WordPress is the most popular Content Management System (CMS) on the Internet today.

Since its initial launch back in 2003, the blogging platform has become extremely popular. Today, more than 23.3 percent of the top 10 million websites are using it for a variety of different purposes.

Together with its significant expansion, however, WordPress has faced several security problems, which continue to persist. It’s nothing unusual for a WordPress website to get attacked by hackers, who often succeed in installing malware in one or more areas of its core structure, stealing or damaging data.

If you own a WordPress website, then you need to be familiar with the platform’s security issues. The big question is: how can you be sure that your website, your files and the people visiting your pages are secure? After all, there are hundreds of thousands of WordPress site owners who have implemented payment gateways on their websites or who use their sites as part of their business. The last thing you want, if you fall into that category, is to risk the loss or theft of sensitive data.

So, let’s see the 5 best tips that will help you secure your WordPress website and protect you from malware attacks:

  • Always Stay up to Date (Themes, Plugins, WordPress)

This may sound rational but there are still hundreds of thousands of WordPress site owners who don’t update their plugins, site themes and WordPress itself. The process is really simple and all you have to do is log in to your admin panel and follow the prompts about pending updates.

As SC Magazine reports, more than 100,000 WordPress websites were infected by malware back in December of 2014, and that number was going up. Outdated plugins, themes and WordPress installations are the easiest way for malware to get into your CMS and harm your files before you know it.

Think about it: why are there even updates in the first place? Yes, it is to release new features, but MOST often it is because there were bug fixes. In layman’s terms, this means that the plugin, theme or whatever was previously vulnerable and the new version is secure (for now).

So, step one: always keep everything related to your WordPress website up to date. Be careful: if you made customizations to your core files, they may be affected by such updates.

  • Keep your Computer Secure

Make sure your computer is secured and malware-free. An infected computer may eventually affect your WordPress installation and work as the “vehicle” for a virus to be transferred straight into your database or installation files. Use a well-known and reliable computer to significantly reduce your risk of this security threat.

Be careful: if you own an Apple computer, the myth about Macs not getting infected by viruses was busted long ago.

Key phrase: A secure computer = decreased risk.

  • Back it up

This one is essential. I strongly doubt that there is a serious company that doesn’t perform at least some backups of its data. So if you are one (or plan to become one), or even if you just want to stay away from unnecessary headaches, install a backup plugin today. There are several different backup plugins that you can use, most of which are reliable. Some of them are free (or based on freemium models). You may go ahead and search the market to find the one that best suits your needs and pocket. I’ve personally used Updraft Plus in several different WordPress websites and I am very satisfied with its performance.

When you are backing up, make sure that your plugin backs up your files, plugins, themes and database. If you back things up to a cloud service, like Dropbox or Google Drive, you’ll greatly reduce your exposure to threats. Be aware that some plugins perform backups on the same server as your WordPress installation, which is not recommended. That’s because, if a virus infiltrates your system, it may harm your backups, too, so you’ll obviously be in trouble.

Key to remember: Always back up your data, including your WordPress website’s themes, plugins, customizations, and databases.

  • Consider a WordPress Security plugin

Due to the high number of infected websites, several WordPress security plugins have emerged in the market over the last few years. Again, you may search a few different plugins to find the one that suits your specific needs. There are some plugins which have over a million downloads each and they are reliable. In most cases, they will automatically perform all those nitty-gritty tasks that you would have to do manually if you didn’t have them installed.

If you know what you are doing and you feel confident about performing tasks like altering your .htaccess files, then you may as well do it yourself. If not, whether you have little to no programming knowledge, want to save time or are just starting out with WordPress, installing a security plugin will save you from all the hassle. Some security plugins come with onboard backup features.

Key point: Installing a security plugin is recommended, especially if your WordPress website is used for business purposes.

  • Ensure you are the only one getting admin access

This actually breaks down to several sub-parts, which you have to pay attention to, in order to ensure your WordPress site stays secured. First and foremost, be very careful with the login credentials of your administrator profile. By default, WordPress will assign the “admin” username for the admin of your site, and that’s the first step for a hacker to break into your files. Make sure you change it during the initial setup-installation of WordPress.

Another important point that often gets neglected is your password. This CNET article shows you the worst passwords for 2014, and if you happen to find yours in that list, change it immediately.

On top of that, you may also want to install a plugin that limits login attempts. Hackers may attempt to gain access to your website by using automated tools that keep trying different passwords until one is correct. With a plugin that limits login attempts, you can feel a bit less worried about strangers getting admin access to your website.

Key phrase: Prevent hackers from getting admin access to your WordPress site.


6) Finally, when it comes to ecommerce, an SSL certificate is an absolute must! Actually, even if you don’t accept payments directly on your site, an SSL certificate can protect your users from having their log-ins stolen (likely the same log-ins that they use on other websites). This is why I highly recommend an SSL certificate. I recommend the SSL Store for SSL certificates; otherwise you could purchase one directly through your hosting company, although that is not recommended. (Note: if you are on a shared hosting plan, you’ll need to purchase a dedicated IP in your hosting account before installing the SSL certificate.)

When you sell something online, you are taking on a certain amount of risk. The least risky would be to not accept payments at all. Probably the second least risky would be to set up payments through PayPal. The third would be to go through a professional company such as Shopify or Volusion. Finally, if you are setting up an ecommerce store and are worried about security, you should contact a professional.

Thanks for reading!
