It’s true that WordPress website security is a concern. Because this content management system is so commonly used, it’s a much more attractive target for malicious actors.

A 2016 study showed that of more than 11,000 infected websites analyzed, 75% were on the WordPress platform. Over 50% of those websites were out of date.

It has also been reported that 73% of WordPress sites are vulnerable to attack.

But if you’ve bought into the hype that WordPress is inherently insecure, then you’re missing out on all the great things WordPress has to offer, for no good reason.

You can easily put a range of simple enhancements to your website security in place that will ease your mind while keeping your site safer.

Don’t let security concerns keep you from enjoying the flexibility and power of WordPress

WordPress sites do get hacked, but the fact is that they are no more dangerous than other PHP-based websites, and WordPress is by no means the security risk some people would have you believe.

The problem is that WordPress is open source, which means that anyone can read the code — even the bad guys who spend all their time looking for vulnerabilities they can exploit.

Couple that with the enormous popularity of WordPress, and it’s easy to see why you hear about hacks on a regular basis.

But that doesn’t mean WordPress is unsafe. Your site’s chances of being attacked are substantially minimized when you implement just a few security best practices.

Good Website Security Practices Help Protect Your Site

Every time you drive a car your risk of having an accident is increased, but that doesn’t mean you don’t drive. You simply take steps to reduce your risk instead. WordPress is no different.

With a few security measures in place, your danger of being hacked is nearly non-existent.

To start:

  • Choose a secure hosting environment.
  • Keep your site and its themes and plugins up to date.
  • Use strong passwords and change them often.
  • Limit login attempts.
  • Add two-factor authentication.

Be Smart About Your Hosting

Unlimited domains! Infinite space! Limitless bandwidth! And all for around $8 per month. You’ve probably seen the claims and may even have a hosting account with one of these companies.

Here’s the problem. This type of shared hosting is inexpensive only because the providers overload their servers with thousands of websites.

Just as close proximity in crowded classrooms allows human viruses to quickly spread, the close proximity of websites on a shared server means one infected site is a risk to all the others.

Choose a host that allows you to isolate each site on its own cPanel, rather than looking for the least expensive (and possibly riskiest) hosting option. Doing so will greatly improve the security of your website.

Keep Your Site Up to Date

This is by far the biggest hazard when it comes to security. New vulnerabilities are discovered in WordPress and its plugins and themes on a regular basis, so if your site is out of date, it is at risk.

Most hacked sites are running old versions that lack protection against known vulnerabilities, and are therefore more easily compromised.

Hackers actively search for outdated websites they can attack, so make it a point to keep your site up to date. That includes plugins, themes, and the WordPress software itself.

The WordPress security team regularly releases security patches and core updates to counteract weaknesses, continually strengthening the overall stability and safety of the platform.

Use Strong Passwords

Second only to out-of-date installations when it comes to inviting hackers, weak passwords are regularly exploited with a technique called a “brute force” attack.

Simply put, a hacker sets a computer program (or “bot”) to repeatedly attempt to log in to your site using thousands of the most commonly used passwords and what are known as “dictionary” words.

This type of vulnerability can be easily avoided just by choosing good passwords. Ideally, your passwords should:

  • be longer than 12 characters
  • never be used for more than one site
  • contain upper and lower case letters, numbers and symbols
  • never be stored in plain text on your computer
  • never be sent by email
  • be changed often

Also, consider using a password manager such as LastPass to generate and securely store good, strong passwords. You’ll never have to worry about remembering your passwords, and you’ll greatly reduce your risk of being hacked.

Limit Login Attempts

It goes without saying that you should never use easy usernames like “admin” that are the first choice of malicious bots attempting a brute force attack on your site.

Another good defense is to limit the number of login attempts allowed before a visitor is locked out. This is easily done with any of the many available security plugins.
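To see what such a limit does in practice, the following added example (not from the original article or any particular plugin) replays a constructed web server access log through a simple lockout rule and counts the login attempts the rule would have rejected. The thresholds, the function name and the log lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (documentation-range IPs, not real traffic).
# Assumption: a failed wp-login.php POST answers 200, a successful one 302.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Mar/2018:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2890
203.0.113.7 - - [12/Mar/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Mar/2018:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2018:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
203.0.113.7 - - [12/Mar/2018:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120
198.51.100.20 - - [12/Mar/2018:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
MAX_FAILURES = 3                   # failed logins allowed inside WINDOW
WINDOW = timedelta(minutes=5)      # sliding window for counting failures
LOCKOUT = timedelta(minutes=15)    # how long an address stays locked out

def simulate_lockouts(log_text):
    """Replay login POSTs; return {ip: attempts the limiter would have rejected}."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    locked_until, rejected = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue               # only login submissions count as attempts
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and when < locked_until[ip]:
            rejected[ip] += 1      # locked out: never reaches the password check
            continue
        if status == "302":        # successful login clears the failure history
            failures[ip].clear()
            continue
        q = failures[ip]           # any other status is treated as a failure
        q.append(when)
        while q and when - q[0] > WINDOW:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            locked_until[ip] = when + LOCKOUT
            rejected.setdefault(ip, 0)
            q.clear()
    return rejected
```

On the sample log, the address that fails three times in a row is locked out and its next two guesses are rejected, while the visitor who mistypes once and then logs in is unaffected.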

Add Two-Factor Authentication

Requiring users to authenticate their credentials a second time prevents nefarious programs from entering your site in the event that your username and password are compromised in a brute force attack.

In addition to something the visitor knows (username and password), this system calls for identity to be proven again by something ONLY that visitor has. This is commonly a dynamic passcode generated specifically for the visitor to input before continuing to enter your website.

Again, this is easily implemented using one of many excellent website security plugins available at the WordPress repository.


In the end, the safety and security of your site and its data are entirely up to you. Keep your software up to date, use good passwords, and choose a secure hosting environment, and you’ll be well ahead of the curve.

And while this is by no means a comprehensive article covering every aspect, these actionable tips can ensure that your WordPress website security is, if not impenetrable, at least so difficult to hack that it’s simply not worth the try.

Do you have favorite plugins or processes to help protect your website? Let us know in the comments below!

Copyright secured by Digiprove © 2018