This website runs on the WordPress Content Management System (CMS). And, in my opinion, WordPress is a future-proof tech for all it is capable of, and more ✨

If you are new to the world of CMSs, I have a tip for you: every CMS has something attractive to offer. However, you need to pick what suits your use case and lets you do more, instead of going with other people’s recommendations. With all that said, if your favorite CMS is WordPress, just like mine, or if you are exploring the security side of things before trying it out, you have landed in the right place.

I have been using WordPress for a decade to create blogs/ecommerce sites. Here, I have decided to share some of the most effective (and easiest) security tips for WordPress websites.

1. Keep It Simple, Stupid (KISS)


The KISS design principle is applicable to everything, including securing websites.

Simplicity should be the goal if you want a system that works well and stays secure.

Whether it is about the WordPress theme, configuration, or anything else in your website, the simpler, the better.

With WordPress, it is easy to break this design rule because of all the functionalities and plugins available at your disposal.

New WordPress creators might want to pack in all kinds of features in their website for the oomph factor, and in the process, they could end up with several unnecessary plugins, scripts, and configurations.

So, if you follow the KISS concept on WordPress, you will have:

  • Fewer things to manage (only the plugins you need and one or two themes installed)
  • Easier maintenance and updates
  • A website that stays secure with less effort

2. Protect Your WordPress Login


Of course, do not keep the default WordPress login password if you installed it using a one-click installer from any platform. Generate a strong password and use that for login instead.

If you want to take things up a notch, you can install a two-factor authentication plugin to add a second verification step to your login, so that a guessed password alone is not enough and brute-force attempts get nowhere.

I hope WordPress adds a native 2FA functionality, but until then, you can try these WordPress plugins:

(Image: WordPress 2FA plugins)

If you would like to be on the edge of the tech while protecting your login, I have some mind-blowing options for you 🤯

  1. Passage.id: If you want to implement a passkey login experience (for free), you can configure Passage.id by 1Password on your WordPress website using the OpenID Connect Generic plugin. I have configured it on this website, and I love it!

    You need to create an account with Passage.id and configure things, but it should be well worth it!
  2. Duo Universal: Duo Universal is a plugin by Cisco’s Duo Security. It offers various multi-factor authentication methods, including passwordless login (with passkey support for premium users).

    You need to create an account with Duo Security (it’s free). You can choose to upgrade to premium after the trial ends, or continue with the free authentication methods.
(Image) Screenshot of InfoSec Paper’s login page using Passage.id passwordless login

If you’re hearing about passkeys for the first time, read my blog post on using passkeys.

Of course, the passkey implementation and similar techniques are best suited to experienced users.

But my experience with it has been so seamless. I can recommend it to any beginner who is willing to put in an hour or two to implement a future-proof login method that keeps the website safe.

3. Install Security Plugins


I know, I told you not to install several plugins, but a security plugin simplifies a lot of the essentials that you need for a secure website.

Some security plugins do offer two-factor authentication as well. So, you can decide to use a single security plugin for 2FA and overall security, or keep separate solutions for login.

Security plugins help you monitor modifications to your files and configuration, block unauthorized access to important files, and stop other malicious activity. Most of them are free for the essential functions and offer a premium upgrade for advanced protection.

There are several security plugins out there; I recommend trying out any of these:

(Image: Wordfence)

4. Use Website Security Checker for FREE Recommendations


If you are not a big business, or you are an individual like me, you probably don’t have the budget to consult a security professional, right?

So, any free advice we can get is a good thing.

With Sucuri’s website scanner, you can easily get a couple of useful recommendations along with links/tips to implement the remedy to improve the site’s security.

If you are already using a security plugin, or have been following the official WordPress hardening tips, chances are the scan will not report any problems. But if something does appear, you can always try to fix it.

You can also try SiteLock’s free website scanner.

5. Utilize a WAF or a CDN (or Both)


A Web Application Firewall (WAF) is a security layer that sits in front of your server and blocks malicious requests before they ever reach it.

Cloudflare is the most popular solution. It is free to get started and includes a free Content Delivery Network (CDN). The majority of the websites on the internet rely on it.

An alternative CDN is Bunny.net (partner link). It does not include a WAF, but the CDN is faster, and at times more reliable, compared to Cloudflare. It also includes DDoS protection for the assets it serves.

I use Cloudflare + Bunny CDN for the best possible results. You can choose to use just Cloudflare if you would rather not configure or pay for a separate CDN. It’s totally fine; it’s just my choice of things.

6. Update Everything Regularly

It’s pretty self-explanatory. You need to keep an eye on your themes, plugins, WordPress version, and everything else that you use within the website for the latest available version.

Of course, make sure that you have a backup before you update anything. You can use a free backup plugin like UpdraftPlus Backups.
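Here is the “back up first, then update” routine from this tip as a script, together with a core-file integrity check in the spirit of tip 3. It is an added example, not something from the original post or from any plugin; it assumes WP-CLI (the wp command) is installed on the server, which the post does not mention.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress site,
# verify the backup, then apply updates with WP-CLI. Assumes WP-CLI ("wp")
# is installed and the site path is passed as the first argument.
set -eu

# Archive a directory into a timestamped .tar.gz and confirm the archive
# can be listed back. Prints the archive path; fails if listing fails.
backup_dir() {
    src="$1"; dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/$(basename "$src")-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    # Integrity check: a truncated or corrupt archive fails to list.
    tar -tzf "$archive" >/dev/null
    printf '%s\n' "$archive"
}

# Number of entries in an archive (a quick sanity check on a backup).
archive_entries() {
    tar -tzf "$1" | wc -l | tr -d ' '
}

# Full flow: dump the database, archive wp-content, check core file
# integrity, then update plugins, themes and core. Because of set -e the
# script stops at the first failing step, including modified core files.
update_site() {
    site="$1"; backups="${2:-$site/../wp-backups}"
    command -v wp >/dev/null || { echo "wp (WP-CLI) not found" >&2; return 2; }
    mkdir -p "$backups"
    wp --path="$site" db export "$backups/db-$(date +%Y%m%d-%H%M%S).sql"
    backup_dir "$site/wp-content" "$backups"
    # Flags core files that differ from the official release (tip 3).
    wp --path="$site" core verify-checksums
    wp --path="$site" plugin update --all
    wp --path="$site" theme update --all
    wp --path="$site" core update
    wp --path="$site" core update-db
}

# Run only when a site path is given, e.g.: sh wp-update.sh /var/www/html
[ "${1:-}" ] && update_site "$1"
```

Run it from cron or by hand before each update round; the archive path it prints is what you restore from if an update breaks the site.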

I hope these tips help you out on your journey to explore and build WordPress sites.

💬 What is your favorite security plugin? Do you prefer to go bare bones, hardening the security without plugins? Let me know your thoughts in the comments below!

Categorized in: Security

Last Update: May 26, 2024