How to secure your WordPress website

Lock it down in 10 steps

UPDATED: July 17, 2017

I can still remember the day it happened. I was sitting at my desk with tea in hand, and logged into my site to publish my daily post. But wait, what?! That’s not my site, I thought…

Yes, I’d been hacked. Every day, hackers (which are typically ‘bots’ rather than humans) are scanning the web looking for easy targets. When they find a WordPress site with questionable hosting, a weak password, an outdated version of WordPress, or themes and plugins with security issues, they know they’ve found their next target.

Not sure how to secure your WordPress website? In this post, we’ll go over 10 simple ways you can beef up security on your site. That way, you’ll hopefully never have a morning (and afternoon) like I did!

How to secure your WordPress website

  1. Choose reputable hosting.

  2. Use a strong password.

  3. Do regular backups.

  4. Block malicious login attempts.

  5. Scan for malware.

  6. Keep on top of WordPress, theme and plugin updates.

  7. Implement a two-factor authentication solution.

  8. Restrict user access.

  9. Use SSL.

  10. Make smart theme and plugin choices.

Ready to take a deep dive into how to secure your WordPress website? Let’s go!

1. Choose reputable hosting

A secure website starts with a quality web host. We’ll focus on two popular ways to host your WordPress site: shared web hosting and managed WordPress hosting.

If you’re a DIY type of person — or on a tight budget — you might opt for shared hosting. You’ll be in charge of site maintenance, but you’ll be sharing your web host with other, potentially less security-conscious users. While some popular hosts provide a reliable shared platform (such as GoDaddy, of course), you can’t control any unexpected security issues on the host’s end. Reputable hosts do, however, have the staff and expertise to get issues resolved quickly — something that can’t always be said about smaller, cheaper shared hosts.

Managed WordPress hosting, on the other hand, relieves you from much of the day-to-day site maintenance and upkeep:


Servers are protected, backups are scheduled, plugins are pre-screened, and security updates are performed automatically. You can sleep well at night knowing your hosting is in the hands of experienced WordPress technicians.

2. Use a strong password

By default, WordPress creates a login user called admin. Plus, people are notorious for choosing weak passwords. Hackers know both of these facts, and they repeatedly try to log in to your site by means of brute force attacks – i.e., trying to guess your username and password.

With that in mind, here’s how to improve your login security. First, change your password and make sure it’s strong. While you could use an online password generator (or WordPress’s built-in solution), a password manager such as 1Password or LastPass enables you to store long, complex passwords without having to remember them.

Use a password manager to store strong passwords.
1Password is a great third-party password manager, with a number of security benefits.

Next, if your username is admin or administrator, it’s time to switch to something new. This can be practically anything: your name, a nickname, an email, or just something unique. However, make sure you still set your user role to Administrator.

This step can be a bit fiddly, but it’s not too hard. What you’ll need to do is log in as the new user, attribute your existing content to it, and then delete the old admin user. That’s all there is to it, and you’ll be much more secure to boot!

3. Carry out regular, scheduled backups

WPBackItUp is a powerful, free backup plugin.

Backups are essentially copies of your WordPress website, which are stored in a safe location. They’re vital for restoring your site after a hacking attempt, or reversing changes if an update goes wrong.

To paraphrase the old adage: “Unless your data exists in three places, it doesn’t exist at all.”

To that end, many backup solutions now offer multiple locations, such as Dropbox and other cloud providers. This means you can keep multiple copies of your backups well away from your main server, so they can get you back online quickly if necessary.

There are a few different solutions you can opt for here – for example, GoDaddy offers a Website Backup service that features automatic daily backups and one-click restore. Of course, there are also many plugins available that can do the job. WPBackItUp is a solid free option, while BackupBuddy is a great premium solution.

Editor’s note: GoDaddy’s Managed WordPress includes free daily backups and one-click restore.

4. Block malicious login attempts

As we mentioned earlier, brute force attacks are a common concern for website owners. To secure your site from these hacks, you’ll simply need to use a plugin that blocks malicious logins. For example, the Jetpack plugin’s Protect feature automatically records the IP address of any login attempt.


Jetpack uses this data, combined with information gathered from other Protect users, to block unwanted logins.

If you’re not interested in using Jetpack, a targeted plugin like Cerber Security & Limit Login Attempts is another smart option. Plus, many popular security plugins, such as Wordfence Security and iThemes Security, also provide this functionality as a standard feature.
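
The per-IP counting that login-blocking plugins rely on can be sketched over a web server access log. This is an added example, not code from Jetpack or any plugin named here; the log format, the thresholds, the 200/302 status heuristic, the function names and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access-log format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_bruteforce_ips(lines, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: time the threshold was reached} for every IP with at least
    max_failures failed wp-login.php POSTs inside one sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        path = m["path"].split("?", 1)[0]
        if m["method"] != "POST" or not path.endswith("/wp-login.php"):
            continue
        # Assumption: a failed login re-renders the form (200); success redirects (302).
        if m["status"] != "200":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[m["ip"]]
        attempts.append(ts)
        while ts - attempts[0] > window:
            attempts.popleft()
        if len(attempts) >= max_failures:
            flagged.setdefault(m["ip"], ts)
    return flagged

def make_line(ip, clock, method, path, status):
    return f'{ip} - - [17/Jul/2017:{clock} +0000] "{method} {path} HTTP/1.1" {status} 512'

# Constructed sample: one client guessing every 10 seconds, one owner who
# mistypes once and then logs in, plus a malformed line.
SAMPLE_LOG = [make_line("203.0.113.7", f"09:00:{s:02d}", "POST", "/wp-login.php", 200)
              for s in range(0, 60, 10)] + [
    make_line("198.51.100.20", "09:01:00", "POST", "/wp-login.php", 200),
    make_line("198.51.100.20", "09:01:20", "POST", "/wp-login.php", 302),
    make_line("198.51.100.20", "09:02:00", "GET", "/wp-admin/", 200),
    "not a log line",
]

if __name__ == "__main__":
    print(find_bruteforce_ips(SAMPLE_LOG))
```

A single-site count like this only sees attempts against one server, which is why the plugins described above also draw on data gathered across many sites.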

5. Scan your site for (and potentially eradicate) malware

Malware (or “malicious software”) is not new to WordPress, but it still makes its mark on user sites every day. This software is specifically designed to intrude on your website and gain unauthorized access to your files. It’s usually accidentally installed via a corrupted file, although certain advertisements can also contain malware.

The effects of malware are wide-ranging. It can compromise your login data, steal personal information, create spam, or hijack your computer. Some hackers even use malware to launch Distributed Denial of Service (DDoS) attacks, so making sure your site is clean should be a top priority.

The first step is to scan your site for any pre-existing malware. While some plugins such as Wordfence Security include a malware scanner, there are also dedicated services you can turn to, such as GoDaddy’s Website Security, powered by Sucuri.

Next, you’ll want to eradicate the malware itself. Fortunately, most of the services we’ve mentioned will do this for you. Finally, you’ll also want to change your passwords so you don’t get compromised again.

6. Keep on top of WordPress, theme and plugin updates

The latest versions of WordPress automatically perform minor security updates, while leaving you to install the major ones manually. Plus, you’ll need to keep your themes and plugins up to date on your own.

Remember: even if you aren’t currently using a plugin or theme, if it shows up in the WordPress update screen, hackers can still take advantage of any security exploits it contains.


When it comes to security, you can do everything right and bad things can still happen. In short, it’s important to update often. Unfortunately, there’s no automatic way to ensure you’re notified if a theme or plugin hasn’t been updated in a while, which makes it an even more important security aspect to keep on top of.

7. Implement a two-factor authentication (2FA) solution

Two-Factor Authentication (2FA) is a security measure that has come sharply into focus recently. Many large online companies, such as Google and Facebook, use this technology to help protect your accounts.

Essentially, 2FA is an extra layer of security. When you log into your account, you’ll be asked to verify your identity through your smart device. Without that authorization, you’ll be locked out. This is vital technology for anyone who values their site’s security – and it’s easy to implement for WordPress users.

Our personal recommendation for getting started with 2FA is the Two Factor Authentication plugin. This tool uses the Google Authenticator app to generate passcodes on your device, and is simple to set up. Some larger security plugins also include 2FA as a premium feature, such as Wordfence Security, and Automattic’s Jetpack offers a secure, free authentication option.
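
How an authenticator app and the site arrive at the same passcode can be shown with the standard time-based one-time password algorithm (TOTP, RFC 6238). This is an added example, not the Two Factor Authentication plugin’s code; the function names, the one-step clock drift allowance and the sample secret (the RFC’s published test key) are assumptions.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, at, digits=6, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    cleaned = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(at) // step)   # 8-byte big-endian time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, at, last_used_step=-1,
                drift=1, digits=6, step=30):
    """Server-side check: return the matching time step, or None.

    Accepts +/- `drift` steps of clock skew and refuses any step at or before
    `last_used_step`, so a passcode that was already accepted cannot be reused.
    """
    now_step = int(at) // step
    for candidate in range(now_step - drift, now_step + drift + 1):
        if candidate <= last_used_step:
            continue
        expected = totp(secret_b32, candidate * step, digits, step)
        # Constant-time comparison; bytes so non-ASCII input cannot raise.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return candidate
    return None

# Constructed sample: the RFC 6238 test key, base32-encoded the way an
# authenticator app receives it when the setup QR code is scanned.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, at=59)
    print(code, verify_totp(SAMPLE_SECRET, code, at=59))
```

The caller stores the returned step as the account’s `last_used_step` after each successful login.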

8. Restrict user access to your WordPress website

User Role Editor is a popular choice for creating new user roles.

WordPress user roles are essential in setting boundaries for the various people who use your site. For example, Administrators have complete access to your site, whereas Subscribers can edit their own account details, but nothing more. However, if you set up your user roles incorrectly, you could give improper access to those who might (knowingly or unknowingly) damage your site.

Fortunately, you don’t have to figure out your ideal user hierarchy alone. Here are some simple tips for getting it right:

  • Stick to one Administrator account if possible.
  • Since they can also delete content, keep a small group of Editors and make sure you liaise with them regularly.

There are also a number of plugins that can help you set the correct user roles – User Role Editor is a solid option. This plugin lets you create brand new roles and easily edit existing ones, all from the familiar WordPress interface.

9. Convert your site to use Secure Sockets Layer (SSL)

Of course, it’s not just your own personal data you need to worry about – your users’ information is just as important. After all, if customers feel there are trust issues with your site, they are likely to leave in droves. Secure Sockets Layer (SSL) is the solution to this dilemma, and one that’s particularly pertinent to WordPress users as of late.

In short, SSL encrypts your users’ data as it moves between their browsers and your servers, meaning that hackers can’t intercept and steal it.

It’s becoming a crucial (and in some cases, legal) requirement if you handle a lot of sensitive customer data, such as bank and credit card details.

There are two parts to setting up SSL: obtaining a certificate and implementing it on your site. Getting a certificate is easy; for example, GoDaddy provides them as a yearly subscription. Once you have a certificate, you’ll need to link it to your site. To do this, you can either follow a solid walkthrough, or download an easy-to-use plugin such as Really Simple SSL.

10. Make smart theme and plugin choices

Unless you’re experienced with WordPress, for the time being you should probably stick to downloading themes and plugins from the Theme Directory and Plugin Directory, respectively. Alternatively, you can get them from a reputable premium provider, such as ThemeForest, StudioPress, or Elegant Themes.

Themes and plugins downloaded from unknown websites can be infected with dangerous code. While there are thousands of themes and plugins to choose from, picking the right ones isn’t difficult. Look for those that have been updated within the last six months, and have good reviews and ratings from other WordPress users. If you’re unsure how secure your currently installed themes are, you can install and run the Theme Authenticity Checker plugin, which will tell you whether you need to make a change.

The Genesis Framework is a theme that’s had security input from top WordPress developers.

It can be tempting to add more and more plugins to your site, but try to restrain yourself. New security exploits are discovered every day, and each additional plugin or theme you install increases your exposure to future security problems.

Wrapping up

If you have confidence in your hosting provider and your login information is secured, you’re off to a good start when it comes to how to secure your WordPress website.

In this piece, we’ve offered 10 smart ways to secure your site. Choosing reputable hosting is a must, but strategies such as implementing strong passwords, using two-factor authentication, blocking brute force attacks, and backing up regularly are also important ways you can shore up your site right now.