WordPress Security: Easy 10 Step Guide for Beginners

wordpress security featured image

More than 100,000 websites are hacked every day according to Internet Live stats. That’s why WordPress security should be your top priority.

internet live stats screenshot of number of daily hacked websites

It’s not clear exactly how many of those sites are WordPress websites, but after reading the latest hacked website trends report by Sucuri Security, I suspect WordPress accounts for the vast majority of them because …

According to the report, 94% of all hacked sites that Sucuri investigated and fixed in 2019 were WordPress websites – up from 90% in 2018.

WordPress is clearly an EASY target for hackers.

Not because WordPress is less secure than other content management systems (CRM) like Joomla, Squarespace, and Wix.

But because WordPress is the most popular CRM used by over 38% of website owners worldwide, which is hundreds of millions of websites btw.

It’s a numbers game.

There’s simply a lot more websites powered by WordPress than any other CRM, giving hackers more opportunities to exploit it.

But that’s not WHY WordPress sites get hacked!


After starting a WordPress blog, due to a lack of knowledge, or time, maybe even both, many people don’t take the necessary action steps to secure their website.

Whatever the reason is, I’m guessing that you’ve invested a lot of time and worked damn hard on your WordPress blog, right?

So don’t let some dirty little hacker destroy all your hard work! Follow the steps in this WordPress security guide to keep hackers out of YOUR WordPress website.

In This Guide

Ready? Let’s get started.

Why WordPress Security is Important

How would you feel if you woke up tomorrow, went to your website, and saw something like this …

At first, you’d likely want to cry, right? All your content is gone forever.

Then you’d feel angry and frustrated, of course you would. That’s to be expected.

But how would you feel if the hacker:

  • Stole your credit card information
  • Infected all your website visitors
  • Redirected all your traffic to porn and scam websites
  • Hijacked your domain name
  • Sold your information to unethical marketers

Being hacked can cause serious damage to your business reputation and revenue if you don’t take the time to secure your website.

Why Your WordPress Website is No Exception

“My website is new. I’m not getting much traffic or making money online yet. Hackers won’t be interested in my site.

Don’t make the mistake of thinking that there’s no motive for a hacker to target your WordPress website.

Not all hackers hack websites for monetary gain. Some do it just because they can. They do it because they’re bored and think it’s fun.

Even if your WordPress website is just a few months or even weeks old with zero traffic and zero income, given the opportunity, hackers will target you.

I’ve had this same conversation with many people over the years. Unfortunately, some take it with a pinch of salt until it’s too late – they’ve already been hacked.

How WordPress Sites Get Hacked

Hackers don’t review every site they target manually.

They write scripts that scan the web and analyze hundreds of thousands of websites automatically looking for open doors they can exploit.

Including but not limited to:

  • Insecure web hosting
  • Weak login credentials
  • Plugin and theme vulnerabilities
  • WordPress vulnerabilities

What’s really interesting though is that for three consecutive years now, when analyzing 30,000+ infected websites here, here, and here

Sucuri Security report that the lead cause of infection stems from outdated component vulnerabilities.

In other words, each year, roughly 60% of WordPress websites are hacked because site owners fail to keep WordPress, Plugins, and themes updated.

How to Secure Your WordPress Website

Now that you know why and how WordPress websites are hacked. And that your site is no exception, even if it’s a new site with little or no traffic and income …

Here are 10 things you can (and should!) do today, and continue doing on a regular basis, to secure your WordPress website.

1. Backup Your Website

Although backups don’t play a direct role in protecting a site from hackers, in the event of a hack, restoring a backup is often the quickest and easiest way to fix infected files.

You should backup your site daily and store it safely in the cloud. Somewhere like Dropbox or Amazon s3 – not on your website server.

If you store backups on your website server and the server is hacked, the backup files are useless to you. The hacker will likely infect those too.

You can use a WordPress plugin to schedule automated daily off-site backups. I recommend Updraft Plus.

2. Update WordPress, Plugins, and Themes

As I explained a few moments ago, roughly 60% of hacked websites are hacked because site owners fail to update WordPress, plugins, and themes.

So. By keeping your website updated you are 60% less likely to be hacked.

But don’t just login to WordPress and start randomly clicking update buttons. If you do that, there’s a possibility your site will break.

You should always test updates first on a staging area which is an exact copy of your WordPress website, on a subdomain name, on your web hosting account.

You can use a plugin to create the staging site with one click and push successful updates from staging to production. The plugin I recommend is WP Staging.

Or, if you want a more hands-on approach, you can create the staging site manually. Test the updates. Then manually apply them to your production site.

Note: you should create a new staging area every time you test updates, or website changes, to make sure the staging site is still an exact copy of the production site.

3. Install a Security Plugin

After backing up your site and updating everything, you should install a security plugin. I recommend Wordfence.

Wordfence is the best security plugin and it’s free and easy to use. There is a free and paid version, but in my experience, the free version is all you need.

Wordfence is a powerful plugin that includes:

  • A firewall to identity and block malicious traffic
  • A scanner to monitor your site for malware and vulnerabilities
  • Protection from brute force attacks by limiting login attempts
  • Two-factor authentication, login CAPTCHA, and more

If Wordfence detects any issues, it will alert you via email immediately. That way you can deal with the issue promptly to keep your site keep.

