The Complete WordPress Security Guide Part 2

Part 1 of this security-based miniseries discussed the vital foundations that you need to lay to set up a secure website, but it doesn’t end there. Part 2 discusses tips to help you to keep your WordPress site secure long-term from updating non-active plugins and themes to preventing and blocking bad bots.

The Complete WordPress Security Guide part 2: Maintaining a secure WordPress site

Security is top of the list of concerns for website owners. You want to protect your company's business data, and you need to comply with data and privacy regulations to make sure that your customers' details aren't breached.

This makes secure managed WordPress hosting a crucial issue, but there are also other steps you need to take to protect your website. We've already discussed the vital foundations that you need to lay to set up a secure website, but it doesn’t end there.

Building a secure WordPress hosting or self-managed site is the first and critical step in keeping your website protected from hackers and malicious actors, but maintenance is crucial too. This section discusses tips to help you to keep your WordPress site secure over the long term.

* This guide is aimed at WordPress websites hosted on a Linux server, but maybe relevant for secure WordPress hosting on Windows servers as well.

Keep WordPress up to date

Both your core WordPress and your plugins and themes need to be kept up to date if you want secure WordPress hosting and a safe website.

WordPress developers regularly upgrade the system to improve it in different ways. They add new features, improve its stability and performance, and enhance existing feature performance in order to stay up to date with today's standards.

Most importantly, updates also fix bugs that were found since the previous release, as well as adding proactive security fixes and improvements.

WordPress is an open-source system that is widely available online, so every security issue in older releases are well known across the internet and are easy prey for hackers who target old and out-dated software. For example, security experts Sucuri recently wrote about a security breach called XSS that was fixed by WordPress version 5.1.1. If your WordPress version is out of date, its security flaws are well known and are easier for attackers than to try and find new flaws and exploits in newer WordPress versions.

That's why it's so important to regularly update your site to the latest version of WordPress.

By default, WordPress automatically installs minor updates, but for major releases you must enable the Automatic Updates feature in the Systems Update menu.

Irina Strelnikova / Shutterstock

Additionally, you should never perform any changes to WordPress' core files for your secure WordPress hosting site. Because updating WordPress usually deletes your changes, it makes you less likely to want to carry out updates, and that will directly impact your website security and lead to potential security breaches and other issues in the future.

uPress Customers: The main dashboard shows 2 toggles for automatic updates under the WordPress tab, one for the core WordPress releases and another for plugin updates. Toggle them both to "On."

Migrate to uPress within 24 hours

Closely monitor activity on your website

Another way to ensure secure WordPress hosting for your site is to closely monitor crucial activities that happen in the management area, both in real-time and past activity. That's not something you can handle manually, so you'll need a logging plugin that'll run in the background and document every action.

When you utilize these plugins as part of your secure WordPress hosting, you’ll always be able to see which users logged on to your website, what they edited, which changes were made, what plugins were added/removed, which media files were uploaded, which configuration changes were made, and more. It helps you correct mistakes that could leave your secure WordPress hosting site vulnerable to attack, and spot suspicious behavior that could be a sign of malicious action.

To do all this, you can use the plugin ARYO Activity Log, which is available for download from the official WordPress plugin repository.

Keep regular backups

A good, trustworthy backup system is the first tool in your secure WordPress hosting arsenal against WordPress security exploits. Remember, no website is 100% secured at all times, so you need a way to fix everything if the worst should happen and your site gets hacked.

Bear in mind that government and international corporate websites are hacked into on a daily basis, so your smaller website is vulnerable too. Having an accessible backup allows you to quickly recover from a breach in your secure WordPress hosting by restoring your data from a version that is known to be secure and safe.

You can and should backup your WordPress websites in a few different places:

  • At the server level. It's recommended to perform a daily backup for your secure WordPress hosting at least every 30 days, if not more often, and it's even better if the backups are stored on a different server.
  • Using a trusted backup plugin. This is a less reliable option, but it can be a valid secondary backup system. There are a few free or premium plugins available, such as VaultPress or UpdraftPlus. We recommend using a plugin that can send backups to an external cloud storage service like Dropbox or One Drive.

