Let’s face it: there is no 100% secure software, and WordPress is not an exception. The long records of hacking attempts proved once again that our well-known master of website empowering is far from being safe. This is why taking precautions should be your number one priority before launching your website.

You may think there is no reason for anybody to target your website, especially if traffic is not going so well. And you are right, hackers’ intentions have nothing to do with your database. Unfortunately, what they crave for is to use established servers for sending spam emails. The purpose of this article is to prevent you from facing this kind of issues.


The sad truth is that websites can never be 100% protected, which means that an exposure risk will always exist. Yet, there are two main steps you need to undertake to cover most of your protection. First of all, you need to ensure that your website is properly protected. Second, you have to sustain your site’s security coverage during its entire online presence.

The meaning of ‘web security’ has changed nowadays: it no longer means that you have to eliminate the risks. The term now refers to finding a way of keeping them as far as possible from your website. Take a look at what the WordPress Codex has to say about it:

“Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked”

Luckily, there is a WordPress security tip kit that will reduce the risk of hacking your website. Save your time and money by following our ‘WordPress security journey’ of defeating the most common attacks.

Security is an issue from the very first moment


You should consider your website’s security from the first moment you create your account. Why won’t you create a double obstacle for the hacker by forcing him to crack both the username and password to break in? Tagging yourself as the WordPress’s ‘admin’ turns you into a potential victim, so you must get rid of it.

You will need to get yourself a new username. There is nothing complicated about setting this up: just click on ‘Users’, choose the ‘Add new’ option from the menu and entitle your new account with an administrative role. It means that you’ll get absolute authority of your website without hackers being aware of your new admin user.

Once you’ve done with the registration, logout from the admin account and login with your new user instead. The authority of your new account allows you to delete the old admin user. You may continue your work by keeping the same privileges.

Make your password as strong as possible


People are usually afraid that they will forget their passwords. This fear makes them choose simple phrases (password, 123456789, date of birth, etc.), or even their usernames as their passwords. If you can relate to this, please, immediately stop doing that! It will take only a couple of minutes before the hacker will figure them out and you will loose your website. Is the fear of forgetting passwords worthy to loose your work? I think it’s not. Use the strongest passwords and always keep them safe. If you still prefer simple phrases, choose a sentence or a word that has no sentimental meaning for you.

Install a plugin that limits the number of login attempts


This new feature provides an extra security layer for your website: it will block anyone who is trying to guess your password.

If somebody will try to enter your account more than a few times (usually 3 attempts), his IP address will be immediately blocked (since the IP address is the unique signature of every computer). This is how you will prevent this person from further entering your website.

To perform these actions, you must choose a plugin from the many available ones that cover this specific issue. The best thing about this setting is that you can review the history of all blocked attempts with the IPs that tried to break into your website.

Double login authentication


This authentication type will make it almost impossible for hackers to access your website. It means that everyone who wants to log into your website will need to have an authorization code. You can provide codes in many ways – the most popular one is to send an SMS to the authorized user’s phone number. 

You can use Google Authenticator: its plugin app proved to be the most reliable authentication tool on the market. The app is available for Android, iPhone, and Blackberry, but you can check other plugins as well. As the authority of your website, you can choose whether the app will be only an admin privilege, or it will be available for every user.

Disable login hints

In most cases, after inserting a non-existent username or a wrong password, a small hint is displayed, revealing the mismatch between the current and the actual data. This short message tells you that the username is wrong or that the username and the password are not related. But the issue is that you are not the only one who may see this information.

While this is a good feature in case of misspelling, the fact is that it opens doors for hacker attacks, too. The best thing to do is to disable the option and get rid of any hint. You just need to access the functions.php file, and disable it with the following script:

function no_wordpress_errors() {
    return 'Your username or password are incorrect';
add_filter( 'login_errors', 'no_wordpress_errors' );

Instead, you can replace it with any message you want, like ‘What do you think you’re doing?’.

Manage your website as you manage your kitchen

Do you know that installing WordPress is equal to bringing a ticking bomb under your bed, without being aware of it?

If you’re not taking proper care of your website, like keeping outdated plug-ins, you might as well lean back and countdown for hacker’s next attempt. A messy website is not something that a professional would tolerate, so neither should you. Keep your site as clean as possible.

Keep spammers on the spare bench


In a subtle form of website safeguarding, spammers are the number one suspects. They are your visible enemies that will do impossible things to see your business going down. They will make you bad rates, dislike your content, or even make unpleasant comments to your post. But what you don’t know about spammers is that they are the most powerful hacker allies.

Spammers are strong trouble signals, leaving poor SEO and quality issues aside. A bunch of spammers blowing the trumpet on your website’s leave you little chances to keep malicious visitors away. You should control spam by installing a personal plugin or access the WordPress’ spam controls to reduce the threat. Once the website is out of spam, legitimate visitors will return and the site’s reputation will start to recover.

Keep an eye on the server log files

Go on and name ten people who do this, before they’ve noticed some suspicious behavior. I either can’t. Most people find it exhausting and senseless, but they are not aware of their importance.

Server logs contain full website data that can show you every hacking attempt (details of IPs and dates, related to both human and bot attacks). These logs are an awesome resource that can warn you when something bad is happening. From now on, take advantage of them to detect unusual behavior on your website.

Forbid pings

The reason why you should do this is that pingback-active sites can be easily abused for DDOS attack against similar sites. They are automatically enabled when you create your WordPress site, so you must disable them manually. Go to ‘Settings’, and look for the ‘Discussion’ option. Click on ‘Default Article Settings’ and tick the ‘Allow link notifications from other blogs (pingbacks and trackbacks)’ off. It’s done.

Constantly monitor your dashboard activity

If your website has many users, you should consider having a full picture of what they’re actually doing there. Their activities are usually displayed on the dashboard, meaning that you have to check it and monitor each notification.

The main purpose of this check is not spotting some wrongdoings, but staying in control of the number of people which are accessing it, in order to prevent them from performing activities the wrong way. As a matter of fact, you can even retrace your own behavior (quite useful for savvy users). It may reveal useful hints for further improvements.

This is one of the best things you can do for the sake of security since it connects actions and reactions in a logical manner. Therefore, if someone uploaded a file that caused the website to crash, you can investigate how it was done, and whether it was a malicious code that produced such unfortunate effects.

Regularly update your WordPress toolkit


There’s no catch in staying updated on security issues. New features will always be welcomed to fix your bugs or to improve your functionality. You should never hesitate to install modern plugins and constantly improve your website. Still, this depends on your business’s nature, as you may not be able to afford neither too rich tools nor an excessive maintenance. What you should do in any case is to go for at least one ‘vulnerability reducer’ or stay in control of change-logs that may cause software crashes.

Following these 11 security tips will definitely protect your website form harmful invaders. Yet, if you have any recommendations from your past experiences, don’t hesitate to share it through a comment.

A secure website means a secure business. Don’t forget that!

there are no comments added

Reset fields

back to top