If you care about your WordPress website, you need to learn how to protect it from getting hacked. In this article, we share the best website security measures you should know.

Before we start talking about WordPress security, we’d like to ask – how would you secure your home? Would you wait for burglars to strike before installing a security system, or would you take proactive action and install a security system beforehand to thwart a potential burglary?  

How do you secure your home? Securing websites follows the same principles.

This might seem like a silly question because the answer is obvious: you install the security system beforehand. And though this is a similar situation for websites, most website owners fail to recognize the importance of preventive website security.

Unfortunately, it is not hard for hackers to break into websites. Nor do they care about the size of the website – all they need is a website with vulnerabilities that they can exploit to spread their net wider on the internet. 

Now, what are these common vulnerabilities, and how do you fix them? You can address them with a series of security measures that are easy to execute and implement to improve your WordPress site’s security posture. So, let’s dig a little deeper and see what these are and how to implement them on your website!

How to secure your WordPress website?

To put it simply, securing your website is just like securing your home with surveillance systems, security alarms, and security lockers to protect your cash or jewelry. In other words, you need a rock-solid line of defense that can deter the best of hackers. Security professionals call this “WordPress Hardening”.

We recommend a total of eight website security measures, five of which are primary and highly recommended and the remaining three as secondary measures. 

Here is the complete list:

Now, let’s discuss why they are needed and how you can implement them.

Essential Security Measures

1. Enforce strong passwords 

Now, you might think this is obvious, so why do we need to mention it? That is because WP site users continue to configure weak passwords like “password,” “123456,” and so on for their login accounts. This makes it easier for hackers to break into a user’s login account and take control of it.

Among the common attacks on login pages, brute force attacks are specifically designed to guess username-password combinations using automated bots. How do you implement this measure, then? 

First and foremost, ensure that all your website users configure 8-to-10-character passwords, with a mix of uppercase and lowercase letters, numbers, and special symbols. Another great way is to install a password manager tool that can be used to generate and store fresh passwords.

2. Update your WordPress components 

Hackers commonly target sites running old or outdated WordPress versions, as well as websites with obsolete plugins/themes. That is because older versions do not contain the security bug fixes and patches that are regularly released by the WP team or the respective plugin/theme developers.

Hence, as a primary security measure, ensure that your website only contains the latest or updated version, along with plugins/themes.

You can easily update your Core WordPress and all your installed plugins/themes from your hosting account or using any WP management tool. Follow our guide on how to safely update WordPress for complete peace of mind.

Additionally, remove from your installation any old or outdated plugins/themes that you are no longer using, or those that no longer receive any updates.

3. Secure your admin account 

In addition to targeting the login pages of regular users, hackers also target admin accounts using brute force attacks. This is because a successful hack into an admin account allows them to inflict the most damage to the backend files and database tables. This is like a burglar breaking into your locker box at home containing the most valuable things!

As a security measure, you need to safeguard your WordPress dashboard (aka wp-admin) by restricting easy access.

How do you do this? 

For a start, assign “admin” rights only to selected users whom you trust the most. For the rest, you can set lesser privileges.

Then, implement two-factor authentication (2FA), which is a proven safety standard for login pages. For 2FA, you can install plugins like Two Factor Authentication or a security plugin with that feature.

Thirdly, you can stop brute force attacks by restricting the number of failed login attempts. To do this, install a plugin like Limit Login Attempts or a security plugin with this feature.

4. Install an SSL certificate

Do you know that hackers commonly intercept data being transferred between your web server and the user’s browser? This data can include valuable information like personal data, financial transactions, or any such sensitive data. 

A website without SSL (not secure) vs a website with SSL (padlock icon)

The best defence against this practice is to encrypt the data being transferred, for which you need to move your website from the HTTP to the safer HTTPS protocol.

But how do you move to HTTPS? By installing an SSL (Secure Sockets Layer) certificate on your site.

The easiest way of obtaining an SSL certificate is from your web host provider. If that does not help, you need to install a third-party SSL plugin like Let’s Encrypt.

5. Install a malware scanning and removal tool 

And last but not least, you must invest in a malware scanning and removal tool to prevent future attacks. Most operations are automated and can be used to scan and clean your website in a few clicks. 

Security plugins such as MalCare and Wordfence automatically scan your website for any malware infections and even remove them from the site if found. These tools are specifically designed for WordPress and therefore can detect even new and unknown malware, and stop them from damaging your site. These tools can easily be activated just by installing a WordPress plugin.

MalCare is a premium security plugin which uses deep and intelligent scanning. A point to note is that the scans are run on MalCare’s own servers to avoid additional burden on your own website’s server. This also allows the scan to be in-depth and comprehensive to ensure it catches even the most sneaky malware. Learn more about MalCare’s plans at malcare.com.

After installing your security plugin, be sure to set up automated scans of your website to continuously monitor for malware and security issues.

Once you are done with all the five primary measures, it is time to consider a few more for bonus credits to your website security. 

1. Set up a web application firewall (WAF) 

How about a safety measure that can stop hackers before they even approach your site? Yes, that is what a web application firewall does. 

It monitors every IP request made to your web server and determines each request’s IP address. If the request has been made from a hacker’s computer or suspicious source, it blocks it from sending any further requests to your website. As a result, firewalls effectively keep away “harmful” bots and hackers from your site. 

How do you implement this? 

Our web host Kinsta has an in-depth guide on what firewalls are and picking the best one for your situation.

2. Create a complete backup 

Though not precisely a security measure, backups are the first things you wish for after a successful hack or crash. That is because backups can help you restore both your website and database files so that you have no website downtime. 

Depending on your security needs, you need to develop a reliable WordPress backup strategy: daily, weekly, or monthly backups of both website and database, or real-time backups, which are useful for WooCommerce sites.

There are many ways of performing a backup, but the easiest and most efficient method is by using backup plugins like BlogVault or the free UpdraftPlus plugin. Easy to install, these plugins automate the entire backup and restore process and can be executed by any novice user.

3. Maintain an Audit log for your website 

The final website security measure is to maintain an audit log that can record every user activity, be it signing in or out, file additions or modifications, and tool installs on your website. 

Additionally, audit log tools send out immediate notifications when any critical change or suspicious activity is recorded.

How do you implement this measure? 

Install the WP Activity Log or Simple History plugin for tracking and monitoring your website activity. Along with security, these plugins can help in improving user accountability and productivity.


While a cliché, the saying “Prevention is always better than cure” is a golden rule to remember when it comes to WP security. In other words, you should not wait until your website is hacked to implement each of the hardening measures outlined in this article. 

As a proactive step, these eight security/hardening measures can significantly lower your site’s risk of getting hacked by adding more layers of security.

What do you make of these eight security measures? Do you think they are enough or have we missed out on anything important? 

We would love to hear your thoughts, so do let us know in the comments below.

Picture credit: @stories on freepik