Improving and implementing WordPress security can be very confusing. New vulnerabilities and corresponding security patches are developed daily. Attacks are more and more advanced and sophisticated and pose more of a threat than ever before. Cyber security measures are often inadequate. Luckily, many plugins and tutorials have been developed to help ease the WordPress newbie into methods of maintaining good security practices.  In this post we discuss 20 of the first security measures you should take immediately after creating your site – all of which can be done without any coding knowledge!    


WordPress offers great flexibility for website design; granting users access to a large range of themes and plugins.  Since its creation in 2003, it has soared in popularity. In 2019 it was crowned the world’s most popular content management system (CMS) for the 7th year running (1).  Currently, WordPress powers over 35% of the internet (`World Wide Web Technology Surveys’)(2).

Graph from Sucuri

WordPress allows users to extend the basic functionalities of the platform through different components such as third-party plugins, adjustable CSS (Cascading Style Sheets) and themes. However, this adaptability brings corresponding vulnerabilities.  During their 2019 ‘Website Hack Trend Report’, Sucuri (a popular business offering website cleaning, fixing and securing services) reported that roughly 90% of all hacked CMS investigated in 2018 were WordPress sites (3). Despite this scary statistic, Sucuri experts claim that the main threat of hosting a WordPress site is not WordPress itself, but the vulnerabilities attached to installing third-party plugins and themes, faulty configuration and a lack of user maintenance (4). In fact, Sucuri’s study found that only 56% of investigated sites were running an up-to-date CMS!

While WordPress core software is very secure (audited and updated regularly by hundreds of developers (5)), the majority of your WP site’s security depends on user behavior. Luckily, there are some very simple steps that even complete WP beginners can take to harden their security.  


Large-scale data-breeches are exposed and broadcast across the world through modes such as newspapers, online articles, social media and TV. (Recall the devastating effects of  WannaCry and the Equifax breech which both hit headlines across the globe  and caused billions of pounds in financial losses.)

Small website owners may believe their websites are safe as they hold little or no value to a potential hacker. However, the `I have no information of value`  argument is not true for most sites; all businesses, irrespective of size, hold information valuable to the potential hacker (6). In fact, even if your site holds little valuable information, it could still be used for other malicious purposes such as hosting phishing pages, Malvertising, SEO spam and Drive-by-downloads (7).

If you still strongly believe that no one wants to hack your site, then you could be right. Unless you are an incredibly successful company, it is very unlikely that a specific individual will attempt to hack you – but this doesn’t mean you are safe. Automated bots are constantly scanning the internet searching for known vulnerabilities within WordPress sites. These bots also look for any known vulnerabilities in any plugin or theme you are using.

Smaller Businesses are commonly targeted because they tend to be easier to hack. Smaller companies typically do not have the funds or resources to set up sophisticated IT defenses and so their networks are usually much easier to infiltrate. In any case, if your website becomes compromised, then your company could possibly encounter penalties and fines, as well as a loss of reputation. 



Unfortunately, not every hosting provider will have your best interests at heart. Many unethical providers will use your email for spamming and your website for ads. Choosing the right server is therefore very important for security, and not just a case of picking the cheapest deal. Ideally, you should select a hosting provider with at least 99.9% uptime (the time your website stays online, and can be accessed), automated backups, potential SSL certificates and a secure data center (e.g. preference to those in a location not exposed to natural disasters).

All of this can be a lot to consider, so checking reviews and Clients per Server numbers can be of great help. Whois have compared the security of over 300 hosting providers .


Hacked ‘pro’ versions of themes can sometimes be found for free online. Although tempting, these could include malicious code and should be avoided. You should pick a ‘secure WordPress theme’ – one follows proper code standards, is routinely updated and doesn’t include any (known) security vulnerabilities. You should also ensure that any theme you chose is compatible with your version of WordPress and previously installed plugins. If you are unsure, the WordPress online theme directory has lots of secure options.


WordPress sites are known to be very susceptible to brute force attacks. Hackers target sites with scripts or bots which repetitively attempt login credentials until your website cracks. By default, your username is half the credential (can change this later with 2-step authentication), and having an easy to guess username such as your company or ‘admin’ makes these attacks more likely to succeed.

