6 easy WordPress security tips - Heart Internet Blog - Focusing on all aspects of the web

As part of our ongoing improvements to the system, we are removing the reCAPTCHA v1 service from our WordPress installations.

This was set up in 2013 and the security world has moved on from simple “Are you a human?” responses. As WordPress has become more popular, it’s more likely that hackers will write scripts specifically to attack WordPress sites.

If you’re wondering how secure your WordPress site will be, don’t worry – there are very simple things you can do to make sure everything runs smoothly.

Keep WordPress up to date


This is the most obvious one, and yet it’s the one everyone forgets to do. But now’s your chance. Stop reading this and go update your site.

Right now.

Update your plug-ins too.

That was easy, wasn’t it?

Make sure your passwords are strong


This is another obvious one, but it’s also the one everyone falls down on. And it’s not just a matter of adding in all the characters and numbers – it’s about having a unique password for each site. Stop using the same email address/password combination for Netflix, Steam, WordPress, Google, Dropbox and that tiny little forum you still hang out at.

Check Have I Been Pwned and if you show up, change your passwords. Even if you don’t show up, change your passwords. Use KeePass or another password management tool and keep them with you.

And once you’ve sorted out your passwords, you can make logging in an even more secure process by adding two-factor authentication. Try miniOrange’s Google Authenticator.
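As an added example (not code from the original post or from Heart Internet), here is how the Have I Been Pwned check works for a password without the password ever leaving your machine: the Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/) is sent only the first five characters of the password's SHA-1 hash and returns every matching hash suffix, so the comparison happens locally. The range response used below is constructed so the script runs offline; the live fetcher is included but not called.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def pwned_range_query(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the 5-char prefix is sent to the API; the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Look for our suffix in a range response ("SUFFIX:COUNT" per line).
    Returns the breach count, or 0 when the suffix is not listed."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0

def check_password(password, fetch_range):
    """fetch_range(prefix) -> response text. The full hash is never sent."""
    prefix, suffix = pwned_range_query(password)
    return breach_count(suffix, fetch_range(prefix))

def fetch_range_live(prefix):
    """Real lookup against the Pwned Passwords range endpoint (needs network)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed range response for prefix 5BAA6 (the SHA-1 of "password"
# starts 5BAA6...). The suffixes and counts are made up for this example.
CONSTRUCTED_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0011EF8A1A2D0F4F7C5C3E5A0D6B1B2C3D4:2
FFEE0123456789ABCDEF0123456789ABCDE:17
"""

def fetch_range_constructed(prefix):
    """Offline stand-in for fetch_range_live, returning the constructed body."""
    return CONSTRUCTED_RANGE_BODY

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        hits = check_password(pw, fetch_range_constructed)
        verdict = f"seen {hits} times, change it" if hits else "not in this range"
        print(f"{pw!r}: {verdict}")
```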

Clean up your users


Have people left your company? Did you get guest authors in? How many users do you have on your WordPress installation? And what are their permissions?

This might not seem like a big deal, but the recent ICO ruling against Carphone Warehouse found that their £400,000 data breach was the result of someone using a valid WordPress login on an outdated site.

So what do you do with these unwanted users? If they haven’t posted anything, delete them. There’s no reason to keep them around and they’re just a risk.

If they have posted something, and you’d like to keep them as an author, you can set their role to “No role for this installation”. This means they can still log in, but once logged in they can’t do anything and can’t reach the admin screens.
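The two rules above (no posts: delete; has posts: strip every role) can be turned into a review script. This added example is not from the original post; it assumes WP-CLI is available on the site, and the user list and post counts below are constructed to stand in for the output of `wp user list --format=json` and `wp post list --post_author=<ID> --format=count`. The list of current staff is something only the site owner can supply.

```python
# Constructed sample shaped like `wp user list --format=json --fields=ID,user_login,roles`
# (on a real site this would be the output of that WP-CLI command).
USERS = [
    {"ID": 1, "user_login": "owner", "roles": "administrator"},
    {"ID": 7, "user_login": "guest_author", "roles": "author"},
    {"ID": 9, "user_login": "old_contractor", "roles": "administrator"},
    {"ID": 12, "user_login": "intern2016", "roles": "subscriber"},
]
# Constructed post counts, as `wp post list --post_author=<ID> --format=count` returns.
POST_COUNTS = {1: 40, 7: 3, 9: 0, 12: 0}
# Who should still have an account: supplied by the site owner, not by the script.
CURRENT_STAFF = {"owner"}

def plan_cleanup(users, post_counts, current_staff):
    """Apply the post's two rules to every account not in current_staff:
    no posts -> delete the user; has posts -> remove every role
    (WP-CLI's `wp user remove-role` with no role named removes them all,
    which matches the "No role for this installation" setting)."""
    actions = []
    for u in users:
        if u["user_login"] in current_staff:
            continue
        posts = post_counts.get(u["ID"], 0)
        if posts == 0:
            actions.append(("delete", u["ID"], f"wp user delete {u['ID']} --yes"))
        else:
            actions.append(("remove-role", u["ID"], f"wp user remove-role {u['ID']}"))
    # Departed administrators are the riskiest leftovers, so list them first.
    admins = {u["ID"] for u in users if u["roles"] == "administrator"}
    actions.sort(key=lambda a: a[1] not in admins)
    return actions

def remaining_admins(users, actions):
    """Administrators who will still be able to log in after the plan is applied."""
    touched = {a[1] for a in actions}
    return [u["user_login"] for u in users
            if u["roles"] == "administrator" and u["ID"] not in touched]

if __name__ == "__main__":
    plan = plan_cleanup(USERS, POST_COUNTS, CURRENT_STAFF)
    for action, uid, cmd in plan:
        print(f"{action:12} user {uid:<3} -> {cmd}")
    print("administrators left:", remaining_admins(USERS, plan))
```

The script only prints the WP-CLI commands; review the list against who actually still works with you before running any of them.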

Get a good plug-in

There are hundreds of security-related plug-ins available, containing everything under the sun, from firewalls and brute-force protection to two-factor authentication and anti-spam measures. Luckily, most of them are free or have trial versions, so you can test them and see which works best for you. You can also judge the plug-ins by the number of downloads and the ratings.

We recommend Sucuri Security. It’s free and it’s a good addition to your overall security efforts.

And don’t forget that Jetpack comes with a lot of security features, and it’s installed automatically with your WordPress installation.

You should also double-check all your existing plug-ins to make sure they’re still regularly maintained and kept secure. Just recently, thousands of sites, including the NHS and ICO, were turned into cryptominers by one third-party script that had been hijacked.

Back up regularly


Of course, no matter how much we lock everything down, no matter how many plug-ins or security measures we’ve taken, we can still get hacked.

This is where regular backups come in. Even if you do get hacked, you can simply revert to a previous version with a minimum of data loss.

You can use the backup feature in the eXtend Control Panel to take a backup of your entire site, but you’ll need to remember to take those backups, as well as remembering to back up the database separately.

Jetpack also has a backup feature, which you can set to do a daily backup.

Or you can get a separate plug-in, many of which will back up your site to another cloud service, such as AWS, DropBox, or Google Drive. UpdraftPlus is a popular one, as is BackWPup.

Use a website security package

All these tips are helpful, but they might not be enough to stop a determined hacker. That’s why you should use a tool like Website Security from Heart Internet.

It scans for and removes malware, and the Deluxe and Ultimate packages include a firewall, which makes your site even more secure.

Because Website Security is powered by Sucuri, you get the peace of mind that comes with being protected by industry-leading security experts.




  • Hes


    Sassy af.
