an icon representing a computer displaying a WordPress site on an orange background

6 WordPress Security Tips and Best Practices Every Site Owner Should Know

WordPress security is one of the most important topics for any site owner. Whether you’re managing a boutique eCommerce shop or 50 client sites, experiencing a security breach can mean a loss in time, money, and credibility—all things no one wants to face.

While there’s no “one-size-fits-all” security solution for every WordPress site, there are a few best practices that can make a big impact. In this article, we’ll explain why sites get hacked in the first place, share security tips that are easy to implement in your workflow. Here’s a quick overview.

Follow these WordPress security best practices to keep your site secure:

Ready to boost your WordPress site security? Let’s start at the beginning!

two men in blue shirts work in a white office space

Why do WordPress Sites Get Hacked?

Before we jump straight into WordPress security best practices, it can be helpful to understand why websites get hacked in the first place. Generally speaking, hackers tend to target websites for the following reasons:

  • To send spam emails through your site.
  • To steal your information, such as data, mailing lists, stored credit cards, etc.
  • To trick your site into installing malware on your users’ machines (or your own).

While a security event might feel like a personal attack, it’s often part of a larger scheme, such as a Distributed Denial of Service attack. Rather than target a single site, hackers might target the infrastructure your site is operating on, affecting numerous sites at once. That’s why it’s important to know some basic WordPress security standards, even if you’re just running a personal website.

In addition to the above, WordPress may be targeted specifically, simply due to its widespread popularity. Because it now powers more than 43% of all websites, WordPress is a large “area of opportunity” for online attackers.

But that alone shouldn’t be cause for alarm. WordPress is an open source CMS with a highly dedicated and involved community of contributors, which means there are a ton of people continuously working to improve the security of the platform.

A man wears glasses and works in a green room

The truth is that any website can experience a security issue at any time, and the same goes for sites built with WordPress. Luckily, there are several best practices you can implement to increase the security of your WordPress sites and make it far more difficult for hackers to mess things up.


6 WordPress Security Best Practices

1. Keep Your Themes, Plugins, and WordPress Version Up to Date

One of the easiest ways to give your site an extra security boost is to keep everything updated. While it might feel tedious to keep up with plugin updates (especially if you’re trying to manage multiple WordPress websites) those updates are published for a reason (which is often security-related).

If developers discover a vulnerability in their code, they’ll usually push an update to fix it. The longer your site uses the outdated version, the more likely it is to be targeted by hackers.

While it might take some time, staying up to date with all plugins, themes, and WordPress core updates is a great way to limit security risks. If you’re using a managed WordPress host, WordPress updates should be performed automatically, helping you stay on top of the latest updates to core.

When it comes to keeping your plugins updated, solutions such as Smart Plugin Manager automatically check your plugins for updates at a pre-scheduled time. Using machine learning and visual testing, Smart Plugin Manager also ensures that your site doesn’t break when updates occur.


2. Apply Username and Password Best Practices

There’s nothing new about this security tip, but it’s absolutely worth a reminder:

Use unique passwords. Use strong usernames. Use a password manager.

Hackers weren’t born yesterday; they know all the most common passwords and will test every single one with the username “admin.” So, do a quick audit.

  • Are your usernames hard to guess?
  • Are your passwords unique?
  • Have your passwords been updated recently?

If you’re feeling overwhelmed trying to remember all these login credentials, I highly recommend a password manager, such as 1Password. Not only will it help you create and store complex credentials, it makes logging into sites a breeze. (Especially if you’re working with a team!)


3. Limit Login Attempts

Now that your login credentials have been strengthened, take your login security a step further by limiting login attempts! This is one of the best ways to defend against brute force attacks trying to gain access to your site.

To limit login attempts, you can use a plugin like Limit Login Attempts, which will block any attempt to log into your site after three errors, putting a block on it for twenty minutes.

Three men discuss a security issue on a WordPress site

Sure, it might get in your own way if you forget your password, but that’s what password managers are for, remember?


4. Move the WordPress Login URL

Another way to make your WordPress site extra secure is to change the login page. It’s pretty common knowledge that to log into a site, you just add /wp-admin to the end of the URL. By changing the link, you effectively hide the entryway to your site, making it harder for hackers to find.

There are a variety of ways you can change your login URL, but the WPS Hide Login plugin is a good place to start! Just don’t forget what you change the URL to, and remember to share it with any other site collaborators or clients.


5. Use Two-Factor Authentication

Another great way to make your credentials more secure is to use two-factor authentication. This security method acts as a temporary second password that updates every 30 seconds or so. To gain access to your site, hackers would have to guess both your true password and the temporary security code within that 30 second timeframe, greatly increasing your chances of blocking them!

Two-factor authentication is great because you can use it with a variety of logins related to the sites you manage. For example, WP Engine allows you to enable two-factor authentication on your WordPress hosting account, and you can also add it to individual WordPress sites.


6. Add Captcha to Your Forms

As you’ve probably gathered, locking down your site’s login page is incredibly important. That isn’t the only form you should focus on, however. Don’t forget about blog comments, checkout pages, or any other open form on your website!

Each of these forms present opportunities for hackers to submit information to your site, such as malicious links in a comment. Even if it doesn’t directly affect your site’s performance, having shady links will create a confusing user experience, and may even hurt your business.

To prevent this type of activity, you can install a WordPress plugin like Google Captcha (reCAPTCHA) by BestWebSoft.


WordPress security is an important topic for each and every site owner to understand, and while it’s a constantly evolving area of focus, the tips and best practices above should provide a solid baseline for keeping your WordPress sites safe and secure.

Get started.

Build faster, protect your brand, and grow your business with a WordPress platform built to power remarkable online experiences.