Essential WordPress Security Tips Any Website Owner Can Implement


Learn how any business owner can protect their website from hackers, brute-force attacks, malware, and other online threats.

WordPress Security, Your Website, and You!

We build WordPress websites for clients around the world. But when we first mention WordPress, we often hear from folks just like you that WordPress is not secure. Many business owners distrust it for that reason. They mistakenly believe that WordPress sites are inherently vulnerable. And while your WordPress website is a target for hackers, our essential WordPress security tips will help you protect it!

This is the first in a two-part series dealing with common WordPress security issues and concerns. In this post, we want to explain why WordPress gets hacked and give you simple and effective WordPress security tips to help you secure your WordPress website. Even better, our WordPress security tips can be implemented at no cost to you!

In part two we will outline some telltale signs your WordPress site got hacked, how to restore your WordPress website, and give you a few bonus WordPress security tips to help you protect your site even further.

Let’s get started, shall we?

A Few Simple Facts About WordPress Security

We believe that before you can effectively protect your WordPress website you first need an understanding of what you are protecting against. This is especially true for WordPress and WordPress websites. There are all kinds of rumors out there that cause needless fear and confusion among existing and potential WordPress users. To help you better understand our essential WordPress security tips we first want to give you a better understanding of WordPress security.

Yes, WordPress gets hacked. But before you blame WordPress, let’s think about that for a moment. First of all, WordPress is the most popular CMS and runs over 60% of all websites in 2019. That alone makes WordPress a tempting target for hackers. But the main reason that WordPress websites get hacked is not hackers, but YOU, the website owner! You simply make it too easy for hackers to gain access to your website.

Many business owners we talk to simply launch their WordPress site, and then seemingly forget about it. Yes, we know that you have or had good intentions, but time and other things simply got in the way. And WordPress is doing its best to keep your site secure. Automattic, the company that actually runs WordPress, has a highly skilled and expert team of programmers that is responsible for securing the WordPress core from hackers and malicious attacks.

But they can only do so much. To complicate matters, you can install a variety of themes and plugins to extend the functionality of your WordPress website. Many of these themes and plugins come from reputable developers and are tested for security loopholes, but some are not, and those are the ones that cause trouble. According to Wordfence, WordPress plugins are a frequent reason why WordPress sites get hacked.

What Are the Top WordPress Security Issues?

We already mentioned that WordPress does make a tempting target for hackers. And WordPress does get attacked and hacked more often than other content management systems or website platforms. But WordPress in and of itself is not entirely to blame. As you can see from this infographic from iThemes, the top 5 WordPress security issues also lie with WordPress themes and plugins. And both your WordPress website code and the database behind your WordPress website are major targets as well.

Who is Attacking Your WordPress Site?

The individual website hacker is only one of the common WordPress threats. While most website owners believe that individuals pose the greatest threat to website security, that is actually not true. As a matter of fact, most website attacks are carried out by bots or botnets. This infographic from Wordfence shows you who is actually attacking your WordPress site, how they get information, and which parts of your WordPress site actually get attacked.

Protecting Your WordPress Site

Protecting your WordPress website or e-commerce store is actually less complicated than many business owners believe. It basically requires some good old-fashioned common sense, and a bit of time and effort on your part. And any effort and time you put into securing your WordPress site will be considerably less than the time and cost it takes to restore a WordPress website.

Our WordPress security tips will walk you through the steps required to protect your WordPress website, and share some strategies on how to protect your website from being hacked, what steps to take if it was hacked and what measures you can take to prevent future attacks.

Most of our WordPress security tips can be implemented free of cost. A few of our recommendations do need some additional investment. But we never said having a business website is free, did we?

Regardless, we highly recommend you carefully consider our WordPress security tips. See where you may be falling short and implement those tips on your WordPress website today.

We guarantee you will be more secure once you do. You may even sleep better at night!

The Top 5 WordPress Security Vulnerabilities

Infographic courtesy of iThemes

9 Essential WordPress Security Tips

Let’s start our essential WordPress security tips by taking a look at the precautionary steps you must take to prevent hackers from breaking into your WordPress site. As we mentioned at the beginning of this post; implementing these WordPress security tips simply takes a little time and some common sense!

1 – Focus on WordPress Login Security

We begin our WordPress security tips with an area unfortunately often overlooked by website owners. The easiest and most common way hackers gain access to any WordPress website is through insecure logins. Here are 5 simple rules every WordPress website must follow.

Infographic courtesy of iThemes
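Insecure logins are usually found the hard way: a bot tries password after password against wp-login.php. You can see that in your web server's access log before any plugin tells you. The script below is an added example (not code from this post or from any plugin it names) that flags client addresses making repeated failed login attempts inside a one-minute window. It assumes the standard Apache/nginx "combined" log format and the commonly observed WordPress behaviour that a failed login POST re-renders the form with HTTP 200 while a successful one redirects with HTTP 302; the log lines themselves are constructed samples.

```python
"""Spot password guessing against the WordPress login in a web server access log.

Added example, not from the post. Assumes the Apache/nginx "combined" log format and that a
failed POST to wp-login.php returns HTTP 200 (the form again) while success returns 302.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Only the fields the detector needs are captured from each log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATHS = {"/wp-login.php"}

# Constructed sample: one client fails six logins inside a minute, a normal visitor browses
# and logs in successfully (302), then the first client retries once, long after the window.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line, or None for a line in some other format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    return rec["method"] == "POST" and rec["path"] in LOGIN_PATHS and rec["status"] == 200


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each client IP that reached `threshold` failed logins inside any `window`
    to the largest number of failures it managed in one window."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        attempts = recent[rec["ip"]]
        attempts.append(rec["ts"])
        while rec["ts"] - attempts[0] > window:  # slide the window forward
            attempts.popleft()
        if len(attempts) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(attempts))
    return flagged


if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within one minute; rate-limit or block this client")
```

On the sample, 203.0.113.7 is reported with six failures; the visitor who logged in once is not, and the late retry at 10:02:30 falls outside the window and does not raise the count. In practice you would feed the script your live access log and hand the flagged addresses to your firewall or a login-limiting plugin.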

2 – Use Strong Passwords

This is one of the most common security flaws our team comes across, and we are starting our list of essential WordPress security tips here. Folks, we hate to tell you this (again!!), but MyPassWord, LetMeIn, 123456, or anything like that is NOT SECURE! Do you really believe hackers are that stupid? In that case, you deserve to have your WordPress site hacked!

If you want to prevent easy access to your WordPress site, you MUST use strong passwords and change them often. If you can’t come up with suitable passwords on your own we highly recommend you use one of the top free password managers for 2019.

Here are some more WordPress security tips to protect your WordPress login information:

Frequently change your WordPress login password. We recommend doing this at least every few weeks.
Don’t use the same password over and over. Be sure to create a unique password for each site and application.
Create a strong password that has a minimum of 12 characters, including numbers, upper and lowercase letters, and at least one special character such as “#”, “%”, “_” or “$”.

BONUS TIP: These WordPress security tips are also useful for your hosting account or FTP account password.

3 – Use Strong User Names

Next on our list of essential WordPress security tips are user names. And once again, user names like Admin, Admin123, User, or anything like that are just not going to cut it! We also recommend that you don’t use your own name, or the name of a department (Finance, Sales, etc.) as your user name.

Instead, you should create user names that have meaning for you, as that will make them easier to remember. But make sure they do not include any info that is known to others. One of our clients used BestBossEver. He may well have been, but we still talked him out of it.
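The password rules in tip 2 and the user-name rules in tip 3 are easy to enforce mechanically. The following added example (our illustration for this page, not code from the post or from WordPress itself) checks a proposed user name and password against those rules: minimum length, mixed case, a digit, a special character, no known-weak value such as MyPassWord or LetMeIn, no default name such as Admin or Admin123, and no publicly known name embedded in the user name. The weak-password and weak-user-name lists are short constructed stand-ins; a real deployment would check against a large breached-password list.

```python
"""Check a WordPress user name and password against the rules in this post.

Added example, not from the post. The weak-value lists are short, constructed stand-ins.
"""
import re
import string

MIN_LENGTH = 12
SPECIALS = set(string.punctuation)  # includes "#", "%", "_" and "$"

# The examples the post calls out plus a few obvious variants (constructed list).
WEAK_PASSWORDS = {"mypassword", "letmein", "123456", "password", "qwerty", "welcome"}
# Default, generic and department-style names the post says not to use (constructed list).
WEAK_USERNAMES = {"admin", "administrator", "user", "root", "test", "finance", "sales", "marketing"}


def _strip_trailing_digits(value):
    """'Admin123' -> 'admin', so a numeric suffix does not disguise a weak choice."""
    return re.sub(r"\d+$", "", value.lower())


def password_problems(password, username=None):
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if _strip_trailing_digits(password) in WEAK_PASSWORDS:
        problems.append("appears on the weak-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def username_problems(username, public_names=()):
    """Flag default or generic names, and names that embed information others already
    know (owner's name, department, company), supplied by the caller as `public_names`."""
    problems = []
    if _strip_trailing_digits(username) in WEAK_USERNAMES:
        problems.append("generic or default user name")
    for name in public_names:
        if name and name.lower() in username.lower():
            problems.append(f"contains publicly known name '{name}'")
    return problems


def check_credentials(username, password, public_names=()):
    """Run both checks; refuse the account unless both lists come back empty."""
    return {
        "username": username_problems(username, public_names),
        "password": password_problems(password, username),
    }


if __name__ == "__main__":
    for user, pw in [("Admin123", "LetMeIn"), ("vault-keeper-42", "Tr0ub4dor&3rdFloor!")]:
        print(user, check_credentials(user, pw, public_names=("Jane Doe", "Finance")))
```

Run as a script it shows the weak pair failing on several rules and the second pair passing. The `public_names` list is where you put the owner's name, the company name and department names, since the code cannot otherwise know what is public knowledge about your business.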

4 – Update WordPress to the Latest Version

As of the date of this post, the current version of WordPress is 5.1, which is used by about 22% of all WordPress sites. Another 18% use the earlier version, WordPress 5.0. Yet according to WordPress, one-third of all WordPress sites are still using WP 4.9, and the rest of WordPress owners are even further behind! That is 60% of all WordPress sites and presents a huge opportunity for hackers.

Many people fail to update WordPress to the latest version, either because they are unaware that an update is available or because they forget about it. This exposes them to a lot of security threats, as each new update comes with new bug fixes and security patches. Since WordPress powers millions and millions of websites, this poses a serious security risk to a significant number of them.

5 – Don’t Use Free WordPress Themes

While this is a tempting option, especially for small or new business owners, we have to warn you against using a free WordPress theme or template. Not only are you unlikely to get much, if any, support from the theme developer, but free themes or templates often contain security loopholes that will leave your site vulnerable to attacks. Instead, our WordPress security tips include either having a professional WordPress designer or agency build your site, or purchasing a WordPress theme from a reputable theme repository.

6 – Update Your Hosting Server to PHP 7.2

While not directly related to WordPress, this is still an important WordPress security tip. PHP is the server-side programming language that WordPress is written in and that your web server executes. And as with anything software related, newer versions offer greater performance and enhanced security. The current version of PHP is 7.2. Yet the majority of websites still run on outdated PHP 5.6. As of December 2018, all support for PHP version 5.6 has officially ended. This means that in 2019 over 60% of websites will face increased security risks. Don’t let your WordPress site be one of them!
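Tips 4 and 6 both come down to the same check: what version is the site actually running, and is it below the current release? The script below is an added example (not from the post) that reads the WordPress version from the contents of wp-includes/version.php and the PHP version from the first line of `php -v` output, then compares both against the versions this post names as current (WordPress 5.1, PHP 7.2). It compares versions as numeric tuples rather than strings, which matters because as strings "5.10" sorts before "5.9". The version.php excerpt and the `php -v` banner are constructed samples standing in for the real file and command.

```python
"""Compare the WordPress and PHP versions a site runs against the minimums this post names.

Added example, not from the post. SAMPLE_VERSION_PHP and SAMPLE_PHP_BANNER are constructed
stand-ins for the real wp-includes/version.php and the output of `php -v`.
"""
import re

MINIMUMS = {"wordpress": "5.1", "php": "7.2"}

SAMPLE_VERSION_PHP = "<?php\n// excerpt of wp-includes/version.php (constructed)\n$wp_version = '4.9.10';\n"
SAMPLE_PHP_BANNER = "PHP 5.6.40 (cli) (built: Jan  1 2019 00:00:00)\n"


def parse_version(text):
    """'5.1' -> (5, 1, 0). Tuples compare numerically, avoiding the '5.10' < '5.9' string pitfall."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def wordpress_version(version_php_text):
    """Read the $wp_version assignment from the contents of wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]", version_php_text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def php_version(php_v_output):
    """Read the version from the first line printed by `php -v`."""
    m = re.match(r"PHP\s+(\S+)", php_v_output)
    if not m:
        raise ValueError("unrecognised php -v output")
    return m.group(1)


def is_outdated(found, minimum):
    return parse_version(found) < parse_version(minimum)


def check_site(version_php_text, php_v_output):
    """Return {component: (version found, outdated?)} for WordPress and PHP."""
    wp, php = wordpress_version(version_php_text), php_version(php_v_output)
    return {
        "wordpress": (wp, is_outdated(wp, MINIMUMS["wordpress"])),
        "php": (php, is_outdated(php, MINIMUMS["php"])),
    }


if __name__ == "__main__":
    for component, (found, outdated) in check_site(SAMPLE_VERSION_PHP, SAMPLE_PHP_BANNER).items():
        print(f"{component}: {found} (minimum {MINIMUMS[component]}) - {'UPDATE NEEDED' if outdated else 'ok'}")
```

On a live server you would pass `open("wp-includes/version.php").read()` and the output of `php -v` to `check_site()`; the sample values show a site on WordPress 4.9.10 and PHP 5.6.40, both flagged as outdated. Update `MINIMUMS` as new releases ship.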

7 – Create Frequent Offsite Backups

Next on our list of WordPress security tips are backups. Most website owners realize the importance of backing up their websites, but most of them fail to do so. While backups don’t protect your WordPress website from malicious intrusions, they do serve a purpose here.

Because no matter how many security measures you take, there is always a chance your WordPress website will get hacked. And once your WordPress website has been compromised you may not be able to restore it without a backup.

For that simple reason, having a recent backup of your WordPress site is essential. Many WordPress hosting providers offer regular backups as part of their hosting plans. And backups are also a part of WordPress website maintenance plans offered by service providers. Of course, you can always use one of these popular WordPress plugins to schedule your own backups.
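A backup you have never restored is only a hope. The script below is an added example (not from the post or from any hosting provider or plugin it mentions) that archives the site directory together with a database dump file into a timestamped tar.gz, writes a SHA-256 manifest beside it, and then proves the archive is restorable by extracting it into scratch space and checking every file against the manifest. The sample site is constructed in a temporary directory; in real use `site_root` is the WordPress document root, `db_dump` is the output of mysqldump, and the archive plus manifest are what you copy offsite.

```python
"""Create an offsite-ready WordPress backup and verify that it restores intact.

Added example, not from the post. demo() builds a constructed site tree in a temporary
directory; in real use point create_backup() at the document root and a mysqldump file.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> SHA-256 for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(site_root, backup_dir, db_dump=None):
    """Write wp-backup-<stamp>.tar.gz plus a JSON manifest; return both paths."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = Path(backup_dir) / f"wp-backup-{stamp}.tar.gz"
    files = {f"site/{rel}": digest for rel, digest in build_manifest(site_root).items()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_root), arcname="site")
        if db_dump is not None:
            tar.add(str(db_dump), arcname="database.sql")
            files["database.sql"] = sha256_file(db_dump)
    manifest = Path(f"{archive}.manifest.json")
    manifest.write_text(json.dumps({"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest


def verify_backup(archive, manifest):
    """Return (ok, problems): restore into scratch space and compare with the manifest."""
    meta = json.loads(Path(manifest).read_text())
    if sha256_file(archive) != meta["archive_sha256"]:
        return False, ["archive checksum mismatch (corrupted or truncated copy)"]
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive) as tar:
            try:
                tar.extractall(scratch, filter="data")  # safe extraction filter where available
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
        restored = build_manifest(scratch)
    problems = [f"missing: {f}" for f in meta["files"] if f not in restored]
    problems += [f"changed: {f}" for f, h in meta["files"].items() if f in restored and restored[f] != h]
    return not problems, problems


def demo():
    """Back up a constructed site, verify it, then truncate the archive and verify again."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'example'); // constructed\n")
        (site / "wp-content" / "uploads" / "logo.txt").write_text("constructed sample upload\n")
        dump = Path(work) / "db.sql"
        dump.write_text("-- constructed stand-in for mysqldump output\n")
        backups = Path(work) / "backups"
        backups.mkdir()
        archive, manifest = create_backup(site, backups, db_dump=dump)
        ok_before, _ = verify_backup(archive, manifest)
        archive.write_bytes(archive.read_bytes()[:-1])  # simulate an interrupted offsite transfer
        ok_after, _ = verify_backup(archive, manifest)
        return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run `verify_backup()` against the copy that actually lives offsite, not the local one, since a transfer that stops one byte short leaves you with an archive that looks fine until the day you need it.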

8 – Install WordPress Security Plugins

In general, WordPress as a platform or CMS is extremely secure. But many WordPress themes and plugins you install on it are not. This is especially true for free themes and plugins, which we recommend you avoid at all costs! They usually contain gateways to your WordPress website that hackers can exploit. And before you know it, your WordPress site is hacked and blacklisted by Google.

For this reason, it’s important to regularly scan your WordPress sites for malware and other malicious forms of code. In addition, it’s also equally important to actively check your website for any incoming threats as well. Therefore, installing a WordPress security plugin is one of our essential WordPress security tips.

Right now, the two best WordPress security plugins are Wordfence and Sucuri. Both offer great security features such as scheduled malware scanning, real-time IP monitoring, spam detection and much more. Both of them have free and subscription plans which you can subscribe to.

While the free versions are certainly adequate for personal blogs and small commercial WordPress sites, we recommend the paid plans for extra security. The yearly cost is a fraction of what it will cost to restore a hacked site or e-commerce store.

9 – Install WordPress Monitoring Software

The sooner you learn that something is amiss on your WordPress website, the sooner you can take steps to protect it. Therefore we want to include installing site monitoring software as part of our WordPress security tips. The simplest way to do this is through the extremely useful Jetpack plugin. Simply install and activate it on your site, and it will alert you if anything is amiss, such as your site being down. Here are some other WordPress monitoring tools for you to consider.
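Uptime monitoring tells you when the site is down; it does not tell you when a file has been altered. The scanning that tip 8 recommends and the alerting of tip 9 both rest on a simpler idea you can run yourself: record a baseline of file hashes, take a fresh snapshot later, and report anything added, removed or modified. The script below is an added example (not from the post, not Jetpack, Wordfence or Sucuri code) that does exactly that and additionally flags PHP files under wp-content/uploads, a directory that should only ever hold media. The site tree in `demo()` is constructed in a temporary directory; the ignored cache paths are an assumption about what changes during normal operation.

```python
"""Minimal file-change monitor for a WordPress document root.

Added example, not from the post. In real use: run snapshot() from cron against the document
root, keep the baseline somewhere the web server cannot write, and alert on a non-empty report.
"""
import hashlib
import tempfile
from pathlib import Path

# Paths that churn during normal operation and would otherwise generate noise (assumption).
IGNORE_PREFIXES = ("wp-content/cache/", "wp-content/uploads/cache/")
UPLOADS_PREFIX = "wp-content/uploads/"
CODE_SUFFIXES = (".php", ".phtml", ".php5")


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Relative POSIX path -> SHA-256 for every file under root, minus ignored paths."""
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if not rel.startswith(IGNORE_PREFIXES):
            result[rel] = sha256_file(p)
    return result


def diff_snapshots(baseline, current):
    """Files that appeared, disappeared or changed between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f]),
    }


def php_in_uploads(snap):
    """Executable code under uploads is a classic sign that the site has been compromised."""
    return sorted(f for f in snap if f.startswith(UPLOADS_PREFIX) and f.lower().endswith(CODE_SUFFIXES))


def demo():
    """Build a constructed site, baseline it, make some changes and report them."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads" / "2019").mkdir(parents=True)
        (root / "wp-content" / "cache").mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php // constructed core file\n")
        (root / "wp-content" / "uploads" / "2019" / "photo.txt").write_text("constructed upload\n")
        (root / "wp-content" / "uploads" / "2019" / "old.txt").write_text("constructed upload\n")
        baseline = snapshot(root)

        # Simulated changes since the baseline: a core file edited, code dropped into
        # uploads, an upload deleted, and harmless cache churn that should be ignored.
        (root / "wp-includes" / "functions.php").write_text("<?php // constructed core file, altered\n")
        (root / "wp-content" / "uploads" / "2019" / "image.php").write_text("<?php // constructed: code where only media belongs\n")
        (root / "wp-content" / "uploads" / "2019" / "old.txt").unlink()
        (root / "wp-content" / "cache" / "page.html").write_text("cache churn, ignored\n")

        current = snapshot(root)
        report = diff_snapshots(baseline, current)
        report["php_in_uploads"] = php_in_uploads(current)
        return report


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

A report that lists only the files you changed yourself (a plugin update, a new upload) is normal; a modified core file or a PHP file in uploads that you did not put there is the signal to take the site offline and restore from your last verified backup.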

Final Thoughts on WordPress Security

Once you have followed our essential WordPress security tips and implemented our recommendations on your WordPress site you will have greatly reduced the chances of your site getting hacked or compromised.

And even if your WordPress website or e-commerce store does get hacked, you can rest assured that you will be able to quickly restore your online presence to complete functionality and appearance.

But we do need to caution you. WordPress security needs to be an ongoing concern and effort of yours, not a one-time task. For this reason, we recommend that you keep our WordPress security tips in mind as you work on and update your site over time. That way you will always have a handy reference to keep your online presence safe and secure from outside threats and interference.

Do You Need Help with Our WordPress Security Tips?

Here at, we offer a full range of WordPress business website services, including WordPress web design and development, e-commerce solutions, search engine optimization, and technical support services. Contact us to learn more about our small business digital marketing services, and how our team can help you get a WordPress business website yourself.

Did You Implement These WordPress Security Tips?

Did you protect your WordPress site by implementing any of our WordPress security tips or strategies? Do you have any other WordPress security questions or concerns? Please feel free to let us know so our audience can benefit as well, and grab our feed so you don’t miss our next post! And feel free to share these essential WordPress security tips with your audience!

Thank you! We appreciate your help to end bad business websites, one pixel at a time!

By ESPRESSO Team Mobile-first experts translating innovative web design ideas into measurable business results! @ESPRESSOcreates