WordPress often gets a bum rap as an insecure platform that invites any passing hacker to reach in and mess with things as easily as taking candy from a baby. This reputation is largely undeserved. The problem is not that WordPress has inherent security issues but rather that the website owner hasn’t taken the precautionary (you know, proactive!) steps to protect it.

So, if you are a WordPress site owner and mad as heck that you got hacked, don’t let your first reaction be to swear off the most massively popular CMS (content management system) in the galaxy. Instead, ask yourself what you have done to prevent being hacked. If your jaw has lodged open as your brain struggles for a thought, never fear. We’re here to show you…

15 Ways to Secure Your WordPress Site (That Anyone Can Do)
#1. Repel Brute Force Attacks with a Lockdown Feature

Hackers love to turn loose scripts on WordPress websites that sit at the front door and automatically try thousands of different login combinations. This is called a brute force attack. By deploying a plugin like All in One WP Security and Firewall you can set a limit on brute force attempts and much more.

#2. Two-Factor Authentication (2FA)

Rather than relying on a single password, setting up 2FA (once again, not difficult) requires a user to provide a second proof of identity. One popular method is a one-time code sent to your phone each time you log in. Since it is unlikely a hacker would have compromised both your password and your phone, 2FA makes it much harder for your site to be penetrated.

#3. Use Your Email to Login

You can choose to have your email address serve as your login username. Since the usernames most people choose are easier to guess than an email, this step immediately puts you at least one step above the masses. Check out the free WordPress Email Login plugin for help setting this up.

#4. Change the Login URL

It’s relatively easy for a hacker to find his or her way to your WordPress login page. Out of the box, the address that follows your domain name is either wp-login.php or wp-admin, and that is where brute force attacks are launched. Why not change it to something harder to guess?

#5. Improve Your Password Game

Without focused effort and discipline, most humans become way too predictable with their passwords. Best practice in this area is to use at least an eight-character combination that includes letters (lower and uppercase), numbers, and special characters. Lastly, change them every 3-6 months.

#6. Lock Down the wp-admin Directory

The wp-admin directory is the heart of it all. If bad guys get in, they can wreck your entire website in short order. A great idea is to set a separate password specifically for this directory, one you have to enter in addition to your dashboard login.

#7. Get an SSL Certificate

Google has strongly pushed the idea of every website having an SSL (secure sockets layer) certificate. By the end of 2018, the search engine giant intends to begin penalizing noncompliant domains in search results. Here’s a good idea – get one!

#8. Bad Ideas in User Naming

When you first install WordPress, the username field is pre-filled with the word “admin.” You’d be surprised how many people leave it like that. That’s a gimme to a hacker: all he or she has to do is guess your password and they’re into your site.

#9. Did You Change that File?

Wordfence is one of the most downloaded WordPress plugins. In addition to being a fine overall security service, it has one feature we like – it lets you know when files have been changed by someone other than you.
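A minimal version of that file-change check, added here as an example and not code from Wordfence or the original article: it records a SHA-256 baseline of every file under the site root and, on the next run, reports what was added, removed or modified. The fake WordPress tree and the later edits are constructed inside a temporary directory.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def diff_snapshots(baseline, current):
    """Files added, removed or modified since the baseline was recorded."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def demo():
    """Constructed walk-through: a tiny fake WordPress tree is baselined, then changed."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "demo")
        os.makedirs(theme)
        with open(os.path.join(root, "wp-config.php"), "wb") as fh:
            fh.write(b"<?php define('DB_NAME', 'example');\n")
        with open(os.path.join(theme, "functions.php"), "wb") as fh:
            fh.write(b"<?php // original theme code\n")
        # Record the baseline right after a clean install and keep it somewhere the
        # web server account cannot write, or an intruder could update it too.
        baseline = snapshot(root)
        # Later: one theme file is edited and a file that was never installed appears.
        with open(os.path.join(theme, "functions.php"), "ab") as fh:
            fh.write(b"// unexpected edit\n")
        with open(os.path.join(theme, "extra.php"), "wb") as fh:
            fh.write(b"<?php // not part of the install\n")
        return diff_snapshots(baseline, snapshot(root))
```

Run the snapshot from cron against the real site root and alert on any non-empty diff that you did not cause yourself.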

#10. Re-Name Your Database

SQL injections are a common attack aimed at WordPress databases. One reason is that too many people leave the default “wp” table prefix in place. Don’t make it so easy for the bad guys to guess. Change the prefix to something like “mywp” or “wpsquirrels.” Use a plugin like WP-DBManager to change it if the site is already set up.

#11. Regular Backups – the Miracle Cure

Cure to what, you ask? Just about anything a bad guy can do to your website can be undone when you have a regular, comprehensive backup process in place. On the other hand, not backing up your website leaves you with the prospect of starting again from scratch if it gets infected.

#12. Check Audit Logs

If you have a multi-user website, audit logs provide a visual record of what each person with login permissions has been doing. Maybe you think you can trust everyone. Regardless, make it a point to at least scan the audit logs regularly. It’s also a great place to start your detective work if something goes awry on the site.
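An added example (not from the original article or any plugin) showing the detective work behind #1 and #12 in code: it reads constructed Apache-style access-log lines and flags addresses that repeatedly fail to log in through wp-login.php inside a short window, which is exactly the pattern a lockdown feature reacts to. It assumes stock WordPress behaviour, where a failed login re-renders the form with status 200 and a successful one redirects with 302.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; only the fields needed are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def failed_logins(lines):
    """Yield (ip, ts) for each POST to wp-login.php that re-rendered the form (200).
    Assumption, true for stock WordPress: a successful login answers with a 302."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.split("?")[0].endswith("wp-login.php") and status == 200:
            yield ip, ts

def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """IPs that reach `threshold` failed logins inside any span of length `window`."""
    by_ip = {}
    for ip, ts in failed_logins(lines):
        by_ip.setdefault(ip, []).append(ts)
    flagged = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)

def _line(ip, sec, status):   # builds one constructed log line for the sample below
    return (f'{ip} - - [10/Oct/2018:13:55:{sec:02d} +0000] '
            f'"POST /wp-login.php HTTP/1.1" {status} 1534 "-" "Mozilla/5.0"')

# Constructed sample: one address failing every 5 s, one user who mistypes once and
# then signs in (302), plus a line the parser must skip. Expect ['203.0.113.5'].
SAMPLE_LOG = [_line("203.0.113.5", s, 200) for s in range(0, 40, 5)] + [
    _line("198.51.100.7", 3, 200), _line("198.51.100.7", 12, 302), "not a log line"]
```

Feed it the real access log (or a tail of it) and hand the flagged addresses to whatever lockout mechanism your plugin or firewall provides; the threshold and window are the knobs a lockdown feature exposes.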

#13. Choose Your Web Hosting Company Wisely

Not all web hosts are created equal. Each tends to do one thing a little better than the others. When it comes to WordPress web hosting, look for a company that specializes in that CMS. One-click installation should be a given.

#14. Stop File Editing

Wouldn’t it be great if there was a way to stop a hacker from editing files even if they managed to get into the system? Actually, there is, and it’s easy to implement. Find the wp-config.php file and add this line of code to the end: define('DISALLOW_FILE_EDIT', true);

#15. Be Regular with Updating

Every time a theme, plugin, or the WordPress software itself issues a security update or new version, install it right away. When an update arrives, it normally means that bugs or security problems have been detected and fixed. That’s a good thing, right?

Final Thoughts
Don’t let yourself be overwhelmed by the sheer number of preventative measures covered here. Believe us, there are dozens more we could have included. The point is to get proactive about keeping hackers out of your WordPress website.

There are plenty of tools and strategies with which to do the job. Feeling overwhelmed? Call or chat up the tech support department at your web host – the one that specializes in WordPress – and ask for help.

The bottom line is that there is nothing inherently unsafe about WordPress that can’t be found in any other website development platform. The success or failure of repelling hackers lies squarely with the website owner and how motivated he or she is to keep the bad stuff and people out.