Every website owner is concerned about its privacy and security. However, not everyone does necessary things to prevent cyber criminal attacks which might lead to the loss of data or the website itself.

There are some rumors that WordPress is an unsafe platform and has lots of gaps in its security infrastructure. If we’d take a look at the data of hacked sites in 2018, more than 90% of all hacked sites were based on WordPress (it rose by 7% comparing 2017 vs. 2018).

The goal of this article is to introduce you to five main steps you, as a site owner or admin should do to secure your WordPress website. After completing these steps, you will also minimize the chances to lose any website-related data or the website itself.

Two-factor authentication for the log-in.

As people are using different social media websites, banking, email services, it is already usual to have a 2FA set-up to secure your personal profile(s). If your website’s security is a concern, you should definitely implement a 2FA for the WP-Admin login page as well.

Just to let you know, no super hard coding is needed and everything can be done with the help of the Google Authenticator app. The app will send you a one-time use secret code directly to your phone every time you’re willing to log in to the admin panel. In that case, you will be aware of when someone is trying to log in to your site without your knowledge..

Secure Socket Layer (SSL) implementation to your WordPress site.

Secure Socket Layer (also known as SSL) implementation is one of the first things you should do after launching a new site. SSL protocol is something similar to a VPN (virtual private network): it creates a secure tunnel between two devices or servers operating over the internet. Also, keep in mind that SSL implementation will change your website’s address: it will turn to HTTPS://yoursite. Letter “S” in https stands for “secure”

Without SSL certificate, all the data that is moving inside your website is delivered in plain text, and that is extremely dangerous. It can be intercepted by hackers without any effort and we don’t want that, don’t we?

It is also important to know that having your site secured might change your ranking on Google: fast and secure websites are always ranked higher in the search results. I personally recommend using a plug-in called “Really Simple SSL”, as it will allow you to secure your site with only a few clicks.

Have a custom username

Once you are creating a WordPress website, it will by default offer you to have “admin” as a username. With this easy-guessed and most often used username, you and your site will be a real snack for the hackers if they will try to sneak into your site. We recommend having something different or not so easy to guess such as an email or a nickname you are not using anywhere.

We also suggest you to set-up a limit of login attempts. To do so, install WP Login limit plug-in, then go to go to Settings -> Login Limit Attempts and set your own rules. After that, users would get a temporary block if they try to log-in with the wrong credentials for a few times.

After finishing these two updates, you would minimize the risk of being hacked and it will be way harder to “brute-force” your password once the username is unknown.

Have a back-up of your site

If your website works smoothly it doesn’t mean it will stay like that all the time. No matter how secure it is, you never know what might happen. What to do in order to prepare for the worst? By saying “the worst”, we have a loss of the website in mind.

Website’s back-up is a thing you should definitely do at least once a month or a week, depending on how much content you have. Big organizations have automatic back-ups every hour or two, but if you’re a blogger having an off-site back-up at least once a week is a good idea.

There are many plug-ins that might help you to have a back-up of your site and we recommend taking a look at these:

– VaultPress
– BlogVault
– UpdraftPlus
– Codeguard

Having a back-up of your site will allow you to restore all the data in case of a hack or other cyber-threat. Once you make a decision and have website backup software in place, you’ll only need to turn it on and configure once. Select your web property that you’d like backed up, choose the frequency (how often you want it to do those back-ups) and that is it. The application will run in the background, backing up data in your site to your preferred locations.

Spend some time while choosing a hosting provider

Before ordering hosting services, spend some time to do research about a preferred provider. Leading hosting companies should provide extra features to your website’s security. Of course, we all want to save money, but in some cases, cheap hosting providers might ruin your plans with unexpected issues: URL redirects, data loss, data leaks, etc.

Do a little research on which hosting companies work the best with WordPress as there are lots of reviews and unbiased opinions about each hosting provider. We suggest you choose a provider who did not have any data leak scandals and can provide you a 24/7 customer support via phone, email or chat.


The security of your WordPress site is definitely one of the crucial parts of a website. If you don’t pay enough attention, it might lead to a big loss sometime in the future. Keep in mind that you don’t have to be “big” to draw hacker attention and it is better to be safe than sorry. There are many advanced solutions on how to secure your WordPress site, but we suggest you to go through at least these five simple steps in order to feel calm and confident about your website’s security. Here are 10 additional ways to help secure your WordPress website once you have completed the list above!

Andrew Palmer on FacebookAndrew Palmer on Twitter
Andrew Palmer
Andrew is the founder of Elegant Marketplace.