These Steps to WordPress Security Will Save You Headaches

One of WordPress’ problems is actually its own popularity.

People often claim that alternative content management systems are more secure than WordPress.

But is this because those other platforms are more secure, or is it because hackers have a greater incentive to target WordPress?

If your goal was to spam links across the internet, which platform would you target? WordPress, which powers 33% of the internet, or Drupal, which only has 1.9%?

WordPress’ popularity is not by accident.

The WordPress team make decisions to ensure the software is easy to use and widely compatible.

This can sometimes compromise security. For example, WordPress is currently compatible with older versions of PHP and MySQL.

WordPress themselves acknowledge that using these legacy versions of PHP and MySQL is a security risk, but still allow it.

So whether WordPress is insecure, or just too popular, WordPress site owners need to take security seriously.

Here are some of our best tips to prevent unauthorized access to your site.


Since outdated code is a security risk, updating PHP and MySQL is an obvious first step towards protecting your site.

In addition, you should make sure that plugins, themes and WordPress itself are all kept up to date, which can be handled in the WordPress backend.

Also make sure to only use themes and plugins that are regularly updated by their developers.

The best things in life are free: we all love to extend the functionality of our websites by using a plugin given away for free by some super-generous developer, but be careful.

It’s unlikely that a developer will spend so much of their time on a plugin that earns them nothing.

This is a big advantage of premium plugins: the developers have a financial incentive to continue to support them and ensure they are secure.

If you use a free plugin, check to see how regularly it is updated.

Regular updates are likely if there is a business model that offers an incentive for the developer to keep the plugin updated.

An example of this would be WooCommerce.

The core WooCommerce plugin is free, but there are plenty of extensions to sustain the business, and a comprehensive support team.

The WordPress login

Another common point of entry for hackers is basically via the front door. Fortunately, this is the security issue you have the most control over.

According to themetrust.com, 8% of WordPress hacks can be attributed to something as simple as an insecure password.

The worst offenders use passwords such as ‘password’ or ‘12345’. Worse still, they choose the username ‘admin’.

Consider using a complex auto-generated password and a less obvious username. Keep a note of them somewhere for your eyes only.

A step up from a complex password is a plugin which limits user login attempts. WP Limit Log-in Attempts will block a user after a certain number of failed attempts to log in to your site. This stops bots making hundreds of millions of attempts to guess your password.

You could even prevent bots from finding your site’s login page by hiding it with a plugin.

This plugin allows you to change the admin URL of your site from the default /wp-admin. It’s much more difficult to break into a house if you can’t find the door.

Install a Specialist Security Plugin

To take your site’s security to another level, consider installing a specialist security plugin.

iThemes Security and Sucuri are two of the biggest names in the market.

Both are plugins available for free, with premium upgrades for an extra layer of security.

A common feature of both plugins is malware scanning.

If hackers breach your defences, it often won’t be immediately obvious that your site has been infected.

Malware can lie dormant for months before becoming active, meaning you won’t be able to fix your site with a simple backup. Malware scanning will help you detect any malicious code within your site as soon as it arrives.

Both plugins also have further features to block unauthorised access to your site. They can blacklist IP addresses of potential threats, make backups of your site and force other legitimate users of your site to use strong passwords.

Whether WordPress is an insecure platform or merely a victim of its own success, there is plenty you can be doing to secure your website. Keep the front door locked, be careful with other ports of entry and hire additional security.
