1. Home
  2. WordPress
  3. How Do I Keep My WordPress Site Secure?

How Do I Keep My WordPress Site Secure?

WordPress is the world’s most used tool for building websites. There are thousands of themes and plugins for WordPress, which provides a wide range of functionality and appearance options.

The large number of WordPress sites also makes it an attractive target for hackers, who look for poorly protected sites they can take over and exploit as they wish. Fortunately, you can easily secure your site to make it harder for hackers.

Basic Security

If you ensure your site has secure passwords and updated software, you already have a more secure site than the majority of all WordPress sites. It’s also important that you have an antivirus program installed on the computer you use to access your site, so your password isn’t picked up by any viruses that might be on your computer.

Use secure passwords

Hackers’ methods for cracking passwords become increasingly sophisticated, which raises the requirements for password design. A good password should be long, unpredictable, and not consist of known words.

When you change your password in WordPress, there’s an indicator showing how strong the password is. This can be a good guide when choosing a password.

We also recommend changing your site’s passwords regularly and removing users that are no longer used on the site.

wordpress-password-strength

Uninstall plugins and themes

Security vulnerabilities in plugins and themes account for the majority of entry points hackers use to get into a WordPress site. One way to reduce this risk is to have as few themes and plugins as possible installed on your site. Uninstalling plugins can also often make your WordPress site faster since it has fewer functions to load.

For themes, there’s no reason to keep installations of themes you don’t use. These only pose an unnecessary security risk as long as they’re still installed. You uninstall themes in the admin panel under “Appearance” > “Themes”.

The same applies to inactive plugins. These are uninstalled under “Plugins” in the admin panel. Often you also have active plugins that provide features you don’t use. These can be deactivated and uninstalled with good reason.

For the plugins you actually want to keep and use, check that they have reputable publishers who release updates regularly. This brings us to the next point.

Keep your site updated

Security vulnerabilities are regularly discovered in WordPress and the plugins and themes that exist. Usually when this happens, developers are quick to release an update that patches the security hole. It’s then up to you as the site owner to install these updates on your site. If you don’t do this, you leave the door open for hackers to exploit these security holes to get into your site.

WordPress updates are usually very easy and can be done manually from the admin panel. Try to establish a routine to log in and check for updates a few times a month.

You can also use plugins to automatically update installations on your site. There are several such options. One example is Simple Automatic Updates.

Note that there’s a risk that things on your site may stop working as a result of updating. However, it’s always recommended to keep your site updated, as a potential breach can be many times more damaging.

wordpress-update-core

Don’t use “admin” as your username

If a hacker tries to log in to your site, they need to know both your username and password. If you use “admin” or another common username, the hacker already knows half of the information required to log in.

For the same reason, you should not display your username on the site. In the profile settings in the admin panel, you can set it so that, for example, “First Name Last Name” is displayed instead of your username if you publish a post on the site.

wordpress-display-name

Enhanced Security

Once the basic security measures described above are in place, you have good protection for your site. However, strengthening your site’s security further is a good idea, both for large and small websites.

Install a security plugin

With the help of a security plugin, you can with relatively simple means adjust your site’s configuration to secure weak points. The plugins have various functions, such as making login to the site more secure.

Here are some examples of security plugins (the recommendation is to use only one):

Add a website firewall (WAF)

If you want to maximize your site’s security, you can purchase external services that provide additional protection. With the help of a firewall, many intrusion attempts can be stopped before they reach your site.

These are services that involve an additional cost, unlike the tips above. However, if you have an online store or another website that you want to protect extra, this can be a good investment.

An example of a good firewall is Sucuri’s Website Firewall.

Even if you follow this guide to secure your WordPress site, we cannot guarantee complete security. We are not responsible for any breaches.

Updated on 9. July 2026
Was this article helpful?

Related Articles