Secure Your WordPress Site

Update Regularly

Perform updates when they become available for your website. WordPress regularly makes updates to make your website more secure. By applying the updates and patches, you can ensure your website is receiving the latest security protection. Also, remember to update plugins! Hackers can be successful simply because a plugin is out of date. Keep your website, and your plugins, updated.

Apply a security certificate to your website

SSL certificates enable encryption of sensitive information during online transactions and are used to confirm the identity of a web site or server and ensure the integrity of transmitted data. User certificates can be used to sign (authenticate) email messages, and, in some cases, can be used for encryption of email messages. Signing email messages provides authenticity and non-repudiation of the email message which can be verified by the recipient. Encrypting emails and sending to individuals that can de-encrypt the message provides confidentiality of the message and any attachments.

Cost and Restrictions

UA participates in the InCommon Certificate Service, which provides unlimited SSL/TLS and client certificates at no cost to UA employees or departments. InCommon, which is operated by Internet2, uses Comodo as the certification authority. More information about the InCommon Certificate Service and the certificates offered under the program can be found on the InCommon website. Email the IT Service Desk to request a certificate. You will be contacted for the required information needed to generate the certificate.

Protect Your Login and Database

  • Apply Duo two-factor authentication to your WordPress login. Simply install the Duo two-factor authentication plugin, and contact the OIT Security team for activation instructions.
  • Change the admin username to a custom username. Hackers look for “admin” accounts.
  • Use a unique password. Remember, the longer a password is, the stronger it is. We recommend 12+ characters.
  • Ensure your other site administrators and editors have reset their default passwords to longer, stronger passwords.


Ensure your website is setup to connect securely using SFTP or SSH, not standard FTP. You can also set directory permissions to protect the entire filesystem.


Backup your site regularly! There are several plugins that can help with this: VaultPress, BlogVault and Backup Buddy just to name a few.