Developing a site with WordPress is always an exciting adventure: ideas, plugins to try, content creation and design, a thousand tests before reaching a finished product. In the midst of this creative process, the security of the WordPress site must also be considered. A “100% secure” site is difficult to achieve, but that is no reason to ignore the issue: the owners of the site are also responsible for it (this is one reason why every website should have an SSL certificate).

Some people might think “I’m not an interesting person, my website is not famous or popular”… And they are wrong: the popularity of WordPress, and the fact that its source code is publicly available, are a strong point but also a weak one. By exploiting a newly discovered vulnerability, an outdated version, or a weak password, an attacker can do damage.

There are essential tools and tricks, accessible to everyone, for the security of WordPress. Let’s see what they are.


Whenever we install WordPress, we have to create a database and an associated database user. Then we create an admin user. In both cases you need to create a password. The golden rule is to create complex passwords: long and difficult to guess. To be clear, passwords like these are not secure because they are easy to guess: Password, 1234, abcd, pass, or 2019.

A malicious person who tries to access the dashboard and simply types “admin” and “1234” would have total control of your website. They could immediately replace your content with their own (the classic “Hacked by”), delete pages and plugins, insert malicious code into PHP files and… change your password. That’s why we create complex passwords.
A random string of letters, numbers and symbols is a good solution: h6_2j=$!tg6%f2*4kB_n’
If possible, it is useful to add a second level of security by requiring a code sent via SMS to be typed in after the password. This is what we call two-factor authentication (2FA).

As for creating passwords, we strongly recommend buying a password manager such as 1Password, Dashlane or LastPass. In addition to storing passwords in an encrypted vault, these tools can suggest complex passwords. They have excellent technical support, exist for Mac, Windows, iOS and Android, and integrate with browsers. A good investment.



The second golden rule is to keep WordPress and its plugins up to date. Just like Microsoft Windows, a CMS receives security, stability and feature updates. Performing an update usually takes little time, a few minutes well spent. Not updating your site means leaving it exposed to potential attacks for longer.



The third golden rule is to put in place constant protection. Like cat and mouse, who knows what happens between two updates! There are very well-trained hackers who are always looking for ways to do damage. Protection is a must, which means Wordfence.


Wordfence for WordPress

This is a free plugin (with additional paid features) that lets you keep an eye on the security of your site. Thanks to its integrated firewall, Wordfence helps prevent your site from being “hacked” by identifying suspicious traffic and blocking it. It also blocks brute-force attacks. The cherry on the cake: Wordfence lets you block entire regions or countries, as well as individual IPs.


The fourth and last golden rule is to download or purchase themes and plugins from official sources: the websites of their respective publishers or the site. Pirated packages from dubious sources or torrents may contain malicious code.


Make regular backups. Hosting companies generally offer automatic backups. Alternatively, and in addition, there is an excellent plugin: UpdraftPlus. Free of charge, it lets you make and automate site backups. Note that you can configure it to send the backup to an FTP folder, your Dropbox account, Google Drive, etc.

UpdraftPlus for WordPress

The typical scenario is as follows: after an update, the site strangely shows a blank page or a server error… or PHP code has been injected into all of its files. By doing a “restore”, you can return to a clean version of the site and restart from there. It is essential to keep, on average, the last 3-5 backups of both the site files (images, PHP, CSS, etc.) and the database, where the content is stored.
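For readers who prefer to see what such a backup consists of, here is an added example (not code from the post and not an UpdraftPlus script) that does the plugin's job by hand: it reads the database credentials from wp-config.php, dumps the database, archives wp-content and wp-config.php together with the dump, and keeps only the newest five archives. The site path, backup directory and wp-config.php values it expects are assumptions.

```sh
#!/bin/sh
# Added example (not UpdraftPlus, not the post's own code): a hand-rolled
# backup of a WordPress site. Paths and the DB settings are assumptions.
KEEP="${KEEP:-5}"   # how many archives to keep (the 3-5 the text recommends)

# wp_config_value FILE KEY: print the value of define('KEY', 'value'); in wp-config.php
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# backup_site SITE_DIR BACKUP_DIR: dump the database and archive the site files.
# Prints the archive path; returns non-zero and leaves nothing behind if the dump
# or the archive fails, so a broken dump is never mistaken for a good backup.
backup_site() {
    site_dir="$1"; backup_dir="$2"; cfg="$1/wp-config.php"
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"          # sortable name, newest sorts last
    work="$backup_dir/wp-backup-$stamp"
    mkdir -p "$work" || return 1
    host="$(wp_config_value "$cfg" DB_HOST)"
    # The password goes through the environment, not the command line (visible in ps).
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
        mysqldump --single-transaction -h "${host:-localhost}" \
        -u "$(wp_config_value "$cfg" DB_USER)" "$(wp_config_value "$cfg" DB_NAME)" \
        > "$work/db.sql" || { rm -rf "$work"; return 1; }
    gzip "$work/db.sql"
    # Site files (uploads, themes, plugins, config) plus the dump in one archive.
    tar -czf "$work.tar.gz" -C "$site_dir" wp-content wp-config.php -C "$work" db.sql.gz \
        || { rm -rf "$work" "$work.tar.gz"; return 1; }
    rm -rf "$work"
    echo "$work.tar.gz"
}

# prune_backups BACKUP_DIR N: keep only the N newest wp-backup-*.tar.gz archives.
prune_backups() {
    ls -1 "$1"/wp-backup-*.tar.gz 2>/dev/null | sort -r | tail -n +"$(($2 + 1))" \
        | while read -r old; do rm -f -- "$old"; done
}

# Usage: ./wp-backup.sh /var/www/html /var/backups/wordpress
if [ $# -eq 2 ]; then
    backup_site "$1" "$2" && prune_backups "$2" "$KEEP"
fi
```

Run it from cron on the server, and copy the archives somewhere off the host (the post's FTP folder or cloud drive) so that a compromised site cannot also delete its own backups.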