WordPress Security Best Practice Checklist in Simple English


A Jargon-Free Explanation for Small Businesses and Home Users

There are literally millions of results on Google that talk about WordPress security, but 99% of them are targeted at people who are either technical or at least technically proficient – whether they manage their own WordPress websites or manage websites for other people.

This article avoids technical stuff.

It sets out a simple, totally non-technical WordPress security best practice checklist for small business and home users who are just starting out, so that they can take some simple steps to strengthen the security of their sites without having to worry about coding or complicated configurations.

There are plenty of more involved and technical things that can be done, in addition to what I’ve described below, to strengthen your site further. The areas I’ve covered in the paragraphs that follow will provide a basic level of security, and if you would like to take things further (and you probably should) by all means contact me or take a look at this page, which describes the agency service my company offers.

So let’s get into it…


The first thing I want to address is hosting.

The web host is the company that operates the servers on which your website sits, and which presents it to the world when your web address is typed in.

Avoid free hosting!

There are many web hosting companies around, offering hosting services at a range of prices – from free to several hundred US$ a month.

Avoid the free ones!

The reason is that in order to make a profit these hosting companies rely on advertising for revenue, and spend the minimum possible on security for their infrastructure. They tend to overload their servers and do not always keep their software up to date.

And out-of-date software is one of the primary ways hackers successfully hack websites.

As with most things, with hosting you get what you pay for. Free hosting will be less secure than paid-for hosting, so don’t go for free – it’s a false economy.

You can get good, fast and secure hosting for around US$5/month (sometimes less) – here is some information on a great hosting provider that I have used for some years: click here.


The next thing you should look for in hosting is how often they back up your account.

What relevance does this have to security, I hear you ask? Here’s what:

If the hosting company has a backup of your website and your website is hacked, you can ask them to restore a previous version of your website, taken from before it was hacked. That will get your website back up and running again quickly and efficiently (and with no technical knowledge required on your part).

Free SSL Certificate?

Finally, on hosting, you want to make sure they offer a free SSL certificate. An SSL certificate means that connections to and from your website are encrypted, thereby hiding credit card and other sensitive details from prying eyes.

This is important because the major browsers are now clearly telling site visitors whether the website they are visiting is safe or not. And if you are selling stuff on your website having an SSL certificate is required.

You do not want a ‘Not secure’ warning to appear in the browser bar when you’re trying to sell something.

A good web hosting company will offer a free SSL certificate which requires only the click of a button to activate (and they’ll activate it for you if you ask).

User roles

OK that’s enough on hosting, at least for now. So let’s look at some simple steps you can take on your site itself.

Restricting user roles is a simple way of minimising the damage a hacker can do if they break into a site using someone’s username and password.

A user role is a definition of the functions that any user can have on a website. The lower the user role the fewer functions a user has access to and the less they can do.

WordPress has 5 levels of user roles. From the highest to the lowest they are:

  1. Administrator – the most powerful role. They can add, edit or delete content or users (including other administrators). They can install, edit and delete themes and plugins and they can alter site settings. They have total control of the site.
  2. Editor – these people have control of the content on the site, including comments, categories and tags, but not the ability to manage themes, plugins, settings or other users.
  3. Author – these people can add, edit or delete their own content, and they can assign existing categories and tags but not create new ones or delete them.
  4. Contributor – these people can add and edit their own posts, but they cannot publish them. They can assign categories but not create them and they can assign tags. Typically, an editor would review posts by a Contributor, make any edits they felt necessary and publish the article.
  5. Subscriber – these people cannot add or edit any content, but the role is useful if you have a site where people need to log in to read articles.

For security, each WordPress installation should have only one Administrator.

I have seen WordPress installations with as many as 8 Administrators, and that multiplies by 8 the options a hacker has of illegally accessing the site and being able to wreak havoc.

So if you have multiple users on your WordPress installation take some time to review and, where necessary, revise their roles to make them as low as possible while still enabling them to do what they need to do.

Usernames and passwords

I wrote an article back here describing the importance of choosing secure usernames and passwords on WordPress. I do urge you to read that article. It’s not technical in any way, but if there is anything I need to clarify just leave me a comment under the article.

Here are two other things you can do with passwords that will help to strengthen your site against brute force attacks:

1. Enforce strong passwords

The ability to force users to use strong passwords does not exist in the default implementation of WordPress, but there is a simple plugin you can install that will create this function for you.

Click here to read the details.

Go to your plugins page, click ‘Add new’ at the top left and type ‘Force Strong Passwords’ into the search box on the right – it should be the first plugin in the list that comes back. Just click ‘Install Now’ and then click ‘Activate’ (it’s the same button, but it changes the label when the plugin is ready to be activated) and you’re done.

Now, although a user will be able to overwrite the WordPress-generated password, they will not be able to use a password that does not meet the criteria for ‘Strong’, and that will greatly improve the site’s protection against brute force attacks (people illegally trying to access the site by guessing the username and password).

2. Enforce Password expiry

Most accounts, especially accounts containing sensitive information – e.g. your company email – require you to change your password every so often.

In this post I wrote about how many people use the same password on all their accounts and the dangers of doing that. Enforcing a change of password every so often is a way of mitigating the risk of doing that, and is something I heartily recommend.

Believe it or not, though, there are no simple password expiry plugins currently available. There are plenty of plugins that include password expiry within a lot of other functions, but those require a lot of configuration and a deeper knowledge of how WordPress works. There are also plenty of simple password expiry plugins but many of them have been closed down and the rest are not compatible with the latest version of WordPress.

Therefore, a friend and I are writing a simple password expiry plugin and I’ll post a link to it here when it’s ready. That will enable you to install this plugin and easily get users on your site to change their passwords every so often.

If you’d like to be notified when that plugin is available leave a comment below.

Display name publicly as

The final section on usernames and passwords doesn’t sound particularly relevant, but here’s why it is:

If you set up a user and don’t add their first and surnames, WordPress will display their login username by default on the front of the website as the author of posts. That would be a gift to the hackers who now only have to guess the password the user is using in order to gain access to the site.

Therefore, please fill in the user’s first and surnames, and then scroll down the user profile page and use the drop-down menu to define how their name should be displayed publicly. There will be various combinations of their first and surnames as options and this enables you to choose one that might be consistent with your business style. Alternatively the user can choose how they want to be named as the author of their posts.
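If you have someone technical helping you, the two checks described above (only one Administrator, and no author whose public display name is their login username) can be run over a list of your users. The script below is an added example, not part of the original article or of WordPress itself. It assumes a CSV export with the columns user_login, display_name and roles, which is the layout produced by WP-CLI's `wp user list --fields=user_login,display_name,roles --format=csv`; the sample users and the function name `audit_users` are made up for illustration.

```python
import csv
import io

# Roles from the article that can write posts, so their display name
# appears publicly as the post author.
AUTHORING_ROLES = {"administrator", "editor", "author", "contributor"}

# Constructed sample data (not from a real site), in the column layout of
# `wp user list --fields=user_login,display_name,roles --format=csv`.
SAMPLE_EXPORT = """\
user_login,display_name,roles
martin_admin,Martin,administrator
sitebuilder,sitebuilder,administrator
jane.w,Jane Webb,editor
guestwriter,GuestWriter,author
reader01,reader01,subscriber
"""


def audit_users(csv_text):
    """Return a list of (check, user_login, message) findings."""
    findings = []
    admins = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        shown = row["display_name"].strip()
        # WP-CLI joins multiple roles with commas inside one field.
        roles = {r.strip().lower() for r in row["roles"].split(",") if r.strip()}

        if "administrator" in roles:
            admins.append(login)

        # A public author name identical to the login gives the login away.
        if roles & AUTHORING_ROLES and shown.lower() == login.lower():
            findings.append(("display-name", login,
                             "public display name is the login username"))

    # The article recommends a single Administrator per installation.
    if len(admins) > 1:
        for login in admins:
            findings.append(("admin-count", login,
                             f"one of {len(admins)} administrators; review role"))
    return findings


if __name__ == "__main__":
    for check, login, message in audit_users(SAMPLE_EXPORT):
        print(f"[{check}] {login}: {message}")
```

Each finding names the account to look at; the fix is the one described in the article (lower the role, or fill in the names and pick a different ‘Display name publicly as’ option).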

Software updates – at the click of a button

WordPress is actually a very secure platform, but only because the WordPress security team is constantly monitoring new security threats or responding to vulnerabilities that members of the WordPress community find. When either of these things happens they quickly issue a security release.

In fact, probably 95% of WordPress updates are security releases to fix vulnerabilities someone has found or to counter new threats.

For that reason it is very important that you log into your site each day and check for any software updates to plugins, themes or WordPress itself.

If there are updates available, then as soon as you log in you will see a little red bubble next to both the ‘Plugins’ menu item and the ‘Updates’ menu item under ‘Dashboard’.

For convenience, you can go to the Dashboard > Updates page, where all the items that need to be updated are listed. Starting with Themes, then the Plugins and finally WordPress itself, check the check box next to each item and click the update button and the items you have checked will be updated.

As simple as that.

It could not be easier, but it is very important that you check your site each day and do any updates that are available.


The last area I want to talk about as far as WordPress itself is concerned is backups.

I mentioned in the section on hosting that you should choose a host that automatically does backups of your hosting account.


Those backups will usually include everything in your hosting account, including your website, your emails and anything else you’ve uploaded to it, because they are backing up your account, not just your website.

In this case, when your hosting provider restores your account from a previous version everything to which you have access will revert to how it was at the time of the last backup.

That is what you want for your website, but may not be what you want for your entire account because you will also lose emails that arrived after the last backup was run, and that could cause some problems.

For that reason I have a backup plugin on my website that backs up just the site itself and any other directories that I specify. That means that if the site is hacked I can restore just the site to the state that it was at the last backup. My emails and other files are left untouched.

You should still choose a host that offers free backups, but I suggest you also install a WordPress backup plugin so you can back up your site independently.

The backup plugin I use on all the sites I build is BackupBuddy – more details here.

Backup plugins do a big and important job and, therefore, require some configuration. In the case of BackupBuddy the developers, iThemes, have made this as painless as possible by providing a set of recommended BackupBuddy settings.

Using public WiFi – Coffee shops etc


The next area I want to cover is safety when using public WiFi in coffee shops, airports, hotels, etc. This is not strictly WordPress related, but since many of us log in to our sites when we’re out and about it’s clearly relevant.

Earlier, in the section on Hosting, I talked about making sure your hosting provider offers a free SSL certificate and that you have clicked the button to activate it.

This will ensure that the connection between your computer and the server where your website sits is encrypted (secure).

Why is this important?

Because there is a category of threat called ‘Man in the middle’. Here’s what that means:

Public WiFi is not secure. By its nature anyone can log onto it using the publicly displayed username and password. And ‘anyone’ includes the hackers.

The hackers have scanners that enable them to monitor the traffic of everyone who’s logged onto the WiFi network and in that way they are able to pick up the login addresses, usernames and passwords of everyone using that WiFi.

The SSL certificate I talked about earlier only relates to communications between your computer and your website. This is important for the protection of your website, but if you visit other sites that have not activated SSL while using public WiFi the hackers will still be able to monitor your traffic. They will be able to get hold of your login details for any website you log into that has not activated SSL.

As a result, I recommend that you install and use a VPN if you regularly use public WiFi.

VPNs are very easy to install and they pretty much configure themselves. In any case, they have set up instructions that are simple and easy to follow.

A VPN will encrypt all communications between your computer and every site you visit on the Internet, not just your own website, and this makes your use of public WiFi very much more secure.

Just a word of caution here: always remember that you get what you pay for..! Going for free VPN services will often result in slower Internet browsing, the supplier logging and possibly selling your browsing data to third parties and less secure browsing.

With a good VPN paid-for service you won’t notice any difference in browsing speed and your details will be kept properly secure – not sold or passed on to third parties.

Putting it all together

Each of the steps I’ve covered in this article is small enough in itself but, taken together, they will provide a reasonable level of security for your WordPress installation.

Always remember, though, that no website can ever be 100% secure, whatever steps you take. Therefore, the smart ones among us prepare a recovery plan that they can follow if (or rather ‘when’) their website is hacked.

You should put together a recovery plan too. Cyber-crime is only growing and you should be aware that there’s a high likelihood of your website being hacked at some point.

All the best

P.S. Is your WordPress website as secure as it could be? Take a look at the WordPress security products I have reviewed (I use all of them and I’d be happy to answer any questions you may have):

6 comments
  • Ian August 31, 2018, 10:33 am


    Surely a VPN will encrypt from your computer to the point you select on their service map. eg my ISP is Bluehost in the USA. So if I set a VPN from say HK to a point in the USA (eg San Francisco) the comms are encrypted between these two points. I believe my ISP is located in Colorado so I guess I’m not covered on that leg. I guess an SSL cert is better as it covers from the browser to the server.

    • Martin September 1, 2018, 12:23 am

      Hi Ian,

      VPNs and SSLs are doing slightly different jobs.

      The SSL certificate protects the connections between one point (your web server) and anyone who accesses it and, yes, end to end. The VPN works in the opposite direction by protecting connections from your computer to any websites you visit.

      I’m not knowledgeable enough to go into the technical details, but once your connection emerges on the other side of the destination VPN server it emerges without any trace of who you are or where you are connecting from.

      As in everything, you get what you pay for. So as long as you’re paying for a good VPN service your traffic will be running through their DNS servers (i.e. not your ISP’s DNS servers – Bluehost in your case), so your ISP cannot watch your traffic. You are completely incognito.

      Finally, the good VPN services log only the information that is needed to operate the service and resolve problems – i.e. no activity or connection logs are kept. They are also generally located in jurisdictions that offer greater privacy protections than, for example, the US (the VPN I use is based in the British Virgin Islands).

      So the SSL certificate is not necessarily better, but, if you’re the webmaster, should be used in addition to a VPN because, as I said, they are doing slightly different jobs.

      If you’re not a webmaster, of course, you have no control over whether you want to use HTTPS – that’s driven by the webmasters of the sites you visit.

      The reason I raised VPNs in this article is because they protect people who are using public Wifi networks in coffee shops, airports, restaurants, etc., from hackers who sit in the same locations with scanners trying to pick up user login credentials.



  • Rachael September 11, 2018, 11:16 pm

    Hi Martin,

    I had an issue with one of my blogs a couple years back where all the numbers in my comments randomly turned into GIFs- I can’t remember what they were exactly, but I remember being so freaked out and thinking I was going to lose a project I’d been working on for some time! I’ve been trying to stay on top of my website security ever since. I actually just noticed the “Not Secure” tag on my own blog. Do you think that’s something I should worry about even if I’m not selling anything directly on site? I do link out.. eh, I guess it wouldn’t inspire confidence in any regard.

    I’m guessing SiteGround offers that free SSL cert? I’m currently using Hostgator and I’ve never seen anything about it, but I’ll ask. I actually used SG early on but switched when I lost my introductory rate. I’m starting to wonder if I should switch back – maybe the higher price point is indicative of higher quality / security after all.

    Anyway, I really appreciated your non-technical-jargon perspective here. Most articles of this nature fly right over my non-technical head so that was great. Thanks for sharing!


    • Martin September 12, 2018, 8:59 am

      Hi Rachael,

      It’s definitely worth getting the SSL certificate so that the browsers tell visitors your site is secure. It has been a factor in ranking in the search results for some time now – HTTPS sites are generally ranked higher if all other factors are similar.

      I would definitely recommend Siteground and yes – they do offer a free SSL certificate (Let’s Encrypt). I have a VPS with them where I host mine and my clients’ sites, but you can sign up with them independently and they will import your site for you. Apart from being great WordPress hosts, their support is absolutely second to none.

      There are more details on this page, but if you have any other questions just ping me.



  • Marketa September 14, 2018, 1:14 pm

    Hi Martin,
    I didn’t realise that it was so bad to take advantage of free hosting. Thank you for this informative article; I’ll be looking into a paid service for sure.
    Have a great weekend 🙂

    • Martin September 14, 2018, 2:18 pm

      Hi Marketa,

      Thanks, and yes, unfortunately you generally get what you pay for..!

      You have a great weekend too 🙂



