6 Simple Ways to Protect your WordPress Site

13 January 2015

WordPress is the most popular and widely-used content management system in the world, powering nearly a quarter of the internet. At Exygy, we’re big fans of the WordPress platform, but we also understand that it can be scary when there are news reports about multiple data breaches and successful hacking attempts. With even high-budget, major corporate websites clearly so vulnerable, how can you be sure that your own WordPress site is protected from unwanted access? We’ve compiled a few tips to help you make good decisions when it comes to protecting your website – follow these steps and you’ll be well on your way to a more secure WordPress experience.

1. Choose your developer wisely.

Pretty much anyone can put a WordPress site together for you, and you can even create a basic installation yourself, but it’s worth asking whether the person or team who assembled your site is well-versed in WordPress security.

An experienced developer or agency will already be familiar with any new discoveries of security holes, and will know the best ways to close up those vulnerabilities and keep your site safe. Given that your whole site depends on it, this is one area where you don’t want to skimp.

2. Choose your hosting provider wisely.

When choosing a service to host your WordPress-driven site, it can be tempting only to look at cost, just to keep things simple. It’s important to remember, though, that price isn’t the only difference between hosting providers, and paying a little more for a provider with strong security is certainly worth it.

Research is essential – take the time now to find a hosting company with a good reputation, so that you don’t pay for it later with an unfortunate incident that could have been avoided. We like to use WP Engine, because they’re clear about their security environment, and are diligent about implementing the latest and strongest protocols.

3. Update, update, update.

WordPress is continually striving to update its core software in order to give users the best possible experience. Updates often address potential or developing security vulnerabilities, but of course you can’t take advantage of the strengthened security if you’re not installing the updates.

Many hosting services now have automatic updaters that will keep your WordPress installation current without any intervention on your part, but you’ll still need to update any plugins and third-party themes manually. Having out-of-date installations can make things easier for would-be attackers, so don’t give them that gift.

4. Strengthen your login information.

It’s shocking how even after all the warnings online about choosing a secure password, a lot of users still go with something easy to remember, like their pet’s name, a string of sequential numbers (“123456,” for example), or even the word “password.”

Even more complex passwords that you think no one will guess will be no match for a hacker using basic tools. There’s a lot of good advice out there on how to choose a strong password; in addition, you’ll want to avoid using the old default username “admin” on your account.

5. Choose third-party add-ons by reputation.

One of the wonderful things about WordPress is how versatile it can be with the addition of third-party plugins and themes. However, it’s important to remember that your site is only as secure as its weakest add-on, so don’t just start installing things that look cool without doing some research first.

It’s pretty easy to do a few Google searches to find out whether a plugin you’re considering has a decent reputation and is updated frequently, and doing so can help keep you from inadvertently installing something that could end up weakening your site’s security.

If you’re unsure of how best to proceed in choosing plugins and add-ons, here’s a guide we wrote on evaluating which are worth your time and effort.

6. Keep your virtual house clean.

As time goes on and your website evolves, you’ll probably find that you start using some new plugins or themes, and perhaps abandon some older ones that no longer serve you.

If your plugins or themes directory is full of idle third-party add-ons that you know you’ll never use again, it’s time to remove the clutter and get rid of what you don’t need. Delete rather than disable – the very presence of outdated plugins can make your site more vulnerable to a breach, and furthermore, cluttered directories can make things more difficult for your security team in the event of a compromised site.
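One way to find the add-ons that are installed but no longer active, as an added example that is not part of the original article: it compares the plugin files on disk with the value of the `active_plugins` option stored in the `wp_options` table. It assumes a single-site install and a copy of that option value; the sample directory, the "Old Slider" plugin and the option value are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Header line WordPress looks for in a plugin's main file.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:[ \t]*(.+)$", re.M | re.I)
PHP_STR = re.compile(rb's:(\d+):"')

def parse_active_plugins(serialized: bytes) -> set:
    """Values of a PHP-serialized list, e.g. a:1:{i:0;s:9:"hello.php";}.
    The declared lengths are byte counts, so work on bytes."""
    active, pos = set(), 0
    while (m := PHP_STR.search(serialized, pos)):
        end = m.end() + int(m.group(1))
        if serialized[end:end + 2] != b'";':
            raise ValueError("malformed serialized string")
        active.add(serialized[m.end():end].decode("utf-8"))
        pos = end + 2
    return active

def installed_plugins(plugins_dir: Path) -> dict:
    """Plugin path relative to plugins_dir -> declared name. Scans the root
    and one level of subdirectories; files without a header are skipped."""
    found = {}
    for php in [*plugins_dir.glob("*.php"), *plugins_dir.glob("*/*.php")]:
        m = HEADER.search(php.read_bytes()[:8192])
        if m:
            rel = php.relative_to(plugins_dir).as_posix()
            found[rel] = m.group(1).decode("utf-8", "replace").strip()
    return found

def inactive_plugins(plugins_dir: Path, serialized: bytes) -> list:
    """Installed but not active: the candidates to delete, not just disable."""
    active = parse_active_plugins(serialized)
    return sorted(p for p in installed_plugins(plugins_dir) if p not in active)

def make_sample(root: Path) -> bytes:
    """Constructed sample: three plugins on disk, only one of them active."""
    files = {"akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet\n*/\n",
             "akismet/class.akismet.php": "<?php\n// helper, no header\n",
             "hello.php": "<?php\n/*\n * Plugin Name: Hello Dolly\n */\n",
             "old-slider/old-slider.php": "<?php\n// Plugin Name: Old Slider\n"}
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    return b'a:1:{i:0;s:19:"akismet/akismet.php";}'

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        option = make_sample(Path(tmp))
        for path in inactive_plugins(Path(tmp), option):
            print("inactive, consider deleting:", path)
```

Run against a real site, `plugins_dir` would be the site's `wp-content/plugins` directory; the script only reports and never deletes anything itself.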