It’s a sad fact that malware and website hacking are an all too common reality. It’s therefore imperative to take your WordPress website security seriously and to take appropriate steps to keep your site out of the clutches of hackers.

Our list below outlines 20 easy steps you can take to maintain your WordPress website security at a high level, and give those pesky hackers the runaround!

1. Secure the login page

The standard website login page can easily be reached by adding /wp-admin/ or /wp-login.php to the website URL. Change this so that hackers cannot find your login page with such ease.

2. Change the admin username

Never use “admin” as the username for your main administrator account. Change it to something which hackers won’t be able to guess.

3. Password control

Ensure your passwords are strong by using upper and lower case letters, numbers and special characters. Change them regularly.

4. Use a login captcha

Add a captcha to your login page to stop bots from continually trying to log in to your website.

5. Set up a lockdown feature

Use a plugin such as iThemes Security to lock down access after a predetermined number of failed login attempts. The user’s IP address also gets banned.
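To show what a lockdown feature actually does, here is an added illustration (not code from the original post, and not from iThemes Security or any other plugin): a sliding-window counter that refuses further attempts from a client IP once it has failed too often. The thresholds, IP addresses and the sequence of attempts are all constructed for the example.

```python
"""Sliding-window lockout for repeated failed logins (added illustration).

After MAX_FAILURES failed attempts from one client IP within WINDOW_SECONDS,
that IP is refused for LOCKOUT_SECONDS, even if it later supplies the right
password. All constants and the sample attempts are constructed for this example.
"""
from collections import defaultdict, deque

MAX_FAILURES = 5        # constructed threshold
WINDOW_SECONDS = 300    # failures older than this no longer count
LOCKOUT_SECONDS = 900   # how long a banned IP stays banned


class LoginLockout:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time the ban expires

    def is_locked(self, ip, now):
        """True while the IP is banned; expired bans are cleared on the way."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed attempt; returns True if it triggers a lockout."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        self._failures.pop(ip, None)

    def attempt(self, ip, password_ok, now):
        """Decide one login attempt. Returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            return "locked"            # correct or not, a banned IP is refused
        if password_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip, now)
        return "locked" if self.is_locked(ip, now) else "failed"


def replay(attempts, lock=None):
    """Run a list of (seconds, client_ip, password_correct) through the lockout."""
    lock = lock or LoginLockout()
    return [lock.attempt(ip, ok, t) for t, ip, ok in attempts]


SAMPLE_ATTEMPTS = [  # constructed: (seconds, client ip, password correct?)
    (0, "203.0.113.7", False),
    (5, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (15, "203.0.113.7", False),
    (20, "203.0.113.7", False),        # fifth failure inside the window -> lockout
    (25, "203.0.113.7", True),         # right password, still refused
    (30, "198.51.100.4", True),        # an unrelated client is unaffected
    (20 + LOCKOUT_SECONDS, "203.0.113.7", True),   # ban has expired
]

if __name__ == "__main__":
    for (t, ip, ok), outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:4d}s {ip:14s} password_ok={ok!s:5s} -> {outcome}")
```

The point worth noticing is the sixth attempt: a guessing bot that stumbles on the right password during the ban still gets nothing, which is why the counter is keyed on the client address rather than on the password being wrong.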

6. Protect the wp-admin directory

Use a password to protect entry to this directory which is at the heart of any WordPress website.

7. Use an SSL (Secure Sockets Layer) Certificate

This encrypts data travelling between the browser and the website server, protecting it from interception by hackers.

8. Manage user accounts carefully

If you grant another user access, ensure that they too have a strong password. When the user no longer needs access, ensure you deactivate their access.

9. Set appropriate levels of access

Any user with admin access to your site can edit files, plugins and themes. Manage this by giving each user only the level of access they need. For example, if a user only needs to edit pages and posts and add new images, they only need “Editor” level permissions, not admin.
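As an added illustration of steps 2, 8 and 9 (not code from the original post), the following script audits a list of accounts and reports the ones that should be reviewed: a login still called “admin”, an account with no remaining reason to exist, and an account holding a higher built-in role than the work it does requires. The account records follow the shape of WP-CLI’s `wp user list --format=json` output but are constructed here, the “needs” column is an assumption you would fill in yourself, and the capability map is a deliberately reduced subset of WordPress’s built-in roles.

```python
"""Least-privilege audit of WordPress user accounts (added illustration).

The user records below are constructed in the shape of `wp user list
--format=json` output; the "needs" list (what each person actually does) is an
assumption for the example. The capability table is a reduced subset of the
real built-in roles, kept to capabilities that exist in WordPress.
"""

# Least to most privileged; each role inherits everything below it.
ROLE_ORDER = ["subscriber", "contributor", "author", "editor", "administrator"]

ROLE_EXTRA_CAPS = {
    "subscriber": {"read"},
    "contributor": {"edit_posts", "delete_posts"},
    "author": {"publish_posts", "upload_files", "edit_published_posts",
               "delete_published_posts"},
    "editor": {"edit_others_posts", "edit_pages", "edit_others_pages",
               "publish_pages", "moderate_comments", "manage_categories"},
    "administrator": {"manage_options", "install_plugins", "edit_plugins",
                      "install_themes", "edit_themes", "update_core",
                      "create_users", "edit_users", "delete_users"},
}


def capabilities(role):
    """Cumulative capability set of a built-in role."""
    caps = set()
    for r in ROLE_ORDER:
        caps |= ROLE_EXTRA_CAPS[r]
        if r == role:
            return caps
    raise ValueError(f"unknown role: {role}")


def minimum_role(needed):
    """Lowest built-in role that covers every capability in `needed`."""
    needed = set(needed)
    for role in ROLE_ORDER:
        if needed <= capabilities(role):
            return role
    raise ValueError(f"no built-in role grants: {sorted(needed)}")


def audit(users):
    """Return (user_login, finding) pairs for accounts that deserve a look."""
    findings = []
    for u in users:
        login, role = u["user_login"], u["roles"]
        if login.lower() == "admin":                       # step 2
            findings.append((login, "default 'admin' username still in use"))
        needs = u.get("needs", [])
        if not needs:                                      # step 8
            findings.append((login, "no remaining need for access: deactivate the account"))
            continue
        required = minimum_role(needs)                     # step 9
        if ROLE_ORDER.index(required) < ROLE_ORDER.index(role):
            findings.append((login, f"has '{role}' but '{required}' covers everything they do"))
    return findings


SAMPLE_USERS = [  # constructed accounts
    {"ID": 1, "user_login": "admin", "user_email": "owner@example.com",
     "roles": "administrator", "needs": ["install_plugins", "update_core"]},
    {"ID": 2, "user_login": "jane", "user_email": "jane@example.com",
     "roles": "administrator", "needs": ["edit_pages", "upload_files"]},
    {"ID": 3, "user_login": "bob", "user_email": "bob@example.com",
     "roles": "editor", "needs": ["edit_others_posts"]},
    {"ID": 4, "user_login": "olddev", "user_email": "olddev@example.com",
     "roles": "administrator", "needs": []},
]

if __name__ == "__main__":
    for login, finding in audit(SAMPLE_USERS):
        print(f"{login:8s} {finding}")
```

On a real site the records would come from `wp user list --format=json` and the “needs” column from asking each person what they do; the script then tells you which accounts to downgrade or deactivate rather than leaving everyone as an administrator by default.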

10. Use security-oriented plugins

E.g. Sucuri Scanner and WP Security Audit Log.

11. Use only reputable themes and plugins

Only ever use themes and plugins from reputable suppliers, and choose ones which have been recently updated. A recent update indicates that they have been hardened as far as possible against malware threats and that they are compatible with other current themes and plugins.

12. Delete plugins or themes that you don’t use

If you’re not using them, you’re likely to forget to update them, so it’s best to delete them to prevent hacking. This also helps to improve the speed and operation of your site.

13. Choose a secure hosting company

Opt for the best hosting you can afford, ensuring that the company addresses security vulnerabilities on its own hosting platform.

14. Make regular secure backups

Ensure your website is fully backed up, so that in the event of hacking you have a backup to revert to. BackUpBuddy is a great plugin which automatically backs up your site.

15. Monitor for Malware

Run regular Sucuri checks (which are free) but bear in mind that, depending on the infection, they don’t always show a problem.
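Because an external scan can miss an infection, it helps to keep your own record of what your site’s files looked like when they were clean and to compare against it. The script below is an added illustration (not code from the original post, and not Sucuri’s scanner): it hashes every file under the site directory into a manifest, then reports files that were added, removed or modified since the baseline. The demo runs against a miniature site that it constructs in a temporary directory, so the file names and contents are made up.

```python
"""File-integrity baseline for a WordPress install (added illustration).

Hashes every file under a directory into a manifest, then compares a fresh
manifest against the saved one and reports added, removed and modified files.
The demo builds a constructed miniature site in a temp directory, "tampers"
with it and re-scans; nothing here touches a real site.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, current):
    """Diff two manifests into sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(root, rel, content):
    """Helper for the demo: create a file (and its parent directories) under root."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed scenario: baseline a tiny site, change it, and re-scan."""
    with tempfile.TemporaryDirectory() as site:
        _write(site, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
        _write(site, "wp-includes/version.php", "<?php $wp_version = '0.0-example';\n")
        _write(site, "wp-content/themes/example/functions.php", "<?php // theme\n")
        baseline = build_manifest(site)   # taken while the site is known clean

        # Simulated changes since the baseline: one edit, one new file, one deletion.
        _write(site, "wp-content/themes/example/functions.php", "<?php // theme, altered\n")
        _write(site, "wp-content/uploads/2024/unexpected.php", "<?php // nobody uploaded this\n")
        os.remove(os.path.join(site, "wp-includes", "version.php"))

        return compare(baseline, build_manifest(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

Take the baseline straight after a clean install or a verified update and store it somewhere the web server cannot write to; any difference that does not correspond to an update you made yourself is something to investigate. For the core files alone, WP-CLI’s `wp core verify-checksums` does the same comparison against the checksums published by WordPress.org, but it does not cover themes, plugins or uploads, which is where a manifest of the whole tree earns its keep.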

16. Remove any malware as soon as possible

If your site has been infected, you may not be able to remove the malware yourself. So, in that instance, you will need to pay a WordPress specialist company to fix the problem.

17. Update core system

New WordPress versions are regularly released to fix bugs and close vulnerabilities identified in the previous version, so update as they come out. Your dashboard helpfully shows when a new version is available. However, before doing any update, ensure your site is fully backed up.

18. Update plugins

As new versions are released, check for them in the plugin section of your website. But before you update any plugin, ensure it is compatible with the core WordPress version you are using. Also, make that all-important website backup before you do anything.

19. Accessing your website

When logging in from your computer, ensure your PC is virus-protected by installing antivirus software (e.g. AVG, Avira, Comodo).

20. Use some common sense!

Never log into your website on an unsecured network!

We hope you find these 20 tips about WordPress website security useful and that you’ll crack on with implementing them – the sooner you do, the sooner you’ll be giving potential hackers a much tougher time!

If you need help to maintain your WordPress website security – or indeed have any other WordPress related question – why not drop us a line? We’re sure we’ll be able to help!