When we think of web security, we often envision a giant server farm teeming with IT professionals along with developers who pore over every bit of code. Then too, we think of high-profile breaches that leak private data and negatively impact the economy.

Yet, web security should be of concern to everyone who works on or owns a site. That’s especially so when you’re using a popular platform such as WordPress. Why? Because we are all sitting targets.


Whether your site boasts millions of visitors or only a handful, bots and other malicious actors are hammering away. They’re attempting brute force attacks on logins, adding poisonous code to legitimate files and other assorted mayhem.

And, while we can’t necessarily account for every possibility, there are things we can do to mitigate the risk. Even better is that it’s not hard to do!

With that, here are some simple steps you can take to make your WordPress website more secure.

Understand WordPress User Roles and Capabilities

If you build sites for clients, it’s important to realize that not everyone needs the same level of access to the back end. Administrator accounts are great in that they provide total control over settings and plugins. But in the wrong hands they can be dangerous.

The developers behind WordPress understand this, and that’s why they’ve created various user roles. Each role (Administrator, Editor, Author, Contributor and Subscriber are the defaults) comes with its own set of capabilities. The lower the user role, the fewer capabilities that user will have.

So, for clients who won’t necessarily need to install plugins or touch other sensitive settings, an Editor account is perfect. They have all the power they need to manage content, while still being walled off from potentially harmful items. Even if they do need occasional access to other things, they can use an administrator account when appropriate.

Just to be clear, we’re not necessarily worried about our clients doing harmful things (although, an adventurous one could do some unintended damage). Rather, it’s the possibility of that user’s account being compromised. If that were to happen, a lower user role won’t have the same impact as an administrator.

If the default roles don’t quite match up with your needs, you also have the option to create your own. This could be used, for example, to allow users access to only a specific post type. It allows for more fine-grained control of who can access what.

As an aside, it’s also a good idea to create separate user accounts for each person who needs to access the back end. This simplifies account maintenance, as you can just remove individual accounts as people come and go from the organization. Plus, the less you share your passwords, the better!
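The custom-role idea above, carried through as an added example (this is not code from the article or from WordPress itself). It registers a hypothetical `client_report` post type with its own capability set, then creates a `report_editor` role that can manage only that post type. The names `client_report`, `report_editor` and the `cre_` functions are assumptions for illustration; `register_post_type`, `add_role`, `get_role` and the activation hooks are standard WordPress functions.

```php
<?php
/**
 * Plugin Name: Client Report Role (added example, not from the article)
 *
 * Creates a role that can manage one post type and nothing else.
 * All names below (client_report, report_editor, cre_*) are hypothetical.
 */

// Register the post type with its own capability names instead of the
// generic post/page ones, so a role can be scoped to this type alone.
function cre_register_report_type() {
    register_post_type( 'client_report', array(
        'label'           => 'Client Reports',
        'public'          => false,
        'show_ui'         => true,
        'supports'        => array( 'title', 'editor' ),
        // Yields capabilities such as edit_client_reports, publish_client_reports, ...
        'capability_type' => array( 'client_report', 'client_reports' ),
        'map_meta_cap'    => true,
    ) );
}
add_action( 'init', 'cre_register_report_type' );

// The capabilities the new role receives. Nothing here touches plugins,
// themes, users or settings, and nothing grants access to regular posts.
function cre_report_editor_caps() {
    return array(
        'read'                            => true,
        'upload_files'                    => true,
        'edit_client_reports'             => true,
        'edit_others_client_reports'      => true,
        'edit_published_client_reports'   => true,
        'publish_client_reports'          => true,
        'delete_client_reports'           => true,
        'delete_others_client_reports'    => true,
        'delete_published_client_reports' => true,
    );
}

// Roles are persisted in the database, so create the role once on
// activation rather than on every page load.
function cre_activate() {
    add_role( 'report_editor', 'Report Editor', cre_report_editor_caps() );

    // Administrators must be granted the new capabilities too, or they
    // lose access to the post type in wp-admin.
    $admin = get_role( 'administrator' );
    if ( $admin ) {
        foreach ( array_keys( cre_report_editor_caps() ) as $cap ) {
            $admin->add_cap( $cap );
        }
    }
}
register_activation_hook( __FILE__, 'cre_activate' );

// Remove the role on deactivation so it does not linger unused. Users
// assigned to it should be reassigned to another role first.
function cre_deactivate() {
    remove_role( 'report_editor' );
}
register_deactivation_hook( __FILE__, 'cre_deactivate' );
```

With this active, a user given the Report Editor role sees only Client Reports and the media library in the dashboard. If that account is compromised, the attacker cannot install plugins, edit theme files, create users or change settings, which is exactly the blast-radius reduction the section describes.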


Install a Security Plugin

Sure, you may spend a ton of time online. But you can’t be there to watch over your website 24/7. Therefore, it makes sense to employ tools that will keep a lookout on your behalf.

There are a number of security plugins that can handle the job. The free versions of Wordfence, iThemes Security or All In One WP Security & Firewall can offer huge benefits. They can do things like lock out IP addresses, stop brute force login attempts and scan your site for existing malware or security holes. Some will even email you when a problem is found or your install is outdated.

If you manage several websites, a security plugin offers a great way to stay on top of these issues. They’re also useful for those times when you hand off a site to your clients. Clients who aren’t very security-conscious will have that extra set of eyes to keep them well-informed.

It’s worth mentioning that there are more plugins available than those mentioned above, and each one has its own strengths. The one you choose should fit your basic security needs without slowing down your site too much. Performance is especially an issue on lower-end hosting platforms and should be a consideration.

Of course, these plugins aren’t cure-alls for security. You still need to employ other best practices. But they are great at catching the low-hanging fruit that make up the majority of threats to your site.


Use Common Sense

By now, everyone should know that they should be using unique, hard-to-guess passwords. But still, so many of us take shortcuts because it’s easier.

So much of security is actually using your own common sense and encouraging others to do the same. Sometimes, that requires a tiny bit of extra work – but it’s well worth the effort. Here are a few examples:

Install an SSL Certificate

Having SSL enabled will encrypt user communications with your site (on the front and back ends). With web browsers now calling out sites that don’t use SSL, having a certificate is also darn-near mandatory to defend your reputation. And with many hosts offering either free or cheap options, you have zero excuse for not adding one.

Be Cautious with Plugins

Not all plugins are created equal. Before you install and activate one, be sure to do some research. Look at its release history, support forums and user reviews. You’ll get a better sense of how well-maintained it is and whether it’s worth using. Also look for installed plugins that haven’t been updated in a while. They could be a weak point in your security.

Stay Current

Not only should your entire WordPress install (including plugins and themes) be kept up-to-date, but your hosting environment should do the same. Ensure that you’re running a supported version of PHP and other required software. If you’re unsure, ask your host for more information.

Maintain Current Backups

We all cross our fingers and hope something bad doesn’t happen. But if it does, it’s much easier to restore a safe backup! You’ll especially want to have multiple current copies of your site’s database and the /wp-content/ folder.
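A scripted way to keep those copies current, as an added example that is not from the article. It is a stand-alone PHP command-line script, not a plugin: it reads the database settings from wp-config.php, dumps the database with `mysqldump`, archives `/wp-content/` and keeps only the most recent copies. The script name, the `$keep` count and the directory arguments are assumptions; `mysqldump` on the PATH and PHP’s Phar extension are also assumed.

```php
<?php
/**
 * backup-wp.php -- added example, not code from the article.
 * Usage: php backup-wp.php /path/to/wordpress /path/to/backups [copies-to-keep]
 */

// Read the DB_* constants from wp-config.php without including it
// (including it would bootstrap WordPress settings as a side effect).
function wp_db_settings( string $wp_root ): array {
    $config = @file_get_contents( $wp_root . '/wp-config.php' );
    if ( $config === false ) {
        throw new RuntimeException( "cannot read wp-config.php in $wp_root" );
    }
    $settings = array();
    foreach ( array( 'DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST' ) as $key ) {
        if ( ! preg_match( "/define\(\s*'$key'\s*,\s*'([^']*)'\s*\)/", $config, $m ) ) {
            throw new RuntimeException( "$key not found in wp-config.php" );
        }
        $settings[ $key ] = $m[1];
    }
    return $settings;
}

// Dump the database with a consistent snapshot. The password goes in the
// environment rather than on the command line, where other local users
// could read it from the process list.
function backup_database( array $db, string $dest ): void {
    $cmd = sprintf(
        'MYSQL_PWD=%s mysqldump --single-transaction -h %s -u %s %s --result-file=%s',
        escapeshellarg( $db['DB_PASSWORD'] ),
        escapeshellarg( $db['DB_HOST'] ),
        escapeshellarg( $db['DB_USER'] ),
        escapeshellarg( $db['DB_NAME'] ),
        escapeshellarg( $dest )
    );
    exec( $cmd, $output, $status );
    if ( $status !== 0 ) {
        throw new RuntimeException( "mysqldump failed with status $status" );
    }
}

// Archive wp-content (themes, plugins, uploads) as a gzipped tar.
function backup_wp_content( string $wp_root, string $dest_tar ): void {
    $tar = new PharData( $dest_tar );
    $tar->buildFromDirectory( $wp_root . '/wp-content' );
    $tar->compress( Phar::GZ );   // writes $dest_tar . '.gz'
    unlink( $dest_tar );          // drop the uncompressed copy
}

// Keep the newest $keep files matching $pattern and delete the rest.
function prune_old_backups( string $pattern, int $keep ): array {
    $files = glob( $pattern );
    rsort( $files );              // timestamped names sort newest first
    $removed = array_slice( $files, $keep );
    foreach ( $removed as $file ) {
        unlink( $file );
    }
    return $removed;
}

$wp_root = rtrim( $argv[1] ?? '', '/' );
$backups = rtrim( $argv[2] ?? '', '/' );
$keep    = (int) ( $argv[3] ?? 7 );
if ( $wp_root === '' || $backups === '' ) {
    fwrite( STDERR, "usage: php backup-wp.php <wordpress-dir> <backup-dir> [keep]\n" );
    exit( 1 );
}
if ( ! is_dir( $backups ) && ! mkdir( $backups, 0700, true ) ) {
    fwrite( STDERR, "cannot create $backups\n" );
    exit( 1 );
}

$stamp = date( 'Ymd-His' );
backup_database( wp_db_settings( $wp_root ), "$backups/$stamp-db.sql" );
backup_wp_content( $wp_root, "$backups/$stamp-wp-content.tar" );
prune_old_backups( "$backups/*-db.sql", $keep );
prune_old_backups( "$backups/*-wp-content.tar.gz", $keep );
echo "backup $stamp written to $backups\n";
```

Run it from cron as a user other than the web server’s, with the backup directory outside the web root and, ideally, copied off the server afterwards. A backup that the attacker who compromised the site can also read or delete is not a safe backup.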


Stay Alert

If it seems like security threats are only getting more numerous and complex, it’s because they are! While WordPress itself is well-written and secure, it does have the biggest target on its back of any CMS. That means we need to remain alert and develop good habits.

It doesn’t need to be so difficult. The steps outlined above won’t take much time, but can literally make the difference between your website being hacked or not. That in itself is reason enough to put in the extra effort.

Written by Eric Karkovack

Eric Karkovack is a web designer with well over a decade of experience. You can visit his business site here. In July 2013, Eric released his first eBook: Your Guide to Becoming a Freelance Web Designer. He also has an opinion on just about every subject. You can follow his rants on Twitter @karks88.