10 Security Steps You Should Take Before Launching Your WordPress Site

There’s a lot to think about when you’re about to launch your WordPress site, but it’s important not to neglect taking the proper security steps. Site security can be one of those things you don’t realize you need until you have a problem, but by then it may be too late.

Prepare to succeed with your new site by taking the proper steps upfront. In this post, we’ll look at ten security steps that will get you off on the right foot with your new site.

1. Keep WordPress Updated

The first line of protection for your site is to keep everything updated. This includes not only using the most current version of WordPress, but also keeping plugins and themes up to date as well.

Updating matters because many releases exist specifically to patch known security issues. Once a patch is published, the flaw it fixes is public knowledge, and attackers scan for sites still running the old version, so an unpatched site is a far easier target than a current one.

Updates also bring new features and options, but security is the reason to treat them as non-negotiable. Before you launch, make sure WordPress, your theme and every plugin are current, and plan to keep them that way. If you’re handing the site off to a client, make sure their team understands why updates matter and knows how to apply them as they’re released.

2. Be Choosy with Themes and Plugins

Beyond keeping your theme and plugins up to date, don’t install “sketchy” plugins of questionable origin. Plugins and themes downloaded from unofficial sites, and especially “nulled” (pirated) copies of premium products, may contain sloppy, easily exploitable code or outright malicious content such as backdoors.

[Image: WordPress.org menu showing the Themes and Plugins directories]

Plugins and themes listed in the WordPress Theme Directory and Plugin Directory with large numbers of active installs, recent updates and good reviews are the safest choice: they are reviewed on submission and their code is public. Third-party premium plugins from established developers that aren’t listed on WordPress.org are also generally safe, as long as the vendor’s site is high quality, the plugin is actively maintained, and users report good experiences with it.

3. Create Strong Passwords

Web-savvy readers may be shaking their heads at my mentioning this, but realistically many users still don’t use strong passwords. A surprising number still pick “123456” or “password”. Even “p@ssw0rd” isn’t much better: cracking tools apply exactly these letter-for-symbol substitutions to every word in their lists, so it falls almost as fast as the plain word.

Fortunately, creating a strong password doesn’t have to be difficult. My tool of choice is Strong Password Generator, which produces a long string of random letters, numbers and symbols. Length and randomness are what make a password hard to crack; a generated password kept in a password manager beats any pattern you could memorize. Use a unique one for every account that can log in to the site.
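As an added illustration (not part of the original post and not code from the Strong Password Generator tool), the following Python shows both halves of the point: generating a password from the operating system’s random source and computing its entropy, and why a “clever” substitution like p@ssw0rd buys nothing, because the same letter-for-symbol rules a person uses are the first ones a cracking tool applies. The wordlist is a constructed stand-in for the multi-million-entry lists real tools use.

```python
import math
import re
import secrets
import string

# Alphabet the generator draws from: 52 letters, 10 digits, 25 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.<>?"

# Letter-for-symbol swaps that every cracking tool's mangling rules already
# include. Reversing them shows how little "p@ssw0rd" hides.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})

# Constructed stand-in for a cracking wordlist (real ones hold millions of entries).
WORDLIST = {"password", "123456", "qwerty", "letmein", "welcome", "admin", "iloveyou"}


def generate_password(length: int = 20) -> str:
    """Draw `length` symbols uniformly from ALPHABET using the OS CSPRNG."""
    if length < 12:
        raise ValueError("12 characters is the floor for an admin password")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def normalize_leet(candidate: str) -> str:
    """Apply the rules a cracker applies: drop trailing digits, undo substitutions, lowercase."""
    stripped = re.sub(r"\d+$", "", candidate) or candidate
    return stripped.translate(LEET_MAP).lower()


def is_weak(candidate: str, wordlist: set = WORDLIST) -> bool:
    """True if the password itself or its normalized form is a wordlist entry."""
    return candidate.lower() in wordlist or normalize_leet(candidate) in wordlist


if __name__ == "__main__":
    for pw in ("123456", "password", "p@ssw0rd", "P@$$w0rd1", generate_password()):
        print(f"{pw:24} weak={is_weak(pw)}")
    print(f"{entropy_bits(8, 26):.1f} bits for 8 lowercase letters vs "
          f"{entropy_bits(20):.1f} bits for 20 random symbols")
```

The entropy figure is the honest measure: eight lowercase letters give under 38 bits, while twenty symbols drawn from this alphabet give about 129, and no substitution trick closes that gap.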

4. Limit Admin Access

The initial setup and launch of your site is the perfect time to think about who will have access to the admin area, because few people on your team are likely to need it. For those who do, take advantage of WordPress’s built-in Roles and Capabilities. WordPress offers a number of access levels, from Subscriber all the way up to Super Admin on a multisite network.

Only your developer, site manager and similar roles need the Administrator role, which on a single-site install includes installing plugins and editing theme files. Give team members who will just be creating, editing and updating content the Contributor, Author or Editor role instead, and remove or downgrade accounts that are no longer needed (including any the developer used) once the launch work is done.

5. Limit Login Attempts

Every extra guess an attacker gets in a brute-force attack raises their chance of success. A simple plugin can cap the number of failed login attempts from a given IP address before locking that address out for a while.

The Limit Login Attempts plugin is my solution of choice. The plugin hasn’t been updated in a couple of years, which isn’t ideal, but it has more than a million active users, a number of five-star reviews and recommendations from many WordPress blogs. Two caveats are worth knowing before you rely on it. An unmaintained plugin won’t receive fixes if a flaw is found in it, so confirm it still works with your WordPress version and keep an eye out for a maintained alternative. And IP-based lockouts are a speed bump rather than a wall: attackers can spread guesses across many addresses, and xmlrpc.php offers a second route for password guessing, so pair this step with strong passwords and consider disabling XML-RPC if nothing you use needs it.
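To make the lockout mechanism concrete, here is an added example (my own Python, not code from the Limit Login Attempts plugin or from this post) of what such a plugin implements: a sliding window of failed attempts keyed by source IP, plus an optional second counter keyed by the target account to blunt attackers who rotate IP addresses against one username. The account, password and IP addresses are constructed for the demo, and the clock is injectable so the run does not really wait twenty minutes.

```python
import hmac
import time
from collections import deque

# Constructed account for the demo. Real code stores a password hash and
# compares against the hash, never against the plaintext.
USERS = {"siteowner": "Vq7!pR2$kL9#wZe4"}


class LoginThrottle:
    """Sliding-window login limiter keyed by source IP and, optionally, by account.

    Per-IP counting is what the plugin does and stops one machine hammering the
    form. Per-account counting also blunts attackers who rotate IP addresses
    against a single username; the trade-off is that a guesser can lock the real
    owner out for lockout_s, so keep the lockout short and alert on it.
    """

    def __init__(self, max_attempts=5, window_s=900, lockout_s=1200,
                 per_account=True, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window_s = window_s        # failures older than this no longer count
        self.lockout_s = lockout_s      # how long a key stays locked once it trips
        self.per_account = per_account  # also lock the targeted username
        self.clock = clock              # injectable so tests can fast-forward time
        self._failures = {}             # key -> deque of failure timestamps
        self._locked_until = {}         # key -> time the lock expires

    def locked_for(self, key: str) -> float:
        """Seconds of lockout remaining for key (0 if not locked)."""
        return max(0.0, self._locked_until.get(key, 0.0) - self.clock())

    def _record_failure(self, key: str, now: float) -> None:
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window_s:   # age out old failures
            q.popleft()
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_s
            q.clear()

    def attempt(self, ip: str, username: str, password: str, users=USERS) -> str:
        """Return 'locked', 'bad_credentials' or 'ok'."""
        now = self.clock()
        ip_key, user_key = f"ip:{ip}", f"user:{username}"
        if self.locked_for(ip_key) or (self.per_account and self.locked_for(user_key)):
            return "locked"   # refused before the password is even checked
        stored = users.get(username)
        if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
            self._failures.pop(ip_key, None)
            return "ok"
        self._record_failure(ip_key, now)
        self._record_failure(user_key, now)
        return "bad_credentials"


class FakeClock:
    """Controllable clock for the demo."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate(guesses, ips, per_account=True) -> list:
    """Replay one guess per second against 'siteowner' from the given IPs, then
    retry the real password after the lockout period has elapsed."""
    clock = FakeClock()
    throttle = LoginThrottle(per_account=per_account, clock=clock)
    results = []
    for guess, ip in zip(guesses, ips):
        results.append(throttle.attempt(ip, "siteowner", guess))
        clock.advance(1)
    clock.advance(throttle.lockout_s)
    results.append(throttle.attempt(ips[-1], "siteowner", USERS["siteowner"]))
    return results


# Constructed guess list: five wordlist entries, then the real password.
GUESSES = ["123456", "password", "p@ssw0rd", "letmein", "qwerty", USERS["siteowner"]]
ONE_IP = ["203.0.113.9"] * 6                       # single attacker machine
MANY_IPS = [f"198.51.100.{i}" for i in range(6)]    # attacker rotating addresses

if __name__ == "__main__":
    print("one IP:            ", simulate(GUESSES, ONE_IP))
    print("rotating, per-IP:  ", simulate(GUESSES, MANY_IPS, per_account=False))
    print("rotating, per-user:", simulate(GUESSES, MANY_IPS))
```

The third run is the reason for the per-account counter: with IP-only counting, the attacker who rotates addresses lands the correct password on the sixth try as if no limiter existed.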

6. Use a Different Username for Display

[Image: login screen with a username that is not “admin”]

Speaking of brute-force logins, avoid exposing your actual username on your site. If your login name appears on the site, you’ve given attackers half of what they need at the login page. Head to your profile page in the admin area and set a display name that differs from the username you log in with. Be aware that this only covers what your theme prints: WordPress also reveals login names through author archive URLs (mysite.com/?author=1 redirects to /author/username/, and that slug defaults to the login name) and, on versions that include the REST API, through the /wp-json/wp/v2/users endpoint. So don’t rely on a display name alone, and never use “admin” as the login name.

7. Hide Your Login Page

[Image: Move Login plugin settings]

This is one of my favorite security ideas, because it’s so simple. On nearly every WordPress site the login page sits at mysite.com/wp-login.php (and mysite.com/wp-admin redirects there). Move Login is a simple plugin that lets you change that URL. Be clear about what this buys you: it’s obscurity, not a lock. It cuts the volume of automated attacks that blindly hit wp-login.php, but a determined attacker can still find the new page, so treat it as a supplement to strong passwords and login limits rather than a replacement.

8. Hide Your WordPress Version Number

Yet another simple precaution that can be implemented in a few clicks. Hiding your WordPress version number adds a modest layer of security by making it harder for attackers to know which known vulnerabilities to try against your site.

[Image: Remove Version plugin]

Your version number can be hidden with a simple bit of code in your theme (removing the generator meta tag that WordPress adds to the page head), although there are also plugins like Remove Version available. Note that the generator tag isn’t the only leak: the ?ver= query string WordPress appends to core scripts and stylesheets, and the readme.html file in the site root, give the version away too, so check those as well.

This tip only really helps if you’re running an outdated version, since attackers scanning for a specific vulnerability simply try it regardless of what the site claims. Keep WordPress updated at all times and the version number matters much less.
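Because both the display-name step above and this version-hiding step are about what your site gives away before anyone logs in, this added example (my own Python, not code from the post or from the Remove Version plugin) is a small pre-launch checker for the leaks described: the generator meta tag, ?ver= query strings on core and theme assets, a public readme.html, the ?author=1 redirect that exposes the author slug (which defaults to the login name), and the REST API users endpoint. It runs against constructed responses representing a fresh site and a hardened one; to use it for real, fill the same dictionary from a fetcher pointed at your staging site. The hostname, version and user names in the sample data are made up.

```python
import json
import re
from urllib.parse import parse_qs, urlparse

# Constructed responses standing in for what a crawler would fetch from a
# freshly installed site: path -> (status, headers, body).
FRESH_SITE = {
    "/": (200, {}, (
        '<!DOCTYPE html><html><head>'
        '<meta name="generator" content="WordPress 4.2.2" />'
        '<link rel="stylesheet" href="https://mysite.example/wp-content/themes/twentyfifteen/style.css?ver=4.2.2" />'
        '<script src="https://mysite.example/wp-includes/js/jquery/jquery.js?ver=1.11.2"></script>'
        '</head><body><p class="byline">Posted by Tom</p></body></html>')),
    "/readme.html": (200, {}, "<h1>WordPress</h1><br />Version 4.2.2"),
    "/?author=1": (301, {"Location": "https://mysite.example/author/tewer/"}, ""),
    "/wp-json/wp/v2/users": (200, {}, json.dumps([{"id": 1, "name": "Tom", "slug": "tewer"}])),
}

# The same paths after hardening: no generator tag or ?ver=, readme removed,
# author archives and the users endpoint denied.
HARDENED_SITE = {
    "/": (200, {}, '<html><head><link rel="stylesheet" '
          'href="https://mysite.example/wp-content/themes/twentyfifteen/style.css" /></head><body></body></html>'),
    "/readme.html": (404, {}, ""),
    "/?author=1": (403, {}, ""),
    "/wp-json/wp/v2/users": (401, {}, '{"code": "rest_user_cannot_view"}'),
}

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.I)
README_RE = re.compile(r"Version\s+([\d.]+)")
ASSET_RE = re.compile(r'(?:src|href)="([^"]+)"')
AUTHOR_RE = re.compile(r"^/author/([^/]+)/?$")
NOT_FOUND = (404, {}, "")


def find_version_leaks(site: dict) -> list:
    """Report every place the front page and readme disclose the WordPress version."""
    leaks = []
    _, _, html = site.get("/", NOT_FOUND)
    m = GENERATOR_RE.search(html)
    if m:
        leaks.append(f"generator meta tag reveals WordPress {m.group(1) or '(unversioned)'}")
    for url in ASSET_RE.findall(html):
        parts = urlparse(url)
        ver = parse_qs(parts.query).get("ver")
        # Core files under /wp-includes/ and theme stylesheets are enqueued with the
        # WordPress release as ?ver= by default; bundled libraries carry their own
        # version, which still tells an attacker exactly what to look up.
        if ver and parts.path.startswith(("/wp-includes/", "/wp-content/themes/")):
            leaks.append(f"?ver={ver[0]} on {parts.path}")
    status, _, body = site.get("/readme.html", NOT_FOUND)
    if status == 200:
        m = README_RE.search(body)
        leaks.append("readme.html is public" + (f" and states {m.group(1)}" if m else ""))
    return leaks


def find_username_leaks(site: dict) -> list:
    """Report login names exposed regardless of the display name shown on posts."""
    leaks = []
    status, headers, _ = site.get("/?author=1", NOT_FOUND)
    m = AUTHOR_RE.match(urlparse(headers.get("Location", "")).path)
    # The author slug (user_nicename) defaults to the login name and is not
    # changed by editing the display name in the profile.
    if status in (301, 302) and m:
        leaks.append(f"?author=1 redirect exposes author slug '{m.group(1)}'")
    status, _, body = site.get("/wp-json/wp/v2/users", NOT_FOUND)
    if status == 200:
        try:
            users = json.loads(body)
        except ValueError:
            users = []
        for user in users:
            leaks.append(f"REST users endpoint exposes slug '{user.get('slug')}'")
    return leaks


def check_site(site: dict) -> dict:
    """Run both checks; an empty result means these items are launch-ready."""
    findings = {"version": find_version_leaks(site), "usernames": find_username_leaks(site)}
    return {k: v for k, v in findings.items() if v}


if __name__ == "__main__":
    for name, site in (("fresh install", FRESH_SITE), ("hardened", HARDENED_SITE)):
        print(name, "->", check_site(site) or "no leaks found")
```

Run against the fresh sample it reports four version disclosures and two username disclosures; against the hardened sample it reports nothing, which is the state to aim for before launch.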

9. Make and Keep Regular Backups

Backups let you get your site back to how it was before you installed a bad plugin, before a hacker planted malicious code, or before someone broke the site, assuming you’ve kept your backups, that is.

Set up a regular off-site backup with a plugin like VaultPress or UpdraftPlus, and if you ever have a problem you’ll be able to recover quickly. Store the backups somewhere the web server itself can’t write to, so an attacker who compromises the site can’t delete them as well, and test a restore before launch so you know the backup actually works.

Most backup plugins and services have an upfront or recurring cost. Most will let you send backups to Google Drive, Dropbox or another cloud storage location. Some do real-time backups, while others rely on a schedule you set. For more on your options, check out this post over at WPBeginner.

10. Use a Security Plugin

A security plugin differs from the individual precautions above in that it monitors and logs attempts to break into your site. Those statistics are useful when deciding what else your site needs. If you see many blocked attempts, your site is more of a target than you assumed, and extra precautions you previously thought you could skip become worthwhile. Paying for a premium plugin, or $5 per month for a service like VaultPress, is easier to justify once you can see the attacks it’s stopping.

Good security plugins to get your site ready for launch include:

Even More Security Steps

The above security measures should keep most new sites safe from hackers and malicious code, but some users may want to do more. You could for example:

  1. Turn off directory browsing, so the web server doesn’t list the contents of folders such as wp-content/uploads
  2. Disable file editing (the DISALLOW_FILE_EDIT setting in wp-config.php removes the theme and plugin editors from the admin area, so a stolen admin login can’t be used to drop code onto the server)
  3. Enable HTTPS, at minimum for the login page and admin area

These steps are more involved than the basics above, so casual users and business owners should arguably let a developer handle them. But for a site that handles user information, a large membership database, e-commerce, or anything else that makes it a high-value target, they’re well worth considering.

Wrapping Up

With these ten steps, your new WordPress site will be in far better shape when you’re ready to launch. As you can see there’s a range of options, from very simple fixes to more complex precautions, and some have a cost you’ll need to consider.

However you go about it, put strong security in place before the site is live. It will make the launch and the day-to-day running of your site more fun and hassle free.

Have your own must-do security tips for new sites? Let us know what we missed in the comments below!

About Tom Ewer

Tom Ewer is a professional blogger, longtime WordPress enthusiast and the founder of WordCandy.

1 Comment

  1. Andres on July 5, 2015 at 8:18 pm

    Great article! Concise and on point. Thanks for posting!

    I would also recommend BruteProtect (https://wordpress.org/plugins/bruteprotect/) by Automattic. Have you used Clef two-factor authentication (https://wordpress.org/plugins/wpclef/)? I’ve been researching it a bit before trying it. Looks like a good idea.

    The only thing I would say is I didn’t like WordFence. It’s extremely taxing on the server’s RAM, and I saw an exponential increase in attacks on a new site when prior it barely had any visits. Uninstalled.
