[This post was updated May 19, 2016]

Websites developed by us are all developed on the WordPress platform. Not only is it by far the most popular content management system, it’s also one of the easiest to work with. But because it is the most popular content management system, it’s also the system that is subject to the most attacks by hackers.

According to Wordfence, the developers of the WordPress security plugin, the recent “Panama Papers” information leak from law firm Mossack Fonseca was partly the result of exploiting an out-of-date plugin which had a known security vulnerability.

Wordpress SecurityBy the way, all websites developed by us have the Wordfence plugin installed. It does a lot in the background to protect your website. It’s a great plugin — and that’s just the free version.

I cannot say it enough—you MUST perform regular maintenance on your website to keep it secure. Make it and leave it might have worked in the old days of HTML files, but not any more. That sounds scary, and in a way it is. There are some very nasty people out there who would love to get into your website to send out spam, set up phishing scams or use your server as a platform for other illegal ways to make money.

But keeping your website secure isn’t that hard. Here’s my simple take on it—these five things can go a very long way to keep your website secure:

  1. Keep the WordPress core and all plugins and themes up-to-date.
    This is critical. Some clients worry that updates will cause their site to break. In the nearly 10 years I’ve been working with WordPress, I’ve only had that happen once and it was quickly fixed. The risk of that happening is far outweighed by the risk of a hacker exploiting a vulnerability in an old version. Research shows that exploiting a vulnerability accounts for half of website attacks.
  2. Install only trusted plugins and themes.
    A good sign of a trusted plugin is one that’s being widely used. The WordPress plugin repository shows how many websites use each plugin. Also look to see how long it has been since it was updated. Plugins that haven’t been updated for a year are more likely to have a known vulnerability. When it comes to themes, choose one from WordPress.org or a trusted commercial vendor. Do not trust free themes from any other site. There are too many offering ‘free’ themes that have been programmed to exploit your website.
  3. Use an administrator username that cannot be easily guessed.
    NEVER use ‘admin’. That is the first one hackers try. The most common ones that a hacker will guess are ‘admin’, administrator’, your domain name, the first significant word in your company name, and your own name. If you’ve chosen an obvious user name, half the hacker’s job is done. They can set up a script that can guess your password at the rate of hundreds of guesses per minute. These are known as brute force attacks.
  4. Use a password that cannot be guessed.
    I’m dumbfounded by people who confide that they still use ‘12345’ or ‘password’ as their password! Many security experts also say that your password should not be: your birth/anniversary date, a pet’s name, the name of a loved one, your phone number — or anything that could be easily guessed. Some experts go so far as to suggest it should not include any word found in the English language. Make sure your password is a mix of upper and lower case letters, numbers, and characters on the upper row of your keyboard. It should also be long.
  5. Install a security plugin.
    A security plugin can do many things: Scan for known malware and phishing scams, block brute force attacks, alert when WordPress and plugins or themes need an update, and more. Wordfence Security has saved more than one client website here by alerting us to problems quickly.

See? It’s not that hard to keep your site safe. There are no guarantees, of course. Even the most security conscious web managers run into problems. There are other more “techie” steps you can take, but if you do these five things, you are well on your way to having a continually secure WordPress website.