You’ve just launched your WordPress site and decked it out with all of the best widgets and a nifty theme. Because you’ve also managed to come up with a decent password, you just assume that your website is secure. Little do you know, this assumption leaves your WordPress site vulnerable to attacks and security breaches.

Fortunately for you, however, there are many steps you can take to improve website security by making the most out of WordPress’s host of features. Below is a list of 7 things that you can do to bolster your site’s security:


While there are a number of web hosting services available to you, some of them are more compatible with WordPress. A popular choice for WordPress users is Bluehost. Not only is Bluehost popular among WordPress users, but it’s also recommended by WordPress. According to the hosting site’s home page, it is the “#1 recommended web hosting by WordPress.org.” Further still, their basic plans come with SiteLock CDN, SiteLock Pro, and a free SSL certificate.

Of course, Bluehost is not the only company that puts an emphasis on secure web hosting for WordPress users. WP Engine or Pantheon, for example, are other web hosting options that provide secure hosting environments, which are simple to manage. WP Engine lists all the features of their “security environment” here. And Pantheon declares they have a “relentless, around the clock commitment to website security,” and their platform is built for organizations and agencies who don’t compromise on website security.

Price alone is a poor way to select a hosting provider. Compare the security features each plan actually includes (managed updates, backups, a web application firewall, HTTPS); Pantheon, for instance, added free HTTPS with its Global CDN rollout. Whichever host you pick, confirm that HTTPS is enforced for the whole site, including wp-admin and wp-login.php, rather than merely available.


When setting up WordPress, choose almost any username other than “admin.” Older WordPress installers created the first account with that name by default, and it is still the first username attackers try, so keeping it hands them half of the credential pair for free. Changing it is a speed bump rather than a secret, though: WordPress exposes account names through author archive URLs and the REST API, so the password and a second factor remain the real defense.

To be fair, most people don’t stick with a username as common as “admin”; the bigger problem is guessable passwords. This advice has been repeated for years, yet it still falls on deaf ears. People still choose their birthdays and hometowns as passwords for convenience’s sake, and then reuse the same one across a plethora of accounts, so a breach at any one of those sites exposes all the others (attackers replay leaked credentials against other sites automatically). Needless to say, these passcodes are weak, and if you happen to be guilty of this, you could definitely benefit from learning how to create a strong password.

There are actually several ways you can go about selecting a solid password. One is to string together several words chosen at random from a large word list (the “diceware” approach); the result is called a “passphrase” rather than a “password.” Its strength comes from the number of words and the size of the list they are drawn from, not from the words themselves, so a favorite song lyric or quotation does not count: the dictionaries attackers use already contain those.

If you don’t trust yourself to create a password, you can instead rely on a password manager to generate one for you. As a matter of fact, password managers can actually put together stronger passwords than humans, which means that you might just want to use a password manager anyway.

Even if you have a strong password, change it whenever you have reason to think it has been exposed: a breach at your site or at any service where you reused it, a phishing email you may have acted on, or someone with access leaving the project. Rotating on a fixed calendar schedule is no longer recommended (NIST’s SP 800-63B guidance advises against forced periodic changes), because it pushes people toward predictable variations of the old password.
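The difference between a passphrase built from randomly chosen words and a password-manager string comes down to arithmetic: bits of entropy equal the number of choices times log2 of the pool each choice is drawn from. The following Python is an added example, not code from the original post or from WordPress; it uses the `secrets` module (never `random`) to draw words and characters, and reports the resulting entropy. The word list is a constructed 32-word stand-in for a real diceware list (the EFF long list has 7,776 words), and the entropy figures show why the list size matters.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware word list. A real list such as the
# EFF long list has 7776 words; this one is deliberately tiny so the
# entropy numbers show how much the list size matters.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pepper",
    "quartz", "ripple", "saddle", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cinder", "dagger", "elm", "fossil",
]

# Characters a password manager typically draws from: 52 + 10 + 32 = 94.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(words=WORDLIST, count=6, separator="-"):
    """Join `count` words chosen uniformly at random with the CSPRNG-backed
    secrets module. Each word is an independent draw, so repeats are allowed
    (excluding them would slightly reduce the entropy)."""
    if len(words) < 2:
        raise ValueError("word list too small to be useful")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy of `count` uniform draws from a list of `list_size` words."""
    return count * math.log2(list_size)


def generate_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Password-manager style: random characters from a large alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(alphabet_size, length):
    """Entropy of `length` uniform draws from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def is_valid_passphrase(phrase, words=WORDLIST, count=6, separator="-"):
    """Sanity check used by the tests: right word count, every word from the list."""
    parts = phrase.split(separator)
    return len(parts) == count and all(part in words for part in parts)


if __name__ == "__main__":
    print("passphrase:", generate_passphrase())
    print("  bits with this 32-word list:", passphrase_entropy_bits(len(WORDLIST), 6))
    print("  bits with a 7776-word list: ", round(passphrase_entropy_bits(7776, 6), 1))
    print("password:  ", generate_password())
    print("  bits for 20 chars of 94:    ", round(password_entropy_bits(94, 20), 1))
```

Six words from the tiny list above give only 30 bits, which is why a real diceware list matters: the same six words from a 7,776-word list give about 77.5 bits, comparable to a 12-character random password and far easier to type into wp-login.php.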


WordPress core places no limit on login attempts, which lets an attacker try passwords against wp-login.php as fast as the server will answer. Plugins close that gap; here’s one called WP Limit Login Attempts we’d recommend. These plugins lock an account or block an IP address after a set number of failures, which makes password guessing impractical. Two caveats: make sure the plugin also covers xmlrpc.php, which accepts a username and password too and is a favorite route around login throttling, and treat IP-based blocking as a blunt tool, since many legitimate visitors share one address behind corporate or mobile NAT while a distributed attacker simply rotates addresses.

Unlike some of the other tips here, this one is easy to implement, which makes it perfect for those who are looking to improve website security right this instant.
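Whether or not a plugin is throttling logins, the web server log shows when someone is hammering the login endpoints. The Python below is an added example, not code from the original post or from the plugin mentioned above: it parses Apache/nginx “combined” access-log lines (the format is an assumption), counts failed attempts per source address in a sliding window, and flags addresses that cross a threshold. It relies on a WordPress behavior worth knowing: a failed POST to wp-login.php returns 200 (the form is re-rendered with an error), while a successful login returns a 302 redirect to wp-admin; xmlrpc.php returns 200 either way, so every POST there is treated as an attempt. The log lines are constructed sample data and the threshold and window are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Constructed sample log: one address guessing passwords, one legitimate user
# who mistypes once and then logs in, and one script hitting XML-RPC.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:50 +0000] "GET /wp-login.php HTTP/1.1" 200 3105 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:56:31 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:01:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2023:14:01:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line
    does not match the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # ignore the query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_login_failure(event):
    """Failed wp-login.php POST -> 200 (form re-rendered); success -> 302.
    xmlrpc.php answers 200 either way, so every POST there counts."""
    _, _, method, path, status = event
    if method != "POST" or path not in LOGIN_PATHS:
        return False
    return path == "/xmlrpc.php" or status == 200


def find_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: (time_flagged, failures_in_window)} for every address that
    reaches `threshold` failed attempts inside a sliding `window`.
    Threshold and window are hypothetical tuning values."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in lines:
        event = parse_line(line)
        if event is None or not is_login_failure(event):
            continue
        ip, ts = event[0], event[1]
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (ts, len(q))
    return flagged


if __name__ == "__main__":
    for ip, (when, count) in find_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed login attempts by {when.isoformat()}")
```

Run it against a real access log with `find_brute_force(open(path))` and the flagged addresses are candidates for a firewall rule; the GET for the login form and the 302 from the legitimate user are ignored, so a visitor who mistypes once is not caught up in the alert.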


If you are familiar with online banking platforms, you probably have some experience with two-factor (or multi-factor) authentication.

Two-factor authentication, simply put, requires users to present something beyond a username and password in order to get into their accounts. It pairs “what you know” (the password) with “what you have” (a phone or a hardware token). The second factor can be a one-time code delivered by text message or generated by an app such as Google Authenticator; app-generated codes are preferable because SMS can be intercepted or redirected through a SIM-swap attack, and a hardware security key is stronger still.

Sites sometimes ask questions such as “What was the name of your first pet?” or “What was the name of your first school?” as an extra hurdle. These are not a second factor: an answer is just another piece of “what you know,” so they add little on top of a strong password. If you must use them, treat each answer like a password: make it random, store it in your password manager, and never rely on information that could easily be taken from your Facebook profile.

The added layer of protection two-factor authentication provides is strong, but it is only as strong as you make it. There are plugins available to WordPress users that provide some form of two-factor authentication in order to improve website security. Clef Two-factor Authentication was a favorite here, but the Clef service shut down in 2017 and the plugin no longer works, so before installing any 2FA plugin check that it is actively maintained and tested against the current WordPress release; WP Simple Firewall is one that still bundles two-factor login.


As much as we all love open-source software like WordPress, its popularity makes it a target: it runs a huge share of the web, and its plugin and theme ecosystem means thousands of independently maintained components, any of which can carry a vulnerability. Once a flaw is published, attackers scan for sites still running the old version, so WordPress users need to stay on top of their game by keeping every element of their sites updated: the latest version of WordPress core, the most up-to-date plugins, and the newest versions of their favorite themes. Putting off these vital updates for a while might seem harmless, but outdated plugins and themes are among the most common ways WordPress sites get compromised. Luckily for WordPress users, core can update plugins and themes automatically (available since WordPress 5.5 from the Plugins and Themes screens). If you are able to use this feature, it is a great way to make sure you’re always up to date. Also delete plugins and themes you no longer use rather than leaving them deactivated, since their code stays on disk and reachable.

You should also take a look at the security plugins WordPress has to offer. Some of the featured plugins, for example, scan for malware and provide a web application firewall in front of the site.


We sometimes become so preoccupied with other aspects of our sites that we completely forget to do something as basic as keeping an eye on them. The task isn’t very complex; you need only look for oddities, unauthorized changes, or any sign that your site has been compromised. Concretely, that means reviewing the user list for accounts you didn’t create, checking the installed plugins and themes against what you actually installed, comparing core and plugin files against known-good checksums, and reading the web server logs for bursts of failed logins or requests for files that should not exist. Performing these checks frequently can help you catch a compromise early (and help you reduce the amount of work you have to do to improve website security in the long run).
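“Unauthorized changes” is easiest to spot when you have something to compare against. The Python below is an added example, not code from the original post or from WordPress: it hashes every file under a site root with SHA-256, saves that as a baseline, and later reports files that were added, removed, or modified. Upload and cache directories are excluded (an assumption about what churns legitimately) so real changes are not buried in noise. `run_demo()` builds a constructed mini WordPress tree in a temporary directory, tampers with it, and returns the diff.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed to change legitimately all the time; left out of the baseline.
SKIP_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (POSIX path relative to root) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(SKIP_PREFIXES):
            continue
        baseline[rel] = sha256_file(path)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Three sorted lists: paths added since `old`, removed, and changed."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Store the baseline off the web server; an attacker who can edit files
    can edit a baseline that lives next to them."""
    path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def run_demo() -> dict:
    """Constructed WordPress tree: baseline it, tamper with it, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        files = {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-includes/functions.php": "<?php function wp_example() {}\n",
            "wp-content/plugins/akismet/akismet.php": "<?php // plugin bootstrap\n",
            "wp-content/uploads/2023/10/photo.jpg": "constructed stand-in for an image\n",
        }
        for rel, body in files.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)

        baseline_file = Path(tmp) / "baseline.json"   # kept outside the site root
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: a core file gains an unexpected line, an unknown
        # plugin file appears, a plugin file disappears, and an upload changes
        # (the last one must NOT be reported because uploads are excluded).
        with (root / "wp-includes/functions.php").open("a") as fh:
            fh.write("// unexpected appended code\n")
        new_plugin = root / "wp-content/plugins/unknown-plugin/loader.php"
        new_plugin.parent.mkdir(parents=True)
        new_plugin.write_text("<?php // not something the owner installed\n")
        (root / "wp-content/plugins/akismet/akismet.php").unlink()
        (root / "wp-content/uploads/2023/10/photo.jpg").write_text("replaced image\n")

        return compare_baselines(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

For WordPress core and plugins from the official directory you don’t even need your own baseline: WP-CLI’s `wp core verify-checksums` and `wp plugin verify-checksums --all` compare the files on disk against the checksums WordPress.org publishes, which is the same comparison with an authoritative reference. A local baseline like the one above is still what catches changes to wp-config.php, custom themes, and anything else no registry knows about.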


Truth be told, if you are determined to keep your WordPress site secure, you’re going to have to spend some money eventually. That said, there are few better ways to spend that cash than investing in secure key management.

And if you think you can skimp on key management in order to save a few bucks, you’re wrong.

In WordPress terms, the keys worth protecting are the database password and authentication salts in wp-config.php and the API keys and passphrases your site uses to connect to services like payment gateways and email marketing services. Key management keeps those secrets out of the places attackers look first: not hard-coded in a theme or plugin, not committed to version control, and not readable by anything on the server that doesn’t need them (a wp-config.php or environment file with tight file permissions, or a dedicated secrets store). It also means you can rotate a key quickly when a plugin vulnerability or a stolen backup exposes it, instead of spending precious time and money months or years down the line cleaning up some hacker’s mess.

Secure key management, however, is not just for your benefit. A leaked payment-gateway or mailing-list key exposes your visitors’ data, not only yours, so protecting it is part of what lets them trust your site with their information.

Maintaining your WordPress site to improve website security takes time, money, and effort, but the maintenance doesn’t have to be incredibly difficult. If you stay on top of things, you’ll seldom, if ever, have a problem with keeping your site secure.