10 Things You Must Do if You Own, Run, or Manage a WordPress Website

by Dusty Hale of HALE.GROUP

Dusty Hale - Protect Your WordPress Website

If you own or manage a WordPress website this could be the most important thing you ever read concerning your website!

You MUST do these things, and if you pay an agency or someone else to manage your site you MUST make sure they are doing these things!!!

Let me just reiterate, if you own or manage a WordPress website, this could be the most important article you could ever read in terms of protecting your investment in both time and money spent on the site. WordPress is hands down one of the most popular website systems being used on the internet in current times. It’s open-source and it’s free and you can host it on most any reputable hosting service. That means you own your website, system, and content, and can move it and run it where and how you choose without limitations. It also has a robust plugin architecture allowing you or your development agency to customize the website’s look and feel as well as the system itself to suit almost any need in today’s modern web. However, with this level of ownership and popularity comes a price in terms of maintenance responsibilities. The popularity of WordPress and its commonly known open-source architecture make it a target for hackers all over the world. Website owners and administrators must be proactive to battle the constant attacks on WordPress sites and ensure their investments are protected.

Before I begin explaining the basic things one must do to protect a WordPress website investment, let me tell you about some of the horrors I’ve witnessed when one does not heed the advice I’m about to give. I’m a veteran web developer with over two decades of professional experience and some years ago when WordPress started becoming popular I’ve personally witnessed several entire sites destroyed and deleted by hackings on the popular hostgator.com platform and we’ve also worked with and helped numerous other site owners revive, repair, and in some cases rebuild their WordPress sites due to malicious attacks and hackings that could have been avoided using the advice below.

The basic things you MUST do if you own, run, or manage a WordPress website:

Okay, enough of the lectures ha! Let’s get you informed so nothing bad ever happens and you continue for years to come to be successful and thrilled with your WordPress powered website. The advice I’m about to give you is based on what we do in-house and our own preferences (HALE.GROUP) to protect our clients’ sites and our own sites. There are also other approaches, plugins, and methods as well but this is our own tried and true formula and I hope it helps you make the most of your site and I hope it helps you sleep better at night knowing your site is maintained well and protected as much as reasonably possible.

1 – Keep the WordPress Engine, Theme, and Plugins Up to Date

We recommend updating these things at least once quarterly and if you have the resources even better do it once a month. There are numerous approaches to keeping things updated from automating it to doing it fully manual one thing at a time and testing each update. Unless you want to risk having an unpleasant surprise to deal with, we recommend turning automatic updates off and updating these things manually on a cloned development environment or testing version of the site and absolutely do make backups of the live site before any update goes live. If you’re unsure about this, ask your administrator or web development agency.

2 – Use the WordFence Security Plugin

WordFence is our preferred WordPress security plugin and has many great features to keep WordPress sites protected from attacks. The free version provides all the basic layers of protection and a web application firewall and automatic scans that alert you to potential threats allowing you to take action. For more information and to download this plugin, visit the plugin’s page on WordPress.org at the link below or simply type the word ‘WordFence’ into the search bar of your site’s WordPress plugin dashboard and install directly from the dashboard.

Get WordFence

3 – Enable 2FA Authentication in WordFence

2FA or 2 Factor Authentication provides an extra step required to sign in to administration functions of a WordPress site. It can be enabled inside the WordFence plugin’s settings tab. Brute force login attempts are stopped by the extra step. In addition, you can add your own IP address and/or the IP addresses of your administrators to the safe list in the settings to override the extra step for any IP address on the list.


2FA WordFence Settings

4 – Limit the Number of Admin Login Attempts in WordFence

This is a setting inside the WordFence plugin mentioned above. We usually limit the login attempts to 3 times and set the lockout duration to 4 hours. In addition, there is another setting to block anyone attempting to use an unknown username to sign in. Hackers often attempt to sign in with the username “admin” since this is the default admin username for WordPress.

5 – Change the Name of the WordPress Admin URL

You can do this using the WPS Hide Admin plugin. Ask your administrator or agency to give your admin web address something unique like yourname.com/managestuff instead of the normal yourname.com/admin or yourname.com/wp-admin. Better yet if you do all your administration from the same IP address you could even ask your administrator to lock the admin screen from the entire world other than you or your office’s IP address thus you’ll never have a single attack on your login screen ever again.

WPS Hide Login

6 – Block Countries Known for Hacking and Attacks

You can install and use the IP2Location Country Blocker plugin for WordPress to block countries that cause problems on sites. We analyze stats regularly and monitor attack attempts and I can say undoubtedly that most of the attacks we see come from China-based IP addresses so unless you’re actually intending to serve audiences in China that is a good place to start blocking. We see attacks from other countries also and look at a website’s Google Analytics stats to see where the site’s visitors are coming from.

