Did you know that more than 70% of the world’s most popular WordPress sites are vulnerable to hacker attacks?

WordPress is the world’s most popular CMS.

For me personally, no other CMS comes even close.

But that doesn’t mean it’s perfect.

Pointing out WordPress security loopholes is one of the favorite activities of its critics.

And as a recent victim (and survivor) I can assure you that there are hackers out there waiting to pounce on any security vulnerabilities in your site.

And once your site is compromised, Google won't take long to flag it in search results (the "This site may be hacked" warning) and push it out of the top rankings.

But don’t worry, fixing these loopholes isn’t that hard.

And in this post I’m going to show you exactly how you can do it with your WordPress site.

Bonus: Download our WordPress Backup Plugin Guide.  In this PDF we identify 10 must-have features you should consider in your quest for the right WordPress backup plugin.

1. Secure Your Laptop First

It might not appear so, but the security of your WordPress website is directly related to the computer (desktop or laptop) you routinely use to access it.

Malware can easily infect your computer while you browse the internet or download unverified software if the machine isn't protected by an anti-virus.

And when you log in to your site's admin panel or upload files from that infected computer, a keylogger or info-stealer on it hands the attacker your admin credentials, and your site's security is compromised along with it.

So it's crucial to have up-to-date anti-virus and anti-malware software installed on your computer before you log in to or upload anything to your site.

Avast antivirus

The free versions of AVG or Avast antivirus should catch most common malware. HitmanPro is another anti-malware scanner that is good at finding suspicious files the first product missed.

Also make sure your Wi-Fi network uses WPA2 (or newer) with a strong password, so that nobody outside your household or office can join it.

2. Invest in a Top Quality Web Hosting Service

The quality of your web-hosting service has a huge role in determining the security of your WordPress site. So don't go for a cheap solution just to save a few bucks, because it might come back to haunt you: on a badly isolated shared server, a neighbour's compromised site can become a stepping stone into yours.

If you go for a shared hosting plan, choose a top hosting company like BlueHost or HostGator. But if you have the resources, go for a dedicated WordPress hosting service like WPEngine or LiquidWeb.

A reliable hosting service not only keeps your site more secure but also has a direct impact on its speed and performance (which affects your site's search rankings as well).

3. Use a Unique Username and a Strong Passphrase

A large number of WordPress websites are hacked and compromised not because of an over-sophisticated hacking attempt, but because of a poor password and a commonly used username ('admin' in most cases).

According to Edward Snowden, the former CIA employee and NSA contractor now living in asylum, users should create longer 'passphrases' instead of standard passwords to stay secure on the web.

You can test the strength of a candidate password with this free tool (test a throwaway candidate rather than the password you actually use). This is what I got when I tested my password.


secure password

Here are a few tips to make your username and password stronger:

– Don't use 'admin' as your username; use your email address (use this plugin) or a name of your own choosing. Bear in mind that WordPress reveals usernames through author archive URLs and the REST API, so the username is never a secret; the passphrase is what protects the account.

– Create passphrases of at least 16 to 20 characters (the longer the better).

– Mix uppercase and lowercase letters, numbers and special characters, or string several unrelated words together.

– Change your password immediately if you suspect it has leaked, and never reuse it on another site.

– Never save your password in a text file on your computer; use a password manager instead.

A strong username and passphrase combination on its own defeats the bulk of the automated password-guessing your site will see.
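To show why the passphrase advice above holds up, here is an added example (not code from the original post) that generates a random passphrase with the operating system's secure random source and puts numbers on the comparison: a few random words from a large list carry more entropy than a short "complex" password. The 16-word list is a constructed stand-in for a real list such as the EFF long wordlist (7,776 words), which the entropy comparison assumes.

```python
import math
import secrets

# Constructed mini wordlist for the demo only. A real generator uses a large,
# published list (e.g. the EFF long list of 7,776 words); the arithmetic below
# is what changes when you do.
WORDS = ("anchor", "basil", "comet", "dune", "ember", "fjord", "glyph", "harbor",
         "iris", "jigsaw", "kelp", "lumen", "mango", "nectar", "orbit", "pylon")


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform picks from `choices_per_symbol` options."""
    return symbols * math.log2(choices_per_symbol)


def passphrase(wordlist=WORDS, words: int = 5, sep: str = "-") -> str:
    """Pick words with the CSPRNG-backed `secrets` module (never `random`) and join them."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_policies() -> tuple:
    """Return (bits for an 8-character random password over the 94 printable ASCII
    characters, bits for a 5-word passphrase drawn from a 7,776-word list)."""
    return entropy_bits(94, 8), entropy_bits(7776, 5)


if __name__ == "__main__":
    short_pw, long_pw = compare_policies()
    print(f"8 random chars: {short_pw:.1f} bits; 5 random words: {long_pw:.1f} bits")
    print("example passphrase:", passphrase(words=4))
```

The 5-word passphrase comes out around 65 bits against roughly 52 bits for the 8-character password, and it is far easier to remember; the strength comes from the number of words and the size of the list, not from symbols sprinkled in.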

4. Enable 2-Step Verification on Your Site

2-step verification adds an extra security layer to your site: a guessed or stolen password is no longer enough on its own to reach the admin panel.

When you enable 2-step verification, you will be asked for one of the following (depending on the method you choose) after you enter your WordPress username and password:

–  A six-digit one-time code generated by an authenticator app on your phone (Google Authenticator, Authy)

–  A secret code sent to your mobile phone by SMS

–  A secret question or an extra password (both are still "something you know", like your password, so they add less than a code generated on a separate device)

Google Authenticator

An authenticator app is the safest of these options: SMS codes can be intercepted or redirected by a SIM-swap attack, although SMS is still far better than no second step at all. You can enable 2-step verification on your site with a plugin that works with Authy or Google Authenticator.
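What the authenticator app and the plugin actually agree on is the TOTP algorithm (RFC 6238 on top of RFC 4226 HOTP). The following added example, which is not code from the original post or from any of the plugins it names, implements both sides in plain Python: generating the enrolment secret and otpauth:// URI that goes into the QR code, computing the six-digit code, and verifying a submitted code with a one-step drift window and a constant-time comparison. The secret used for the demonstration is the public RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded as an app would store it.

```python
import base64
import hmac
import secrets
import struct
from hashlib import sha1
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accept the code for the current step or up to `window`
    steps either side (phone clock drift). Every candidate is compared in
    constant time and the loop never short-circuits, so response timing does
    not reveal which step (if any) matched."""
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, unix_time + drift * step, step, digits)
        ok |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return ok


def new_secret() -> str:
    """Fresh 160-bit shared secret, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def otpauth_uri(issuer: str, account: str, b32_secret: str) -> str:
    """The otpauth:// URI a plugin encodes in the enrolment QR code."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32_secret}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


# Public RFC 6238 test secret (ASCII "12345678901234567890"), base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
RFC_SECRET = base64.b32decode(RFC_SECRET_B32)

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))      # RFC 6238 test vector: 94287082
    print(otpauth_uri("Example Blog", "alice@example.com", new_secret()))
```

Two details matter in practice: the server must also refuse to accept the same code twice within its validity window (replay), which a real plugin does by remembering the last counter it accepted; and the shared secret is as sensitive as a password, so it belongs encrypted at rest, not in a plain option row.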

5. Use Google reCaptcha To Prevent Bot Attacks

Enabling Google reCaptcha on your site is an easy way to get rid of spam comments and automated login attempts.

google recaptcha

Once you sign up for reCAPTCHA keys and enable it on your site, visitors (and you) will need to tick the "I'm not a robot" checkbox before a comment or login form will submit, which stops the bulk of automated bots.


You can enable reCAPTCHA on your site with Google's reCAPTCHA plugin.

6. Maintain a Regularly Updated Backup of Your Site

By some estimates, more than 30,000 websites are hacked every day.

If you become a victim one day, which isn’t entirely impossible, would a complete data backup be useful?

I think, yes.

No matter how secure your site is, a regular backup always comes in handy. Keep a copy somewhere other than the web server itself (an attacker who controls the server can delete or encrypt backups stored next to the site), and restore it to a test site now and then to prove it actually works.


More than 30,000 solopreneurs, agencies and corporate websites use our services at WPBackItUp to maintain secure data backups.

It’s super easy and doesn’t take more than few clicks to set up.

7. Use the Latest Version of WordPress

This one’s a no-brainer yet so many WordPress users ignore it and suffer later.

WordPress regularly releases new versions, including minor security releases that patch vulnerabilities hackers are already exploiting to gatecrash your site.

And it literally takes a second to update WordPress from the dashboard. Minor and security releases install themselves automatically by default; don't switch that off.

wp version update

updated wp version



So don’t be lazy and make sure you’re always using the latest version of WordPress on your site.

8. Stay Away from Outdated and Unreliable Plugins

One of the biggest strengths of WordPress is its seemingly unlimited range of plugins. There’s a plugin for almost anything you want to do on your website, and that’s what makes WordPress such an attractive option for bloggers and website owners.

However, plugins are also the biggest source of security vulnerabilities in WordPress. According to one widely cited study, more than half (about 54%) of WordPress security breaches are traced to insecure or outdated plugins.

WordPress Vulnerabilities

But WordPress is not even half as useful without plugins.

So how do you stay safe?

Here are a few tips

– Avoid using plugins unnecessarily

– Only download plugins from the official WordPress.org plugin directory.

WP Plugins

– Always read user reviews and ratings before downloading a plugin.

WP Plugins Ratings

WP Reviews

– Never download a plugin that hasn't been updated for a long time (the directory shows the last update date and the WordPress version the plugin was tested with).

WP Plugins NOT Updated

WP Plugins NOT Updated (2)

– Always keep your plugins updated to the latest version. You can find all the updates in your WordPress dashboard.

Updates in WP Dashboard

Update Plugins

And as a rule of thumb, never download plugins from forums or private communities, because you never know what they might carry. "Nulled" copies of premium plugins are a classic way to ship a backdoor straight into your site.

9.  Enable Login Lockdown

Why take the risk of allowing anyone to guess your password and username when you can simply block out any unauthorized access?

By using a login lockdown plugin, you can limit the number of failed login attempts from a given IP address (and, with most plugins, against a given username) within a time window; once the limit is hit, further attempts from that source are rejected for a cooling-off period without even checking the password.
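The logic inside such a plugin is a sliding window of recent failures plus a temporary lock. The following added example (not code from the original post or from any lockdown plugin) implements that policy and replays a constructed auth log through it, so you can see which keys end up locked and how many attempts were refused outright. The log format, timestamps and addresses are all made up for the demonstration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


class LoginLockout:
    """Sliding-window failed-login counter with a temporary lock, keyed by any
    string: an IP address, a username, or both as separate keys."""

    def __init__(self, max_attempts: int = 5, window_s: int = 600, lockout_s: int = 900):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lock expires

    def is_locked(self, key: str, now: int) -> bool:
        return self._locked_until.get(key, 0) > now

    def record_failure(self, key: str, now: int) -> bool:
        """Log a failed attempt; return True if `key` is (now) locked out."""
        if self.is_locked(key, now):
            return True
        q = self._failures[key]
        while q and now - q[0] >= self.window_s:   # forget failures outside the window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        """A correct password resets the failure counter (an active lock stays)."""
        self._failures.pop(key, None)

    def locked_keys(self, now: int) -> set:
        return {k for k, until in self._locked_until.items() if until > now}


@dataclass
class ScanResult:
    locked: set = field(default_factory=set)   # keys still locked at the end of the log
    blocked: int = 0                           # attempts refused because a lock was active


def scan_log(text: str, **policy) -> ScanResult:
    """Replay constructed log lines of the form '<epoch> FAIL|OK user=<name> ip=<addr>'
    through the lockout policy, counting failures against both the IP and the username."""
    lock = LoginLockout(**policy)
    result = ScanResult()
    last_ts = 0
    for line in text.splitlines():
        ts, outcome, user_kv, ip_kv = line.split()
        last_ts = ts = int(ts)
        keys = ("ip:" + ip_kv.split("=", 1)[1], "user:" + user_kv.split("=", 1)[1])
        if any(lock.is_locked(k, ts) for k in keys):
            result.blocked += 1      # refused before the password is even checked
            continue
        for k in keys:
            if outcome == "FAIL":
                lock.record_failure(k, ts)
            else:
                lock.record_success(k)
    result.locked = lock.locked_keys(last_ts)
    return result


# Constructed sample: one address hammers 'admin'; a real user mistypes once.
SAMPLE_LOG = """\
1000 FAIL user=admin ip=203.0.113.5
1005 FAIL user=admin ip=203.0.113.5
1010 FAIL user=admin ip=203.0.113.5
1015 FAIL user=admin ip=203.0.113.5
1020 FAIL user=admin ip=203.0.113.5
1025 FAIL user=admin ip=203.0.113.5
1030 OK user=jane ip=198.51.100.7
1700 FAIL user=jane ip=198.51.100.7
"""

if __name__ == "__main__":
    r = scan_log(SAMPLE_LOG)
    print("locked:", sorted(r.locked), "| attempts refused while locked:", r.blocked)
```

Counting against the username as well as the IP is what stops a slow, distributed guess across many addresses, but it also lets an attacker lock the real administrator out by spamming wrong passwords for that name; most plugins therefore lock by IP, and offer a username lock with an allow-list for your own addresses. Whatever the policy, make sure the plugin reads the real client address (behind a CDN or proxy that means the forwarded header, validated against the proxy's IP), or every visitor shares one key.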

10. Rename Your Login and Admin Page URLs

Everyone and their grandma knows the URLs of your WordPress site's login and admin pages: /wp-login.php and /wp-admin/.

No one can hack these pages just by knowing their names, but it does make the target obvious to every scanner and bot on the internet.

Renaming them cuts out most of that automated noise. It is security through obscurity, so treat it as a complement to a strong passphrase, 2-step verification and login lockdown rather than a replacement. Also remember that the login form isn't the only place WordPress accepts a username and password: xmlrpc.php does too, so disable it if you don't use it.

rename login

But don’t do it manually.

Instead, install a simple plugin like Rename wp-login.php or iThemes Security.

11. Disallow File Editing on Your Site

If you implement all the measures I've discussed in this post, breaking into your site's admin area becomes very hard.

But if an attacker does get hold of an administrator account, you can take away one of their favourite next steps by disabling the built-in theme and plugin file editor, which otherwise lets anyone with admin rights write PHP into your theme straight from the browser. (It does nothing against someone who already has FTP/SFTP or shell access to the server; that is what the hosting and backup advice above is for.)

You can do it by adding the following line to your wp-config.php, above the line that reads /* That's all, stop editing! Happy publishing. */, which is where WordPress expects custom constants. The stricter DISALLOW_FILE_MODS constant also blocks installing and updating plugins and themes from the dashboard, so only use that one if you deploy them some other way.

define('DISALLOW_FILE_EDIT', true);

12. Limit User Access for Multi Author Sites

If you’re running a multi author blog or a magazine website, you really need to be careful about user permissions.

You can add new users to your site from your WordPress dashboard. But while doing so, make sure you’re assigning them the right roles.

Add New User

As a rule of thumb, never assign the Editor or Administrator role to anyone you don't trust.

If you want to add new writers, use the Contributor or Author role, which gives them limited access: a Contributor can write drafts but cannot publish or upload files, while an Author can publish and upload media for their own posts only.

13. Make Your Life Easy With a WordPress Security Plugin

All the things I’ve discussed in this post can be done manually.

But that’ll require significant time and expertise in WordPress.

The smarter and easier route is to use a reliable WordPress security plugin.

There are many great plugins but I personally love 2 of them – Wordfence and iThemes Security.

Wordfence in particular is an awesome plugin to keep an eye on even the smallest of changes that are happening to your site.

It notifies you about any login attempts, malicious files, outdated plugins or suspect users.

Wordfence Alert

Plus, it covers many of the tips in this post (login lockdown, 2-step verification, file-change monitoring and plugin update alerts) out of the box.

Wrapping Up

There’s no question about the security vulnerabilities of a WordPress website (there are many). But thankfully they can be easily countered by taking the measures I’ve discussed in this post and, more specifically, by using a reliable WordPress security plugin.

Image credit: Pixabay.