June 12

Top 5 Layers of WordPress Security


Everyone knows you need security for your WordPress site. But not everyone knows what the layered approach to security is.

Let’s talk about the Top Five ways you can apply layered security to your WordPress site and start protecting it right away.

What is Layered Security?

First off, let’s talk about what layered security means. Layered security is simply a fancy way of saying you need different and multiple levels of security for whatever it is that you’re trying to protect. So in this case, since we’re trying to protect a WordPress site, we need to make sure we have different levels of protection in place.

Not just a plug-in. Not different plug-ins that do the same thing. You need different levels that work together to protect your site in different ways.

Now, this might sound complicated, this might sound hard, but it’s really not.

Think about the layers like a house. Your house might be in a gated community (layer 1), have door locks (layer 2), have an alarm system (layer 3), etc. All of those things are different layers of security for your house.

Using a WordPress security plugin by itself, without a strong password, would be like leaving the doors unlocked on your house and only relying on your alarm system.

Now, let’s work through applying five different layers of security you can put in place on your WordPress site today.

#1 – Password

Layer number one is your password. Passwords are often overlooked and are sometimes inconvenient, but they are absolutely necessary when it comes to protecting anything on the internet.

We tend to make up passwords that are easy to remember. Sure, they are easy for us to remember, BUT they are also easy to guess, and that makes it easy for a hacker to break into your website.

The best practice is to apply a password that is complicated and hard to guess. You can either make your password complex or long (or both!), but out of the two, length wins. The easiest way to pick a long password that you can remember is by using something called a passphrase.

For example, your password could be a basic sentence like “I left my lunch in the refrigerator last week and Charles ate it”.

Now that’s really long, but it might not be that easy to remember either… Unless of course he really did eat your lunch and you’re going to hold on to that grudge forever!

While that’s a bit exaggerated, you kinda get the point, yeah length wins here.

Making sure your admin password is long is a quick win and something that you can put in place quickly and easily on your site.
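To put some numbers behind "length wins", here is an added example (not code from the original article) that generates a passphrase with Python's cryptographically secure `secrets` module and compares its entropy with that of a random mixed-character password. The word list embedded below is a constructed 16-word sample for illustration only; the comparison assumes a real list of 7776 words (the size of the EFF long word list) and the 94 printable ASCII characters for a typed password.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real passphrase
# generator would load a large list (for example the 7776-word EFF long
# list); the size of the list is what sets the entropy per word.
SAMPLE_WORDS = [
    "refrigerator", "lunch", "charles", "grudge", "window", "garden",
    "pencil", "river", "candle", "marble", "thunder", "basket",
    "copper", "velvet", "lantern", "meadow",
]

# Printable ASCII characters available for a typed mixed-character password.
PRINTABLE_SYMBOLS = 94


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy for `positions` independent uniform picks from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def generate_passphrase(words, count: int = 6, separator: str = " ") -> str:
    """Pick `count` words uniformly at random using a CSPRNG and join them."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_strength(word_list_size: int = 7776, words: int = 6, password_len: int = 10) -> dict:
    """Compare a word-based passphrase with a random mixed-character password of a given length."""
    passphrase_bits = entropy_bits(word_list_size, words)
    password_bits = entropy_bits(PRINTABLE_SYMBOLS, password_len)
    return {
        "passphrase_bits": round(passphrase_bits, 1),
        "password_bits": round(password_bits, 1),
        "passphrase_wins": passphrase_bits > password_bits,
    }


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase(SAMPLE_WORDS))
    print(compare_strength())
```

With the defaults, six words from a 7776-word list come out at about 77.5 bits, while ten random printable characters give about 65.5 bits, so the longer (and far easier to remember) passphrase is the stronger one. Three words from the same list would only reach about 38.8 bits, which is why the number of words matters as much as using random selection.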

The other thing you can do is use a more complicated password made up of random letters and numbers, but the problem with that is it’s going to be really hard for you to remember. You’ll probably write it down on a Post-it note so you don’t forget it, and your weird cousin’s gonna come over, find it, and think “Hey, I’m gonna mess with Charles later today.”

I mean, you just need to avoid that situation altogether.

So another thing you can do to make having a secure password that’s simple to remember is a password manager.

There are different password managers out on the market. Some are free like KeePass, and there are others with more features that are paid like LastPass or Dashlane.

The paid options are great because you can share passwords with multiple people in a family, and even across different computers and devices.

A password manager makes it really quick and easy to have complex passwords and be able to use those quickly and easily. They even give you the option to enter your passwords automatically on various websites that you visit.

So password managers are a great way to help make using secure passwords, like those on WordPress, less of a chore.

#2 – Updates

Updates are again something that’s easily overlooked, but they are also very important.

WordPress always has updates, just like any other application. In this case, it also includes the plug-ins that are associated with WordPress.

Updates are needed not only to add new features, but also because code is always changing and people are always finding problems with the code, called vulnerabilities. That’s not unique to WordPress; it’s common to all software.

So the risk here is that if you have things that are out of date, a hacker could find your WordPress site and start trying to break into it using a list of things they know work against an older, outdated version.

The best practice here is to log in at least once a week and make sure your WordPress site is up to date. It just takes a few seconds to make sure everything is current.

As an alternative, some hosts actually do WordPress updates automatically. If you have a web host that will take care of that for you, just make sure that feature is turned on, and you won’t have to worry about it.

Also, you want to make sure that you are actually using all the installed plug-ins on your website.

Sometimes we’ll go out and download a plug-in, try it, realize it’s not something we really want or use, and then just leave it on or deactivate it, leaving it sitting there on the WordPress site.

This is another way hackers can get into your WordPress site and attack it: through outdated software we’ve forgotten about. Just make sure to remove, not just disable, any plug-ins that you don’t use or need.
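The weekly check described above (update what is out of date, and delete rather than deactivate the plug-ins you no longer use) can be scripted with WP-CLI. Here is an added example, not code from the original article or from WordPress, that triages the output of `wp plugin list --format=json` and builds the matching `wp plugin update` and `wp plugin delete` commands. It assumes the `wp` command is installed and on PATH; the plugin list embedded below is a constructed sample with made-up plug-in names and versions.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape of `wp plugin list --format=json` output.
# The plug-in names and version numbers here are made up for this example.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "updraftplus", "status": "active", "update": "none", "version": "1.23.0"},
    {"name": "jetpack", "status": "active", "update": "available", "version": "12.0"},
    {"name": "hello-dolly", "status": "inactive", "update": "none", "version": "1.7.2"},
    {"name": "old-gallery", "status": "inactive", "update": "available", "version": "0.9"},
])


def triage_plugins(plugin_list_json: str) -> Dict[str, List[str]]:
    """Split plugins into active ones needing an update and inactive ones to delete.

    Inactive plugins are slated for deletion rather than update, matching the
    advice to remove, not just disable, anything you no longer use.
    """
    plugins = json.loads(plugin_list_json)
    needs_update = sorted(
        p["name"] for p in plugins
        if p.get("status") == "active" and p.get("update") == "available"
    )
    to_delete = sorted(p["name"] for p in plugins if p.get("status") == "inactive")
    return {"needs_update": needs_update, "to_delete": to_delete}


def wp_cli_commands(triage: Dict[str, List[str]]) -> List[List[str]]:
    """Build the WP-CLI invocations that would apply the triage result."""
    cmds: List[List[str]] = []
    if triage["needs_update"]:
        cmds.append(["wp", "plugin", "update", *triage["needs_update"]])
    if triage["to_delete"]:
        cmds.append(["wp", "plugin", "delete", *triage["to_delete"]])
    return cmds


def fetch_plugin_list(wp_path: str) -> str:
    """Query a real WordPress install through WP-CLI (assumes `wp` is on PATH)."""
    return subprocess.run(
        ["wp", "plugin", "list", "--format=json", f"--path={wp_path}"],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    # Dry run against a live install: print the commands for review rather
    # than executing them, so a backup can be taken first (see layer #4).
    site_path = "/var/www/html"  # hypothetical path to the WordPress install
    for cmd in wp_cli_commands(triage_plugins(fetch_plugin_list(site_path))):
        print(" ".join(cmd))
```

The script deliberately prints the commands instead of running them, so you can take a backup before applying updates and confirm that nothing in the delete list is actually needed. WordPress core itself is checked separately with `wp core check-update` and updated with `wp core update`.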

#3 – SSL

I can’t tell you how easy it is for someone to copy the username and password that’s used to log into a website if a hacker is trying. The only way to prevent this is through an SSL certificate that you can install on your website. SSL is that little indication on the address bar that says HTTPS or has a little lock icon.

If you don’t have that on your website, you need to get that right away because what happens is that when you log in to your website, your username and password are sent to the website through something called clear text, which means anybody can read it. If you have an SSL certificate installed, that information is encrypted (or scrambled) and hackers can’t easily see your password and use it later to get into your site.

As an added bonus, having a security certificate installed is supposed to help your Google ranking. So if that’s something that’s important to you, it’s just another reason to make sure you have one in place.

There are a lot of different companies that can issue an SSL certificate. One of those is called Let’s Encrypt.

If you just need a basic level of protection, Let’s Encrypt will actually issue SSL certificates for free, which is awesome. Also, some web hosts can issue Let’s Encrypt certificates automatically for free as well, making it a really convenient option. Not all web hosts do though, so be sure to ask your provider to know what steps you need to take in order to protect your site with an SSL certificate.

#4 – Backups

You always want to make sure you have a backup in place. The primary benefit, of course, is that it will help get your website back up and running if it happens to get hacked. It also gives you peace of mind when updating WordPress and the installed plug-ins.

If you install a plug-in that ends up breaking your website or you do an update that ends up breaking your website, you can restore that backup quickly and easily and get back up and running without a lot of downtime.

Now, if you’re restoring a website that’s been hacked from a backup, you need to try and figure out why your website was hacked so that it doesn’t get hacked again! If you have a really good web host, you can work with that team to figure out what happened with your website, and they can give you some recommendations on how to fix it.

For a backup solution, sometimes web hosts will provide backups for free. If not, then you’ll have to get a plug-in and take care of it yourself. A plug-in that I’ve used before and one that I highly recommend is called UpdraftPlus.

UpdraftPlus is a solid and feature-packed plug-in that I’ve had great experiences with. It can help make sure your website is backed up on a regular basis and you can even set it to upload the backups to different cloud service providers like Google Drive or OneDrive. It’s a really great option if your host doesn’t provide backup services.

#5 – Solid Webhost

Last but not least, you need to make sure that you have a good web host. A good web host can do a lot of the things that I talked about already in this article, like making sure your website is secure with an SSL certificate and that your site is backed up. In addition, a good web host should also provide a couple of other services.

One is malware scanning. It’s basically like antivirus software for your WordPress site. The web host will scan your site regularly and make sure everything is okay. If something is found, they will either send you an alert or they will fix it themselves.

The other thing a good web host provides is DDoS protection. If a hacker is trying to take your website offline and prevent visitors from getting to your website, they can use something called a distributed denial-of-service (DDoS) attack. A good host will actually be able to help prevent that. This is really important if you have an eCommerce website, or if you’re sending traffic to a website through paid ads. If a hacker is trying to take it down, having a web host that can help prevent these types of attacks is fantastic.

You also need to make sure that the web host is responsive with their support, and that they can actually help you.

There’s a lot of cheap hosting out there that’s available, but it’s cheap for a reason! They don’t provide a lot of these services and they don’t have great support, they just have a place for you to store a website. At the end of the day, if you’re making a website, you need something that’s reliable. After all, you aren’t just making a website for fun right? You want people to be able to get to it and you don’t want to have to worry about all these issues from a security side.

Personally, I highly recommend WPX Hosting. They only do WordPress hosting though, so if you have a Joomla website, they aren’t for you.

Since WPX Hosting is dedicated to supporting and hosting WordPress websites, their service is a lot higher quality than the typical hosting service. I’ve had some really great experiences with them and they offer the features I’ve talked about here.

They aren’t the cheapest solution, but they aren’t the most expensive either. To me, they’re really affordable, especially given the features that they provide.

I’ve also had to contact their support services a couple of times for some minor things, enabling some things on the back end, I’ll just leave it at that. Their response was very, very fast... less than 10 minutes. If you’re looking for a web host that provides you a little bit of peace of mind, WPX Hosting is worth a look.

#6 – BONUS

You made it to the end of the article! Here’s an extra tip just for you as a way of saying thank you!

You may be wondering why I didn’t talk about any security plug-ins. Well, to be honest, that’s something that everyone else talks about and they aren’t always needed. In fact, they may cause more harm than good.

Security plug-ins do help and provide some additional protection, but if you don’t have the other 5 pieces in place, they don’t help very much.

Not only that, they can sometimes cause other issues with your site. I’ve seen everything from not being able to save blog articles, to preventing backups from running.

Plug-ins usually take some work to make sure they run properly, and if you’re not very technical, or if you’re looking for a more hands-off security solution, you might think twice before installing one of these.

THAT SAID… I’d recommend having Jetpack installed on your website. Jetpack is more than just a security plug-in, and it’s from the makers of WordPress, so if anything will be safe for your site and easy to use, this is it.


Using basic security principles will go a long way toward keeping your WordPress site healthy and running. The easiest way to accomplish all 5 points can be done in 2 simple steps:

  1. Make using strong passwords easy with a Password Manager
  2. Use a good web host to take care of the other layers

If you’re looking for a good host, I personally use WPX Hosting.

I hope this was helpful! Please leave a comment below and let me know what other things I can do to help make sure that your life is secure.


About the Author

Mark Beall
