WP Security Header

Did you know that over 30,000 websites on the internet get hacked every day?

And, when it comes to hacking, WordPress websites are usually one of the more popular types of websites targeted by hackers. This is mostly because over 70% of WordPress installations have vulnerabilities that hackers could easily manipulate to their advantage.

These stats may sound a little scary, but there’s no need to panic.

We’re not trying to scare you off from using WordPress to build your website. Actually, any type of website on the web is vulnerable to hacker attacks, unless you take the necessary precautions to protect your website.

In this article, we’ll give you some of the best WordPress security tips that you can follow without any expert skills to keep hackers away from your site.

Most Common Ways Hackers Attack WordPress

Before you take any steps to protect your WordPress site from hackers, you’ll need to learn about some of the things that could make your website vulnerable to attacks.

Ever since WordPress became the most popular CMS on the internet, hackers have been spending more time to find new ways to attack vulnerable sites and use them for their evil bidding.

Here are the three most common methods they use to launch attacks:

Weak Passwords: The first thing hackers are going to do is try and guess your password for the WordPress login page. Believe it or not, “123456” is still the most popular password used by millions of people around the world. If you’re using this kind of password it should make the hacking process much easier for attackers.

Unsafe Plugins: There are so many wonderful WordPress plugins out there that it’s difficult to resist the temptation of installing them all. Unfortunately, most of these plugins are so poorly coded that they leave large security holes for hackers to easily squeeze into your website.

Weak Web Hosting: Using a web hosting provider with a poor security system is a welcome sign for hackers, especially when you use shared hosting plans to build WordPress sites.

So, what can you do to secure your website? Let’s find out.

#1 Use Strong Passwords and Two-Factor Authentication

Start your WordPress security challenge by adopting the habit of using strong passwords.

A strong password has to be at least eight characters long with a mix of uppercase and lowercase letters, numbers, and symbols.

Strong Password

Of course, remembering such a password will be impossible unless you have some sort of a superhuman memory.

That’s why you should consider using a password manager like LastPass, which keeps your passwords safe and also provides you with a nifty tool for quickly generating secure passwords.


The next thing you need to do is implement two-step verification for your website. This will prompt you to enter a secret code every time you login into WordPress, making sure that only you get access to your website.

WordPress doesn’t have this option in its system so you’ll have to install a third-party plugin. Google Authenticator for WordPress is the best way to add a two-factor authentication to your website.

Google Authenticator

These two strategies will protect your website from brute force attacks.

#2 Choose the Right Web Host

Don’t let those special offers or “lightning speed” web servers fool you into hosting your website with a hosting provider that doesn’t have a proper security system.

Look for a hosting provider with excellent security. Including server level protection, where the company takes care of server-side vulnerabilities and account isolation, which makes sure your website stays safe even when another website on the same server gets hacked.

Go for a managed WordPress hosting plan if you can afford it.

#3 Monitor Your Website

If your website suddenly goes offline for a long period of time for no apparent reason, it’s probably a sign of an attack. As soon as this happens, you need to take action to see what went wrong, check with your hosting provider, and start your fight against the hackers.

Get started with Uptime Robot and add a monitor to your website to check every 5 minutes for uptime. If your website goes offline, the Uptime Robot will send you an instant alert via email, SMS, or via Twitter.

Sucuri Plugin

To take things to the next level, install a WordPress security plugin, such as Sucuri Security and use its special scanning features to scan WordPress for malware and check blacklist engines to see whether your website has been flagged with a security related issue.

#4 Watch Out for Malicious Comments

When you receive suspicious comments with shortened links or weird usernames, never click on those links. Always throw them in the trash.


More importantly, remember to disable Pingbacks and Trackbacks on your WordPress website. These things appear whenever another website links to a page on your website. Pingbacks have been the source of one of the worst kinds of WordPress security vulnerabilities.

In 2014, a team of hackers used Pingbacks and Trackbacks on over 160,000 WordPress websites to deliver a DDoS attack on other websites.

#5 Download Plugins & Themes From Trusted Sources

While surfing the web, you may see some illegal websites that allow you to download premium WordPress themes and plugins for free.

Beware! Most of those websites are home ground for hackers who edit themes and plugin codes to add malware and release them online to take control of websites.

Remember what your mom told you: If something sounds too good to be true, it probably is.

proteusthemes wordpress themes

So, instead of being cheap and paying the ultimate price later on, spend some money to buy high-quality themes and plugins from verified sources like ProteusThemes.

#6 Keep WordPress and Plugins Up-To-Date

WordPress will automatically upgrade itself whenever a minor update rolls out. But it will prompt you to take action when a major update is available.

Update WP

These updates usually include fixes for WordPress issues and vulnerabilities. It’s vital that you always update your WordPress database every time a new update comes along.

Same goes for your plugins. If you hear any news about a vulnerability or security risk in a WordPress plugin, check and update to its latest version as soon as possible. Or remove the plugin from your website immediately.

#7 Backup Your Website Daily

Even if you go through all the trouble to prevent hacker attacks, learn to accept that some attacks are impossible to stop.

Apple certainly learned its lesson after its embarrassing celebrity photo leak. At the time, Apple was the world’s most valuable company. Even they couldn’t see that attack coming.

So, the next best thing you can do in addition to preparing a plan for preventing attacks, is creating a plan for recovery.

Having a reliable backup of your entire website content is the only way you can get your website back to normal after an attack.

WordPress Site

Choose a good backup service like VaultPress or BackupBuddy and keep daily backups of your website and all of its content. So that if something goes wrong, you have the ability to restore your site back to normal.

There are many more ways you can add security to your WordPress website. If you know any of those tricks, let us know in the comments.

Take a Look at Our WordPress Themes

Choose from a wide range of beautiful niche designs that you can try for free.

View All WordPress Themes
About the Author
It all started almost a decade ago when I got my first book about HTML. I instantly fell in love with the web, but I soon realized that with basic HTML it's not possible to provide a great user experience. So, I started to learn some advanced UI/UX techniques. Now I'm a designer way beyond just being a pixel pusher. If I'm not working, you are going to find me at the gym.