Back to Blog
Share on:
  • Web
  • Web

WordPress Security 101

By Thad Bloom

Avatar for Thad Bloom

WordPress is an extremely popular content management system for non-profit websites. Because of it’s popularity, hackers and bots often target WordPress. Here are a few simple rules to protect your website.

1) Choose a secure password and NEVER send an email that contains your password to anyone – even Imagebox!

I can’t stress how important this is. Often, I find that individuals will not only use a weak password – but will send their weak password to me in an email, including a handy link to the login page. Email is the most insecure method to send information that is intended to be private. The best way to share private information across the web is through an application or service that encrypts the data. We often ask our clients to fill out a text document on our Basecamp account.

Bonus: My colleague Chad has written a great post on secure password selection with tips on how to manage your passwords. For more information, check it out!

2) Pick a good user name for your admin account(s).

Bots typically attack the WordPress login screen, attempting to “brute force” their way into your website. To minimize the chance of your account being compromised, you should never use the following usernames for an admin account:

  1. admin
  2. administrator
  3. webmaster
  4. info
  5. websitename (ex: imagebox)
  6. (ex:
  7. wordpress

A good choice for your username, would be your first name. Additionally, you could add the year you were born (ex: thad1985).

3) Not everyone in your non-profit needs to have the ‘admin’ role.

The admin user role for WordPress has access to many features that can easily be used to exploit your non-profit’s website. This includes managing/installing plugins and themes, editing core settings, managing users and much more.

Often times, the editor role is sufficient for most of your users. The editor role allows the user to create and delete posts or pages, upload media and moderate comments.

4) Use a security plugin.

There are handful of good plugins that are great at helping you keep your website secure. At Imagebox, we usually recommend and install Wordfence.

One of my favorite features of Wordfence is the ability to automatically lock out individuals or bots after they have attempted to login to the WordPress backend with an invalid username and password combination. This feature alone will stop 99.9% of attacks on your WordPress website.

5) Keep WordPress, plugins and themes up to date.

Running the latest and greatest versions of your software is crucial. A relatively new feature within the WordPress core software is the ability to allow automatic updates to WordPress. This allows the WordPress development team to quickly deploy important security updates automatically across the web. Some premium plugins even allow for automatic updates.

Our more tech-savvy clients sometimes opt to perform updates on their own. If you think you fit into this category, just make sure to create a backup of your files and database. There are plugins that can assist with this process, such as UpdraftPlus, BackUpWordPress or VaultPress.

Alternatively, if you’d like us to help you with WordPress updates, feel free to contact us for a quote.

6) Never install plugins or themes from an untrusted source.

Name any popular premium WordPress plugin or theme and you can easily perform a search on Google to find a pirated copy. 99.9% of the time, these pirated copies contain malware that will infect your site in the blink of an eye. has an exhaustive selection of plugins and themes that can be trusted. Other sources for trusted software include any website that sells premium themes or plugins. If you’re unsure whether you should trust a plugin you’ve found, feel free to ask us!

If your website security has been compromised, what should you do?

Chances are, you will not know how to fix the problem yourself. While Imagebox can assist with manual removal of malware, this can often be time consuming. We recommend signing up for the service at Sucuri. The most basic plan for Sucuri costs $199.99/year and should be sufficient to clean your website and offer protection for the rest of the year.

After malware has been removed, you should update the passwords for the following:

  • All WordPress accounts that have the admin, editor or author role assigned.
  • FTP
  • MySQL database
  • cPanel (if applicable)
  • Hosting Account (Siteground, WiredTree, GoDaddy, etc.)

There are other, more technical steps that can be taken in order to harden the security of your non-profit’s WordPress website. At Imagebox, we strive to provide you with a website that not only looks good, but also introduces itself to the World Wide Web wearing a bulletproof vest!