WordPress Security Best Practice Checklist in Simple English

A Jargon-Free Explanation for Small Businesses and Home Users

There are literally millions of results on Google that talk about WordPress security, but 99% of them are targeted at people who are either technical or at least technically proficient – whether they manage their own WordPress websites or manage websites for other people.

This article avoids technical stuff.

It sets out a simple, totally non-technical WordPress security best practice checklist for small business and home users who are just starting out, so that they can take some simple steps to strengthen the security of their sites without having to worry about coding or complicated configurations.

There are lots more things that should be done in addition to what I’ve described below. They are technical or configuration steps that will strengthen your site further.

The areas I’ve covered below will provide a basic level of security and if you would like to take things further (and you should) by all means contact me or take a look at this page, which describes the agency service my company offers.

So let’s get into it…

Hosting

The first thing I want to address is hosting.

The web host is the company that operates the servers on which your website sits, and which presents it to the world when your web address is typed in.

Avoid free hosting!

There are many web hosting companies around, offering hosting services at a range of prices – from free to several hundred US$ a month.

Avoid the free ones!

The reason is that these hosting companies rely on advertising for their revenue, so to make a profit they spend the minimum possible on security for their infrastructure. They tend to overload their servers and do not always keep their software up to date.

And out-of-date software is one of the primary ways hackers successfully hack websites.

As with most things, with hosting you get what you pay for. Free hosting will be less secure than paid-for hosting, so don’t go for free – it’s a false economy.

You can get good, fast and secure hosting for around US$5/month (sometimes less) – here is some information on a great hosting provider that I have used for some years: click here.


The next thing you should look for in hosting is how often they back up your account.

What relevance does this have to security, I hear you ask? Here’s what:

If the hosting company has a backup of your website and your website is hacked, you can ask them to restore a previous version of your website, taken from before it was hacked. That will get your website back up and running again quickly and efficiently (and with no technical knowledge required on your part).

Free SSL Certificate?

Finally, on hosting, you want to make sure they offer a free SSL certificate. An SSL certificate means that connections to and from your website are encrypted (you will see the padlock in the browser's address bar), thereby hiding credit card and other sensitive details from prying eyes.

This is important because the major browsers now clearly tell site visitors whether the website they are visiting is safe or not. And if you are selling stuff on your website, having an SSL certificate is required.

You do not want this to appear in the browser bar when you’re trying to sell something:

A good web hosting company will offer a free SSL certificate which requires only the click of a button to activate (and they’ll activate it for you if you ask).

User roles

OK that’s enough on hosting, at least for now. So let’s look at some simple steps you can take on your site itself.

Restricting user roles is a simple way of minimising the damage a hacker can do if they break into a site using someone’s username and password.

A user role is a definition of the functions that any user can have on a website. The lower the user role the fewer functions a user has access to and the less they can do.

WordPress has 5 levels of user roles. From the highest to the lowest they are:

  1. Administrator – the most powerful role. They can add, edit or delete content or users (including other administrators). They can install, edit and delete themes and plugins, and they can alter site settings. They have total control of the site.
  2. Editor – these people have control of the content on the site, including comments, categories and tags, but not the ability to manage themes, plugins, settings or other users.
  3. Author – these people can add, edit or delete their own content, and they can assign existing categories and tags, but not create new ones or delete them.
  4. Contributor – these people can add and edit their own posts, but they cannot publish them. They can assign categories but not create them, and they can assign tags. Typically, an Editor would review posts by a Contributor, make any edits they felt necessary and publish the article.
  5. Subscriber – these people cannot add or edit any content, but the role is useful if you have a site where people need to log in to read articles.

For security, each WordPress installation should have only one Administrator.

I have seen WordPress installations with as many as 8 Administrators, and that multiplies by 8 the options a hacker has of illegally accessing the site and being able to wreak havoc.

So if you have multiple users on your WordPress installation take some time to review and, where necessary, revise their roles to make them as low as possible while still enabling them to do what they need to do.

Usernames and passwords

I wrote an article back here describing the importance of choosing secure usernames and passwords on WordPress. I do urge you to read that article. It’s not technical in any way, but if there is anything I need to clarify just leave me a comment under the article.

Here are two other things you can do with passwords that will help to strengthen your site against brute force attacks:

1. Enforce strong passwords

The ability to force users to use strong passwords does not exist in the default implementation of WordPress, but there is an excellent security plugin you can install that will create this function for you.

Click here to read the details.

With that plugin installed and the ‘Enforce secure passwords’ feature activated, a user will be able to overwrite the WordPress-generated password, but they will not be able to use a password that does not meet the criteria for ‘Strong’.

That will greatly improve the site’s protection against brute force attacks (people illegally trying to access the site by guessing the username and password).

2. Enforce password expiry

Most accounts, especially accounts containing sensitive information – e.g. your company email – require you to change your password every so often.

In this post I wrote about how many people use the same password on all their accounts and the dangers of doing that. Enforcing a change of password every so often, while not a life-saver, is a way of mitigating the risk of doing that, and is something you should consider.

This feature is available in the iThemes Security Pro plugin (that I linked to above) and activating it will add some more security to your login.

Display name publicly as

The final section on usernames and passwords doesn’t sound particularly relevant, but here’s why it is:

If you set up a user and don’t add their first name and surname, or specify a nickname, WordPress will by default display their login username on the front of the website as the author of their posts. That would be a gift to the hackers, who now only have to guess the password the user is using in order to gain access to the site.

Therefore, please fill in the user’s first name and surname, and then scroll down the user profile page and use the ‘Display name publicly as’ drop-down menu to define how their name should be displayed publicly. There will be various combinations of their first name and surname as options, and this enables you to choose one that is consistent with your business style. Alternatively, the user can choose how they want to be named as the author of their posts.
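As an added example (not part of the original article), here is a small shell script that a technically minded helper could run over a list of your site’s users to check the two points above: that there is exactly one Administrator, and that nobody’s public display name is the same as their login username. It assumes the CSV produced by WP-CLI’s `wp user list` command with one role per user; a constructed sample is embedded so the script runs offline.

```shell
#!/bin/sh
# Added audit example, not code from the article or from WordPress itself.
# Assumption: input is CSV in the shape produced by
#   wp user list --fields=ID,user_login,display_name,roles --format=csv
# with a single role per user (a user holding several roles would be quoted
# as "role1,role2" and would need a real CSV parser).

audit_users() {
  # Reads the CSV on stdin and prints one finding per line.
  awk -F',' '
    NR == 1 { next }                                   # skip the header row
    {
      if ($4 ~ /administrator/) { admins++; names = names " " $2 }
      if ($2 == $3) print "WARN display name reveals username: " $2
    }
    END {
      if (admins == 0) print "WARN no administrator found"
      if (admins == 1) print "OK exactly one administrator"
      if (admins > 1)  print "WARN " admins " administrators (keep one):" names
    }'
}

# Constructed sample standing in for the wp-cli output above.
SAMPLE_USERS='ID,user_login,display_name,roles
1,admin,Site Owner,administrator
2,jsmith,jsmith,administrator
3,mary,Mary Jones,editor
4,guest42,Guest Writer,contributor'

# Number of warnings raised for the sample (handy for scripts and tests).
count_warnings() {
  printf '%s\n' "$SAMPLE_USERS" | audit_users | grep -c '^WARN'
}

printf '%s\n' "$SAMPLE_USERS" | audit_users
```

On a live site, pipe the real `wp user list` output into `audit_users` instead of the sample.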

Software updates – at the click of a button

WordPress is actually a very secure platform, but only because the WordPress security team are constantly monitoring new security threats and responding to vulnerabilities that members of the WordPress community find. When either of these things happens, they quickly issue a security release.

In fact, probably 95% of WordPress updates are security releases to fix vulnerabilities someone has found or to counter new threats.

For that reason it is very important that you log into your site each day and check for any software updates to plugins, themes or WordPress itself.

If there are updates available, then as soon as you log in you will see a little red bubble next to both the ‘Plugins’ menu item and the ‘Updates’ menu item under ‘Dashboard’.

For convenience, you can go to the Dashboard > Updates page, where all the items that need to be updated are listed. Starting with Themes, then the Plugins and finally WordPress itself, tick the checkbox next to each item and click the update button; the items you have checked will then be updated.

As simple as that.

It could not be easier, but it is very important that you check your site each day and do any updates that are available.

Backups

The last area I want to talk about as far as WordPress itself is concerned is backups.

I mentioned in the section on hosting that you should choose a host that automatically does backups of your hosting account.

Those backups will usually include everything in your hosting account, including your website, your emails and anything else you’ve uploaded to it, because they are backing up your account, not just your website.

In this case, when your hosting provider restores your account from a previous version everything to which you have access will revert to how it was at the time of the last backup.

That is what you want for your website, but may not be what you want for your entire account because you will also lose emails that arrived after the last backup was run, and that could cause some problems.

For that reason I have a backup plugin on my website that backs up just the site itself and any other directories that I specify. That means that if the site is hacked I can restore just the site to the state that it was at the last backup. My emails and other files are left untouched.

You should still choose a host that offers free backups, but I suggest you also install a WordPress backup plugin so you can back up your site independently.

The backup plugin I use on all the sites I build is BackupBuddy – more details here.

Backup plugins do a big and important job and, therefore, require some configuration. In the case of BackupBuddy the developers, iThemes, have made this as painless as possible by providing a set of recommended BackupBuddy settings.

Using public WiFi – Coffee shops etc

The next area I want to cover is safety when using public WiFi in coffee shops, airports, hotels, etc. This is not strictly WordPress related, but since many of us log in to our sites when we’re out and about it’s clearly relevant.

Earlier, in the section on Hosting, I talked about making sure your hosting provider offers a free SSL certificate and that you have clicked the button to activate it.

This will ensure that the connection between your computer and the server where your website sits is encrypted (secure).

Why is this important?

Because there is a category of threat called ‘Man in the middle’. Here’s what that means:

Public WiFi is not secure. By its nature anyone can log onto it using the publicly displayed username and password. And ‘anyone’ includes the hackers.

The hackers have scanners that enable them to monitor the traffic of everyone who’s logged onto the WiFi network, and in that way they are able to pick up the login addresses, usernames and passwords of everyone using that WiFi.

The SSL certificate I talked about earlier only relates to communications between your computer and your website. This is important for the protection of your website, but if you visit other sites that have not activated SSL while using public WiFi the hackers will still be able to monitor your traffic. They will be able to get hold of your login details for any website you log into that has not activated SSL.

As a result, I recommend that you install and use a VPN if you regularly use public WiFi.

VPNs are very easy to install and they pretty much configure themselves. In any case, they have set up instructions that are simple and easy to follow.

A VPN will encrypt all communications between your computer and every site you visit on the Internet, not just your own website, and this makes your use of public WiFi very much more secure.

Just a word of caution here: always remember that you get what you pay for! Going for free VPN services will often result in slower Internet browsing, less secure browsing, and the supplier logging (and possibly selling) your browsing data to third parties.

With a good VPN paid-for service you won’t notice any difference in browsing speed and your details will be kept properly secure – not sold or passed on to third parties.

Here’s the VPN that I use.

Putting it all together

Each of the steps I’ve covered in this article are small enough in themselves but, taken together, they will provide an improved level of security for your WordPress installation.

Remember what I said earlier though: there are more steps that you should take. These are more complex in that they require adjustments to configuration or technical settings, and you should get help to implement these if you’re not comfortable undertaking them yourself.

Most importantly, though, remember that no website can ever be 100% secure, whatever steps you take. Therefore, the smart ones among us prepare a disaster recovery plan that they can follow if (or rather ‘when’!) their website is hacked.

You should put together a recovery plan too – here is how to do that.

Cyber-crime is only growing, and you should be aware that there’s a high likelihood of your website being hacked at some point.

All the best

P.S. Is your WordPress website as secure as it could be? Take a look at the WordPress security products I have reviewed (I use all of them and I’d be happy to answer any questions you may have):