There are some scary articles these days about hackers busting into WordPress sites. Sometimes it seems that every day yet another plugin has been compromised or declared unsafe. And sometimes it even seems like it’s the same plugin over and over again (I’m looking at you, Elementor). With all the hacking going on, it seems impossible to secure your WordPress website.
It’s not impossible. In fact, WordPress can be one of the most secure platforms out there. Unfortunately, you can’t just set-it-and-forget-it. Think of your WordPress site as a living thing that you have to tend to, like plants or your cat. To keep hackers out, you need to be an active participant in your site’s care — or hire someone to manage it for you.
Still, you might think that all these hand-wringing articles about security breaches don’t apply to you. Think again, my friend.
Yes, someone wants to hack your site. There are people around the world whose main job is to hack into WordPress websites. It’s not personal. They don’t care who you are, how popular (or unpopular) your site is, or what your site is about. So yeah, your lil’ ol’ personal blog about backyard snails is ripe for hacking. But why do they want to hack your site? It’s just snails, for crying out loud.
Hackers may not care about your snails. What the hackers want is access to your host's server, which they can use to send spam, host phishing pages or attack other sites. And the way they get in is through your site. And why? For some hackers, "because they can" is enough. Shutting down sites or servers is a fun hobby for them. Or, they could be doing it to extort a site for money. No matter what the reason, you're being targeted even if your site isn't very active. Especially then, in fact, because an inactive site is usually an unmaintained one, and unmaintained sites are the easiest to get into.
That’s the scary part. But what to do about it? First, don’t blame WordPress. The platform is designed to be secure, but like I mentioned it’s going to take some active participation on your part. You can do it without any technical knowledge, and in this article I’ll show you how.
Keeping the Hackers Out
You might be surprised to learn that it’s not very hard to protect your WordPress site. You don’t have to know any coding languages or have a degree in cyber security. Let’s get to it.
Update!
This is the easiest thing you can do, and one of the most neglected by WordPress users everywhere. There are three main areas of your site that need to be updated on a regular basis:
- Core
- Themes
- Plugins
Most of the time, you can update everything on your site in just a few minutes, and WordPress makes it easy:
- Log in to your site's admin.
- In the Admin Dashboard, navigate to the left-side menu and click Updates.
This screen will show you all the areas that need updates. You can take care of them all right there. Since WordPress 5.5 you can also turn on automatic updates for individual plugins and themes (from the Plugins screen and the theme details in Appearance), which is worth doing for the ones you trust. Either way, click around your site afterwards, because an update can occasionally break something, and you want to find out while you still remember what changed.
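If you have shell access to your host, here is the same chore done from the command line with WP-CLI, as an added example (this is not code from the original article). It assumes WP-CLI is installed on the server and that WP_PATH is your site's root folder; both are assumptions you will need to adjust. It lists what is outdated by default, applies everything with `--apply`, and takes a database export first so a bad update can be rolled back.

```shell
#!/bin/sh
# Added example: check for and apply WordPress updates with WP-CLI.
# Assumptions: WP-CLI (the `wp` command) is installed and WP_PATH is the
# site root. Not code from the original article.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"   # assumption: where the site lives

# Print the names of plugins or themes whose "update" column says
# "available". Reads the CSV that `wp plugin list --format=csv` emits
# (name,status,update,version) and skips the header line.
names_with_updates() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Ask the live site which plugins or themes ($1 is "plugin" or "theme")
# have an update waiting. --skip-plugins/--skip-themes stops a broken
# plugin from crashing WP-CLI while we are only looking.
list_outdated() {
    wp "$1" list --format=csv --fields=name,status,update,version \
        --path="$WP_PATH" --skip-plugins --skip-themes | names_with_updates
}

apply_updates() {
    # Snapshot the database first: an update that breaks the site can
    # then be undone with `wp db import`.
    wp db export "backup-before-update-$(date +%Y%m%d-%H%M%S).sql" --path="$WP_PATH"
    wp core update --path="$WP_PATH"
    wp core update-db --path="$WP_PATH"     # run core's own DB migrations
    wp plugin update --all --path="$WP_PATH"
    wp theme update --all --path="$WP_PATH"
}

if [ "${1:-}" = "--apply" ]; then
    apply_updates
elif command -v wp >/dev/null 2>&1; then
    echo "Plugins with updates available:"; list_outdated plugin
    echo "Themes with updates available:";  list_outdated theme
fi
```

Run it without arguments from a cron job and you get a weekly reminder by mail of what is outdated, which is the calendar reminder from the article without the calendar.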

How does this make your site more secure? It's just like your computer or your smartphone. Developers often release updates specifically to plug security holes, and once a hole is public, attackers scan the web for sites still running the old version. Leaving outdated plugins running on your site is like leaving your front door unlocked. Depending on the plugin, they can even grab user login credentials, and that's all they need to shut you down.
So imagine if you didn’t update your site for a few years. If you’re like a recent client of mine, you arrive at your website to find that it’s been replaced by a blank space. We were able to get them back into their site, but their content was gone forever.
Updating is the easiest thing you can do. Put reminders in your calendar and check your site updates at a minimum once a month, preferably once a week. It only takes a few minutes to save you from ultimate doom.
Usernames and Passwords
Password
Let’s talk about your password. If you’re still using 1234 or (gulp) password as your WordPress login password, then I’m going to make a logical leap and guess that you’re using the same thing on other sites as well. If that’s the case, then I implore you stop reading this article right now and go change all your passwords everywhere to something better. Right now. Please.
Hey, I get it. So many passwords. You just want it to be easy. But if it’s easy for you, it’s easy for hackers, too. I highly recommend using a password manager like 1Password to help you to wrangle all your passwords. It’s secure, encrypted, and the best part is that they’ll generate impossible-to-guess passwords for you. Try it!
If you prefer to choose your own password, that’s fine. I do that sometimes, too. Make it as difficult to guess as possible. A few tips:
- Don’t use your name, site name, or username as part of your password.
- Use a combination of lowercase and uppercase letters, numbers, and symbols like # or +.
- Make it at least 14 characters long. Longer is better, and length does more for you than any particular symbol.
A strong password will go a long way towards making your site more secure.
Username
You know the first username hackers check? Admin. Yup. It’s fairly common, and that’s what hackers want — the lowest-hanging fruit. The top usernames tried on this site in the past month were:
- admin
- user
- wp-dj
- dj
- djbillings
None of these are active usernames on this site and they failed, of course. But it demonstrates the thought process behind guessing usernames on a WordPress site.
So how to choose a secure username? Thankfully, it's not as challenging or complex as choosing a good password. One caveat first: WordPress does not treat usernames as secrets. Author archive links (visiting /?author=1 redirects to /author/your-username/) and the REST API (/wp-json/wp/v2/users) can reveal them, so an unusual username is a speed bump that cuts down on blind guessing, not a lock. The password, and the 2FA I get to below, are what actually keep people out. With that said, here are some tips on creating a good username:
- Don’t use admin, editor, or any other WordPress user role.
- If you do use your name, change it up a little. For example, instead of "nancy," use something like nancy.writes or nancy1000. (WordPress usernames can only contain letters, numbers, spaces, underscores, hyphens, periods and @, so a symbol like # won't work here.)
- Don’t use your birthdate as part of your username, like “chad1985.” It’s easy to guess that the number is your birth year, and you just gave away some private information about yourself. Even if they don’t hack your site, they might piece some info together from your blog and try using that info on other sites you frequent like, say, your bank.
- That said, if your name is Nancy and you were born in 1970, then using chad1985 is brilliant.
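Before you agonise over the username, it is worth seeing what your site already tells the world. Here is an added example (not code from the original article) that asks your own site the two questions an attacker would: where does /?author=1 redirect, and who does the REST API list? SITE is an assumption; point it at your own site, and only your own site.

```shell
#!/bin/sh
# Added example: find out which usernames your WordPress site advertises.
# Assumptions: curl is installed and SITE is your own site's URL.
# Not code from the original article.
set -eu

SITE="${SITE:-https://example.com}"   # assumption: replace with your site

# Pull the "slug" values out of a /wp-json/wp/v2/users response.
# The slug is WordPress's user_nicename, which is derived from the login
# name unless someone changed it, so it is very often the login itself.
slugs_from_users_json() {
    grep -o '"slug":"[^"]*"' | sed -e 's/^"slug":"//' -e 's/"$//'
}

# WordPress redirects /?author=N to /author/<slug>/ for the author
# archive of user ID N. ID 1 is usually the first administrator.
author_redirect() {
    curl -s -o /dev/null -w '%{redirect_url}\n' "$SITE/?author=$1"
}

# Users who have published a public post are listed here by default.
rest_users() {
    curl -s "$SITE/wp-json/wp/v2/users" | slugs_from_users_json
}

if [ "${1:-}" = "--check" ]; then
    echo "/?author=1 redirects to: $(author_redirect 1)"
    echo "User slugs from the REST API:"
    rest_users
fi
```

Run it with `--check`. If a username shows up in either answer, you know the only things protecting that account are its password and 2FA, which is fine, as long as those are in place. Security plugins can hide both of these, and you can also change a user's nicename, but the point stands: don't rely on the username being unknown.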
Backups
The secret to real estate investing is location, location, location. The secret to securing a website — or any digital info — is backup, backup, backup. Backing up doesn’t actually keep hackers out. The reason it helps make your site more secure is because if you do get hacked, you can restore your site to the way it was before you were robbed. Trust me, knowing that you can restore your entire site after getting hacked or if something just goes wrong is a huge relief.
Backing up your site’s data can be difficult or easy.
The difficult way is to connect to your site folder on your host's server with SFTP (not plain FTP, which sends your password across the internet unencrypted), copy all the files and folders to your hard drive, cloud drive, or external drive, and then export the database separately, usually through phpMyAdmin in your hosting control panel. The database step matters: your posts, pages, settings and user accounts live in the database, not in the files, so a copy of the files alone cannot bring the site back. It's tedious. And while you can back up your site successfully this way, you don't have to.
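For the curious, here is the "difficult way" written down as a script, as an added example rather than anything from the original article or from UpdraftPlus. It assumes you can log in to the host with SSH and that mysqldump and tar are available there; WP_PATH and BACKUP_DIR are assumptions to adjust. It reads the database credentials out of wp-config.php so you never type the password into the script, dumps the database, tars the files, and writes checksums so you can verify the copy once you have moved it off the server.

```shell
#!/bin/sh
# Added example: a manual WordPress backup (database + files).
# Assumptions: SSH access to the host, mysqldump/tar/gzip/sha256sum
# installed, WP_PATH is the site root, BACKUP_DIR is outside the web root.
# Not code from the original article.
set -eu

WP_PATH="${WP_PATH:-/var/www/html}"                  # assumption
BACKUP_DIR="${BACKUP_DIR:-${HOME:-/tmp}/wp-backups}"  # assumption

# Read one define('NAME', 'value') from a wp-config.php supplied on stdin,
# e.g. `wp_config_value DB_NAME < wp-config.php`. Handles the spacing and
# quote styles WordPress's own sample config uses.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" | head -n 1
}

backup_site() {
    cfg="$WP_PATH/wp-config.php"
    db_name=$(wp_config_value DB_NAME < "$cfg")
    db_user=$(wp_config_value DB_USER < "$cfg")
    db_pass=$(wp_config_value DB_PASSWORD < "$cfg")
    db_host=$(wp_config_value DB_HOST < "$cfg")

    # DB_HOST may be written as "host:port"; mysqldump wants them apart.
    case "$db_host" in
        *:*) db_port="${db_host#*:}"; db_host="${db_host%%:*}" ;;
        *)   db_port=3306 ;;
    esac

    dest="$BACKUP_DIR/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    chmod 700 "$BACKUP_DIR" "$dest"   # the dump holds every post and password hash

    # --single-transaction gives a consistent snapshot of InnoDB tables
    # without locking the live site. MYSQL_PWD keeps the password out of
    # the command line, and therefore out of `ps` for other users.
    MYSQL_PWD="$db_pass" mysqldump --single-transaction \
        --host="$db_host" --port="$db_port" --user="$db_user" "$db_name" \
        | gzip > "$dest/database.sql.gz"

    # Everything under the site root: core, wp-config.php, plugins,
    # themes and uploads.
    tar -czf "$dest/files.tar.gz" -C "$WP_PATH" .

    (cd "$dest" && sha256sum database.sql.gz files.tar.gz > SHA256SUMS)
    echo "Backup written to $dest"
}

if [ "${1:-}" = "--run" ]; then
    backup_site
fi
```

Run it with `--run`, then copy the dated folder somewhere that is not the same server (`sha256sum -c SHA256SUMS` on the other end confirms nothing was damaged in transit). A backup that only exists on the machine that just got hacked is not much of a backup.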
The easy way is by using a plugin. The best plugin for this IMO is UpdraftPlus. I use it on all my sites and it's never failed me. UpdraftPlus lets you back up your entire WordPress site with a click. You can choose to back up your database, themes, plugins, uploads, or any one at a time. You can run a manual backup any time, and you can schedule backups to run without having to log in to your site.
Backups can be stored on your server (not the best place: anyone who breaks into the server, or a host that loses your account, takes the backups down with the site), or in a cloud drive like Dropbox or Google Drive, or you can have them emailed to you. Whatever you pick, keep at least one copy somewhere other than the server itself.
UpdraftPlus is free to use, and they have an upgraded version that lets you do cool things like migrate a site. You can download it on their WordPress.org page, or just search for it in your WP Admin.
Security Plugins
I saved this one for last, because you can implement everything else I’ve mentioned and have great security. However, you can take it one step further and lock your site down at an even higher level.
There are many security plugins out there for WordPress, but the one I use consistently is Wordfence. It's free to install and use, so there's no risk to try it. Wordfence monitors your site for threats constantly in the background, so you don't have to be actively involved. You can configure a firewall and tons of options for everything from logging in to blocking/whitelisting IP addresses.
The feature I like the most and always set up is 2FA, or two-factor authentication. For each user, you can configure 2FA login. So even if a hacker guesses your username and password, they still can’t get in.
The email reports are gratifying to see, which is how I found out the top ten failed usernames hackers are trying on this site.
While not necessary, using a plugin like Wordfence will go a long way towards making your site considerably more secure.
Secure Your WordPress Website Now
Bottom line, securing your WordPress site is largely in your hands. WordPress needs regular maintenance. Whether you take these steps yourself or you hire someone, you have the power to keep the hackers out.