How to secure your WordPress site in 5 steps

Securing WordPress

WordPress is one of the most popular content management systems available (CMS). Powering more than 38% of the web, it’s the CMS of choice for a whole range of uses, from personal blogs to government websites.

Its flexibility and ease-of-use make WordPress attractive to a huge and varied user base. Unsurprisingly, this user base makes WordPress sites particularly attractive to hackers.

Is WordPress secure?

While the WordPress Security and Core teams are continuously working to monitor and mitigate security risks, vulnerabilities in the software and third-party extensions do exist and hackers are quick to exploit them. 

A 2019 report by security plugin Sucuri found that of the security breaches they investigated, 90% related to WordPress sites, with third-party themes and plugins the primary route of attack. 

How to secure your WordPress website

Research has found that the average cost of a hacked website is $2,518. As anyone who has had to pay out to recover a site or has endured the stress of a breach will know, when it comes to website security, prevention is better than cure. 

So what can you do to secure your WordPress website?

There are numerous ways you can protect your site against malicious attacks and data breaches – but where to start? We’ve put together five simple steps you can take to secure your WordPress website today.

Stay up-to-date  

Step one is a relatively quick and easy way to avoid pain later: make sure you’re running the latest version of any software used on your site.

Start by updating to the latest version of WordPress. Each version includes security patches and additional features aimed at helping to improve the security of your site, so it’s worth staying up-to-date.

But running a recent version of core alone isn’t enough. Every time you install a plugin or theme, you run the risk of opening up your website to security vulnerabilities. To mitigate this risk, WordPress recommends checking for updates via the Plugin Screen in your admin every three to six months.

Finally, make sure to use the latest PHP version. As well as increased security, your site will likely benefit from performance improvements. Like WordPress, PHP is maintained by a global community, all working to develop useful security features and patches. Ensuring you have the latest PHP release is a simple way to stay on top of the security game. 

Take stock of your plugins

Following on from step one, if there are any plugins or themes you’re no longer using, don’t hang on to them for sentimental reasons – get rid. Your website will thank you.

By fully removing unused extensions, not only will you benefit from increased loading speeds thanks to all that freed-up memory, but you’ll also shut down potential access routes for would-be hackers. 

Note that simply deactivating and deleting any old plugins might not be enough – you may also need to clean out unused database entries or extra code. Check each plugin’s readme file for full instructions on how to remove all traces.

Finally, when deciding to install a new plugin, make sure it has a positive reputation and, ideally, in-built security features to protect your website and your visitors’ data. For example, contact form plugins weForms and Forminator have been built with security in mind. They use reCaptcha to prevent bots spamming your site with unwanted entries and attempting malicious SQL injections.

Lock down access to your site

Step three sounds simple but is often overlooked: check your website access and permissions.

Easy-to-guess passwords and using ’admin’ as your default user are two surefire ways to a compromised website. Make sure all passwords associated with your site are unique and strong, then store them securely. For example, in 1Password or Last Pass

Double-down your efforts by activating two-factor authentication. This will mean you’ll need to provide additional authentication each time you log in, but it will help to prevent malicious users from gaining access to your site. 

While we’re talking about website access, did you know that by default WordPress doesn’t limit the number of login attempts on your site, leaving you open to attack from bots and hackers? Combat this by installing a plugin like Limit Login Attempts Reloaded and changing your settings.

Finally, make the most of native user roles. FortressDB uses the built-in roles in WordPress to ensure that any files stored on our servers can only be accessed by users with the correct user role and permissions, reducing the risk of sensitive data falling into the wrong hands.

Make sure your database is working for you, not against you

Step four: make sure your database isn’t leaving you exposed.

WordPress is accessible, easy-to-use and comes with several important security features, including SSL certificates, as standard. However, when it comes to keeping your data secure, WordPress has one key flaw.

By default, WordPress stores uploaded images, videos and all other media files in the wp-content/uploads folder. And the wp-content/uploads folder are public. This means that uploads to your site could end up in Google search results, making sensitive data visible to everyone. Worrying, right?

FortressDB was developed, in part, to resolve this very issue. The database plugin stores uploaded content directly onto its secure servers, removing any risk of it being made visible to the wider web.

Not only that, but all data sent from WordPress to FortressDB’s secure servers is sent over SSL. This means your data is encrypted and kept safe from prying eyes, even if you’re using an insecure public network.

Choose safe, secure WordPress hosting

Last, but not least: choose a reliable, security-focussed WordPress hosting provider.

Hopefully if you’ve taken the above steps to secure your website, you won’t have to handle a compromised website. However, hackers and bots are using increasingly advanced methods to target security weaknesses.

