Web & Marketing

WordPress is the most popular content management system (CMS) in the world, but that doesn’t mean it has no security holes. In fact, as a platform designed to be used by millions of people across the globe and with such a diverse range of users, there are some pretty serious security issues that affect WordPress sites every single day. Thankfully though, there are plenty of things you can do to improve your website security and make sure that your site remains safe from hackers and other malicious threats.

1. Update your login credentials and change them regularly

You should change your password at least once every few months, if not more frequently than that. The best way to do this is by using a password manager application like Dashlane or LastPass. 

If you don’t want to use a third-party program, make sure you’re using strong passwords that are at least 15 characters long and include lowercase letters (a-z), uppercase letters (A-Z), digits (0-9) and punctuation marks (#$&’*()_+). Don’t just rely on common words; instead, create something completely unique! For example:

Example 1: MyPasswordIs12345678901234567890!

Example 2: H&+7o8k(g3q3d%MvXPGWcX8yxdRt2jQRh!

2. Always use strong, unique passwords

A strong password is one of the most important aspects of WordPress security. If a hacker is able to access your website, they’ll be able to see usernames and passwords. They can then take over your account or set up WordPress on their own server with all the same privileges you have.

A strong password should include:

  • At least eight characters in length
  • A combination of numbers, letters, and symbols (preferably not just 1s and 0s)
  • Not being based on any personal information about yourself that could be guessed by someone familiar with you (like your birthday or username)

3. Keep the number of user roles to a minimum

One of the first things you should do is limit the number of user roles on your site. The more people who have access to your website, the greater the risk that something will go wrong and they’ll be able to cause harm (either intentionally or accidentally).

As a general rule, it’s best to give only those who really need it access to administrative accounts. If you want someone else—like a content manager—to be able to make updates on their own, consider creating separate user accounts for them with limited permissions such as “author” or “contributor.”

4. Only install plugins from trusted sources (do not install nulled, cracked or pirated plugins)

  • Only install plugins from trusted sources (do not install nulled, cracked or pirated plugins)
  • Update plugins regularly and remove old ones that are no longer used.
  • Enable automatic updates for WordPress core, themes and your plugins so you don’t have to worry about it manually in the future
  • Use a plugin like WordFence Security to scan your website periodically and find security issues.

5. Add Captcha to prevent spam

Captchas stop spambots from posting comments and links on your website. You’ll see less spammy comments, which will improve the experience for real users who visit your site.

The default WordPress login page uses a Captcha that helps prevent brute force attacks against it. By adding this extra layer of security, you can make sure that only humans are logging into their accounts on your site.

Adding a Captcha to WordPress is easy! It requires just a few steps:

  • Go to “Settings” under the Dashboard menu option and click on “Discussion”
  • Then check the box next to “Users must be registered and logged in.” This will display a new field with two options: “User registration” and “User Profile Fields” where you can enter all the required data about what fields show up on each user profile when they register for an account with WordPress (and other relevant information).

6. Limit the number of failed login attempts

It’s also important to set a limit on the number of failed login attempts that can be made. This is usually done by limiting the length of time between successful logins and failed login attempts. For example, if you allow three unsuccessful attempts per minute, then users will be able to get into your site after failing three times within 60 seconds.

However, this isn’t always enough security for some websites—especially those which are accessed by multiple people or use critical data like bank accounts and credit cards. In these situations, it’s recommended that you implement a lockout period: After more than three failed login attempts have been made in one minute (or whatever number seems appropriate), access to your site will be temporarily blocked until an administrator resets your password or unlocks your account manually from their end.

7. Ensure that all your files, themes and plugins are properly updated (and if you’re using any outdated ones, delete/replace them)

  • Ensure that all your files, themes and plugins are properly updated (and if you’re using any outdated ones, delete/replace them).
  • Update WordPress core regularly (you can set the frequency of updates in wp-config.php).
  • If a plugin or theme needs updating, update it!
  • Change your passwords on a regular basis, especially if you have been hacked or had a data breach at another site where you use the same password.

8. Change your website login page

Changing your website’s login URL is a great way to improve the security of your WordPress site. 

If you’re not sure how to do this, here are a few steps:

  • Open up wp-config.php and find the line that says “define( ‘WP_HOME’, ‘http://example.com’);” (Copy/paste it so you don’t miss any characters.)
  • Change http://example.com to https://example.com and save the file!
  • Make sure that you change both instances of “http” with “https”, otherwise you will see this error message when visiting your site: SSL certificate problem, verify that the CA cert is OK.

9. Backup your website regularly

Backing up your website regularly is one of the most important things you can do to maintain its security. When your site is backed up, you’re able to roll back any problems that may have occurred when making changes or additions to it.

You should do backups of your site as often as possible. How often depends on how much change there has been since it was last backed up, how much data was added and whether or not those changes were successful (i.e., did they successfully upload?). If so, then a new backup might be unnecessary; if not—and especially if something went wrong during the upload process—it probably is necessary.

10. Monitor for malicious code insertion

You can also monitor for malicious code insertion by looking at the files on your site. If a file has been inserted that shouldn’t be there, then you’ll know. A tool called WPSSO is one example of a WordPress plugin that can help you detect this kind of activity.

Other things to watch out for include suspicious activity and URLs, suspicious email addresses, suspicious IP addresses, suspicious user agents (the software used by visitors), and referrers (the websites visitors are coming from).


We hope that these tips have helped you take your website security to the next level. If you’re still unsure about how to secure your WordPress site, we recommend contacting an expert for help. 

And if you have any questions or need a professional team to design and develop your WordPress website, please contact us!


to our Blog

Keep your business up to date with the latest branding, design, and digital marketing news & tips.

“We are committed to your privacy. We use the information you provide to us to contact you about our relevant content and services. You may unsubscribe from this newsletter at any time.”