How I secure my WordPress website

Wordpress security is overwhelmingly the biggest fear small business owners have about using WordPress. But most developers still recommend WordPress. Your friends might too, depending on how comfortable they are with it.

Admittedly many people choose Wix or Squarespace because the visual editor is easier (although you can get visual editors for WordPress too). I also recommend WordPress for those who need an out of the box content management system (CMS). It is my platform of choice for a lot of reasons. Mostly because it has a lot of free functionality, is SEO friendly, and flexible enough to grow to meet many business needs. Because WordPress is open-source, you can pack up your content and store it offline or change hosting providers at any time.

As great as WordPress is, people have the feeling that a WordPress website is not secure.

Technically WordPress is secure. The problem is that the structure and directory files are not managed for you like on monthly commercial platforms like Squarespace, Shopify, etc. With WordPress, you are the manager (if you don’t have a maintenance package with your developer) and it’s up to you to keep the website secure.

Here are some of the ways I secure my own WordPress website by addressing some security holes that an average website owner might encounter.

Protect against brute force attack

Brute force attack is when a hacker simply tries multiple times to enter your website. They can do this when they know your login URL and username or email. Then they guess the password until they get it right. This can be done via a computer program or manually. Because WordPress doesn’t limit the amount of login attempts, a hacker can keep inputting passwords until it lands on the right one.

How to prevent a brute force attack:

1. Change your login URL

Yours is probably set to, right? That’s because it’s the default URL for every WordPress site. You can change it so your login screen becomes something that won’t easily be guessed like Hackers are going to default to trying to login using /wp-admin and one of the simplest ways to avoid the wannabe or lazy hackers from breaking in is simply to change where they enter from by changing the login screen URL.

You can change the login URL with a free security plugin like WP Cerber. After installing the plugin, go to WP Cerber Dashboard > Main Settings > Custom login page > and change the custom login URL. Make sure to write it down. If you forget it, you’ll have to go into your cpanel and delete the plugin to get back into your website. It’s a pain in the ass and causes some unnecessary panic when you realize you’ve forgotten your login URL. I wrote mine on a sticky note that is on my monitor so I won’t misplace it.

2. Limit login attempts

By default, WordPress allows unlimited login attempts. That means you can keep entering the password you’ve forgotten but just need to try one more variation until you get in and oh! finally you’ve got it. But it also means anyone else (hello hackers!) can try to login as many times as they need until they get the right password.

You can lock the amount of times someone can try to get in with plugins like WP Cerber, which has the URL change functionality. Another popular plugin that can do this is iThemes Security, which has some additional paid options to increase your WordPress website security.

3. Don’t use “Admin” as a username

Everyone who can log into WordPress needs a username, email, and password. As a techy kinda lady, I’m always tempted to make my initial username “Admin” when setting up a website because I’m logging in as the administrator, so it makes sense to be “Admin”. But “Admin” is common in the IT world and hackers often guess that username as a base to start guessing passwords with.

Make sure you don’t have an “Admin” user by going to your WordPress dashboard > Users > All Users. The first column is all the Usernames of people who can log into your website. If one is “Admin” create a new User profile for that person with a unique Username.

4. Have a tough password

I’m the worst at remembering passwords. The. Worst. I’ve been guilty of having the same password for everything. Not anymore since I made up a brilliant formula for writing unique passwords that are easier to recall. Whatever method you use, make sure you’re choosing strong passwords without guessable words (like your kid’s name) and include symbols and numbers.

Do this for all the login areas of your WordPress site. Include strong passwords and unique usernames for your cpanel and database also.

Force your staff or other members of your site to have a strong password with free plugins like Force Strong Passwords

Avoid exploitation through bad code

Your WordPress website works as a collection of PHP coded files that run in a cascading flow to populate your blogs, header, navigation, footer, and every piece of your website pie. Mmmm… pie. A common way to break into a site is to use sloppy, outdated, or malicious code to load remote files that allow hackers to gain entry to your website.

To prevent bad code from allowing access to your site, do the following:

Update WordPress, your theme, and plugins when new versions become available.

Only get plugins and themes from trusted developers who update their plugins and themes frequently to work with the latest version of WordPress and maintain secure code.

Keep the licence for your theme active and up-to-date. I know it’s a pain to have to shell out every 6 or 12 months to renew a theme licence. But it can save you the hassle of an attack through outdated code. Not to mention, an outdated theme might not work with the latest versions of WordPress as they come out. Keep your theme up to date.

Never get a cracked version of a premium theme or plugin from a torrent site, as it may contain malicious code.

Lookout for malware

I love the term “Malware” because it just sounds cool. But malware is not cool. It’s short for malicious software, which is code used to gain unauthorized access and gather data. Malware is usually injected into your website’s files via a file exploit, or bad plugins and themes, and other dubious methods.

To combat malware – start by taking the steps already outlined in this article.

Use the free tools at ManageWP to create a complete backup of your website. If needed, you can use to restore to an older un-infected version of your website. You should already be backing up your site regularly because you never know when an update or change can break your site. You need backup copies to prevent having to start from scratch.

iTheme Security is a free plugin I already mentioned. It sends you a report when files are changed on your website. If you receive a report and you haven’t recently updated the files in question, you may suspect malware on your site. A good place to start the removal process would be those recently changed files.

You can also get malware scans and some other security features with the free McCafee plugin and signing up for an account.

Final tidbit of info…

Of course there are other more complicated ways hackers can gain access to your website and this is not the complete list. Obviously no system is 100% secure (umm, Ashley Madison). I wanted to include things you can do to prevent attacks on your website even if you’re non-techy. Hopfully you can rest easy and feel more secure with choosing WordPress as your platform.

If you follow some of these tips you’re far better off with your WordPress security than most people.

I hope you enjoyed this article. Drop a message in the comments or email us at if you have a question.

Don't let your friends get hacked. Share this post

About the Author

Rachel Di

Facebook Twitter Google+

Rachel is the owner of Geek Unicorn. She helps women-led businesses elevate to a professional playing field by creating brands and websites that stand out online, like a Unicorn in a field of horses. On top of that, she's a shameless sharer of knowledge and loves to give away her best web design, branding, and SEO tips.

Drop some love via a comment if you thought this tutorial helped you