Yes, WordPress is safe. WordPress is secure, as long as publishers take website security seriously and follow best practices. Best practices include using safe plugins and themes, keeping responsible login procedures, using security plugins to monitor your site, and updating regularly.
Unlike themes and plugins, there’s only one WordPress core, and it’s maintained by a world-class security team. WordPress stays on top of vulnerabilities in its software and releases security updates to patch the core files. Whenever WordPress releases an update, install it as soon as you can, since the issues each update fixes are public knowledge.
There are also measures on your end that keep WordPress running at its safest. These include:
- Protecting your login with strong passwords. Additional features like two-factor authentication and plugins to limit login attempts and add captchas are also worth looking into.
- Installing a WordPress security plugin that can scan your site for malware, and running scans of your website on a regular basis.
- Enabling SSL so visitors can securely connect to your site.
- Hosting your website with Webfoot Marketing and Design, our English-speaking, US-based hosting.
Suggested Plugins
WPS Hide Login
WPS Hide Login is a super light plugin that lets you easily and safely change the URL of the login form page to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the URL. Deactivating this plugin brings your site back exactly to the state it was in before. https://wordpress.org/plugins/wps-hide-login/
Simple Login Captcha
A simple captcha for the WordPress login form. To be able to log in, the user is required to enter a random 3-digit number in a text field.
The correct number is displayed above the field by a small JavaScript code. Compatible with the WooCommerce login form. Compatible with multisite. https://wordpress.org/plugins/simple-login-captcha/
Really Simple SSL
Really Simple SSL automatically detects your settings and configures your website to run over HTTPS. To keep it lightweight, we kept the options to a minimum. Your website will move to SSL with one click. https://wordpress.org/plugins/really-simple-ssl/
Limit Login Attempts Reloaded
Limit Login Attempts Reloaded stops brute-force attacks and optimizes your site performance by limiting the number of login attempts that are possible through the normal login as well as XML-RPC, WooCommerce and custom login pages.
This plugin will block an Internet address (IP) and/or username from making further attempts after a specified limit on retries has been reached, making a brute-force attack difficult or impossible. https://wordpress.org/plugins/limit-login-attempts-reloaded/
Update WordPress Admin Username
Using the steps below, we show you how easy it is to add a new WordPress administrator user, delete the old, insecure default admin user, and then attribute all of the old user’s posts to your new secure user.
- From the left-hand menu, hover over Users, then click on Add New.
- Fill in all of the user fields with new info. Then select Administrator from the Role drop-down. Finally, click on Add New User.
- You should now see your new admin user you just created.
- Hover over Howdy, admin at the top-right. Then click on Log Out.
- Now type in your new WordPress admin username and password and click login.
- From the left-hand menu click on Users.
- Prior to deleting your old admin user, I’d recommend you back up your WordPress database just in case. Hover over the old admin user, then click Delete.
- BE CAREFUL! Deleting your old WordPress admin user without attributing its posts to your new admin user will delete all those posts! Now select your new admin user from the Attribute all posts drop-down, and click on Confirm Deletion.
- You should now see that the old admin user has been deleted, and you should be left with only the new administrator user, with all the old posts attributed to it.
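The same procedure done with WordPress core functions, as an added example that is not part of the original page or of Webfoot's own tooling; it assumes you run it once with `wp eval-file`, and the old login "admin", the new login "siteowner" and the e-mail address are placeholders to change for your site. The second argument to `wp_delete_user()` is what the "Attribute all posts" drop-down does, and the check before it refuses to delete without a reassignment target.

```php
<?php
// Added example: replace the default "admin" account the way the dashboard
// steps above do, but from code. Run once: wp eval-file rotate-admin.php
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here

$old_login = 'admin';             // assumed: the default account to retire
$new_login = 'siteowner';         // assumed: the new administrator login
$new_email = 'owner@example.com'; // assumed: placeholder e-mail address

$old = get_user_by( 'login', $old_login );
if ( ! $old ) {
    exit( "No user named {$old_login}; nothing to do.\n" );
}

// Step 1: create the replacement administrator with a random strong password.
$password = wp_generate_password( 24, true, true );
$new_id   = wp_create_user( $new_login, $password, $new_email );
if ( is_wp_error( $new_id ) ) {
    exit( 'Could not create user: ' . $new_id->get_error_message() . "\n" );
}
$new = new WP_User( $new_id );
$new->set_role( 'administrator' ); // wp_create_user() only grants the default role

// Step 2: safety checks. Never delete the account you are acting as, and never
// reassign posts to the account that is about to be deleted.
if ( $old->ID === $new_id || get_current_user_id() === $old->ID ) {
    exit( "Refusing to delete the active or newly created user.\n" );
}

// Step 3: delete the old user and move every post it owned to the new one.
// Called without the second argument, wp_delete_user() deletes the old user's
// posts too, which is the data loss the dashboard warning is about.
$posts_before = (int) count_user_posts( $old->ID );
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    exit( "Delete failed; old user left in place.\n" );
}

// The generated password is shown once; log in with it and set your own.
printf( "Created '%s' (ID %d) and moved %d posts to it. Password: %s\n",
    $new_login, $new_id, $posts_before, $password );
```

Take the database backup the step above recommends before running it; the delete is not reversible.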