How to secure your WordPress website

Andrea Ferguson

President at AndiSites Inc.
Andi is founder and President of AndiSites Inc. She writes about website design and development, best practices, and random stuff her busy brain thinks would be useful.
Andrea Ferguson

There are some easy things you can do to secure your WordPress sites:


One of the most basic and important rules is to always use a strong password  for your WordPress accounts. Website hackers have complex “brute force” algorithms that automate guessing passwords based on commonly used words numbers and character combinations. The most effective way to combat brute force algorithms is to use a password that is at least 10 characters long, uses a combination of letters numbers and special characters (!@#$%^&*),  and has no commonly used words or names in the password.


Of course making up and remembering these passwords can be a challenge, so there are websites that can help. We like but recommend altering even these passwords slightly unless you can be 100% sure your  local computer is free of spyware/malware (which is a hard thing to ensure completely) AND 100% sure you are not visiting a dummy site.   As far as remembering the password,  you can store it in a document on your local machine if you’d like, but again, you should be confident that your local machine is clean.  The safest password storage is handwritten and hidden.


Beyond passwords, if you access the backend files for your WordPress account frequently, you should always use secureFTP  (SFTP) instead of standard file transfer protocol (FTP).  The WordPress Codex has this to say about using SFTP:


“Using SFTP is the same as FTP, except your password and other data is encrypted as it is transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.”


In other words, if you are using standard FTP your password is transmitted in the clear, and anyone listening in on your network will be able to see it in plain text, making SFTP the safer choice.  Of course having a secure network–WiFi or otherwise–will guard against eavesdroppers.  We’ll discuss securing your local network in a future post.


Keeping WordPress up-to-date is one of the most effective strategies for keeping your site hack-free and secure.

The developers at work hard to search out the latest vulnerabilities to their software and implement changes to combat them in the most recent release.  If you have one of the most recent version of WordPress (3.7 or 3.8), security related updates are automatic.   And although theme and plugin developers may not always be as on top of their game as in terms of security, you should still upgrade those files when available to be sure you’re taking advantage of the most recent code and security fixes.


Information on SFTP obtained from To read more in detail about WordPress security tactics visit:

Back to Blog