WordPress Security: A Simple, Non-Techy Guide

At the last count, there were easily more than a billion websites on the Internet. Over a third of those websites are powered by the leading CMS platforms: WordPress, Joomla, Drupal, and Magento.

Of those, more than 60% of websites are on WordPress alone. Sucuri found more than 11,000 infected websites, of which 75% were on WordPress. At least 50% of those infected websites were out of date (not updated).

WordPress accounts for a large share of all infected websites (77%), and as we write this, more vulnerabilities are being uncovered every day.

Note: the RevSlider plugin, Gravity Forms, and TimThumb have been the usual culprits behind compromised WordPress websites.

On another note, malware is the type of problem that goes unnoticed until you can no longer ignore it. More than 66% of all compromises had a PHP-based backdoor hidden in the site. On average, Sucuri fished out more than 132 infected files per compromised site.

If you use WordPress, you ought to be careful. Active management plays a key role in keeping your site safe.

But then, you have some housekeeping to do.

Pick Hosting with Care

It’s understandable that you’d jump at the next shared hosting offer you come across, but watch what you pick.

Your choice of hosting determines the foundation you’d give for your business. It wasn’t easy for me to change my host but when I did, I really saw the difference.

Web hosts like WPEngine and Flywheel provide active hacker control, malware protection, a robust security technology stack, a CDN, and more to keep your WordPress site secure.

Plus, you also get “staging areas” so that you don’t mess around with plugin and theme updates on a live site.

Please Update Your Site. How Hard Is That?

WordPress websites get compromised because owners don’t bother to update to the newest stable version of WordPress.

Use WPEngine or Flywheel and this is taken care of for you automatically. If you don’t, the responsibility lies on your shoulders. While you are at it, delete themes and plugins you don’t use.

Just keeping your WordPress core, themes, and plugins up to date goes a long way toward keeping out most of the junk that hits a website.

WordPress Login URL. Change it.

When you login to WordPress, the usual URL is http://myawesomewebsite.com/wp-login/.

That’s got to change: everyone knows that URL.

Use a plugin like Custom Login URL (CLU) or WPS Hide Login to change the URL to something else altogether (name it Wendy?), and then never share it with anyone except your team.

Limit Login Attempts

The Limit Login Attempts plugin adds a layer of security. Install this plugin when you install WordPress. Limit Login Attempts caps the number of login attempts, which takes care of hackers who have nothing better to do than try to log into your site over and over.

It also keeps out bots and acts as a front-line defense, automatically blocking brute-force attacks.
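
To show what a login limiter actually does under the hood, here is an added example of a small must-use plugin (drop it into wp-content/mu-plugins/). It is not the code of Limit Login Attempts or of any other plugin named in this post; it only uses standard WordPress hooks (wp_login_failed, authenticate) and transients. The thresholds, the prefix sla_, and the function name are assumptions chosen for the example.

```php
<?php
/**
 * Plugin Name: Simple Login Attempt Limiter (added example)
 *
 * Counts failed logins per client address and refuses further attempts
 * for a cooling-off period once the limit is reached. All thresholds
 * below are assumptions for the example, not values from the article.
 */

const SLA_MAX_FAILURES    = 5;       // failures allowed before lockout (assumed)
const SLA_WINDOW_SECONDS  = 15 * 60; // failures are counted within 15 minutes (assumed)
const SLA_LOCKOUT_SECONDS = 30 * 60; // lockout lasts 30 minutes (assumed)

// Transient key derived from the client address. Behind a proxy or CDN,
// REMOTE_ADDR is the proxy, so a real deployment must resolve the true
// client address first; this example deliberately does not.
function sla_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'sla_' . md5( $ip );
}

// WordPress fires wp_login_failed with the username that was tried.
add_action( 'wp_login_failed', function ( $username ) {
    $key = sla_client_key();

    // Attempts made during an active lockout are already refused below;
    // do not let them extend the lockout indefinitely.
    if ( get_transient( $key . '_lock' ) ) {
        return;
    }

    $failures = (int) get_transient( $key . '_fail' ) + 1;
    set_transient( $key . '_fail', $failures, SLA_WINDOW_SECONDS );

    if ( $failures >= SLA_MAX_FAILURES ) {
        set_transient( $key . '_lock', time() + SLA_LOCKOUT_SECONDS, SLA_LOCKOUT_SECONDS );
        delete_transient( $key . '_fail' );
        // Leave a trace for whoever reads the server log.
        error_log( sprintf(
            'login lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $failures,
            $username
        ) );
    }
} );

// Refuse authentication while a lockout is active. Priority 30 runs after
// WordPress's own username/password checks at priority 20.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $until = get_transient( sla_client_key() . '_lock' );
    if ( $until && $until > time() ) {
        $wait = (int) ceil( ( $until - time() ) / 60 );
        return new WP_Error(
            'sla_locked_out',
            sprintf( 'Too many failed login attempts. Try again in about %d minute(s).', $wait )
        );
    }
    return $user;
}, 30, 3 );
```

Two things to keep in mind if you adapt this: keying on the client address means a whole office behind one NAT address gets locked out together, and transients stored in the database are cleared when the object cache is flushed, so the counters are best-effort rather than a hard guarantee. The plugins mentioned above handle these cases for you; the point of the example is only to show the shape of the mechanism.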

Change the WordPress Default Database Prefix

This step is only recommended if your website is a new WordPress install. Changing the default database prefix on an existing site could be disastrous and affect your entire website (or even kill it). I know, because it happened to me.

The generic WordPress table prefix (wp_, so every table looks like wp_xxx) is also a well-known route for hacking into your website. Instead of using this generic prefix, customize it to anything else you like, such as kl_ or wl_ or whatever.
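
Both the update advice above and the prefix change come down to a couple of lines in wp-config.php, which the post does not show. The excerpt below is an added example, not text from the post or from the WordPress installer; the prefix kl_ is an arbitrary value chosen here, and the rest of the file (database credentials, salts, the closing require of wp-settings.php) is left as the installer wrote it.

```php
<?php
// wp-config.php excerpt (added example). Only the two settings discussed
// in the post are shown; everything else in the file stays unchanged.

// The prefix every fresh WordPress install ships with:
// $table_prefix = 'wp_';
//
// On a NEW install, change it before running the installer; every table is
// then created with this prefix (kl_posts, kl_users, kl_options, ...).
// On an existing site this line alone is not enough: the tables themselves,
// the '<prefix>user_roles' option and the per-user '<prefix>capabilities'
// meta keys would all have to be renamed as well, which is why the post
// says to do this only on a fresh install.
$table_prefix = 'kl_';

// Let WordPress apply core updates on its own. Minor and security releases
// are applied automatically by default; true also enables major releases.
// Use 'minor' to keep only the default behaviour explicitly.
define( 'WP_AUTO_UPDATE_CORE', true );
```

Plugin and theme updates are not controlled from wp-config.php: newer WordPress versions offer an "Enable auto-updates" link per plugin and theme in the admin screens, and the auto_update_plugin and auto_update_theme filters can switch them on from a plugin file. Whichever route you take, the post's advice still stands: test updates on a staging copy first.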

Get Security for WordPress

The trouble with things like security and insurance is that their real importance doesn’t come to light until disaster strikes. By then, it’s usually too late.

Pick up a plugin like Sucuri to build a fortress around your WordPress website. Sucuri protects your website from DDoS and brute-force attacks and from repeated infections and reinfections, and stops hackers in their tracks when they attempt to exploit vulnerabilities.

Say No to Random Themes or Plugins

Brenda Barron of the WPMU Dev Blog reveals that of the ten most vulnerable plugins, five were commercial plugins available for purchase.

If paid plugins can be that bad, how good would the “free” ones be?

The WordPress core itself is stable (Automattic takes care of that), but anything else you bring home to your WordPress website is your responsibility.

Test out plugins you purchase (or download) on a staging site first, and only then push them to the live site. Get hosted with Flywheel or WPEngine if you want staging functionality.

How secure is your WordPress?
