Over 23% of all websites use WordPress, a popular open source CMS. Whilst it’s an incredibly powerful platform, it’s popularity (and publicly available code) means that WordPress-based systems are heavily targeted by hackers. Whilst you can’t prevent people trying to exploit vulnerabilities in your website, you can make it harder for them to succeed.

We’ve put together 8 WordPress security tips you can implement today to reduce the risk of hackers accessing your website.

1. Backup your website regularly

The most important thing to do first is to save a copy of your website. If anything were to happen to your site, such as any malicious code injected into your Wordress files, plugins or theme files, at least you have a backup in place to restore your website to full working order.

There are many free and paid services available to backup your WordPress site:

  • VaultPress — This is a great solution if you want to fully backup and secure your WordPress site. VaultPress also performs daily security scans of your website automated backups, and restores when necessary. VaultPress comes with a small monthly cost, however the investment is well worth it.
  • BackWPup Free — This is a free plugin from WordPress that allows you to schedule and perform automatic backups of your WordPress website.

2. Use secure hosting

Many webmasters don’t think too much about their hosting provider. Don’t just go for the cheapest package available; do your research and make sure you use a reputable provider.

When it comes down to it, paying that little bit extra can save you a headache in the future.

3. Update to the latest version of WordPress

WordPress are constantly updating their software. Every new update that WordPress releases contains bug fixes, patches and other security updates that keep your website safe.

It’s important to update your website to the latest version of WordPress. Many hackers specifically target older versions to gain access, creating all kinds of security problems.

4. Create stronger passwords

This may sound self-explanatory, but you will be amazed at how many webmasters have simple and easy passwords. Try to avoid using the same password on multiple sites.

When creating your password make sure you use a combination of numbers, capitalised and non-capitalised letters. Avoid using passwords like your name, or abc123.

  • LastPass — Remembers and stores all your passwords so you don’t have to worry about remembering them again. LastPass has a password strength generator that chooses secure passwords for you with ease.

5. Don’t use ‘admin’ as your username & limit login attempts

Choosing your username is just as important as choosing your password. We know all too well that webmasters tend to use ‘admin’ as their username. This increases the effectiveness of brute-force attacks by providing the first half of your login credentials.

We recommend you create a new user account and delete your old ‘admin’ account.

6. Hide Your Login information from the Author Archive

Hackers can still find your username by viewing your author archives – a default part of any WordPress site. The best solution is to delete your username from the archive, or remove the archive entirely.

To remove your author archive, you can install a plugin called WP biographia that will do all the hard work for you.

7. Enable Secure Socket Layer login pages

Secure Socket Layer (SSL) adds an extra layer of protection by encrypting data sent between a user’s browser and the server. Whilst this is essential for sites that capture a user’s personal information, we also recommend protecting your own data by using SSL on website login pages. To emphasize the importance of data security Google recently announced ‘rankings boosts’ for sites using SSL. Your hosting provider should be able to provide you with an SSL certificate or a shared SSL.

8. Don’t reveal your WordPress Plugins

By default all your plugins are shown in the index file. Third party plugins which have not been properly maintained by the developer could include vulnerabilities which allow hackers to inject code into your site.

To prevent this from happening we recommend putting a blank index.html file into your wp-content/plugins/ folder. Doing so will show a blank page, hiding any plugins that you use.


The idea behind this post is not to scare you, but to leave you one step ahead of potential hackers. Whilst we (and millions of other people) LOVE WordPress, it’s important to be aware of the potential security issues. If you manage your own website and want to keep it safe, we recommend starting with these tips.