Security and Website backup best practices for WordPress sites

It is an unfortunate fact of online life that hackers will at some point attempt to gain access to your website. Even WordPress sites are prone to hacking. Why? It’s a fact that WordPress is the most popular content system on the Internet today. Therefore by definition, ti is the target of more attacks than any other. Aside from the traditional safety systems, there are additional ways in which you can secure your WordPress website and make it as difficult as possible, if not impossible, for hackers to gain access. Let’s check them out.

Web hosting service

To begin, you need to sign up to a reputable WordPress hosting company with a good track record. While the majority of websites will start on a shared hosting plan there is always the option to move to. Remember powerful hosting services like VPS and dedicated servers are at your disposal. It’s worth mentioning that as your website grows and traffic increases so should your web hosting resources. In this instance we will look at ways to protect your WordPress site on a shared hosting account. In case you’re wondering, these security tips will work on any hosting package.

7 Website backup best practices

We all know that we should take backups of our website but many people fail to do so. It is the common “it will never happen to me” syndrome which has seen numerous people lose businesses overnight. When looking at a web hosting service you need to consider web hosting backup options which may include a cloud backup business option. The beauty of a cloud backup service is that the backup is held off site offering you further protection.

1. Rename popular URLs

If you have used WordPress for some time you will be well aware that there are various common URL extensions such as:-

  • wp-loging.php
  • wp-admin

When hackers are looking to crack your username and password they will automatically assume those common URL extensions and simply type in:-


This will give the hackers access to your login page where they can use their database of common usernames and passwords to gain brute force access (don’t use ADMIN as a username!). Now imagine, if you were to change the common URLs on WordPress how would they find your login page?

There are various WordPress plug-ins which will do this for you or you can do this manually through the control panel. For example change the wp-login.php extension to my_new_login. This is a very simple but an extremely effective means of protecting yourself from hackers gaining direct access through your WordPress site.

2. Install SSL certificates

All website owners will be well aware that SSL certificates and the new https protocol ensure encrypted communication between a visitor’s browser and your web hosting account. This makes it much more difficult for hackers to intercept communications, undertake third man hacks and it is also a failsafe check to clarify that the site your visitor is looking at is your site – no fraudulent clones. There has been some criticism of search engines penalising websites without SSL certificates and https protocol but the hackers have become more determined and technically advanced. So, flagging websites which do not have the necessary safety precautions is perfectly justified.

3. Regularly change passwords

Yes, this is something we all know about but yet again few of us actually change our passwords on a regular basis. Hands up if you have the same username and password for multiple accounts? It may be easier to remember but did you realise, once hackers find one of your usernames and passwords they will try this across all of your accounts. They will also try this across common bank accounts hence the reason why many people over the years will have received spurious communications from banks with which they have no accounts.

Even if the web hosting service you sign up to is the most secure possible, using common usernames and passwords on multiple accounts could put your websites at serious risk. While it is obviously sensible to focus on your web hosting account and website files from a security point of view, this is not the full picture. Using the same password for your web hosting control panel to that which you use for other accounts could be the chink in the armour that lets the hackers in. Don’t make it easy!

4. Idle accounts are a serious risk

In years gone by it was possible to remain logged into numerous online accounts to save time logging in and logging out. Over the years idle accounts have become a serious security risk because if that machine is hacked, or somebody physically uses that machine without permission, they can cause serious damage to your web hosting files. Thankfully, there are now WordPress plug-ins and services you can add to the control panel which will logout idle accounts to reduce any security risk. On the surface this may sound like a relatively innocuous danger but think about it, if your machine is hacked or somebody uses your machine without permission, what damage could they do if your accounts are all open?

Imagine the scenario, you leave your account open online and somebody uses your machine to open an email. They click on an innocent link which allows hackers to gain access to your machine. What could they and what would they do next?

5. Password protect directories

While a web hosting backup service offers a vital element of protection to your website, you should also consider password protecting important directories. For example with WordPress the wp-admin directory is very important and holds vital information and files which keeps your website running smoothly. Just imagine, if someone was to gain access to your hosting account, maybe they hacked your control panel or gained brute forced access through the WordPress login page, they could gain access to all of your files. However, password protecting individual directories with an array of random passwords would make it extremely difficult, if not impossible, to gain access to the nuts and bolts of your website.

While you should always follow website backup best practices this is another very important element of safety which many people fail to follow. You should password protect your directories and change your passwords on a regular basis. One further simple error many people make – do not save your passwords in a form which is easily accessible to others!

6. Website monitoring tools

If you access your control panel traffic statistics on a daily basis you likely become aware of attempted hacks and unauthorised activity. The main problem here is that by the time you have seen the statistics and the traffic numbers the hack may already be out of your control. It is therefore important to consider the array of website monitoring tools which work on a real-time basis. They will track inwards and outwards traffic, access to files and directories, changes made and inform you of any suspicious activity.

While there is no doubt that hackers have become more technologically advanced, good old-fashioned access logs will always highlight suspicious activity. If you receive an email warning of suspicious activity on your website then act immediately. There is no point having real-time services and then putting these warnings to one side. The quicker you act on suspicious activity the more chance of shutting down the hack before major damage is done. In a worst-case scenario, revert back to your web hosting backup, suspend your site, find the security issue, make changes and then you can open for business again.

7. WordPress plug-ins

One of the benefits of WordPress being the most popular content management system on the Internet is the enormous number of WordPress plug-ins available. While we tend to focus on theme and commercial plug-ins, there are an array of extremely useful, fast acting and very informative WordPress security plug-ins. If you lock down your control panel as much as possible, considering some of the issues mentioned above, and layer this with WordPress security plug-ins you will make life as difficult as possible for the hackers. Following simple cyber security practices may seem cumbersome and a waste of time but you won’t regret it!

Many people fail to realise but hackers tend to go for the “low hanging fruit” therefore if you make it difficult for them to gain access to your website they will likely look elsewhere. Hackers can best be described as vultures, once one of them spots a prey the rest will all follow and leave nothing but a carcass. However, if that lone vulture cannot access your website they will look for the next easy target.


There is no doubt that web hosting backup services, many of which involve cloud backup business account, extremely important when looking to secure your WordPress site. There are also ways and means of protecting directories on your host account as well as access to your WordPress website. Simple things such as random usernames and passwords, regularly change, together with password protecting individual directories can make a difference. They also an array of WordPress security plug-ins which will block brute force attempts, close idle accounts and advise you of any suspicious activity on your account.

Don’t assume it will never happen to you – it might – but you can still be prepared.