Step 9: How to secure your WordPress site

In the previous article, we touched on two basic ways to secure your WordPress site:

  • Using a security plugin
  • Being careful when installing new WordPress plugins

Now, we’re going to dig into some slightly more advanced techniques for securing your WordPress site.

Why do you need to put more effort into securing your WordPress site? Because every year tens of thousands of WordPress sites get hacked. But not because WordPress isn’t secure.

These sites get hacked only because they fail to implement basic WordPress security tips. So as long as you follow WordPress security best practices, your site will be safe from the vast majority of WordPress attacks.

In this guide, we’ll give you some simple tips you can implement to make sure your site stays safe from hackers:

Use a Quality WordPress Security Plugin

Ok, we know that this was part of the last article. But in case you skipped that article, this one is too important not to include again. One of the best ways to keep your site safe is to use a well-regarded security plugin.

Security plugins add important security mechanisms like:

  • Firewalls
  • IP blocking for malicious actors
  • Rate limiting
  • Two-factor authentication
  • Security scanning
  • And more!

We know that you might not know what all of those terms mean, but here’s the only thing you really need to understand:

They make your WordPress site way safer.

Again, for a good all-purpose free WordPress security plugin, we recommend WordFence Security.

Always Keep WordPress Updated. All The Time. No Matter What. We Mean It.

Do you want to know the biggest reason why people’s WordPress sites get hacked? Their software or plugins are out of date. See, WordPress does experience vulnerabilities sometimes. But the developers always patch them quickly. So if you update, you’re safe. But if you don’t update, you’re at risk of a malicious attack.

It’s such a simple thing. But many people forget to update parts of their WordPress site. Don’t be one of those people. There are a few ways you can handle keeping your site updated:

1. You can always view a detailed overview of all the software, plugins, or themes that need to be updated by going to Dashboard → Updates:

WordPress showing available updates for installed pluginsYou’ll also see a red circle with a number in it next to your plugins when you need to update them.

Updating is super easy. You just need to check the boxes next to all the out of date plugins and click Update Plugins:

Update all out of date WordPress plugins at once2. All managed WordPress hosts offer automatic upgrade services. So if you don’t want to think about updates, you can just pay for managed WordPress hosting and have them do it for you.

3. WordPress actually has an automatic update feature built in. But depending on how you install WordPress, it might be turned off. If it’s turned off, enabling it does take a little code-savvy. If you want to use this feature, WordPress put together a detailed guide. As we said, it’s a bit of an advanced topic, so we don’t want to dig in too deeply in this beginner’s guide.

Keeping your WordPress site updated is absolutely essential. Don’t forget to do it. We seriously cannot stress this enough.

Always Choose a Strong Password

So yeah, this one seems basic, right? We all know to use a strong password…or do we? Despite how basic a security measure this is, a huge chunk of the world still uses “password123” as their password.

We don’t want you to be one of those people, which is why we’re reminding you to always choose a strong password. WordPress can even automatically generate a strong password for you. All you need to do is keep it safe.

One method hackers use to gain access to your site is something called a brute-force attack. In a brute-force attack, they just guess random passwords until they find one that works.

If you use a common password, this type of attack is easy for hackers to execute. However, if you choose a complex password, it’s nigh-on impossible for them to gain access to your site via this method.

Never Use “Admin” As Your Username

For a long time, all WordPress installs used “Admin” as the default username. That’s no longer the case, but it’s still a bad idea to ever use admin as your username.

See, for hackers to execute a brute force attack, they need to get two pieces of information:

  • Your username
  • Your password

Using a unique username in conjunction with a complex password makes it pretty much impossible for them to ever guess both.

Limit Login Attempts

Ok, let’s knock out the possibility of a brute force attack for good with one more tweak:

Limiting the number of login attempts allowed.

You’re probably familiar with this approach because it’s used by most banks and other sites with high security.

Basically, if someone enters the wrong password say, 3, times, then the login page is locked down for a period of time. Again, this prevents malicious actors from trying to repeatedly guess your password.

There are two ways you can limit login attempts:

  • Some WordPress security plugins automatically do this. So check that first.
  • You can install a plugin called WP Limit Login Attempts.

Install and Use an SSL Certificate

Ever wonder why some sites start with “http://” and some start with “https://”? It’s because some have something called an SSL certificate and some don’t. The sites with the “s” added are inherently more secure than the other sites.

How does this tie in with WordPress security? Because without an SSL certificate, your login credentials are vulnerable. All the protections we added above mean nothing if hackers get your exact login details.

So how can hackers get your details?

Say you log in to your WordPress site at a cafe or the airport (or any other public WIFI access point). Without an SSL certificate, hackers can steal your password and username over the WIFI. And bam, they have full access to your WordPress site.

With an SSL certificate, your username and password are encrypted and protected from hackers.

So how can you get an SSL certificate?

First, you’ll need to install one on your hosting. Unfortunately, we can’t give exact instructions here because the process depends on your host. But if you contact your host’s support, they’ll know exactly what you’re talking about and can help you out.

Once you have the SSL certificate properly installed, you can handle everything else by installing a plugin called Really Simple SSL.

Lastly, in addition to all of these security steps, we just want to remind you one more time to always keep a recent backup of your site as well. No matter how great your security is, you should always protect against the worst case scenario.

In the next step in this guide, we’ll break away from the internal mechanisms of your WordPress site and talk about a much more interesting concept:


We’ll discuss how to write articles that your visitors love reading, as well as how to best format your articles. Come along to the next step in our guide!

Next Guide

Content is king

If your content isn’t up to snuff, your site is going to suffer. In this article we’ll discuss how to write articles that your visitors love reading, as well as how to best format your articles.