7 Tips to improve website security

In this tutorial, we will cover seven steps to improve your site’s security. Ensuring the security of your website is of paramount importance in today’s digital landscape. With cyber threats becoming increasingly sophisticated, it is crucial to implement robust measures to protect your website and the valuable data it holds.

Learning outcomes

  1. Use a password manager and secure passwords.
  2. Implement two-factor authentication.
  3. Review and manage user accounts.
  4. Install a trustworthy plugin and theme.
  5. Keep plugins and themes up to date.
  6. Install a security plugin.
  7. Stay informed about security.

Comprehension questions

  1. What are some key measures you can take to enhance the security of your website?
  2. Should you invest in a security plugin?


Welcome to Learn WordPress. Let’s talk about seven tips to improve website security.

Number one, use a password manager and secure passwords for your logins. Password managers such as 1Password and Bitwarden are worth exploring. One of the most common areas for security failure is, unfortunately, the human one. No two passwords should ever be the same, and ensure passwords are at least 10 to 12 characters and include numbers and symbols. And remember, never use admin as a username. Password managers store your passwords securely and allow you to generate unique secure passwords for each login without needing to remember each one.

Number two, use a two-factor authentication. Two-factor authentication can significantly enhance the security of your WordPress site by adding an extra layer of protection to the login process. This way, even if someone else gets your password, they still can’t log into your account without that second factor. Two-factor authentication may seem like a small step, but it can greatly improve the security of your online accounts and help protect your personal information. You can search for a two-factor authentication plugin, such as WP 2FA two-factor authentication or miniOrange’s Google Authenticator. Some security plugins also include two-factor authentication, but we will talk more about security plugins in a minute.

Number three, always review your user base, remove unnecessary users and be very selective of admin users. Let’s make our way to Users in the dashboard. User roles such as editors, authors and contributors should be monitored. Typically the administrator role is reserved for the website’s owner. Removing unnecessary users will minimise the potential attack surface or entry points that attackers can exploit.

Number four, only install plugins and themes from trusted developers and uninstall what you are not using. To assess the reliability of a theme or plugin there are a few things to review. Check user feedback and reviews, note when it was last updated, look at the number of active installs, explore their support and documentation, and double-check that it is compatible with the latest version of WordPress.

Number five, keep your plugins and themes up to date and remember to back up your site before updating. But you might be asking, “why?”. Keeping your WordPress themes and plugins up to date is important for maintaining the security, stability and compatibility of your site. Updates often include security patches that fix vulnerabilities in software, as well as bug fixes that could cause your site to malfunction or break. These bugs could also potentially be exploited by attackers to gain unauthorised access to your site. By keeping your website up to date, you can ensure that your site is protected against the latest security threats and run smoothly with the latest web technologies.

Number six, install a security plugin like Wordfence, Jetpack Security or iThemes that will scan your site for any reported vulnerabilities. There are also many other plugins available in the plugins directory worth exploring, such as Patchstack, All-In-One security, etc. A website security plugin can help protect your website from common cyber threats, block malicious traffic and alert you to potential security issues. In essence, a security plugin will help you maintain the security and integrity of your website.

And finally, number seven, something for more advanced users. Follow security focus blogs like Patchstack, WPscan or blog.sucuri, which reports any new vulnerabilities for which there are updates as well as emerging web threats. Then there are also some other steps worth exploring. Firstly, choosing a reliable web host. Secondly, installing an SSL certificate if your host has not already installed one, which will allow you to enable HTTPS, which ensures that no information is passed in plain text. And thirdly, using a spam detector, especially if you have a blog or allow comments on posts.

All the best keeping your site safe and secure. And visit Learn WordPress for more tutorials and training material.

Workshop Details


Wes Theron

I am an Instructional Designer for the WordPress open-source project sponsored by Automattic. I am a strong supporter of the open-source movement. I have a background in education and content development. I am a husband, father, dreamer and lifelong learner.