WordPress and Security — 10 Security Best Practices

By Lisa Hirst Carnes | July 2022

Running a nonprofit organization isn't easy. 

Not only do you need to convince people to support your cause, you also need to serve your community. Since most of these activities take place on your website, it's critical that you keep it secure.
We've been designing websites with WordPress for over a decade, and we're not alone: WordPress powers more than a million websites globally. But, as with other content management systems (CMS), your site may be vulnerable if you don't focus on security.
A hacked website can be devastating to your organization. Unfortunately, it's not uncommon to find yourself in vulnerable situations.
You've likely been to a website that displays a safety warning. This is common. In fact, Google has a list of around 10,000 quarantined websites that it deems unsafe. So, how do you make sure your website is safe? Read on to find out how you can keep your website off that dreaded list.

How Many Websites are Powered by WordPress?

WordPress is by far the most popular CMS. According to W3Techs, WordPress powers 43% of the top 10 million websites. This translates to a market share of 62% of the websites using content management systems.
This brings us to the following question.
Is WordPress secure? YES, it is!

WordPress Security

WordPress is open-source software, so it’s got a huge, vibrant community committed to it. This is one of the reasons we like it so much! This community develops updates to strengthen its security whenever a vulnerability is exposed. These updates keep WordPress out of reach from threats.
Nonetheless, all WordPress sites use other third-party tools. The people managing third-party plugins may not adhere to WordPress security guidelines.
Most security threats are due to:
  • Outdated plugins
  • Using an old version of WordPress
  • A lack of WordPress and security know-how
  • Weak password and user permission control


10 WordPress Security Best Practices

Here are 10 proven WordPress security best practices to help keep your site out of reach of hackers. 

1. WordPress and Theme Updates

Most hacks occur on WordPress sites using outdated software versions. Hackers capitalize on outdated WordPress versions' flaws to exploit their targets.
It's vital to keep your WordPress site updated. But, you should understand what you're updating. Get help from a WordPress expert like ArcStone to manage updates. 

2. WordPress HTTP Security Headers

HTTP security headers add an extra layer of security. 

But, installing the headers can be a complex process. Even a tiny mistake may nullify your header's effectiveness, especially in older browsers. We recommend using a staging environment before applying them on the site and, of course, consulting an expert.
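
A check you can run against a staging response before going live, as an added example that is not part of the original article: it flags security headers that are missing or that a small typo has made ineffective. The choice of headers and the sample response are assumptions of this example.

```python
import re

def audit_security_headers(raw_head: str) -> dict:
    """Map each missing or ineffective security header to the reason."""
    headers = {}
    for line in raw_head.strip().splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    problems = {}

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        problems["strict-transport-security"] = "missing"
    else:
        # max-age is mandatory; without it browsers discard the whole header.
        m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)', hsts, re.I)
        if m is None:
            problems["strict-transport-security"] = "no valid max-age, header is ignored"
        elif int(m.group(1)) == 0:
            problems["strict-transport-security"] = "max-age=0 switches HSTS off"

    nosniff = headers.get("x-content-type-options")
    if nosniff is None:
        problems["x-content-type-options"] = "missing"
    elif nosniff.lower() != "nosniff":
        problems["x-content-type-options"] = "only the value 'nosniff' is recognised"

    csp = headers.get("content-security-policy")
    if csp is None:
        report_only = "content-security-policy-report-only" in headers
        problems["content-security-policy"] = (
            "report-only, policy is not enforced" if report_only else "missing")
    framing = headers.get("x-frame-options")
    if framing is None:
        # A CSP frame-ancestors directive covers framing without X-Frame-Options.
        if "frame-ancestors" not in (csp or "").lower():
            problems["x-frame-options"] = "missing"
    elif framing.upper() not in ("DENY", "SAMEORIGIN"):
        problems["x-frame-options"] = "unsupported value"
    return problems

# Constructed staging response with three small mistakes (not real site output).
STAGING_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: maxage=31536000; includeSubDomains
X-Content-Type-Options: no-sniff
X-Frame-Options: SAMEORIGIN
Content-Security-Policy-Report-Only: default-src 'self'
"""
print(audit_security_headers(STAGING_RESPONSE))
```

Each of the three flagged headers is present in the response, which is why a quick visual check of the staging site would miss them.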

3. Plugin Management

Before installing new plugins, vet them by answering a few questions. Is the plugin updated on a regular basis? How many websites is the plugin installed on? What do the reviews say?
Like any other element, plugins need regular updates. 

4. Password Management

The most basic practice to keep your site safe is to configure every account with a strong password. Most attacks capitalize on users' weak or predictable passwords.
Creating a strong password makes it difficult for attackers to guess your credentials.
Most people understand the importance of using strong passwords. Unfortunately, using passwords such as "password," "12345678," and "qwerty" is still a common mistake. Cybernews recently reported on the most common passwords. Did your passwords make the list?
We recommend using a password manager such as 1Password to keep your credentials secure.

5. User Management

Limiting access to trusted parties is critical to keeping your site secure. Only some users should have "admin" permissions. All other users should have access limited to the areas their specific tasks require. For example, if a team member writes content for your blog, give them "author" permissions.

6. Hosting Services

Not all web hosting providers are equal. One way to ensure security is to look for the right host who can offer security features, including:
  • Malware scanning services
  • SSL certification
  • Regular backups
Looking for user reviews and ratings can help you find a secure web host.

7. Security Plugins

Security plugins scan and detect any malware attack on your site. They can catch and clean even malware that is difficult to detect in a manual process.
Security plugins like Wordfence Premium protect your site from recent exploits, detect the latest malware, and deter malicious IP addresses.


8. HTTPS

This protocol helps the browser transfer data over the web. Encrypting your site with HTTPS disguises data. This limits the chances of hackers manipulating your information.
HTTPS encryption is essential when your website contains sensitive data, such as financial information.

9. 2-Factor Authentication

Along with creating strong passwords, two-factor authentication (2FA) adds another layer of protection. 2FA allows you to use a one-time password (OTP) or secret code after entering your login details. This makes it even more difficult for hackers to access your site.
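
How the server side of that second step can work, as an added example that is not part of the original article: it assumes the OTP is a time-based code as defined in RFC 6238 (the article does not name an algorithm), and the secret is the RFC's published test key, not a real credential.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """Derive the one-time code for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify_login(password_ok, submitted_code, secret, now,
                 last_used_step=None, window=1):
    """Return the accepted time step, or None if the login must be refused."""
    if not password_ok:                            # first factor always comes first
        return None
    current = now // STEP
    # Tolerate one step of clock drift in either direction.
    for step in range(current - window, current + window + 1):
        expected = totp(secret, step * STEP)
        if hmac.compare_digest(expected, submitted_code):
            if last_used_step is not None and step <= last_used_step:
                return None                        # code was already used once
            return step
    return None

# RFC 6238 test key; at t=59 the 6-digit code is 287082.
DEMO_SECRET = b"12345678901234567890"
print(totp(DEMO_SECRET, 59), verify_login(True, "287082", DEMO_SECRET, 59))
```

Storing the returned step and passing it back as `last_used_step` on the next attempt is what makes each code usable only once.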

10. Expert Support

There's a lot to learn about security, and having a basic understanding isn't enough. 
If your organization lacks WordPress security experts, consider working with ArcStone. We'll work with you to devise the right website maintenance and security plan. 
WordPress is secure and a solid choice for your organization. No matter the CMS you choose, you must focus on security.

Contact us for technical expertise and advice to keep your website safe and secure.
