A 10-point checklist to secure your WordPress website

Akshat Choudhary

Updated: May 28, 2020 · 8 min read

Four hundred million. That’s how many online users view the 20 billion-plus web pages hosted on WordPress each month. This shows the massive global popularity of this free and open-source tool that powers some of the Internet’s most visited websites today. This ever-increasing popularity has, unfortunately, also contributed to a growing number of online hacks and cyberattacks in recent years.

Whether you're a blogger or even a small business using a WordPress website, it’s important to devise a WordPress security plan that can keep your website safe from online threats. Why? A successful hack can severely impact your business.

Here are some of the business-related consequences of a successful hack:

  • Data breach that could result in the loss of sensitive business data like customer records, financial data such as purchase orders and invoices, and employee information
  • Loss of, or a significant drop in, website traffic due to slow website performance, along with potential customers switching to competitors
  • Loss in generated sales and revenues as a result of lower customer engagement and higher customer churn
  • A major drop in the SEO ranking (or even Google blacklisting) of the business that could further reduce incoming traffic
  • Loss of customer loyalty and brand reputation for the business

Anxious or worried? Don’t be. Here's a 10-point checklist that can provide multiple layers of online protection for your website:

  1. A reliable web host provider
  2. Regular website backups
  3. Regular updates to the WordPress version and plugins/themes
  4. Stronger WordPress admin credentials
  5. CAPTCHA tool
  6. 2-Factor Authentication
  7. Limited user accessibility
  8. SSL certification
  9. Firewall protection
  10. Security plugins

Let’s examine each of these in detail.

1. A reliable web host provider

The first step toward website security is to select a reliable web host provider. Industry studies reveal that 41% of WordPress website hacks happen due to security-related vulnerabilities on the web hosting platform.

A reliable web host provider performs various security-related activities for your website, which include:

  • Monitoring the entire network 24/7 for malware or any suspicious activities
  • Using security tools to prevent DDoS attacks
  • Devising the right website restoration plan in the event of any compromise

In addition to selecting the right web host, consider hosting your website on a managed hosting platform, which is safer and more secure than a shared hosting platform.

2. Regular website backups

This step is directed more toward securing your website data rather than your WordPress website. In the event of a successful hack that results in a major data breach, your priority would be to restore all your lost data on your website before taking care of the hack.

Website backups primarily take care of your existing data and restore it when required. Additionally, they protect against data loss caused by human error or system failure.

As a WordPress website owner, you can either opt for manual backups (that require technical know-how) or automated backups using a WordPress Backup tool like BlogVault or UpdraftPlus.

3. Regular updates to WordPress version and plugins/themes

A majority of online security threats or attacks occur due to the use of outdated versions of the core WordPress and plugins/themes. WordPress developers and trusted plugin/theme developers regularly release updated versions that contain the latest functionality and security fixes.

As a WordPress site user, you must ensure that you download and install the latest WordPress and plugin/theme versions as soon as they are available for use. This not only enhances the functionality of your WordPress website (at no extra cost) but also fixes security loopholes so that they can no longer be exploited by hackers.

4. Stronger WordPress admin credentials

Hackers often deploy brute-force attacks to try to gain access to WordPress admin accounts. As “admin” users have the most privileges on WordPress accounts, hackers can inflict the maximum damage to backend files or steal confidential information by infiltrating admin accounts.

In most instances, WordPress users make it easier for hackers by using weak “admin” credentials such as the use of default usernames like “admin” or “admin123” or weak passwords like “123456” or “password” that are easy to guess.

As a WordPress website owner, you must strengthen your WordPress admin credentials through the following measures:

  • Change the default user credentials (including your admin user) to a more distinctive user ID
  • Follow a stronger password policy that features 8- to 10-character passwords (for all users) that must include uppercase and lowercase characters, numbers, and special characters
  • Follow a policy of periodically changing passwords for all users
  • Restrict the number of “admin” users with access to the WordPress dashboard (or wp-admin folder)

5. CAPTCHA tool

As a WordPress website owner, you must also deploy the industry-accepted CAPTCHA tool to protect your login page. As mentioned earlier, hackers often use brute-force attacks to try to gain access to WordPress login accounts. They do this through automated bots that guess the login credentials of WordPress users (including “admin” users) by trying out various username-password combinations.

The CAPTCHA tool has built-in mechanisms to identify if a “human” user or an “automated” bot is trying to gain access and can restrict the number of failed login attempts to just 3.
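
The automated guessing described above also shows up in the web server's access log. The script below is an added example, not part of the original article: it flags clients with more than 3 failed logins, assuming a "combined" format access log and WordPress's default responses to `wp-login.php` (HTTP 200 when a login fails, a 302 redirect when it succeeds). The log lines are constructed.

```sh
#!/bin/sh
# Added example, not from the original article.
# Assumptions: Apache/Nginx "combined" log format; a failed WordPress login
# re-displays the form with HTTP 200, a successful one redirects with 302.

# Constructed sample log lines (documentation IP ranges).
sample_log() {
cat <<'EOF'
203.0.113.7 - - [28/May/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [28/May/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [28/May/2020:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [28/May/2020:10:02:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.20 - - [28/May/2020:10:02:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.15 - - [28/May/2020:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4388 "-" "Mozilla/5.0"
192.0.2.15 - - [28/May/2020:10:05:04 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Read a log on stdin and print "<ip> <failed_count>" for every client whose
# failed-login count is greater than the limit given as $1.
flag_bruteforce() {
    awk -v limit="$1" '
        # $6 = "METHOD (with leading quote), $7 = path, $9 = status code
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] > limit) print ip, fails[ip] }
    ' | sort
}

# Demo on the constructed sample. For a real log:
#   flag_bruteforce 3 < /path/to/access.log
sample_log | flag_bruteforce 3
```

The user who mistyped a password twice and then logged in stays under the limit, and plain GET requests for the login page are not counted.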

6. Two-factor authentication

Apart from the use of the CAPTCHA tool, you can prevent unauthorized access to WordPress accounts with two-factor authentication (also referred to as 2FA).

Two-factor authentication is an industry standard where users trying to access their account have to first enter their correct user credentials, followed by a unique verification code that is sent to their mobile phone. This tool ensures that hackers do not have easy access to any WordPress account.

For WordPress websites, you can implement 2FA with WordPress plugins like Google Authenticator or Two-Factor that are easy to install and configure for your login account.

7. Limited user accessibility

Backdoors are often used by hackers to hide malicious files in selected folders of your WordPress installation. Difficult to trace, backdoors can inflict website damage even after the website has been cleaned of all malicious files. For example, backdoors can be hidden in the WordPress plugin folders.

As a security measure, try to limit user access to common WordPress folders that are exploited by hackers. The conventional methods for protecting critical folders are to password-protect the folder (with the passwords stored in the .htaccess file) or to disable the execution of PHP files in these folders.
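
One way to apply the second measure is sketched below. This is an added example, not part of the original article: it assumes an Apache 2.4 server that honours .htaccess files, and a folder such as the uploads directory that should hold only media. The function names and the example path are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article.
# Assumptions: Apache 2.4 with .htaccess overrides enabled; the target folder
# is meant to contain media only, so PHP files in it are never legitimate.

# List files with PHP-executable extensions under the given folder.
# Every hit deserves manual review as a possible backdoor.
find_php_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Write an .htaccess that refuses web requests for PHP files in the folder,
# so they cannot be executed through the web server.
# An existing .htaccess is kept as .htaccess.bak before it is replaced.
disable_php_execution() {
    htaccess="$1/.htaccess"
    if [ ! -d "$1" ]; then
        echo "not a directory: $1" >&2
        return 1
    fi
    if [ -f "$htaccess" ]; then
        cp -p "$htaccess" "$htaccess.bak"
    fi
    cat > "$htaccess" <<'EOF'
# Deny direct requests for PHP files in this folder (Apache 2.4 syntax)
<FilesMatch "\.(?i:php|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$htaccess"
}

# Runs only when a folder is given on the command line, for example:
#   ./harden_folder.sh /var/www/html/wp-content/uploads   (hypothetical path)
if [ "$#" -ge 1 ]; then
    echo "PHP files found under $1 (review each one):"
    find_php_files "$1"
    disable_php_execution "$1"
fi
```

Run the listing step before relying on the rule: a PHP file that is already present in a media folder should be investigated, not just blocked.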

8. SSL certification

Secure Socket Layer (or SSL) protocol is effective in encrypting data transferred between your WordPress web server and the user’s browser tool. Thus, SSL encryption or certification makes it difficult for hackers to steal sensitive data during the transfer.

An SSL-certified website is the industry standard to make every website transaction secure. Previously restricted to websites handling sensitive financial data or with login credentials, SSL certification is now recommended for every website.

Additionally, an SSL-certified website is certified with the HTTPS (short for Secure HTTP) protocol that is used to secure communication over the Internet. In addition to improving online security, SSL-certified websites have a higher SEO ranking on search engines and can increase business trust among online users.

How do you obtain the SSL certification? Here are some reliable sources:

  • From your web host provider
  • Third-party companies like
  • Non-profit companies like Let’s Encrypt

9. Firewall protection

The best way of protecting your WordPress website is to block any malicious requests even before they reach your website. This can be achieved by using website firewall protection. Essentially, there are 2 types of firewalls:

  • Cloud-based DNS Level Website Firewall that monitors website requests through its cloud-hosted servers and then directs only the genuine traffic to the respective website server
  • Plugin-based Application Level Firewall that monitors incoming requests after they have reached the website server and determines if they are genuine requests

10. Security plugins

For today’s WordPress websites, any business must look to invest in a comprehensive WordPress security solution that protects websites from a variety of cyberattacks. Security plugins are easy to install and configure—just like any other WordPress plugin. They offer capabilities like early detection and prevention of malware, along with automated and tech-supported clean-up processes that leave no traces of malware infections on your website.

Some recommended plugins are Sucuri and Malcare, which combine security and backups to enable comprehensive security for your website.


This 10-point checklist for your WordPress website security plan is the best plan to follow even for non-technical or novice WordPress users. However, no checklist guarantees complete immunity against an online attack as hackers keep coming up with ways to compromise websites. That’s why you should be aware of vulnerabilities and actively work toward keeping your data secure.
