This is a guest post written by Richard Nolan. I didn’t receive any compensation for it. You can find out more about Richard in the ‘About the Author’ section at the end.


WordPress is, without doubt, the biggest Content Management System (CMS) in the world, powering about 30% of all websites.

It is therefore not surprising that most hacking attempts by bots, malware, and hackers target WordPress sites.

Unfortunately, many of them succeed because of lax security measures, which are mostly the result of a lack of knowledge or a careless attitude on the owners’ side.

If you own a WordPress website, or plan to own one, know that you can’t afford to take security for granted, unless of course you are not serious about your project.

Below are some WordPress security tips that I compiled to help you keep your website (and your investment) safe!


1. Avoid Common Passwords

Common passwords like QWERTY or 123456, or your own name, are very easy for hackers to guess, especially if they already have your email address.

Keep your WordPress website safe by having a password that’s at least eight characters long and that consists of uppercase and lowercase letters, as well as numbers and symbols.

If you can (and there’s no reason why you can’t), change your password every month or so, making it more complex each time you do.

2. Two-Factor Authentication

Brute-force attempts are the most common hacking strategy, and they almost always succeed.


They involve attackers using powerful hardware or “password dictionary” software to crack user passwords.

Even a long, complex password can be cracked if someone spends enough time and effort on it.

Two-factor authentication (2FA) adds an extra security layer to your login process by requiring additional information that only you possess, on top of the usual username and password combination.

For instance, you can set up 2FA so that a one-time code is sent to your phone when you log in to WordPress. With that, even someone who learns your password won’t be able to access your site.

3. Watch Your Username

Understandably, most people use their personal or professional email address, or “admin”, as their username, which hackers find easy to guess and crack.

To be safe, change your username to something that doesn’t include your name.

As WordPress restricts how often you can change your username, the best way to do it is to create another user account, grant it admin rights, and delete the default account. Do this by going to Users > New User and following the prompts.

Note that a different email and password are required for every new account.

After you’re through with the registration, use your default account to assign administrative duties to the new one.

Afterward, log out and log in using the new account, then go to the ‘Users’ dashboard and click the delete option under the old account.

You are safe now – sort of!

4. Update WordPress and Plugins

You probably know that WordPress is an open-source system under constant maintenance by dozens of developers.

Updates and upgrades usually come with improved security, among other features that improve performance.

Outdated plugins or core software can expose your site to security threats and other issues, such as slow loading times, so install the latest updates as soon as you can.

Minor WordPress releases and maintenance updates are installed automatically, but you will need to install major upgrades manually, unless you use a plugin or add some code to enable them.

5. Use a Web Application Firewall (WAF)

In the spirit of being proactive rather than reactive, use a Web Application Firewall to stop malicious scripts and malware from reaching your WordPress site.

WAFs typically block all “suspicious” traffic, including bots, DDoS attempts, and blacklisted IPs, and, depending on the provider, also clean up your website after an attack.

Cleaning up or restoring a hacked website is very costly, and the bill can run into hundreds of dollars.

WAF services, on the other hand, only cost about $100 per year, which is a small price to pay for keeping your website safe.

Popular WAF services include:

  • Sucuri;
  • CloudFlare;
  • Indusface TAS.

6. Implement SSL Protocol

If your WordPress website asks users to register with personal data, or it is an eCommerce platform, the least you can do is put measures in place to protect not only your site but also private user information.

The Secure Sockets Layer (SSL) protocol, today implemented as its successor TLS and symbolized by a locked padlock in the address bar, encrypts all data exchanged between your server and your users’ browsers.

This ensures that hackers and other nosy people can’t intercept customer data and leave you with a customer-relations disaster.

The first step to SSL integration is getting an SSL certificate from a Certificate Authority (CA). The next step is to redirect pages that handle sensitive data from HTTP to the more secure HTTPS.

With that, your data will be secure, and your customers will see that from their end.
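The redirect step is easy to get subtly wrong: a temporary (302) redirect, a redirect that drops the requested path or sends visitors to a different hostname, or a missing Strict-Transport-Security header all weaken the protection. This added example (not from the original post) checks a captured HTTP response against those pitfalls; the response dictionaries are constructed sample data, and the 180-day HSTS minimum is this example’s own threshold.

```python
"""Check an HTTP-to-HTTPS redirect response and the HSTS header for common mistakes. Added example."""
from urllib.parse import urlsplit


def _header(headers, name):
    """Case-insensitive header lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_https_redirect(request_url, status, headers):
    """Return a list of problems with the redirect a plain-HTTP request received (empty = OK)."""
    findings = []
    if status not in (301, 308):
        findings.append(f"expected a permanent redirect (301 or 308), got {status}")
    location = _header(headers, "Location")
    if location is None:
        findings.append("no Location header, so browsers are never sent to HTTPS")
        return findings
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        findings.append(f"redirect target is not https: {location}")
    if dst.hostname != src.hostname:
        findings.append(f"redirect changes host from {src.hostname} to {dst.hostname}")
    if (dst.path or "/") != (src.path or "/") or dst.query != src.query:
        findings.append("redirect drops the original path or query string")
    return findings


def check_hsts(headers, min_age=180 * 24 * 3600):
    """Check the Strict-Transport-Security header on the HTTPS response (empty list = OK)."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        directives[name.lower()] = val
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS max-age missing or not a number"]
    findings = []
    if max_age < min_age:
        findings.append(f"HSTS max-age {max_age} is below {min_age} seconds")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains (includeSubDomains missing)")
    return findings


if __name__ == "__main__":
    # Constructed sample: a correct redirect and a sloppy one.
    good = check_https_redirect("http://example.com/checkout?step=2", 301,
                                {"Location": "https://example.com/checkout?step=2"})
    bad = check_https_redirect("http://example.com/checkout?step=2", 302,
                               {"Location": "https://www.example.com/"})
    print("good:", good or "no findings")
    print("bad:", bad)
```

Feed it the status and headers you see with your browser’s developer tools or any HTTP client: a clean result on both the redirect and the HSTS header is what “your customers will see from their end” should rest on.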

7. Be Cautious with Plugins

Using cheap or poorly developed plugins can make your site vulnerable to malware attacks.

As such, stay away from the free or cheap plugins you see promoted on social media, and only buy yours from reputable sites. Even then, look for user reviews, or better still expert reviews from trusted sites, before opening your wallet.

Most importantly, check the date of the last update for every plugin or theme you intend to buy, and its compatibility with the WordPress version you’re using.

Avoid plugins last updated more than a year ago: it indicates that the developers have lost interest, and the plugin may have outdated security features that endanger your WordPress site.

8. Regular Backups

Sadly, no matter how much you try to prevent it, a hacker can still manage to get through to your website.

Sometimes your WordPress site might be damaged by mistakes and errors, such as a failed plugin installation or an administrative slip.

Backing up your site data several times a week, including all files, emails, databases, and posts, greatly minimizes the impact of such situations and makes it easy and cheap to restore your site.

Backup services are commonly provided by hosting companies, so you might want to check with yours to see what plans they’re offering.
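A backup is only useful if you can prove it is intact before you need it. As an added example (not code from the original post or any hosting provider’s tool), the following packs a site directory into a compressed archive together with a SHA-256 manifest, and later re-hashes the archive contents against that manifest. The sample site contents are constructed, and the `db.sql` file stands in for the database dump you would produce with your host’s tools or mysqldump; the archive is written owner-readable only because wp-config.php contains database credentials.

```python
"""Back up a WordPress directory to tar.gz with a SHA-256 manifest, then verify it. Added example."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(site_dir):
    """Map every file (relative POSIX path) under site_dir to its SHA-256 digest."""
    site_dir = Path(site_dir)
    return {p.relative_to(site_dir).as_posix(): sha256_file(p)
            for p in sorted(site_dir.rglob("*")) if p.is_file()}


def write_archive(site_dir, archive):
    """Write all files under site_dir into a gzip-compressed tar, owner-readable only."""
    site_dir = Path(site_dir)
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(site_dir.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(site_dir).as_posix())
    os.chmod(archive, 0o600)  # wp-config.php inside holds DB credentials


def create_backup(site_dir, dest_dir):
    """Create <name>-backup.tar.gz plus a JSON manifest; return both paths."""
    site_dir, dest_dir = Path(site_dir), Path(dest_dir)
    archive = dest_dir / f"{site_dir.name}-backup.tar.gz"
    manifest_path = dest_dir / f"{site_dir.name}-backup.manifest.json"
    write_archive(site_dir, archive)
    manifest_path.write_text(json.dumps(build_manifest(site_dir), indent=2, sort_keys=True))
    os.chmod(manifest_path, 0o600)
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Re-hash each file inside the archive; any changed, missing or extra file fails the check."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = {}
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                actual[member.name] = hashlib.sha256(data).hexdigest()
    return actual == expected


def demo():
    """Build a constructed site, back it up, verify, then alter the archive and re-verify.

    Returns (clean_result, tampered_result), expected (True, False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp_demo'); // constructed\n")
        (site / "wp-content" / "uploads" / "hero.jpg").write_bytes(b"\xff\xd8\xff constructed image bytes")
        (site / "db.sql").write_text("-- constructed stand-in for a mysqldump of the WordPress database\n")
        dest = Path(tmp) / "backups"
        dest.mkdir()
        archive, manifest = create_backup(site, dest)
        clean = verify_backup(archive, manifest)
        # Simulate an archive that no longer matches its manifest (bit rot or after-the-fact tampering).
        (site / "wp-config.php").write_text("<?php // altered after the manifest was written\n")
        write_archive(site, archive)
        tampered = verify_backup(archive, manifest)
        return clean, tampered


if __name__ == "__main__":
    print("clean verifies, tampered verifies:", demo())
```

Keep the manifest somewhere other than beside the archive (a second host or object store) so that whatever damages the archive cannot silently rewrite the manifest to match, and make verification part of the routine rather than something you try for the first time during a restore.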

Final Take

Running a WordPress site would be a more exciting undertaking if you were not perpetually worried about losing data from security breaches!

I hope that you have learned something new from this post and that your WordPress website will be much safer from now on.

If you have other relevant tips, share them with us!