4. Install an SSL Certificate

If you haven’t done so already, you should install an SSL certificate on your web hosting server. Once activated, your domain name will start with HTTPS instead of HTTP.

Then, the data that’s transferred between your website and the users browser is protected behind an encrypted connection so hackers cannot steal it.

There will also be a padlock sign before your website URL in the browser letting website visitors know that your site is secure and safe to use.

Most web hosting companies now offer a free SSL certificate to all their customers. If yours doesn’t, contact support to purchase one.

5. Use the Latest Version of PHP

Just like WordPress core, plugins, and themes, outdated PHP versions have known security issues that hackers can find and exploit.

The latest version of PHP is currently 7.4 but versions 7.2 and 7.3 are still stable.

If your server is running on PHP 7.1 or below your website is at risk and PHP should be upgraded immediately – those versions are no longer secure.

Don’t know which PHP version you are using?

Login to your WordPress site and go to Tools >> Site Health >> Info. Then, scroll down to the Server section and click it.

If your web hosting provider doesn’t support version PHP 7.2 and above, you should move your site to another web host. I recommend Bluehost or a2Hosting.

6. Delete Inactive & Abandoned Plugins and Themes

Every plugin and every theme installed on your WordPress website is an opportunity for hackers to find a way in, even if they are deactivated.

And sometimes developers abandon free plugins and themes which means they stop updating them to fix known bugs and security vulnerabilities that hackers can exploit.

That’s why you should:

  • Only install plugins that you absolutely need
  • Delete all inactive plugins from your site
  • Delete inactive themes (all except one default theme!)
  • Replace abandoned plugins with alternatives

The Wordfence Security plugin will let you know when a plugin or theme has been abandoned. You should replace it as soon as you are notified.

And if you’re not in the habit of deleting plugins and themes immediately after deactivating them, make it a habit starting today.

7. Use Strong Usernames and Passwords

In an attempt to access your site during a brute force attack, hackers try to guess your WordPress username and password.

The first username they try is admin because that’s the default WordPress username and not everyone changes it. If your username is admin, use this plugin to change it.

For the password, I think you’ll be surprised to learn that there are lists of breached passwords available to hackers online like this one.

If your password is on one of those lists, you are guaranteed to get hacked, it’s just a matter of time. And if your username is weak, it’ll be sooner than you might think.

8. Enable Two Factor Authentication

Although using a secure username and password makes it significantly harder for hackers to guess your login credentials, that doesn’t mean it will never happen.

No website is 100% secure. There is always a risk.

But you can be prepared for that by adding two-factor authentication to your website.

So, even if some dirty little hacker does discover your username and password …

They will have to authenticate the login using a separate device, like your mobile phone, to which they don’t have access.

You can add two-factor authentication using the Wordfence plugin.

9. Lockdown WordPress Admin

Anyone familiar with WordPress knows that the login URL is your domain name followed by forward slash ‘wp-admin’.

To make brute force attacks harder for hackers, you should change the login URL using a plugin like WPS Hide Login.

You should also limit login attempts. There are lots of plugins you can use for this, but Wordfence security does it for you, so I won’t list them here.

If someone attempts to log in 20 times with the wrong username and password during a 5 minute period, they are automatically locked out from login.

10. Disable File Editing

If a hacker does somehow manage to gain access to your site, they can easily add malicious code to plugin and theme files right from your WordPress admin area.

To prevent this from happening, you should disable the file editing feature by adding the code below to your wp-config.php file.

// Disable file editor
define( 'DISALLOW_FILE_EDIT', true );

Or you can use the one-click hardening feature in the free Sucuri and Defender plugin.

Although I don’t recommend it unless you 100% know what you’re doing, you’ll still be able to edit files on your site using FTP software like FileZilla.

What to Do if Your Website is Hacked

Scanning your website for malware on a daily basis allows you to know exactly when your site was hacked.

So. If for example you are notified by Wordfence or any other security plugin that malware was found on your site on a Tuesday morning …

And you backup your site every day as recommended in this website security guide, in most cases, restoring Sunday or Monday’s backup will fix infected files.

After restoring the site, scan it for malware immediately. If it’s clean, great. All that’s left to do is tighten your website security so it doesn’t get hacked again.

But if the site is still infected, I recommend you hire a professional like Sucuri or Wordfence to clean it for you.


After starting a blog, many people don’t realize just how important it is to backup and secure their website until they’ve already been hacked.

I think that’s mostly because they believe hackers have nothing to gain from targeting their website, but that’s not how it works.

Don’t make the same mistake! As you’ve learned in this guide, your site doesn’t have to get lots of traffic, store sensitive data, or generate an income to be hacked.

And your blog isn’t just a website. It’s your business and income, so you should take the time to secure and maintain it properly.

If a lack of time is what’s stopping you, or tech just frustrates and overwhelms you, join one of my website care plans.

I will keep your site secure, functional, and updated while you focus on growing your business. Click here to get started.