10 things to do today to secure your WordPress site

WordPress is the most popular content management system (CMS) in use today, powering somewhere between 25 to 33 percent of all websites on the internet. Because of this, WordPress sites are popular targets for cyberattacks. We’ve designed our hosting environment from the ground up with security features that reduce the risk of these attacks. But your host’s role in your site’s security is only part of the story.

Did you know there are things you should be doing to keep your site safe as well? More often than not, attackers exploit the software running your site rather than the hosting environment underneath. As a site owner, you play a big role in helping mitigate or prevent these sorts of issues.

Here are ten things you can check today to better protect your site against these attacks:

1. Make sure your host is proactive about security

If you’re not hosting with Agathon, contact your host to be sure that they’re providing security for your site at the server level. This includes things like providing free SSL certificates, disabling insecure FTP on cloud applications, and putting a firewall in place to block problematic SSH login attempts.

In addition to those proactive measures, Agathon also has the ability to block large groups of IP addresses when a site comes under attack. And our support team is available 24/7 to respond to any suspicious activity.

This is just one of the things professional bloggers should be looking for in a hosting company. See the others here.

2. Only install plugins & themes from their official sources

The official source for plugins is the WordPress repository. There are also trusted plugin and theme marketplaces (like CodeCanyon or Envato). And, of course, many premium plugins are sold and delivered right on the developers’ sites. These are all trusted sources.

However, you should avoid downloading plugins from unofficial or unprofessional sites. Plugins without oversight or accountability could introduce vulnerabilities to your site. You also need to be aware of sites that offer premium plugins for free. In addition to the ethical concerns, downloading pirated plugins opens you up to malicious code that could harm your site or your visitors.

3. Keep WordPress, themes, and plugins updated

It’s important to keep your software updated. Attackers can find a way into your site through outdated versions of WordPress, themes, or plugins. While we think of updates as providing performance improvements, they can also include security patches that reduce vulnerabilities. Update these whenever you see a notification in your admin dashboard in order to reduce the risk of successful attacks and keep your site running at its best.

In addition to regularly updating the software running on your site, you should delete plugins or themes you no longer use. Attackers can still access your site through deactivated plugins with vulnerabilities, so removing them reduces the chances of that happening. Conduct regular plugin audits to remove plugins that you no longer need in order to reduce the potential security risk as well as the clutter.

4. Rename your login page

Renaming your login page hides it from attackers and offers “security through obscurity.” You can do this by changing your login URL from the standard /wp-login page to a new URL that you define, which helps prevent automated, brute-force attempts to guess admin passwords. Hackers can’t try to guess if they don’t know where to look! We recommend the Move Login plugin for taking care of this. Read why here.

5. Customize your username(s)

Another simple strategy is to set up a custom username rather than the standard “admin” username. This makes the username harder for hackers to predict, which reduces the chance of them being able to get into the site even more.

6. Use strong passwords

In addition to renaming your login page and customizing your username, you should pick a strong password that can’t easily be guessed by attackers. This is true for pretty much anywhere you use a password, but it’s trickier to get right than most people think!

We recommend using either a random password generator with passwords of 16 or more characters or a string of 3-4 random words (e.g., shoeburgerflealift). This is significantly more secure than using a common phrase or word and simply replacing some of the letters with random characters (e.g., Il0v3c@ts!).

In addition, you should use unique passwords on every site. However, contrary to popular advice, both LastPass and 1Password (either of which we recommend as a password manager) say that choosing a strong password the first time is more effective than changing your password regularly.

Finally, never share your passwords over unsecured communication such as in an email, Slack, or text message. Instead, use something like 1ty.me to send them securely.

7. Be choosy when setting up user accounts on your site

Every user account on your site offers another opportunity for someone to hack in. Even when you trust the people you’re giving access to, you need to think about how they might store or transmit the password. Be very choosy about who you give Administrator access to. When setting up one-time or occasional contractors, be sure to downgrade their accounts to Subscriber when not in use.

8. Use SSL encryption

Another way to keep your site and user information secure is to set up an SSL certificate on your site. SSL provides encryption for any information passed between your users and your website. This includes things like credit card numbers (which require an SSL certificate by law) and WordPress login credentials. Without  encryption, others can snoop on the information that is being passed through your site.

9. Install extra security options

Security is like an onion. In addition to the security your host provides and the items above, adding a security plugin can provide additional layers against attacks. The Move Login plugin we mentioned above is one example of this. But, as with any WordPress functionality, there are several security services or plugins to choose from:

Stop XML-RPC Attacks blocks XML-RPC attacks that might otherwise slow down your server while still allowing things like JetPack to function properly. This is a lightweight plugin that we recommend for all of our hosting clients.

WordFence and Sucuri both offer security plugins (with free and premium features) with a firewall and malware scanner to protect your site. Keep in mind, however, that the extra security these plugins provide can potentially affect your site speed and performance.

Finally, services like CloudFlare provide distributed distributed denial of service (DDoS) attack mitigation to prevent a flood of malicious traffic from preventing your site from loading.

10. Backup your site regularly

We don’t mean to harp on this (even though it comes up in almost every post or email we write!). It’s just that regular backups really do provide the final layer of protection. If something does happen to your site, it can be restored from a backup. If you back it up regularly, then you’re able to restore your site without losing your latest changes, blog posts, or comments.

Your host should be providing daily backups (and have a way for you to easily restore those backups when needed), but we also recommend using Updraft Plus for an additional layer of protection on your site.


There’s no way to completely prevent your site from ever being attacked. But these ten things provide additional protection to reduce the chances and ensure you can respond quickly if something does happen.

How does your site measure up?

Download a printable version of this checklist here and do a security audit today.

Mandi Ehman

Director of Marketing at Agathon
With 10 years of experience as a professional blogger—and as a former Agathon hosting client herself—Mandi’s passionate about the good work Agathon does and sharing that message with more people.
Mandi Ehman

One comment on “10 things to do today to secure your WordPress site

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.