WordPress Security Guidance


This guidance applies to any WordPress site operated by or on behalf of the University, regardless of where it is hosted or how it was set up. It is intentionally generic as WordPress configurations vary considerably across the institution. If you are unsure how to implement any of these steps, your web developer or hosting provider should be able to assist. The IT Security team can provide advice but does not manage or maintain WordPress sites on behalf of other teams.

Accounts and Access

Review all user accounts on the site and remove any that are no longer needed. Every account that exists is a potential entry point, and accounts belonging to people who no longer work on the site should be deleted rather than left inactive. When you delete a user, WordPress offers to attribute their posts and pages to another account; choose a current account so that no content is lost.

Ensure that account roles reflect what each person needs to do. Admin access should be limited to whoever is responsible for maintaining the site itself, installing plugins, and managing settings. Anyone who only needs to add or edit content should have the Editor or Author role, not Admin. Admin accounts should be as few as possible.

Use a dedicated admin email address that is a University managed email address where possible. Personal or externally hosted email accounts linked to admin roles do not carry the same protections and are harder to monitor.

Authentication

Enable two-factor authentication for all accounts and make it mandatory for admin-level accounts as a minimum. A straightforward plugin for this is WP 2FA, which supports authenticator apps and is simple to configure. Once installed, admin accounts should be required to enrol before they can log in.

Consider changing the default WordPress login page, which is /wp-login.php (the /wp-admin path simply redirects to it), to something less predictable. This cuts down the background noise of automated login attempts aimed at the default address, but it is obscurity rather than protection: a determined attacker can still find the login page, and it does nothing about password guessing through other routes such as XML-RPC or the REST API, so two-factor authentication and login attempt limiting are still required. Plugins such as WPS Hide Login can do this; after enabling it, confirm that logging in and any plugins that link to the login page still work, and record the new URL somewhere the site's administrators can find it.

Updates

Keep WordPress core, all plugins, and all themes up to date. The majority of WordPress compromises exploit known vulnerabilities in outdated software, most often in plugins. WordPress applies minor and security releases of core automatically by default; check that this has not been switched off, and where possible enable automatic updates for plugins and themes as well. Major updates should be tested before applying but should not be deferred indefinitely.

Remove any plugins or themes that are not in use, even if they are simply deactivated. Inactive plugins and themes still represent attack surface and do not need to be there if they serve no purpose.

Backups

Ensure the site is backed up regularly and that backups are stored in a separate location from the hosting environment itself. A backup stored on the same server as the site will not help if the server is compromised. Backups should be tested periodically to confirm they can actually be restored. Plugins such as UpdraftPlus can automate this and send backups to an external location such as cloud storage. Remember that a backup contains the database, including user accounts and any personal data submitted through forms, so the backup location needs the same access restrictions as the site itself.

Security Hardening

Install a security plugin that provides brute force protection, login attempt limiting, and basic firewall functionality. Wordfence and Solid Security are both widely used and provide a reasonable baseline without requiring significant technical knowledge to configure. Install one such plugin, not several; overlapping security plugins tend to conflict with each other.

Disable the ability to edit plugin and theme files directly through the WordPress dashboard. This removes a significant risk if an admin account is ever compromised, as it prevents an attacker from using the dashboard's built-in file editor to inject malicious code directly into the site. The change is a single setting (the DISALLOW_FILE_EDIT constant) in the wp-config.php file, which is part of the WordPress installation rather than anything in the dashboard, so it is best carried out by your hosting provider or web developer. If you are unsure who to ask, your hosting provider's support team should be able to do this for you.

Ensure the site is running on HTTPS with a valid TLS certificate (still commonly referred to as an SSL certificate). Most hosting providers offer this at no additional cost. A site running on HTTP is transmitting login credentials in plain text. Once the certificate is in place, set both the WordPress Address and Site Address under Settings > General to the https:// version and make sure plain http:// requests are redirected to HTTPS, otherwise users can still reach the login page over an unencrypted connection.

Check that your hosting environment is running a supported and up to date version of PHP. Older PHP versions are no longer receiving security updates and represent a risk at the platform level regardless of what is done at the WordPress level. You can see the version in use under Tools > Site Health on the Info tab, in the Server section; your hosting provider can advise on upgrading.
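The two wp-config.php settings referred to above, as an added example rather than text from the original guidance. DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN are real WordPress constants; everything else in the snippet (the surrounding comments and the commented-out DISALLOW_FILE_MODS line) is illustrative.

```php
<?php
// wp-config.php (excerpt). Added example, not part of the original guidance.
// These lines must go ABOVE the line that reads:
//   /* That's all, stop editing! Happy publishing. */
// WordPress loads the rest of the application from that line onwards, and
// settings placed after it are not reliably honoured.

// Removes the theme and plugin file editors from the dashboard, so that a
// hijacked admin session cannot write PHP into the site through the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option: also blocks installing, updating and deleting plugins and
// themes from the dashboard. Only enable this if updates are applied another
// way (hosting provider, WP-CLI, a deployment pipeline); otherwise it will
// prevent the updates recommended above.
// define( 'DISALLOW_FILE_MODS', true );

// Serve the login page and the whole dashboard over HTTPS only. Requires a
// working certificate first, or you will lock yourself out of the dashboard.
define( 'FORCE_SSL_ADMIN', true );
```

Note what DISALLOW_FILE_EDIT does not do: an attacker who controls an admin account can still upload a plugin zip containing malicious code. That is why admin accounts must be few and protected with two-factor authentication, and why the optional DISALLOW_FILE_MODS setting exists for sites that manage updates outside the dashboard.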

Monitoring and Logs

Check the site’s activity logs periodically. Most security plugins include an activity log that shows logins, failed login attempts, plugin changes, and file modifications; your hosting provider can usually also supply the web server access logs. Unusual activity, such as logins at unexpected times or from unexpected locations, new admin accounts appearing, or plugin installations you did not make, should be investigated promptly.
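To show what a security plugin is looking for when it reports brute force activity, here is an added example (not code from the original guidance or from any plugin) that scans web server access log lines for the pattern a password-guessing attack leaves behind: many POST requests to /wp-login.php or /xmlrpc.php from one address. The log lines are constructed for the example and use documentation IP ranges; the threshold of 10 is an arbitrary choice.

```php
<?php
// Added example, not part of the original guidance. Scans access log lines in
// the common Apache/nginx "combined" format for brute-force login patterns.

declare(strict_types=1);

/**
 * Return [ip => ['posts' => n, 'redirects' => k]] for every client address that
 * POSTed to a login endpoint at least $threshold times. 'redirects' counts
 * POSTs to /wp-login.php answered with HTTP 302, which is how WordPress
 * responds when a password is accepted (a rejected login returns 200 with the
 * form again). Lines that do not parse as combined-format entries are skipped.
 */
function find_login_bursts(array $lines, int $threshold = 10): array
{
    $login_paths = ['/wp-login.php', '/xmlrpc.php']; // endpoints used for password guessing
    $counts = [];

    foreach ($lines as $line) {
        // ip ident user [time] "METHOD path protocol" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $path, $status] = $m;
        $path = explode('?', $path, 2)[0]; // ignore any query string
        if ($method !== 'POST' || !in_array($path, $login_paths, true)) {
            continue;
        }
        $counts[$ip] ??= ['posts' => 0, 'redirects' => 0];
        $counts[$ip]['posts']++;
        if ($path === '/wp-login.php' && $status === '302') {
            $counts[$ip]['redirects']++;
        }
    }

    $bursts = array_filter($counts, fn(array $c): bool => $c['posts'] >= $threshold);
    uasort($bursts, fn(array $a, array $b): int => $b['posts'] <=> $a['posts']);
    return $bursts;
}

// Constructed sample: one address guessing passwords on the login form and
// eventually getting a 302, one hammering XML-RPC, and two ordinary visitors
// (one of whom logs in normally) that must not be flagged.
$sample = [];
for ($i = 0; $i < 11; $i++) {
    $sample[] = sprintf('203.0.113.7 - - [12/Mar/2025:02:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"', $i);
}
$sample[] = '203.0.113.7 - - [12/Mar/2025:02:14:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';
for ($i = 0; $i < 15; $i++) {
    $sample[] = sprintf('198.51.100.22 - - [12/Mar/2025:02:15:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"', $i);
}
$sample[] = '192.0.2.10 - - [12/Mar/2025:09:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3100 "-" "Mozilla/5.0"';
$sample[] = '192.0.2.10 - - [12/Mar/2025:09:01:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"';
$sample[] = '192.0.2.44 - - [12/Mar/2025:09:02:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"';

foreach (find_login_bursts($sample, 10) as $ip => $c) {
    $note = $c['redirects'] > 0 ? 'at least one attempt was accepted: treat as compromised' : 'no accepted login seen';
    echo "{$ip}: {$c['posts']} login POSTs, {$c['redirects']} redirects ({$note})\n";
}
```

The XML-RPC address in the sample is the point of the /xmlrpc.php check: it never touches the login page, so hiding the login URL would not have slowed it down. An address that is flagged and also shows a 302 on /wp-login.php is the case to escalate immediately under "If Something Goes Wrong" below, since the password was very likely guessed.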

If you receive an automated alert from your hosting provider or security plugin about unusual activity, do not ignore it. Contact your web developer or the IT Security team for advice.

If Something Goes Wrong

If you suspect your site has been compromised, do not attempt to clean it yourself unless you are confident in what you are doing. Contact your hosting provider and your web developer immediately. Preserve any logs or evidence before making changes where possible. Once the site has been cleaned, change every password associated with it (WordPress accounts, the database, the hosting control panel, and any FTP/SFTP accounts) and regenerate the WordPress security keys and salts in wp-config.php, since the attacker may have copied them and the new keys will invalidate any sessions they still hold. If the site holds any personal data submitted through forms or other means, contact the IT Security team and refer the matter to Legal Services.