Secure Wordpress image

If you are running a website, you need to prioritize information security. Moreover, if you are serious about your website, then you need to pay attention to website security best practices.

Although the tips we’ll discuss today are geared towards securing WordPress websites, you can still apply some of them to other online platforms. WordPress is a secure CMS (Content Management System) overall, but as with most software online, it still has vulnerabilities. Moreover, knowing what steps to take to secure your WordPress site makes things easier.

In this article, we’ll go through the most common security vulnerabilities that come with using WordPress. Thereafter, we’ll cover the tips you’ll need to manage a safe and secure WordPress website. While the WordPress software itself is very secure, and audited regularly by hundreds of developers, there is still a lot you can do to keep your website secure.

Why You Need To Secure Your WordPress Site/Blog

Wordpress Security lock

If your WordPress website is hacked, it can cause some serious damage to your business reputation and revenue. Hackers can steal user information, passwords, install malicious software, use your website as part of a larger attack, and even distribute malware to your users. Moreover, you may be put in a position where you have to pay a ransom to hackers just to regain access to your site (known as ransomware).

Let’s discuss the reasons why you need to prioritize security for your WordPress website. These reasons apply to businesses of all sizes, no matter the industry.

Your reputation and information

You might be thinking about what attackers might do if they get hold of your information. Security breaches open you up to data leaks, identity theft, ransomware, crashing servers, and the list goes on. Any of these events affect the growth and reputation of your business, and are in most cases a colossal waste of time, money, and energy.

Your Google SEO Rankings

Website security is a top priority for Google as they make a lot of investments all geared towards making the internet a safer place generally. This is evident when it was released as part Google’s Webmaster Guidelines for search rankings. In the guidelines, Google states “If possible, secure your site’s connections with HTTPS. Encrypting interactions between the user and your website is a good practice for communication on the web.” The fact that a strong HTTPS encryption is considered a ranking signal, is a big sign that website security directly affects SEO. Cybersecurity breaches will be seen by search engines like Google as a reason to lower the rank of your website. Your website may also be blacklisted after a breach.

Your website’s credibility

There is also a credibility/trustworthy factor. A website that has been compromised can drastically impact it’s credibility. This directly affects a brand’s credibility.  For example, we wouldn’t want to shop from a website that has no HTTPS connection, and the “Not Secure” label displayed in the top left of a browser. As a result, searchers will often find themselves visiting another website offering the same service instead. That is not what we want for our websites.

Common WordPress Security Issues

Common website threats

Brute-Force log-in attacks

One of the most common security issues to deal with is a brute force attack. This is a hacking method that uses trial and error to crack login credentials. The hacker tries multiple combinations of usernames and passwords until they find the correct login information.

Cross-Site scripting (XSS)

Cross-site scripting, also known as XSS in short, is a security vulnerability found in web applications. WordPress XSS allows attackers to inject malicious content under the guise of a trusted entity. In addition, an XSS vulnerability also compromises user-website interaction. It allows attackers to pose as legitimate users and upload malicious content, steal user credentials and information, deface your website and tarnish your brand.

DDoS Attacks – Distributed Denial-of-Service

A denial-of-service attack (DoS attack) is when the cyber attacker seeks to make a machine or resource unavailable to it’s intended users by temporarily or indefinitely disrupting services of a host connected to a network.  When the incoming traffic flooding the victim originates from many different sources, it is known as a distributed denial of service attack.


A backdoor is a way to access the control of a website by bypassing normal login authentication and without being detected by the website owner/admin. Moreover, a backdoor is usually a file containing some code that allows an attacker to bypass the default WordPress login and access your site at any time. Attackers tend to place backdoors among other WordPress files, making said files difficult to find by the average website owner and/or admin.

Wordpress info security

Steps on how to secure your WordPress site

  • 1. Use strong login credentials

One of the most common reasons for website hacks are due to unsecure admin passwords. Even in 2022, there are still people using “admin” as the username and “password” as their passwords. Most cyber attackers know this. By changing your username to something unconventional, you’ve already made 50% of the task more difficult for cyber attackers.

