The WordPress Security Guide To Keep Your Site Safe

Security threats are not unique to WordPress.

Every platform, whether it’s private or open source, is under attack 24/7.

Fortunately, the WordPress community provides many solutions to make the job easier.

The following are a few key steps to take to protect a WordPress site from security threats.

How To Protect A WordPress Site

There are eight fundamental actions that all WordPress publishers should consider in order to mitigate malicious activities and vulnerabilities.

Following these best practices will help ensure that a WordPress site is ready to meet the onslaught of hackers that are probing websites every day:

  • Use HTTPS.
  • Don’t use the word “admin” as your admin username.
  • Enforce the use of strong passwords.
  • Update plugins and themes.
  • Website backup plan.
  • Minimize the use of plugins.
  • Two-factor authentication.
  • Install a WordPress Firewall and Vulnerability Scanner.

Let’s go over each of these in a little more detail.


By now, most sites are using HTTPS. But if your site is not using HTTPS, check with your web host about adding a free SSL certificate.

Just set the WordPress address and the site address using https://. This can be accomplished at the General Settings tab.

If the site is upgrading from an insecure to a secure state, then the Really Simple SSL plugin (used by over 5 million websites) is worth looking into, as it truly does simplify the conversion to HTTPS by handling redirects and other related tasks.

Really Simple SSL also helps mitigate security threats such as clickjacking and cross-site-forgery attacks by providing the option to add security headers.

These days, installing an SSL certificate is an easy task.

Many web hosts offer free SSL certificates – plus, it’s a known ranking factor at Google.

After converting to HTTPS, it’s a good idea to check that no pages request HTTP links or content.

Checking for mixed content is a must.

Mixed content is when insecure website assets (scripts, images, videos, etc.) are linked to from HTTPS pages.

Crawl your site with Missing Padlock to quickly identify instances of mixed content, and then fix the errors by linking to HTTPS assets.

2. Use A Secure Admin User Name

An overwhelming number of security attacks against the WordPress login screen are done with the user name “Admin”.

There are two main kinds of attacks that try to crack the login password:

  • Brute force.
  • Dictionary attack.

The brute force attack is when the automated hacking software tries guessing the admin password using different combinations of words, letters, and numbers.

A dictionary attack is when the hacking software uses common passwords to try to guess the admin login.

In many cases, the admin user name these software use is “Admin”.

Not using the word “Admin” as a username is a simple step that will help secure a WordPress site.

To take that one step further, you can create a firewall rule with the Wordfence security plugin to automatically block any human or bot that tries to log in with the user name Admin.

3. Enforce Strong Passwords

Don’t allow anyone, especially users with admin-level privileges, to create a password that isn’t strong.

Even users with low website privileges, like the subscriber level, can become an attack vector. So, it’s important to enforce strong passwords to everyone who can log into the WordPress site.

The popular iThemes Security WordPress plugin, with over 1 million users, offers login password strength enforcement, as well as two-factor authentication.

A password security policy that enforces strong passwords can also be enabled using the Wordfence WordPress security plugin.

4. Update Plugins And Themes

Some updates to plugins, themes, and the core WordPress installation itself are to fix (patch) vulnerabilities.

Failure to update the software can lead to the site becoming vulnerable.

Most updates work fine. On rare occasions, an update might change something in the software that begins clashing with another plugin or theme, causing the site to crash.

If that happens, it’s easy to roll back the site to a previous state if the site has been backed up.

The best way to update plugins and themes is to stage the site and check if the site functions as it should with the updated software.

But if you’re not staging the site, the second option is to back up the site and then update it.

Test the site to make sure everything works. If the site malfunctions, then roll it back with the backup.

The third option is to set all the plugins to auto-update so that you don’t even have to think about it. If something breaks, roll it back to its previous state.

5. Backup Your WordPress Website

Backing up a website on a daily basis is critical.

There are many things that can go wrong, and a backup will save the day when something catastrophic happens to the site.

UpdraftPlus WordPress Backup Plugin, with over 3 million users, is a popular and trusted solution.

I use it on all of my websites and can recommend it with confidence.

It has saved me on the occasion of a website redesign that didn’t go so well, allowing me to easily restore the site to a previous version.

