The security of YOUR WordPress is YOUR responsibility!

If you purchase through a link on our site, we may earn a commission. Learn more.

Most probably from time to time you felt the need, or tried to secure your WordPress installation. You feel such urge because one of your websites got hacked, or a fellow blogger’s WordPress got hacked and infected with malware. Maybe you have heard the marketing mantra “If your WordPress website or blog is your main source of income, keep it secure and malware free to succeed in the online world!”. It might be a marketing mantra and scaremongering from security companies, but it is the truth!
Table of Contents
WP Engine High Performance Hosting
BionicWP Hosting

Most probably from time to time you felt the need, or tried to secure your WordPress installation. You feel such urge because one of your websites got hacked, or a fellow blogger’s WordPress got hacked and infected with malware. Maybe you have heard the marketing mantra “If your WordPress website or blog is your main source of income, keep it secure and malware free to succeed in the online world!”. It might be a marketing mantra and scaremongering from security companies, but it is the truth!

A website can be compared to a shop; it is what your visitors and customers are going to see. If your shop is run down and frequently broken into, customers wouldn’t come to your shop. The same applies for your website. Once it is hacked, it can be defaced (run down) and infected with malware (broken into), thus visitors will avoid browsing it. Let alone trusting you and paying you for a service.

Now that I probably scared you, or in better words explained to you why you need to secure your WordPress, let’s have a look and see what you should and should not do.

The wrong approach to WordPress Security

If you are a non tech savvy person, the first thing you would do to secure WordPress is to search the term WordPress Security on Google. The search results can be very confusing and frustrating; a long list of documents with titles such as “25 Golden Tips to Secure WordPress”, “Best WordPress Security Plugins”, “Secure your WordPress with 10 easy steps”.

The problem at this stage is that you will read a number of different articles which provide different solutions. Being a non tech savvy person is quite difficult to choose the way forward. To make it worse what most of the articles suggest are very good solutions, but unless you understand what you are doing and try to apply most of the changes, you might break your website.

The reality of WordPress Security

Although there are a number of procedures that you can follow to ensure better WordPress security, there are no golden rules. WordPress and Internet security are evolving, hackers are always one step ahead therefore securing a WordPress blog or website is not a something you do once and forget about it. From time to time you have to go back to school, update yourself and make further updates.

So, is WodPress security a daunting task? No. You do not need to be a rocket scientist to secure WordPress and you only need a couple of minutes every now and then. I can assure you that every blogger or WordPress webmaster who is able to upload a file to his website, and access his hosting provider’s CPanel is capable of securing his WordPress installation, if he or she is well informed.

The Three WordPress security pitfalls

Most of the hacked WordPress installations I have fixed were hacked because of misconfiguration. It was never a case of a hacker exploiting a zero day vulnerability in WordPress itself. In plain English it means that typically a WordPress website is hacked because of a human error rather than a bug in the WordPress software. As a matter of fact, the most common reasons why WordPress blogs and websites get hacked are:

  1. Running an old version of WordPress: Always make sure that you are running the latest version of WordPress to ensure there are no known security issues in the version you are running. For some of us this might sound like common sense, but even large corporations such as Reuters were hacked because they were running an old vulnerable version of WordPress in 2012.
  2. Weak credentials: Your girlfriend’s name, your secret lover’s mobile number or your car’s number plate are not good passwords. Many WordPress websites have been hacked because the administrator account was using a predictable easy password. A strong password should consists of at least 8 characters and consist of numbers, letters (UPPER and lower caps) and other symbols such as ?,! and $.
  3. Unrestricted access: Many bloggers and WordPress administrators fail to restrict access to other fellow bloggers and freelancers. A simple rule of thumb should be to only give access to people you trust and such access should be restricted to what they need only. Giving full FTP access to a freelancer or admin privileges to a fellow blogger is like leaving your house’s front door open at night.

As you can see from the above, WordPress security is more about properly configuring a WordPress installation and maintaining it rather than installing a lot of plugins, or being a WordPress security guru. To ensure WordPress security and learn more about the basics to keep your WordPress secure and free from hackers and malware, subscribe to the online WordPress Security course for Beginners.

The online WordPress security course is specifically tailored for any type of WordPress user including beginners, and is extremely easy to follow. It delivers quick and easy to implement solutions without the need to implement any third software and plugins. See for yourself how even non-technical people can secure their WordPress installation. WordPress security is not just for geeks and nerds!

If you enjoyed this post, make sure to subscribe to WP Mayor’s RSS feed.

Robert Abela

Robert is the CEO and founder of WP White Security, a niche WordPress security plugin development company based in the Netherlands, Europe. Their flagship product is WP Security Audit Log, the most comprehensive and widely used activity log plugin for WordPress sites and multisite networks.

Discover more from our , archives ↓

Popular articles ↓

One Response

  1. Let me add a plug-in that has been very useful to me. I received no fewer than 2,000 login attempts on my site, a young hacker used a proxy so I do not really have forbade IP and so I found “Country Code Login Failed” which bans the IP area exotic. For now, I have a real decline attempts. I hope I have been able to add my experience to your article.

Share Your Thoughts

Your email address will not be published. Required fields are marked *

Claim Your Free Website Tip 👇

Leave your name, email and website URL below to receive one actionable improvement tip tailored for your website within the next 24 hours.

"They identified areas for improvement that we had not previously considered." - Elliot

By providing your information, you'll also be subscribing to our weekly newsletter packed with exclusive content and insights. You can unsubscribe at any time with just one click.