Securing a WordPress website is actually not difficult. Basically, it’s just normal housekeeping that makes your website more secure. There are some simple but very effective measures you can take to protect your website.
What you can easily do yourself
1. Updates, Updates, Updates
At the top of the list is keeping all plugins, themes, and even the WordPress core up to date. Regular updates close known security gaps that attackers specifically exploit. Updates therefore not only bring new features, but above all important security patches.
2. Sensible user capabilities
Not every user needs admin capabilities – usually, one administrator account is sufficient. All other users should only get the capabilities they need in order to do their job. This limits the damage if a user account is compromised. A hacked editor account is significantly less critical than administrator access.
3. Delete inactive plugins
Be sure to only use plugins and themes that are actively maintained. Sometimes the author loses interest or an extension is no longer updated for other reasons. Themes and extensions that are no longer maintained pose a major security risk and should be removed promptly.
The same applies to plugins and themes that are not actively used. You try out a plugin or theme, deactivate it again, and don’t delete it right away because you might use it after all. Keep an eye on this list too and delete everything that is not being used.
4. Only use trustworthy sources
Only obtain themes and plugins from official and trustworthy sources. Supposed bargains, where paid extensions are offered for free or at very low prices, usually contain malicious code. This puts your entire website at risk.
5. Secure Access
You should always use strong credentials, which means, above all, good passwords (see box). Never reuse passwords, even if it makes them easier to remember. Avoid the default username “admin”, as this is always the first one tried in brute force attacks. Each user should have their own account with a secure, unique password and only be granted the necessary rights.
For particularly sensitive access points—primarily administrator accounts—it makes sense to set up two-factor authentication (2FA).
On websites with many users, you no longer have direct control over the strength of passwords. In this case, it is worth installing a plugin that enforces strong passwords. Weak login credentials are the biggest security risk for any website.
A good password should…
- consist of at least 12 characters
- contain upper and lower case letters
- use numbers and special characters
- not contain real words
- not be used more than once
6. Don’t skimp on hosting
A good hosting provider protects its servers with a modern, secure infrastructure, creates regular backups, and provides expert support in case of problems. This is an important basis for the security of your website.
Hide login?
Very often, I read the following advice: you should hide the login page. This is not difficult to implement; the WP login is simply assigned a different URL. I don’t consider this measure to be very effective, because attackers can also find hidden login pages. It is better to focus on strong usernames and secure passwords.
And what about security plugins?
There are many offerings in the plugin directory under the keyword “security”. These plugins promise fast, comprehensive protection for all situations. They are available in free versions via WordPress.org or in premium versions for an annual license fee. They usually offer functions from the following areas:
- Firewall, i.e., login attempts are logged and, if necessary, the IP addresses from which the attempts originate are blocked.
- The malware scanner checks the installation for potential malicious code and compares the plugins with lists of known security vulnerabilities.
- Ways to secure user accounts and logins, e.g., by requiring strong passwords.
Many of these functions can also be handled by a good hosting provider. Depending on your hosting provider’s security standards, you may not even be allowed to install any security plugins. This is not a disadvantage, but a sign that the hosting company takes the issue seriously and takes care of it. You can often configure individual aspects in your customer menu.
The appeal of a security plugin is that it guides users through all of the above security aspects. The functions are brought together in a dashboard, where everything is clearly displayed and (ideally) well explained. However, if you want to use more than just the basic functions, you usually need the paid version. For those who have a more affordable hosting plan, a security plugin can increase the security of the website.
Instead of installing a large extension with many functions, you can also manage many aspects individually. For example, you can install a plugin that enforces strong passwords and, ideally, requires two-factor authentication for certain user groups. Or one that only allows a certain number of login attempts.
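As an added example (not code from this article), the two narrow measures just mentioned, strong-password enforcement and a cap on login attempts, written as a small must-use plugin on standard WordPress hooks. The rules follow the password box above; the limit of 5 failures per 15 minutes and the `wpsec_` names are assumptions, and the “no real words” and “not reused” rules are not checked here.

```php
<?php
// Plugin Name: Password policy and login throttle (added example).
// Place this file in wp-content/mu-plugins/ so it loads as a must-use plugin.

// Checks the rules from the password box: 12+ characters, mixed case, a digit, a special character.
// Returns the unmet rules; an empty array means the password passes.
function wpsec_password_problems( $password ) {
    $problems = array();
    if ( strlen( $password ) < 12 ) { $problems[] = 'at least 12 characters'; }
    if ( ! preg_match( '/[a-z]/', $password ) || ! preg_match( '/[A-Z]/', $password ) ) {
        $problems[] = 'upper and lower case letters';
    }
    if ( ! preg_match( '/[0-9]/', $password ) ) { $problems[] = 'a number'; }
    if ( ! preg_match( '/[^a-zA-Z0-9]/', $password ) ) { $problems[] = 'a special character'; }
    return $problems;
}

// Rejects a weak password when a profile is saved or a password is reset (both forms post "pass1").
function wpsec_validate_password( $errors ) {
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) { return; } // no password change in this request
    $problems = wpsec_password_problems( $password );
    if ( $problems ) {
        $errors->add( 'weak_password', 'The password must have ' . implode( ', ', $problems ) . '.' );
    }
}
add_action( 'user_profile_update_errors', 'wpsec_validate_password' );
add_action( 'validate_password_reset', 'wpsec_validate_password' );

// Login throttle: counts failures per client address (assumed limits: 5 failures, 15-minute lockout).
// Behind a reverse proxy REMOTE_ADDR is the proxy's address; adapt the key to your hosting setup.
function wpsec_client_key() {
    return 'wpsec_fail_' . md5( isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown' );
}
add_action( 'wp_login_failed', function () {
    $key = wpsec_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, 15 * MINUTE_IN_SECONDS );
} );
// Priority 30 runs after WordPress' own credential check (priority 20), so a locked-out client
// is refused even when it finally submits the right password.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( wpsec_client_key() ) >= 5 ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again in 15 minutes.' );
    }
    return $user;
}, 30 );
```

Every attempt during a lockout fires `wp_login_failed` again and renews the 15-minute window, and the counter lives in the transient store, so on multi-server hosting it needs a shared object cache to be effective.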
There are also other options for security scans: plugins and services offer this, either free of charge or for a fee. This often comes together with the backup function: a plugin that regularly creates backups and sends them to another server, if possible, can usually also initiate a security scan.
Conclusion on security plugins
Security plugins can help make the complex topic of security easier to understand. Some things may not seem absolutely necessary at first glance—I’m thinking, for example, of hiding the WordPress login. But when used correctly, these plugins can be helpful.
It is important to note that security plugins in particular require meticulous attention when it comes to updates. After all, these tools have extensive rights in the system and interfere deeply with a website. If a security vulnerability remains open here, the security plugin itself becomes a security risk.
The usefulness of a security plugin depends not least on the hosting. If your website is hosted by a provider that already offers sophisticated firewalls and malware protection, installing an additional extension does not add much value.
Security plugins can also lead to a false sense of security: if weak passwords are in use or there are many unmonitored admin accounts, the back door is wide open. Even a security plugin cannot prevent this.
