
WordPress is currently one of the most popular content management systems (CMS) on the web, powering millions of websites from small businesses to large enterprises.  But when any CMS becomes that popular, it also becomes a target for attackers.  The good news is that the majority of attacks can be prevented with a few simple security practices.  Here are some quick tips to help you keep your WordPress site secure and reduce the chances of becoming an easy target.


  • Be Creative With Your Passwords – The number one reason why many websites are compromised is weak login passwords that are easy to guess. A good rule when creating a password (especially for your administrative account) is to make it long: 8 characters is the bare minimum, 12 or more is a far better target, mixing upper- and lower-case letters, numbers, and symbols.  Length matters more than clever substitutions, because attackers test common words, names, and patterns like “P@ssw0rd1” first, and the password must not be reused from any other site.  The safest option is a password manager or generator that produces a long random string for you, so you never have to remember it at all.  And lastly, be mindful of what you post on social media.  Pet names, birthdays, and hometowns are exactly the breadcrumbs hackers use to guess passwords and answer security questions.
  • Stop Living In Your Admin Account – You should never use an administrator account to write or publish content on your WordPress site. The reason is that if a hacker sees the words “Posted by admin…” plastered on all of your posts, he already knows your administrative username and all he needs to do then is crack your password.  Ideally, you should have a separate account with the lowest role that can do the job (Author or Editor for publishing content, Contributor if someone else approves posts; a Subscriber cannot publish at all) and one administrative account strictly for making technical changes on your site’s back-end.  If a hacker gains access to the content account, he can’t install plugins, change settings, or create new users the way an administrator can.  Keep in mind that what appears on a post is the author’s display name, which can be set to something different from the login name, but the login name can still be revealed through author archive URLs (YOURSITE/?author=1) and the REST API (YOURSITE/wp-json/wp/v2/users) unless you block them, so a unique username is a hurdle for attackers, not a secret.  Additionally, make sure your administrative account has a unique username instead of the default “admin”.  If your login credentials are admin / admin, then you need to make some changes ASAP.
  • Update Your WordPress Software & Plugins – Always keep WordPress core, your theme, and your plugins up to date, especially when security vulnerabilities are announced. Most mass compromises of WordPress sites exploit known, already-patched bugs in outdated plugins, so updating promptly closes the holes attackers are actively scanning for.  Delete plugins and themes you don’t use rather than merely deactivating them; a deactivated plugin’s files are still on the server and can still be reached directly.  Before making any updates, always be sure to make a complete backup of your site, which brings me to the next tip.
  • Backup Your Site Often – Not backing up your site regularly is one of the most common mistakes you can make. Because no system is perfect, it’s important to be prepared for the worst-case scenario.  How often you should back up obviously depends on how often you update your content.  A complete backup covers both the database (posts, users, settings) and the files (wp-content with your uploads, themes, and plugins, plus wp-config.php).  Ideally, a good backup plan uses redundancy by combining on-site and off-site methods.  On-site methods include thumb drives or portable hard drives for local backup, while off-site methods include cloud-based services like Dropbox or Google Drive; store the off-site copy somewhere a compromised server cannot delete it.  Finally, a backup you have never restored is only a hope: periodically restore one to a test site and confirm the site works.
  • Don’t Install Insecure Plugins – When choosing new plugins to add to your WordPress site, make sure they come from trusted sources like the official WordPress plugin directory. Avoid downloading software from third-party sites that you’re not familiar with, and never install pirated (“nulled”) copies of paid plugins, which routinely ship with backdoors.  Additionally, check when the author last updated the plugin and which WordPress version it was tested with.  Plugins that haven’t been updated in over a year are potential security risks because hackers look for known holes in older software that can be exploited.  Also read the user reviews and the changelog to see what experiences other users have had with a specific plugin.  If it has been closed or abandoned by its author(s) or has too many poor reviews, then it’s best to steer clear.
  • Utilize Login Security Plugins – By default, the login URL for every WordPress site is YOURSITE/wp-login.php (and YOURSITE/wp-admin redirects there). Hackers know to look for this URL and when they find it, that’s when they start guessing.  Luckily, there are plugins, such as Better WP Security (since renamed iThemes Security, now Solid Security) and BulletProof Security, that can help protect your login page by limiting the number of failed login attempts per IP address and locking the account after too many failures, along with masking the default URL with a longer, more complex one.  The attempt limit is the real control; a renamed login URL only raises the cost for automated scanners and is no substitute for a strong password and two-factor authentication.  Also remember that YOURSITE/xmlrpc.php accepts login credentials too and lets a single request test many passwords, so disable or restrict it if you don’t need it.  Every obstacle you add is good for you.
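As an added example for the backup tip above (this is not code from the original article), the following Python script packages the files and database that make up a WordPress site, writes a SHA-256 sidecar next to the archive, and then proves the backup is usable by running a trial restore into a scratch directory. The site paths, the destination directory, and the database credentials are assumptions, and the scratch site that `demo()` builds is constructed sample data.

```python
"""Added example (not from the article): back up a WordPress site's files and
database, then verify the archive with a trial restore before trusting it.
The paths, destination directory and database credentials are assumptions;
the scratch site built by demo() is constructed sample data."""
import hashlib
import os
import shutil
import subprocess
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large archives are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def dump_database(db_name: str, db_user: str, db_pass: str, out_file: Path) -> bool:
    """Dump the WordPress database with mysqldump (skipped when it is not installed).
    The password travels through MYSQL_PWD rather than argv so it never shows up in `ps`."""
    if shutil.which("mysqldump") is None:
        return False
    env = dict(os.environ, MYSQL_PWD=db_pass)
    with out_file.open("wb") as fh:
        proc = subprocess.run(
            ["mysqldump", "--single-transaction", "-u", db_user, db_name],
            stdout=fh, env=env, check=False,
        )
    return proc.returncode == 0


def backup_site(wp_root: Path, dest_dir: Path, db: tuple = None) -> Path:
    """Write dest_dir/wp-backup-<utc stamp>.tar.gz holding wp-content, wp-config.php
    and database.sql (when db=(name, user, password) is given), plus a .sha256 sidecar."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"wp-backup-{stamp}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        sql = Path(tmp) / "database.sql"
        have_db = db is not None and dump_database(*db, sql)
        with tarfile.open(str(archive), "w:gz") as tar:
            # wp-config.php holds the DB credentials and salts; wp-content holds uploads, themes, plugins
            for name in ("wp-content", "wp-config.php"):
                if (wp_root / name).exists():
                    tar.add(str(wp_root / name), arcname=name)
            if have_db:
                tar.add(str(sql), arcname="database.sql")
    sidecar = archive.parent / (archive.name + ".sha256")
    sidecar.write_text(f"{sha256_of(archive)}  {archive.name}\n")  # `sha256sum -c` compatible
    return archive


def verify_backup(archive: Path) -> tuple:
    """Check the sidecar hash, refuse archives with path traversal in member names,
    then do a trial restore into a scratch directory and count the restored files."""
    sidecar = archive.parent / (archive.name + ".sha256")
    expected = sidecar.read_text().split()[0]
    if sha256_of(archive) != expected:
        return False, []
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(str(archive), "r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            if m.name.startswith("/") or ".." in m.name.split("/"):
                return False, []
        if hasattr(tarfile, "data_filter"):      # Python 3.12+ safe-extraction filter
            tar.extractall(tmp, filter="data")
        else:
            tar.extractall(tmp)
        restored = sum(1 for p in Path(tmp).rglob("*") if p.is_file())
        regular = [m.name for m in members if m.isfile()]
        return restored == len(regular), regular


def demo() -> dict:
    """Build a constructed scratch site, back it up, verify it, then corrupt the
    archive and confirm that verification now fails."""
    root = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed sample")
    (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wordpress');\n")
    archive = backup_site(root, root / "backups")          # no db tuple: file-only backup
    ok, members = verify_backup(archive)
    with archive.open("ab") as fh:
        fh.write(b"\x00")                                   # simulate corruption or tampering
    tampered_ok, _ = verify_backup(archive)
    shutil.rmtree(root, ignore_errors=True)
    return {"verified": ok, "members": members, "tampered_verified": tampered_ok}


if __name__ == "__main__":
    print(demo())
```

For a real site, call `backup_site(Path("/var/www/html"), Path("/backups"), db=("wordpress", "wp_user", "secret"))` from cron, copy the archive and its `.sha256` off-site, and run `verify_backup` on the off-site copy rather than the one still sitting on the server.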
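To make the plugin-vetting checks above (last update, tested WordPress version, reviews) repeatable, here is an added Python example that is not part of the original article. It scores a plugin from the fields served by the WordPress.org plugin information API; the endpoint URL, the `last_updated` date format, and the thresholds are assumptions, and the two responses in `SAMPLES` are constructed rather than real API output.

```python
"""Added example (not from the article): vet a plugin using the fields served by
the WordPress.org plugin information API. The endpoint URL, the "last_updated"
date format and the thresholds are assumptions; the responses in SAMPLES are
constructed, not real API output."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed endpoint; the service may change the URL or field names.
PLUGIN_INFO_URL = ("https://api.wordpress.org/plugins/info/1.2/"
                   "?action=plugin_information&request[slug]={slug}")


def fetch_plugin_info(slug: str) -> dict:
    """Live lookup (needs network; the offline demo below does not call it)."""
    with urllib.request.urlopen(PLUGIN_INFO_URL.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


def version_tuple(version: str) -> tuple:
    """'6.5.2' -> (6, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def parse_last_updated(value: str) -> datetime:
    """The API reports e.g. '2024-05-10 3:29pm GMT' (assumed format)."""
    return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def assess_plugin(info: dict, current_wp: str, today: datetime,
                  max_age_days: int = 365, min_rating: int = 70, min_ratings: int = 20) -> list:
    """Return the reasons to be wary of a plugin; an empty list means it passed.
    Thresholds are assumptions: a year without updates, a tested-up-to version
    behind the site's major.minor, or a poor rating backed by enough reviews."""
    reasons = []
    age = today - parse_last_updated(info["last_updated"])
    if age.days > max_age_days:
        reasons.append(f"not updated for {age.days} days")
    tested = version_tuple(info.get("tested", "0"))
    current = version_tuple(current_wp)
    if tested[:2] < current[:2]:
        reasons.append(f"only tested up to WordPress {info.get('tested')} (site runs {current_wp})")
    if info.get("num_ratings", 0) >= min_ratings and info.get("rating", 100) < min_rating:
        reasons.append(f"rating {info['rating']}/100 across {info['num_ratings']} reviews")
    return reasons


# Constructed sample responses shaped like the API's JSON (slugs are made up).
SAMPLES = {
    "healthy": {"slug": "example-forms", "version": "4.2.1", "tested": "6.5",
                "last_updated": "2024-05-10 3:29pm GMT", "rating": 96,
                "num_ratings": 912, "active_installs": 2000000},
    "stale": {"slug": "old-gallery", "version": "1.0.3", "tested": "6.1",
              "last_updated": "2022-11-03 9:05am GMT", "rating": 58,
              "num_ratings": 41, "active_installs": 800},
}
TODAY = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed "today" so the demo is reproducible

if __name__ == "__main__":
    for name, info in SAMPLES.items():
        print(name, assess_plugin(info, "6.5.2", TODAY) or "ok")
```

Against a live site you would replace `SAMPLES[...]` with `fetch_plugin_info("the-slug")` and `TODAY` with `datetime.now(timezone.utc)`; a plugin that has been closed in the directory comes back as an error rather than a record, which is itself a reason to steer clear.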
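The login-protection tip above describes what the plugins do; as an added example that is not from the original article, the Python below shows the same detection logic applied to a web server access log, so you can see password guessing against wp-login.php and xmlrpc.php even when no plugin is watching. The log lines are constructed samples in Apache/nginx combined format using documentation IP ranges, and the threshold and window are assumptions to tune for your own traffic.

```python
"""Added example (not from the article): spot password guessing against
wp-login.php and xmlrpc.php in a web server access log. The log lines are
constructed samples in combined log format; the threshold and window are
assumptions a practitioner would tune."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges, so nothing here points at a real host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:32 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:34 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:35 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:50 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def is_failed_attempt(method: str, path: str, status: int) -> bool:
    """WordPress answers a wrong password on wp-login.php by re-rendering the form
    (HTTP 200) and a correct one with a redirect (302). xmlrpc.php returns 200 either
    way, and one system.multicall request can carry hundreds of guesses, so every
    POST to it is counted (a heuristic: legitimate Jetpack or mobile-app traffic
    also uses it, which is why the tip above suggests restricting the endpoint)."""
    if method != "POST":
        return False
    path = path.split("?", 1)[0]
    if path.endswith("/wp-login.php"):
        return status == 200
    return path.endswith("/xmlrpc.php")


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {ip: total failed attempts} for every IP that made at least
    `threshold` failed attempts inside any sliding `window`."""
    recent = defaultdict(deque)      # per-IP timestamps of failures still inside the window
    failures = defaultdict(int)
    offenders = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status = m.groups()
        if not is_failed_attempt(method, path, int(status)):
            continue
        when = datetime.strptime(stamp, TIME_FMT)
        failures[ip] += 1
        q = recent[ip]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            offenders[ip] = failures[ip]
    return offenders


def block_rules(offenders: dict) -> list:
    """Turn the offender list into nginx `deny` directives for a blocklist include."""
    return [f"deny {ip};" for ip in sorted(offenders)]


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    print(found)
    print("\n".join(block_rules(found)))
```

The legitimate user at 198.51.100.4 mistypes once and then succeeds (the 302), so only the two guessing hosts are reported. In production the same logic is what fail2ban or the plugins named above apply continuously; feeding the `deny` lines into an nginx include, or the equivalent `Require not ip` block in Apache, turns the detection into a response.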

Remember, hackers are opportunistic and usually go for easy targets.  No system is completely immune to attack, but by following these simple tips you can greatly reduce the chances of your WordPress website being the easy target that those with malicious intent are looking for.