WordPress is the most popular content-management system in the world. For that reason alone, it is vulnerable to hackers who delight in finding large pools of potentially insecure websites. Cleaning up a hacked site is not fun or easy. So, it’s important to take some simple measures to protect your site.
My Recommendations
- Choose a reliable webhost that ensures a safe platform for your site.
- All user accounts should use strong passwords: at least 12 characters, including a number and a special character. Password managers can generate passwords for you. Check out Bitwarden, LastPass, 1Password, and Dashlane.
- Passwords should be changed at least twice per year.
- Never use the name “admin” for a user account. Hackers are well aware of this default username. Usernames should be obscure and difficult to remember.
- Protect the login page. You can enhance the security of the login page in the following ways:
(a) Limit the number of login attempts.
(b) Add a second layer to the login process (reCAPTCHA or 2-factor authentication).
(c) Change the login page URL address.
- Back up your site on a regular basis. Both the database and files (images, plugins, WordPress, etc.) should be backed up at least once per month (more frequently if the site content changes often). You can back up the site manually in your webhost account or use a backup plugin. Check out my blog post about backup options.
- Keep all themes, plugins and WordPress installations current. Outdated software is one of the causes of hacked WordPress sites.
Each new version of WordPress fixes bugs and security vulnerabilities. If you’re not updating WordPress, then you are intentionally leaving your site vulnerable.
~ WPBeginner
- Never use illegal downloads of themes and plugins, because they could contain malicious code (viruses, trojan horses, hacker code, etc.).
- Always check ratings and reviews for themes and plugins before installing them.
- Install an SSL certificate. The certificate makes the website more secure by encrypting traffic between the visitor and your site and by authenticating the domain. The “s” in the “HTTPS” part of the URL address indicates that SSL has been configured; double-click on the URL address to reveal the HTTPS. With SSL, a padlock appears to the left of the URL address. When the address is merely “HTTP”, there will be no padlock and the browser may warn that the site is not secure.
You obtain, install, and activate SSL in your webhost account. Many hosts provide the certificate for free; others charge an annual fee.
- Install a security plugin, like Wordfence or Sucuri, to monitor site activity and help block unwanted visitors. Watch for security notifications about themes and plugins.
- Use a SPAM filter, like Akismet or Antispam Bee.
- Restrict file uploads. If your site allows users to upload images or text files (via a plugin), be very cautious. You can restrict the types of files allowed (no PHP files, for example) as well as their size.
- Install Google Analytics and Search Console. These tools provide a lot of useful information about your site’s traffic and performance. For example, you’ll be able to spot SPAM in the keywords area and receive security alerts.
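As an added illustration of point (a) under “Protect the login page” (limit the number of login attempts), here is a small must-use plugin written for this post; it is not code from the original article or from any of the plugins named above. The thresholds (5 failures, 15-minute window) and the file name are constructed for the example; it uses only standard WordPress hooks and the transients API.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * Save as wp-content/mu-plugins/login-attempt-limiter.php so WordPress loads it automatically.
 */

// Constructed policy for this example: 5 failed logins within 15 minutes locks the client address out.
const LAL_MAX_ATTEMPTS = 5;
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;

// Build the transient key from the client address.
// Note: behind a CDN or reverse proxy REMOTE_ADDR is the proxy's address, so the
// counter would then be shared by every visitor; only trust forwarded headers your proxy sets.
function lal_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_fail_' . md5( $ip );
}

// WordPress fires wp_login_failed on every bad username/password; count it.
// Re-saving the transient also restarts the window, so repeated attempts extend the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = lal_client_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, LAL_WINDOW );
} );

// Reject the login outright while the address is locked out.
// Priority 30 runs after WordPress's own username/password check (priority 20), so
// the lockout error replaces whatever that check returned, correct password or not.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_client_key() ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lal_client_key() );
}, 10, 2 );
```

Because the counter is keyed by address, users behind one shared office or carrier NAT can lock each other out; the security plugins mentioned above implement the same idea with more tuning options.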
Protecting your site is not a one-and-done effort. If you take the time to monitor things on a regular basis, you’ll sleep better knowing that your site is safe. Reach out to me if you have any questions or concerns!