Keeping a Website Secure for WordPress or Drupal

If you click on the links in this post, we may earn money from the companies mentioned in this post, at no extra cost to you. You can read the full disclaimer here.


If you have your own website or blog, then you need to know how to secure a website. These security tips can help you protect your website from spammers, hackers and more.

  1. Don’t use public WiFi when working on your website (for example, at Starbucks, the airport, etc.)
  2. Don’t work on your website on a public or shared computer (such as in a library or a hotel business center)
  3. Don’t send your passwords over email, text, Facebook Messenger, etc. (for example, if you’re going back and forth with a tech support person about something regarding your website)
  4. Use different passwords everywhere – a password manager can help with this
  5. Limit your admins – don’t give out administrative access to everyone in your company, and delete admin accounts that are not in use
  6. Don’t use the userid “admin” for your admin accounts – choose a unique name that makes it harder for hackers to figure out
  7. Limit your login attempts to at most 5 (you can use a security plugin, which we’ll discuss later)
  8. Use the Login No Captcha reCAPTCHA plugin to add a Captcha (“I am not a robot”) checkbox to your login on your website
  9. If you’re using WordPress, delete your inactive plugins
  10. If you’re using WordPress, delete your inactive themes
  11. If you’re using WordPress, keep your plugins up-to-date. Some managed WordPress hosts, such as Liquid Web and SiteGround, will update your plugins for you. Another option is to install the Easy Updates Manager plugin.
  12. If you’re using WordPress, don’t add a theme or plugin to your website if it hasn’t been updated in the last 12 months, because that could leave you vulnerable to new security attacks
  13. If you’re using WordPress, keep your theme up-to-date
  14. If you’re using a CMS (content management system, such as WordPress or Joomla), make sure your core files are up-to-date (for example, keep up with WordPress core updates, Drupal security updates, etc.)
  15. Be wary of free themes/plugins/software from unfamiliar websites, as they could contain malware – a good source to use for WordPress websites is Envato
  16. Get an SSL certificate. Your web host often provides this for free, but if your web host does not, we recommend Namecheap. We’ve used them for some of our websites when the host did not provide an SSL certificate, and their prices are very good.
  17. Force users of your website to use the https version instead of the http version. If you need help doing this, you can contact your host because they may be able to do it for you (for example, Kinsta does).
  18. Choose a web host that provides the best security. When you have shared hosting, you’re more vulnerable because you’re sharing a server with multiple websites. For increased security, choose VPS hosting or choose a shared host that has good support – and make sure your host utilizes the latest PHP, Linux, etc.
  19. Make sure you have backups of your website. You want to have backups as frequently as you update. Automatic backups are preferable so there’s never a time when you accidentally forget to update. Some web hosts will offer you daily backups, such as Kinsta, Flywheel, WPEngine, etc. If you don’t have a web host that offers automatic backups and you use WordPress, then you can purchase Backup Buddy. As someone who didn’t have a web host who backed up my site and wasn’t using any outside backup help and had my website completely wiped out, I highly highly recommend backups!
  20. Get extra security for your website. While the above suggestions help, since your website is so precious, sometimes you’re going to want to get even more security (think of it as getting a home security system on top of locking your door).
    • If you use WordPress, I recommend iThemes Security, but go ahead and buy the pro version as it gives you ticketed support. If you use a different CMS, then Sucuri would be a great way to protect your website. Similar to iThemes, you’ll need to buy a pro version to get the best features. Sucuri will also work for WordPress, too, so if you use WordPress you can check out both and see which one works best for you.
    • If you use Drupal, here are some modules that can give you added security:
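
For WordPress sites, tips 5, 6, 9, 10, 11 and 13 above can be checked from the command line. The script below is an added example, not part of the original post: a read-only audit that assumes WP-CLI (the `wp` command) is installed and that it is run from the WordPress root directory; the function names `label` and `wp_audit` are made up for this example.

```shell
#!/bin/sh
# Added example: read-only WordPress audit using WP-CLI. Assumes the `wp`
# command is installed and that this is run from the WordPress root directory.

# Prefix each non-empty line on stdin with a finding label ($1).
label() {
    while IFS= read -r item; do
        if [ -n "$item" ]; then
            printf '%s: %s\n' "$1" "$item"
        fi
    done
    return 0
}

# Print one finding per line; nothing is deleted or updated.
wp_audit() {
    # Tips 5 and 6: every administrator account, plus any literal "admin" login.
    admins=$(wp user list --role=administrator --field=user_login)
    printf '%s\n' "$admins" | label "administrator"
    printf '%s\n' "$admins" | while IFS= read -r login; do
        if [ "$login" = "admin" ]; then
            echo "default-login: $login"
        fi
    done

    # Tips 9 and 10: inactive plugins and themes are candidates for deletion.
    wp plugin list --status=inactive --field=name | label "inactive-plugin"
    wp theme list --status=inactive --field=name | label "inactive-theme"

    # Tips 11 and 13: plugins and themes with a pending update.
    wp plugin list --update=available --field=name | label "plugin-update"
    wp theme list --update=available --field=name | label "theme-update"
    return 0
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "audit" ]; then
    wp_audit
fi
```

Save it as a file and run it with the argument `audit`; review each reported line by hand before deleting or updating anything.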
