Getting started with WordPress security



In this lesson, we will walk you through the essential steps to establish a strong security foundation for your new WordPress website. These practices will ensure your online presence is safe and secure. Let’s get started.

Learning outcomes

Here are the learning outcomes for this lesson: keeping your site up to date, selecting a secure hosting provider, choosing a robust password, choosing two-factor authentication, installing and activating a security plugin, and lastly, controlling who has access to your site.

Keeping WordPress updated

The most important thing to do for WordPress security is to keep WordPress itself and all installed plugins and themes up to date. You will be happy to hear WordPress automatically applies security updates. Since the WordPress 5.6 release, every new site has had automatic updates enabled for minor and major releases. Users are also encouraged to choose themes and plugins that are actively receiving updates.

Choosing the right hosting provider

Next, selecting the right hosting company is crucial. When choosing a hosting provider for your website, make sure they include security features that will keep your site safe. Here are some features you would want them to include in their offerings. Please note some hosts might charge more to include these services.

1. A firewall to block suspicious activities to ensure only the right traffic enters your website.
2. Malware protection. This is like having a security guard who checks everything coming in for any harmful bugs or viruses. Malware protection scans your website regularly to remove any malicious software that could harm your site or visitors.
3. An SSL certificate, which includes an encryption code that ensures all information sent between your website and your visitors is secure. SSL stands for Secure Sockets Layer.
4. Regular backups. This means your website’s content and data are saved regularly. If something goes wrong, you can restore your website to a previous healthy state.
5. DDoS protection. This helps your site handle surges in traffic, ensuring it doesn’t crash or slow down. DDoS stands for Distributed Denial of Service.
6. Lastly, SFTP access. This is like having a special secure tunnel for transferring files to and from your website. It ensures that your files are moved safely without being intercepted by unauthorized parties. SFTP stands for Secure File Transfer Protocol.

Choosing a robust password

Next, it’s imperative to establish a robust password. Passwords are key for safeguarding your website. Your password is the weakest link in the security of anything you do online. If your password is easy to guess, your online identity is vulnerable. Make sure you don’t use simple or predictable passwords. Instead, make sure your passwords include a mix of uppercase and lowercase letters, passphrases, numbers, and special characters. Aim for a length of at least 12 characters, and you can also use spaces. Avoid using birth dates, nicknames, or other personal information as a password.

Let’s look at a quick example of a password that is easy to remember but hard to guess. The password is Monks Drive to the Beach, but of course, I’ve included special characters, capital letters, lowercase letters, numbers, spaces, etc.

Logging out of your account

You can also protect your account by logging out when you’re finished working. This is especially important when working on a shared or public computer. If you don’t log out, someone can access your account by viewing the browser history and returning to your dashboard.

Two-factor authentication

Another step worth mentioning is to enable two-factor authentication to fend off brute force attacks. A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. Two-factor authentication usually involves entering a code or interacting with an application on a smartphone when attempting to log into a service, in this case, WordPress.
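
An added example, not part of the original lesson: one common form of the smartphone code described above is a time-based one-time password (TOTP, RFC 6238), and this sketch shows why a guessed password alone is not enough once it is required. It assumes that scheme; the secret is the published RFC test value, and `verify_code` and `login` are hypothetical helper names.

```python
import hashlib
import hmac
import struct

# Published RFC 4226 / RFC 6238 test secret, used here only as sample input.
SECRET = b"12345678901234567890"


def totp(secret, at, digits=6, step=30):
    """RFC 6238 code for Unix time `at` (HMAC-SHA1 over the interval counter)."""
    counter = max(0, int(at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret, submitted, at, window=1, step=30):
    """Accept the current interval's code, or one `window` intervals either side."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret, at + drift * step, step=step)
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


def login(password_ok, secret, submitted, at):
    """Both factors must pass: a correctly guessed password alone is refused."""
    return bool(password_ok) and verify_code(secret, submitted, at)


if __name__ == "__main__":
    print(totp(SECRET, 59))
    print(login(True, SECRET, "000000", 59))
```
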

WordPress does not have two-factor authentication by default. However, there are several plugins that provide two-factor authentication for self-hosted WordPress websites, and that leads to the next important topic, namely security plugins.

Security plugins

Enhance your security further by installing a WordPress security plugin. Many security plugins also include two-factor authentication. WordPress security plugins are essential tools that safeguard your website from cyber threats. They provide real-time monitoring, prevent brute force attacks, offer firewall protection, and scan for malware. These plugins enhance login security, ensuring only authorized users can access your site.

Controlling who has access to your site

Finally, controlling who has access to your site is essential. While each site has only one owner, you can have other users share some of the administrative load. However, sharing the load also means sharing the responsibilities. WordPress provides different user roles, such as contributor, author, editor, and administrator. Contributors have the most limited role. They can only draft posts but can’t publish them. Authors can publish posts and upload images but can’t edit other users’ posts. Editors can edit or publish any user’s posts, moderate comments, and manage categories and tags. Lastly, administrators have full control of a site. They can even delete it, so it is recommended that each site only has one administrator. Assign these roles carefully based on the level of access users need. Avoid giving unnecessary administrator privileges to prevent potential mishaps or unauthorized changes.
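
An added example, not part of the original lesson: a small audit that compares each user's assigned role with the lowest role their tasks require and flags more than one administrator. The capability names are a subset of real WordPress capabilities; the user list is constructed sample data, and `least_role`, `audit` and the per-user needs are hypothetical.

```python
import csv
import io

# Subset of real WordPress capabilities, grouped the way the lesson describes the roles.
ROLE_ORDER = ["contributor", "author", "editor", "administrator"]
ROLE_CAPS = {"contributor": {"edit_posts"}}
ROLE_CAPS["author"] = ROLE_CAPS["contributor"] | {"publish_posts", "upload_files"}
ROLE_CAPS["editor"] = ROLE_CAPS["author"] | {
    "edit_others_posts", "moderate_comments", "manage_categories"}
ROLE_CAPS["administrator"] = ROLE_CAPS["editor"] | {"manage_options"}


def least_role(needed):
    """Return the lowest role whose capabilities cover everything in `needed`."""
    for role in ROLE_ORDER:
        if needed <= ROLE_CAPS[role]:
            return role
    raise ValueError(f"no listed role grants {sorted(needed)}")


def audit(users_csv, needs):
    """Compare each user's assigned role with the least role their tasks require."""
    findings, admins = [], []
    for row in csv.DictReader(io.StringIO(users_csv)):
        login = row["user_login"]
        roles = [r.strip() for r in row["roles"].split(",") if r.strip()]
        if "administrator" in roles:
            admins.append(login)
        known = [r for r in roles if r in ROLE_ORDER]
        if not known:
            findings.append((login, "review manually: role not covered by this audit"))
            continue
        assigned = max(known, key=ROLE_ORDER.index)
        wanted = least_role(needs.get(login, set()))
        if ROLE_ORDER.index(assigned) > ROLE_ORDER.index(wanted):
            findings.append((login, f"over-privileged: has {assigned}, needs {wanted}"))
    if len(admins) > 1:
        findings.append(("*", f"{len(admins)} administrators: {', '.join(admins)}"))
    return findings


# Constructed sample, shaped like `wp user list --fields=user_login,roles --format=csv`.
SAMPLE_USERS = ("user_login,roles\nowner,administrator\nmaria,administrator\n"
                "sam,editor\nlee,author\nguest,subscriber\n")
# Hypothetical record of what each person actually does on the site.
SAMPLE_NEEDS = {"owner": {"manage_options"}, "maria": {"edit_others_posts"},
                "sam": {"publish_posts", "upload_files"}, "lee": {"publish_posts"}}

for login, message in audit(SAMPLE_USERS, SAMPLE_NEEDS):
    print(f"{login}: {message}")
```
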


By choosing secure hosting, utilizing WordPress security plugins as well as two-factor authentication, creating strong passwords, and managing user roles, you will significantly enhance your website’s protection. Please note that we do not endorse any of the themes or plugins mentioned in this video tutorial. They are merely examples.