Securing WordPress Sites

Maybe you have a website that is a blog you no longer care about. In that case, security might not be a big deal to you. But if you've figured out how to generate revenue from your blog or site, then securing your WordPress site is crucial.

Some people will tell you to download a security plugin like the iThemes Security Pro plugin. Or they'll tell you that what you really need is a Managed WordPress hosting platform that focuses on security, like Nexcess offers.

Those aren't bad ideas. In fact, they're great suggestions. But securing WordPress sites is more than a plugin or hosting decision.

Securing WordPress Sites – From the Outside

Let's be honest – most of us aren't system or server administrators. There are a lot of things to get right that are outside of our control. But that doesn't mean we don't need to ask the right questions and look at the right options.


Do you know when the best time to catch an intruder who is trying to break into your house is? It's when they're trying to break into your neighborhood. That's why some people really like buying homes in gated communities.

Firewalls are like that. They catch stuff before it ever gets to your server or site. So when you're selecting a hosting partner, for example, ask about the firewalls that are in place.

DDoS Protection

Contrary to popular belief, when your site gets hacked, it's not personal. No one picked your specific site to try to break into. Most of the time it's automated: attackers are scanning for any opening they can find.

A particular kind of attack may be a bit more personal. That's a Distributed Denial of Service attack. It's when tons of automated systems are all sending requests from everywhere, all at the same time. And it's not meant to break in as much as it's meant to overwhelm your site (and bring it down that way).

So in an effort to secure your WordPress site, make sure you have figured out a plan for DDoS. One of my favorite approaches is to use Cloudflare's platform as it will not only provide a CDN, but also protect you from DDoS.

Network Monitoring

I don't want to write “the last thing” because in security, there's never a “last” thing. But the last thing I'll list here in the external factors is network monitoring. Are you working with a partner who helps monitor what's happening (logging it and reviewing it) to make sure there aren't strange requests or strange behavior on your site or server?

All of these things happen away from your site and server, but they're critical because when they're done right, you have less to worry about on your own site.

Now let's dig into protecting your site directly.

Securing Your WordPress Site – From the Inside

There are a ton of articles out there already that will give you the 21 things to secure your site, or 48 ways to make your WordPress site more secure. Personally, if you have to do 48 things, I think I'm looking for a better host. So assuming that you're paying more than $9/month in hosting, I would recommend three things to focus on.

Backup Everything

I own a lot of computers – I have a couple different laptops and a desktop where I do most of my work. I can move to a new computer in a couple hours. Know why? Because all my work is not only on the device, but it's backed up remotely. Nothing critical is located in only one place.

Your site may get hacked. It will suck. But it will suck a lot less if you can restore your site in a few minutes and get things back to normal. That's why my first recommendation isn't so much about security as it is about being prepared.

Back. Up. Everything.

Update Everything

The larger the surface area of your site, the more opportunities there are to attack it. Most successful hacks exploit old plugins that haven't been updated, or really old WordPress core code that hasn't been updated in years.

The more plugins you're using, the larger the surface area of your site. Let's think about baseball for a second. The strike zone is based on the batter. The taller the batter, the larger the strike zone. The shorter the batter, the smaller the strike zone. Plugins work the same way: the more you have, and the less regularly they're updated, the greater the opportunity to get hacked.

So keep WordPress core and all your plugins updated, all the time. It's why we created the visual comparison and automatic plugin updating at Nexcess.
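An added example (not from the original post, and not Nexcess's tooling) of what “surface area” looks like as an actual check: it reads the standard `Plugin Name:` / `Version:` header block that WordPress itself uses to identify a plugin, then reports plugins that are behind the catalog and plugins the catalog doesn't list at all. The sample plugin files and the `LATEST` catalog are constructed; in practice that catalog would come from `wp plugin list` or the wordpress.org API.

```python
# Added example (not from the original post or Nexcess): inventory the plugins on a
# WordPress install and flag the ones that are behind. The "Plugin Name:" / "Version:"
# header block is WordPress's real convention; the sample plugins and the LATEST catalog
# are constructed here (in practice LATEST comes from the wordpress.org API or WP-CLI).
import re

HEADER_RE = re.compile(r"^[ \t]*\*?[ \t]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)

def parse_plugin_header(source):
    """Read Plugin Name and Version from a plugin's main file; None if it is not a plugin."""
    fields = dict(HEADER_RE.findall(source[:8192]))  # WordPress reads only the first 8 KB
    if "Plugin Name" not in fields:
        return None
    return {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}

def version_key(v):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def audit(plugin_sources, latest):
    """Return (outdated, unlisted): outdated = [(name, installed, current)],
    unlisted = plugin names missing from the catalog (possibly abandoned or removed)."""
    outdated, unlisted = [], []
    for src in plugin_sources:
        hdr = parse_plugin_header(src)
        if hdr is None:
            continue
        name, installed = hdr["name"], hdr["version"]
        if name not in latest:
            unlisted.append(name)
        elif version_key(installed) < version_key(latest[name]):
            outdated.append((name, installed, latest[name]))
    return outdated, unlisted

# Constructed sample plugin files and catalog (names are made up).
SAMPLE_PLUGINS = [
    "<?php\n/**\n * Plugin Name: Example Form\n * Version: 1.2.0\n */\n",
    "<?php\n/*\nPlugin Name: Tidy Cache\nVersion: 2.0.1\n*/\n",
    "<?php\n/**\n * Plugin Name: Legacy Gallery\n * Version: 0.9\n */\n",
    "<?php\n// helper file with no plugin header\n",
]
LATEST = {"Example Form": "1.3.0", "Tidy Cache": "2.0.1"}

if __name__ == "__main__":
    outdated, unlisted = audit(SAMPLE_PLUGINS, LATEST)
    for name, have, want in outdated:
        print(f"UPDATE  {name}: {have} -> {want}")
    for name in unlisted:
        print(f"REVIEW  {name}: not in catalog, may be abandoned")
```

Plugins that the catalog no longer lists deserve a closer look than a version bump: an abandoned plugin never gets a fix, so removing it is how you shrink the strike zone.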

Educate Everyone

I hate to say it, but a lot of WordPress security comes down to educating people because we're the ones making the dumb mistakes that lead to getting our sites hacked.

You might be thinking, “what dumb mistake have I ever made?”

Let me ask you a question: Have you ever used a single password on more than one site?

Me too.

That's not on the software. It's on us. It's why I moved to LastPass to generate new passwords for every site I log into.

This is why I really love iThemes Security Pro – because they do a lot of education, and then they also help you protect your site.

Here's the Good News

For all the times you've heard “WordPress is insecure,” I can tell you that it's not accurate.

Just for context and a reminder, I work at a hosting company with tens of thousands of WordPress sites we manage on a daily basis. And we see all the attempts to hack sites. Most of them never reach the site itself, and those that do get stopped by up-to-date code or the security plugins that are in place.

The good news is that security isn't about the host you pick, or the plugin you use. It's about making sure that everyone gets smarter about security. That includes site owners, every editor that writes on the site, and every developer who codes on the site.

Security isn't about the code. Security starts with you. With me. And with how we need to keep learning more and more about how to work intelligently in online environments.