How to improve Your WordPress Website Security

WordPress is far and away the most popular CMS (content management system) on the web. According to research released on the ManageWP Blog, a staggering 74.6 million websites depend on WordPress, with approximately 50% of those hosted for free on

Its popularity should come as no surprise, for WordPress really is one of the most usable CMSs available. We covered the subject in a recent blog post – ‘WordPress, Drupal or Joomla? Which CMS Is Right For Me?’ – where we found that although WordPress’s main competitors are perhaps more powerful, this comes as a trade-off in terms of ease of use.

Anybody can set up a WordPress site – and it seems that nearly 75 million of us have done just that. The templates available are very well made, easy to use and navigate, and, even though the likes of Joomla are perhaps more specialised for the creation of ecommerce and other business sites, the fact remains that to set up a professional looking and functioning website on WordPress will require you to have only the most basic IT skills – and that is something that is very attractive to the average user.
But, when something is as popular and as big as WordPress, it naturally becomes a massive target for cybercriminals, hackers and spammers all around the globe. Indeed, recently there has been a lot of coverage in the online press about an increase in hijacks, as well as a number of holes being discovered in some very popular WordPress plugins.

The security company Sucuri last year discovered a series of striking vulnerabilities in 4 very popular plugins for WordPress.

These were:
All In One SEO Pack
MailPoet Newsletters
It was reported that, combined, these plugins had been downloaded more than 20 million times, leaving a similar number of accounts dangerously exposed.
Nothing on the internet can ever truly be 100% safe. It’s simply not possible, and any piece of anti-virus or anti-malware software or plugin that you get conned into buying professing such a guarantee is simply telling porkies (and is probably loaded with a whole cache of nasty stuff to boot, so don’t be fooled).

No, 100% security is impossible to attain – or at least to maintain indefinitely. So, to get to grips with WordPress security, you must understand in the first instance that it is an ongoing endeavour. It never stops. As soon as one WordPress update gets released to protect against new security threats, then the engineers get to work straight away once more to protect against the next lot that will inevitably be coming through.

And this is because, as soon as a WordPress update gets released, hackers all around the globe immediately start trying to penetrate it – and on and on and on and on it goes.

But this brings me to the most important point that I can make in this blog post – if you take nothing else away with you then let it be this:
In order to try and stay ahead of the game, you need to make sure that you are always running the very latest version of WordPress, as well as the very latest versions of any plugins that you have attached to the back end of your site.

Developers are, as I have said, forever updating their software to stave off attacks – but these updates are only useful to those web masters who have installed them onto their sites. So, take advantage of all of their hard work, and make sure you’re always up to date.

Ok, here are 3 more great tips to help keep your WordPress site secure.

Never ever use ‘password’, ‘123456’, your date of birth, telephone number or anything else ridiculously predictable as your password. It might seem like an obvious point to make, but you’d be surprised how many people actually do it.

Instead, make a point of using a Password Manager to manage your online passwords (for WordPress as well as everything else). This is a much safer way to protect yourself online, so, make the effort, and be safe.

All attackers know that WordPress’s default settings will always insert “admin” as your administrative username – and now you do, too, so there are no excuses if you don’t change it.
Change it to anything you like – just don’t leave it as “admin” (and it’s probably best not to use your own name either, as this is just as predictable). If you’re just installing WordPress for the first time then you will be asked for your administrative username during this process. If, however, you’ve already got a WordPress website, then provide a very handy tutorial on how to change your WordPress username.
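As an added example (not from the original post), here is a small shell audit that checks the two points above, out-of-date plugins and an account still called “admin”, against WP-CLI output. The `wp plugin list` and `wp user list` commands with `--fields` and `--format=csv` are real WP-CLI options; the CSV samples, plugin versions and user names below are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: audit a WordPress install against two of the post's tips,
# using the CSV that WP-CLI prints. The samples below are constructed stand-ins
# for live output; swap them for the real commands shown at the bottom.

# Constructed sample of: wp plugin list --fields=name,update,version --format=csv
SAMPLE_PLUGINS='name,update,version
all-in-one-seo-pack,available,2.1.5
mailpoet,none,2.6.8
akismet,available,3.0.0'

# Constructed sample of: wp user list --fields=user_login,roles --format=csv
SAMPLE_USERS='user_login,roles
admin,administrator
editor_jane,editor'

# Reads plugin CSV on stdin; prints "name version" for each plugin with a
# pending update (the "update" column is "available" rather than "none").
outdated_plugins() {
    tail -n +2 | awk -F, '$2 == "available" { print $1 " " $3 }'
}

# Reads user CSV on stdin; prints any account whose login is still the
# predictable default "admin", together with its role.
default_admin_users() {
    tail -n +2 | awk -F, '$1 == "admin" { print $1 " (" $2 ")" }'
}

# Runs both checks over the two CSV strings; returns 1 if anything was flagged.
audit() {
    plugins="$1"; users="$2"; rc=0
    out=$(printf '%s\n' "$plugins" | outdated_plugins)
    [ -n "$out" ] && { printf 'plugins needing update:\n%s\n' "$out"; rc=1; }
    out=$(printf '%s\n' "$users" | default_admin_users)
    [ -n "$out" ] && { printf 'default admin login still present:\n%s\n' "$out"; rc=1; }
    return $rc
}

# Against a live site, feed real WP-CLI output instead of the samples:
#   audit "$(wp plugin list --fields=name,update,version --format=csv)" \
#         "$(wp user list --fields=user_login,roles --format=csv)"
audit "$SAMPLE_PLUGINS" "$SAMPLE_USERS" || echo "audit flagged issues"
```

A clean site gives no output and a zero exit status, so the script drops straight into a cron job or deploy check.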

There are literally thousands of hosting companies out there. So many, in fact, that it can be hard to know which one to choose. Our advice would be to go for one that specialises in security. With this in mind, look out for hosts who make the following offerings:

WordPress Optimised
Optimised Firewall For WordPress
Malware Scanning
Support For Latest Versions of MySQL and PHP
Account Isolation For Shared Hosting Plans
Daily Internal Backups
