Like many, launching your website was likely one of the most fulfilling experiences you’ve ever had. After months (or weeks) of planning and coding, you were able to go live and share your business or passion with the world. But silently, in the back of your mind you’ve been wondering whether your site is as secure as it can possibly be. It’s a scary thought. Imagine your site getting hacked because you chose to use ‘password123’ as your administrator access password, or finding that a customer’s credit card details were stolen because your SSL certificate wasn’t installed correctly? These and many other horrors are possible, so in this blog post we’ll share eight easy ways to secure your WordPress site.

Secure your WordPress site with stronger passwords

WordPress websites get hacked regularly, so it’s a good idea to update the passwords you use to access your website back-end regularly. Password practices are not complex and here are three best practices to keep in mind when you update yours:

  1. Go alphanumeric and use special characters to add an extra layer of complexity.
  2. Make your password unique. Don’t settle for your name, the numbers 123, and an exclamation mark. Mix things up and try not to use personally identifiable information.
  3. Eight or more characters is good. The more characters you use, the more complex the password and the harder it is to crack.

Don’t miss an update

According to research, 83% of WordPress site hacks are due to outdated WordPress and plugin versions.

Source: WPBeginner

Updates matter for three reasons:

  1. Increased security. Updates to core plugins and themes patch vulnerabilities uncovered by developers, making it harder for hackers to exploit your website.
  2. Fix bugs. As with all computer applications, bugs are just a part of the deal. Regular bug fixes make the functionality element of your site work better.
  3. New features and functionality updates. With the web growing at an amazing rate, the demand for new design features and application functionality drives WordPress developers to enhance pretty much everything they can. Updating your version of WordPress gives you access to all of the new features and functionality.

A word of advice: be sure to backup your site before you complete an update (see ‘Backup your site regularly’ for details).

Backup your site regularly

Online threats can happen at any stage, as can natural disasters. Regular backups ensure that you’re always ahead of the curve. A tool that you can use for this is a plugin called BackupBuddy. It’s been around since 2010, is easy to use and will backup everything from your posts, pages, menus, database, images videos and settings, to your theme and core WordPress files and so much more.

Force HTTPS for all connections to your website

It’s no secret that having an SSL certificate active on your site will be the only way you’ll be able to have your site show up in Google. It’s been something that Chrome and many other browser vendors are pushing for to create a safer web experience for all. This means that having an SSL certificate is no longer just a nice thing to have, it’s a must have. Setting up your SSL certificate in WordPress can be pretty confusing sometimes, so we found a quick way to complete your install using a free plugin called Really Simple SSL. It’s easy to use and you’ll only need to have an issued certificate on hand before you can use the plugin. Note: your SSL certificate still needs to be installed on the server where your website is hosted. Activating SSL in WordPress is tricky and this plugin takes care of the activation for you. The plugin will handle all the complexities of the setup and push all of your traffic through an HTTPS connection.

Limit your number of login attempts

A smart feature that comes with is the ability to limit the amount of failed login attempts from a specific IP range. This helps you limit the number of attempts from hackers trying to gain access to your website. You can activate this feature with a really smart plugin called Login Lockdown. The plugin records the IP address of every failed login attempt and is smart enough to block all future attempts from the same IP range if the set limit is reached in a short period of time. While it is possible for hackers to get around the IP range limitation, the plugin helps limit a fair amount of the risk associated with access to your admin account.

Get a malware detector

While malware has been around for a while in different forms, threats have become more sophisticated. More recent outbreaks like Petya and Wannacry prove that it’s possible to bring some of the biggest organisations to their knees in a matter of hours. Worse, if Google spots malware on your site, it can blacklist it until even after the malware is removed.

Google Chrome error message for a malware infected website

When it comes to website malware, some of the more common instances are in the forms of infections and include:

  • Injection attacks such as code injection, command injections or database injections
  • Cross-site scripting
  • User created content
  • Malicious advertisements
  • Web application or server vulnerabilities

Having a malware detection tool helps you quickly find and remove malware. We offer a range of malware detection solutions. One of the most popular is the GeoTrust Web Site Anti-Malware Scan. It also comes in the Basic Website Scan version, and here’s a breakdown of features of both solutions:

Use AVS and CVV

Making sure that your website prevents fraud as much as possible is important when it comes to credit card purchases. Nobody wants to be caught in the middle of a credit card fraud case or be responsible for selling products to hackers with stolen credit card details. Enabling Address Verification (AVS) and Card Verification Value (CVV) are two way to protect consumers and your brand’s identity. Most ecommerce platforms support both AVS and CVV, however you may need to activate the feature on the back-end.

Invest in DDos protection

DDos (Distributed Denial Service) is a type of attack where a hacker takes control of a large group of computers and uses them to flood a victim’s server with requests for information. With the increase in requests that the victim’s server cannot manage, it crashes. Having a DDos solution used to be something that only large organisations could afford. Today, solutions are available to small businesses. One of the most prominent solutions is Cloudflare’s DDos Protection service.


Owning a WordPress website doesn’t have to be a security nightmare. Using these eight tips, you’ll be able to secure your WordPress site fast so you can focus on building your business.


Submit a Comment

Your email address will not be published. Required fields are marked *

Share This