WordPress is the most popular Content Management System (CMS) in the world, powering over 35% of all websites. This growing user base attracts an increasing number of malicious attacks and hackers. The last thing you want is to wake up one morning and find your site in ruins, but there are many preventive measures you can take to stop these attacks from taking down your website.

This post will guide you through the steps you can take to keep your website secure and avoid becoming the target of these attacks.

Disclosure: When you purchase a product or service through affiliate links on this page, I may earn a commission. There will be no extra cost to you at all. Thanks!

Update Your WordPress Regularly

According to WordPress statistics, over 64% of all WordPress-powered websites are running an outdated version.

Updating to the latest version of WordPress is one excellent way to secure your website. The developers and the community behind WordPress work hard to release security patches and updates regularly, improving the stability of the platform and addressing security issues as they are found.

By keeping up to date with the latest version, you protect your website by closing the loopholes and exploits that hackers could use to get into your site.

By default, WordPress will automatically install minor updates. For major releases, you will need to start them manually from the WordPress admin dashboard.

To verify that your WordPress is running the current version, go to your admin dashboard and click the "Updates" menu in the left sidebar.

WordPress Updates Screen

If there is a major release that needs manual installation, you will see something similar to this:

WordPress Has an Update

Remove Unused Themes and Plugins

Since themes and plugins can have vulnerabilities, it's not a good idea to install them and leave them on your site for no reason at all. From a security standpoint, a hacker might find an exploit in those unused themes and plugins and leverage it to their advantage.

Using outdated themes and plugins increases the risk of attack, as hackers can use them to infiltrate your website. Just like WordPress itself, theme and plugin developers release regular updates, either to add extra features or to patch security issues. So, always keep in mind to update your installed themes and plugins.
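The two sections above can be enforced in code rather than remembered. The following must-use plugin is an added example (not from the original post): it turns on automatic updates for major core releases, themes and plugins (with a hypothetical exception list for plugins you want to test by hand), and warns administrators about plugins that are installed but inactive. All filters, actions and capability names used are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Update and cleanup policy (added example, not part of the original post)
 * Place this file in wp-content/mu-plugins/ so it loads on every request and
 * cannot be deactivated from the dashboard.
 */

// Let WordPress apply major core releases automatically, not just minor ones.
// Equivalent to define('WP_AUTO_UPDATE_CORE', true) in wp-config.php.
add_filter('allow_major_auto_core_updates', '__return_true');

// Auto-update every theme, and every plugin except those listed below.
add_filter('auto_update_theme', '__return_true');
add_filter('auto_update_plugin', 'example_auto_update_plugin', 10, 2);
function example_auto_update_plugin($update, $item) {
    // Hypothetical exception list: plugin slugs you prefer to test by hand first.
    $manual_only = array('some-custom-plugin');
    $slug = isset($item->slug) ? $item->slug : '';
    return !in_array($slug, $manual_only, true);
}

// Show administrators a notice listing installed-but-inactive plugins,
// which add attack surface without adding any functionality.
add_action('admin_notices', 'example_inactive_plugin_notice');
function example_inactive_plugin_notice() {
    if (!current_user_can('delete_plugins')) {
        return;
    }
    if (!function_exists('get_plugins')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $inactive = array();
    foreach (get_plugins() as $file => $data) {
        if (!is_plugin_active($file)) {
            $inactive[] = $data['Name'];
        }
    }
    if (empty($inactive)) {
        return;
    }
    printf(
        '<div class="notice notice-warning"><p>%s</p></div>',
        esc_html('Inactive plugins still installed: ' . implode(', ', $inactive) . '. Delete the ones you do not use.')
    );
}
```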

Avoid Nulled Themes and Plugins

WordPress premium themes look more appealing and have more options available compared to free themes. The same goes for premium plugins, which offer more features than the free ones. Expert designers and programmers develop premium themes and plugins to offer more options and versatility to WordPress. Each item they create has to go through extensive testing to ensure that it is safe to use and of top quality. When you purchase one, the developer provides full support and you receive regular product updates from them.

Although there are sites that give away nulled themes or plugins for free, it is illegal and dangerous to use them. A nulled theme or plugin is a hacked version of its premium counterpart. Using one puts your website at significant risk because the hacked version may contain hidden malicious code that can destroy your website from the inside. On top of that, a hacked version will not get you any support or product updates from the developer, since the item is illegal.

Backup Regularly

Your backups are your first line of defense in case of an attack. Technically, this means creating a copy of all site data and storing it in a safe location; if something goes wrong, you can restore it quickly and get your site back online.

There are lots of backup plugins available for WordPress that you can use; one of them is UpdraftPlus. This plugin offers a free version that covers the important features of backing up and restoring a WordPress website.

Limit Login Attempts

By default, WordPress allows users an unlimited number of login attempts. This makes your site vulnerable to brute-force attacks, in which hackers use a trial-and-error approach, entering random usernames and passwords until they find the correct combination.

You can prevent brute-force attacks by limiting the number of attempts a user can make when logging in, using the Limit Login Attempts Reloaded plugin. The key aim of this plugin is to let you set the number of login attempts a user can make on your site before they get temporarily blocked.

Upon activation, go to "Settings", then "Limit Login Attempts", and finally the "Settings" tab to change the plugin settings.

Limit Login Settings

On this page, you can set the number of allowed login attempts and the time a user must wait before trying to log in again. Even if you don't change the plugin options, it has default settings that take effect right after you activate it.

WordPress Limited Login Attempts
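To show what a login limiter actually does under the hood, here is an added example of a minimal must-use plugin (it is not the Limit Login Attempts Reloaded plugin and is not from the original post). The attempt count, lockout length and option names are assumptions for this example; the hooks (`wp_login_failed`, `authenticate`, `wp_login`) and transient functions are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, not the Limit Login Attempts Reloaded plugin)
 * Place in wp-content/mu-plugins/. Locks a client address out of the login
 * form for a while after too many failed attempts.
 */

// Policy assumed for this example: 5 failures, then a 20-minute lockout.
define('EXAMPLE_LOGIN_MAX_ATTEMPTS', 5);
define('EXAMPLE_LOGIN_LOCKOUT_SECONDS', 20 * MINUTE_IN_SECONDS);

function example_login_client_key() {
    // REMOTE_ADDR is set by the web server and cannot be forged by the client.
    // Headers such as X-Forwarded-For can be, so only use them when a proxy you
    // control sits in front of the site and overwrites them.
    $addr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5($addr);
}

// Count each failed login; the transient expires after the lockout period,
// and every further failure (including ones made while locked out) restarts it.
add_action('wp_login_failed', 'example_login_record_failure');
function example_login_record_failure($username) {
    $key   = example_login_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, EXAMPLE_LOGIN_LOCKOUT_SECONDS);
}

// Reject the attempt once the client is locked out. Priority 40 runs after the
// built-in password handlers (priority 20), which would otherwise replace an
// earlier error with a WP_User when the password happens to be correct.
add_filter('authenticate', 'example_login_check_lockout', 40, 3);
function example_login_check_lockout($user, $username, $password) {
    if (empty($username)) {
        return $user; // cookie-based authentication passes no username; leave it alone
    }
    if ((int) get_transient(example_login_client_key()) >= EXAMPLE_LOGIN_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts', 'Too many failed logins. Please try again later.');
    }
    return $user;
}

// A successful login clears the counter for that client.
add_action('wp_login', 'example_login_clear_failures');
function example_login_clear_failures() {
    delete_transient(example_login_client_key());
}
```

Because the counter is keyed on the client address, a lockout never disables an account itself, so an attacker cannot use the limiter to lock the real administrator out.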

Use Secure Login Credentials

One of the most common mistakes that many users still make is using an easy-to-guess username. Most attackers assume that your administrator username is "admin" or "administrator". This small but disastrous mistake puts your website at a higher risk of a successful brute-force attack.

With a unique username, you can block most of those attacks and other malicious attempts.

By default, WordPress doesn't allow users to change or update their username. If you already have an account but aren't using a unique username, you can change it to something stronger with the Username Changer plugin.

After activation, go to "Users", then "Your Profile". Find the "Username" field and click the "Change Username" button to change and update your username. After updating, you will be asked to log in again using your new credentials.

Change Username Button

Your username is just one part of your credentials; the other part is your password. Using a weak password is also a poor choice, as it too will leave your site open to successful brute-force attacks. When choosing a password, always combine uppercase and lowercase letters, numbers, and special characters.

To change your WordPress account password, navigate to "Users", then "Your Profile". Find the "Account Management" section and click the "Generate Password" button just below it to either randomly generate a new password or enter your own. To save it, scroll down to the bottom of the page and click the "Update Profile" button.

Change Password on WordPress

Use an SSL Certificate

An SSL (Secure Sockets Layer, today implemented as TLS) certificate is used to create an encrypted channel between your website and your users' browsers. With this, data such as credit card details, account login information, and other sensitive information is encrypted before being sent over the internet and can only be decrypted by the server you intend to send it to.

If your website accepts sensitive information like credit cards or profile information, it would be best to get a premium SSL certificate. Prices start from $70 and go up to hundreds of dollars per year.

For regular websites that do not accept any sensitive information, such as portfolios or blogs, you can use a free SSL certificate from the non-profit organization Let's Encrypt.

Let's Encrypt offers free certificates to website owners and is supported by organizations like Mozilla, Cisco, Google Chrome, and Facebook.

Today, many hosting providers include the free SSL certificate from Let's Encrypt with every hosting plan. But if your hosting provider doesn't offer one, you can use the Really Simple SSL plugin to move your site to SSL.
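Once a certificate is installed, WordPress still has to be told to use it everywhere. The following must-use plugin is an added example of the three pieces involved (it is not from the original post and is not the Really Simple SSL plugin): trusting the scheme reported by a TLS-terminating proxy, redirecting plain-HTTP visitors to HTTPS, and sending an HSTS header. It assumes the certificate is already installed on the server or the host's load balancer; `EXAMPLE_BEHIND_TLS_PROXY` is a hypothetical constant you would define in wp-config.php.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example, not part of the original post or of Really Simple SSL)
 * Place in wp-content/mu-plugins/. Assumes a certificate is already installed
 * on the web server or on the host's TLS terminator.
 */

// Also set define('FORCE_SSL_ADMIN', true); in wp-config.php so the dashboard
// and login page are served over HTTPS only and the admin cookie never travels
// in clear text.

// If a load balancer terminates TLS and talks plain HTTP to WordPress, it
// reports the original scheme in X-Forwarded-Proto. Trust that header only
// when such a proxy is in front of the site, otherwise any client can set it.
if (defined('EXAMPLE_BEHIND_TLS_PROXY') && EXAMPLE_BEHIND_TLS_PROXY
    && isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Send visitors who arrive over plain HTTP to the same URL over HTTPS.
// wp_safe_redirect() only follows the redirect if the host matches the site's
// own host, so a forged Host header falls back to the admin URL instead.
add_action('template_redirect', 'example_redirect_to_https');
function example_redirect_to_https() {
    if (is_ssl()) {
        return;
    }
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    wp_safe_redirect($target, 301);
    exit;
}

// Tell browsers to use HTTPS for this host for the next 180 days, so later
// visits never start over plain HTTP at all.
add_action('send_headers', 'example_send_hsts_header');
function example_send_hsts_header() {
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=15552000');
    }
}
```

Start with a short HSTS max-age while testing: once browsers have cached the header, the site cannot be served over plain HTTP again until it expires.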

Choose a Good Hosting Company

One of the easiest ways to keep your site secure is to go with a reliable hosting provider you can trust. There is a web-server level of security for which your hosting provider is responsible. Some hosting providers do not properly secure their hosting platform, making all the websites on their servers vulnerable to malicious attacks.

While there are many hosting providers out there, I still recommend Bluehost. Other than being a reliable WordPress hosting provider, Bluehost offers many security features for your website.


Security is one of the most crucial elements of a website and needs to be taken seriously; neglecting it will make your site prone to attacks or, worse, crash your website.

Maintaining the security of your WordPress website isn't that difficult; all you need to do is take these precautionary measures and always keep your WordPress core, themes, and plugins updated.