In addition, set more complex passwords for your WordPress admin accounts.  WordPress has a built-in secure password generator. We recommend a minimum of 12 alphanumeric characters including at least 1 special character. An example can be seen below:

If you are worried about remembering complex passwords, we recommend using a Password Manager to keep all your passwords secure. Bitwarden is a great password manager app that you can use as a desktop app, as well as on Android/iOs and is free to use. This will help with brute force attacks.

  • 2. Enable 2-factor authentication

2-Factor authentication or 2FA is a method implemented by adding a 2nd requirement to the login process in addition to the password. This is usually done by requesting an OTP from a third party app after the password has been inserted correctly. By adding this extra layer of security, it is 1 of the most simplest and yet effective tools to secure your login. In WordPress, this can be easily setup by just installing a plugin called WP 2FA and using an app like Google Authenticator to generate the random OTP codes on your mobile phone. This will also help mitigate brute force attacks.

  • 3. Use secure hosting

The hosting you use for your WordPress site plays one the most important role in terms of it’s security. A good hosting company takes extra measures to protect servers against common threats. When choosing a hosting company, make sure they offer things like continuously monitor their network for suspicious activity. Also ensure that they have tools in place to prevent large scale DDoS attacks. Moreover, check for whether they keep their server software and hardware up to date. A good sign of this is to check whether they offer the latest PHP versions or older ones. Lastly, make sure they have disaster recovery and incident plans which allows them to protect your data in case of a major incident.

  • 4. Use the latest PHP versions

Updating to the latest version of PHP is one of the most important steps you can take to secure your WordPress site. Newer versions of PHP addresses the security vulnerabilities found in the older versions. If you’re running an old version of PHP on your server, attackers may exploit these vulnerabilities.

Updating your PHP version can be easily done by changing 1 setting in most hosting control panels. Please remember to make a backup of your WordPress site before making any PHP changes in your hosting control panel. In addition, we recommend you update all your WordPress software (Plugins, Themes, WordPress Core) prior to updating PHP to ensure compatibility.

If you don’t have access to your hosting account, get in touch with your hosting company or web developer to do this on your behalf. This process can assist your website with faster load times, improved security, and support for new features/functionality. This can help mitigate known cross-site scripting attacks.

  • 5. Regularly update your WordPress software

Older software on WordPress are more prone to cyber attacks. When software developers release a product/service, they usually release updates or patches frequently thereafter. They do this to release new features, fix bugs, and/or when security vulnerabilities are discovered. Updating to the later versions addresses these vulnerabilities and makes the software more secure. That being said, regularly updating your WordPress plugins, theme and core software helps keep your WordPress site as secure as possible.

We recommend doing this on a weekly or monthly basis as part of a website maintenance schedule. In addition, we recommend starting with your plugins, then update your themes, then lastly the WordPress Core version.  The reason we do this is to avoid software compatibility issues with older plugins/themes/Wordpress version.

  • 6. Install a security plugin

We recommend installing a reputable security plugin to take care of most of your WordPress security requirements. These plugins do a lot of the security settings heavy lifting for you such as malware scanning, auditing, firewalls to control traffic, scanning for vulnerabilities, backups/restoring, securing your login process, security alerts and implementing 2 factor authentication.

There are many to choose from. Some security plugins are free to use, and others have a cost attached to them. In our experience, the top 3 we recommend are Sucuri, Wordfence and iThemes Security. Here at Symbiote Web we recommend using the Sucuri plugin as it is easy to setup and offers some great features even in it’s free version.

  • 7. Enable SSL on your website

Secure Sockets Layer (SSL) is a protocol for establishing a secure link between servers and web browsers by encrypting data as it travels between them. This refers to the lock icon in the top left of web browsers as shown in the image below:

Having SSL installed on your website is especially imperative if you’re running an online store as it allows users to securely transmit confidential information such as credit card numbers, social security numbers, and login credentials over the internet. SSL will encrypt your customer’s data and credit card information.

