WordPress security is a topic that gets a lot of attention, both good and bad. If you listen to some people they’ll tell you that WordPress isn’t secure and using it will leave you wide open to hacks. True, WordPress sites are constantly being targeted by hackers but not because WordPress itself is inherently insecure.

WordPress is a target for two reasons: one, it’s used more than any other website platform, and two, there are some common but easy-to-fix mistakes that people make when it comes to WordPress Security. Here’s how to fix them to make sure that hackers have no luck on your WordPress site.

When talking WordPress security I like to take a bottom-up approach, starting with the web server that your website lives on.

WordPress Security Step 1: Pick a Good Web Host

A good web host will make sure that the software that WordPress relies on—the host operating system (usually Linux), Apache or Nginx, PHP, and MySQL—is kept up to date on their servers.

These programs can have security holes too, and updating them regularly closes one door to hackers. Unfortunately some hosts go for years without updating existing accounts, leaving you vulnerable.

It’s hard to keep track of which hosting companies do the best job, but in general avoid the $5/month cheapo specials from the big companies. Sites using those hosting plans get the least attention and fewest resources from the hosting company. For a site that your business relies on, expect to spend $20-$30 a month for a solid plan that will keep your site secure and stable.

WordPress Security Step 2: Use Strong Passwords and Smart Usernames

Long, long ago in a more innocent time every WordPress site started with one user account named “admin”. This account had administrator access which meant that anyone who logged in as admin could do pretty much anything to your site. Hackers knew that there would almost always be an “admin” user name, so they only had to guess the password, cutting their work in half.

Luckily WordPress wised up and now you need to provide both the username and password for the first administrator account. Don’t choose anything like “administrator”, “webmaster”, or any variation on your site’s name or URL. These are too easy to guess and get hackers halfway in your front door.

You also need to select a strong password. When you create your password in WordPress there’s a handy password strength meter to help you pick a hard-to-hack password. Don’t be tempted to ignore this: a random string of letters, numbers, and punctuation that you have to keep written down in your wallet is much more secure than some combination of your first pet’s favorite food and your great-aunt’s birthday.

WordPress Security Step 3: Only Install Trusted Software

Just like your computer, your site can get hacked by software that appears to be legitimate but has a hidden, sinister purpose. The best way to stay safe is to only install plugins from trusted sources like the WordPress.org repository, Envato Market, or the websites of reputable software development companies.

Never install plugins that have been “nulled” (i.e. hacked versions of premium plugins that you can get for free) or premium plugins being sold at a steep discount on a site not owned by the plugin developer.

These plugins have been modified so that registration is no longer required—but what else has been modified? They could open up a secret “back door” into your site. Also, you’ll be hard pressed to get security or compatibility updates for these pirated plugins, and getting those updates is vital.

WordPress Security Step 4: Keep Your Site Up to Date

This is without question the most important part of WordPress security. If you’re running an old version of WordPress, a plugin, or a theme with a known security hole you’re at risk even if you are using a secure web host and have a strong user name and password.

Out-of-date software is the number one reason why WordPress sites get hacked, and some of the responsibility for this lies on the people who build WordPress sites. A lot of WordPress designers and developers hand over sites to their clients without mentioning updates at all.

There are a couple of ways to fix this. One is to use a Managed WordPress host that will take care of updates for you. This is the most fool-proof way since it’s totally out of your hands, but be sure to verify what your host will update. Some only update WordPress itself, leaving the task of keeping plugins up to date to you. Others do it all.

If your host doesn’t provide update services, download and install the Easy Updates Manager plugin right now. This plugin lets you enable automatic updates yourself. If you decide to automatically update your themes, make sure that your site is using a “child theme”, or else your theme customizations will get wiped out the next time the theme is updated.

Take note that if you have any “premium” plugins or themes that you paid for and require an annual renewal fee, you will need to make sure you stay on top of these or else you will probably stop receiving updates. This can be a big problem—a popular page building plugin, Visual Composer, often needs to be updated when new versions of WordPress come out. If you can’t update WordPress because you don’t have a license to receive updates to Visual Composer or other premium plugins you could put your site at risk.

Finally, you might hear that updates are bad because they might break things. This is sometimes true of major WordPress or WooCommerce updates, say from version 4.6 to 4.7. But minor bug fix updates like 4.7.1 to 4.7.2 almost never cause this type of problem, and if they do, plugin developers are notified in advance. To be on the safe side always update all of your plugins before running an update of the WordPress core.
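As an added example (not from the original article), here is the update policy described above expressed with WordPress’s own update filters rather than a plugin’s settings screen: minor core releases install themselves, major ones wait for a staging test, a licensed premium plugin is left for manual updating, and themes only auto-update when a child theme is active. The plugin slug in the list is a placeholder, not a real plugin.

```php
<?php
/**
 * Plugin Name: Update Policy (added example)
 * Description: Enables the automatic updates Step 4 recommends. Save as
 *              wp-content/mu-plugins/update-policy.php; must-use plugins need no activation.
 */

// Minor core releases (4.7.1 -> 4.7.2) install themselves; major ones (4.6 -> 4.7)
// wait for a staging test. This is WordPress's default, made explicit here;
// define( 'WP_AUTO_UPDATE_CORE', 'minor' ) in wp-config.php does the same.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins update automatically, except ones whose updates depend on a paid license
// that has to be kept current by hand. The slug below is a placeholder, not a real plugin.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $manual_only = array(
        'example-premium-builder/example-premium-builder.php', // placeholder slug
    );
    if ( isset( $item->plugin ) && in_array( $item->plugin, $manual_only, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes update automatically only when the site runs a child theme, so a parent
// theme update cannot overwrite customizations that live in the child theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    return is_child_theme();
}, 10, 2 );
```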

The best practice is to run a “staging” site, which is a clone of your website running at a different URL. This lets you test updates without worrying about taking your actual website down. Which leads me to my next point…

WordPress Security Step 5: Keep Backups!

If, despite all your efforts, your site gets hacked, or an update causes problems, you will need a backup. That way you can just restore your site to its working state. There are dozens of backup plugins or services for WordPress. Some hosts offer backups as a paid upgrade.

Whatever backup plan you choose, make sure it saves the backups to a different computer than the one your site lives on, and ideally you’d get the backups saved to an entirely different service like Dropbox, Amazon S3, or Google Drive. That way if something really bad happens (like Godzilla destroying your web host’s data center) you will still have your backups.

WordPress Security Step 6: Install Security Plugins

Even after doing all of the above there are still some ways that a hacker can sneak into your site, or take it offline with a flood of login attempts. And sometimes a security hole is discovered and sites start getting hacked before the hole can be patched. This is where a security plugin comes in.

The Jetpack plugin from Automattic (the company leading the development of WordPress and WooCommerce) helps by blocking some types of “brute force” attacks, where hackers use thousands of computers to try to break into a site by hammering it with attempts to guess the user name and password. Even if the hackers don’t get in, the surge of traffic can make your site impossible to access.
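The flood of login attempts described above leaves an obvious trace in the web server’s access log, which is what a security plugin or a host’s monitoring looks for. As an added example (not part of the original article), this PHP script flags addresses that POST to wp-login.php at least a set number of times within one minute; the log lines are constructed and the addresses come from documentation ranges, not real traffic.

```php
<?php
// Returns ip/time/method/path from one Apache or Nginx "combined" log line, or null.
function parse_log_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    return $ts ? array( 'ip' => $m[1], 'time' => $ts->getTimestamp(),
                        'method' => $m[3], 'path' => $m[4] ) : null;
}

// Returns ip => count for every address with $threshold or more POSTs to
// wp-login.php inside any sliding window of $window_seconds.
function find_login_bursts( array $lines, $threshold = 10, $window_seconds = 60 ) {
    $hits = array(); // ip => list of request timestamps
    foreach ( $lines as $line ) {
        $e = parse_log_line( $line );
        if ( null === $e || 'POST' !== $e['method']
             || 0 !== strpos( $e['path'], '/wp-login.php' ) ) {
            continue;
        }
        $hits[ $e['ip'] ][] = $e['time'];
    }
    $flagged = array();
    foreach ( $hits as $ip => $times ) {
        sort( $times );
        $start = 0;
        for ( $end = 0, $n = count( $times ); $end < $n; $end++ ) {
            while ( $times[ $end ] - $times[ $start ] > $window_seconds ) {
                $start++; // slide the window forward until it spans <= $window_seconds
            }
            if ( $end - $start + 1 >= $threshold ) {
                $flagged[ $ip ] = $end - $start + 1;
                break;
            }
        }
    }
    return $flagged;
}

// Constructed sample: one address hammering the login form every 4 seconds,
// one normal user logging in once. Addresses are from documentation ranges.
$sample = array();
for ( $i = 0; $i < 12; $i++ ) {
    $sample[] = sprintf( '198.51.100.23 - - [10/Mar/2017:12:00:%02d +0000] '
        . '"POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"', $i * 4 );
}
$sample[] = '203.0.113.5 - - [10/Mar/2017:12:00:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';
print_r( find_login_bursts( $sample ) );
```

Only the first address is reported (12 POSTs inside the 60-second window); the single login from the second address stays below the threshold. Point the script at a real access log with `file( '/path/to/access.log', FILE_IGNORE_NEW_LINES )` in place of the constructed array.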

Other plugins block malicious traffic to your site, secure your WordPress database and the files on your site, and can scan your site for viruses or malware. The most common ones right now are All in One WP Security & Firewall (AIOWPS), Wordfence, and Sucuri. Wordfence and Sucuri have free and paid versions, while AIOWPS is totally free. They all have their own approach to security but they will all provide solid protection.

Tilt the Odds in Your Favor

There’s a saying that you don’t need to have the best bike lock—you just need to have a better lock than the bike parked next to yours.

WordPress security is a little bit like that. You can never be sure that your site is 100% secure from attacks (nobody can, whether they run WordPress or something else). But you can make sure that your site is not an easy target, and that’s what the steps in this article will help you do. Stay safe out there!