The 7-Step WordPress
Security Guide

Simple steps To Keep your website safe and secure

Is your WordPress website secure?

According to W3Techs, an astounding 43.0% of all websites currently on the internet use WordPress as their content management system (CMS).

While this means that WordPress is a great CSM for many businesses and organizations, it also means that hackers see focusing on sites running on WordPress as a worthwhile opportunity. Since it is by far the most popular CMS, it is also by far the most attacked.

These attacks come in several different forms:

  • Brute force attacks simply use an algorithm to keep trying to guess your login and password until it gets lucky

  • A Distributed Denial of Service (DDoS) attack doesn’t seek to gain access to your site but instead tries to prevent anyone else from doing so by bombarding it with tons of requests until it all comes crashing down

  • Redirect hacks are when an infected site redirects the traffic from legitimate pages to go wherever the hackers want to send your visitors

  • Malware and other malicious code is often added to sites without the owner knowing after an outdated plugin or other element of your site is exploited

There are other ways that hackers try to get into your website, but the key takeaway here is that you must take website security seriously to avoid becoming a victim.

But don’t worry, Onsharp is on a mission to make the internet a safer place, one website at a time. We’ve put together a list of simple steps you can take to keep your website secure.

Let’s get started.

Scan Your Website

Our free Triple Threat Scanner will grade
your site's speed, SEO, and security

Tip #1

Keep Your Website Up-to-Date

Outdated themes and plugins expose your site to hackers

Just because the front door is locked doesn’t mean that someone won’t try to sneak in through the window. When it comes to your website, having out of date themes, plugins, or other elements can leave holes in your defenses.

Theme and plugin updates often come out because a vulnerability was discovered and addressed. If you do not take the time to keep things up to date then you’re putting your website at unnecessary risk.

Remember to regularly check for the latest updates and apply them so that you don’t leave a back door wide open.

Bonus Tip

 Be sure to deactivate and remove unused plugins and themes regularly!

Tip #2

Change Login Page Defaults

Good security happens on purpose, not by default

When you create a new WordPress site, the default login page is typically yoursitename.com/admin and your default user name is usually Admin as well.

Not good.

If hackers know your login page and your username they are well on their way to gaining access to your website, so you will want to change both of these ASAP.

Updating your login page URL is easily accomplished using a plugin. Our recommendation is to utilize a WordPress security plugin that will allow you to do this (more on security plugins below), but you can also accomplish this with a purpose-built plugin like WPS Hide Login.

Once you’ve got your preferred plugin installed simply make the URL change and your website’s login page will be more difficult for hackers to find and therefore more difficult for them to break into.

Also, never leave your username as the default of Admin. Most hacking attempts aren’t done by a human person at a keyboard but by an algorithm trying out different combinations. By making sure you aren’t using Admin as your username you are decreasing the odds that they can guess the right username and password combination.

Bonus Tip

Regularly review the users that have access to your site and remove any who no longer need it.

Tip #3

Use Strong Passwords

The stronger the password the harder it is to crack

If you rely on a cheap lock to protect your valuables you can’t be too surprised when a criminal is able to get past it to take your stuff.

A strong password is the equivalent of upgrading from a cheap combination lock to a more robust option that is far more difficult for bad guys to get around.

So what exactly counts as a strong password? We recommend a creating a password that meets the following criteria:

  • At least 12 characters in length
  • A mixture of upper case, lower case, and numbers
  • Use at least one special character


There are a number of strong password generators out there you can use to come up with something if you’re stumped. Check out strongpasswordgenerator.org

Bonus Tip

It’s always a good idea to update your passwords from time to time. We recommend that you do so at least annually.

Tip #4

Implement Multi-Factor Authentication (MFA)

Add an additional layer of security to your login page

Once you’ve created a strong password, we recommend implementing Multi-Factor Authentication (MFA).

It doesn’t matter how high-tech your home’s security system is if you don’t lock the front door.

But don’t just lock it, double lock it!

Your backend login page is the main doorway to your website, and so it’s important you’re making sure uninvited guests cannot get in. So what’s the best way to do that? Make sure you always implement MFA.

MFA is a form of user authentication that requires multiple credentials to verify identity. Rather than simply asking you for your username and password, which can easily be compromised or guessed by hackers, MFA requires a second form of authentication.

For example, a security code could be sent to a mobile device to verify your identity or you could use an app like Google Authenticator to access a rotating code that must be imputed alongside your username and password. This means that hackers would need your username, password, and your code (which means they likely would need your phone).

