Website Security


stay safe // stay secure

Website Security is about understanding how to keep your site safe. To do that, it’s essential first to know why hackers attack websites at all.

Website Security – Why do sites get hacked?

There’s no foolproof way to make your site secure, but there are some simple steps you can take to boost security and put up a good fight.

To understand how to keep your site safe, it’s essential first to know why hackers attack websites at all.

Hackers go after websites for three main reasons:

  1. They want to use your site to send spam email.
  2. They want to steal access to your data, mailing list, credit card information, etc.
  3. They want to use your site to push malware onto your machine or your users’ machines.

Malware, or malicious software, can be installed in a way that makes it very hard to tell it’s even there. Great for the hackers, not so great for your site.

Hackers will often do this to use your machine in larger-scale attacks, such as a Denial-of-Service attack.

Why Do Hackers Target WordPress Specifically?

The short answer – because WordPress is widespread, with an estimated 75 million sites worldwide.

Put yourself in the mindset of a hacker for a second. If you want to take over many websites for your nefarious purposes, would you spend all of your time trying to find vulnerabilities on a platform only used by 500 websites?

Or would you try to break the platform with hundreds of millions of sites?

WordPress is incredibly popular, and as such, a target for hackers. The WordPress core is very secure, which makes it pretty hard to hack.

Website Security – Themes and Plugins

Because anyone can write additional tools for WordPress, such as themes and plugins, not all extensions may live up to the same code review standards as the WordPress core.

A plugin can have security flaws that can impact thousands of WordPress sites all at once.

Don’t worry. The open-source nature of the code is also what makes it strong. It allows white hat hackers to find exploits and report them quickly so that developers can patch the security holes, and it lets the wider developer community help improve security over time.

Security patches also allow third parties to create even more robust security solutions.

Website Security – The Bottom Line

The bottom line is that your WordPress site could get hacked at any moment (that’s true for any website). But there are several things you can do to increase security and make it a little harder for hackers to mess things up.

Here’s a list of some of those different ways to enhance your site’s security, starting with the most basic (and essential), working up to the more advanced options that may not be necessary or practical for everyone.

1. Use Smart Usernames and Passwords

It seems obvious, but many WordPress users overlook this important security measure.

Your username and password are to WordPress what locking your front door is to home security, and it doesn’t matter how good your security system is if you leave the door open for anyone to walk through.

As for the username, steer clear of picking something typical like “admin” or the name of your site. Those will be the first things a hacker tries to guess.

The same rule of thumb goes for the password; don’t pick anything obvious. If your WordPress password is short, a readable word, reused on multiple sites, or simply something someone could guess, it needs to be stronger.

If you have trouble remembering a random password (or you want to be extra secure) you could always try using a tool such as 1Password or LastPass.

And, if you have a site with several WordPress users or allow visitors to create their own accounts, you can add the No Weak Passwords plugin to make all users keep their passwords beefy.

2. Keep Themes, Plugins, and WordPress Updated

Updates can be a pain to keep up with, especially if you have lots of plugins installed on your site. But you must try.

Themes and plugins occasionally have security vulnerabilities, which the developer patches as soon as they’re discovered. It’s important to update regularly because many malicious bots specifically search for out-of-date plugins and themes with known vulnerabilities.

Plus, updates often patch other bugs and enhance usability, so it’s a win all around. When installing new plugins, be sure to check if they have any known and unfixed issues.

You don’t have to give up on a plugin that has a history of vulnerabilities – most of the best plugins will show a few – but it’s definitely something to note when comparing options.

Aside from updating your themes and plugins regularly, staying on top of WordPress core updates is crucial and is recommended for security protection.

If there’s an update ready, you’ll see a notification in the WordPress dashboard. Or if you’re on a managed WordPress host like Flywheel, they’ll take care of core updates for you. You don’t have to worry about them at all.

3. Uninstall Inactive Plugins and Themes

Even deactivated plugins and themes can have vulnerabilities, and for that matter, can still take up your server’s resources. It’s best to uninstall any plugins or themes that aren’t actively in use.

If this idea stresses you out, remember: You can always reinstall themes or plugins later if you need to.

4. Add Captcha

There are several variants of Captcha out there, but the idea is the same across plugins and methods: force any site visitor who tries to submit a form to first prove they’re human.

While it was once a troublesome and inconvenient option, Captcha has improved dramatically in recent years. Plus, it protects all kinds of forms on your site, so it does double duty by helping to stop hackers and prevent spam.

5. Limit the Login Attempts

One tactic some hackers use, known as a brute-force attack, is to continuously guess your username and password to get through your site’s front door.

Various plugins out there will help prevent this by blocking an IP address from making further attempts once it exceeds a specified number of retries.

This tactic is highly effective at making a brute-force attack difficult or even impossible to perform.
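One way to implement this lockout without a plugin, as an added example that is not from the article or from any plugin it names, is a small must-use plugin that counts failures per client address in a WordPress transient and refuses logins from that address once the limit is hit. The limit, window and lockout message are assumed values; the example also assumes the site is not behind a reverse proxy, so `REMOTE_ADDR` is the real client address.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example (not the article's own code). Save as
 *              wp-content/mu-plugins/login-limiter.php to load it automatically.
 */

// Assumed policy values: 5 failures within 15 minutes lock the address out.
define( 'EX_MAX_ATTEMPTS', 5 );
define( 'EX_WINDOW', 15 * MINUTE_IN_SECONDS );

// One transient per client address. If your site sits behind a proxy or CDN,
// derive the address from the proxy's trusted header instead of REMOTE_ADDR.
function ex_attempt_key() {
    return 'ex_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Count each failed login for this address. Resetting the expiry on every
// failure means the lockout extends for as long as the guessing continues.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = ex_attempt_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, EX_WINDOW );
} );

// Priority 30 runs after WordPress has checked the username and password
// (priority 20), so a locked-out address is refused even with correct credentials.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ex_attempt_key() ) >= EX_MAX_ATTEMPTS ) {
        return new WP_Error(
            'ex_too_many_attempts',
            sprintf(
                'Too many failed login attempts. Try again in %d minutes.',
                EX_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( ex_attempt_key() );
} );
```

Because the transient is keyed by address, a legitimate user behind the same NAT as an attacker can be locked out too; that trade-off is inherent to any per-address limiter, including the plugins the article refers to.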

If you host your site with Kevin Oliver Web Design, you don’t have to worry about this step – you’re welcome.

6. Add an SSL Certificate

SSL, or Secure Sockets Layer, is a protocol used to secure and encrypt communication between computers.

In other words, it helps keep sensitive information exchanged with your site secure, including things like passwords, credit card information, banking credentials, etc.

It is indicated visually by the little green padlock in your browser’s address bar. While this isn’t technically necessary for all sites, it’s incredibly beneficial (and essentially required) for any WordPress site collecting sensitive user information.

But even if that’s not the case, an SSL certificate still helps secure your site’s transmissions and builds trust with your users.

Another big reason for adding an SSL certificate to your WordPress site is Search Engine Optimisation (SEO).

Google has announced that they will flag sites that store passwords or credit card information without SSL as insecure, as part of a long-term plan to mark all websites, whether they collect data or not.

You can read more about SSL in my article, SSL – Secure Sockets Layer.

7. Add Two-Factor Authentication

Another way to prevent brute-force login attempts is by setting up two-factor authentication.

This method requires two verifications – a password and an authorization code sent to your phone or email – to log in.

While it takes a little more time for people you trust to log in, it also makes it a whole lot harder for people you don’t trust to gain access to your site.

You can add two-factor authentication to your WordPress site login, and some hosts offer it for your hosting account as well.

8. Move Your WordPress Login Screen

Many WordPress hacks come from malicious bots that are programmed to crawl the web looking for WordPress sites.

Once they find one, they’ll add “/wp-admin/” to the end of the site’s URL to get to the login screen and try to force their way through.

The Rename wp-login.php plugin allows you to change the location of your login screen from /wp-admin/ to whatever you want. You could use something like /mysitelogin/ or /open-sesame/ or anything else your heart desires.

Whatever you choose, any user who tries to use the old /wp-admin/ link will only see an error message, which will help stop bots and would-be hackers in their tracks.

Note: Moving your WordPress login screen will mean that you’ll have to share the new login URL with anyone who logs into WordPress on your site, or they won’t be able to access the admin area.

9. Use CloudFlare

CloudFlare is more of an advanced option and certainly not one that everyone needs. It is an external service that acts as a sort of filter between your servers and your users.

A good thing about CloudFlare is it offers many security and performance options, several of which are available on their free plan.

While most sites don’t need to worry about DDoS attacks, CloudFlare is excellent at preventing them, since the IP address of your server is entirely masked. CloudFlare also offers a variety of other security options, including blocking IP addresses or specific regions.

10. Back Up Your Site Regularly

Backing up your site routinely is a safety precaution that will make your life easier if hackers find their way into your site.

By having a recent copy of your site, you’ll be able to restore it smoothly to the state it was in before it was compromised. You won’t be in the position of trying to figure out what to do next.

Website Security – Moral of the Story: While WordPress is very secure, be smart with your site and have a game plan for the day it does get hacked (AKA backups).


Website Security – Conclusion

While WordPress is a secure platform, being smart with your website security is the obvious thing to do. Have a plan for the (unlikely) day it does get hacked (AKA backups).


If you think I could help you with your website security, get in touch.
