WordPress security tips & best practices every site owner should know

WordPress security tips & best practices every site owner should know

WordPress security is one of the most important topics for every single site owner to understand the basics of. Whether you’re managing a boutique eCommerce shop or 50 client sites, having a site get hacked can mean a loss in time, money, and credibility – all things no one wants to face.

While there’s no “one-size-fits-all” security solution for all WordPress sites, there are a few best practices that make a big impact. In this article, I’ll explain why sites get hacked in the first place, share security tips that are easy to implement in your workflow, and provide a free downloadable security guide! Here’s a quick overview.

To keep your WordPress site secure, follow these best practices:

Ready to boost your WordPress site’s security? Let’s start at the beginning!

Why do WordPress sites get hacked?

Why do WordPress sites get hacked?

Before we jump straight into our security best practices, it can be helpful to understand why websites get hacked in the first place. Generally speaking, there are three main goals of hackers:

  • To send spam email through your site.
  • To steal your information, such as data, mailing lists, stored credit cards, etc.
  • To trick your site into installing malware on your users’ machines (or your own).

While having a site get hacked might feel like a personal attack, often it’s part of a larger scale plot, such as a Distributed Denial of Service attack. Instead of targeting a single site, hackers might target the infrasture your site is operating on, in turn affecting lots of sites at once. That’s why it’s important to know some basic security standards, even if you’re just running a personal site.

This is also why some hackers will target WordPress specifically; since it powers over 30% of all websites, it’s a large “area of opportunity.” Don’t let that worry you, however. WordPress is open source software with a very involved community, which means there are a bunch of people working to continue improving the security of the platform.

The bottom line is that your WordPress site could get hacked at any moment, which is true for any website. Luckily, there are several tips you can follow to increase security and make a lot harder for hackers to mess things up.

WordPress security best practices

6 WordPress security best practices

Keep your themes, plugins, and WordPress version up to date

One of the easiest ways to give your site an extra security boost is to keep everything updated. While it might feel tedious sometimes to keep up with plugin updates (especially if you’re trying to manage multiple WordPress websites) those updates are published for a reason. (And that reason is often security.)

If developers discover a vulnerability in their code, they’ll usually push an update to fix it. The longer your site remains on the outdated version, the more at risk it is to be targeted by hackers.

So while it might take some time, stay up to date with all plugins, theme, and WordPress core updates. If you’re using a managed WordPress host like Flywheel, we’ll take care of the WordPress updates so you can focus on themes and plugins.

Pro tip: If you’re managing updates for multiple client sites, you may want to consider bundling this work into a security package that you sell on a recurring basis, that way you’re getting paid for this simple but tedious task!

Sell a security package to earn recurring revenue

Use username and password best practices

There’s nothing new about this security tip, but it’s absolutely worth a reminder:

Use unique passwords. Use strong usernames. Use a password manager.

Hackers weren’t born yesterday; they know all the most common passwords and will test every single one with the username “admin.” So, do a quick audit.

  • Are your usernames hard to guess?
  • Are your passwords unique?
  • Have your passwords been updated recently?

If you’re feeling overwhelmed trying to remember all these login credentials, I highly recommend a password manager, such as 1Password. Not only will it help you create and store complex credentials, but it makes logging into sites a breeze. (Especially if you’re working with a team!)

Limit login attempts

Now that your credentials are nice and strong, take your login security one step further by limiting the login attempts! This is one of the best ways to defend against brute force attacks trying to gain access to your site.

To do this, you can use a plugin like Limit Login Attempts. It’ll block any attempt to log into your site after three errors, putting a block on it for twenty minutes.

Sure, it might get in your own way if you forget your password, but that’s what password managers are for, remember? ;)

Limit login attempts to keep your site secure

Move the WordPress login URL

Another way to make your WordPress site extra secure is to change the login page. It’s pretty common knowledge that to log into a site, you just add /wp-admin to the end of the URL. By changing that link, it’s like you’re hiding the door to your site, making it harder for hackers to find.

There are a variety of different ways you can swap that link, but the WPS Hide Login plugin is a good place to start! Just don’t forget what you change the URL to, and remember to share it with any other site collaborators or clients.

Use two-factor authentication

Another great way to make your credentials more secure is to use two-factor authentication. This security method acts as a temporary second password that updates every 30 seconds or so. To gain access to your site, hackers would have to guess both your true password and the temporary security code within that 30 second timeframe, greatly increasing your chance to block them!

Two-factor authentication is great because you can use it on a variety of logins related to the sites you manage and the business you’re running. For example, Flywheel allows you to enable two-factor authentication on your hosting account, and you can also add it to individual WordPress sites.

Add Captcha to your forms

As you’ve probably gathered, locking down your site’s login page is incredibly important. That isn’t the only form you should think about, however. Don’t forget about blog comments, checkout pages, or any other open form on your website!

These are opportunities for hackers to submit information to your site, such as malicious links in a comment. Even if it doesn’t directly affect your site’s performance, having shady links will create a confusing user experience, and may even hurt your business.

To prevent this, you can install a WordPress plugin like Google Captcha (reCAPTCHA) by BestWebSoft.

Bonus: Free WordPress security guide

Boost your WordPress site security with this free guide!

I’ve covered six useful WordPress security tips in this article, but there are a few other best practices you can implement to keep your site safe. We’ve packaged up all this advice (and more!) in an actionable ebook that’ll have your site optimized for web security in no time!




WordPress security is an important topic for each and every site owner to understand. What else are you doing to keep your site secure?

1 Comment

Join the discussion

Get more great content in your inbox

More articles

Delightful managed WordPress hosting

The #1 choice of over 70,000 digital creatives

Tour the platform
[if lte IE 8]
[if lte IE 8]