
Simple Security Tips for WordPress to Increase Safety


WordPress is one of the most popular choices for web design, and for good reason – it’s both beginner friendly and significantly more powerful than the competition. But this also means that nefarious folks are constantly on the lookout for weaknesses, and the last thing you’ll want is to see your site compromised or hacked. That’s why these 5 simple security tips for WordPress are a great place to start for your new website.

Ensuring your site’s security should be a top priority – both during its development and afterwards. And this guide is intended to give you a solid start so that at the very least your site is not easy pickings.

Fortunately, WordPress makes the job of securing your site relatively easy. There are a number of simple steps you can take, along with a myriad of reliable plugins you can use that provide more advanced security features. Overall, shoring up your site will require surprisingly little effort, and you’ll likely reap the benefits in the long run.

To get you started, we’re going to explain five simple security tips to tighten up your WordPress site security. Some of these may seem familiar, as we’ve covered them in previous beginner’s guides, but let’s review the basics!

1. Back Up Your Site Regularly

The UpdraftPlus plugin.

It’s important to start by acknowledging that no matter what you do to protect your site, there’s always a chance something could go wrong. In short, no security measure can provide 100% protection, so it’s vital to keep your site backed up. That way if disaster strikes you have a way to recover.

It’s also highly recommended to back up your site regularly as well as before making any major changes, which is why we’re addressing this tip first. Most of the other security suggestions below involve installing plugins and modifying user information, so you’ll want to create a backup before implementing any of them. Same if you choose to update or install a new theme – having a backup on hand is especially helpful if something doesn’t go quite as planned.

To get started, check with your hosting provider, as they may already create backups for you. Most good WordPress hosts have daily backups, which is great! We personally use WP Engine to host WPExplorer, which offers daily backups with options to back up on demand, download copies and quickly restore your site with a click.

If this is not a part of your hosting – or for an extra layer of safety – consider installing a backup plugin. We recommend the free UpdraftPlus plugin for its ease of use and reliability. UpdraftPlus makes it easy to set up scheduled backups and automatically save them to your preferred online storage provider (such as Dropbox or Google Drive).

Whatever solution you choose, put your site backups on a regular schedule and store them somewhere secure.

2. Keep WordPress Core, Themes, and Plugins Updated

As with backups, updating your site regularly is a must. WordPress is a prime target for hackers given its popularity, and new security threats appear often. Fortunately, WordPress takes these threats very seriously by releasing and automatically installing frequent security updates.

Selecting WordPress as your platform of choice means you’re already starting off on the right foot. However, it’s still important to make sure that every part of your site is up to date.

Any time there is an available update to WordPress core, free themes and plugins from WordPress.org, as well as any premium third party themes and plugins with auto-updates, you will see a notice in your admin dashboard. Or really, notices. There will be an update icon with a counter in the admin bar at the top of the dashboard, an update notice in the main sidebar menu (for themes and plugins) and an update notice on each respective submenu area for themes and plugins. There are a lot of notices to make you fully aware that it is time to update.

WordPress Updates

Fortunately, performing these updates is a simple process. We recommend backing up your site first; then you can navigate to Dashboard > Updates to install any core, theme or plugin updates your site has available. Some premium third party themes and plugins may offer updates through their own separate system though, so do double check your site add-ons periodically to be sure your site is fully up to date.

3. Select a Strong Username and Password

The WordPress password generator.

When creating a username and password to log into an important service, you’ll want to select hard-to-guess credentials. The same principle holds true for your WordPress website. If a person (or bot) is able to access your account, they’ll have free rein with regard to your site and its data.

It’s also tempting to stick with the default admin username, but we strongly recommend against it. After all, it’s the first thing hackers will guess if they want to crack your password. Instead, go with a unique username.

As for your password, the easiest solution is to use WordPress’ built-in strong password generator. It will provide you with something both random and secure (just be sure to write it down or preferably save it in your password manager of choice).

If you haven’t created your WordPress site yet, you can simply implement these suggestions when you perform the install (which we recommend in our WordPress Installation Guide). However, if you already have a site and are regretting the credentials you chose, don’t worry. You can reset your password and change your username at any time.

4. Limit Third-Party Access to Your Website

The WordPress user roles screen.

There’s an information security concept called the ‘principle of least privilege’, which states that you should never give a user or program more access than is necessary. This is a basic but crucial consideration, because it’s the best way to limit the potential for security breaches and misuse of information.

We previously talked about WordPress user roles as well as how they can be used to manage what different types of users have access to. Limiting access is vital when you have many different users accessing your site. However, it plays a role even if you’re the only one running the show, since it applies to plugin access as well. Fortunately, there are some simple measures you can take to limit third-party access:

  • Only give users the permissions they need. For example, don’t provide administrator access for someone who only needs to write posts.
  • Similarly, only give plugins and themes access to your site when you really need them, and be sure they’re reliable and secure.
  • Remove user access for those who no longer need it, and delete themes and plugins when you’ve stopped using them.
  • Configure your folder and file permissions carefully.

Plugins and themes are immensely helpful tools, and it can be great to have a team helping you with your site. Just make sure that you ultimately control who is able to access and use your site and its data.
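
One way to check the last point in the list above, as an added example that is not part of the original article: a shell function that flags permissions looser than a commonly used baseline (directories 755, files 644, no access for other users on wp-config.php). The baseline, the function names and the demo tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Assumed baseline (not stated in the article):
# directories 755, files 644, wp-config.php with no access for "other".

audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "ERROR not a directory: $root" >&2; return 2; }
    findings=$(
        # World-writable entries: any local account or compromised service can alter them.
        find "$root" \( -type f -o -type d \) -perm -0002 -print | sed 's/^/WORLD_WRITABLE /'
        # Regular files with an execute bit: PHP sources and uploads do not need it.
        find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) -print |
            sed 's/^/EXECUTABLE_FILE /'
        # wp-config.php holds the database credentials: flag any permission bit for "other".
        find "$root" -maxdepth 1 -type f -name wp-config.php \
            \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print | sed 's/^/CONFIG_EXPOSED /'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree with three deliberate problems (not a real site).
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    : > "$d/index.php";                    chmod 644 "$d/index.php"
    : > "$d/wp-config.php";                chmod 644 "$d/wp-config.php"   # readable by everyone
    : > "$d/wp-content/uploads/photo.jpg"; chmod 755 "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"                                      # world-writable
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
audit_wp_perms "$demo" || true   # prints one line per finding
rm -rf "$demo"
```

The function returns 0 when nothing is flagged and 1 when it prints findings, so it can gate a deploy script or a scheduled check. Hosts differ on the exact modes they expect, so adjust the baseline to your provider's guidance.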

5. Install a Comprehensive Security Plugin

Wordfence Security Firewall & Malware Scan WordPress Plugin

We’ve already mentioned a couple of plugins that perform specific security-related tasks. However, there are other comprehensive options available that will provide most of your site’s security needs. They can be real time-savers, and if you choose one that’s well-supported it will be regularly updated to handle new threats and concerns.

Of course, when you’re looking for a security plugin it’s crucial to choose one that’s reliable and trustworthy. Look for one with excellent user ratings and positive reviews, check out how frequently it’s updated, and consider how much support the developer provides.

You can find plenty of security plugins by searching through the WordPress plugin directory. If you’re not sure which to go with, however, we recommend the free Wordfence Security plugin. It’s arguably the most popular WordPress security plugin, offering basic security options, a firewall, and other blocking features. It also enables two-factor authentication, as well as regular scanning and monitoring of your site, data, and traffic. For a free option it does a LOT.

If Wordfence doesn’t have everything you’re looking for, you can also go with alternatives such as Solid Security, which also creates regular backups, or the reputable Sucuri Security, which monitors and logs everything that happens on your site. Whichever plugin you choose, make sure to visit the plugin’s online documentation to be sure you set up all the included features properly.


Shoring up your security isn’t the most exciting part of creating a WordPress website, but it is an important part. The more thought and effort you put into your site’s security, the less likely you are to encounter a disaster. Taking a few basic steps now to protect your site will provide well-deserved peace of mind later on.

Do you have any questions about how to keep your WordPress site safe? Let us know in the comments section below!

Disclaimer: WPExplorer may be an affiliate for one or more products listed in the article. If you click a link and complete a purchase we could make a commission.
Article by Kyla WPExplorer.com staff
3 Comments
  1. katerina svetlaya · 8 years ago

    excellent article!

  2. Arfan Hossain · 7 years ago

    Really great collection. I would like to back up my site automatically from the WP dashboard but not from cPanel. So can you please tell me the easiest way to do it?

    • AJ Clarke · 7 years ago

      I only recommend VaultPress for updates. It’s seamless and anytime you make any change to your site it makes a backup point. Unlike many plugins it won’t slow down your site or bloat up your server. All the backups are stored safely on the WordPress.com servers and you can restore your site if ever needed with a single button click.
