There’s a reason why WordPress is the world’s most popular content management system: it’s easy to install (takes 5 minutes or less), fully customizable, offers a clean user interface, supports interchangeable plugins and themes, and it’s free.  Like most content management systems, though, it’s susceptible to malicious attacks when certain precautions are not taken. To learn how you can protect your WordPress site against such attacks, keep reading.


Create a Strong Password

Your first line of defense against malicious attacks is a strong password. According to an infographic published at, 8% of all compromised WordPress sites are the result of weak passwords. It’s certainly easier to reuse the same short, generic password across all of your online accounts, but doing so puts every one of those accounts, including your WordPress site, at risk of being hacked.

Here are some tips for choosing a secure WordPress password:

  • Use a combination of letters, numbers, and special characters.
  • Avoid reusing your WordPress password on other online accounts.
  • Use non-sequential numbers.
  • A strong password should consist of a minimum of eight characters.
  • If you have trouble remembering your login credentials, use a password manager such as LastPass or 1Password rather than storing them in text or Word files.

Dashboard > Users > Edit

Change Admin log-in Username and Passwords

Many of us forget to change our log-in on a regular basis. I am not suggesting you do this every week, but twice a year is a good start. If any member of your staff who was working on your website is let go, change the admin usernames and passwords for all accounts. Keep in mind that you can create a new admin user account in WordPress and then delete the old admin account. Create a new username and password; do not just change your password.

Dashboard > Users > Edit

Limit Login Attempts

A brute force attack involves the use of automated software to spam a variety of username and password combinations in an attempt to gain admin access to a website.

A plugin that limits failed login attempts can protect you from brute-force attacks.

After reaching the specified number of failed attempts, the attacker’s IP address will be denied further logins. Search the WordPress plugin marketplace for “limit logins,” and you should see several different plugins that serve this purpose.

Settings > Login Attempts
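To show what such a plugin does under the hood, here is a minimal WordPress plugin, added as an illustration and not code from this page or from any of the plugins it names, that counts failed logins per client IP in a transient and refuses further attempts once a threshold is reached. The threshold, the lockout window and the example_ll_* names are assumptions.

```php
<?php
/*
Plugin Name: Example Limit Logins (added illustration)
Description: Counts failed logins per client IP and blocks further attempts after a threshold.
*/

// Assumed policy: 5 failures within 15 minutes locks the address out for 15 minutes.
define('EXAMPLE_LL_MAX_ATTEMPTS', 5);
define('EXAMPLE_LL_WINDOW', 15 * MINUTE_IN_SECONDS);

// Key the counter on REMOTE_ADDR, the address the web server itself saw.
// Do not trust X-Forwarded-For here unless a proxy you control sets it;
// otherwise a client can supply any value and never trip the counter.
function example_ll_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_ll_' . md5($ip);
}

// Fires whenever WordPress rejects a login, including logins we reject
// below, so repeated attempts against a locked address keep it locked.
add_action('wp_login_failed', function ($username) {
    $key   = example_ll_key();
    $count = (int) get_transient($key);
    // The transient expiry doubles as the lockout window.
    set_transient($key, $count + 1, EXAMPLE_LL_WINDOW);
});

// Runs after WordPress's own password check (priority 20). A WP_Error
// returned here overrides a successful result, so a locked-out address
// cannot log in even with the correct password until the window expires.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(example_ll_key()) >= EXAMPLE_LL_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_ll_locked',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_ll_key());
}, 10, 2);
```

Because the counter lives in a transient, it is shared across all PHP workers on the site but is cleared if the object cache or the database row expires, which is acceptable for a lockout window this short.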

Update WordPress

Hackers often target blogs and websites running older versions of WordPress because they contain unfixed vulnerabilities. That is why it’s important to keep your site updated to the latest version.

WordPress introduced background (AKA automatic) updates in version 3.7 to promote greater security. By default, however, it only updates core files, plugins, themes and translations. Significant upgrades, such as WordPress 4.0 Benny, require manual updating.

Dashboard > Updates

Run WordPress Under HTTPS

HTTPS is the encrypted version of the unencrypted HTTP protocol. HTTPS encrypts all data sent between the WordPress web server and a user’s browser. Hackers have tools that can eavesdrop on and capture data transmitted between the web server and a browser.

If your site’s log-in page is not running under HTTPS, it is possible (although very rare) that hackers could capture the username and password you enter into your admin login form. With HTTPS, information transmitted between a computer and your web server is encrypted with strong encryption, making it virtually impossible for a hacker to gather this information.

Also, Google has announced they are increasing their SEO signal for sites running HTTPS. Read our articles about Google’s HTTPS announcement here and here.

Use WordPress Security Plugin

Security plugins add advanced security, but many WordPress owners are not familiar with them. Some security plugins are much more advanced than others. Be sure to review each security plugin and check with your WordPress hosting provider before you use any advanced feature.

If you contact your hosting provider and they cannot help you with questions regarding security plugin functions, consider looking for a business-level WordPress hosting service like WebWize and

A few security plugins worth looking at are: WordFence Security, BulletProof Security, iThemes Security, All in One WP Security & Firewall, and Secure.

Backup WordPress

Although backing up your WordPress site is not exactly a security measure, you should be backing up your website. In the unfortunate case that your site is hacked, having a backup copy of your site and the WordPress database is worth its weight in gold.

The last thing you want to do is to rebuild your website, especially from scratch. The time and cost to rebuild your site can run into the thousands or tens of thousands of dollars, not to mention your reputation if the hacker is very malicious.

Back up your WordPress site daily! BackupBuddy is probably the most well known WP backup plugin. If you need a free option, look at Ready! Backup.


Block WP-Admin Directory

Assuming you access the Internet via a static (not dynamic) IP address, you can prevent malicious attacks by blocking access to your wp-admin directory. The easiest way to accomplish this is by adding the following code to the .htaccess file in that directory.


# Place this in wp-admin/.htaccess so it restricts only that directory;
# in the site root it would lock visitors out of the whole site.
# Note that wp-admin/admin-ajax.php, used by some front-end features, is blocked too.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
# Apache 2.2 access-control syntax (on Apache 2.4 it needs mod_access_compat)
order deny,allow
deny from all
# Replace the placeholder below with your static IP address
allow from YOUR.STATIC.IP.ADDRESS


These are just a few of the many ways you can safeguard your WordPress site from malicious attacks. For more information on WordPress security, check out the guide published at

Or Contact WebWize At 713-416-7111

Before making a final decision on a Web Design Company, spend a few minutes on the phone with us.

About Glenn Brooks

Glenn Brooks is the founder of WebWize, Inc. WebWize has provided web design, development, hosting, SEO and email services since 1994. Glenn graduated from SWTSU with a degree in Commercial Art and worked in the advertising, marketing, and printing industries for 18 years before starting WebWize.