The Blog

5 Strategies That Secure Your WordPress Website

It only takes one chink in the armor for hackers to attack your site. Since WordPress is used by 27 percent of the web and relies on open-source coding and plugins, it is vulnerable to cyber criminals that are looking for sites to take hostage. But there are several things you can do to prevent this.


Websites need to be backed up—just like computer files need to be backed up. WordPress offers a variety of plugins—many of them free—that offer backup features. When you’re selecting a backup plugin, look for one that:

  • has a high rating (the more stars, the better),
  • has been reviewed by a number of people (preferably more than 10),
  • has a good number of active installs,
  • has been updated within the last several months,
  • says it is compatible with your version of WordPress,
  • offers both database and file backups, and
  • offers automated backups.

UpdraftPlus and BackWPup are two highly-rated backup plugins that have hundreds of thousands of active installs.


The “S” in “HTTPS” stands for “secure”. Website URLs default to start with “HTTP”, but that is changing. Google is encouraging webmasters to move their sites to HTTPS by instituting it into their ranking algorithms. What this means is that websites that have that added security feature will be given more ranking points by Google and move up higher on online search results.

To get an HTTPS URL, you will need to purchase an SSL certificate from your hosting provider. Some providers offer this for free as part of their hosting package while others offer it at an additional price. Your hosting provider will install it on your site. From there, you’ll need to set up your site to redirect from HTTP to HTTPS.

Secure Login

A secure username and password will thwart would-be hackers even more. There are several ways to implement this:

  1. Use a different username than “Admin”. WordPress defaults to “Admin” as the main user, and hackers know this. To eliminate this threat, set up another username with admin rights. Then login as the new user and delete your admin username.
  2. Create a secure password. To make a password more hack-proof, it should have at least six characters and should include a combination of letters, numbers, symbols, and letter cases. It’s best not to use things like your birth date or your name that are more easily guessed.
  3. Use two-factor authentication. Even a good username and password can be hacked. To further prevent this, you can set up two-step authentication, in which you will be required to verify your identity in two different ways. This is done by requiring you to enter a code you receive on your smartphone in addition to entering your password. The downsides to this are that it makes your login process longer and it could make logging in impossible if you lose your phone.

Malware Scans

It’s highly advisable that you set up an automatic malware scanner on your WordPress website. As with many other things on WordPress, this is done by installing a plugin. Some of the top-rated ones are Wordfence Security, All In One WP Security & Firewall, Anti-Malware Security and Brute-Force Firewall, and Sucuri Security. Fortunately, a number of these scanners are free, so if you’re operating on a budget, you can still protect your site from malicious code.


There are three things that regularly need to be updated on your site: your WordPress version, your theme, and your plugins. These updates are extremely important because hackers search the web for WordPress sites with outdated core software and plugins and then attack them via those vulnerable gaps in security.

You can set up automatic updates to update your site; however, there is one huge downside: your site could crash if a core update or plugin isn’t compatible. In this case, you would need to restore your site from a backup or contact your hosting service to retrieve your beleaguered website. While this isn’t ideal, it may be the lesser of the two evils. Just make sure you get notified every time your site goes down so you can address it immediately. This is best done by setting up an outside monitoring service, such as Uptime Robot,, Montastic, or even Google Search Console.

As they say, “An ounce of prevention is worth a pound of cure.” If you implement most or all of these security measures, you may be able to completely avoid the devastation of a hacked website. And if you’re too busy running your business to stay on top of your website, check into a reliable WordPress security service that will take care of all these details for you. Your website will thank you.

About the Author

Marlene SlabaughMarlene Slabaugh is a resident business copywriter for Optimize Worldwide. She writes for Optimize and for a number of Optimize’s clients. As a result, she knows a little bit about everything, and her encyclopedic knowledge is growing by the day. She knows the woes of hacked sites first-hand and now is an avid supporter of strong security measures that keep the bad guys out.