Good Habits for a Healthy WordPress Website

What’s the first thing you do after you return home? You shut the door, and lock it. You may also place your house keys in its usual spot so you can find it easily again, and then wash your hands with soap for at least 20 seconds.

These are habits – good habits that help keep you safe, efficient and healthy. Keeping your website safe and working smoothly relies on good habits too. Here are a few habits that we practice at ClickWP and encourage you to do the same.

Use Strong Passwords

You hear this all the time, but using a strong password is the easiest habit you can adopt to increase your website’s security.

But strong passwords are so difficult to remember!

Yes, but only if you use the “traditional” long passwords. These are passwords that look like F%+SVD#Tu7XusTh4. Nobody can remember that!

But the following passwords are just as strong, and much easier to remember:

epic obtainable scratch phobia
spiffy exercise available trick
determined son abrupt quiver
thankful gabby kick wipe

Yes, passwords can have spaces in them. And they don’t need to have letters or symbols in them. All they need to be is long enough.

I made the passwords above by combining random words from the Random Word Generator. You can make these “passwords” even stronger by adding some nonsensical words among them, e.g.


I also strongly recommend using a password manager. These will generate strong passwords for you and even fill in the password when you need to login. Some options for you to explore: 1Password, Dashlane and LastPass.

Delete the ‘admin’ user

Most WordPress “hacks” and attacks don’t do anything more sophisticated than guessing your username and password over and over and over. Avoiding using common words (like admin or webmaster) for your usernames can make brute-force attacks much less effective.

If your username is currently “admin”, change it to something else. Learn more: How to change your WordPress username

Limit user privileges

The principle of least privilege (POLP), an important concept in computer security, is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work.

For example, if you only need your VA to format and publish your blog posts, they don’t need the license to activate or delete plugins and themes. In this case, you only need to assign the Editor role to your VA.

Allowed ActionsAdministratorEditorAuthorContributorSubscriber
Login to website
Create & edit own posts
Publish & delete own posts
Upload images & media
Edit & delete any posts
Edit categories & tags
Moderate comments
Modify website settings
Install & manage themes
Manage widgets
Install themes & plugins
Update WP, themes & plugins
Add & manage users
WordPress roles and their capabilities

Learn more: Manage Users (Authors) in WordPress

Minimize the number of plugins on your website

We know that the most common way a WordPress website gets hacked is attackers gaining entry through bugs in plugins, especially if they’re not updated. So, it also makes sense to reduce the number of plugins on our websites, which minimizes the number of potential entryways for hackers.

So login to your WordPress dashboard and take a look at the plugins that are installed on your website. Deactivate any that you don’t need. Don’t forget to delete them too because even inactive plugins can allow hackers into your website.

Pro tip: Keep a record of why you installed each plugin on your website in a notebook or Google Doc. This will avoid the situation where you’re left scratching your head wondering what the plugin is for. Yes, it’s happened to us many times before!

If a notebook or Google Doc isn’t suitable for keeping track of your plugins, you can (ironically) install the Plugin Notes Plus plugin. It will allow you to add notes to the plugins on your site, so you can record their purpose.

Install plugins and themes only from reputable sources

In the seedier neighborhoods of the WordPress ecosystem, you may find sites advertising nulled or cracked plugins and themes. These are essentially pirated software – they may have had the licensing functionality bypassed.

Because of that, you won’t be notified when new versions of the plugin or theme is released – the updates won’t appear in the WordPress updates screen. You may be using outdated versions of the plugin with bugs or unpatched security holes.

While the $0 price tag is tempting, nulled plugins and themes may be modified to send spam from your website or worse, allow hackers to access your website. All of your hard work to secure and tune up your website could be undone with some pirated software. Don’t risk it.

Visit your website regularly

Here’s something we notice quite frequently. Some website owners almost never look at their own website, especially when they have VAs and support staff maintaining their website for them.

However that is a recipe for disaster because any bugs and problems on the site are not caught and can go unnoticed for days or weeks. As the website owner, bugs and problems are much more apparent to you.

And if you already visit your website regularly, be sure to also look at it while logged out AND on different devices. This will allow you to view your site as a visitor does, and quickly spot problems with the design, layout and much more.

Back to: Keep Your Website Hacker-Free and Running Smoothly