WordPress is the most popular content management system around. And because it's so popular, it's also an easy target for hackers. If there's a way to get in, you can be sure it's already been exploited.
That's why it's so important to make sure your WordPress setup is as tight as possible. We keep our Managed WordPress servers well protected (our live statistics show you exactly what we've blocked over the last 48 hours), but it's up to you to ensure that your WordPress site is safe. There are steps you can take to lock things down — and with the tips below, your site can be as safe and sound as your own front door.
Check who has admin rights
Did you give a developer admin status to fix something one time? Forget to remove someone who's moved on? Is your main admin account still just called "admin"?
These are all small gaps that can lead to big problems. Go through your list of users and check who has access. If anyone no longer needs admin rights, set their role to "No role for this site".
That way, even if they (or someone pretending to be them) log in, they won't be able to make changes, edit content or accidentally (or not-so-accidentally) delete anything. And if they're listed as authors on your blog, don't worry — they'll still be credited on the posts they've written.
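The audit described above, as an added example (it is not Krystal's code and not part of the original article). It is a PHP script run through WP-CLI with `wp eval-file`, using WordPress's own `get_users()`, `count_user_posts()` and `WP_User::set_role()`; the logins in `$keep_admin` are constructed placeholders, and the script refuses to demote anyone unless you pass the word `apply`.

```php
<?php
/**
 * Admin-rights audit (added example). Run from the site root with WP-CLI:
 *   wp eval-file audit-admins.php          report only
 *   wp eval-file audit-admins.php apply    report and demote
 *
 * Assumption: the two logins below are constructed; replace them with the
 * people who genuinely still need administrator rights on this site.
 */

// Constructed allowlist of logins that keep the administrator role.
$keep_admin = ['site-owner', 'kate_b'];

// WP-CLI places positional arguments after the file name in $args.
$apply = isset($args) && in_array('apply', $args, true);

if ($apply && count($keep_admin) === 0) {
    // Never run the demotion with an empty keep list: it would remove
    // every administrator from the site, including you.
    fwrite(STDERR, "Refusing to demote with an empty keep list.\n");
    exit(1);
}

foreach (get_users(['role' => 'administrator']) as $user) {
    $warnings = [];

    // The default "admin" login is the first username any brute-force
    // attempt will try; flag it so it can be replaced with a fresh account.
    if ($user->user_login === 'admin') {
        $warnings[] = 'default "admin" username';
    }

    $keep = in_array($user->user_login, $keep_admin, true);
    if (!$keep) {
        $warnings[] = 'not on the keep-admin list';
    }

    // Post count shows who is an active author, since demoting them to
    // "No role for this site" keeps their posts and their author credit.
    printf(
        "%-20s %-32s posts=%-4d %s\n",
        $user->user_login,
        $user->user_email,
        (int) count_user_posts($user->ID),
        $warnings ? implode(', ', $warnings) : 'ok'
    );

    if ($apply && !$keep) {
        // Equivalent of choosing "No role for this site" on the Users screen:
        // the account still exists, but it can no longer change anything.
        $user->set_role('');
        printf("  -> %s set to no role\n", $user->user_login);
    }
}
```

Run the report form first and read the list; only then run it again with `apply`. On a multisite install, super admins are managed separately and are not covered by this script.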
On our Managed WordPress packages, we automatically generate unique admin usernames for added peace of mind. It's one more layer between your site and anyone trying to break in.
Don't forget about your passwords
Still using the same password you set up in 2014? Or using the same password across multiple sites and just changing the number at the end? We all do it – no wonder HaveIBeenPwned stays in business.
Your WordPress admin password should be strong, unique and separate from your Krystal Identity account. Use a trusted password manager such as 1Password, Apple Passwords, or KeePass.
Our Managed WordPress automatically generates a random password for you — and you don't even need to remember it. You can log in to your WordPress site securely through your Krystal dashboard.
After all, hackers can't steal your password from you if you don't know it to begin with.
Backup, Update, Repeat, Repeat
No matter how careful you are, there's always the risk of something going wrong. That's why regular backups matter.
With a backup, you can revert your site to a time before it was attacked, patch the problem and have everything running smoothly again.
And the best way to ensure that those problems are patched is to keep your WordPress installation as up-to-date as possible. Those updates fix security issues and bugs, so skipping them can leave your site exposed.
Managed WordPress makes both of these simple. We take regular backups of your site, and automatically update your WordPress core, themes and plugins. That's one more thing off your plate.
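For the update half of the advice above, here is an added example (not Krystal's code, not part of the original article) of a must-use plugin that turns on WordPress's built-in background updates for plugins, themes and core, while holding back one plugin that you prefer to test by hand. It uses the real WordPress filters `auto_update_plugin`, `auto_update_theme`, `allow_minor_auto_core_updates` and `allow_major_auto_core_updates`; the plugin path in `EXAMPLE_MANUAL_UPDATE_PLUGINS` is a hypothetical placeholder.

```php
<?php
/**
 * Plugin Name: Example: automatic updates for core, plugins and themes
 * Description: Added example. Save as wp-content/mu-plugins/auto-updates.php
 *              (must-use plugins load on every request and cannot be
 *              deactivated from the dashboard, so they cannot be switched
 *              off by accident).
 */

// Hypothetical plugin file (directory/main-file) that must be updated by
// hand, for instance a payment gateway you test before every release.
const EXAMPLE_MANUAL_UPDATE_PLUGINS = [
    'example-payment-gateway/example-payment-gateway.php',
];

// Plugins: update everything automatically except the exclusions above.
// $item is the update object WordPress builds for each plugin; its
// "plugin" property holds the same directory/main-file path.
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->plugin)
        && in_array($item->plugin, EXAMPLE_MANUAL_UPDATE_PLUGINS, true)) {
        return false;
    }
    return true;
}, 10, 2);

// Themes: update all of them automatically.
add_filter('auto_update_theme', '__return_true');

// Core: minor releases carry the security fixes, so allow them; allowing
// major releases too keeps the site on a supported branch.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');
```

Background updates only run if `AUTOMATIC_UPDATER_DISABLED` is not set in `wp-config.php` and WP-Cron (or a real cron job calling it) is firing, so check those two things on a site where updates seem to stall. Keep a recent backup before the first run: an automatic update that breaks a theme is exactly the situation the backup half of this section is for.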
Always use legitimate plugins and themes
Cracked versions of plugins and themes just lead to problems — opening your site to anything and everything.
If you can't afford a particular plugin or theme, look for well-reviewed free alternatives on WordPress.org. If the team there has vetted them, you can be sure they're tried, tested and safe. Trust us — no custom font or slider is worth the risk of compromising your site.
Look into security plugins
There are hundreds of free security-focused plugins in the WordPress directory. Many have paid tiers that give you even more protection and monitoring, such as two-factor authentication (2FA), directory protection and malware scanning.
If you're running a small site and already using Managed WordPress, you may not need one — our built-in protection covers most of what you'd get from a plugin. But if you rely heavily on your site for income, especially if you're running e-commerce, a little extra security can be a smart investment.
Set up extra protection
Two-factor authentication (2FA) is one of the easiest, most effective security upgrades you can make. Whether you use an Authenticator app, a third-party device, SMS messages or emails, 2FA is just an extra barrier between anyone trying to log in and your precious site's content. WordPress has an article on how to set up 2FA for your WordPress site, and you should have already set it up for your Krystal Identity (if you haven't, we have a detailed guide to help).
In your Managed WordPress control panel, you can also go one step further and lock WordPress admin access to specific IP addresses. It means you won't be able to make tweaks while on holiday, but it also means no one else can try from anywhere else.
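If your hosting has no admin IP lock, the same restriction can be applied inside WordPress. The following must-use plugin is an added example (not Krystal's control-panel feature and not part of the original article): it refuses wp-login.php and the wp-admin screens to any IPv4 address outside an allowlist. The addresses are constructed documentation ranges, and the `example_` function names are this example's own; it uses the real `login_init` and `admin_init` hooks and `wp_doing_ajax()`.

```php
<?php
/**
 * Plugin Name: Example: restrict wp-login.php and wp-admin to an IP allowlist
 * Description: Added example. Save as wp-content/mu-plugins/admin-ip-lock.php.
 */

// Constructed allowlist (RFC 5737 documentation addresses); IPv4 only.
const EXAMPLE_ADMIN_ALLOWLIST = [
    '203.0.113.10',     // a single address, e.g. the office connection
    '198.51.100.0/24',  // a whole range in CIDR form
];

/** True if IPv4 address $ip is inside $entry (a single address or CIDR). */
function example_ip_matches(string $ip, string $entry): bool
{
    $ip_long = ip2long($ip);
    [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
    $net_long = ip2long($net);
    $bits = (int) $bits;
    // A /0 entry would match every address, so treat it as a mistake.
    if ($ip_long === false || $net_long === false || $bits < 1 || $bits > 32) {
        return false;
    }
    $mask = -1 << (32 - $bits);
    return ($ip_long & $mask) === ($net_long & $mask);
}

function example_ip_allowed(string $ip): bool
{
    foreach (EXAMPLE_ADMIN_ALLOWLIST as $entry) {
        if (example_ip_matches($ip, $entry)) {
            return true;
        }
    }
    return false;
}

function example_client_ip(): string
{
    // REMOTE_ADDR is the only address the web server itself vouches for.
    // Behind a proxy or CDN, have the server restore the real client
    // address; do not read X-Forwarded-For here, any client can set it.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function example_block_if_not_allowed(): void
{
    // admin-ajax.php and admin-post.php are used by front-end features for
    // ordinary visitors, and WP-CLI has no client address, so let those
    // through; every other admin request and the login page are checked.
    if (wp_doing_ajax()
        || (defined('WP_CLI') && WP_CLI)
        || (($GLOBALS['pagenow'] ?? '') === 'admin-post.php')) {
        return;
    }
    if (example_ip_allowed(example_client_ip())) {
        return;
    }
    wp_die(
        'Access to the admin area is restricted to approved addresses.',
        'Forbidden',
        ['response' => 403]
    );
}

add_action('login_init', 'example_block_if_not_allowed');
add_action('admin_init', 'example_block_if_not_allowed');
```

Before enabling it, confirm what `REMOTE_ADDR` actually holds on your server (on a proxied site it may be the proxy, which would lock everyone out or, worse, let everyone in). Keep SFTP or file-manager access available so you can delete the file if you lock yourself out, and remember that the password-reset page is on wp-login.php and is therefore restricted too.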
For more advanced tips, WordPress has a fantastic Hardening WordPress article that'll give you even more ideas for locking down your WordPress site.
Keep aware of what's happening
Keeping everything updated and locked down is great, but keeping informed of what's happening in the WordPress world is also incredibly helpful.
Wordfence keeps track of vulnerabilities and patches on their blog, and they also have a newsletter which posts the latest security updates. Search Engine Journal also has a dedicated WordPress news section, which will give you the latest security news (since, obviously, a hacked WordPress site is bad for your search engine optimisation).
With these simple steps (and a little help from Managed WordPress), you can be sure your WordPress site is safe, secure and running smoothly.
As always, if you have any questions, feel free to get in touch — we're happy to help.
About the author
Kate B
I'm Kate, and I'm one of the Senior Marketing Managers here at Krystal. I'm a transplanted Southern Californian who likes bad pop culture, the Internet, and talking everyone's ears off about web hosting. Howdy!