While the Newspack platform and WordPress software are inherently secure, it is also the responsibility of editors and publishers to ensure good security practices in their daily use of the site. Here are our recommendations for ways to keep your site and accounts secure.

Strong passwords

A strong password is a foundational piece of site security. Your password should be hard for other people to guess and hard to crack with a brute-force attack. A strong password does more than protect your content: a hacker who gains access to your administrator account can install malicious scripts that can potentially compromise your entire server.

WordPress shows a password strength meter whenever you change your password. Use it to confirm that the new password is strong enough.

Patterns to avoid when choosing a password:

  • Any permutation of your own real name, username, company name, or name of your website
  • A word from a dictionary, in any language
  • A short password (fewer than 16 characters)
  • Any numeric-only or alphabetic-only password (a mixture of both is best)
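The four patterns above can also be checked mechanically. The following is an added example, not code from Newspack or WordPress: the function names, the substitution table, the matching rule for names, and the sample word list and identity terms are all constructed assumptions.

```python
import re

MIN_LENGTH = 16  # the list above treats fewer than 16 characters as short

# Constructed sample word list (assumption); load a full dictionary in practice.
SAMPLE_DICTIONARY = {"password", "sunshine", "dragon", "newspaper", "bonjour"}

# Undo common character substitutions so "p4ssw0rd" is read as "password".
SUBSTITUTIONS = str.maketrans("013457@$!", "oieastasi")


def letters(text):
    """Lower-case the text and keep only the letters a-z."""
    return re.sub(r"[^a-z]", "", text.lower())


def check_password(password, identity_terms, dictionary=SAMPLE_DICTIONARY):
    """Return which of the four patterns to avoid the password matches."""
    problems = []
    # Two readings: symbols/digits dropped, and substitutions undone.
    readings = {letters(password), letters(password.translate(SUBSTITUTIONS))}

    # Real name, username, company or site name, whole or word by word,
    # forwards or reversed (hypothetical matching rule, minimum 3 letters).
    parts = set()
    for term in identity_terms:
        parts.update(letters(piece) for piece in [term, *term.split()])
    if any(len(p) >= 3 and (p in r or p[::-1] in r)
           for p in parts for r in readings):
        problems.append("identity")

    if any(r in dictionary for r in readings):
        problems.append("dictionary")
    if len(password) < MIN_LENGTH:
        problems.append("short")
    if password.isdigit() or password.isalpha():
        problems.append("single-class")
    return problems


if __name__ == "__main__":
    me = ["Jane Doe", "jdoe", "Example Gazette"]  # constructed identity terms
    for candidate in ["p4ssw0rd", "JaneDoe1985", "12345678901234567890",
                      "crumple-Vast7-orbit-Kettle"]:
        print(candidate, check_password(candidate, me) or "no pattern matched")
```

An empty result only means none of the listed patterns matched; the WordPress strength meter remains the check to rely on when setting the password.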

Many automatic password generators are available that can be used to create secure passwords.

Password manager

Passwords should not be stored in a spreadsheet, Google Doc, wiki, or other unencrypted or insecure document. Instead, use a password manager, also known as a password wallet or password vault. Consumer Reports recommends either 1Password or Bitwarden, both of which support individual users and teams. 1Password also provides free individual accounts for journalists and discounted accounts for journalism organizations.

Two-factor authentication

In addition to using and storing a strong password, it’s a good idea to enable two-factor authentication (2FA), which requires the use of both a password and another device, such as your smartphone.

If you’d like to add 2FA protection to your site, please let us know.

Administrator-level user accounts

With great power comes great potential for damage. Only those who need full control over all aspects of the site should be given Administrator access. An Administrator’s capabilities include creating, editing, and deleting posts, pages, donations, and users, as well as installing plugins, changing site templates, and customizing sitewide options.

In general, most site users should be able to work on the site successfully with Editor-level access or below.

It’s a good habit to regularly audit your users and remove any that no longer need access or who have left the organization.


Removing any extra and unneeded WordPress plugins is also a key element of site security. If you’re not using a specific plugin, deactivate and delete it.

For more information about online security in journalism, read “The Field Guide to Security Training in the Newsroom”.