A recent report by SiteLock showed a 52% increase in website attacks in the past year, with the average website facing 94 attacks per day. With figures like these, it’s best to be as prepared as possible.

One final step you can take to prepare is to ensure you’ve chosen a reliable, security-conscious hosting provider. There are two key reasons for this: added protection and back-ups.

There are a number of well-known secure hosting providers including WP Engine, Kinsta and SiteGround, among others, which have all been developed with security in mind. They come with a range of features to help protect your site, from automatic WordPress core and plugin updates, to malware scans and features to protect your site from DDoS attacks.

In addition, most hosting providers will offer automated back-ups. This could prove essential in the worst case scenario that your site becomes compromised, helping to restore your content and reduce your website’s downtime.

With these benefits in mind, it’s worth doing your research and paying a little more for the added protection offered by a secure hosting provider.

If you’re interested in securing your WordPress website and protecting your visitors’ data, you might want to try FortressDB, a secure, safe and fast WordPress database plugin. With various pricing plans and a free trial option, there’s nothing to lose and a lot to gain.

Mike Demo talk: Increase Form Conversions and Protect your Information

Mike Demo, our friend from WebVentures, BoldGrid and weForms, gave a great talk this week on GoWP. GoWP have lots of fantastic webinars, if you want to see what’s coming up, or watch a previous one, go to

Demo is strong open source advocate, with extensive knowledge of WordPress. He has given many talks at WordCamps, MeetUps and online.

You can follow Mike Demo on Twitter, @mpmike, or visit his website,

Risk-free file uploads: weForms and FortressDB

We’ve partnered with weForms to make file uploads through forms secure.

What we love about weForms is that they are highly customisable. This allows you to adapt your forms to ensure they fit your web visitors’ needs, improving the experience with an intuitive, user-friendly process. Plus, you can see a live preview, which helps you picture how a web visitor might interact with your form while you tinker with it in draft mode.

One of the stand-out weForms features is their file uploader. Just as you can personalise each form, you can use weForm’s advanced file-upload features to change the settings of your file upload field to suit your purpose.

If you are expecting basic documents to be uploaded through your form, rather than heavier formats like media files, you might want to keep things light by setting a file upload limit. You can also set the type of files that you will accept and the maximum number of files that a user can upload, giving you maximum control.

This can be useful if your form is collecting files for a very specific purpose like CVs for a job vacancy, particularly if you want to ensure that candidates upload the right types of files in the right places (or perhaps you want to test their attention to detail, but that’s your call).

Is the personal information you collect through forms at risk?

As forms built with weForms are so easy to customise, you could create all sorts of forms: anything from simple contact forms to loan applications or patient intake forms that collect highly personal information. However, when personal information is involved, special care needs to be taken to ensure that form data is kept private and secure, which is where FortressDB comes in.

Even though you don’t intend for private information to be leaked from your form, the truth is that anyone could stumble across the data if it is stored insecurely in the default WordPress database, because of its privacy and security issues. Files uploaded through forms into wp-uploads are at risk of coming up in Google searches, and if you asked for file uploads with financial or medical information in your form, that would be very bad news.

Plus, it can be slow to search and filter data in the WordPress database. Due to the way it’s built, it gets bloated, which could be especially tricky if your form is collecting media files like MP3s or videos.

FortressDB solves those security, privacy and speed issues. Our WordPress plugin provides a secure database for WordPress forms with privacy measures guarding against data breach risks, security features that keep your data safe and a high-speed database for instant searching, filtering and data processing.

To benefit from all of that, you can access these features by using the FortressDB plugin for WordPress as a weForms integration.

Use the weForms discount

Our partnership with weForms brings benefits for weForms users, and not just in terms of securing WordPress form data and speeding up form databases. We’re also giving weForms users a special discount so they can set up their forms securely at a reduced rate, and there’s a free version for you to try first.

weForms links


Getting started with Forminator and FortressDB

We’re delighted to have partnered with Forminator from WPMU DEV. It’s a great form plugin and has wonderful features like e-signatures fields.

Not just Pro users

The latest version of Forminator (1.13.3) has now been released on This means that even free users can take advantage of using Forminator and FortressDB together. FortressDB also has a free version.

Getting started video

To help people get started, we’ve created the following video. It shows how to connect FortressDB to Forminator.


We love feedback, the good, the bad or the ugly. We’re a new product, and need your help to make it awesome.  Please email us if you have anything to say.

WPMU DEV members get a discount

That’s correct, as part of our partnership with WPMU DEV, we’re giving a discount to their members. If that’s you, go to their partners page.  You need to be logged in to see the discount code. 