Use the 3-2-1 rule: Keep at least 3 copies of the data, at least on 2 locations, and at least 1 copy off-site

Remove non-active plugins and themes

In August 2011, it was revealed that the popular script TimThumb was vulnerable to malicious exploits. TimThumb was and still is included in many popular WordPress plugins and themes. Within days we saw attackers using this vulnerability to their advantage, ranging from spamming WordPress sites with promotional material for other websites (SEO hijacking) to modifying PHP files that are stored on the server with random, meaningless characters at best, or even injecting other malicious code and exploits.

Most website owners didn’t realize that the script (and the malware) was running on their server and compromising their secure WordPress hosting. Some of them deactivated the problematic plugin or theme, but did not completely remove them. Deactivating the plugin or theme was meaningless and didn’t help at all, since the vulnerability remains as long as the problematic code exists on the server.

The Golden Rule for plugins and themes is if you’re not using a plugin or theme – delete it!

Block and prevent Bad Bots

Most hackers tend to send "spies" to check on a website before they start an attack. These are what we call "Bad Bots."

Bad Bots affect your website's performance, steal your content, occupy your valuable bandwidth, badly sabotage your website statistics, and most importantly, they look for security vulnerabilities in your secure WordPress hosting.

You can find a long list of bots that have been marked as "bad" at If you're using a security plugin or secure WordPress hosting service, you're probably already blocking the bots on this list.

uPress customers: There's a "block bad bots" toggle under the security tab in our management panel.

Understand the minimum requirements for a secure server

Your managed WordPress hosting service plays the most important part in securing your WordPress website, so it’s vital to find a secure WordPress hosting service.

A secure WordPress hosting company should:

  • Closely monitor new and existing security threats around the web, taking extra measures to secure WordPress hosting servers.
  • Be capable of withstanding a DDoS attack.
  • Regularly maintain the core components of the server, frequently updating them to prevent any chance of security vulnerabilities.
  • Offer a Disaster Recovery feature and a contingency plan, in case of an emergency.
  • Support PHP version 7.2 and MySQL version 5.5 and up
  • Completely separate between different users on a shared secure WordPress hosting service
  • Run a built-in firewall, preferably WAF that offers options specifically for secure WordPress hosting, and a Network Intrusion Detection System that regularly scans website activity.
  • Frequently scan websites on your secure WordPress hosting server and update you about them when necessary
  • Enable you to track any file changes on your website.

Maintaining a secure WordPress site is an ongoing task

As you can see, setting up a secure WordPress site using secure WordPress hosting is important, but it's not enough to protect your website forever. Using a secure WordPress hosting service that meets certain requirements for a secure server goes a long way to helping you maintain your secure site, but you also need to take responsibility for keeping your WordPress version up to date and backed up, monitoring website activity, removing disused plugins and themes and blocking and preventing bad bots.

We hope you found this guide useful. Do you have anything to add, or want to give your own advice for securing a WordPress website? Or, if you have any questions about managed WordPress hosting in general, we'll be happy to hear from you!

As managed WordPress hosting experts, we know what we're talking about, whether you need advice on backups, plugins, or security. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet? Click below and join us.

Explore plans

hello world!

Read more about these topics!

Related Posts

The Complete WordPress Security Guide Part 1

Every website owner’s biggest concern is securing a managed WordPress hosting website. In this series, we’ll walk you through the best maintenance and security advice for securing your managed WordPress hosting website from secure themes and plugins to passwords and permission management.
Read More

How to Change Date and Time Formats in WordPress

Are you doing business internationally? Or perhaps you’re in a location that requires a 24-hour clock (many European and Middle Eastern cultures write in “army time” - like “Meeting at 18:00”.) If that’s the case with your target audience, you need to meet them where they are in the language and format they’re used to. Learn how to change the time zone if you’re targeting users in a specific location, or adapt the date and month to match local customs.
Read More

The uPress Site Migration Tool

Our smooth, user-friendly Auto Migration Tool automates WordPress migration to make it friction-free. This user-friendly guide will teach you how to migrate your site in 1,2,3, go!
Read More