Tip #5

Encrypt Your Website with an SSL certificate

Let your visitors know that your site is secure

Your website simply must have an SSL certificate. You can easily check to see if you already have one by looking at your URL.

The first part should read https:// and show a padlock symbol. If you have this, it means your SSL certificate is updated and is keeping your site secure.

In short, having an SSL certificate in place changes your website from using the HTTP protocol to using the more secure HTTPS protocol. This encrypts your data so your information is safe from prying eyes.

If you do not have an SSL certificate, your host should be able to implement SSL on your site fairly easily and quickly. This is an important step you should take to ensure your website is safe and secure.

Bonus Tip

These days you shouldn’t have to pay anything for an SSL – Make sure you choose a host that provides this as part of your package (more on hosting below)

Tip #6

Use a Security Plugin

An efficient way to harden your site’s security

There are a number of highly-recommended plugins that provide additional layers of security for your WordPress site. Here are three worth looking into:


Each of these plugins provide you with easy-to-implement options for hardening your site’s security and keeping the bad guys at bay.

Many of these plugins will tackle a number of the tips on this page, such as allowing you to change your login URL, detecting if any users are using the default Admin username, stopping brute force login attempts by locking out users after several failed attempts, and much more.

A reliable security plugin really should be one of the first (if not the first) plugins that you install on your WordPress site.

Bonus Tip

These plugins contain a lot of options and can be a bit intimidating. If you are on managed hosting for your website they should be able to get things set up correctly for you.

Tip #7

Choose The Right Hosting Provider

Don’t forget this critical step

All of the above steps can go right out the window if you choose a poor host. Having a secure hosting provider for your website is one of the most important aspects of keeping your site safe.

When evaluating which host to go with, don’t make the mistake of choosing only on price – as if all hosts were the same. Also, don’t get lulled to sleep by all of the techno-jargon that is listed on comparison tables.

Instead, make sure that your website host provides the following:

  • No limit on site traffic. Getting a huge boost in traffic should be a good thing, not a headache. You don’t want your website to go down just because you get a great referral from a big site or because a marketing tactic proves to be a viral success.
  • DDoS protection. As mentioned above, denial of service attacks attempt to flood your website with requests in order to make it crash. You need a host with infrastructure that is smart enough to allow spikes of legitimate traffic and shut down bad actors trying to take you down.
  • Excellent Support. No matter how careful you are, things happen. Be sure your host provides great support. At Onsharp, we don’t outsource any support to a third-party. Any call, email, or support ticket you submit is handled by our team in Fargo, ND.
  • Free SSL Certificate. You want a host that is going to provide encryption for your site and handle all of the management and renewals that go with it.
  • A CDN (Content Delivery Network). A CDN is a network of servers distributed across the globe that deliver content from your website faster by using the server nearest your visitor. You want to go with a hosting provider that uses a CDN and is able to configure it properly for optimal performance.
  • Vulnerability Scanning. Just because you lock your doors doesn’t mean you can let your guard down. Regular vulnerability scans alert you to any issues that leave you exposed to attacks so that you can take action.
  • Malware Scanning & Reputation Monitoring. Your host should scan your site regularly to make sure there is no malware present and check your domain against blacklists to ensure your online reputation stays solid.
  • Regular Backups. Again, things happen. Choose a host that backs up your site at least nightly and retains the backups for 30 days. If anything goes wrong due to a hacker, human error, or a technical issue you can easily recover all your hard work.
  • A Firewall – A firewall is a means of protecting the server from incoming network connections that may compromise security and harm your site. Be sure your host includes a firewall to keep the bad guys out.
  • 24/7 Uptime Monitoring. You don’t want to be the last to know that your website was down. Ensure that your host does 24/7 uptime monitoring and is ready to take action if something goes wrong.

As you may have guessed, Onsharp’s hosting package Website Essentials does all this and more. Learn more about Website Essentials and see how it can both secure and supercharge your website.

Conclusion

On average 30,000 websites are hacked each day. There is no reason for yours to be one of them.

If you take the above steps you will have dramatically improved your site’s security and protected your investment of time, money, and effort as well as your brand’s online reputation.

At Onsharp, we are committed to ensuring that our client’s websites are safe and secure. Whether you’re looking for a premium hosting solution or are in need of a brand new website, we’re here to help.

SCAN YOUR WEBSITE NOW

Run your site through our Triple Threat Website Scanner and grade your speed, SEO, and security.