To minimize this risk, choose a username at least 16 characters in length which would be resistant against dictionary and brute force attacks. I recommend using a secure password generator for usernames and determining a secure, encrypted storage method (e.g. “efvdLF7Tfw5YcWoE” and “FiQqpcy16Dh0Hcxs”). For attributions, you can set a nickname so that your username never appears within your website.

If you are adamant on keeping a username which is memorable, using your unique WordPress email address is much more secure than using your name or personal email address which might be included on your website. 


How many people really need access to your WordPress Dashboard? Keeping the number of accounts to a minimum not only minimizes the chance of a brute force attack succeeding (more credentials means more chance of a correct combination), but also prevents against some human errors. Although WP user functionality is great for site aesthetics, it opens many opportunities for disaster.

For example, uneducated ‘tinkering’ within the wp-config-php file could potentially break your entire website; installing a plugin before updating to a specific WP version could create security holes in your site’s code in which a scanning bot could detect and exploit; and installing a malicious plugin could launch a physing attack on your contacts. Suppose a contributor reset their password to ‘P@ssword’ and your site was targeted by a brute-force attack. From a security point of view, you should leave as little trust to humans as possible.


In most cases, a WordPress site will require multiple accounts. When adding new users, granting account privileges should be carefully managed. Each account holder should have the absolute minimum access required to fulfill their role. ‘Granting users unnecessary privileges or data access rights means that if the account is misused or compromised, the impact will be more severe than it needs to be (8).’  In larger corporations, it is good practice to determine the needs of users require in advance and implement a ‘least privilege’ protocol. You should never just someone admin rights without utmost justification.

It is also important to ensure the default setting for new accounts is set to ‘contributor’ (currently the account type with the least privileges), and to regularly scan for inactive accounts which can be removed from your site. 


Passwords should be viewed as a final line of defence. Similar to usernames, these should be resilient against brute force or dictionary attacks – ideally you should choose a password with at least 16 characters, one number, one uppercase letter, one lowercase letter and one special symbol. Avoid using any words as dictionary attacks will deduce these quickly. Keep in mind that ‘Hello` and ‘He77o` are equally easy to deduce, since dictionary attacks have evolved to determine simple adaptations. Be wary of Social Engineering attacks; resist using any personal information such as family or pet names, as these can often be easily found through scanning public social network accounts.

Humans like convenience, even when it poses serious security risks. You should never use identical passwords across different accounts: if one account gets compromised, then the hacker is granted easy access to all of them. Similar passwords such as “knowledge4strengthdropbox” and “knowledge4strengthgmail” should also be avoided.


 In general, you should not let your web browsers to remember your passwords, since these can potentially be revealed by experienced hackers. Anytime you log into your WP account you need to consider both the device and network. You should be cautious of public devices, or any device that you do not own. Even new devices coming into your business network should be avoided until a full security scan has been conducted. Never log in to your WP account when connected to a public Wi-Fi hotspot, free VPN or web proxy. No matter how strong your password is, passwords still get hacked. It is important to routinely change your password every 10 weeks. You can install a WordPress plugin which reminds all users to change their passwords.


Hackers attempt to break into your account by guessing login credentials. This can be achieved by scripts or bots which run repetitive login attempts until your website cracks. By default, WordPress allows users to enter passwords as many times as they want, making your site automatically vulnerable to brute force attacks. Limiting the number of login attempts before a temporary block out adds an extra layer of security against brute force attacks. I used a plugin called ‘Login Lockdown’.


Placing /wp-admin at the end of your domain will redirect you to your site’s WordPress login page. Having this accessible makes your site an easy target for brute force attacks and SQL injections. I recommend the plugin ‘WPS-hide’ to change login URL to something less predictable. Malicious software can only target your website if it knows it’s structure (9).  Hiding the WP login page also hides the fact that your website is powered by WordPress (although this can still be deduced by observing common themes and plugins), potentially saving your site from attacks exploiting known WordPress vulnerabilities.


