How to check your WordPress website security


Arguably, one of the best things about running a website on WordPress is that the day-to-day experience doesn’t change very much. A large part of WordPress’ success, in fact, comes from its simplicity and how easy it is to onboard new users. Its popularity also means there is a large pool of returning users, who contribute significantly to the amount of documentation available in the public domain. 

WordPress core is reviewed regularly by the hundreds of developers who build it, but it’s still vital to run your own security checks. Day-to-day use follows tried and true practices that are easy to stick to. However, WordPress core ships several updates a year, and plugins and themes update on their own schedules, so website owners need to stay on top of all three to protect the security and performance of their sites. 

So, how can you ensure WordPress core, your plugins and your themes are all up to date? Let's find out.

Think long-term, think evergreen 

This preventative approach to website health is what we call evergreen maintenance. We encourage website owners to check the security and performance of their sites a minimum of every six months. As professionals, we check our websites monthly to ensure nothing slips through the cracks to affect the functionality of the site, but encourage others to find a schedule right for them. 

In addition to routine updates, WordPress owners should perform periodic health and security checks, for example for website bugs and signs of malicious activity, as part of good governance. If this leaves you wondering when you last checked on your website’s health and security at an advanced level, and you can’t remember the answer, the time to do so is now. 

Automated reminders can help prevent missed checks, but relying solely on automation would be a mistake. Conducting regular manual tests and updates throughout the year is vital for confirming the harmonious performance of your website and protecting the user experience (UX). Website owners should decide on a schedule of reviews and evaluations to be done throughout the year and ensure they comply with their own plan.
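The routine update check described above is easy to script, and a script is the kind of reminder that can run from cron. The following POSIX shell script is an added example written for this page; it is not from the article or Bonsai Media Group. It assumes WP-CLI is installed as `wp` and that the WordPress root directory is passed as the first argument; the plugin names and version numbers in the built-in sample are constructed.

```shell
#!/bin/sh
# Added example (not from the article): a WP-CLI update audit that can run from cron.
# Assumes WP-CLI is installed as `wp`; pass the WordPress root as the first argument.

# Print "name version -> new_version" for every row whose `update` column says
# "available". Input is the CSV that `wp plugin list` / `wp theme list` print
# with --fields=name,status,update,version,update_version (header line first).
# Reading stdin lets the parser be exercised without a live site. Plugin and
# theme slugs never contain commas, so a plain comma split is safe here.
pending_updates() {
    awk -F, 'NR > 1 && $3 == "available" { print $1, $4, "->", $5 }'
}

# Print the names of installed-but-inactive plugins from the same CSV.
# Inactive plugins still ship their code (and their bugs) on disk, so the
# usual advice is to delete rather than merely deactivate them.
inactive_plugins() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

FIELDS=name,status,update,version,update_version

# Live audit of the install at $1 (needs WP-CLI and a working site; not run offline).
audit_site() {
    root="${1:?usage: audit_site /path/to/wordpress}"
    echo "== core update status =="
    wp --path="$root" core check-update
    echo "== core files that differ from the official release =="
    wp --path="$root" core verify-checksums
    echo "== plugins with updates available =="
    wp --path="$root" plugin list --fields="$FIELDS" --format=csv | pending_updates
    echo "== themes with updates available =="
    wp --path="$root" theme list --fields="$FIELDS" --format=csv | pending_updates
    echo "== inactive plugins (consider deleting) =="
    wp --path="$root" plugin list --fields="$FIELDS" --format=csv | inactive_plugins
}

# With an argument, audit that install; without one, run the parsers on a
# constructed sample of WP-CLI's CSV output (the version numbers are made up).
if [ $# -gt 0 ]; then
    audit_site "$1"
else
    sample='name,status,update,version,update_version
akismet,active,none,5.3,
contact-form-7,active,available,5.8.1,5.9
hello,inactive,none,1.7.2,'
    echo "== plugins with updates available (sample) =="
    printf '%s\n' "$sample" | pending_updates
    echo "== inactive plugins (sample) =="
    printf '%s\n' "$sample" | inactive_plugins
fi
```

Run it as `sh wp-audit.sh /var/www/html` from a cron entry and mail yourself the output; `wp core verify-checksums` is the line to watch, because core files that differ from the official release usually mean either a botched update or an intruder's edits.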

With that in mind, let's explore the pillars of evergreen maintenance and how you can check your own WordPress website's security and performance. 


Lock in your security protocols 

Remember when that little lock icon in your browser URL bar didn’t use to be there? We’ve come a long way since the early internet when only payment pages or other sensitive pages featured the secure lock icon at the front of their URL. Now it’s standard to see the lock icon at the top of your screen—and worrying if you don’t. But why? 

The lock icon tells users that the connection is encrypted and that the server has proved its identity. It’s the difference between Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS): HTTP is the application-layer protocol browsers and servers use to talk to each other, and HTTPS is the same protocol carried over TLS, which encrypts the traffic and authenticates the server with a certificate. Many companies now redirect every HTTP request to the HTTPS site and send a Strict-Transport-Security header so browsers don’t try plain HTTP again.

Plain HTTP is sent in cleartext, so anyone on the network path (a coffee-shop Wi-Fi operator, an ISP, an attacker running a rogue hotspot) can read the pages, steal session cookies or inject content, which is why HTTPS became the standard for all websites, not just those handling payments. Even simple personal sites, such as a family photo blog, now show a lock icon as a matter of course, in large part thanks to hosting platforms such as WordPress.com and free certificate authorities. Google announced HTTPS as a ranking signal in 2014 and lists it among its page experience criteria, and Chrome labels HTTP pages “Not secure”. Whether you handle payment data or run a holiday blog, an HTTP-only site is at a disadvantage on Google.

Google has described HTTPS as a lightweight signal that can act as a tiebreaker between two otherwise similar pages, regardless of topic. That’s why ensuring your connection is secure is an essential part of evergreen maintenance. A site that follows best practices and is well maintained usually gives users a better experience, and a better experience is what the ranking is meant to reward, so the secure site tends to rank above its non-secure competitor.

Test, validate, and repeat 

When it comes to website maintenance, set yourself a schedule and stick to it. Evergreen maintenance is defined by the fact it is ongoing. That schedule will be different depending on what you use your website for and how many plugins or application programming interfaces (APIs) you might use, for example, to keep your website running. The more you use, the more you will need to check they’re all running correctly. 

When setting up a business, there can be lots to think about, but it’s essential to take care of both the front end and the back end of your website so that it stays secure and healthy. That way, your website, and your business, will remain protected from disruptive vulnerabilities and malicious attacks. If you want to increase the likelihood of Google ranking your website highly, it needs to follow best practices for security and performance. 

Where your website needs more advanced security, such as an e-commerce site or pages that publish staff names and contact details, it’s advisable to seek support from a developer. Still, there are several tools website owners can use if they prefer to go it alone. 

Here are just a few tools you can use for the ongoing evergreen maintenance of your WordPress website:

SSL Server Test

The Qualys SSL Labs SSL Server Test reviews your site’s TLS configuration for weaknesses that could be exploited: which protocol versions and cipher suites the server accepts, whether it is exposed to known attacks on old implementations, whether HTTP Strict Transport Security and public key pinning are in use, whether the certificate’s common and alternative names match your hostname so that no one can pass off another certificate as yours, whether the certificate chain is complete and trusted, and whether the certificate is still within its validity period. It grades the result from A+ down to F, so re-run it after any server change.

Let’s Encrypt

Certificates vouching for your website used to be expensive, around $300 a year, but Let’s Encrypt, a non-profit certificate authority backed by sponsors such as Mozilla, has brought the cost down to nothing. In its mission to secure the internet, Let’s Encrypt issues certificates for free, and many hosting platforms, Shopify and Wix among them, provision them for their customers automatically. Its certificates are valid for 90 days, so renewal has to be automated: an ACME client such as Certbot, or your host’s built-in integration, renews them well before they lapse. If that automation breaks, the certificate expires and visitors see a browser warning, which is why checking expiry is part of evergreen maintenance. 
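Between SSL Labs scans, the two certificate facts worth checking on a schedule are how long it remains valid (a Let’s Encrypt certificate with under two weeks left usually means renewal has silently stopped) and whether its Subject Alternative Names actually cover the hostname people type. The following POSIX shell script is an added example written for this page, not code from the article, SSL Labs or Let’s Encrypt. It assumes OpenSSL 1.1.1 or newer; with no argument it exercises the checks on a constructed self-signed certificate for example.com, and with a hostname argument it fetches that site’s live certificate.

```shell
#!/bin/sh
# Added example (not from the article): certificate checks to run between
# SSL Labs scans, e.g. from cron a few days before a Let's Encrypt renewal is due.
# Needs OpenSSL 1.1.1 or newer (for -addext in the offline demo).

# Exit 0 if the PEM certificate in $1 will still be valid $2 days from now.
# `-checkend` takes seconds and exits 1 when the certificate expires within them.
cert_days_ok() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Exit 0 if the certificate's Subject Alternative Names cover host $2, either
# exactly or through a wildcard for its parent domain. Browsers ignore the
# Common Name, so SAN coverage is the check that decides whether users see
# a warning (or whether someone else's certificate could pass as yours).
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^[[:space:]]*DNS://' \
        | grep -qxF -e "$2" -e "*.${2#*.}"
}

# Save the leaf certificate that host $1 presents (with SNI set) to PEM file $2.
fetch_cert() {
    openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
        | openssl x509 -out "$2"
}

# Create a self-signed certificate (file $1, valid $2 days, SANs from the
# comma-separated list $3) so the checks can be exercised offline.
make_test_cert() {
    san=$(printf '%s' "$3" | sed 's/,/,DNS:/g')
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=${3%%,*}" -addext "subjectAltName=DNS:$san" 2>/dev/null
}

# Human-readable report for certificate $1 and hostname $2.
report() {
    if cert_days_ok "$1" 14; then echo "ok:   more than 14 days of validity left"
    else echo "WARN: expires within 14 days (has renewal stopped?)"; fi
    if cert_covers_host "$1" "$2"; then echo "ok:   SAN covers $2"
    else echo "WARN: certificate does not cover $2"; fi
}

# With a hostname argument, check the live site; without one, run the offline demo.
tmp=$(mktemp -d)
if [ $# -gt 0 ]; then
    fetch_cert "$1" "$tmp/cert.pem" && report "$tmp/cert.pem" "$1"
else
    # constructed: a 30-day self-signed cert for example.com and www.example.com
    make_test_cert "$tmp/cert.pem" 30 "example.com,www.example.com"
    report "$tmp/cert.pem" www.example.com
    report "$tmp/cert.pem" shop.example.org    # deliberately not covered
fi
rm -rf "$tmp"
```

The wildcard match is deliberately narrow: `*.example.com` covers `www.example.com` but not `example.com` itself or `a.b.example.com`, which is exactly how browsers treat it, so a warning from this script means a warning for your visitors.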

Security Headers

Security headers are a defensive tool in your arsenal. They are HTTP response headers that instruct the browser to enforce protections for your visitors: Strict-Transport-Security keeps the browser on HTTPS, Content-Security-Policy restricts where scripts and other content may be loaded from (which blunts cross-site scripting), X-Frame-Options or the CSP frame-ancestors directive stops other sites from embedding your pages in a hidden frame to hijack clicks (clickjacking), and X-Content-Type-Options, Referrer-Policy and Permissions-Policy close smaller gaps. The Security Headers tool (securityheaders.com) fetches your site’s headers and grades what is present and what is missing, so you can see which client-side attacks your site is still exposed to. It won’t stop a phishing copy of your site hosted elsewhere, but it does make script injection and framing attacks against your real site, and the credential theft that follows them, much harder. 
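The grading the tool performs is simple enough to reproduce locally, which is useful when you want to re-check after every deployment rather than visit a website. The following POSIX shell script is an added example written for this page, not the Security Headers tool’s own code. It parses raw response headers from standard input so it can be tested offline on constructed responses, and uses curl to fetch a live site’s headers when given a hostname.

```shell
#!/bin/sh
# Added example (not from the article): audit the response headers that
# securityheaders.com grades. Parsing works on raw headers from stdin, so it
# can be tested offline; fetch_headers pulls them from a live site with curl.

# Read HTTP response headers on stdin, print one line per check, and return
# the number of missing protections (0 means everything is present).
audit_headers() {
    hdrs=$(tr -d '\r')          # curl and servers send CRLF line endings
    missing=0
    check() {
        if printf '%s\n' "$hdrs" | grep -Eqi "$1"; then
            echo "ok       $2"
        else
            echo "MISSING  $2"
            missing=$((missing + 1))
        fi
    }
    check '^strict-transport-security:.*max-age=[1-9]' \
          'Strict-Transport-Security (browser keeps using HTTPS on return visits)'
    check '^content-security-policy:' \
          'Content-Security-Policy (limits where scripts and other content may load from)'
    check '^x-frame-options:|^content-security-policy:.*frame-ancestors' \
          'X-Frame-Options or CSP frame-ancestors (stops your pages being framed for clickjacking)'
    check '^x-content-type-options:[[:space:]]*nosniff' \
          'X-Content-Type-Options: nosniff (no MIME sniffing of uploads into scripts)'
    check '^referrer-policy:' \
          'Referrer-Policy (keeps URLs with tokens out of third-party referrer logs)'
    check '^permissions-policy:' \
          'Permissions-Policy (camera, microphone, etc. stay off unless you opt in)'
    return "$missing"
}

# Dump the headers of https://$1/ using a real GET (HEAD can be answered differently).
fetch_headers() {
    curl -sS -o /dev/null -D - "https://$1/"
}

# With a hostname argument, audit the live site; without one, audit a
# constructed response that is missing several headers.
if [ $# -gt 0 ]; then
    fetch_headers "$1" | audit_headers
else
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n' \
        | audit_headers
    echo "missing: $?"
fi
```

On a WordPress site these headers are normally added in the web server configuration (an `.htaccess` file on Apache, the server block on nginx) or by a small plugin hooked to WordPress’s `send_headers` action; an HSTS value of `max-age=0` is treated as missing above because that is the value used to switch the protection off.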

PageSpeed Insights

A fast page load is not only vital for a good user experience (UX) but also feeds into Google’s ranking through the Core Web Vitals. PageSpeed Insights measures them; a well-maintained site should aim for the “good” thresholds Google publishes, such as a Largest Contentful Paint under 2.5 seconds, and an up-to-date, lean set of plugins makes that far easier to hit. Testing your page speed is a quick way to assess whether your site meets the UX standard and will continue to rank well on Google.

Pingdom Website Speed Test

Our best advice would be: don’t just use one tool! Use one source to validate another. Choose tools designed by different companies, as each will often look for things the other does not. Combining multiple testing and validation methods gives more comprehensive coverage and is a top best practice we recommend, so use this tool alongside PageSpeed Insights and compare the results. 

WordPress maintenance

Thinking evergreen when it comes to WordPress maintenance is a simple way for site owners to ensure their websites' ongoing health and security. Whether that’s checking your site using the tools suggested once a month or twice a year is up to you! Just make sure you set a schedule and stick to it as part of website owner best practices. 

Matt Franklin is the Digital Production Manager at Bonsai Media Group. With a background in marketing, design and development, he coordinates project requirements, collaborates with internal teams, oversees code sprints, and helps lead QA and user experience efforts.