Another popular solution is called WP Rollback.

WP Rollback has over 200,000 installations, and the people who create the software are trusted and expert WordPress developers.

It works well with themes and plugins that are downloaded from

6. Minimize The Use Of Plugins

Every plugin that is installed increases the chance that one of them will expose the site to a vulnerability.

Aside from security reasons, using too many plugins can impact site performance, as well as increase the chance that the code between two or more plugins will have a conflict and crash the site.

Plan ahead which plugins you want to use to accomplish what you need.

Some plugins can do multiple tasks, eliminating the need to install a standalone plugin to accomplish that one thing.

7. Implement Two-Factor Authentication

Two-factor authentication is so-called because it takes two forms of identification to log into a WordPress site with this feature turned on.

The first factor is the username and password.

The second factor is a second form of authentication, usually with an app like Authy or Google Authenticator that’s on the user’s cell phone.

So, even if a hacker gains access to the username and password, they won’t be able to log in without the second authentication.

There are many WordPress plugins to choose from to add this feature, including:


WP 2FA is a popular choice for adding two-factor authentication.

It supports multiple two-factor authentication methods, including Google Authenticator, Authy, email link, email OTP, and push notification.

There are additional methods such as voice and WhatsApp authentication available with the Pro version.

Wordfence Login Security

Wordfence is a trustworthy brand. its standalone two-factor authentication plugin supports Authenticator, Authy, 1Password, and FreeOTP.

Additionally, security plugins like Wordfence and iThemes Security also have options for turning on two-factor authentication.

8. Install A WordPress Security Plugin

Security plugins are useful because they can close up any security holes and block the hackers that are trying to take advantage of those vulnerabilities.

There are two kinds of WordPress security plugins:

  • Security hardening and scanning.
  • Firewall.

Here are some tools I would recommend.

Sucuri Security

Sucuri is a trusted choice for a security plugin. It is owned by GoDaddy.

Sucuri scans a site for malware and offers options for hardening the site against exploits.

Choosing Sucuri is easy because it complements a firewall plugin, such as Wordfence.

The paid version also includes a firewall.

Jetpack Protect

Jetpack Protect is created by Automattic, the company behind, Akismet, WPScan, and WooCommerce, among others.

Jetpack Protect performs a daily malware scan of the WordPress core, plugins, and themes.

This free plugin is relatively new – it was spun off into a standalone plugin in 2022.

Wordfence Security – Firewall, Malware Scan, And Login Security

Wordfence is a popular choice for WordPress security. There are over 4 million active installations.

Wordfence acts as a firewall to protect a website against hacking attacks and can ban automated hacking bots and actual hackers in real time if the activity fits the pattern of a hacker.

Users can configure the Wordfence firewall with rules that can immediately block hackers.

Wordfence also helps to harden a site against hacking by providing two-factor authentication and disabling PHP execution in folders where PHP should not run.

Another benefit of Wordfence is that the plugin sends email reminders when a plugin needs an update.

The paid version of Wordfence receives firewall rules to protect against the newest exploits as soon as Wordfence knows about them.

iThemes Security

iThemes Security is an all-in-one plugin that scans and hardens a website as well as blocks bad bots as a firewall. There are over a million active installations.

iThemes handles many security-related activities, which makes it a popular choice for those who prefer one plugin to do it all.

Take Additional WordPress Security Steps

These are the additional steps for creating a strong security posture.

Check Your PHP Version

PHP is the software that WordPress runs on.

Outdated PHP versions can expose a site to security vulnerabilities.

Ensure the PHP version used has not reached end-of-life status (EOL).

Scan For Online Vulnerability

Here are three online tools that scan for vulnerabilities, or tell if a site has been hacked:

The Future Of WordPress Security

Hackers are attacking all sites, regardless of what content management system (CMS) is used.

WordPress is the most popular CMS in the world, which makes it a popular target of hackers.

Fortunately, WordPress has a massive community working to keep it secure, which is an advantage that other platforms do not have.

All WordPress website owners should consider taking the time to make sure that measures are in place to keep their WordPress sites fully secure.

More resources: 

Featured image: Shutterstock/fizkes