How Secure Is Your WordPress Site? Follow These 7 Tips To Stay Safe

If you’re concerned about the security of your WordPress website, it’s for a very good reason. 

Recent statistics suggest that a website hacking attempt occurs on average every 39 seconds, and with WordPress sites making up an enormous proportion of total webpages, WordPress sites are often specifically targeted in hacking attempts.

As worrying as this reality is, there are simple steps you can take to keep your WordPress website locked down and secure. As it turns out, most hacking attempts take place at a very basic level, such as on your admin login page or via plug-ins. Read on for the top seven simple ways to protect your website from becoming another hacking victim.

Unique Login Usernames

Do you log in using the “admin” username? If you do, changing this username needs to be your number one priority. The “admin” username is automatically generated with every new WordPress installation, so it is usually the first and easiest avenue that a hacker will use to gain access to your WordPress site.

With a new WordPress installation, you will initially need to log in using the “admin” username, then create a unique username, assign administrative privileges to the new username, then delete the “admin” username. If you are already using the “admin” username, you will need to take the additional step of assigning your existing posts to your new username when you delete the “admin” account.

You will be prompted to take this step when deleting the username.

When choosing a new username, avoid anything that could be easily guessed, such as the name of your business, the name of your domain, or your personal name.
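
One way to check existing accounts against this advice, as an added example that is not part of the original article: it reads a user listing in the shape WP-CLI produces and flags administrator logins that are “admin” or that match the domain, business name, or a personal name. The sample data, the site details, and the function name are constructed for illustration.

```python
import json
import re

# Constructed sample in the shape of:
#   wp user list --fields=ID,user_login,roles --format=json
SAMPLE_USERS = json.loads("""
[
  {"ID": 1, "user_login": "admin", "roles": "administrator"},
  {"ID": 2, "user_login": "ExampleBakery", "roles": "administrator"},
  {"ID": 3, "user_login": "jane.doe", "roles": "editor"},
  {"ID": 4, "user_login": "k7-violet-harbor", "roles": "administrator"}
]
""")


def _normalize(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def guessable_admin_logins(users, domain, business_name, personal_names):
    """Return {login: reason} for administrator accounts with guessable logins."""
    host = domain.lower()
    if host.startswith("www."):
        host = host[4:]
    # Terms the article says to avoid: domain, business name, personal name.
    guesses = {}
    guesses[_normalize(host.split(".")[0])] = "matches the domain name"
    guesses[_normalize(business_name)] = "matches the business name"
    for name in personal_names:
        for part in [name] + name.split():
            guesses[_normalize(part)] = "matches a personal name"
    guesses.pop("", None)  # ignore empty inputs

    findings = {}
    for user in users:
        # WP-CLI reports multiple roles as a comma-separated string.
        roles = [r.strip() for r in user["roles"].split(",")]
        if "administrator" not in roles:
            continue
        login = _normalize(user["user_login"])
        if login == "admin":
            findings[user["user_login"]] = "default 'admin' username"
        elif login in guesses:
            findings[user["user_login"]] = guesses[login]
    return findings
```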

Strong, Unique Passwords

A lot has been said about the importance of strong, unique passwords, so we won’t belabor the point here. 

As a reminder, ensure that all passwords for every user account are unique (unique from each other, and also unique from passwords used on other sites), are a minimum of ten characters, and contain a combination of lowercase and uppercase letters and special characters. 

The best practice is to use a strong password generator to create unique passwords for every site, then save these passwords in a highly secure password management system like LastPass.

Remove Inactive Users

Every user account attached to your WordPress website is another potential gateway to unauthorized access to your site. While there may be legitimate reasons for your WordPress site to have a large number of associated user accounts, make sure that you remove user accounts that are no longer being used.

For example, suppose you hire a freelancer to make some changes to your website, like performing SEO work, uploading articles, or making some changes to the layout of your site. 

Once the freelancer has completed their work, remove their user account. This task is easily performed in the Users section of your WordPress dashboard.

Keep WordPress Updated

New updates to the WordPress software are released regularly, and you must keep your version of the software up-to-date at all times. One of the most common reasons for the WordPress software to be updated is to fix or patch a security flaw. Since tech-savvy hackers can see which version of WordPress you are running, it becomes easy for hackers to specifically target websites running outdated versions of WordPress.

Keeping your WordPress software updated is as simple as enabling automatic updates. However, it is always a good idea to manually check your WordPress version from time to time, particularly after you hear of the release of a new update.

Keep Your Themes And Plug-Ins Updated

Plug-ins and themes are extremely common ways for hackers to gain entry to a WordPress website. 

Simply put, an out-of-date theme or plug-in is an open doorway for hackers to access your site. Luckily, there is a simple way of keeping that door firmly locked, and that is to ensure that your plug-ins and themes are constantly updated.

Within your admin dashboard, you can see at a glance if any of your plug-ins are out of date.

Updating an out-of-date plug-in is as simple as a click of a button, so make sure you take the time to update your plug-ins as soon as you notice that a new update is available. There are also additional plug-ins that will automate this process for you.

The same is true for your theme. Choose a theme that is updated regularly, rather than one that was created some time ago and has since been abandoned. For more information, check out 7 questions to ask yourself when choosing a WordPress theme.

Regularly Purge Unused Plug-Ins

Here’s a worrying fact about WordPress hacking attempts: it is widely believed that as much as 98% of successful WordPress hacks originate via plug-ins. This means that it is imperative that you keep only the most essential WordPress plug-ins and completely remove any plug-ins you are no longer using.

It’s perfectly natural to install different WordPress plug-ins from time to time to test out their functionality and to see if they may be of long-term use to you. However, once you have decided that a particular plug-in is not for you, rather than leaving it sitting idly in your dashboard, take the time to completely remove it. Doing so removes yet another doorway for unscrupulous hackers to access your site, and may even improve your site’s loading speed as a bonus.
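
The two plug-in habits above (update what you keep, remove what you don't use) can be turned into a repeatable check. The following is an added example, not part of the original article: it takes a plug-in listing in the shape WP-CLI produces and builds an "update" list and a "remove" list, then prints the matching WP-CLI commands for review. The sample plug-in names and function names are constructed for illustration.

```python
import json
import shlex

# Constructed sample in the shape of:
#   wp plugin list --fields=name,status,update,version --format=json
SAMPLE_PLUGINS = json.loads("""
[
  {"name": "contact-form-example", "status": "active", "update": "available", "version": "2.1.0"},
  {"name": "seo-helper-example", "status": "active", "update": "none", "version": "5.4.2"},
  {"name": "old-slider-example", "status": "inactive", "update": "available", "version": "1.0.3"},
  {"name": "trial-gallery-example", "status": "inactive", "update": "none", "version": "0.9.0"}
]
""")


def plan_plugin_cleanup(plugins):
    """Split a plug-in listing into 'update' and 'remove' work lists."""
    to_update, to_remove = [], []
    for plugin in plugins:
        status = plugin.get("status", "")
        if status == "inactive":
            # A deactivated plug-in still has its files on the server,
            # so it goes on the removal list rather than the update list.
            to_remove.append(plugin["name"])
        elif status.startswith("active") and plugin.get("update") == "available":
            to_update.append(plugin["name"])
        # Other statuses (for example must-use plug-ins) are left for manual review.
    return {"update": sorted(to_update), "remove": sorted(to_remove)}


def as_wp_cli_commands(plan):
    """Render the plan as WP-CLI commands to review before running."""
    cmds = [f"wp plugin update {shlex.quote(n)}" for n in plan["update"]]
    cmds += [f"wp plugin delete {shlex.quote(n)}" for n in plan["remove"]]
    return cmds


if __name__ == "__main__":
    for line in as_wp_cli_commands(plan_plugin_cleanup(SAMPLE_PLUGINS)):
        print(line)
```

Take a backup before running the generated commands, since `wp plugin delete` removes the plug-in's files.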

Regular, Comprehensive Backups

If your website has been hacked or compromised, you will need a recent, comprehensive backup of your WordPress site so that you can restore to a recent version and get back online with the smallest possible amount of downtime.  

Not only should backups be performed on a regular schedule, but you should also manually instigate a backup after you make any changes to your website. There are plenty of reputable plug-ins that will handle the entire backup process for you, including allowing you to set a schedule for automatic backups. 

Look for a plug-in that stores the data in at least two different formats, and take the time to back up your backup (so to speak) in a different physical location. For example, if you keep all of your backups on one laptop, you risk losing everything if your laptop becomes lost, stolen, or damaged. Backing up to a different physical location, like online cloud storage or a physical hard drive, obviates this risk.

To read more on this topic, check out how to recover your website after a plug-in or theme breaks it.


By prioritizing the above tips and ensuring that you take regular action to keep your WordPress site safe from hacking attempts, you can avoid becoming yet another victim of online hackers. 


At Asquared, we can keep your WordPress site safe and updated at all times. Learn more about our retainer packages by contacting us.