TL;DR: Staying on top of your website security helps avoid issues that could potentially ruin your business. Understanding common weaknesses and developing a security routine is the best way to protect yourself.

Keeping your business running smoothly is a delicate juggling act and the last thing you need is for your website to go offline or suffer an attack. The fact is, security threats are often invisible, and unnoticed weaknesses can lead to websites going offline, data breaches, or other costly issues. 

By understanding the various aspects of WordPress website security and taking active steps to protect your online presence, you can drastically reduce your chances of falling victim to malware or other security threats. 


WordPress website security

If you have a WordPress website, you are far from alone. WordPress holds 60.8% of the CMS market share, with over 500 new WordPress websites created on a daily basis. 

There are many reasons WordPress is so popular. It has a wide variety of plugins and themes, a user-friendly interface—and is generally considered to be secure.

But that doesn’t mean it’s invulnerable. Far from it. In fact, your website is only as safe as the steps you take to protect it.

For example, if you don’t regularly keep your website up to date, you are more likely to suffer an attack. In 2019, over 56% of CMS applications were out of date when they were infected, and out-of-date plugins are the main point of entry for malware, amounting to 52% of all reported WordPress vulnerabilities. 

The vast majority of website weaknesses are directly related to human error. Poor maintenance, weak passwords, and other bad practices are common security pitfalls which you can address right now.

WordPress website security: Common weaknesses


There are many layers of WordPress website security. Having a solid foundation and good routines in place from the outset will give you a winning head start. 

We’ve already mentioned the importance of keeping your website up to date, especially if it’s running on a self-hosted Content Management System such as WordPress. Establishing a regular schedule to review and update your website should be at the top of your list.

Other simple checks include confirming that your website uses an SSL certificate (the address starts with HTTPS and there’s a padlock in the browser) and that you have a Web Application Firewall (WAF) installed to fend off malicious bot traffic. If either of these is missing, or you’re not sure, you should contact your hosting provider as soon as possible to see what they provide and what you’re responsible for. 


Human error

Next, consider the part that avoiding human mistakes plays in protecting your website. After all, WordPress website security begins with you. Your website is the online home for your business: if you give someone the key, they will be able to get in.

This is exactly what happens when you don’t take proper care of your passwords. In the course of your business, you will often have to share passwords with either internal team members or contractors. When doing this, you must make sure that:

  1. All passwords are unique.
  2. You remove users as soon as they no longer need access. 

Finally, you need to be on guard against phishing attempts, which are increasingly sophisticated and can fool even tech-literate individuals. The most common technique involves attackers pretending to be someone that you know and trust within your network. If you receive an email asking for sensitive information, even from a person that you know, confirm via another channel that it’s them before sending anything.

Develop a routine

Maintaining a secure website is a matter of routine, and by following some simple steps, you can dramatically reduce the risk of getting hacked. While by no means exhaustive, here are some best practices to take control of your website security.

1) Keep everything up to date

If you take only one measure to maintain your website security, let it be this one. We know updates can occasionally be frustrating, but any time spent doing it will be saved tenfold down the line. And that’s without going into the potential financial savings. 

This goes for both your plugins and your WordPress version. Since WordPress 3.7, you can configure WordPress core to update automatically, and since WordPress 5.5, you can opt individual plugins in to automatic updates.
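As a way to review that update state in one pass, here is an added example (not part of the original article) that reads a plugin inventory and reports which plugins are out of date and which are not opted in to automatic updates. It assumes the inventory is JSON in the shape printed by WP-CLI's `wp plugin list --format=json`; the plugin names and versions are constructed.

```python
import json

# Constructed sample inventory. Field names are assumed to match the output of
# `wp plugin list --format=json`; the plugins themselves are made up.
SAMPLE_WP_CLI_JSON = """
[
  {"name": "contact-form-x", "status": "active", "update": "available",
   "version": "2.1.0", "update_version": "2.3.1", "auto_update": "off"},
  {"name": "seo-helper", "status": "active", "update": "none",
   "version": "4.0.2", "update_version": "", "auto_update": "on"},
  {"name": "old-gallery", "status": "inactive", "update": "available",
   "version": "1.0.0", "update_version": "1.4.0"},
  {"name": "cache-boost", "status": "active", "update": "none",
   "version": "3.2.0", "update_version": "", "auto_update": "off"}
]
"""

def audit_plugins(wp_cli_json):
    """Sort plugins into outdated / auto-update off / auto-update unknown."""
    report = {"outdated": [], "auto_update_off": [], "auto_update_unknown": []}
    for plugin in json.loads(wp_cli_json):
        name = plugin.get("name", "<unnamed>")
        # Deactivated plugins are reported too: their files are still on disk.
        if plugin.get("update") == "available":
            report["outdated"].append(
                (name, plugin.get("version"), plugin.get("update_version")))
        # An inventory from an older tool may not carry the field at all;
        # report that separately instead of guessing.
        auto = plugin.get("auto_update")
        if auto is None:
            report["auto_update_unknown"].append(name)
        elif auto != "on":
            report["auto_update_off"].append(name)
    return report

if __name__ == "__main__":
    result = audit_plugins(SAMPLE_WP_CLI_JSON)
    for name, current, latest in result["outdated"]:
        print(f"UPDATE NEEDED  {name}: {current} -> {latest}")
    for name in result["auto_update_off"]:
        print(f"NOT OPTED IN   {name}")
    for name in result["auto_update_unknown"]:
        print(f"UNKNOWN STATE  {name}")
```
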


2) Use trusted plugins and themes

It’s important to know where your themes and plugins come from before you install them. You may have heard that “you get what you pay for” with WordPress themes and plugins. And while you should always do your research, “free” doesn’t always equate to “bad.”

What’s more important is to see where they come from. For example, if your chosen theme is listed on the WordPress directory, it is perfectly fine to use—even if it’s free. 

Just make sure you never install a theme or plugin from a source you don’t fully trust.

And, once again, keep everything up to date.

3) Back everything up

You should be doing this daily as it is an essential way to protect your website. If the unthinkable happens, you are easily able to roll back time and save all that precious data. It’s also especially important to back everything up before you update any themes or plugins. 

There are a number of trusted plugins you can use to help you. Here are a couple we recommend:

Be sure to send your backups to an external location, such as Dropbox or Google Drive. You can easily set up a free Google account just for your website backups and use your entire 15GB of free storage for website backups. Once you have a backup, remember to test that it works and that you’re able to restore it to another location—you don’t want to be figuring it out in a worst-case scenario.
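One way to automate the "test that it works" step, as an added example that is not from the original article: it checks a downloaded backup against the checksum recorded when it was made, reads every file the way a restore would, and confirms both the site files and the database are present. The archive layout (a `.tar.gz` holding `wp-config.php` and a `.sql` dump) is an assumption, and the sample backup is constructed in memory.

```python
import hashlib
import io
import tarfile
import zlib

def build_sample_backup(include_db=True):
    """Build a small constructed backup archive in memory (not real site data)."""
    files = {"site/wp-config.php": b"<?php // constructed sample\n",
             "site/wp-content/uploads/logo.png": b"constructed-image-bytes"}
    if include_db:
        files["site/db/dump.sql"] = b"CREATE TABLE wp_posts (ID int);\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def verify_backup(blob, expected_sha256):
    """Return a list of problems; an empty list means the restore test passed."""
    problems = []
    # 1. The copy fetched from external storage must match the recorded checksum.
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        problems.append("checksum mismatch")
    sizes = {}
    try:
        # 2. Read every file fully, as a restore would, to catch truncation.
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for member in tar:
                if member.name.startswith("/") or ".." in member.name.split("/"):
                    problems.append("unsafe path: " + member.name)
                elif member.isfile():
                    sizes[member.name] = len(tar.extractfile(member).read())
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        problems.append("archive unreadable: %s" % exc)
    # 3. A WordPress restore needs both the files and the database.
    if not any(n.split("/")[-1] == "wp-config.php" for n in sizes):
        problems.append("wp-config.php missing")
    if not any(n.endswith(".sql") and size > 0 for n, size in sizes.items()):
        problems.append("no non-empty database dump")
    return problems

if __name__ == "__main__":
    good = build_sample_backup()
    digest = hashlib.sha256(good).hexdigest()
    print("intact backup:   ", verify_backup(good, digest))
    print("truncated backup:", verify_backup(good[: len(good) // 2], digest))
```
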

WordPress website security is an ongoing process, and integrating it into your everyday life is the best way to combat any threats and keep everything running smoothly. But there’s no time to delay. It’s vital to begin implementing security best practices as soon as possible.

If you’d like further help, we’re always on hand to chat. Feel free to reach out at any time!

About The Author
Justin Korn

Justin is the founder of Watchdog Studio, and former Director of IT at both Wells Fargo Securities and AirTreks. A prodigy of the dotcom era, he now provides businesses in Oakland, California and the surrounding Bay Area with honest, expert website services to drive growth.