IT'S TIME TO RETHINK THE WEBSITE RELAUNCH Learn to iterate on your digital experience Get the Ebook

How to Keep Your WordPress Site Secure

Things happen, it’s a fact of life. But when they do, you need to be prepared. When it comes to your WordPress site, being prepared usually means having a backup. Sometimes though, it can mean prep work to stop things from happening.

In this post we will take a quick look at several things you can do to keep your website secure.

Learn how to achieve secure WordPress hosting with Pantheon.

Stay Current  

According to, 65% of WordPress sites are not using 4.0. That statistic is astounding. Not only because of the great leaps forward in the most recent versions of WordPress, but also because of the security implications. It’s an unnecessary risk that many site owners willingly run an application with known security issues.

WordPress now makes it easier than ever to keep up to date. Starting in the 4.0 branch, WordPress will take care of minor updates itself and only ask you to initiate the major ones.

If you are not running the latest version of WordPress, upgrade today. You get the benefit of all the new features as well as all the security patches. Don’t leave the site vulnerable to hacks—get current, stay current.

Get Plugins From Trusted Sources

The right mix of plugins is one of the things that can set your site apart from the rest. As of now, there are 34,893 plugins in the WordPress plugin repository. This isn’t the entire world of plugins, but it’s a good start. The problem is that unless you are a developer—and take the time to do a complete audit of the code—you have no idea exactly what the plugin is doing.

Thankfully, has an entire team of volunteers that now review every plugin before it is added to the repo. Of course, there are many other good commercial plugins in the ecosystem that do not qualify, but make sure you know and trust the source if you choose one. Otherwise you risk downtime, lost data, and maybe the loss of your customers’ trust.

When you download a plugin, check it out carefully before putting it into production. Whether you’re setting up your own staging environment or using a platform that has it built in, you should have a dev environment that’s identical to test and live, with no risk of pushing shoddy code into production.

Change the Admin Login Username

To log into your site, you need two pieces of information: a login and a password. If your login is “admin” then a potential hacker already has half of what they need to compromise your site. By changing your login from admin to anything else, you have automatically made it more difficult to compromise your site.

Because the login name is only half of the equation, make sure you choose a complex password and change it often, or use a secure password manager like LastPass or Roboform.

Use Two Factor Authentication

This one is a bit more complex, but still can be accomplished with no programming. Install a Two Factor Authentication (2FA) plugin like Google Authenticator and require 2FA on all your logins.

2FA only requires the ability to receive texts. To implement, you simply:

  1. Install, activate, and configure the plugin

  2. Authorize a device for each account

  3. Log in

When you log in, you will either use the app on your phone or tell the plugin to send you a  text message with a code. You enter that code, along with your username and password to log into the site. High-security system have been using 2FA for many years. Now, any WordPress website can benefit from the added security without having to get a developer involved.

Make Regular Backups

If you are not doing regular backups, stop thinking about implementing anything else and setup a backup program first. Nothing else you do will matter if you don’t have good backups.

Good backups are those that meet the following criteria:

  1. They are created automatically on a regular basis

  2. They include all custom code and your entire database

  3. They are stored offsite

  4. You have a tested recovery procedure

There are plenty of reputable WordPress backup plugins, if you are not on Pantheon (we do backup/restore at the platform level). Pick one and get started on automating your backups now.

Host and Manage Your Site on a Reliable Platform

Everything mentioned above can be done by you, manually, or automated with the technology you choose to support your WordPress site. Cheap monthly hosting offers infrastructure only—setting up dev environments, testing plugins, and staying updated is all up to you, and there’s a good chance you’ll be left vulnerable in the case of a large-scale security breach. If you’re looking for more support and a high level of security, you can spend a bit more (not a lot) monthly and not have to worry about setting all of this up on your own.

If you’re looking for more support in keeping your WordPress site secure, check out Pantheon for WordPress.

Topics Education, Security, WordPress

Let’s get in touch