This is installed on the server side, although some basic configuration may be required in the WordPress admin dashboard in some cases. Nowadays SSL comes as a standard with most hosting plans. If your host does not include SSL, you’ll have to purchase an SSL certificate. At Symbiote Web, all our hosting plans include free SSL certificates that are already configured for you.

  • 8. Backup regularly

There are many benefits to making regular backups of your WordPress site. By creating regular backups, you can secure your website WordPress site from threats and easily recover important information whenever you need to in the event of a security breach or a server crash. Some hosting companies might offer regular backups of your hosting environment as part of your hosting plan. If not, you can perform regular backups of your WordPress site using plugins. As with security plugins, there are many to choose from.  In our experience, we recommend All-In-One WP Migration, Updraft Plus or Duplicator Pro to handle your website backups. All 3 of these are fairly easy to setup.

  • 9. Limit WordPress user permissions

In information security, there is a concept called The Principle of Least Privilege. This concept entails  that a user should only be given the privileges needed for it to complete it’s job/task. For instance, in a WordPress blog website there may be multiple users working as part of the same organization that will have access to the blog’s admin dashboard.

Each user will have a prescribed roll within the organization. This role may be an author, subscriber or an admin and so on. The idea behind this is to give the blog Author access to write, edit, and publish their own posts ONLY.

It is not recommended to give an Author full administrative access. A rule of thumb would be to try and keep the Admin accounts in WordPress to a minimum. This way, you lessen the chances of an Admin account being compromised. It is much easier for a website admin to deal with e.g. an Author or Editor account that has been compromised, instead of another Admin account.

As a result, if all you have are admin accounts and your site gets compromised, attackers will have administrative level access to do as they please with your website. WordPress has a built-in User management system under the Users tab. Here you can set the user role.

  • 10. Disable file editing in WordPress

This is a little advanced and requires a small amount of coding experience. We highly recommend having your web developer do this part for you. However, if you have the Sucuri plugin you can do this with a simple 1 click solution.

WordPress comes with a built-in code editor which allows you to edit your system files (theme and plugin editor) from your WordPress admin area. This feature can be a security risk if it is made available to attackers which is why we recommend turning it off. To disable this the manual way, navigate to your wp-config.php file and add the following lines of code:

// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );

Alternatively if you have the Sucuri plugin installed, you can do this from the Hardening section of the plugin settings.

  • 11. Logging user activity

Logging user activity is a great way to stay ahead of potential attackers. By logging everything your users do on the backend of your website, you’ll be able to notice suspicious activity before the real harm has been done. You will be able to track if users are behaving suspiciously by trying to change account passwords, adding code files etc. when they are not authorized to do so.

Logs are also useful when cleaning up after an incident as already taken place. You’ll be able to determine what went wrong and the timing of the hack. A great plugin to use for this purpose is called User Activity Log. It is easy to setup and provides all of the information you’ll need on user activity.


Let’s recap on the 11 steps to help secure your WordPress site.

  • Use strong login credentials

  • Enable 2-factor authentication

  • Use secure hosting

  • Use the latest PHP versions

  • Regularly update your WordPress software

  • Install a security plugin

  • Enable SSL on our website

  • Regularly back up site

  • Limit WordPress user permissions

  • Disable file editing in WordPress

  • Logging user activity

There are many more steps you can take to secure your WordPress site. For example, there’s a great tool called Cloudflare which helps improve the security and performance of your website. It helps mitigate things like DDoS attacks and has a global CDN to speed up your website. However, it requires a fair bit of server side configuration so we recommend that you have a developer or your web hosting company assist with the setup.

In conclusion, we hope this WordPress security guide will help you on your journey of managing and maintaining your website. At Symbiote Web, we offer monthly WordPress website security & maintenance packages and do all the above for you. Feel free to click on the Website Maintenance link in the bottom right of this website to learn more.

Share this post

One Comment

  1. January 22, 2023 at 5:30 am - Reply

    Good post!

Leave A Comment