How to Secure Your WordPress Websites

About a year ago I heard some feedback from a meeting where, upon discussing the platform for a web design project, the client said:

“I’ve heard that WordPress is the most hacked CMS in the world?”

You know what? That might be perfectly true. Let’s have a closer look at that claim and then see what we can do about it…

WordPress is probably the most popular Content Management System (CMS) on the planet. A few years ago there was a statistic kicking around that said there were nearly 75 million live WordPress websites. There was another figure that stated 25% of all sites on the web were WordPress.

When you consider that the other two most popular CMS contenders are Joomla and Drupal, and that the “big three” make up something like 58% of all websites, then it doesn’t take a genius to realise that WordPress is the number one CMS.

By that very fact alone you can surmise that, statistically, a WordPress website is bound to be subject to a hacking attempt.

The worst thing that you can do is buy cheap hosting and install a vanilla WordPress site. Grabbing a theme and pasting all your content is not enough. What you want to do is…

Invest in Solid Hosting

There’s a universal saying that “you get what you pay for” and that’s not far off the truth when it comes to hosting. That’s not to say that all value hosting is bad or that an expensive hosting package will be the best. But it is well worth doing your homework to check the specs and reputation of where your website will be hosted.

I had one personal hosting recommendation, many years ago, that turned out to be a dud. The webserver crashed regularly and the support was poor. The next recommendation I got resulted in me being with the same host for over a decade. I then signed up to a re-seller account and still host over twenty websites with no problems. The support is good and reliable.

Another web host I found through researching for an enterprise level solution. Described by one detractor as “eye wateringly expensive”  the pros of the hosting deal were a dedicated box, 24/7, a great SLA, serious uptime, support via a freephone number and the most knowledgeable support staff ever.

And then there was the WordPress dedicated hosting. It was a superb choice – good value, good support and good performance. It’s early days yet but it’s been tested and is looking good.

So make sure you’ve got an excellent host for your WordPress site – they’ll support you and restore from backups if you ever need to.

Use a CDN

Another key choice you’re best advised to make is to employ a Content Delivery Network (CDN). The benefits are twofold:

1: By setting up an account with a CDN, giving it all your web service IPs and CNAMEs, you’ll be placing an extra layer of security between the World Wide Web and your site.

2: The main thing CDNs do is mitigate the risk of Distributed Denial of Service (DDOS) attacks. If ever a malicious force should focus a botnet to throw terabytes of data at your domain then the CDN will take the brunt and keep your site online. The basic CDNs will cache a few pages of your site so that there will be at least some limited availability until the cyber attack diminishes.

If you pay more for a decent CDN then you’ll be able to cache more of your website’s pages and your site will be available more often, more quickly and from all around the world too if you have an international audience for your products and services.

Get a Secure Certificate

There are free secure certificates.

There are paid secure certificates.

There are pros and cons to each. Quite often the basic human instinct will kick and website owners will say that if there’s a free cert then why should they pay for one?

Well, we’ve seen some free secure certificates which are “shared certs” and there are tools to check who else in on your cert. We’ve seen reputable businesses skimping on the quality and sharing certs with escort girls and porn sites, so we’d urge caution with that particular avenue.

As a business, you have certain standards to adhere to, so why not go for quality over quantity. Whilst it costs more to have a high quality secure cert the risk management department of your business will say that it pays to be safe.

So, free or paid, the choice is yours. But there are more downsides to a free secure cert when you have a reputation to manage and a mid-to-enterprise level business.

Make sure you make the right decision and get your cert from a reputable vendor.

WordPress Security Plugins

There are a number of WordPress website security plugins. Some are free and there are premium, paid-for versions too. What they do is allow you to manage server-side settings from your WordPress interface.

These plugins allow you to do everything from redirecting all HTTP to HTTPS, limiting failed logins, IP blocking and switching off potential weak spots in default WordPress settings.

iThemes Security and Wordfence are both very good but if you need assistance with installing, setting up and monitoring them, let us know and we’ll be able to help out.

Our preferred WordPress host doesn’t allow Wordfence because they already have native caching and security features that overlap, so there’s no point in having the same features twice, that’s doubling-up on effort and creates overhead which slows down your site further, so they optimise their platform by removing Wordfence. If you’re not using our WordPress hosting then it’s OK to use this plugin.

Change the Default Login Page

One of the first things hackers do is go straight to your login page. That’s where they test your defences, via manual input (that’s why you should lock people out after a certain number of failed logins) or brute force login.

By changing the name of your login page to something unusual, that will slow down any automated attacks on your website.

The remaining 1% of attackers will be a little bit more persistent but still this will slow them down.

iThemes Security has a feature that helps you change your default login page so you can get rid of the usual /wp-admin or /wp-login.php to something a little less obvious.


How to Secure Your WordPress Websites with Clever Marketing, the full service digital agency.These are just a few of the many things that can be done to secure your WordPress websites. If your business needs help then let us know and we’ll be happy to assist. And just to let you know, secure websites aren’t just secure – they’re trusted by users and tend to rank higher than unsecured websites.

So call us on 01276 534 680 or fill in our form and ask us to help secure your websites.