Popularity has its own side effects and more or less, it applies to everyone and everything. Internet has changed dramatically in the past decade but not every change has been positive. Malpractices like hacking websites and misusing them has been on the rise more than ever before. WordPress being one of the most popular CMS platforms on the web is exceedingly vulnerable to these threats. In a WordPress security survey conducted by Wordfence in the previous year, 38.5 % of the respondents agreed to have got their WordPress site compromised at some point of time. The good thing is that you can still be safe. By being vigilant and following some safe practices, you can save your website from being hacked without taking the help of any website security professional. In this blog, we will discuss about 10 best practices to keep your WordPress website secure.

1. Keep your WordPress updated

A security report, released by Securi earlier this year, reveals that 50% of the total WordPress sites hacked were out of date. WordPress keeps on launching updates that deals with the security issues of the previous version. There are major updates as well as minor updates. While major updates comes up with new features and functionalities, minor updates aims at fixing bugs and managing security issues. Therefore, it is important to apply these minor updates also to your website. You can also turn on automatic updates by finding an appropriate code here. Considering the fact updating a WordPress website is the easiest amongst all web platforms, there is no reason why you shouldn’t update it regularly.

2. Use strong login credentials

When you install WordPress, the WordPress admin account username is set to ‘’admin’’ by default with user id 1. This knowledge, coupled with the fact that most WordPress users don’t change the admin username or the default account, makes it easier for hackers to access the site. To make sure that the hackers can’t easily guess your username avoid using “admin” or any other basic name. You should either set a difficult admin username during setting up WordPress or (and this is a better alternative) simply create a new admin account with a strong custom username and delete the default admin account. This not only makes your username unpredictable, but also changes your account user id to something other than the default value.

Then comes the password. The password should also be strong so that the hackers can’t guess it. One of the worst things you can do is use “123456”, “abcdef”, “password”, or any other basic names as your admin password. You may be amused to see such passwords, but the reality is that a frightfully large number of people use such passwords. To be on the safer side, mix uppercase and lowercase letters with numbers and special characters that are not commonly used. Also keep the character length as long as possible. The longer the password the more difficult it is to use brute force attacks.

3. Keep a check on login attempts

Hackers attack websites by brute force, i.e., by attempting to put the admin name and password repeatedly until it matches using software. You can make your website safe by limiting the number of login attempts to 2-3. There are several plugins that help you do so. These plugins ban the IP address attempting to login for a certain period of time (that you can decide) and also send an email to the admin every time someone gets banned or tries to break in.

4. Managing Plugins and Themes

You need to be extra cautious while you activate any plugins on your site as more than half of the WordPress hacks are due to security holes in the plugins. Opt for plugins that are updated regularly and if you can manage without the functionality of a particular plugin, remove it. Also, keep in mind that a poorly coded plugin can make your site more vulnerable to hackers. Your themes should also be up to date. Avoid using plugins that are not updated in the past one year. As a thumbrule only use plugins which you absolutely must need and download the most popular plugins for that particular need. Popular plugins tend to be safer as they are updated regularly.

5. Choose the right Hosting Company

A certain percentage of the total WordPress hacks is also due to security issues with the hosting company who don’t follow server security best practices. While choosing your website hosting company, make sure that the company doesn’t compromise with security related issues. Among other features the company is offering, you should make sure that the company provides support for the latest PHP and MySQL versions and is optimized for running WordPress. It should also have web application firewall and intrusion detecting system.

6. Anti-virus updates for your computer

It’s not always the website that has security holes. The devices you are using to access your website should also be malware free. If your computer is infected by viruses, your admin name, password, and other crucial information is at risk. Make sure all the computers used to manage your site have an up to date anti-virus program installed in them.

7. Go for two step login authentication process

A two step login authentication process removes almost all the probability of your website being hacked by brute force attacks. It asks for an authentication code every time someone tries to login to your website. The code is sent over only to the authorized phone number or can be any secret code you set by default. It can be little cumbersome to follow this, but certainly protects your website from dangerous hacking attempts.

8. Move the location of your login page

The default login address of your WordPress account is http://www.yourwebsite.com/wp-admin/ or http://www.yourwebsite.com/wp-login.php. Like us, everyone else knows it too. When an attacker knows your login page, he can easily try to decode your password by brute force attack. To hide it from hackers, you can change the location of your login page by installing a good plugin or changing the source code, if you know PhP coding.

9. Backup data at regular intervals

Not matter how careful you are, nothing is 100% secure on the web. In spite of all the steps you take to secure your website, there is always a chance of it being compromised. Therefore, you should always be prepared for the worst. Frequently backup your database, theme files, and media files. It can be painless by using plugins that automatically backs up your website at fixed intervals.

10. Use a good security plugin

For implementing some of the points mentioned above, you will have to use a plugin if you are not a web developer yourself. So instead of adding different plugins for different security needs, you should choose a good plugin that takes care of most of the above points and also some advanced security measures like database prefix customization and .htaccess modification. Use any of the popular wordpress security plugins like Wordfence, iThemes or Securi. Using any of these will ensure that all the security concerns are taken care of. If you are more serious about your website security, go for their premium versions. It wouldn’t harm to pay up a little for the assurance that your website is completely secure.


The Securi report mentioned above also found out that out of 11,000+ sites hacked this year, 75% of them were on a WordPress platform. But that doesn’t mean the CMS system has shortcomings within itself. It is mostly compromised because of improper configuration, poor maintenance of the sites or vulnerable plugins. A watchful eye and adherence to the best practices is all you need to keep your website safe.

But if taking care of all the above points becomes too much for you you can also go for professional WordPress maintenance services. Professionals would know about maintaining a website the best possible way (including taking regular backups) and can be extremely helpful in protecting your site from unwanted malwares, phishing, and other mal practices. Make sure the company is reliable and provide 24×7 support services and solutions to their customers.