Checklist to Make a WordPress Site Secure
This WordPress security checklist is aimed at non-technical users. By this I mean a small business owner or an individual running a WordPress website; it is not a technical checklist for a WordPress developer. There are a lot of things not on this list that should be, but without the technical knowledge, I don’t feel it is worth going into here. Hire a WordPress developer instead. :)
WordPress Security
WordPress security is not optional. If you don’t secure your WordPress website, you will most likely get hacked. The small investment of time (or cost, if you hire a WordPress developer to secure your website for you) will save you time, money and aggravation down the road.
- Use quality web hosting services.
- Keep WordPress core code updated.
- Keep plugin code up to date.
- Delete inactive plugins you are not using.
- Delete WordPress themes that are not active.
- If you are using the username "admin", stop. Create a new user with the role of Administrator and then delete the old one. (In this order: create the new user first, delete the admin user second.)
- Use a strong password. (Min 8 characters, upper and lower case letters, numbers and symbols.) (This advice applies to all passwords for anything, not just WordPress.)
- Change your password regularly. (This advice applies to all passwords for anything, not just WordPress.)
- Don't use your WordPress password for anything else. (This advice applies to all passwords for anything, not just WordPress.)
- Use HTTPS on your admin side to encrypt data submitted. (These days it's recommended to use HTTPS on the front end too.)
- Back up your code AND database regularly. Do not leave the backup on your web server. Download it or store it on a cloud service like Dropbox or Google Drive. I recommend UpdraftPlus for this.
- There are a lot of security plugins out there. I recommend iThemes Better Security because you can do almost everything from it and not have to install separate plugins for different security features. Warning though - misconfiguring this plugin will lock you out of your site. Hire a WordPress developer to set this up for you.
Keeping WordPress secure is not a one-time checklist to do and forget. All of these items need to be reviewed and updated regularly. Many people don’t take the time to keep WordPress secured and ignore it until the site crashes. I promote proactive, regular WordPress maintenance services vs. panic mode when your site crashes.