How do I Secure a WordPress Website?

A whole lot of the web runs their websites using WordPress. WordPress is a content management system which makes building things from scratch a whole lot easier. It also provides additional access points on the back end for people to get into your website with less than desirable motives.

There are two pieces to securing a WordPress site. First, you’ll need a basic kind of web security. This is the kind of web security that you’d use even if you’re not using WordPress. Second, there’s a kind of web security that will be specific to your WordPress site. We’ll spend more time on the second component of WordPress security.

Web Security

Good Hosting

It doesn’t matter how great your extensions and widgets on WordPress are if your basic web security is in the tank. The best way to secure a website, from the start, is to use a good hosting company. Great hosting companies will help you manage your security systems, offering DDoS protection, firewalls at critical access points, daily malware checks, and quality support. 

One of the best security features that you can get from a host is automatic backups. With automatic backups that you don’t have to take care of, you’ll know that hits to your site can be recovered.

Our recommendation:


SSL certifications are absolutely vital for any site that is accepting sensitive information from the users of the site. In fact, Google has dinged the ratings on any website that tries to function without one of these. Many hosts can help you get setup with an SSL. If your host doesn’t offer that service, you might be able to find it through a different third party.

Have Good Code

If you accept file uploads to your site or have weaknesses in your code, this opens you up to hacking attempts. One of the best ways to secure your WordPress site is to use clean code and limit the kind of inputs that users can do to your site.

WordPress Security

Don’t Use Sketchy Stuff

WordPress is a completely open source web development option. Which is awesome. It means that there are a whole bunch of friendly, amazing people who love developing really cool themes and products. Some of these themes and plugins are given away for free who just love to create things, while other themes and plugins are sold on various marketplaces. 

Be skeptical of free themes and free plugins, especially things that lack reviews or don’t come from a trusted source. Also, beware of plugins or themes that are trying to copy really successful, paid plugins and themes. Sometimes people will offer premium themes for free but there will be malware inserted into the code that you won’t be able to see. Again, the majority of WordPress users and stuff that you can find online will be helpful and clean, but proceed with a certain amount of caution. Paying for legit themes and plugins is always better than loading infected themes or plugins onto your side. 

Update WordPress

WordPress is free and open source, but regularly updates the standard package of software. While this may not provide too much protection, it prevents you from being the target of hacking that was patched in a more recent version of WordPress. Once hackers find some sort of loophole, they will continue to exploit it on as many systems as they can that haven’t updated the system. You should do the same thing with all of your themes and plugins, keeping them updated so that they aren’t exposed by known weaknesses.

Protect Your Admin Access

The easiest way to hack a WordPress site is to gain Admin or user access to the site, through a username and a password. It’s super important that you create a strong username password combination that will prevent unwanted visitors from getting in. Additionally, protect the spread of development links. You don’t want people having access to the backend of the site.

You can also add 2-step authentication to your WordPress login, which might be super helpful for sites with only one admin or that need extra protection. 2-step authentication can send you a text code to make sure that your are in fact the person who is trying to login.

You can also limit the number of login attempts that people will get on your site. The default setting is still unlimited, which can create the perfect opportunity for brute force hacking attempts. If you go to settings, you can limit login attempts to prevent somebody from overloading the authentication system to gain access.

WordPress Security Plugins

There are tons of different WordPress security plugins for you to explore, which can help you keep things protected.


Checking your site code for malware consistently is exhausting. While your host might provide some kind of service for this, it might not be exhaustive. WordFence is one of the most popular WordPress security plugins for a simple reason: it protects you from unwanted code. The plugin also comes with 2-factor authentication and additional firewalls to prevent you from receiving unwanted traffic. It’s really the best all-in-one security plugin to add to your site. The best part is, it is free except for some premium functionality that some users might want to pay for.

Acunetix WP SecurityScan

When hackers want to go after your site, they sometimes need to collect some information first. On a WordPress site, this might include your theme information, plugin information, updates, and version of WordPress. Acunetix WP SecurityScan removes all of this information from your live site to make sure that the bad guys can’t get the information they want to make your site vulnerable.


One of the more recent WordPress security plugins on the market, Defender has an extensive list of features. You get free 2-factor authentication, logs of all of your site audits, and even an IP blacklist to keep things running smooth. It also has a cool feature called “login masking” which changes the default location for your login.