How to Secure Your WordPress Website

WordPress websites are being hacked at an alarming rate, putting businesses and livelihoods in danger.

Yet WordPress itself is secure.

The problem is, most WordPress websites aren’t set up and maintained properly.

Note: The ‘How to Secure Your WordPress Website’ section applies to independent copies of WordPress downloaded from If you’re on, WP Engine, Webhive’s managed WordPress hosting, or any other managed WordPress hosting, then your hosting company is responsible for your WordPress security.

How to Secure Your WordPress Website

If your business depends on a WordPress website it’s essential that you have a solid backup and maintenance routine. We recommend:

  • Setting up automatic updates for plugins, themes and minor releases of WordPress.
  • Run regular, offsite backups.
  • Check regularly that your backups are running.
  • Perform regular plugin and theme audits. Replace any plugins and themes that do not support the current version of WordPress.
  • When a new major version of WordPress is released, immediately:
    1. Back up WordPress
    2. Upgrade

We also recommend that you:

  • Install a good WordPress firewall. We recommend Wordfence. There’s a free version but a premium licence gives the best protection.
  • Regularly check your firewall logs. Where necessary, blacklist attacking IP addresses.
  • Use a CDN (content delivery network) that blocks most brute force attacks, for example Cloudflare.
  • Make sure that WordPress is set up as described on the WordPress Hardening page.
  • Require that users use strong passwords. Wordfence has an option to force this.
  • Only install plugins and themes from the WordPress repository. If they’re listed on, they’ve been checked and passed.
  • Only use secure, quality web hosting. Avoid cheap hosting providers – they’re a disaster waiting to happen.
  • Install an SSL certificate and make sure that a green padlock appears when you view your website. Google likes SSL certificates and so do your readers.

How to Avoid Spam Comments and Emails on WordPress

To avoid spam comments and emails:

  • Install Google Recaptcha on your web forms. Contact Form 7 now includes special support for Recaptcha.
  • If you’re not using comments on your website, use the Disable Comments plugin to disable commenting site-wide.
  • If you are using comments on your website, activate an antispam plugin, for example Akismet.
  • Delete the ‘Hello World’ post and ‘Sample Page’ that come with WordPress.
  • Avoid ‘admin’ administrator users. If you have an ‘admin’ account, delete it! (Create another administrator account first!)
  • Avoid creating users with the same name as your domain. If your domain’s is, don’t create a user called ‘mydomain’! It’s too easy for hackers to guess!
  • Likewise, avoid creating users with your domain registrant’s name. Some hackers check the name of the person who registered a domain and try and crack that user account.
  • Avoid publishing email addresses in plain text on your website. Make sure you disguise them by changing the ‘@’ character.

Our WordPress Security Service

If you’d like help setting up and maintaining your WordPress Security, contact us for a quote.