WordPress, the popular blogging and website platform, is only as insecure as its users allow it to be. Unfortunately, the fact that WordPress remains one of the most widely used blogging platforms makes it a golden target for hackers and malicious users. It may be little consolation that hackers have been known to get into even the most secure mainframes – but a target has to be well worth the effort for that. For most regular WordPress sites, a few simple steps can help deter would-be hackers from gaining access to your dashboard.
Keep Your Plugins and Themes Updated
Having outdated plugins or themes on your WordPress website is a serious security risk, especially when a vulnerability in an older version has already been attacked and a newer release has been published to fix it. Failing to update your plugins and themes to the latest version hands hackers an opportunity to exploit those known vulnerabilities and get into your website.
Additionally, it is always best to remove the plugins and themes you do not use. Not only does this free up storage space, it also removes the need to keep those unused add-ons updated. Updates for add-ons you do not use are more likely to go unnoticed, which can leave an opening for attackers.
In fact, this applies not just to your plugins and themes but also to your WordPress version itself. While hackers continually try to exploit WordPress, the WordPress project also does its part to defend against these security risks by shipping fixes. Sites hosted by WordPress itself are updated automatically, but when you download and install WordPress on your own server, the responsibility for running only the latest software versions falls to you.
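The two housekeeping tasks above, turning on automatic updates and finding add-ons that are installed but unused, can be done from a small must-use plugin. The following is an added illustration written for this article, not code from WordPress or from the article's author; the `example_` function names are chosen here, and the rest uses only standard WordPress functions (`auto_update_plugin`, `auto_update_theme`, `allow_major_auto_core_updates`, `get_plugins()`, `is_plugin_active()`, `wp_get_themes()`, `wp_get_update_data()`).

```php
<?php
/**
 * Plugin Name: Example Update Hygiene (added illustration)
 * Description: Turns on automatic updates and reports unused plugins and
 * themes. Drop into wp-content/mu-plugins/ so it cannot be deactivated
 * from the dashboard.
 */

// 1. Let WordPress apply plugin, theme and major core updates on its own.
//    Background updates rely on WP-Cron (or a real cron job hitting wp-cron.php).
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

/**
 * Plugins that are installed but not active on this site.
 * Returns an array of plugin file => plugin name.
 */
function example_unused_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $unused = array();
    foreach ( get_plugins() as $file => $data ) {
        if ( ! is_plugin_active( $file ) ) {
            $unused[ $file ] = $data['Name'];
        }
    }
    return $unused;
}

/**
 * Themes other than the active one and its parent (child themes need both).
 * Returns an array of theme slug => theme name.
 */
function example_unused_themes() {
    $active = wp_get_theme();
    $keep   = array( $active->get_stylesheet(), $active->get_template() );
    $unused = array();
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( ! in_array( $slug, $keep, true ) ) {
            $unused[ $slug ] = $theme->get( 'Name' );
        }
    }
    return $unused;
}

// 2. Show the findings to administrators as a dashboard notice.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $plugins = example_unused_plugins();
    $themes  = example_unused_themes();
    $pending = wp_get_update_data(); // counts of core/plugin/theme/translation updates waiting
    if ( empty( $plugins ) && empty( $themes ) && 0 === (int) $pending['counts']['total'] ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>';
    echo esc_html( sprintf(
        '%d updates pending; %d inactive plugins (%s); %d unused themes (%s). Update, and delete what you do not use.',
        $pending['counts']['total'],
        count( $plugins ), implode( ', ', $plugins ),
        count( $themes ), implode( ', ', $themes )
    ) );
    echo '</p></div>';
} );
```

Because the file lives in mu-plugins it loads on every request and cannot be switched off from the plugin list, which is the point: the reminder about stale add-ons keeps appearing until they are updated or deleted.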
Use a Strong Password
One popular method for guessing a password is brute-forcing, where hackers run through a dictionary of common words and phrases in the hope of hitting on someone’s password. Simple passwords are especially vulnerable to this attack because they are easily guessed this way.
To create a strong password, use a mix of alphanumeric characters, including at least one uppercase and one lowercase character. Adding one or more symbols further strengthens your password.
A password can meet all the requirements for strength and still be easily compromised if you reuse it on many other websites, especially under the same email address or login name. For your WordPress site, use a unique password that you do not use anywhere else, because there is always the possibility that one of those other sites gets compromised and your password leaks into the hands of a hacker.
Additionally, it is good practice to change your password regularly; every few months is a good interval. Try not to reuse any of the previous few passwords for this account. This resets whatever progress hackers may have made toward guessing your password.
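The rules in the last three paragraphs (character mix, nothing taken from your own username, no reuse of recent passwords) can be enforced at the point where a password is set rather than left to memory. The following must-use plugin is an added illustration, not code from the article or from WordPress; the `example_` names, the 12-character minimum and the five-password history are assumptions chosen here, while the hooks (`user_profile_update_errors`, `validate_password_reset`, `profile_update`, `after_password_reset`) and `wp_check_password()` are standard WordPress API.

```php
<?php
/**
 * Plugin Name: Example Password Policy (added illustration)
 * Description: Enforces the article's password rules on the profile page,
 * the "Add New User" form and the lost-password reset form, and refuses
 * reuse of the last few passwords. Drop into wp-content/mu-plugins/.
 */

const EXAMPLE_PW_MIN_LEN = 12; // assumed minimum; the article gives no number
const EXAMPLE_PW_HISTORY = 5;  // previous password hashes remembered per user

/**
 * Return the rules $candidate fails; an empty array means it is acceptable.
 * $user_id is 0 while a brand-new user is being created.
 */
function example_password_problems( $candidate, $login, $email, $user_id = 0 ) {
    $problems = array();
    if ( strlen( $candidate ) < EXAMPLE_PW_MIN_LEN ) {
        $problems[] = sprintf( 'at least %d characters', EXAMPLE_PW_MIN_LEN );
    }
    if ( ! preg_match( '/[A-Z]/', $candidate ) )        { $problems[] = 'an uppercase letter'; }
    if ( ! preg_match( '/[a-z]/', $candidate ) )        { $problems[] = 'a lowercase letter'; }
    if ( ! preg_match( '/[0-9]/', $candidate ) )        { $problems[] = 'a digit'; }
    if ( ! preg_match( '/[^A-Za-z0-9]/', $candidate ) ) { $problems[] = 'a symbol'; }

    // The login name or the local part of the e-mail must not appear inside it.
    $local = (string) strstr( (string) $email, '@', true );
    foreach ( array_filter( array( $login, $local ) ) as $needle ) {
        if ( stripos( $candidate, $needle ) !== false ) {
            $problems[] = 'nothing taken from your username or e-mail address';
            break;
        }
    }

    // Reject the current password and any remembered previous one. No user id
    // is passed to wp_check_password() so a legacy-hash match cannot trigger a
    // rehash of the candidate into the database.
    if ( $user_id ) {
        $hashes  = array_filter( (array) get_user_meta( $user_id, 'example_pw_history', true ) );
        $current = get_userdata( $user_id );
        if ( $current ) { $hashes[] = $current->user_pass; }
        foreach ( $hashes as $hash ) {
            if ( wp_check_password( $candidate, $hash ) ) {
                $problems[] = 'a password you have not used recently';
                break;
            }
        }
    }
    return $problems;
}

/** Attach any problems to the WP_Error object the form will display. */
function example_add_password_errors( WP_Error $errors, $login, $email, $user_id ) {
    if ( empty( $_POST['pass1'] ) ) { return; } // no password change submitted
    $problems = example_password_problems( wp_unslash( $_POST['pass1'] ), $login, $email, $user_id );
    if ( $problems ) {
        $errors->add( 'example_weak_password', 'Password must contain ' . implode( ', ', $problems ) . '.' );
    }
}

// Profile page and Users > Add New; $user is a stdClass built from the form.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    example_add_password_errors(
        $errors,
        isset( $user->user_login ) ? $user->user_login : '',
        isset( $user->user_email ) ? $user->user_email : '',
        $update ? (int) $user->ID : 0
    );
}, 10, 3 );

// Lost-password reset form; $user is a WP_Error when the reset key is bad.
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( ! $user instanceof WP_User ) { return; }
    example_add_password_errors( $errors, $user->user_login, $user->user_email, $user->ID );
}, 10, 2 );

/** Push an old hash onto the user's history, keeping only the last N. */
function example_remember_hash( $user_id, $old_hash ) {
    $hashes   = array_filter( (array) get_user_meta( $user_id, 'example_pw_history', true ) );
    $hashes[] = $old_hash;
    update_user_meta( $user_id, 'example_pw_history', array_slice( $hashes, -EXAMPLE_PW_HISTORY ) );
}

// Profile/admin changes: $old is the WP_User as it was before the update.
add_action( 'profile_update', function ( $user_id, $old ) {
    $new = get_userdata( $user_id );
    if ( $new && $old->user_pass !== $new->user_pass ) {
        example_remember_hash( $user_id, $old->user_pass );
    }
}, 10, 2 );

// Reset form: the $user object handed to this action still carries the hash
// from before wp_set_password() ran, so that is the one to remember.
add_action( 'after_password_reset', function ( $user ) {
    example_remember_hash( $user->ID, $user->user_pass );
} );
```

Only hashes are stored in the history, never the passwords themselves, and each candidate is checked with the same `wp_check_password()` routine WordPress uses at login.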
While doing this, remember to keep your hosting account secure as well. Hackers mostly target websites and email, but they can also try to break into your hosting account itself. cPanel, WHM and others allow you to set strong passwords for your hosting services, and they often include further security features for your email, such as restricted logins or two-step security.
Update Your User List
If you have not already, create a new administrator account and delete the default account called “admin”. Using a default name such as “admin”, “administrator”, “webmaster” or “host” makes it easier for hackers to guess your username, letting them move straight on to guessing your password. It is also a good idea to set a different public nickname for each user, so that posts and pages display a name other than the one used to sign in to the admin area.
You may also want to look at your user list and remove any inactive users. Ensure that none of your users have the “Administrator” role unless absolutely necessary; most users should sit at the “Contributor” level. You can also use a plugin to customize user roles and their privileges, but be very careful when granting administrator-level permissions to any user or role. Even if the person is someone you trust, there is always the possibility of their account being compromised, handing a hacker administrator access to your WordPress website.
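The user-list review described in this section can be turned into a repeatable check. The following is an added illustration, not code from the article or from WordPress; the `example_` names, the `example_last_login` user-meta key and the 90-day idle threshold are assumptions chosen here, while `get_users()`, `get_user_meta()` and the `wp_login` action are standard WordPress API.

```php
<?php
/**
 * Plugin Name: Example User Audit (added illustration)
 * Description: Reports the risky accounts the article tells you to look for:
 * administrators, default-looking usernames, users whose public name equals
 * their login, and accounts nobody has logged into for a while.
 * Drop into wp-content/mu-plugins/.
 */

// Record a login timestamp so the idle check below has data to work with.
// Accounts that have never logged in since this was installed show no timestamp
// and are therefore not flagged as idle; review those by hand.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, 'example_last_login', time() );
}, 10, 2 );

/**
 * Build the audit report. Each entry is a list of login names.
 */
function example_user_audit( $idle_days = 90 ) {
    $default_names = array( 'admin', 'administrator', 'webmaster', 'host' );
    $report = array(
        'admins'                => array(),
        'default_names'         => array(),
        'nickname_equals_login' => array(),
        'inactive'              => array(),
    );
    $cutoff = time() - $idle_days * DAY_IN_SECONDS;

    foreach ( get_users( array( 'fields' => 'all' ) ) as $u ) {
        if ( in_array( 'administrator', (array) $u->roles, true ) ) {
            $report['admins'][] = $u->user_login;
        }
        if ( in_array( strtolower( $u->user_login ), $default_names, true ) ) {
            $report['default_names'][] = $u->user_login;
        }
        // display_name is what posts and pages show; it should differ from the login.
        if ( $u->display_name === $u->user_login ) {
            $report['nickname_equals_login'][] = $u->user_login;
        }
        $last = (int) get_user_meta( $u->ID, 'example_last_login', true );
        if ( $last && $last < $cutoff ) {
            $report['inactive'][] = $u->user_login;
        }
    }
    return $report;
}
```

Call `example_user_audit()` from an administrator-only page, or from the command line with WP-CLI as `wp eval 'print_r( example_user_audit() );'`, and work through each list: demote or remove surplus administrators, rename or replace default-named accounts, set public nicknames, and delete or disable accounts that nobody uses.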
Limit Login Failures
By default, WordPress does not limit the number of failed logins to the administrator dashboard, potentially allowing hackers an unlimited number of attempts to guess your login credentials. Fortunately, there are plugins that set a limit on failed login attempts, locking the user out for a set period before they can try to log in again. Typically, anywhere from 5 to 10 attempts is enough for a regular user to log in to their account. Any more than that, and brute-forcing your WordPress login becomes easy.
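To show what such a plugin does underneath, here is a minimal lockout implemented with WordPress transients. It is an added illustration, not the article's recommendation of any particular plugin and not WordPress core code; the `example_` names, the five-attempt limit and the 15-minute window are assumptions chosen here, while the `wp_login_failed` and `wp_login` actions, the `authenticate` filter and the transient functions are standard WordPress API.

```php
<?php
/**
 * Plugin Name: Example Login Throttle (added illustration)
 * Description: Locks a client address out for a while after repeated failed
 * logins, using WordPress transients. Drop into wp-content/mu-plugins/.
 */

const EXAMPLE_MAX_ATTEMPTS = 5;                      // within the article's 5-10 range
const EXAMPLE_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS; // assumed lockout window

/**
 * Transient key for the calling client. REMOTE_ADDR is the address PHP saw;
 * behind a reverse proxy or CDN that is the proxy itself, so every visitor
 * would share one counter. Only trust a forwarded-for header if your proxy
 * sets it and discards any copy supplied by the client.
 */
function example_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

/** Failures recorded for this client in the current window. */
function example_failed_attempts() {
    return (int) get_transient( example_login_key() );
}

// Count every failure. Setting the transient again also restarts its expiry,
// so the window keeps extending while attempts keep coming.
add_action( 'wp_login_failed', function () {
    set_transient( example_login_key(), example_failed_attempts() + 1, EXAMPLE_LOCKOUT_SECS );
} );

// Priority 100 runs after every core check (username/password at 20, cookie
// at 30, spam check at 99), so the verdict below overrides whatever core
// decided. The same filter serves XML-RPC logins, so they are covered too.
// Requests with no username (cookie checks) are left alone.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( '' === (string) $username ) {
        return $user;
    }
    if ( example_failed_attempts() >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_too_many_attempts',
            sprintf( 'Too many failed logins. Try again in %d minutes.',
                     EXAMPLE_LOCKOUT_SECS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 100, 2 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( example_login_key() );
} );
```

Because the lockout error is itself reported through `wp_login_failed`, further attempts from a locked-out address keep the lockout alive instead of letting it lapse on schedule, which is the behaviour you want from a throttle. Transients live in the options table (or the object cache if one is configured), so no extra storage is needed.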
Firewalls and other security suites can also cover weak spots and stop bad bots from even reaching your login page. Check the WordPress plugin directory for available options; many are completely free, with paid upgrades. Something is better than nothing in this case.
Moderate Your Comments
If you enable comments on your website, you should definitely also enable the Akismet Anti-spam Filter, which comes by default with most WordPress installations. It is also a good idea to enable Captcha on comment forms. Spam comments can be used to insert malicious media or redirect users to harmful sites.
While the anti-spam filter usually blocks most spam comments, you may want to be extra safe and choose to manually approve comments. Although moderating every single comment can be more work, it is the most effective way to ensure that there is no spam or malware in your comments.
Select Your Hosting
While shared hosting works for many and is generally quite secure, having your own hosting setup (such as a dedicated server or VPS) allows higher levels of security, because the setup can be tailored to your individual website or websites. However, if you are not an expert, it is advisable to at least hire one to set up your server securely initially.
Depending on your website’s income, it could even be worth hiring a server management team to keep things secure and updated if you are unable to do it yourself. Fortunately, there are services that provide website management at reasonable prices, from around 50 USD for initial setup and as little as 30 USD per month for management.