3 Security Essentials for WordPress Users

by Mark Pedrin | Oct 22, 2023


Among boating enthusiasts, it has been said the two happiest days in life are the day you buy a new boat, and the day you sell it.  Similarly, many website managers feel conflicted about their investment: beneath the excitement and opportunity of an online presence lurks a world of confusing choices that seem to offer multiple risks for every reward.

What is to be done? I don’t have any great advice for boat owners (though I’d like to be one myself). But if you own or maintain a WordPress website, here are 3 essential steps you can take today to reduce worry, lower risk, and revitalize the fun factor of your web presence.

Security Essential 1: Multi-Factor Authentication (MFA)

Even if you’ve never heard of MFA, you’ve no doubt experienced it: every time you check your bank balance or update an insurance policy online, MFA is that pop-up code sent to your phone or email after you enter your traditional password. You’ll also see it referred to as 2FA, meaning Two-Factor Authentication.

Is MFA annoying? Yes, but it works. Research shows that Multi-Factor Authentication drastically reduces your online risk. According to Microsoft, enabling MFA prevents 99.9% of attacks on user accounts. That’s a pretty solid statistic! MFA has also been shown to eliminate 96% of phishing breaches, which account for one-quarter of all data breaches that take place.

Why MFA Works: By requiring an additional form of verification (this is the ‘multi’ in multi-factor), MFA offers you an extra layer of defense. The average hacking attempt is not sophisticated enough to sniff out an additional biometric verification or one-time passcode (OTP) generated by a third-party app. For the sake of your peace of mind, the minor inconvenience of enabling and using Multi-Factor Authentication is well worth it.

How to Get It: One of the most popular and reliable MFA plugins for WordPress is WordFence. The WordFence plugin conveniently handles a variety of security-related tasks: in addition to MFA, there’s login security, a robust firewall, IP blocking, and malware scans–all for free (there is also a paid upgrade that offers even more options). You can find information about it here.

Once WordFence is installed on your website, go to Login Security. You will see an option to enable Two-Factor Authentication that looks like this:

[Image: WordPress Security Essentials multi-factor authentication]

There’s just one more step to follow and you’ll be up and running: In addition to WordFence, you also need a smartphone app that will provide your one-time passcodes for login. Many apps are available depending on your device; one popular choice is Google Authenticator, which you can find here for Android and here for iPhone.

Install the app and scan the QR code on your WordFence screen to link your account (don’t miss the step of entering your one-time passcode into the box on the bottom right).

Then in the future, you’ll use the unique 60-second passcode generated by your app as a second step to log in to your WordPress website. Taking this relatively painless step dramatically reduces the chances of your WordPress account being breached, but to make your site login secure, all users with administrator privileges should be required to do the same.


Security Essential 2: Regular Updates

Technology is constantly evolving, and so are the sophisticated ways that hackers look to exploit it. One essential practice to avoid becoming a hacking statistic is keeping key elements of your site up to date.

For WordPress users, the place to start is with your Site Themes, Site Plugins, and of course, the WordPress Platform itself.

WordPress Platform. WordPress releases regular updates to its platform, and these should be considered essential security upgrades. Failing to keep your platform updated can lead to a host of problems (no pun intended).

Fortunately, WordPress makes it easy. When you log in to your dashboard, any updates will be shown front and center, and you’ll also see a special icon next to the update menu item.

Site Themes. Whether you are using a basic WordPress theme like Twenty Twenty-Three or a premium one like Astra, keeping your theme up to date is an important security step.

A good quality theme will post updates regularly to address newly found security flaws and enhance functionality. In fact, if you find that your theme has not received an update in quite some time, this is a serious warning sign–it might be time to switch to a new one.

Also, don’t be a theme hoarder: Keeping a downloaded collection of themes that you aren’t using not only takes up storage space but also leaves open the possibility that someone will exploit a weakness contained within one of those files. The only exception is WordPress’ default theme for the year, which contains important system files and cannot be deleted.


Plugins. Finally, don’t forget about updating your plugins. A great number of site vulnerabilities come by way of insecure plugins. For this reason, it’s also wise to limit your plugins to the absolute essentials (plus, the additional code each plugin requires can slow down your site response time).

Although it’s wise to verify plugin updates manually (and Editing Advantage would be happy to do this for you!), you may want to automate the process to save time. Once again, WordPress makes this easy. On your plugins page, you’ll see an option to ‘enable auto-update’ on the right side.


Security Essential 3: Staying Aware

Several years ago there was a popular TV game show called The Weakest Link. After each round of trivia questions, one ‘weak’ team player would be eliminated until only a final winner remained. When it comes to keeping your website secure, make a resolution that you and your team will not be the weakest link.


Research shows overwhelmingly that the human factor is the biggest vulnerability when it comes to online security: weak or stolen passwords account for 81% of breaches, and people who receive phishing emails are tricked by them 47% of the time. These are two statistics you don’t want to be on the wrong side of!

Staying aware means continuing to follow best practices such as using Multi-Factor Authentication and keeping website files updated. It means training other users in security practices and holding them accountable. Trying to save time by taking security shortcuts may be tempting, but it is far better to invest a little time entering a one-time passcode than to sort through the enormous headache and brand damage of a hacked or hijacked website.

Of course, I’d also recommend entrusting your site to a reliable service like Editing Advantage–freeing up your time so you can focus on the essentials. However, with a steady commitment of time and a mindset of diligence, you will position yourself to avoid common pitfalls and maximize all those benefits that brought you online in the first place.


Thanks for checking out 3 WordPress Security Essentials!


You may also enjoy my post about how to avoid 4 Non-Profit Website Mistakes

Mark Pedrin



Mark is an editor, web designer, and language instructor who loves helping individuals and organizations maximize their potential. He lives near Seattle, Washington with his wife, daughter, and one Extremely Dangerous Cat.