5 Things to Tell Your Clients About WordPress Security


Building and securing a WordPress website is always a challenge. Developers take great care to write solid code and implement features such as security plugins to mitigate the inevitable attacks.

Even so, we’re not out of the woods. To paraphrase the old saying: a website is only as secure as its weakest link. Beyond potential exploits due to code, the weakest link tends to be an uninformed user. Someone who, through no fault of their own, makes a bad choice that leaves their website vulnerable.

To use another cliché: the best defense is a good offense. In this case, it means being proactive when it comes to teaching clients about security best practices. Some things (like strong passwords) are universal, while others are more specific to WordPress itself. And that’s our focus for today.

With that, let’s review five things your clients need to know about WordPress security.

Don’t Install a WordPress Plugin Without Consulting a Professional

We get it: the temptation to install plugins is real. They are, after all, just a few clicks away.

But the risk is also real. WordPress plugins vary greatly in terms of quality and, thus, security. It’s not uncommon to find a plugin in the official repository that hasn’t been updated in a year or more. Maybe it’s harmless; maybe it’s not.

Because of this, web designers should encourage clients to perform a quick consultation before installing a plugin. Offer to take a look and review the particulars. This single step could prevent a nightmare scenario with regards to security and site stability.

There are several benefits. First, this keeps you in the loop as to what’s going on with the site. In addition, it allows you to point clients in the direction of good, reputable plugins. Not to mention that this trains clients to think before they click. That benefits everyone.

The WordPress Plugins screen.

Create New User Accounts, Rather Than Sharing a Single One

Many organizations have more than one person who needs access to the WordPress dashboard. Too often, those users share a single account.

On the surface, this may seem like a simple matter of trust. And there certainly is an element of that. If a team member leaves the organization, there is the possibility of them still having access if the password hasn’t been changed. And a malicious person could do some damage.

The other real concern here is about device security. If you have, say, five people sharing a WordPress administrator account, all it takes is one of their devices to be exploited. For example, a keylogger on one user’s PC could compromise the account.

Therefore, it’s recommended that each user have their own account. This is easy to do within WordPress, and we can even create custom user roles that limit what someone can and can’t do.

An assortment of keys.

Keep WordPress Core, Plugins and Themes Up-To-Date

Ideally, your clients will contract with you to handle software updates. But if they’re the ones taking responsibility, it’s important that they treat the issue very seriously.

As a developer, there are few things more irritating than troubleshooting a compromised website, only to log into WordPress and see that things are several versions out-of-date. It’s akin to leaving the front door of your house wide open, 24/7. You shouldn’t be too surprised when someone comes in and takes your fancy new TV.

The importance of keeping WordPress core, plugins, and themes updated cannot be overstated. Knowing that it still may be beyond the comfort level of some clients. That’s OK. Either they can hire you to deal with it or, at the very least, enable auto updates where possible.

Regardless of how updates are implemented, they must be taken care of. While it won’t guarantee security, it’s much better than the alternative.

A person typing on a keyboard.

Two-Factor Authentication Can Make a Big Difference

Adding two-factor authentication to WordPress is fairly simple. But it’s only worthwhile if stakeholders actually use it.

True, it’s not very convenient. Having to verify an email, a text message, or check a mobile app to login can be a major pain. But this extra step is vital. It puts up a huge barrier between a malicious actor and access to your website’s back end.

And the user experience is actually getting better. Some implementations are now combining device recognition with 2FA. This means that, so long as a user’s device is recognized, there won’t be a need to verify a login for a specified amount of time.

Plus, 2FA has become standard in so many places. Some online banking apps won’t let you login without it. There’s no reason why your website shouldn’t take advantage of this technology as well.

What’s Secure Today May Not Be Tomorrow

Regardless of the platform it runs on, a website is not a one-and-done affair. It requires frequent (if not constant) attention – with security playing a major role.

The web is constantly evolving. New technology gets old very quickly. And what was once thought to be a security best practice can sometimes be proven otherwise.

Because of that, website security is a challenge that really has no end. It’s a daily battle for small and large organizations alike.

The result is that websites need to change along with the times. When it comes to WordPress, that may mean replacing older security plugins with something better. Or doing away with abandoned themes and plugins to tighten things up. It could also require a change in hosts or server environments.

It’s important to understand that just because you’ve invested in security today doesn’t mean you won’t have to do so again tomorrow.

Code on a computer screen.

Educate Clients Today for a More Secure WordPress Website

Our clients often rely on us to provide some knowledge along with a killer website. And security may just be the most important subject we can educate them on.

Making an effort to do so from the beginning can pay long-term dividends. A client who understands how to keep their WordPress website secure is less likely to make one of those crucial mistakes. That alone may be the difference between cleaning up a hacked site and smooth sailing.

This page may contain affiliate links. At no extra cost to you, we may earn a commission from any purchase via the links on our site. You can read our Disclosure Policy at any time.