No website is fully secure and you should be prepared if something bad were to happen. Backups allow you to quickly restore your WordPress site if it were to become compromised.  These should be scheduled, done regularly and saved to a remote location. Certain hosting sites offer free backups as part of their package, but there are lots of free WordPress Plugins that can do the same (I recommend Up-Draft Plus). If your site becomes infected with a ransom attack, keeping these backups could render the attack useless.


Since WordPress is open source, hackers can study the source code and find new ways to break it. Luckily, anyone can view the source code, so security patches are developed and released quickly for every reported vulnerability. If you are not using the latest version of WordPress, then you are using software with known security vulnerabilities (10), making you susceptible to attacks which could have easily been prevented. Running an old version of WordPress can also lead to problems with configuration. If you are using WP-Engine as a hosting server, then this offers automatic update installation, otherwise it is good practice to install updates as they appear on your dashboard.


Access to plugin and theme code is readily available in the WordPress dashboard. This feature can be a security risk, since if a hacker gained access, they would be able to adapt this code and potentially break your entire website. Even tinkering with harmless intentions could have dangerous consequences. It is therefore a good idea to disable Theme and Plugin editing unless you are experienced. Go onto your website’s c-panel and add the code into the wp-config.php file:

{code type=php}

Now, when you’re in the dashboard it is impossible to access the theme or plugin editor, even with the admin account.


Adding a SSL (Secure Sockets Later) certificate to your site will add a layer of encryption to any data transferred between your website and end-user browser making it harder for hackers to steal important information. Once an SSL certificate is obtained, your website will use HTTPS instead of HTTP, and a padlock icon will appear next to your URL making your site appear more secure to visitors. These certificates can either be obtained through your hosting server, or for free through sites such as ‘CloudFlare’ or ‘Let’sEncrypt’. 



It is is setup an auditing and monitoring system that keeps track of everything that happens on your website.

This includes file integrity monitoring, failed login attempts, malware scanning, etc.

Thankfully, this can be all taken care by the best free WordPress security plugin, Sucuri Scanner.

You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.


Incredibly long log-in sessions under inactive  users affects both the speed and security of your systems.  Consider a receptionist logging into their computer in the morning and leaving it logged until the evening, when they leave for lunch their computer is unattended and exposed to  ‘evil maid attacks’. Other employees might also use the logged-in computer and get elevated privileges. Alongside the security risks, Idle users causes other systems in the network to become really slow due to applications left running on the unattended machines.

It is important to ensure inactive users are also logged out of your word press dashboard. You can install the ‘inactive logout’ plugin to set a countdown and boot-off from inactivity. 



Locking down access to vulnerable files can prevent a hacker from causing damage even if they do hack login credentials. Many all-in-one security plugins such as WordFence can assign additional password options, but this can also be  done manually by creating a .htaccess file and .htpasswds file for your wp-admin directory.


Removing the ability for users to install new plugins and themes prevents poorly executed upgrades. Upgrading without first conducting a backup or  determining compatibility can cause a host of vulnerabilities and issues.

Go onto your website’s c-panel and add the code into the wp-config.php file:

{code type=php}

Now, users are unable to install or update themes and plugins. 

This is only really applicable if you have set up a WordPress site for a client and don’t want them mindlessly upgrading. For your own website, being aware and following the right upgrade and installation practices will be sufficient. 


Even if a hacker guesses or gains your login credentials through a brute force attack, two-factor authentication adds another layer of security as it often requires a hacker to steal your possession in order to gain access to your wp-admin dashboard. The ‘two-factor’ plugin adds SMS authentication to your log-in page.  After entering the WordPress username and password, you will receive a text message via SMS on your phone with a code.


IP white listing allows you to create lists of trusted IP addresses or IP ranges from which your users can access your domains. For a hacker to gain access, they would have to spoof  their identification to an accepted IP address, adding another layer of security to your website and important files.


We have discussed how plugins are great resources in securing your wp-site, but these plugins come with their own security risks The more plugins you have, the greater the risk of a plugin-based security risk. You should only keep and activate plugins which are essential to the running of your site, and you should always un-install inactive or idle plugins.  



Leave a Comment

Your email address will not be published.