Website Security 101: Keeping Your Site Safe From Hackers


Are security concerns keeping you from enjoying the flexibility and power of WordPress? If you’ve bought into the hype that WordPress is inherently insecure, then you’re missing out on all the great things WordPress has to offer, for no good reason.

The fact is, while WordPress sites do get hacked, they are no more dangerous than other PHP-based websites. The problem is that WordPress is open source, which means that anyone can read the code — even the bad guys who spend all their time looking for vulnerabilities they can exploit. Couple that with the enormous popularity of WordPress, and it’s easy to see why you hear about hacks on a regular basis.

But that doesn’t mean WordPress is unsafe. By implementing just a few security best practices, you can greatly reduce your risk of being hacked.

Keep Your Site Up to Date

This is by far the biggest risk when it comes to security. New vulnerabilities are discovered in WordPress and its plugins and themes on a regular basis, and if your site is out of date, it is at risk. Hackers actively search for outdated websites they can attack, so make it a point to keep your site up to date. That includes plugins, themes, and the WordPress software itself.

Updates are one of those things that most people know are important…but most people also quickly forget about.

Don’t be like most people.

WordPress has put in so many features to make updates easy. In fact, nowadays all you need to do is click a button and WordPress does everything for you.

If you’re not sure how it works, you just look for the red icons.

Then, you can go to Dashboard → Updates and run all your updates at once:


  • If you hold off on updates because you’re worried they might break your site…stop doing that. Instead, pick a host with a staging site feature so that you can quickly test on your staging site and then push the update live once you know it won’t break anything.
  • If you can’t check your WordPress dashboard that often, you can use the WP Updates Notifier plugin to get email notifications when there’s a new plugin or theme update.

Follow Good Plugin And Theme Best Practices

The great thing about using WordPress is how easy it is to extend your site with themes and plugins.

The bad thing about WordPress security is how easy it is to extend your site with themes and plugins.

That is, because it’s become so easy to install new themes and plugins, most people do it without thinking.

But as I showed you above, plugin and theme vulnerabilities are a huge attack vector.

I’m not trying to stop you from installing new extensions. You just need to be discerning about which extensions you actually install:

  • Use trusted sources. While this won’t solve all problems, if you stick to extensions at or trusted third-party developers/marketplaces, you’re going to eliminate most issues.
  • Don’t use nulled plugins. Yeah, I know you’re on a budget…but it’s not worth it to install the nulled plugin that might have malicious code added. Just find a free alternative if you can’t afford it.
  • Check for known vulnerabilities. WPVulnDB does a good job of collecting these. Note that most of these vulnerabilities get fixed — so check whether or not the developer has addressed it before you write the plugin off.
  • Read the reviews. Reviews are a great spot to see if any existing users have experienced any security issues.
  • Read the support forums, too. Support forums can also help you spot issues. Better yet, they also let you see how responsive the developer is to issues, which is another helpful piece of information.
  • Delete unused plugins/themes. Even if you disable a plugin or theme, its code is still sitting on your server, which means it can be exploited.

Be Smart About Your Hosting

Unlimited domains! Unlimited space! Unlimited bandwidth! And all for around $8 per month. You’ve probably seen the claims and may even have a hosting account with one of these companies.

Here’s the problem. This type of shared hosting is inexpensive only because they overload their servers with thousands of websites. Just as close proximity in crowded classrooms allows human viruses to quickly spread, the close proximity of websites on a shared server means one infected site is a risk to all the others.

Rather than looking for the least expensive (and riskiest) hosting option, choose a host that allows you to isolate each site on its own cPanel. Doing so will greatly improve the security of your website.

In the end, the safety and security of your site and its data is entirely up to you. Keep your software up to date, use good passwords, and choose a secure hosting environment, and you’ll be well ahead of the curve on this.

The right WordPress host can go a long way towards ensuring the security of your site.

There are two parts to this:

First, if you’re on shared hosting, you want a host that isolates your sites from other sites on that server. This ensures that your site doesn’t get cross-contaminated just because someone else’s site on your shared server got hacked.

You can get isolation even on cheap hosting, so this isn’t something that’s unique to premium hosts.

To figure out if your host offers isolation, you can:

  • Ask the pre-sales support staff
  • Look at the feature list (many hosts that offer isolation are proud to say it)

The other way that hosting can protect you is via proactive measures.

A quality managed WordPress host will:

  • Properly configure your server to prevent many types of exploits
  • Set up WordPress-specific firewalls at the server level
  • Run malware scans and ensure file integrity

Kinsta’s Security page has a good explanation of the various ways in which a host can protect you from issues.

While you can get some of these same features via WordPress plugins, having your host implement them at the server level is a better approach for both performance and security.

Use Strong Passwords

Did you know that the most popular password is “123456”? If that’s you…well, hopefully, you change your ways after reading this post.

Second only to out-of-date installations when it comes to inviting hackers, weak passwords are regularly exploited with a technique called a “brute force” attack. Simply put, a hacker sets a computer program to repeatedly attempt to log into your site using thousands of the most commonly used passwords and what are known as “dictionary” words.

This type of vulnerability can be easily avoided simply by choosing good passwords. Ideally, your passwords should:

  • Be longer than 12 characters
  • Contain upper and lower case letters, numbers and symbols
  • Never be used for more than one site
  • Never be stored in plain text on your computer
  • Never be sent by email

In that Wordfence survey of hacked website owners, 20% of the sites got hacked simply because the hacker somehow got ahold of a valid username and password combo.

That’s dangerous because getting access to a WordPress Administrator account basically gives someone complete control over your site.

To stop that from happening, you have a bunch of tools and tricks at your disposal:

Simple passwords are easy to guess via a brute force attack, which accounted for ~15% of the hacked sites in Wordfence’s survey.

The solution is pretty simple — always use a strong password.

To do that, you can just use WordPress’ password generator:

Then, because that password is impossible to actually remember (that’s kind of the point!), you can use a tool like LastPass to securely store all the passwords for your different sites (LastPass also includes a great password generator, itself).

If you have other users at your site, you can use the free Force Strong Passwords plugin to make sure they have strong passwords, too.

Don’t Use Admin As Your Username (Required)

Since WordPress has stopped forcing admin as the default username, this one is less of an issue.

But plenty of users still choose to use admin as their username, despite the fact that it makes them vulnerable to brute force attacks (if you use “admin” and “123456” at the same time, you should probably run a malware scan on your site right away!).

This one is easy to fix — just pick a unique username when you create a site.

If you’re already using admin as your username on an existing site, you can:

  • Use the Username Changer plugin to change your username
  • Manually create a new Administrator account and then delete the admin username

Use HTTPS On Your Site (Required)

Moving WordPress to HTTPS has all kinds of other benefits — but one great thing that it does is secure your login page.

Without HTTPS, your login credentials aren’t encrypted (which means that a malicious hacker can steal them if you’re, say, working over public Wi-Fi). With HTTPS, though, those credentials are always encrypted.

Limit Login Attempts (Should Do)

Brute force attacks work by repeatedly guessing different combinations of usernames and passwords.

Using a strong username/password combo makes that much harder. But to make things even more difficult, you can limit the number of login attempts at your site with the Loginizer plugin.

With the plugin, anyone who enters incorrect login details too many times will be locked out for a period of time (that you can customize).

Move Your Login Page (Good Idea)

I don’t really think this makes your site any more secure if you’re following the above tips. But it is still a good idea because it can greatly reduce the botnet traffic to your site, which lessens the load on your site’s server.

So…not as big a security necessity as some people make it out to be, but still a good idea for other reasons. It’s also super easy to do with the WPS Hide Login plugin (many security plugins can do this as well).

2-Factor Authentication (Not Necessary For All Sites)

I don’t think this one is a necessity for most sites. But if you’re really concerned about people getting unauthorized access to your site, 2-factor authentication kicks things up a notch by requiring users to enter a one-time code in addition to their password (lots of banks use this technology).

They can get this code via email, SMS, or a smartphone app.

The Google Authenticator plugin makes this pretty easy and uses the free Google Authenticator app. The miniOrange plugin is a more flexible option, though the free version is limited.

Back Up Your Site Regularly

Backups are the ultimate security blanket.

They ensure that, in the event that something does go wrong, you’re never dead in the water.

If your host doesn’t already offer automatic backups, then I recommend:

  • UpdraftPlus for a free solution that lets you schedule automatic backups
  • VaultPress for a premium solution (that includes malware scans)

Make sure your backup is going to a place that you can easily get to. I have mine going to my Dropbox account, but there are lots of different options.

Keep a working backup of your site and any security issues will be a lot less catastrophic.

Let me be honest — I don’t use a security plugin on my own sites. A big part of the reason is that my hosting covers all of my security issues for me. If you’d like more information on my hosting plan you can go here.

But security plugins definitely exist for a reason — they can perform a good number of the hardening tips that I’ve discussed above. Especially if your host isn’t already doing these things for you.

Security plugins can definitely be helpful. But they’re not an absolute necessity if you follow all the other best practices and choose a proactive host. Nor are they a cure-all — you still need to keep the security philosophy I outlined above in mind if you want to keep your site secure.

If you want to try a security plugin on your site, two good options are:

Follow The Principle Of Least Privilege

If you’re giving other people access to your site, you should understand the principle of least privilege.

It essentially says, “only give someone as much access/power as they need to do their job”.

With WordPress, this means smartly using user roles.

For example, if you hire a new content writer, make sure you only give them the Author user role. They definitely don’t need the ability to install plugins, nor do they need the ability to edit Pages (the latter is something the Editor role allows).

Similarly, you should pretty much never give someone else an account with Administrator privileges unless you 100% trust them and they truly need that much power.
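
One way to check this in practice, and to catch a leftover admin username at the same time, is to audit an export of your user list. The script below is an added example, not part of the original post: the user list is constructed in the shape that `wp user list --fields=ID,user_login,roles --format=json` is assumed to produce, and the `NEEDED_ROLE` mapping is a hypothetical record of what each person actually needs.

```python
import json

# WordPress's default roles, lowest to highest privilege.
ROLE_RANK = ["subscriber", "contributor", "author", "editor", "administrator"]

# Constructed sample data; roles are assumed to arrive as a comma-separated string.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "admin", "roles": "administrator"},
    {"ID": 2, "user_login": "site-owner", "roles": "administrator"},
    {"ID": 3, "user_login": "writer-jo", "roles": "editor"},
    {"ID": 4, "user_login": "writer-sam", "roles": "author"},
])

# Hypothetical record of the role each person needs to do their job.
NEEDED_ROLE = {
    "site-owner": "administrator",
    "writer-jo": "author",
    "writer-sam": "author",
}

def audit_users(users_json, needed_role):
    """Return (login, finding) pairs for accounts that break the rules above."""
    findings = []
    for user in json.loads(users_json):
        login = user["user_login"]
        roles = [r.strip() for r in user["roles"].split(",") if r.strip()]
        # Highest default role held; custom roles are not ranked and are ignored here.
        actual = max((ROLE_RANK.index(r) for r in roles if r in ROLE_RANK), default=-1)
        if login.lower() == "admin":
            findings.append((login, "default 'admin' username"))
        if login not in needed_role:
            findings.append((login, "no documented need for an account"))
        elif actual > ROLE_RANK.index(needed_role[login]):
            findings.append(
                (login, f"has {ROLE_RANK[actual]}, needs only {needed_role[login]}")
            )
    return findings
```

On the sample data this flags the admin account twice and flags writer-jo for holding Editor when Author is enough.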

Has all of this caused your eyes to glaze over or has it instilled fear in your heart? Let me help!

Check out my annual maintenance plan. It covers all of this and is very affordable at only $120 per YEAR!!! Have questions or comments? I’d love to hear from you! Just leave a comment below.
