How to keep your WordPress site secure

The chances are that if you have a website you’re (somewhat) familiar with WordPress. As of June 2021, the market share of major sites using the free blogging software turned website content management system was nearly 42%. With its customisable nature and extensive range of plugins, its popularity comes as little surprise. 

However, its universality hasn’t gone unnoticed by cybercriminals. It’s estimated that 86 billion password hacking attempts were blocked by the platform’s firewall in the first half of last year. So what kind of attacks should you be aware of, and how can you prevent them? This blog will arm you with four tips to keep your WordPress site secure.

1) Adopt secure login procedures

The temptation to use the same decades-old password for everything is strong. However, doing so puts your WordPress site at risk of these three common attacks:

  • Credential stuffing attack: criminals targeting WordPress sites often use lists of compromised passwords in their attempts to breach a site’s security. If you or your customers reuse passwords across multiple sites (or use predictable ones) there’s a higher chance of them becoming compromised. Once your password has been stolen, criminals can store it and use it to access your data elsewhere.
  • Dictionary attack: following this technique, hackers use a list of dictionary words to guess someone’s password and gain access to their accounts. This approach is surprisingly effective, as many people use weak passwords that lack complexity.
  • Brute force attack: this refers to randomly guessing a password using a combination of numbers, letters, cases, and characters. 

Hackers and their software can easily guess nicknames, addresses, birthdays, and pets. A lack of predictability is therefore vital for throwing them off. Switching between cases, and using special characters or numbers is a simple way to make passwords stronger. You can also use online tools to help with this. Using two-factor authentication and adding a captcha are further ways to keep your WordPress site secure. 

2) Use the latest version of WordPress 

It’s easy to ignore the reminders to upgrade WordPress – but doing so can jeopardise your site’s security. 

Older versions of the software are more likely to have weaknesses which hackers can exploit. One of the reasons that WordPress developers update their system regularly is to remove these security flaws. So, if you want to keep your WordPress site secure, it makes sense to make sure it’s up to date!

Before updating your software, it’s best to back up your website first. You should also ensure that your WordPress plugins will work with the latest update – if they won’t, you might need to update them. Ideally, you should be doing this regularly regardless, as out-of-date plugins are targets for hackers – the same applies for your WordPress themes and templates.

3) Obtain a Secure Socket Layer (SSL) certificate

An SSL certificate offers your site’s users a secure connection that allows for safe browsing. SSL prevents cybercriminals from reading data passed between a web browser and a web server by encrypting it. You can purchase an SSL certificate, but many hosting providers will supply one for free (or at a discounted rate).

As well as helping improve overall security, it shows your site’s visitors that you take security (and their data) seriously. On top of this, it improves your site’s ranking in Google, so it really is a bit of a no-brainer!

4) Install a security plugin

Equipping your site with a reputable security plugin will go a long way to help keep your WordPress site secure. Doing so will do much of the ‘manual’ security work for you, including defending your site against brute force attacks, malware and spam. WordFence Security and iThemes Security are two free plugins that we’ve used ourselves. They both come packed with additional security measures above and beyond the standard features of WordPress. Sucuri is another great example of such a plugin, although it’s provided via a paid subscription. More information on how to install WordPress plugins can be found here.


Runner-up in the 2017 Scottish Cyber Awards ‘Best new cyber talent’ category, NSDesign is well-placed to help your business boost its cybersecurity credentials! To find out more about our cybersecurity services, including our ‘Cyber Security Essentials’ training, get in touch with our friendly team today.

Share this on social media...