Evergreen WordPress Security

WordPress security is essential if you want to keep your content safe from hackers. Hackers have many reasons for attacking your site: collecting personal information about your visitors, or simply infecting your site with malware and/or viruses. Most hacks are automated, which means that the majority of hackers use software to crawl the web looking for vulnerable sites.

Hackers will often build a network of hacked sites that they can use for things like black hat SEO, phishing from your email addresses, database scraping to obtain your users’ personal information, and so on. Not every hacked site is a WordPress site, but hacking is a big business, and since recent statistics estimate that WordPress accounts for about 27% of all websites, it is easy to see why WordPress security is so important.

According to HostingFacts.com, over 37,000 websites are hacked every day. That is 13,505,000 every year, and growing. In March 2016, Google reported that more than 50 million website users had been warned that a website they were visiting could contain malware or steal information. Not only that, but Google blacklists around 20,000 websites for malware and 50,000 for phishing each week. These figures show how seriously you and your business should take website security. If you secure your physical business location, shouldn’t your website be just as important?

The WordPress Codex (the official WordPress online manual) provides everything you need to know about WordPress including a great deal of information concerning WordPress security and hardening measures. However, there are many more steps that can and should be taken to improve the overall security of your WordPress website.

There are many methods and processes that can be used to help defend your site against an attack. Below you will find evergreen WordPress security methods that are tried and true. They have been and will continue to be used as solid security measures for any WordPress site.


1. Keep Your Core Files Updated

WordPress updates its core files on a regular basis, addressing bug fixes, new features, and security issues. WordPress does a great job of finding, fixing, and shipping security fixes quickly and efficiently. These updates are essential if you want your site to be safe and secure for you and your visitors. By not applying them you leave your website open to known security vulnerabilities and to hackers.

Today, WordPress updates your core files automatically, and many hosting companies force the updates as well, so that an infected website does not endanger their servers. Security is everybody’s business today.

We don’t generally allow automatic updates for the sites that we manage. We prefer to do that manually. We like to test all updates to ensure that they will not break a live site. We do this by setting up a staging site, which we update first to confirm that everything works correctly and nothing on your site breaks.


2. Use Strong Passwords

One of the most important things you can do for your site’s security is to have a strong password for your administrator access. If it is too simple, it is much easier for hackers to gain access and take control of your website.

According to Network World, the 5 most common passwords for 2016 were:

  1.  123456
  2.  123456789
  3.  qwerty
  4.  12345678
  5.  111111

As you can see, none of these passwords is even close to being strong or secure.

With passwords like these, even you or I could sign in and create our own administrator account. This gives a hacker access whenever they want, and they are then able to add backlinks and malware, send email, and perform a host of other malicious actions.

Creating a strong password is not that difficult. Use uppercase and lowercase letters, numbers, and punctuation marks, and don’t use words; use a random selection of those characters instead. There are also a couple of great programs you can use to create and store secure passwords for everything you need a password for. We suggest 1Password or LastPass; they are both great options.

If you allow people to register on your site, you will want to require them to use strong passwords as well. You can do this easily with a security plugin such as Wordfence Security or iThemes Security.
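
To make the password rules above concrete, here is an added example (not code from the original post, and not how Wordfence or iThemes implement their checks): a small shell policy check of the kind you might run from a registration hook or a deployment script, plus a generator that draws from the operating system’s random source. The thresholds (12 characters, at least three character classes) are this example’s own assumptions; the blocklist is constructed from the five passwords listed above.

```shell
#!/bin/sh
# Added example, not from the original post. Policy thresholds are assumptions.

# Constructed blocklist: the five most common passwords quoted in the post.
COMMON_PASSWORDS="123456
123456789
qwerty
12345678
111111"

# password_weakness PASSWORD
# Prints the first policy failure and returns 1; prints nothing and returns 0
# when the password satisfies the policy.
password_weakness() {
    pw=$1
    # Reject anything on the common-password list (whole line, case-insensitive).
    if printf '%s\n' "$COMMON_PASSWORDS" | grep -qixF -- "$pw"; then
        echo "on the common-password list"; return 1
    fi
    if [ "${#pw}" -lt 12 ]; then
        echo "shorter than 12 characters"; return 1
    fi
    # Count how many of the four character classes the password uses.
    classes=0
    case $pw in *[[:lower:]]*) classes=$((classes + 1));; esac
    case $pw in *[[:upper:]]*) classes=$((classes + 1));; esac
    case $pw in *[[:digit:]]*) classes=$((classes + 1));; esac
    case $pw in *[![:alnum:]]*) classes=$((classes + 1));; esac
    if [ "$classes" -lt 3 ]; then
        echo "uses fewer than 3 of: lowercase, uppercase, digits, punctuation"; return 1
    fi
    return 0
}

# generate_password [LENGTH]
# Random password (default 20 characters) built from all four classes,
# taken from /dev/urandom rather than from words.
generate_password() {
    len=${1:-20}
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' </dev/urandom | head -c "$len"
    echo
}
```

`password_weakness` is written so the reason for rejection is the return value a form can show the user; `generate_password 24` prints a 24-character password you can store in 1Password or LastPass.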


3. Use ONLY Trusted Plugins and Themes

There are many places where you can find WordPress themes and plugins. One of the largest repositories of themes and plugins is WordPress.org. It is run by volunteers who review the themes and plugins before they are placed in the directory. Many of these themes and plugins are updated on a regular basis and many are not, so it is important for you, as a website owner, to ensure that your theme and especially your plugins are up to date.

Below are a couple of places to find some great premium themes and plugins for your WordPress website:

  1. Elegant Themes (We use their Divi Theme for our site)
  2. Envato Market

There are many others but we like these two in particular.


4. Backup Your Site

There are a number of reasons that you need to back up your website on a regular basis, but the main reason is to recover your site if it is hacked or if it breaks because of an outdated plugin. You may even have given authorized access to people who made a change that caused the site to break.

If you prefer to do it yourself, here are a few backup options:

  1. Backup Buddy
  2. UpdraftPlus
  3. BackUpWordPress

There are many others but we like these in particular. Of course, if you want someone else to take care of the details for you, we offer a very reasonable WordPress Backup Service ourselves.

Regardless of how you decide to back up your site, it is important that you keep a regularly updated copy in multiple places. This way there is even less chance that you will be left without a copy. Another important WordPress security precaution is to NOT keep copies on your server or in your email, because either one of these can be hacked.
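
For readers who want to see what the "do it yourself" option looks like, here is an added example (not code from the original post or from any of the plugins listed): a shell backup routine that reads the database settings out of wp-config.php, dumps the database, archives wp-content, copies the archive to more than one destination, and prunes old copies. Paths and the retention count are placeholders you would adjust.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and retention are assumptions.

# wp_config_value WP_CONFIG NAME
# Prints the value of define('NAME', 'value') from wp-config.php
# (values that themselves contain quote characters are not handled).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# dump_database WP_ROOT OUTFILE
# Runs mysqldump with the credentials from wp-config.php. The password is
# passed through MYSQL_PWD so it never appears on the command line or in `ps`.
dump_database() {
    cfg=$1/wp-config.php
    MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) \
    mysqldump --single-transaction --quick \
        -h "$(wp_config_value "$cfg" DB_HOST)" \
        -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" >"$2"
}

# backup_site WP_ROOT PRIMARY_DIR [EXTRA_DIR...]
# Creates wp-backup-<UTC stamp>.tgz in PRIMARY_DIR and copies it to each
# EXTRA_DIR: the post's advice is to keep copies in more than one place, and
# none of them on the web server itself. Set WP_BACKUP_SKIP_DB=1 for a
# files-only run (for instance when trying the script where no database exists).
backup_site() {
    root=$1 primary=$2
    shift 2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    work=$(mktemp -d)
    if [ "${WP_BACKUP_SKIP_DB:-0}" = 1 ]; then
        echo "-- database dump skipped (WP_BACKUP_SKIP_DB=1)" >"$work/database.sql"
    else
        dump_database "$root" "$work/database.sql" || { rm -rf "$work"; return 1; }
    fi
    archive=$primary/wp-backup-$stamp.tgz
    # Archive the dump, wp-config.php and everything under wp-content.
    tar -czf "$archive" -C "$work" database.sql -C "$root" wp-config.php wp-content
    rm -rf "$work"
    for dest in "$@"; do
        cp "$archive" "$dest/"
    done
    echo "$archive"
}

# prune_backups DIR KEEP
# Removes all but the newest KEEP archives in DIR. The UTC stamp in the file
# name sorts chronologically, so a plain reverse sort puts the newest first.
prune_backups() {
    ls "$1"/wp-backup-*.tgz 2>/dev/null | sort -r | awk -v keep="$2" 'NR > keep' |
    while IFS= read -r old; do
        rm -f "$old"
    done
}
```

A typical cron entry would call `backup_site /var/www/example /backups/local /mnt/offsite` and then `prune_backups /backups/local 14`; the off-site directory should be a mounted remote store, not a folder on the same server, for the reason given above.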


5. Use a Security Plugin

WordPress security plugins are a great way to “watch over” your website. There are a number of good plugins out there and they do a variety of things to protect your website from hackers. Unfortunately, no matter how hard we try, no matter how many steps we take, attacks can and will continue to happen. There are always going to be people who will attempt to hack websites.

WordPress sites are a favorite among hackers for many reasons: the sheer number of bad or insecure web hosting accounts, poorly coded plugins and themes, and everyone’s favorite, weak passwords. As we have been advocating throughout this post, there are numerous evergreen WordPress security practices that you should incorporate on every WordPress site you have, such as strong passwords, keeping WordPress updated, and removing unused themes and plugins. Below are some of the WordPress security plugins that we recommend and even use for our clients.

  1. Wordfence
  2. iThemes Security
  3. Sucuri Security

Most WordPress security plugins provide login protection, since the login form is the easiest way for hackers to get in. That said, most of these security plugins don’t do much to prevent exploits in plugins and themes. This is where you must be vigilant in keeping your themes and plugins updated, or have a service such as WP Maintenance Plans take care of those things for you.


6. Change your Admin Username

When WordPress is first set up, the default username for your admin area is created as “admin.” Naturally, anyone who knows about WordPress knows this default username. A great majority of people never change it, which makes it easier for hackers to gain access since they only have to guess your password. So one of your first tasks after getting your website up is to change your administrative username to something that will be more difficult for a hacker to guess.


7. Install a Secure Sockets Layer (SSL) Certificate

If your site requires users to log in or enter personal information, you need an SSL certificate. Even if your site does not gather personal information, you will be viewed as more trustworthy by having a “secure” site through SSL. Google has recently made statements about the importance of having an SSL certificate, and about how it affects your site rankings and the way the Chrome browser presents your site to visitors.

You can recognize a site that has an SSL certificate in use by seeing HTTPS instead of HTTP in the browser’s address bar. This simply indicates that the site is served securely and the connection is encrypted. Depending on the browser you use, some sites will also show a small padlock in front of the URL.

One thing to be aware of as you are surfing the internet is that when you see “Secure” in your browser bar, it simply means that the connection between your browser and the website you are connected to is encrypted. It does not, however, mean that the domain is “Trusted”, “Safe”, “Not malicious” or anything else.

There are many plugins that help you “switch” your site from HTTP to HTTPS once your SSL certificate is installed. They basically go through your site and redirect all traffic to HTTPS, usually via your .htaccess file or with JavaScript. Many of these plugins will also change your site and home URL to HTTPS and replace all http:// URLs with https://, except hyperlinks to other domains. Those links need to be verified and changed manually. Check each plugin to see what it does specifically and whether you will need to take any additional steps to ensure complete SSL adherence.

Here are a few SSL plugins that are currently available and that we would recommend:

  1. Verve SSL
  2. WP Force SSL
  3. SSL Insecure Content Fixer
  4. Really Simple SSL
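
If you would rather see what these plugins do under the hood, here is an added example (not code from the original post or from any plugin it names) of the two pieces of an HTTP-to-HTTPS switch: the .htaccess redirect, and a rewrite of your own site’s http:// links that deliberately leaves links to other domains alone, exactly the case the post says must be checked by hand. example.com is a placeholder domain.

```shell
#!/bin/sh
# Added example, not from the original post. example.com is a placeholder.

# htaccess_https_redirect DOMAIN
# Prints Apache rewrite rules that send every plain-HTTP request to the HTTPS
# version of the same URL with a permanent redirect (for the top of .htaccess).
htaccess_https_redirect() {
    cat <<EOF
# Redirect all HTTP traffic to HTTPS for $1
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://$1%{REQUEST_URI} [L,R=301]
</IfModule>
EOF
}

# upgrade_own_links DOMAIN
# Reads text on stdin and rewrites http://DOMAIN and http://www.DOMAIN to
# https://. A boundary after the host name stops example.com from matching
# example.com.evil.net, and URLs on other domains are left untouched.
upgrade_own_links() {
    d=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    sed -E "s#http://(www\.)?${d}([/\"' <?]|\$)#https://\1${1}\2#g"
}
```

Run `htaccess_https_redirect example.com >> .htaccess` once the certificate is installed, and pipe exported post content or a template through `upgrade_own_links example.com` to see which links would change; anything still starting with http:// afterwards points at another domain and needs a manual check. WP-CLI’s `wp search-replace` can do the same replacement across the database.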


8. Use Secure FTP (SFTP) or Shell access (SSH)

If you spend any time transferring files to or from your website through FTP, you should ensure you are using SFTP or SSH (shell access) rather than plain FTP. FTP is not as secure as the other two options, since plain FTP sends your username and password unencrypted, and hackers could potentially intercept your FTP connection. You should also check to see if there are any FTP accounts that are not necessary and delete them to prevent them from being accessed without your consent. If you would like a more detailed explanation of how SFTP or SSH works, check out these two articles: SSH Protocol and SFTP, The Modern FTP, by SSH Communications Security.


9. Change the wp_ Table Prefix

By default, WordPress sets up your database tables with the wp_ prefix. If you leave it as is, it is easier for hackers to target your database tables, since the table names are the same across most WordPress installs. Simply changing the prefix to something different when you first set up your site makes it less accessible to hackers.

If you have already set up your database and want to change the prefix after the fact, it can still be done. There are several plugins you can use to change the table prefix. However, be very careful and make a complete backup of your site before attempting this change, as it could break your site if not done correctly.

Here are a couple of plugins that we can recommend to help you with this task:

  1. All in One WP Security and Firewall
  2. iThemes Security
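
To show why the warning above matters, here is an added example (not code from the original post or from either plugin) that generates the SQL a prefix change needs so you can review it before running it against a backed-up database. Renaming the tables alone is not enough and is the usual way this change breaks a site: a few rows also carry the prefix in their names (wp_user_roles in the options table, and keys such as wp_capabilities and wp_user_level in usermeta) and must be updated too, and $table_prefix in wp-config.php must be changed to match. The table list in the example is constructed; a real one comes from SHOW TABLES. This covers a single-site install only.

```shell
#!/bin/sh
# Added example, not from the original post. Table names below are constructed.

# valid_prefix PREFIX
# WordPress accepts only letters, digits and underscores in a table prefix.
valid_prefix() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# prefix_change_sql OLD NEW < table-list
# Reads one table name per line on stdin and prints, in the order they must
# run: RENAME TABLE for every table starting with OLD, then the UPDATEs that
# fix the prefixed option and usermeta rows inside the renamed tables.
prefix_change_sql() {
    old=$1 new=$2
    valid_prefix "$new" || { echo "invalid prefix: $new" >&2; return 1; }
    while IFS= read -r table; do
        case $table in
            "$old"*) echo "RENAME TABLE \`$table\` TO \`$new${table#"$old"}\`;" ;;
        esac
    done
    # SUBSTRING is used instead of LIKE so an underscore in the old prefix is
    # not treated as a wildcard.
    cat <<EOF
UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';
UPDATE \`${new}usermeta\` SET meta_key = CONCAT('$new', SUBSTRING(meta_key, ${#old} + 1)) WHERE SUBSTRING(meta_key, 1, ${#old}) = '$old';
EOF
}
```

Usage: `mysql -N -e 'SHOW TABLES' wpdb | prefix_change_sql wp_ k3pq7_ > change-prefix.sql`, read the file, take the backup, run it, then set `$table_prefix = 'k3pq7_';` in wp-config.php. If the usermeta update is forgotten, every user loses their capabilities and nobody can log in as an administrator.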


10. Move your wp-config.php file

Your wp-config.php file is probably the most important file you need to secure. If a hacker gains access to this file, your website will belong to them. By default, this file is located in the root WordPress folder. The simplest way to secure it is to move it outside of your public_html directory. By doing this, web users cannot access it. If the file is not found in the WordPress root folder, WordPress will look one directory above it.
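
Here is an added example (not code from the original post) that performs the move and, just as importantly, checks the two conditions under which WordPress will actually find the file afterwards: it looks in the WordPress root first, then in the parent directory, but only if that parent is not itself a WordPress install (it must not contain wp-settings.php). The document root path is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. /var/www/example/public_html is a placeholder.

# wp_config_location DOCROOT
# Prints the wp-config.php WordPress will load, following its own lookup
# order: DOCROOT first, then DOCROOT/.. unless that directory is a WordPress
# root of its own. Returns 1 when neither location has the file.
wp_config_location() {
    if [ -f "$1/wp-config.php" ]; then
        echo "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ] && [ ! -f "$1/../wp-settings.php" ]; then
        echo "$(cd "$1/.." && pwd)/wp-config.php"
    else
        echo "wp-config.php not found for $1" >&2; return 1
    fi
}

# move_wp_config DOCROOT
# Moves DOCROOT/wp-config.php one level up and prints its new path. Refuses
# when the parent is itself a WordPress root (WordPress would not read the
# file there) or already holds a wp-config.php (it may belong to another site).
move_wp_config() {
    root=$1
    if [ ! -f "$root/wp-config.php" ]; then
        echo "no wp-config.php in $root" >&2; return 1
    fi
    parent=$(cd "$root/.." && pwd)
    if [ -f "$parent/wp-settings.php" ]; then
        echo "$parent is a WordPress root itself; WordPress will not read wp-config.php from there" >&2; return 1
    fi
    if [ -e "$parent/wp-config.php" ]; then
        echo "$parent/wp-config.php already exists" >&2; return 1
    fi
    mv "$root/wp-config.php" "$parent/wp-config.php"
    # Owner-only access. This assumes PHP runs as the file's owner; if the web
    # server runs as a different user, use 640 with that user's group instead.
    chmod 600 "$parent/wp-config.php"
    echo "$parent/wp-config.php"
}
```

After `move_wp_config /var/www/example/public_html`, `wp_config_location /var/www/example/public_html` should print the new path; if it prints nothing, WordPress would not find the file either, so put it back before reloading the site.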


Conclusion

We have covered 10 evergreen WordPress security methods that you can use to increase the security of your WordPress site, but it doesn’t stop there. As hackers become even more sophisticated, as software changes, and as WordPress evolves, security will remain an important part of your website. Continue to come back for more articles on WordPress security and protecting your interests online.