For years WordPress has maintained its top spot as the go-to content management system. In fact in 2015, the CMS housed more than 25% of all websites. With this said, chances are you too use WordPress to run your website, enjoying the vast amount of plugins, themes, and other customizations to turn your site into an internet hotspot.

The fact is that no CMS is 100% secure. Most of the time, even the best WordPress host in the market can’t guarantee 100% security. This means that it’s up to you to make your website a hardened and secured location on the web. So before you release your site for public use, ensure that it’s properly secured and hardened to minimize the risk of a hack or data breach. Here are 5 security essentials for WordPress sites.

1. Update Often

When you’re hard at work designing your website or adding content to a page, there’s nothing more annoying than that pesky “update available” notification. What’s even worse is when there are plugin updates you have to make as well!

While you may not welcome updates immediately, they aren’t pushed just to annoy you or to deliver the latest and greatest functionality. Updates are made available by developers to patch a vulnerability in the system. By keeping your site up-to-date, you’re less likely to be targeted by a malicious hacker exploiting a hole in a plugin or script.

2. Use Strong Usernames & Passwords

The most effective way to minimize the risk of a hacker gaining access to your site is to use strong usernames and passwords. When you create a website on WordPress, you’ll automatically be given a default admin login. While this is a standard and easy to remember username, it gives hackers one foot in the door to your website.

By using the admin login, a hacker only needs to brute force or dictionary attack the corresponding password.

With WordPress 3.0 and higher, users have the ability to change the admin username. This change takes no time at all and greatly strengthens your website.

The next step is to use complex passwords. We know, remembering a long and strong password isn’t the easiest thing to do, but the temporary frustration beats a hack that results in the loss of millions of dollars.

If remembering passwords just isn’t your thing, consider using a password manager like 1Password or LastPass.

3. Limit Login Attempts

Even with a strong username and password combination, users can still find other ways to gain administrative access to your site. A quick Google search shows just how easy it is to navigate to a WordPress site’s dashboard (we’re looking at you wp-admin!)

By knowing this website location, a hacker could brute-force their way into the website. To prevent this form of attack, be sure to set a limit for login attempts from a single source within a set time frame.  This means that if someone tries to unsuccessfully log into your site using the same IP address in the span of 5 minutes, they would be blocked.

The easiest way to limit login attempts is to require the use of captchas on your site. A firewall that blocks fishy login attempts can also be quite beneficial.

4. Backup Your Site

Backups are often forgotten about, until you’re in the situation where you need to retrieve lost data but can’t. In the event that your website is hacked or some other catastrophic event, you’ll want the peace of mind knowing that your website has an adequate backup process.

Depending on the amount of information that your website collects as well as how often, you may want to run backups on a weekly or bi-weekly basis. In general, the more data you have, the more often you’ll want to run a backup.

Not a computer geek? No worries! There are all sorts of WordPress backup plugins available that can get the job done for you. To make backups as efficient as possible, ensure you have enough online and offline storage to maintain the ever-growing libraries. Be sure to also age off old backups to ensure you never reach space capacity.

5. Use a Web Application Firewall

Just as you have a firewall installed on your computer and locks on your home, you want to properly protect your website. The most effective way to do this is to use a web application firewall. This will block all malicious traffic before it ever reaches your WordPress site.

Top web application firewalls, like Sucuri, are able to block a variety of attacks include fake bot access, blacklisted IPs, virtual patching exploits, and even scanning tools. Many of these applications also offer malware cleanup and other protections.


A business owner’s worst nightmare is finding out that their website has been hacked. Take the time to beef up website security to minimize the risk of a hacker taking down your site or stealing confidential information.

Are there any other tips that should be on this list? Leave a comment with your thoughts in the section below.


Spread the love