5 Easy WordPress Security Tips - Heart Internet Blog

As part of our ongoing improvements to the system, we are removing the reCAPTCHA v1 service from our WordPress installations.

This was set up in 2013 and the security world has moved on from simple “Are you a human?” responses. As WordPress has become more popular, it’s more likely that hackers will write scripts specifically to attack WordPress sites.

If you’re wondering how secure your WordPress site will be, don’t worry – there are very simple things you can do to make sure everything runs smoothly.

Keep WordPress up to date

Person walking up a staircase

This is the most obvious one, and, yet, it’s the one everyone forgets to do. Even on my own sites, I forget to keep them updated, and if I have a site I don’t have to check regularly (like, for example, my blog on the local coot population), I’ll often be several versions behind.

But now’s your chance. Stop reading this and go update your site.

Right now.

Update your plug-ins too.

That was easy, wasn’t it?

Make sure your passwords are strong

Bottom of a MasterLock key lock

This is another obvious one, but it’s also the one everyone falls down on. And it’s not just a matter of adding in all the special characters and numbers – it’s about having a unique password for each site. Stop using the same email address/password combination for Netflix/Steam/WordPress/Google/DropBox/that tiny little forum you still hang out at.

Check Have I Been Pwned and if you show up, change your passwords. Even if you don’t show up, change your passwords. Use KeePass or another password management tool and keep them with you.

And once you’ve sorted out your passwords, you can make logging in an even more secure process by adding two-factor authentication. Try miniOrange’s Google Authenticator.

Clean up your users

A person using a Macbook illuminated only by the screen

Have people left your company? Did you get guest authors in? How many users do you have on your WordPress installation? And what are their permissions?

This might not seem like a big deal, but the recent ICO ruling against Carphone Warehouse, which resulted in a £400,000 fine, found that their data breach was the result of someone using a valid WordPress login on an outdated site.

So what do you do with these unwanted users? If they haven’t posted anything, delete them. There’s no reason to keep them around and they’re just a risk.

If they have posted something, and you’d like to keep them as the author of those posts, you can set their role to “No role for this installation”. This means they can still log in, but once they do they can’t do anything else, and they can’t access the admin screens.

A screenshot of the WordPress admin screen stating 'Sorry, you are not allowed to access this page.'
Yes, I did lock myself out of my WordPress site.
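As an added example (not Heart Internet’s or WordPress’s own tooling), here is a dry-run audit script built on WP-CLI that applies the rule above: it lists every account with its roles and post count, then prints the suggested `wp` command (delete if they have no posts, strip the role if they have posts, administrators flagged for manual review) without changing anything. It assumes WP-CLI is installed and the script is run from the WordPress root; `<ADMIN_ID>` is a placeholder for the account that should inherit any reassigned content.

```shell
#!/bin/sh
# Added example: dry-run user audit with WP-CLI. Prints suggestions, changes nothing.
# Assumes `wp` is on PATH and the script is run from the WordPress root.
set -eu

# Apply the post's rule to one account. Prints one of:
#   REVIEW  - administrator: never touch automatically
#   DELETE  - no posts, nothing is lost by removing the account
#   NO-ROLE - has posts: keep the author name, strip every role
#   KEEP    - already has no role on this site
classify_user() {
  # $1 = login, $2 = comma-separated roles (may be empty), $3 = post count
  case "$2" in
    *administrator*) echo REVIEW; return 0 ;;
  esac
  if [ "$3" -eq 0 ]; then
    echo DELETE
  elif [ -z "$2" ]; then
    echo KEEP
  else
    echo NO-ROLE
  fi
}

# Walk every account. roles is the last CSV column, so a quoted multi-role
# value such as "editor,author" lands whole in $roles; the quotes are stripped.
audit_users() {
  wp user list --fields=ID,user_login,roles --format=csv | tail -n +2 |
  while IFS=, read -r id login roles; do
    roles=$(printf '%s' "$roles" | tr -d '"')
    posts=$(wp post list --author="$id" --post_type=any --post_status=any --format=count)
    case "$(classify_user "$login" "$roles" "$posts")" in
      REVIEW)  echo "# review manually: $login is an administrator ($posts posts)" ;;
      DELETE)  echo "wp user delete $id --reassign=<ADMIN_ID>   # $login: no posts" ;;
      NO-ROLE) echo "wp user remove-role $id   # $login: $posts posts, roles '$roles'" ;;
      KEEP)    echo "# $login already has no role on this site" ;;
    esac
  done
}

# Only query the live site when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
  audit_users
fi
```

Review the printed commands before running any of them; `wp user remove-role` with no role argument removes every role, which is the CLI equivalent of “No role for this installation”.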

Get a good plug-in

There are hundreds of security-related plug-ins available, covering everything under the sun, from firewalls and brute-force login protection to two-factor authentication and anti-spam measures. Luckily, most of them are free or have trial versions, so you can test them and see which works best for you. You can also judge the plug-ins by their number of downloads and their ratings.

Here are four that are generally considered to be on the top of their game:

Wordfence Security
Sucuri Security
All in One WP Security & Firewall
iThemes Security

And don’t forget that Jetpack comes with a lot of security features, and it’s installed automatically with our WordPress installations.

You should also double-check all your existing plug-ins to make sure they’re still regularly maintained and kept secure. Just recently, thousands of sites, including the NHS and ICO, had their visitors’ browsers turned into cryptominers by a single third-party script that had been hijacked.

Back up regularly

An aisle in an archive

Of course, no matter how much we lock everything down, no matter how many plug-ins or security measures we’ve taken, we can still get hacked.

This is where regular backups come in. Even if you do get hacked, you can simply revert to a previous version with a minimum of data loss.

You can use the backup feature in the eXtend Control Panel to take a backup of your entire site, but you’ll need to remember to take those backups, as well as remembering to back up the database separately.

Jetpack also has a backup feature, which you can set to do a daily backup.

Or you can get a separate plug-in, many of which will back up your site to another cloud service, such as AWS, DropBox, or Google Drive. UpdraftPlus is a popular one, as is BackWPup.


So here are five easy things you can do to strengthen your WordPress security. What else do you recommend?


  • Hes

    Sassy af.

