Recommendations for secure WordPress hosting

It only takes 5 minutes to install WordPress. That's good, because it leaves time for the responsibilities that come with hosting your WordPress website yourself.

Keeping a website running securely 24/7 is not difficult, but it is a craft

For two decades, I’ve installed and managed websites, many of them with WordPress. And I genuinely like it, especially when the installation is a well-oiled machine, with unrivalled uptime, fast performance and a solid backup strategy that saves the day when people are people and make mistakes.

Search engines also like it when you put effort into technical work. That the site loads quickly. That it’s clean and tidy and not filled with insecure, redundant code or even malware.

And users like it! That their receipt emails from the forms arrive. The absence of annoying cookie popups. Not having to read in the news that the site has been hacked and their data compromised.

That it just works.

I think you’ll like it too! So here’s a checklist of my key learnings from the engine room over the years. Drop me a comment if you think I’ve forgotten anything or have any questions. Thanks a lot!

A checklist for those who maintain a WordPress website.

Screenshot of Punktum.dk's article about DNS. Read it for a relatively easy-to-understand description.

Check roles at punktum.dk

Someone has to make sure the domain is renewed, and who owns the domain if the registrant is no longer available? Check it.

punktum.dk on DNS (in Danish)

Wordfence two-factor setup involves scanning a QR code via a TOTP app and entering a 6-digit code.

2FA login everywhere

The chain is only as strong as its weakest link. Ensure 2-factor login to WordPress, data centre and the mail account with administrator access.

Avoid hackers with Wordfence

When adding an external backup location in Softaculous, you can choose SFTP, Google Drive and Dropbox, among others.

Follow a 3-2-1 backup strategy

To resist human error, software errors and ransomware, keep at least 3 backups in 2 different locations, plus 1 cold offline backup.

Wikipedia article on backup strategies

Qualys SSL Labs Report shows an A+ score for the oldrup.dk domain

Check the SSL certificates

Use the Qualys SSL Labs Server Test to analyse SSL/TLS and HSTS on the web server. Let’s Encrypt certificates can achieve an A+ rating just fine.

Qualys SSL Server Test

An example of an HTTP Observatory Report from MDN with a current rank of B+.

Test your HTTP Security Headers

HTTP Observatory performs a thorough assessment of a website’s security configurations. On WordPress websites, a B+ score is possible.

Strengthen security with HTTP Security Headers
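As an added example (not code from the original post), here is a small audit of the response headers that HTTP Observatory looks at, run against two constructed header sets: a bare WordPress install and the same site after headers were added. The pass thresholds (HSTS max-age of six months, CSP without 'unsafe-inline', a safe Referrer-Policy) are assumptions modelled on Observatory's scoring.

```python
"""Audit a set of HTTP response headers for the security headers that
HTTP Observatory checks. Added example; thresholds are assumptions."""
from __future__ import annotations

# Six months in seconds: the HSTS max-age assumed adequate for a good score
HSTS_MIN_MAX_AGE = 15_552_000
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin",
}

def _parse_hsts(value: str) -> int:
    """Return max-age from a Strict-Transport-Security value, or -1 if absent/malformed."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return -1
    return -1

def audit_security_headers(headers: dict[str, str]) -> dict[str, bool]:
    """Return one pass/fail flag per check. Header names are matched
    case-insensitively, as HTTP requires; a missing header fails its check."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    frame = h.get("x-frame-options", "").strip().upper()
    return {
        "hsts": _parse_hsts(h.get("strict-transport-security", "")) >= HSTS_MIN_MAX_AGE,
        # Observatory deducts for 'unsafe-inline', so a CSP that allows it does not pass here
        "csp": bool(csp.strip()) and "unsafe-inline" not in csp,
        "nosniff": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        # Either the legacy X-Frame-Options header or a CSP frame-ancestors directive
        "clickjacking": frame in {"DENY", "SAMEORIGIN"} or "frame-ancestors" in csp,
        "referrer_policy": h.get("referrer-policy", "").strip().lower() in SAFE_REFERRER_POLICIES,
    }

# Constructed samples: a default WordPress install over HTTPS, and the same site hardened
WP_DEFAULT = {"Content-Type": "text/html; charset=UTF-8", "X-Powered-By": "PHP/8.3.0"}
WP_HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for name, hdrs in (("default", WP_DEFAULT), ("hardened", WP_HARDENED)):
        result = audit_security_headers(hdrs)
        failed = [k for k, ok in result.items() if not ok]
        print(f"{name}: {len(result) - len(failed)}/{len(result)} checks pass, failing: {failed}")
```

On a live site, feed the function the headers from an HTTPS response to the home page; the WordPress admin area often needs a looser CSP, so audit the public pages and the login page separately.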

Dmarcian which tests if DMARC, SPF and DKIM records are set correctly. In this case, they are.

Remember DMARC, SPF and DKIM

These are crucial to whether mail gets through or is considered spam, and to whether your email address can easily be spoofed and abused for phishing.

dmarcian DMARC Domain Checker
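To show what a checker like dmarcian looks for in the three records, here is an added example (not from the original post) that sanity-checks SPF, DKIM and DMARC TXT records supplied inline rather than fetched from DNS. The example.com records are constructed; the rules (an SPF "all" qualifier, the RFC 7208 10-lookup limit, a DKIM p= key, a DMARC policy stronger than none with a rua= address) are the common pitfalls that make mail land in spam or leave a domain spoofable.

```python
# Sanity-check the DNS TXT records behind SPF, DKIM and DMARC (added example, records given inline)
import re

def _tags(txt):
    """Parse the 'k=v; k=v' tag list used by DKIM and DMARC records."""
    out = {}
    for part in txt.split(";"):
        k, _, v = part.partition("=")
        if k.strip():
            out[k.strip().lower()] = v.strip()
    return out

def check_spf(txt):
    """Return the problems found in an SPF record; an empty list means it looks fine."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF record must start with v=spf1"]
    problems = []
    if terms[-1].lower() not in ("-all", "~all"):
        problems.append("SPF must end with -all or ~all; '+all' or no 'all' lets anyone send as you")
    # RFC 7208 allows at most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect)
    lookups = sum(1 for t in terms[1:]
                  if re.match(r"[+\-~?]?(include:|a(:|$)|mx(:|$)|ptr|exists:|redirect=)", t, re.I))
    if lookups > 10:
        problems.append(f"SPF needs {lookups} DNS lookups; RFC 7208 allows 10")
    return problems

def check_dkim(txt):
    """A missing or empty p= tag means there is no usable public key (empty p= = revoked)."""
    return [] if _tags(txt).get("p") else ["DKIM record has no public key (p=)"]

def check_dmarc(txt):
    """Check policy strength and reporting of a DMARC record."""
    tags = _tags(txt)
    if tags.get("v") != "DMARC1":
        return ["DMARC record must start with v=DMARC1"]
    problems = []
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC p= must be none, quarantine or reject")
    elif tags["p"] == "none":
        problems.append("p=none only monitors; spoofed mail is still delivered")
    if not tags.get("rua"):
        problems.append("no rua= address, so no aggregate reports will arrive")
    return problems

# Constructed records for a fictional example.com, not real DNS data
SPF_GOOD = "v=spf1 include:_spf.example.net mx -all"
SPF_BAD = "v=spf1 include:_spf.example.net +all"
DMARC_GOOD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
DMARC_WEAK = "v=DMARC1; p=none"
```

To test a real domain, paste in the TXT records from `example.com`, `selector._domainkey.example.com` and `_dmarc.example.com` respectively; the DKIM selector is the one your mail provider gave you.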

cPanel's “WordPress Management” tool allows you to clone a website with just a few clicks.

Debug new releases on a clone

Your web host has built-in methods to clone a website. It only takes a few minutes. Use clones to try out new WordPress versions and plugins.

cPanel: How to clone a WordPress website

PHP 8.3 is actively supported until December 2025

Use a supported PHP version

All PHP releases are supported for 4 years, and WordPress has its own support cycle. An annual update is adequate; PHP 8.3 is still a good choice.

PHP.net about supported versions

Screenshot from the WordPress plugin list with the option "Enable Auto-updates" highlighted.

Update plugins and theme often

Critical systems with frequent changes should be updated manually. Static business card websites can be auto-updated, but keep an eye on them.

WordPress.org about plugin and theme updates

WordPress plugin page with the warning “This plugin hasn’t been tested with the latest 3 major releases of WordPress.”

Replace abandoned plugins and themes

Plugins that are no longer maintained can pose a security risk. There are almost always alternatives, so look for them.

Patchstack: How to avoid abandoned plugins

Web hosting visitor statistics show over 100,000 hits every hour on the sorting guide ressourceportal.dk

Optimise the cache; resist DDoS

By carefully tweaking the cache, the server’s resources last longer and the site can handle large amounts of traffic without being overloaded.

LiteSpeed Cache for WordPress

A Checkbot report by oldrup.dk. The report shows 99% on SEO, 99% on speed and 100% on security.

Checkbot tests your entire site

Check hundreds of pages at once for broken links, duplicate titles, invalid HTML, insecure pages, poor SEO, speed and much more.

Try Checkbot for Chrome

Uptime Robot shows an uptime of 99.999% on a good handful of websites.

Monitor uptime. Goal: 99.999%

“Five 9s availability” or 99.999 per cent uptime means that websites are down for less than 5 minutes annually. An ambitious but attainable goal.

Uptime Robot monitoring service

Bjarne Oldrup

Bjarne is a web developer with a passion for a sustainable, inclusive and respectful internet.

With a background as a computer technician, graduating in 1992, he has worked as a programmer, system administrator and network specialist. Today, he focuses on website carbon footprint, web accessibility and GDPR compliance.

Bjarne has spent the last decade working with medium-sized businesses to help them reduce their websites' environmental impact and promote healthy online practices.

WordPress, HTML, CSS and LiteSpeed web servers are Bjarne's favourite tools, and the open-source community is his comfort zone.
