How to Keep WordPress Secure

You’ve probably noticed a little message at the top of your WordPress admin, telling you that there is a new version of WordPress available and giving you a link to upgrade.


Each new version of WordPress fixes newly discovered security vulnerabilities and protects against bugs and hackers (as well as introducing fantastic new features and better usability). Just as you keep your anti-virus software up to date, you should also make sure your website is always running the latest version of WordPress.

Not updating regularly leaves your website vulnerable to attacks. You may also find that some plugins are not compatible with older versions of WordPress, so you will have problems adding new functionality to your website.

Follow these steps regularly to keep your website safe from hackers!

Step 1 – Backup Your Website

  1. Upload and activate the WP-DB-Backup plugin on your website
  2. On your admin sidebar, go to Tools then Backup
  3. Tick all the boxes in the top section and email yourself a backup of your website
  4. Set up the bottom section to email you a backup file automatically once a week
  5. On your admin sidebar, go to Tools then Export
  6. Export a copy of your content and save it to your computer
  7. If you have FTP access, you could also download a copy of your wp-content folder (this contains your customised theme, your active plugins and all your images)

NOTE: Make sure the backup file has actually arrived in your inbox. If it hasn’t, you may also need to add the SMTP Email plugin and ask your website host for an SMTP address to enter. This will make sure that all website-generated emails get through.

Step 2 – Upgrade WordPress Version

You will find an Upgrades section under the Dashboard tab at the top of your admin sidebar.

Be aware that if the automatic upgrade doesn’t work, you will need an FTP program and the FTP access details for your website so that you can manually upload and overwrite the necessary files. It is also recommended that you deactivate all your plugins before upgrading.

To upgrade WordPress automatically, do the following:

  1. Click on the upgrade link at the top of your screen
  2. Click on the Upgrade Automatically button
  3. Wait until you see the message saying that your upgrade was successful

If you can’t upgrade automatically, or would prefer to do it manually, do the following:

  1. Download the latest version of WordPress and unzip it
  2. Using FTP, overwrite the wp-admin folder and the wp-includes folder
  3. Overwrite all the files in your root directory
  4. Leave the wp-content folder as it is, apart from overwriting its index.php file
  5. Once you have upgraded, go to your WordPress admin and you should see a message to upgrade the database
  6. Click on the link to complete your upgrade.

Get more detailed instructions here…
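The manual procedure above, written as a shell script for hosts where you have shell access rather than only FTP. This is an added example, not part of the original post: it takes the Step 1 backup first (kept outside the web root so the copied wp-config.php is never served), then replaces wp-admin and wp-includes, refreshes the root files and leaves wp-content alone apart from its index.php. It moves the old core folders aside rather than overwriting in place, so files dropped by the new release do not linger in the install (the point raised in the comments below). The paths SITE and NEW are assumptions: the web root of the existing install and the unzipped latest release.

```sh
#!/bin/sh
# Added example (not from the original post): manual WordPress core upgrade
# that takes the Step 1 backup first and mirrors the Step 2 manual procedure.
# Assumptions: SITE is the web root of an existing install, NEW is the unzipped
# directory of the latest WordPress release (containing wp-admin/, wp-includes/
# and index.php), and you have shell access to the host rather than only FTP.
set -eu

wp_upgrade() {
  SITE=$1; NEW=$2
  STAMP=${3:-$(date +%Y%m%d%H%M%S)}
  # The backup lives beside the web root, not inside it, so the copy of
  # wp-config.php (database credentials) is never served by the web server.
  BACKUP="$SITE/../backup-$STAMP"
  # Refuse to run unless SITE is really a WordPress root and NEW a real release.
  [ -f "$SITE/wp-config.php" ] && [ -d "$SITE/wp-content" ] || return 1
  [ -d "$NEW/wp-admin" ] && [ -d "$NEW/wp-includes" ] && [ -f "$NEW/index.php" ] || return 1

  # Step 1: back up the config and wp-content (theme, plugins, uploads) first.
  mkdir -p "$BACKUP"
  cp -p "$SITE/wp-config.php" "$BACKUP/wp-config.php"
  cp -Rp "$SITE/wp-content" "$BACKUP/wp-content"
  # As the NOTE on the page says: check the backup actually exists before going on.
  [ -f "$BACKUP/wp-config.php" ] && [ -d "$BACKUP/wp-content" ] || return 1

  # Move the old core directories aside instead of overwriting in place, so
  # files that the new release removed do not linger in the install.
  mv "$SITE/wp-admin" "$BACKUP/wp-admin"
  mv "$SITE/wp-includes" "$BACKUP/wp-includes"
  cp -Rp "$NEW/wp-admin" "$SITE/wp-admin"
  cp -Rp "$NEW/wp-includes" "$SITE/wp-includes"

  # Root files: overwrite everything except wp-content and wp-config.php.
  for f in "$NEW"/*; do
    name=$(basename "$f")
    case "$name" in
      wp-admin|wp-includes|wp-content|wp-config.php) ;;
      *) if [ -f "$f" ]; then cp -p "$f" "$SITE/$name"; fi ;;
    esac
  done
  # wp-content is left alone; only its index.php is refreshed (Step 2, item 4).
  if [ -f "$NEW/wp-content/index.php" ]; then
    cp -p "$NEW/wp-content/index.php" "$SITE/wp-content/index.php"
  fi
  printf '%s\n' "$BACKUP"
}

# Usage: sh wp-upgrade.sh /path/to/webroot /path/to/unzipped/wordpress
if [ $# -ge 2 ]; then wp_upgrade "$1" "$2"; fi
```

After it finishes, log in to your WordPress admin and complete the database upgrade as in item 5 above; the backup folder it prints is what you restore from if anything goes wrong.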

Step 3 – Upgrade Your Theme

If you use a child theme and are upgrading Genesis, go ahead and upgrade automatically with confidence. Your customised child theme will not be overwritten.

BUT if you do not use a child theme and your theme shows up as having a newer version available, do not update unless you are willing to lose your customisations. Check with the theme company before making any theme upgrades.

You will find an Upgrades section under the Dashboard tab at the top of your admin sidebar.

  1. If there is a newer version of your theme, it will be listed on the Upgrades page
  2. You may need to enter your website’s FTP details to upgrade, so get these from your website host first
  3. Tick the box to the left of each one, then select Upgrade

Step 4 – Upgrade Your Plugins

  1. If there is a newer version of the plugin, it will be listed on the Upgrades page
  2. You may need to enter your website’s FTP details to upgrade, so get these from your website host first
  3. Tick the box to the left of each plugin, then select Upgrade

If you have any plugins which cannot be upgraded automatically, you could either use FTP to upgrade them manually, or deactivate them while you are upgrading WordPress and then use Plugins/Add New afterwards to install the most recent version over your old one.

Make Your Passwords More Secure

To add a new user, go to Users/Add New in your admin sidebar.

Other easy ways to make your website more secure are:

  • Make your password hard to guess, e.g. companyname01 is not good!
  • Don’t use admin as your username

NOTE: If you are using admin, you first need to add a new user with administrator access, then make that new user the author of all the admin user’s posts and pages. You will also need to use a different email address for the new user.

Once you have done this, you can login with the new details and delete the old admin user.

Comments

  1. Jo Couchman says

    Make sure you delete any plugins which aren’t active on your website as they can be a security risk too. Just go to Plugins, tick all those not active and select delete from the dropdown box at the top.

  2. says

    For manual upgrades I recommend uploading to a temporary folder, creating another one called “backup”.

    When the upload is complete I move my old WordPress files and folders (except for the wp-content folder and wp-config.php file) into the backup folder. I go into wp-content/plugins and move akismet out too.

    Then I grab the good versions and move them to their proper locations. Don’t forget to get the akismet plugin too!

    This can all be done in less than a minute and creates minimal disruption.

    The upside is that if WordPress removes a file from their code it is removed from your installation as well.

    A few years ago WP had a major security breach via an obsolete file that hadn’t been removed when people upgraded.
