefits. WordPress has a fantastic security team and a massive community of developers working to keep the platform safe and secure to use.

Ultimately, it is the archer, not the arrow.  WordPress sites can be extremely secure if you follow best practices and actively maintain WordPress core and the theme(s) and plugins your site uses. If you don’t perform this sort of preventative maintenance, your website will become an easy target for hackers.

This is the case with every Content Management System, however, not just WordPress.

Working from the assumption that you are already doing the basics right (performing security updates regularly, running your site on SSL, etc.), the following are five additional steps you should take to make your WordPress site secure.

(1) Use WordPress Plugins Selectively

One of the best things about WordPress is the thousands of plugins that are available to extend your website.  Unfortunately, this is also one of the worst things about the platform. 

If your site uses a ton of plugins, it will be more complicated to maintain.  And if you use plugins that aren’t reputable and updated frequently, you are potentially making your site a target.

When building a site in WordPress, we try to be selective about the plugins we install and use.  I would follow these simple rules:

• Don’t install plugins just because you can.  I would only install plugins that truly add value to your site.
• Remove/disable plugins you aren’t using.  We all occasionally install plugins as an experiment and end up not using them.  Take the time to clean up your plugin list.

Only install plugins that are actively maintained.  Before installing a plugin I would confirm that it has been updated at least in the last few months and has over 10,000 active installs.  Only use plugins that are trusted and reputable.

(2) Secure Your WordPress Admin Accounts

To state the obvious, if a hacker gets access to the administrative area of your WordPress site you are in trouble.  

There are some easy ways to keep your admin accounts secure:

• Don’t use “admin” as the username for your primary administrative account.  Use an obscure username.  We recommend setting up individual accounts for each admin instead of using shared usernames.
• Use a password that is at least eight characters long and includes a mix of letters, numbers, and special characters.
• Make sure to remove unneeded admin accounts when people leave your organization.
• Set up two-factor authentication for administrative accounts.  The WP 2FA plugin (which meets the requirements outlined above) can help you set this up.
• Bots know that the default WordPress login slug is wp-login.php and the default admin pages are in wp-admin. Changing those URLs with a plugin like WPS Hide Login will make bots’ lives harder to run their ‘hardcoded’ exploits. 

(3) Secure your WordPress site with a Web Application Firewall

A Web Application Firewall (WAF) helps protect your website by monitoring your site traffic for malicious intent. WAF’s will automatically block traffic that looks suspicious. WAFs are effective at helping block common attacks such as Distributed Denial of Service (DDoS), Cross-Site Scripting, Web Scraping, and SQL Injection.

Many host providers offer firewalls as part of their hosting packages. Third-party tools such as Cloudflare and Sucuri are also good options.

(4) Review your analytics for security issues

Monitor your site’s traffic analytics on a regular basis to make sure nothing weird is happening.  As an example, if you see a lot of traffic from a random country that might be a sign that someone is trying to exploit your site.  If you see a lot of traffic to a weird-looking page that might be a sign that someone has gotten into your administrative account.

Sometimes your site can be targeted without you knowing.  Reviewing your site traffic regularly for anomalies is a good way to monitor for problems.

(5) Choose a security-focused WordPress hosting provider

There a million host providers that offer WordPress hosting for dirt cheap prices.  I think it is worth spending more on a hosting platform that specializes in keeping WordPress sites safe and secure.  

The most advanced providers are container-based, use read-only file systems for code using source code repositories, provide automated backups, and provide Web Application Firewalls.  There are a lot of good options.  We have had good luck with Pantheon, WP Engine, and WordPress VIP.