For many people contemplating hosting their websites on WordPress, one big question stands out: "Is WordPress secure?"

Even though Wordfence's 2021 report attested that there are approximately 2,800 attacks on websites per second, for the most part, WordPress is secure. It just happens to be open source software. This means the code WordPress is built on is available to you as well as to hackers, which is probably why WordPress is the CMS that hackers target most.

Even so, how secure each WordPress site is depends greatly on its owner. The security measures you put in place, and the actions you take on your site, determine just how secure your WordPress site is.

In this post, we are going to discuss important dos and don'ts that contribute to your WordPress site's security.

Is WordPress secure? (Dos)

1. Change your passwords regularly

Weak passwords are one of the main gateways for hackers. This is why it is important to have a strong password and also to change your username from the default "admin" username.

Strong passwords are usually a combination of upper and lower case letters, numbers and symbols. Above all, always make your password as long as you can, however complex the combination already is.

When you stop working with someone, make sure to remove their administrative access, or any other type of login access, to your site, to reduce the risk of being hacked through old passwords.
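To make the "length above all" point concrete, here is a small added example (not code from the original post) that estimates the brute-force search space of a password in bits and also flags the default username. The character classes, the 70-bit minimum and the sample credentials are assumptions chosen for illustration, and the estimate is an upper bound that treats every character as randomly chosen.

```python
import math
import string

# Character classes a password can draw from. The estimate counts only the
# classes actually present, so a lowercase-only password is judged against a
# 26-symbol alphabet, not the full keyboard (a conservative assumption).
CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32 printable ASCII symbols
)

# Usernames attackers try first; "admin" is the WordPress default named in the post.
DEFAULT_USERNAMES = {"admin", "administrator"}


def estimate_entropy_bits(password: str) -> float:
    """Estimate the brute-force search space as length * log2(alphabet size).

    This assumes each character was chosen at random; dictionary words and
    keyboard patterns are far weaker than the number suggests, so treat the
    result as a rough indicator, not a guarantee.
    """
    if not password:
        return 0.0
    pool = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in password))
    # Characters outside the four ASCII classes (e.g. accented letters) add at
    # least their distinct count to the alphabet.
    pool += len({ch for ch in password
                 if not any(ch in cls for cls in CHARACTER_CLASSES)})
    return len(password) * math.log2(pool)


def check_credentials(username: str, password: str, min_bits: float = 70.0) -> list:
    """Return the list of problems found; an empty list means the pair passes."""
    problems = []
    if username.lower() in DEFAULT_USERNAMES:
        problems.append(f"username {username!r} is a well-known default; pick a site-specific one")
    bits = estimate_entropy_bits(password)
    if bits < min_bits:
        problems.append(f"password offers only ~{bits:.0f} bits against a "
                        f"{min_bits:.0f}-bit minimum; make it longer")
    return problems


if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus a long simple one.
    for user, pw in (("admin", "P@ss1!"), ("editor_jane", "quietharbourlanternmoss")):
        print(user, f"{estimate_entropy_bits(pw):.1f} bits", check_credentials(user, pw) or "ok")
```

Run as a script it prints the two comparisons: the six-character password using every class scores around 39 bits, while the 23-character lowercase passphrase scores around 108, which is the post's point that length matters more than mixing symbols in.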

2. Enable two-factor authentication

One of the ways hackers guess a site's login details is brute force, which can eventually get into any information that is protected only by a password, so enabling two-factor authentication is the best thing you can do for yourself.

If hackers did succeed in guessing your login information, they would hit a block when required to confirm the login through a second device, or through whatever other second security measure you put in place.

3. Change the WordPress default login page

WordPress has a default login page through which any WordPress site can be accessed. Fortunately, you can minimise the risk of being hacked through this page by changing the login URL to one that is specific to your site. You need a plugin to do this, and WPS Hide Login is a good one.

4. Install up-to-date plugins

Even though they bring great functionality to your site, WordPress plugins are third-party scripts, which is why hackers use plugins and themes to attack sites. To be on the secure side, only install plugins that are compatible with your WordPress version and have active developers committed to updating them. Such plugins usually meet and keep up with WordPress standards and are more likely to have support available.

5. Use the latest PHP version

WordPress is built on the programming language PHP. And because WordPress is open source, with public code anyone can contribute to, its maintainers are always committed to releasing more secure and better-functioning versions of their PHP code.

When a new version is released, that information is public to hackers too. By failing to update your site to the latest, more secure PHP version, you leave your site vulnerable and open to attack through the vulnerability that the new version identified and fixed.
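The two points above, a plugin's declared compatibility with your WordPress version (section 4) and your PHP version being current enough (section 5), can both be checked from the headers a plugin ships in its readme.txt. The following is an added example, not from the original post or from any plugin: it parses the standard `Requires at least`, `Tested up to`, `Requires PHP` and `Stable tag` headers from a constructed readme and compares them with the versions you say your site runs. The plugin name and every version number in the sample are made up.

```python
import re

# Constructed readme.txt in the WordPress.org plugin header format.
# The plugin and its version numbers are invented for this example.
SAMPLE_README = """\
=== Example Form Plugin ===
Contributors: exampledev
Tags: forms, contact
Requires at least: 5.8
Tested up to: 6.2
Requires PHP: 7.4
Stable tag: 2.3.1
License: GPLv2 or later

== Description ==
A constructed sample used only to demonstrate header parsing.
"""

HEADER_FIELDS = ("Requires at least", "Tested up to", "Requires PHP", "Stable tag")


def parse_readme_headers(text: str) -> dict:
    """Collect the known 'Field: value' headers from the block under the === title === line."""
    headers = {}
    for line in text.splitlines():
        if line.startswith("== "):      # the first section heading ends the header block
            break
        match = re.match(r"^([A-Za-z ]+?):\s*(.+?)\s*$", line)
        if match and match.group(1) in HEADER_FIELDS:
            headers[match.group(1)] = match.group(2)
    return headers


def major_minor(version: str) -> tuple:
    """'6.4.2' -> (6, 4). 'Tested up to: 6.4' is taken to cover every 6.4.x release."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    return tuple((parts + [0, 0])[:2])


def assess_plugin(headers: dict, wp_version: str, php_version: str) -> list:
    """Return findings where the plugin's declared support does not match the site; [] is clean."""
    findings = []
    site_wp, site_php = major_minor(wp_version), major_minor(php_version)
    if "Tested up to" not in headers:
        findings.append("no 'Tested up to' header: the developer has not declared "
                        "which WordPress versions were tested")
    elif major_minor(headers["Tested up to"]) < site_wp:
        findings.append(f"only tested up to WordPress {headers['Tested up to']}, site runs "
                        f"{wp_version}: look for a newer release or an active developer")
    if "Requires at least" in headers and site_wp < major_minor(headers["Requires at least"]):
        findings.append(f"needs WordPress {headers['Requires at least']} or newer, site runs {wp_version}")
    if "Requires PHP" in headers and site_php < major_minor(headers["Requires PHP"]):
        findings.append(f"needs PHP {headers['Requires PHP']} or newer, site runs {php_version}: "
                        "upgrade PHP rather than holding the plugin back")
    return findings


if __name__ == "__main__":
    hdrs = parse_readme_headers(SAMPLE_README)
    print(hdrs)
    for wp, php in (("6.2.3", "8.1.27"), ("6.4.2", "8.1.27"), ("5.7", "7.2")):
        print(wp, php, assess_plugin(hdrs, wp, php) or "ok")
```

A plugin whose `Tested up to` lags behind the WordPress release you run is not necessarily broken, but it is the signal the post describes: the developer has not confirmed it against the current code, so check for updates and support before trusting it.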

6. Always keep a backup of your site

In the unfortunate event of a successful hack on your site, you want to have a backup of your site. In most cases there is a high chance of getting your site back after a hack; having a backup, however, means you can restore your site to what it was before the hack without losing valuable information.

Many hosting providers offer backups at different frequencies depending on your chosen package. However, it is highly advised that you keep an offline one yourself using a third-party application, e.g. UpdraftPlus.
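A backup is only worth something if it can actually be restored, so here is an added example (not the post's own code, and independent of UpdraftPlus or any hosting provider) that packs a site directory into a tar.gz archive, writes a SHA-256 manifest of every file next to it, and later restores the archive into a scratch directory to confirm that each file still matches the manifest. The site layout and file contents it creates are constructed for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so a large uploads directory does not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX style) to its SHA-256 hex digest."""
    return {path.relative_to(root).as_posix(): sha256_file(path)
            for path in sorted(root.rglob("*")) if path.is_file()}


def create_backup(site_root: Path, archive: Path) -> Path:
    """Write site_root into a gzip tarball plus a JSON manifest beside it; return the manifest path."""
    manifest = build_manifest(site_root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname="site")
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def verify_backup(archive: Path, manifest_path: Path) -> list:
    """Restore the archive to a scratch directory and list files that are missing or changed."""
    expected = json.loads(manifest_path.read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):   # Python 3.12+ and backports: refuse unsafe paths
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        actual = build_manifest(Path(scratch) / "site")
    for rel_path, digest in expected.items():
        if rel_path not in actual:
            problems.append(f"{rel_path}: missing from archive")
        elif actual[rel_path] != digest:
            problems.append(f"{rel_path}: content differs from manifest")
    for rel_path in actual.keys() - expected.keys():
        problems.append(f"{rel_path}: present in archive but not in manifest")
    return problems


def demo() -> tuple:
    """Back up a constructed site, verify it, then show a mismatch being caught."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed sample config\n")
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed bytes")
        archive = tmp / "site-backup.tar.gz"
        manifest_path = create_backup(site, archive)
        clean = verify_backup(archive, manifest_path)
        # An archive taken after wp-config.php changed no longer matches the original manifest.
        (site / "wp-config.php").write_text("<?php // changed after the manifest was written\n")
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(site, arcname="site")
        mismatched = verify_backup(archive, manifest_path)
    return clean, mismatched


if __name__ == "__main__":
    clean, mismatched = demo()
    print("fresh backup:", clean or "all files verified")
    print("stale manifest:", mismatched)
```

Keeping the manifest with the offline copy means a restore can be checked before it is trusted, and a mismatch tells you which file to look at rather than leaving you to compare a whole site by eye.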

7. Install an SSL certificate

An SSL certificate is a digital certificate that authenticates your website's identity and enables an encrypted connection. Without one, your WordPress site is not secure. Once installed, it enables the HTTPS protocol, which establishes a secure connection between your web server and the visitor's browser.

This encryption protects information sent from the visitor's browser to your website, e.g. when they enter a password to log in or enter credit card numbers to make a purchase. The SSL certificate makes it possible to turn this information into encrypted data that third parties can't read.

8. Install recommended security plugins

There are security plugins you can install on your site as a preventative measure. Most of these plugins offer a firewall, scan your website and alert you to any new security threat. They will block bad traffic and illegitimate login attempts.

It is crucial that you choose a security plugin that is reputable, keeps up with security standards and offers support, e.g. Sucuri, Wordfence or Jetpack Security. You also want to choose a security plugin that includes a firewall, or choose an alternative route for a firewall.
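To show the kind of rule behind "block illegitimate login attempts", here is an added example (not code from the post, nor from Sucuri, Wordfence or Jetpack) that reads web-server access-log lines in the common Apache/Nginx combined format and flags any IP address that posts to the WordPress login page too many times within a short window. It relies on one WordPress behaviour: a failed login re-renders the form with an HTTP 200, while a successful one redirects with a 302. The log lines, IP addresses, threshold and window are constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample: 203.0.113.7 hammers the login form (seven 200 responses in
# 30 seconds); 198.51.100.4 mistypes once (200) and then logs in (302).
SAMPLE_LOG = """\
198.51.100.4 - - [10/Mar/2023:14:01:58 +0000] "GET /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:16 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2023:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:21 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:26 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2023:14:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2023:14:02:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4231 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields we need, or None for lines that are not in the expected format."""
    match = LOG_LINE.match(line)
    if not match:
        return None
    fields = match.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], TIME_FORMAT)
    fields["status"] = int(fields["status"])
    fields["path"] = fields["path"].split("?", 1)[0]   # drop query strings such as ?redirect_to=
    return fields


def detect_login_bursts(lines, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag IPs with more than `threshold` likely-failed login POSTs inside any sliding window.

    Only POSTs answered with 200 count: WordPress re-serves the form on failure
    and answers a successful login with a 302 redirect, so 302s are left alone.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failed attempts still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if (rec is None or rec["method"] != "POST"
                or rec["path"] != LOGIN_PATH or rec["status"] != 200):
            continue
        attempts = recent[rec["ip"]]
        attempts.append(rec["ts"])
        while (rec["ts"] - attempts[0]).total_seconds() > window_seconds:
            attempts.popleft()
        if len(attempts) > threshold:
            flagged[rec["ip"]] = {"count": len(attempts), "first": attempts[0], "last": rec["ts"]}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['count']} failed logins between "
              f"{info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

A security plugin or a web application firewall applies the same idea in real time and adds the blocking step; running a rule like this over yesterday's logs is a cheap way to confirm that whatever you installed is actually catching what you expect.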

Is WordPress secure? (Don'ts)

1. Don't install nulled applications

We get it. Small businesses don't have money to throw around, but cutting corners on premium WordPress themes and plugins might just cost you more than you bargained for. No matter what, never install nulled applications on your website. These are pirated premium applications you get for free. Most of these third-party knock-offs contain malicious code and will be the gateway used to gain access to your site.

2. Don't keep inactive plugins installed 

Keeping inactive plugins installed is unnecessary. It adds weight to your site, which may even affect your site's speed. On a security level, inactive plugins can be used to place malicious code on your website. Assuming you don't check on your inactive plugins, there's a high chance you will miss it should an inactive plugin develop a security risk. Inactive or not, that security risk will be on your site.


Overall, WordPress is a secure platform. You just have to pull up your socks and implement the security measures that protect you from these risks. But hackers and cyber attacks never rest, so never get comfortable with your security.

If, for any unfortunate reason, your security is at risk, don't hesitate to get in touch with us.

John Hooley
President, Steward

John is a graduate of 10,000 Small Businesses, a certified Customer Acquisition Specialist, and a Zend Certified Engineer. He speaks and writes on connecting digital strategy to association goals. Outside of work he's an avid traveler, climber, diver, and a burgeoning sailor. He also volunteers with Rotary and Big Brothers Big Sisters.