We often read reports about website or database hacking. It sometimes makes people nervous. Because WordPress is so popular, attackers are always attempting to find weaknesses that give them access to its core features. Due to this, it’s worth taking the time to be aware of some basic security measures. Since as a digital agency we develop mostly on WordPress, we’ve included our protocol and suggestions in this WordPress Security Policy. Please note, while we’re happy to share our WordPress Security Policy with other people or agencies, it is not intended to be a quick fix for all WordPress security concerns. If you have specific security concerns, you should discuss them with folks you trust to have sufficient knowledge of WordPress and security.
What is security?
Security is not about creating perfectly secure systems, as “perfect” tends to be impractical or even impossible to create and maintain. A secure server protects the privacy, integrity and availability of the resources under a server administrator’s control.
Protecting against malware
Google blacklists over 6000 malware-infected websites daily. We’ve seen it and can tell you that getting blacklisted is no fun. Malware protection is important to be aware of and to monitor. The situation becomes difficult because hackers are, naturally, good at hacking: they know how to avoid scanners and can even skirt Googlebot.
For this reason, at Savy we rely on a multifaceted approach to security that includes:
- Lightweight, secure server configurations
- Blocking software
- Relationships with security specialists
Server-side scanning allows communication with scanners without weighing down the server. We provide Sucuri malware scanning and removal through our host of preference because of their expertise in the website security field.
With malware scanning and removal, Sucuri continuously scans a website, cleans up what it finds and sends a report on what was done and what the cause was. Our team is always just a phone call away to discuss what these reports mean. Sucuri is available for any website hosted with our preferred hosting provider and can be enabled at any time.
Ongoing website protection
We are all about performance and security. If you are one of our clients, you can feel secure knowing you have server-side scanning and website protection tools available.
We make sure the computers we use are free of spyware, malware and viruses. Our operating systems and any software installed on them, including our browsers, are kept up to date, and we only access trusted sites.
WordPress, themes and plugins updates
Keeping WordPress, themes and plugins up to date is essential for security and performance. WordPress updates contain security patches for vulnerabilities, as well as improvements to user experience and functionality. While it’s always a possibility that an update may break a theme or website, it’s probably easier to restore from a break than it is from a hack. As hackers use scripts to crawl the web for vulnerable websites, outdated installs, themes and plugins can make a website vulnerable to this type of hacking.
There are free plugins to update installs, themes and plugins, although newer versions of WordPress now update WordPress automatically. For more complex sites, we recommend deploying updates on a development site. If an update is deployed without conflict, it can be deployed on the live site. For smaller sites, we suggest running live updates and keeping full offsite backups in case there are issues. We use a database manager plugin and schedule monthly backups for our clients. Our recommended host also performs backups nightly. While hosted backups are good, offsite backups stored elsewhere like on Dropbox will cover you in the case that anything happens to your hosted files.
WordPress security plugins and services
There are several WordPress security plugins. In general, here are the things we take into consideration when deciding which to use on our clients’ websites.
Most of the available security plugins accomplish these things and are easy to configure. They can help by limiting login attempts, changing the default admin username, changing the database prefix and enforcing strong passwords across the site. We also use and suggest Cloudflare, available within our recommended host, as well as content delivery networks when needed. We commonly use MaxCDN for content delivery and Wordfence or BruteProtect in combination with Sucuri, especially for commerce or high-traffic sites.
No matter how good your security measures are, insecure passwords can get your site hacked. Through the use of automated scripts, hackers can attempt thousands of combinations until they get in. For this reason, we use password generators for all accounts and keep this information in secure cloud storage. The value of using a password generator is that it creates complex, hard-to-guess passwords. Once our clients take control of their websites, we also suggest that they update their passwords once or twice a year. This also goes for security questions and passphrases on their hosting accounts. When we assist our clients in setting up these accounts, we follow strict security questions, passwords and passphrases that are provided to them via a secure Dropbox folder.
Our recommended host provides server-based authentication to help reduce the possibility of passwords being cracked. This works by having two login prompts: one is an .htaccess (HTTP authentication) prompt, the other is the standard WordPress login.
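The two-prompt setup described above can be reproduced on any Apache host by placing HTTP Basic Auth in front of the WordPress login script. This is an added example, not Savy’s or the host’s own configuration; it assumes Apache with mod_auth_basic and `AllowOverride` enabled, and the `.htpasswd` path is a placeholder.

```apache
# Added example: first prompt (htaccess / HTTP Basic Auth) before wp-login.php,
# second prompt is WordPress's own login form. Place this in the site's .htaccess.
# Create the credentials file outside the web root with:
#   htpasswd -c /path/outside/webroot/.htpasswd siteadmin     (path is a placeholder)
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted Area"
    AuthUserFile /path/outside/webroot/.htpasswd
    Require valid-user
</Files>
```

Automated login scripts now receive a 401 at the web-server layer and never reach WordPress, so failed attempts show up in the Apache access log rather than as WordPress login failures.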
Trusted plugins and themes
We only use, and recommend our clients use, plugins and themes that have been well tested and reviewed by our team and the WordPress community. We don’t install plugins that have low reviews or negative comments, as this could be a sign that the plugin developer does not follow good development or security measures. The plugins and themes we do use are very carefully curated and monitored for continuous performance.
HTTPS encrypts traffic sent to and from a server and makes it difficult for attackers to intercept data. For our clients with more active websites, and even for smaller sites, we recommend SSL certificates, and we are available to help clients install SSL on their account to help secure and protect onsite data.
When connecting to servers, we use SFTP, which encrypts passwords and other data in transit so they cannot be intercepted.
One of the easiest security slip-ups is failing to manage WordPress users. Old team members should be removed when they’re no longer accessing the site, and Administrator access should be granted only when needed. For example, users who will be adding content should be assigned access levels appropriate to their role, such as Author or Editor. We employ strict user management on all of our clients’ sites.
Security is not a simple thing. But we take it seriously by staying on top of it with these security measures. We welcome your feedback and insights if there’s anything we missed.
To your security and success – Savy