Secure your WordPress website

Welcome to my WordPress Security Guide.

This guide deals with all aspects of WordPress security, both malicious threats and other considerations related to protecting the integrity and availability of your website.

Read my six-step WordPress security preparation below before implementing any of the security measures.

Christopher Bennetts, September 2015


Before looking at any of the security measures in this guide it is important that you read the following.

Protection Requirement:

BASIC: Recommended for all

OPTIONAL: Advanced security measure not required by most

SPECIAL: Only for those with a special need

Skills / Resources: Guide to skill level and resources required to implement


1. Document all changes

You need to keep a record of each security measure you implement. Do not skip this step. Not doing so could cause hours of confusion and frustration. It does not matter how you document it as long as you do and you keep the documentation in a safe place.

I plan to develop a template where you can record all security measures. When complete you will see a link to it here.

3. Back up before implementing any security measures

Even the most experienced webmasters can make a mistake, and this can break WordPress. Having a backup gives you an easy rollback option to restore things the way they were in the event that it all goes terribly wrong.

Along the way, whenever you are going to edit a system file, make a quick copy of that file first. If the changes you make do not work, you can quickly restore the original. You really don’t want to restore the entire site from backup because of one small error made in editing a single file.

4. Implement only those security measures you believe you need

Implementing every security measure simply because you can will often cause you a lot of unnecessary frustration. With almost every security measure there is a cost in terms of ease of access or some other restriction.

5. Implement only one change at a time

When implementing security measures, implement only one change at a time and then test it. If it is working, document it and move on to the next.

6. Ongoing Security maintenance and reviews

Security is not a one-time measure. While some of the security measures you implement are, there are many tasks that need to be performed on a regular basis, such as checking and updating your CMS and plugins, scanning for malware, and keeping up to date with security and threats in general.

You need to schedule ongoing security maintenance and reviews. If you can’t commit to this, then outsourcing it might be the best option. Virtual Webmaster Services can relieve you of this task and also attend to many other tasks related to maintaining your website.
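
As an added example (not part of the original guide), here is one way to combine steps 1 and 3 when editing a single file: a shell helper that copies the file to a directory outside the web root, records the change with a checksum, and restores the copy on request. The directory, log path and function names are assumptions, and `sha256sum` is assumed to be available on the server.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. All names and paths are assumptions.
# Backups go OUTSIDE the web root: a copy such as wp-config.php.bak left beside
# the original can be served as plain text and expose database credentials.
BACKUP_DIR="${BACKUP_DIR:-$HOME/wp-file-backups}"
CHANGELOG="${CHANGELOG:-$HOME/wp-security-changes.log}"

# backup_file <file> <note>: copy <file> before editing it and record the change.
# Prints the path of the backup copy.
backup_file() {
    local file="$1" note="$2" stamp backup sum
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    [ -n "$note" ] || { echo "describe the change you are about to make" >&2; return 1; }
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR" || return 1
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    backup="$BACKUP_DIR/$(basename "$file").$stamp"
    if [ -e "$backup" ]; then echo "backup already exists: $backup" >&2; return 1; fi
    cp -p -- "$file" "$backup" || return 1   # -p keeps mode and timestamps
    sum="$(sha256sum -- "$backup" | cut -d' ' -f1)"
    # One tab-separated record per change: time, file, backup, checksum, note.
    printf '%s\t%s\t%s\t%s\t%s\n' "$stamp" "$file" "$backup" "$sum" "$note" >> "$CHANGELOG"
    printf '%s\n' "$backup"
}

# restore_file <file>: put back the most recently recorded backup of <file>,
# refusing if the backup no longer matches the checksum in the change record.
# Pass the same path string that was given to backup_file.
restore_file() {
    local file="$1" entry backup logged actual
    entry="$(awk -F'\t' -v f="$file" '$2 == f { last = $0 } END { print last }' "$CHANGELOG")"
    [ -n "$entry" ] || { echo "no recorded backup for $file" >&2; return 1; }
    backup="$(printf '%s\n' "$entry" | cut -f3)"
    logged="$(printf '%s\n' "$entry" | cut -f4)"
    actual="$(sha256sum -- "$backup" | cut -d' ' -f1)"
    [ "$actual" = "$logged" ] || { echo "checksum mismatch: $backup" >&2; return 1; }
    cp -p -- "$backup" "$file"
}
```

Source the file, run `backup_file` with a short note before each edit, and run `restore_file` on the same path if the change breaks the site.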


I produced this guide in an online format because the nature of security means that it is constantly subject to change. A guide published in PDF format would quickly go out of date. I will continue to update and expand this guide, especially as new threats emerge along with new methods and tools to deal with them.