Signed on the dotted line: FortressDB & Forminator

FortressDB & Forminator bring secure e-signatures to WordPress forms

“It’s alive!” Our integration with Forminator, that is. Even more fitting: “It’s secure!”

FortressDB has joined forces with ‘the most magical and completely expandable drag-and-drop forms plugin for WordPress,’ Forminator, giving you everything you need to collect information through your WordPress forms with risk-free privacy and security measures in place.

If you want to engage your web visitors through interactive polls and quizzes, Forminator is for you. Equally, you can rely on Forminator for your basics like contact forms and surveys. It’s a great tool for everyone, and our integration gives you the opportunity to store your form data securely.

Using FortressDB, your form data and files will be kept in a database with high-level encryption, instead of the WordPress database where it is at higher risk of privacy and security breaches.

Why is this important, you ask? Well, you might be receiving personal, private, or sensitive information through your forms. However, data stored within the default WordPress database is vulnerable and files are saved insecurely in the wp-uploads public folder, meaning bots can find files and bring them up in a Google search.

FortressDB stores data and files differently. It’s completely secure, so you can be comfortable that the privacy of your form data is protected.

Signed on the dotted line

The importance of securely storing form data really comes into play with Forminator’s latest feature: e-signatures.

One of the most exciting things about our collaboration with Forminator is that FortressDB will support you to collect e-signatures from your WordPress forms securely.

The consequences of letting your web visitors’ signatures out into the wild are… well, yikes. Let’s not go there. Better to keep them locked away in a database using the FortressDB plugin.

You’ll control exactly who has access and can relax knowing that nobody unexpected will be able to get their hands on your customers’ signatures.

The following video show how to add an e-signature field to a form, and how that is stored securely in FortressDB.

How to start creating secure forms

The integration is currently available to Forminator Pro users (yes, you can try it out right now… go, go, go). You’ll have to wait a little bit longer if you aren’t a Pro, but it will soon be made available on for free.

You can start using FortressDB with the Forminator plugin from your WordPress dashboard. There’s no need to visit any other sites, you can install and activate the plugin and connect to a secure database all from WordPress within a couple of minutes.

Once connected, you can start using the FortressDB integration with your Forminator forms and the data will be stored in a secure database. You can view and interact with this data within WordPress, but it is no longer stored insecurely using the WordPress database.

Some things are meant to be kept private. Use FortressDB with Forminator to store your form data securely.

WPMU DEV members get a discount

That’s correct, as part of our partnership with WPMU DEV, we’re giving a discount to their members. If that’s you, go to their partners page.  You need to be logged in to see the discount code. 

Learn more about Forminator and FortressDB

We have more information on our Forminator page.

An acknowledgement of launching in 2020

We started FortressDB in January of this year. Since then, life as we know it has changed considerably.

Under normal circumstances, we’d be using our first blog to shout about the great benefits of our product, but this time there’s something more important to say.

Instead, we have chosen to use this first blog post to acknowledge what has changed, the challenges we are facing all over the world, and that continue to impact our lives.

The COVID-19 pandemic has impacted the whole planet. We are all sick of the word unprecedented, but that’s exactly what this is.

People have died. People are mourning. People have lost their jobs. People are scared. So much has been put on hold and nobody knows what’s next.

We are overwhelmed with gratitude for the world’s key workers who have given everything they have to help others. They are putting their lives at risk, and in very sad cases, making the ultimate sacrifice.

Thank you to everyone on the front line, and not just those in the medical professions, but also teachers, retailers, public transport staff, cleaners, and every other key worker we rely on. Every one of you is making a difference.

But this isn’t just about COVID-19. During the global health crisis, light has been shed on another pandemic, one which has been taking innocent lives for much longer: racism.

The tragic death of George Floyd is a story that’s, sadly, not unique. His death has triggered peaceful protests, not just across America, but many countries across the world, including the UK and our home of Bristol.

In some cases, the response to these protests has been further violence and further deaths. There is no excuse for this.

We acknowledge racism as a systemic problem and publicly commit to doing everything in our power to help support change. Black lives matter and it’s outrageous that we even need to fight for that.

Our hope is that, as ugly and tragic as this period is, it will lead to real change. We 100% support the #BlackLivesMatter movement.

If there is anything we can do to help related charities and non-profits, please reach out to us. If our product is of use to you, we’ll happily give you a free licence.

Right now, many people are angry, and many people are scared. In an ideal world, we wouldn’t choose 2020 as our year to launch, but life isn’t that simple.

As a start-up, we need to rely on momentum, and pausing for 6 or 12 months isn’t an option.

So, we are launching. Despite all the challenges of this year so far, we hope our plugin will help some of you to manage your data.

Stay safe,

The FortressDB Team