WordPress is the most popular website platform. Period. That hasn’t stopped the naysayers from yowling that this open source software is inherently less secure than, well, almost any other choice. The reality is that a WordPress site is as secure or insecure as the owner chooses to make it. There are plenty of relatively simple measures to lock down one of these websites and make it as safe against hack and spam attempts as any other CMS (content management system) and most static HTML sites.

The thing to understand is that properly securing a website requires proactivity, which is sometimes in short supply. If, however, you’d like to know how to turn WordPress into an impenetrable (or something resembling that) fortress, keep reading and we’ll tell you how to protect your new WordPress website against the most common attacks it faces today.

Stop Brute Force Attacks

Hackers are nothing if not persistent, as the growing number of brute force attacks shows. Given how weak most passwords are, it’s a low-risk, high-reward undertaking. A brute force attack takes the form of an automated program turned loose at the front door of your WordPress site: it sits there and tries thousands of username and password combinations in search of one that gets in. “Brute force” refers to the idea that automated software can sift through vastly more possibilities than a human ever could.

The good news is that there is a healthy selection of plugins available that let you cap the number of failed login attempts at a reasonable limit like three, or whatever other small number you like. If you’re determined to spend a hundred bucks a year for access to this login lockdown feature, feel free, but All in One WP Security & Firewall lets you implement this and a lot of other security measures at no cost.

Furthermore, you can ban a specific IP address if the plugin determines that a high number of failed login attempts have originated from it.
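As an added example of the lockout these plugins implement (not code from All in One WP Security & Firewall or any other plugin), this must-use plugin counts failed logins per client IP with WordPress transients and refuses further attempts once the limit is reached. The limit of three comes from the article; the 15-minute window and the `ell_` names are this example's own assumptions.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Added example (not code from All in One WP Security & Firewall): after
 * ELL_MAX_FAILURES failed logins from one client IP within ELL_LOCKOUT_SECONDS,
 * further attempts from that IP are rejected with a generic error.
 * Save it as wp-content/mu-plugins/example-login-lockout.php to load it.
 */

const ELL_MAX_FAILURES    = 3;    // the "reasonable limit" from the article
const ELL_LOCKOUT_SECONDS = 900;  // 15 minutes; an assumed value

/** Transient key holding this client's failure count. */
function ell_transient_key(): string {
    // REMOTE_ADDR is set by the web server, not by the client. Only read
    // X-Forwarded-For instead if you sit behind a reverse proxy you control.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'ell_fail_' . md5($ip);
}

/** Count a failed login. Each failure restarts the expiry, so hammering a
 *  locked-out IP only extends the lockout; an idle IP is forgiven on its own. */
function ell_record_failure(string $username): void {
    $key = ell_transient_key();
    set_transient($key, (int) get_transient($key) + 1, ELL_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'ell_record_failure');

/** Reset the counter on a successful login so legitimate users are not penalised. */
function ell_clear_failures(string $user_login, WP_User $user): void {
    delete_transient(ell_transient_key());
}
add_action('wp_login', 'ell_clear_failures', 10, 2);

/**
 * Core verifies the password in its own 'authenticate' callbacks at priority 20.
 * Hooking at 30 lets this verdict replace theirs, so a locked-out client gets
 * the same error whether or not its latest guess was correct.
 */
function ell_check_lockout($user, $username, $password) {
    if ((int) get_transient(ell_transient_key()) >= ELL_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}
add_filter('authenticate', 'ell_check_lockout', 30, 3);
```

Because the counter is keyed on the client address, this is also the simplest form of the per-IP ban described above; a plugin adds persistence and a management screen on top of the same idea.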

2-Factor Authentication

This approach has gained steam among security-minded WordPress site owners in recent years, and it’s easy to see why. However a cyber criminal acquires the information, if they manage to crack your password, they’re into your site and all hell could break loose. But what if there were some way to require an additional piece of information, one that is generated on the spot, independently of your computer or mobile device?

That would be pretty secure, right?


You bet it would, and that’s what 2-factor authentication is. While the specific process can take many forms, one popular iteration is for a code to be generated and sent to your cell phone for you to use when logging in. The code serves as the second piece of required login information and means that anyone logging in would have to know the regular password and also be in physical possession of your phone to get through the login process. Google Authenticator is a free plugin that generates these kinds of codes.
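As an added example of what the phone is actually doing (not code from the Google Authenticator plugin or from WordPress), here is the server-side check for a time-based code as defined in RFC 6238, run against the RFC's own test vector; the function names are this example's own.

```php
<?php
// Added example, not code from the Google Authenticator plugin: verify a 6-digit
// time-based one-time password (RFC 6238: HMAC-SHA1, 30-second steps) of the kind
// an authenticator app derives from the secret shared when 2FA is set up.

/** Decode the base32 form in which authenticator apps exchange the secret. */
function base32_decode_totp(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $ch) {
        $val = strpos($alphabet, $ch);
        if ($val === false) { throw new InvalidArgumentException('bad base32'); }
        $bits .= str_pad(decbin($val), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) { $out .= chr(bindec($byte)); }
    }
    return $out;
}

/** Code for one time step: HMAC-SHA1 over the big-endian counter, then RFC 4226
 *  dynamic truncation to 31 bits, reduced modulo 10^digits. */
function totp_code(string $secret, int $counter, int $digits = 6): string {
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $bin    = ((ord($hmac[$offset]) & 0x7f) << 24) | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8) | ord($hmac[$offset + 3]);
    return str_pad((string) ($bin % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** Accept the code for the current step and one step either side (phone clocks
 *  drift); hash_equals() keeps the comparison constant-time. */
function totp_verify(string $b32secret, string $code, int $now, int $window = 1): bool {
    $secret = base32_decode_totp($b32secret);
    $step   = intdiv($now, 30);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(totp_code($secret, $step + $i), $code)) { return true; }
    }
    return false;
}

// RFC 6238 test vector: the base32 below encodes "12345678901234567890"; at
// Unix time 59 the 8-digit code is 94287082, so the 6-digit code is 287082.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
echo totp_verify($secret, '287082', 59) ? "code accepted\n" : "code rejected\n";
echo totp_verify($secret, '000000', 59) ? "code accepted\n" : "code rejected\n";
```

A plugin wires this check into the login form and stores the per-user secret; the security comes from the secret never leaving the phone and the server, so a stolen password alone is not enough.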

Update Frequently

To anyone who has spent much time in the “beloved” WordPress dashboard, the frequent reminders to update themes, plugins, and the platform itself can become something of an annoyance. Guess what? You should thank the developers for choosing to annoy you, because it means they are patching known security issues in the code and offering to close them for you automatically. All you have to do is click that little “update now” button.

What website owners should also keep in mind is that updates aren’t released just because a pointless new feature was added. That could be the case, but it could also be that a vulnerability was discovered and repaired. If you choose not to update, you might as well roll out the red carpet for the hackers of the world, because they’ll find out soon enough that you are running an old, unpatched version.

If you have trouble remembering to update your software regularly, set it to do so automatically when you first install it. Once the bad guys are inside your website, you’ll be lucky if all they do is post spam; the other options are to steal sensitive information, destroy your database, or even use your server’s resources to launch attacks on other computers, and you might not even know it’s happening.

It’s Time for SSL

Even though Google is in the process of making an SSL (secure sockets layer) certificate mandatory for anyone who wants to rank well in search engine results, it’s probably worth a reminder why. SSL encrypts all data that passes between your server and a website visitor’s computer, which is a good thing when it comes to upgrading security. Unlike data sent in the clear, the encrypted variety is tough for even skilled hackers to crack.


An SSL-protected website can be recognised by the letters HTTPS in front of the domain name in the URL at the top of the page. Many web hosts offer certificates for free as a bonus for signing up for their service, but even if you have to pay for one, it’s a good idea to do it!

Keep an Eye on Site Changes

Too many WordPress owners have no idea what file changes actually occur behind the scenes of their website. WordFence (either the free or premium version) helps you monitor user activity logs and trace exactly what changes were made and who made them if you allow others to have posting, editing, or admin rights.

The Bottom Line

Obviously, there are many more security precautions available to WordPress owners than the handful we’ve mentioned here. Our best advice is not to shy away from WordPress or resign yourself to the fact that you will get hacked or spammed if you use it. With a little effort on your part, this open source platform can be, if not Fort Knox, then at least as secure as can reasonably be expected for any website.

Published by Hans Desjarlais

Founder @ Themely, entrepreneur and travel addict. Always learning, maverick at heart, speaks 3 languages and hopes to go to space one day.
