Submit a enquiry

    Back to all posts

    Making your WordPress site secure: what do you need to know?

    by Kishan Kotecha Partnership Manager

    WordPress remains the most important content management system online, and its position at the top has been unthreatened for a decade. Depending on your source, there are between 400 million and 800 million websites using it, and while most of those will be small sites, there’s still a huge number of large organisations using the platform – and that makes it a juicy target for hackers. After all, if a vulnerability can be found in one WordPress site, there’s a good chance it can be exploited in many thousands of others.

    But while the huge numbers present an opportunity for criminals, they are also one of the great strengths of WordPress. If a vulnerability is discovered by one of the thousands of people developing for WordPress, it can quickly be reported and fixes can be designed and distributed.

    That’s all fine, but it still relies on users keeping on top of their sites. Here are seven simple ways to make the job of hackers a lot more difficult.

    1. Keep WordPress updated

    The patches and upgrades we mentioned above are no use unless you actually install them. Hackers will be able to find out which version of WordPress you’re using and with that information they’ll know if it still has unaddressed vulnerabilities.

    Some site owners like to keep updates manual, so they can give any new versions a few days to run in the wild, just in case there’s an unexpected glitch. That’s fair enough, but just make sure you remember to update it after you’ve deemed it good to go.

    2. Always update plugins and themes

    Just like the platform itself, plugins too sometimes have vulnerabilities or bugs that could let hackers in. Once they have been discovered and corrected and a new version released, WordPress should inform you either by email or when you log into the back end.

    Again, this can be set to automatic, which is what many site owners choose, but if you prefer manual, don’t let them sit too long before updating.

    3. Enable two-factor authentication for login

    Passwords are fine, but if someone knows it, or finds it out, it’s like handing them a copy of your front door key. With two-factor authentication (2FA), they’ll also need something else to log in with, such as your phone, and won’t be able to access the back end without it.

    There are plenty of 2FA plugins available. If your host allows it, enable 2FA with your hosting package too.

    4. Ensure your hosting is using the latest version of PHP

    Another weakness is using outdated versions of PHP, the code that WordPress runs on. You’ll have to log into your site control with your host to update it, and WordPress will probably warn you if yours is out of date too. If you’re unsure how to update it, contact your hosting company.

    5. Backup your site

    Keeping regular backups of your site is useful. If it ever is hacked, you can revert to an earlier version, and along with beefed up security, you should be able to get back up and running with minimal disruption.

    6. Limit the number of users

    Often, hackers don’t need to brute force their way in. They might just rely on a careless or disgruntled member of staff or contractor. You might well need to grant back-end access to multiple developers and content contributors, but as soon as a person no longer needs access, suspend or revoke their account.

    7. Change the login URL

    A final simple step is to change the default login URL from or /wp-login.php to something else, whether it’s a few words or a random set of letters and numbers that only you know. It just makes it that bit harder for hackers to know where to start attempting to log in.