7 – Do NOT Have or Use the Username ‘admin’ in your System

While monitoring the website for my clients through WordFence security I regularly see brute force login attempts and often they are trying to sign in to the site with the username “admin” and this is basically because many WordPress sites don’t change or remove the default “admin” username after installing and launching the site. Hackers expect this user account to exist in the system and purposefully exploit that.

Suggestion: Check all your site’s user accounts and make sure the default admin account or any account with the username ‘admin’ is deleted. If you’re unsure, ask your administrator or agency to make sure this is done.

8 – Consider Disabling XML-RPC

XML-RPC is WordPress’s feature for allowing 3rd party applications to administrate and/or interact with WordPress. Unless you’re using other apps to manage and/or post to your site, I suggest turning it off because most of the unauthorized login attempts I see, seem to be using some form of hacker app that attacks the xmlrpc.php file of the targeted WordPress site. See the screenshot below of a typical day of attacks on the WordPress login on my personal site.

xmlrpc.php attacks

9 – Use a Reliable Hosting Vendor Known to the WordPress Community

This is possibly one of the most important points in this article. Spend a little extra money on your hosting to ensure the hosting environment itself is not a target for attacks. From our experience cheap hosting services from companies like HostGator, GoDaddy, 1and1, to name a few offer super cheap and easy to use hosting services but unless you subscribe to their extra security services and hacking repairs services these hosting networks seem to be a target for attacks and it’s not if but when your site gets hacked. In fact, with HostGator and GoDaddy we have seen attacks where entire sites were deleted and destroyed and unable to be recovered through their backup system. In case you’re stuck using cheap hosting on something less reliable then it’s especially important you do the other things in this article. On the other hand, we’ve had little to zero problems with WordPress hosting service on both Pantheon and SiteGround and recommend them both for WordPress related hosting. Pantheon is our preferred place but it’s costly. SiteGround is our preferred place for projects that need a dedicated cloud server for hosting multiple sites.

10 – Do NOT Rely on Your Hosting Vendor’s Backup Service

This is critical and even more so if you’re using cheap hosting services like GoDaddy, HostGator, 1and1, or other similarly priced services. Hosting vendors often provide backup services but often times and especially with cheaper level plans, their backups are not retained long. Some are retained for only a day before the backup is overwritten with a new daily backup. This means if your site gets hacked or infected or worse wiped out by accident, the new backup simply backups the infected version of the site, and thus you have a corrupted backup and no other backups to pull from. Always, always, always use a backup plugin that automates and retains full backups daily or weekly depending on how often your site is updated. Each backup should be retained for a minimum of 30 days in case your site gets infected and goes unnoticed for a few days you be able to go back as far as 30 days or more depending on how you configure it. UpdaftPlus is our preferred plugin for automating, retaining, and storing WordPress website backups and allows us to store the backups in our preferred cloud services such as Google Drive, DropBox, Amazon, etc. The plugin over 2 million installations and has a 5-star rating. I give it my personal approval as well and use it regularly. Visit the link below for more info and to download it or simply type ‘updraftplus’ into the search bar of the add plugins screen in your WordPress dashboard.

Get the UpdraftPlus Plugin to Keep Your WordPress Site Backed Up All the Time

Now that the Site is Safe, Relax, but don’t Forget 🙂

Peace of mind is important. Now that your WordPress site is as safe as it possibly can be, relax and enjoy the peace of mind but don’t forget to repeat point 1 in this list and keep your WordPress engine, theme, and plugin up to date with the latest released updates at least once every quarter and if you have the IT resources or a high traffic site, do it at least once a month.

Use G Suite Groups for Shared Inboxes

Use G Suite Groups for Shared Inboxes

Do you use G Suite to power your organization's email? Have you ever needed to set up a general email box like info@yourcompany.com or support@yourcompany.com for you and/or several colleagues or more to share and help respond to general communications that are not...



iDusty as in, I, Dusty Hale, founded HALE.GROUP over a decade ago and since that time we have developed and worked on numerous large scale website and application development projects. Visit HALE.GROUP to learn more.

About the Author

Photo of Dusty Hale surfing in Costa Rica.Dusty Hale
I'm a professional photographer and website solutions consultant living in beautiful Tamarindo, Costa Rica for over a decade. It is my joy and pleasure to serve others using my creative and technical skills in the digital industry.

If you have a suggestion, idea, or any thought at all, please reach out.

Reach Out