Security on your WordPress website

Security is a high priority here at The Website School. Why go to all that trouble of building a beautiful website that functions perfectly and then just having some hacker go in and mess it up.

Unfortunately it happens. Even to the best of us.

Just checkout how many websites have been hacked just today

Imagine having a bricks and mortar shop in your local high street and leaving the door unlocked and the windows open. That’s how your website can appear. However, there are a few easy rules to follow to help prevent unauthorised access to your precious files.


It’s important to have as good hosting for your WordPress website as you can afford as it’ll likely come with the bells and whistles required to make your site as secure as possible. Hosting agencies also don’t want the websites they host to be hacked as it can infect other website they host too so it’s also in their interests to lock security down as much as possible. Here’s a few pointers.

  1. You get what you pay for. Cheap solutions aren’t always all they’re cracked up to be. Don’t skimp on something so important.
  2. Look for a backup function included. That means there’s always a fall back if the worst happens. Lots of hosts have their own which is preferable, but you can also use a plugin like Updraft Plus which has a free version too.
  3. Up to date PHP. Having the latest version available will help your website run better as well as eliminating any bugs that older versions may have that hackers will look to exploit. This doesn’t necessarily mean you need to manage it yourself (or even know what it means) but look for a hosting solution that offers managed PHP.
  4. Use a CDN service like Cloudflare. CDN stands for Content Delivery Network which basically means that your content is placed on a globally spread group of secure servers so that wherever your audience is in the world, they’ll be served content from the nearest source which means faster page loading times. However, there are other benefits. Using a good CDN can also help protect your website against malicious attacks like DDOS. And no-one wants one of those! The good news is that Cloudflare has a free plan. That’s a no brainer.
  5. You can also install a security plugin like Wordfence or iThemes Security. They help protect against all sorts of things like brute force login attempts and malicious code injection. The good news is that there are free version for both these solutions.


This involves reviewing those who have access to the back end of your website. Specifically, this is for those with administrator access, but also, editor access. Those with administrator access need to adhere to these rules as they have ultimate access to your website.

  1. Delete anyone who doesn’t need access at all. There could be someone you provided access to a while ago to make a few changes or maybe another reason. If they don’t need access any longer, remove them.
  2. Try and have just 1 user with administrator privileges. This reduces the opportunity for abuse.
  3. Make sure that the username for anyone is not ‘admin’. This is an absolute no no, and one of the most obvious for hackers to try first. When you first install WordPress, it may have ‘admin’ as a default username. Override it and make it something else – less guessable.
  4. Ensure your passwords are ’strong’ passwords. Always. This is a series of random numbers, letters and symbols. Those generated by WordPress are fine. Never use a weak password. Or you can generate a strong password by using this free random password generator tool from Experte. Not only will it generate a strong password but you can use the tool to enter your own password, then it will show you how long it might take to crack it. I tried this with a couple of ‘old’ passwords I don’t use any more. The tool told me it would take a computer 446 years to crack. My preference is to use one of their generated passwords which will take a trillion years to crack!
  5. You could also look at using Two Factor Authentication. There are free tools around. Duo Security is a good one. It uses a second device (your phone) to authenticate your access.
  6. Lastly, when you’re finished with any changes or activity in the back end of your website, make sure you log out properly. Don’t just close the browser window. Hackers will look for active logins to exploit.

Statistics show that 35% of users use weak passwords

Top 5 worst passwords of 2019

Every year, SplashData and TeamsID compile a list of the worst passwords of the year. In fact, this is their 9th successive year. Here’s the top offenders for 2019.

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 1234567

Staggering isn’t it! Read the whole list of 50 here. (


Software that isn’t kept up to date also provides an opportunity for hackers as outdated plugins and themes can expose vulnerabilities which hackers can use to access your website files.

According to research, nearly 50% of the plugins in the repository have not been updated in over 2 years. (source)

  1. Make sure you check regularly (at least once per month) for any updates and action them asap. This is for any unused plugins too, but if you have plugins you’re not using and don’t intend to use, deactivate if necessary and delete them. To make it easier to keep plugins up to date, you can now enable ‘auto updates’ so that when an update is available, it’ll be done automatically.
  2. Delete any plugins that are no longer supported and find an alternative. The quote above suggests that there is a huge number of plugins that are no longer cared for. These are like gold dust to a hacker – a never ending supply of opportunities. Don’t let that opportunity be you.
  3. Update the core WordPress version as soon as you see an update is available. Lots of web hosts also make it an automatic option too to save you the trouble.
  4. Additionally, update your themes (even those you aren’t using) as soon as you see an available update. Hackers will look for anything out of date in order to gain access.

So, whilst you might be feeling quite nervous after reading through to the end here, don’t panic. As you can see, there are lots of things you can do to help protect your website. And lots you can do right now. So get to it. Today!

Sign up for email and never miss a thing

Share this Post

Leave a Comment