The popularity of WordPress makes it a frequent target for hackers. The WordPress community does a fantastic job of keeping WordPress secure. However, this is only part of the picture.

Users are still the most significant vulnerability in WordPress. In this post, I’m going to go through some of the simple things you can do to keep WordPress websites secure.

Use a password manager

The first and most important line of defence is a strong password. Using long, complicated and unique passwords will dramatically increase how secure your WordPress login is.

The easiest way to manage lots of unique passwords is to use a reputable password manager. Most good password managers can also generate strong passwords for you. I use and highly recommend 1Password.com.

Keep WordPress, plugins and themes updated

One of the things that makes WordPress such a great content management system is the ecosystem of themes and plugins. However, all these plugins and themes need to be kept up to date. Failing to apply updates as and when they are released can leave a site exposed.

I generally recommend checking for outstanding updates once a week if you can. If this proves challenging, you might want to take out one of my WordPress Care Plans and let me take care of it for you.

Remove unused plugins and themes

Most WordPress sites will have themes and plugins that are not required. In some cases, plugins and themes get replaced by alternatives. Some plugins, such as migration plugins, are only needed for a one-off task and are left installed. Many plugins outlive their usefulness.

All plugins and themes can potentially introduce vulnerabilities. Leaving plugins and themes installed when you don’t need them increases that risk. This is true even when the plugins and themes are not active.

It is good practice to go through your plugins and themes periodically and remove any that you don’t need. In most cases, you can easily reinstall plugins if you need them again.
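The two checks described above (outstanding updates, and installed-but-inactive plugins and themes that are candidates for removal) can be scripted against the output of WP-CLI. The following is an added example, not code from the original post or from WordPress itself; it assumes a constructed sample of what `wp plugin list --format=json` prints (the field names `name`, `status`, `update` and `version` follow WP-CLI's defaults, and `update` is assumed to be either `none` or `available`).

```python
import json

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
# `wp theme list --format=json` produces the same shape and can be audited the same way.
SAMPLE_PLUGIN_LIST = """
[
  {"name": "akismet", "status": "active", "update": "available", "version": "4.1.9"},
  {"name": "all-in-one-wp-migration", "status": "inactive", "update": "none", "version": "7.30"},
  {"name": "contact-form-7", "status": "active", "update": "none", "version": "5.4"},
  {"name": "hello", "status": "inactive", "update": "available", "version": "1.7.2"},
  {"name": "object-cache", "status": "dropin", "update": "none", "version": ""}
]
"""


def parse_plugin_list(json_text: str) -> list:
    """Parse WP-CLI JSON output into a list of dicts, one per plugin."""
    return json.loads(json_text)


def outstanding_updates(plugins: list) -> list:
    """Names of plugins for which WP-CLI reports an available update."""
    return sorted(p["name"] for p in plugins if p.get("update") == "available")


def removal_candidates(plugins: list) -> list:
    """Installed but inactive plugins.

    Inactive plugins still ship code on the server and still need patching, so
    they are the first things to review for removal. Must-use plugins and drop-ins
    carry their own status values and are deliberately left out of this list.
    """
    return sorted(p["name"] for p in plugins if p.get("status") == "inactive")


def audit(json_text: str) -> dict:
    """Produce a small report: what needs updating, what is unused, and the overlap."""
    plugins = parse_plugin_list(json_text)
    needs_update = outstanding_updates(plugins)
    inactive = removal_candidates(plugins)
    return {
        "needs_update": needs_update,
        "inactive": inactive,
        # Inactive *and* out of date is the worst combination: unpatched code nobody uses.
        "inactive_and_outdated": sorted(set(needs_update) & set(inactive)),
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_PLUGIN_LIST).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

To run it against a real site, capture the list with `wp plugin list --format=json > plugins.json` and pass the file contents to `audit()`. The follow-up actions are the standard WP-CLI commands: `wp plugin update --all` for the first list and `wp plugin delete <name>` for anything in the second list that you have confirmed is no longer needed.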

Only use reputable and actively maintained plugins and themes

Another way to protect a WordPress site is to be careful what plugins and themes you install in the first place. Not all plugins and themes are created equal.

Reading the reviews and looking at the number of active installs will give you a good idea about how reliable a plugin or theme is. It is also worth doing some independent research online.

Checking how regularly new updates are released will give you a good idea of how well maintained it is. You can also check whether it is compatible with the current version of WordPress.

Use HTTPS / SSL

Another simple change that can increase the security of any website is to use an SSL certificate. An SSL certificate allows users to view your site over an encrypted HTTPS connection.

SSL certificates have become so important that there is a non-profit organisation called Let’s Encrypt that provides them for free. Let’s Encrypt is backed by many of the big tech companies, and most good web hosts will issue Let’s Encrypt SSL certificates at the click of a button.

Don’t share user logins

Another unfortunately common practice is for people to share WordPress logins. Sharing login details increases the risk that those details are intercepted. It also means that some users end up with more access than they need.

Having separate login details for everyone makes it far easier to control the access each person has.

Regularly review user access

Following on from the point above, it is also essential to periodically check the list of users and the access levels they have. It is common to come across websites where former employees still have access long after leaving the company.

There may also be cases where someone, such as a contractor, needs access to WordPress temporarily. If you give someone access, remember to remove it again once they no longer need it.
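A periodic access review is easier to do consistently when the site's user list is compared against a written roster of who is supposed to have access, and at what level. The following is an added example, not code from the original post or from WordPress; it assumes a constructed sample of `wp user list --format=json` output (WP-CLI's default fields `ID`, `user_login`, `user_email`, `user_registered` and `roles`, with `roles` assumed to be a comma-separated string) and a constructed roster.

```python
import json

# Constructed sample of `wp user list --format=json` output (not a real site).
SAMPLE_USER_LIST = """
[
  {"ID": 1, "user_login": "owner", "user_email": "owner@example.com",
   "user_registered": "2019-03-01 10:00:00", "roles": "administrator"},
  {"ID": 2, "user_login": "editor-jane", "user_email": "jane@example.com",
   "user_registered": "2020-05-12 09:30:00", "roles": "editor"},
  {"ID": 3, "user_login": "contractor-bob", "user_email": "bob@contractor.example",
   "user_registered": "2021-01-20 14:00:00", "roles": "administrator"},
  {"ID": 4, "user_login": "old-intern", "user_email": "intern@example.com",
   "user_registered": "2018-07-01 08:00:00", "roles": ""},
  {"ID": 5, "user_login": "marketing-sam", "user_email": "sam@example.com",
   "user_registered": "2022-09-15 11:00:00", "roles": "administrator"}
]
"""

# Constructed roster: login -> the single role that person is authorised to hold.
AUTHORISED = {
    "owner": "administrator",
    "editor-jane": "editor",
    "marketing-sam": "author",
}


def roles_of(user: dict) -> set:
    """Split WP-CLI's comma-separated roles string into a set (empty if no role)."""
    return {r.strip() for r in user.get("roles", "").split(",") if r.strip()}


def review_users(json_text: str, authorised: dict) -> dict:
    """Compare the live user list against the roster and flag anything to act on."""
    users = json.loads(json_text)
    report = {
        "not_on_roster": [],      # accounts nobody has authorised: remove or justify
        "role_mismatch": [],      # authorised people holding a different role than agreed
        "administrators": [],     # every admin, so the list can be eyeballed as a whole
        "no_role": [],            # accounts with no role: usually leftovers, remove
        "missing_from_site": [],  # on the roster but absent, worth knowing too
    }
    seen = set()
    for user in users:
        login = user["user_login"]
        roles = roles_of(user)
        seen.add(login)
        if "administrator" in roles:
            report["administrators"].append(login)
        if not roles:
            report["no_role"].append(login)
        if login not in authorised:
            report["not_on_roster"].append(login)
        elif roles != {authorised[login]}:
            report["role_mismatch"].append(login)
    report["missing_from_site"] = list(set(authorised) - seen)
    return {key: sorted(value) for key, value in report.items()}


if __name__ == "__main__":
    for key, logins in review_users(SAMPLE_USER_LIST, AUTHORISED).items():
        print(f"{key}: {', '.join(logins) or '-'}")
```

The findings map directly onto WP-CLI remediation: `wp user set-role <login> <role>` for a role mismatch, and `wp user delete <login> --reassign=<ID>` to remove an account while keeping its content attributed to someone who is still authorised.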

Add 2 Factor Authentication (2FA)

Two-factor authentication is an additional level of security that works alongside your username and password. It involves registering a device you own using a 2FA app. The app on your device then generates unique codes that you use along with your username and password when you want to log in to your account. It means that even if someone gets your username and password, they still won’t be able to log in as you without the registered device.

More advanced security

The list above should be sufficient for most WordPress users. However, there is plenty more you can do. There are technical settings you can configure and security plugins you can install. You can even use services that will monitor and filter your website traffic, stopping suspicious visitors from reaching the site.

I’ve not included these additional security measures because they start to get quite technical and potentially expensive. If you have a website that needs that extra level of security, it would be worth speaking to an expert about these options.

Make sure you have a sound backup system

While not strictly speaking a method of improving security, I couldn’t post this article without mentioning backups. No website is ever completely secure. There is always a risk the worst could happen. If it does, having a backup system in place (if not two) will make it far easier to repair the damage.

Make sure you have a backup system that is independent of your hosting company, and stores your backups remotely. Remember to check your backups regularly to make sure they are still working.
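"Check your backups regularly" is easiest to keep up when the check is a script rather than a chore. The following is an added example, not code from the original post or from any backup plugin; it builds a constructed sample backup archive in a temporary directory (a `wp-config.php`, an uploads file and a database dump) and then verifies it the way a restore test would start: the archive opens, the files a restore cannot do without are present, the dump is complete, and the archive's hash is recorded so a later copy can be compared against it. The `-- Dump completed` trailer check assumes the dump was produced by mysqldump, which writes that line last.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Files a WordPress restore cannot proceed without (constructed names for the example).
REQUIRED_MEMBERS = ("wp-config.php", "database.sql")
DUMP_TRAILER = b"-- Dump completed"  # mysqldump's final line; a truncated dump lacks it


def make_sample_backup(directory: str, include_db: bool = True) -> str:
    """Write a constructed site-backup.tar.gz into `directory` and return its path."""
    path = os.path.join(directory, "site-backup.tar.gz")
    with tarfile.open(path, "w:gz") as tar:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("wp-config.php", b"<?php define('DB_NAME', 'example_db');\n")
        add("wp-content/uploads/2023/01/logo.png", b"\x89PNG constructed placeholder")
        if include_db:
            add("database.sql", b"-- MySQL dump\nCREATE TABLE wp_posts (ID bigint);\n"
                                b"-- Dump completed on 2023-01-31\n")
    return path


def sha256_file(path: str) -> str:
    """Hash the archive so two copies (local and remote) can be compared cheaply."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_backup(path: str, required=REQUIRED_MEMBERS) -> dict:
    """Open the archive and report whether it would be usable for a restore."""
    result = {"ok": False, "readable": False, "members": 0,
              "missing": list(required), "db_complete": False, "sha256": None}
    if not os.path.isfile(path):
        return result
    result["sha256"] = sha256_file(path)
    try:
        with tarfile.open(path, "r:gz") as tar:
            names = tar.getnames()
            result["readable"] = True
            result["members"] = len(names)
            result["missing"] = [name for name in required if name not in names]
            if "database.sql" in names:
                dump = tar.extractfile("database.sql").read()
                result["db_complete"] = DUMP_TRAILER in dump
    except (tarfile.TarError, OSError):
        return result  # corrupt or unreadable archive: leave ok=False
    result["ok"] = not result["missing"] and result["db_complete"]
    return result


def demo() -> tuple:
    """Verify one complete and one incomplete constructed backup; return both reports."""
    with tempfile.TemporaryDirectory() as good_dir, tempfile.TemporaryDirectory() as bad_dir:
        good = verify_backup(make_sample_backup(good_dir))
        bad = verify_backup(make_sample_backup(bad_dir, include_db=False))
    return good, bad


if __name__ == "__main__":
    for label, report in zip(("complete", "missing database"), demo()):
        print(label, "->", "OK" if report["ok"] else f"FAILED: {report}")
```

A passing report is a necessary condition, not proof that the backup restores; the full test is still to restore it into a staging site now and then. Recording `sha256` alongside the timestamp lets you confirm that the remote copy matches the one you verified, which is the point of keeping backups independent of the hosting company.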