Website Security with WordPress – Don’t Get Hacked!

By April 12, 2021 March 15th, 2023 Web Development, Website Security
Guide to Website Security with WordPress

WordPress is a great content management system (CMS) that allows you to create beautiful websites through an intuitive interface. It’s free and comes with many customizable themes and a huge library of plugins that can extend the core functionality. With any CMS-based site, however, website security is a major concern.

WordPress has many great security features (some of which we shall share below), but a website’s integrity can be easy to compromise if it isn’t adequately protected. Here’s how you can protect your website (and your data) in WordPress with better website security.

Before You Do Anything Else with WordPress Website Security, Do This!

The absolute, number one critical priority in keeping WordPress secure and safe from cyberattacks is this:

You must keep the WordPress CMS (core) plugins, and themes updated.

Why? Older versions of WordPress and out-of-date plugins or themes often have security holes that have been since plugged. So, you need to keep WordPress up-to-date. WordPress, unlike some CMSes, makes it easy to update the software. You basically click a button and it will update. You can even set WordPress to auto update.

This was always one of WordPress’s best features, whereas with some content management solutions, updating from one version to another can be a huge effort (particularly in Drupal, though they have come a long way towards making updates easier). Especially with other CMS solutions, updates can often “break” the website.

Perhaps because of this, people are often reluctant to hit the “update” button in WordPress, or they don’t login to the website for months on end and forget to update it.

Bad idea.

Your chances of completely breaking WordPress due to an update are relatively slim, especially if you update often and regularly back-up the site. On that note, make sure you backup your installation first (there are many free plugins that make this easy for you) and update as soon as an update is available. It is far better to troubleshoot a glitch from a plugin update than try to rescue a site that has been taken over by hackers.

In short, always keep your WordPress installation up-to-date. Otherwise, be prepared to visit your website someday to see that a Russian spammer has taken over your homepage.

WordPress Website Security Tools to Use

As the world’s most popular CMS, WordPress users have developed a robust library of free and premium plugins over the years. There are even dozens, if not hundreds of security plugins available directly from the plugin repository. Some offer paid upgrades but still offer amazingly robust functionality even in their free version.

The easiest way to add these plugins is to go into the plugins section in the WordPress backend, select “add new,” and search for the plugin or plugins you need. You can also read reviews there. Here are a few to try:

Wordfence Security

One of the best and most reliable WordPress security tools is Wordfence. The basic version is free, and comes with a ton of functionality. Wordfence can be set to block IP addresses that are hitting the site too much trying to login, or even ban entire regions.

It is not uncommon for hackers to try to hit WordPress sites from three major countries: Russia, China, and Ukraine. If they are hitting your site too much, and you don’t need to reach people in these countries, you can block the entire country from accessing your website. This may seem extreme but can be an important stopgap if your site is experiencing a massive attack.

If you are an educator, you are in luck. Wordfence is now offering free site cleaning and site audits to k-12 public schools.

Wordfence Central website security dashboard screenshot
A screenshot of Wordfence Central, a new service from Wordfence making it easier to monitor and manage Wordfence across multiple sites. Source:


Jetpack is developed by Automattic, the same company that manages WordPress. It offers basic website security protection for free, plus paid a la carte add-ons. In the free version, you get brute force attack protection, downtime monitoring, and the option to enable auto-updates for plugins. Paid options include site scanning, real-time backups, and anti-spam measures. In addition to its security features, Jetpack offers a wide array of other features to help enhance or improve your website.

Contact Forms, Captchas & Honeypots

Rather than putting your email address on the website for everyone to see (and for spammers to collect, which could lead to phishing), many site owners prefer to use a contact form. In order to add a contact form on WordPress, most users will install a special plugin.

There are many popular ones to choose from—such as Gravity Forms or Contact Form 7—and most can be protected with captchas (such as Google’s reCAPTCHA) and honeypots, which attempt to weed out spammers and bots using AI or subtle tricks.

CDNs and WAFs

You can use a CDN (content delivery network) and website application firewall (WAF) to protect against attacks on your web server. These are services offered by external companies like Cloudflare or Sucuri. Cloudflare offers a free CDN but charges for WAF; Sucuri’s pricing starts at $199 for a suite of security features. Both offer WordPress plugins.

Other Best Practices for Website Security

These recommendations are just a start. Other best practices and suggestions include setting strong passwords (which WordPress can force users to do by default) and even two-factor authentication. (Both Wordfence and Jetpack will allow you to set or require 2FA for admins and other users.) Additionally, you should avoid easily guessable “admin” account usernames (such as “admin” or your name or even the name of your site).

Does your business need help with cybersecurity? CDS Office Technologies has the expertise. Contact us today for a custom solution to your cybersecurity needs.