WordPress Security in Two Minutes (Give or Take)

WordPress SecurityDo you worry about your WordPress security? Do you wonder if hackers, spammers, or other ne’er-do-wells are able to hack into your website and do damage? Get up-to-date information on securing your WordPress website in the article below and put your mind to rest.

I’ve heard–mostly from non-WordPress developers, that WordPress is prone to hacks and malicious scripts and attacks. This isn’t true. The fact is that WordPress is by far the most popular CMS (content management system) on the planet for good reason, and powers anywhere from 20% to 25% of the world’s known websites.

Because there are so many WordPress sites out there, there are naturally going to be more WordPress sites that get hacked. The sheer number of them make them an inviting target. However, a few logical steps will keep your WordPress website safe.

Last week during staff our lead developer, Andy Woznica, shared with us how we can keep our WordPress sites–and those of our clients–safe and secure in a world of hackers, spammers, and ransomware. It was so good I asked him if I could share it with all of you.

He consented.

I’ve kept his original document mostly intact. Feel free to read it with an English accent, as Andy’s from London.


Don’t Panic.

[Cheap Douglas Adams reference to win over the crowd -ed.]

For most WordPress websites, to avoid spam, black-hat SEO, or server resources takeover, a strong password, an updated WordPress Core with secure plugins and themes, and a secure server are adequate to keep a site secure and such an installation should rarely raise any concerns. Always keep backups of the database, uploads and theme. WordPress itself is seldom the weakest link in the chain – badly-written plugins and themes are.

WordPress security strategies you can implement:

  1. Passwords. No brainer.     Passw0rd2017! = BAD     ]~a5RMY9NM)qa+0~ = GOOD
  2. Update, Update, Update. Yes that’s right, Update. 2005 is not a WordPress “Vintage Year.”
  3. Limit plugin use as much as possible. More plugins = more code = a bigger target for hackers and bots.
  4. Use a theme that does what is required but avoid themes that contain bloated scripts and features that are never going to be used. Mo’ Code, Mo’ Trouble.
  5. Limit user accounts if possible. People, and their ability to create weak passwords and fall for phishing attacks, are often the weak links.

WordPress security strategies your web developer should bring up:

  1. Discuss a backup strategy. [At flyte, we have a Website Care Plan that includes 90 days of backups…about 89 days more than the typical hosting company gives you. If you'd like to know if it's right for you, just ask.]
  2. Discuss an update strategy. Who is going to be responsible for updating the WordPress core as well as the plugins?
  3. Make the client aware that this is also their responsibility, especially in a shared hosting environment. One weak website can put all the websites on a shared server at risk.
  4. Help the client vet themes and plugins or suggest tried and tested options/alternatives.
  5. Discuss the benefits of having an SSL certificate. This ENCRYPTS data sent to and from the website to the browser making it difficult to use if intercepted. This will also allow Secure FTP for development work.
  6. Use WordPress Security Keys. Security keys are a set of random variables that improve encryption of information stored in the user’s cookies. If a site has been compromised or if a bot finds out your salt and authentication keys it’s easier for them to get into the site. Change these periodically. Like the keys to your house … kinda.
  7. Use a security plugin. At flyte we use All In One WordPress Security. Here’s a list of some of the top WordPress security plugins.
  8. Check file permissions. This isn’t a hippie commune. We can’t be setting the file permissions to 777.


The security of your WordPress site is up to you and your developer. The integrity of your site can’t be left to a “set it and forget it” mindset.

By following the recommendations above and by working hand in hand with an experience WordPress developer your site won’t be an attractive target to a would-be hacker.

Do you have any tips or tactics for keeping your WordPress website safe? Let us know in the comments below!

Author: Andy Woznica
Editor: Rich Brooks