Short Guide on Securing Your WordPress Site from Hackers

Secure WordPress from Hackers

WordPress powers approximately 33% of the websites on the internet. That’s a considerable percentage when you find out that giants like Shopify, Joomla, and Drupal occupy measly single-digit CMS market shares.

In a nutshell, WordPress’ success is attributed to the following factors:

  • It’s easy to install
  • It’s easy to use
  • Its theme store has a wide collection of responsive themes
  • It’s highly customizable
  • There are tons of plugins available that add serious functionalities to your site

We could go on and on…

But here’s the thing. Because of its popularity, it’s a constant victim of cyberattacks. From a report in 2018, it was estimated that 90% of hacked websites in the year were WordPress websites.

WordPress’ popularity and security lie on opposite ends of the spectrum. This prompts one to ask the question, “is WordPress really secure?

Yes, it is. WordPress developers constantly roll out new updates and modifications to make the WordPress experience better for users. That said, there are things you need to take into account from your end to ensure your site is safe and secure from hackers.

In this article, we’ll be talking about the five essential steps you can take to secure your site. While not a comprehensive article, this article is aimed at providing you with a general overview of what you can do to protect your site from attacks. Moreover, it prompts the reader to conduct further research on WordPress security.

1 – Make Your Passwords as Strong as Possible

Strong passwords are the mainstay of the modern internet.

Any website password you set should always be a combination of uppercase letters, lowercase letters, numbers, and symbols.

WordPress websites, in particular, are plagued by the scourge of brute force attacks. These attacks are essentially constant login attempts aimed at guessing your password. If they’re successful, hackers can “get in”, so to speak, and cause significant damage to your site.

A strong password that follows the conventions mentioned above can prove to be your first line of defense against brute force attacks and login attempts.

If you fear that you won’t remember your strong passwords, you can always use a password storage software like LastPass or Passbolt.

2 – Limit WordPress User Privileges

If there are certain users on your site that you don’t fully trust, or they’re falling at the bottom of your official hierarchy, you can always restrict those users’ access.

WordPress comes with a variety of different user roles like Editor, Administrator, or Contributor. You can divide users into these categories to reduce the chances of social engineering.

Social engineering, yes! It’s very much active and has the potential to cause serious damage to your website. With credentials in hand, a former employee turned social engineer can add spam links, comments, and irrelevant content that can hamper your website’s credibility in the eyes of search engines.

While this is not always the case, it’s best to be vigilant rather than sorry afterwards.

3 – Plugins and Themes Should Always Stay Updated

At its core, WordPress is secure. However, it does have a range of plugins and themes that, while hosted on the platform, are developed externally.

WordPress Plugin and theme development is a very rewarding industry but more often than not, we’ve seen developers and designers lose interest in their WordPress-hosted projects. The projects decay, and aren’t updated to the latest standards with each WordPress update. Eventually, they become infected and those who install it, run the risk of propagating that infection onto their site.

On the other hand, there are developers and designers who are actively involved with their plugin and theme projects and roll out updates for both minor and major WordPress updates – the developers have done their part. If you keep delaying updates to your themes or plugins, you run the same risk mentioned in the previous paragraph.

Now that you have the background of how the theme and plugin process works on WordPress, here’s what you should do:

  • Always make sure that the theme or plugin you install is still maintained by its developers. There are plenty of ways to find out if the theme you’ve selected is maintained or not.
  • Your WordPress dashboard gives out a notification every time there is an update available to either the WordPress theme, plugin, or the core. If you see a notification near your plugins or WordPress dashboard icon, always visit the pages and keep everything updated.

4 – Hardening Your WordPress Core

There are plenty of ways you can harden the security of your WordPress site:

  • Add additional rules denying/allowing access to your WordPress .htaccess file
  • Limiting login attempts by specific IP-addresses
  • Preventing spam comments through plugins like Akismet 
  • Keeping your wp-config file safe
  • Keeping your server secure
  • Deleting obsolete of unused plugins
  • Creating a strong username
  • Using a security question at your WordPress login screen

Following just these methods can help you gain that additional layer of security for your website.

5 – Install a WordPress Security Plugin

While all the aforementioned steps are enough to ensure that your site is secure, there is no beating the awesome potential of a WordPress security plugin.

A security plugin is similar to how you would use tools like Google Analytics to gauge your business performance. Instead of the business end, it shows you the performance of your site from a security perspective. It’s a digital security specialist.

Now there are plenty of security plugins available on the WordPress platform. For the sake of the article, we’ve selected the best two plugins from the fray. They are WordFence and Sucuri security.

Both are very powerful plugins that provide you with both a birds-eye-view and an overall performance report on the security of your website. Moreover, each of the plugins have a built-in firewall that analyzes bad sectors and vulnerabilities on your site.

Which one would we recommend?

If you’re willing to invest in cybersecurity for WordPress, we would recommend Sucuri. It’s free version is good, but doesn’t provide you advanced features unless you upgrade.

If you’re just starting out or your budget is tight, then we would recommend you use WordFence. Its basic version comes with a variety of tools and features that unfortunately, Sucuri has reserved for the paid version.


In this short article, we gave you an overview of WordPress security and how you can go about securing your WordPress site from hackers and malware specialists. Hopefully, this article prompts you to dig deeper towards researching WordPress security. If you’ve just read this article to secure your WordPress site, then following the steps mentioned in this article is enough to get you on the right track towards ensuring WordPress security.

Leave a Reply

Your email address will not be published. Required fields are marked *