Tutorials UPDATED: 29 August 2023

How to Secure Your WordPress Website

Tassos Antoniou


Managed WordPress hosting services (like Pressidium) normally place significant emphasis on the security of their hosting platform. An array of features are deployed to help keep WordPress websites hosted on these systems secure.

There is however only so much that a WordPress host can do to ensure the security of a WordPress website. Website owners have their own role to play in making sure their websites stay secure. In this article we will take a look at the steps you can take to secure your WordPress website.

Keeping Your Website Secure – An Overview

Many website hacks happen as a direct result of actions (or inactions) taken by website owners. Things like failing to update plugins to the latest version or using a weak password all result in exploitable weaknesses running through your site that hackers will target. The good news is there are a number of simple steps that you can take to help keep your WordPress website secure. These include:

  • Ensure that you and any other website users are using strong passwords
  • Use a Captcha mechanism
  • Use Two-Factor Authentication (2FA)
  • Delete inactive users
  • Use a ‘limit login attempts’ system
  • Always keep your core files, plugins and themes updated to their latest version
  • Change your default login URL 
  • Avoid using nulled themes and plugins

Let’s take a closer look at some of these steps and find out how you can apply them to your website.

Ensure that your users are using strong passwords

There is no server-side firewall or other hosting security system that can protect your WordPress website from a weak password. The problems with weak passwords are well known, yet stats suggest that an astonishing 35% of users still use one to secure their WordPress website, even after being prompted by WordPress to choose a stronger password.


Perhaps the conclusion that can be drawn from this is that some users simply aren’t aware how vulnerable their website becomes when a weak password is used. Unfortunately, hackers long ago worked out how to take advantage of users who choose predictable passwords that follow certain patterns (like a date of birth or the name of a pet).

Others, whilst aware of the vulnerability of weak passwords, nonetheless continue to use them, perhaps because it's the easy thing to do. After all, remembering a simple password is much easier than remembering a more complex one made up of random letters, numbers and symbols.

Without doubt, your password offers a critical line of defense against hackers. The stronger it is the better. Ideally a password should be unique, randomly generated and updated regularly. 

Use a Captcha mechanism in the login form

A captcha’s purpose is to distinguish humans from ‘bots’ which are software applications that carry out automated tasks. Hackers can make use of these to try and gain access to websites via the login page by instructing the bot to make continual attempts using random data in order to access a website. A captcha is designed to help prevent these kinds of attacks on a site happening by distinguishing between humans and bots. Captchas have been used for three decades and are still deployed on countless websites to help protect them against bot activity. 

A captcha can be added to your WordPress website with the goal of blocking bot login attempts. An easy way to do this is by installing the Login no Captcha reCaptcha plugin which takes advantage of Google’s captcha system. 


When installed you’ll see the familiar reCaptcha checkbox appear beneath the login panel. Tick this and you’re away (assuming you know the correct username and password anyway!). 

To get the plugin working you’ll need to sign up for a free Google reCaptcha account which will then allow you to generate a site key and a secret key. 

How to generate the site and secret key:

  1. Log in to your Google account (you'll need to register for one if you don't have an account already). Head to the Google reCaptcha page and click on 'Admin Console', which appears at the top right.
  2. Click on the 'Plus +' icon, again at the top right, to register a new website. Fill in the required information.
  3. Hit the submit button and you'll see a page showing your Google reCaptcha site keys.

You'll then need to paste these values into the boxes in the plugin settings as prompted.

Two-Factor Authentication (2FA)

Using a two-factor authentication process will add an extra layer of security to your website's login pages by preventing what's known as a 'brute force' attack. These are attacks where a bot continually tries to log in to your website using guessed usernames and passwords (normally following pre-defined lists that take advantage of known 'weak' passwords such as 123password and so on). The bot will keep trying to access your site until it's successful, which is bad news on two fronts. First, if it gets the password correct, your website has now been hacked. Secondly, these continual login attempts can increase server load and thereby slow down your website for legitimate users.


Fortunately, there are third party plugins available which can help stop this. 

Two-Factor Plugin

The Two-factor plugin by Plugin Contributors is a useful, easy to use plugin that provides websites with two factor protection by forcing users to supply an authentication code alongside their normal login credentials. This code can be sent via email or generated using a one-time password generator such as Google Authenticator. 


Google Authenticator Plugin

The Google Authenticator plugin is another popular 2FA plugin that can be deployed to protect your WordPress website. This completely free plugin provides a raft of 2FA authentication options including SMS and of course by using the Google Authenticator app. Setting this up is fairly quick and easy. Just follow the prompts when you activate the plugin. 
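To show what the authentication code adds on top of a password, here is an added example (not code from either plugin) that generates and checks time-based one-time passwords as defined in RFC 6238, the scheme the Google Authenticator app uses. The secret is the RFC's published test key, and the function names and the one-step drift allowance are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 time-based code (HMAC-SHA1) for the 30-second step containing `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, step=30, drift=1):
    """Accept the code for the current step or `drift` steps either side."""
    now = time.time() if at is None else at
    ok = False
    for delta in range(-drift, drift + 1):
        moment = now + delta * step
        if moment < 0:
            continue
        expected = totp(secret_b32, moment, step)
        # Constant-time comparison, and no early exit from the loop.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# authenticator apps expect it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SECRET, at=59)
    print(code)                                   # code for the first full step
    print(verify(SECRET, code, at=59 + 30))       # one step later: still accepted
    print(verify(SECRET, code, at=59 + 60))       # two steps later: rejected
    print(verify(SECRET, "123password", at=59))   # a guessed password is not a code
```

Because the code changes every 30 seconds and depends on a secret that never travels with the login form, a correctly guessed password alone no longer completes the login.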


Delete Inactive Users

Website user accounts that have not been used for a long time are another easy target for attackers. The password on such an account is often weaker than it would be if the user had created the account recently or was logging in to the website regularly. Because of this, it's well worth periodically deleting any accounts that are inactive.

You can easily detect these inactive users with a plugin such as When Last Login.

Once activated, it adds a custom column to the users list table in your admin area that displays the date and time of each user's last login. You can sort by this column to identify inactive users at a glance and then delete them if appropriate.


Then, under Users -> All Users, sort by the added "Last Login" column.

Limit Login Attempts

Another way you can add an extra layer of security to your WordPress site is by limiting the number of login attempts allowed within a certain timeframe. This technique thwarts bots that make continual login guesses. In addition, some plugins that provide this functionality can also block the IP address from which the login attempts originated, which stops a bot operating from that IP address from making repeated attacks on your site in the future.

A good plugin that offers this functionality is the free Limit Login Attempts Reloaded plugin.


With 1+ million installations at the time of writing you can be confident that the plugin works well.

After you install and activate it head to the Settings menu and then click on ‘Limit Login Attempts’. You’ll be able to alter a range of parameters including the number of retries allowed before the user is locked out of the website.
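To see what a given retry setting would do before you commit to it, the added example below (not code from the plugin) replays a web server access log through a retries-per-timeframe policy and reports which IP addresses would have been locked out. It assumes combined log format and that a POST to wp-login.php answered with 200 is a failed login and 302 a successful one; the function name, the policy values and the log lines are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"POST /wp-login\.php[^"]*" (?P<status>\d{3}) ')

def lockouts(lines, allowed_retries=4, window=timedelta(minutes=20),
             lockout=timedelta(minutes=20)):
    """Return (ip, locked_at, locked_until) for each lockout the policy triggers."""
    failures = defaultdict(deque)  # ip -> times of recent failed logins
    locked_until, events = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a login submission
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and ts < locked_until[ip]:
            continue  # the limiter would already be rejecting this client
        if m["status"] == "302":  # assumption: redirect = successful login
            failures.pop(ip, None)
            continue
        if m["status"] != "200":  # assumption: 200 = login form re-shown (failure)
            continue
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] > window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= allowed_retries:
            locked_until[ip] = ts + lockout
            events.append((ip, ts, locked_until[ip]))
            recent.clear()
    return events

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2023:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [29/Aug/2023:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [29/Aug/2023:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [29/Aug/2023:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [29/Aug/2023:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [29/Aug/2023:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.20 - - [29/Aug/2023:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
""".splitlines()

if __name__ == "__main__":
    print(lockouts(SAMPLE_LOG))
```

A user who mistypes once and then logs in correctly (198.51.100.20 in the sample) is never locked out, while the client that keeps guessing is cut off at its fourth failure.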


Limiting login attempts is an extremely effective way to protect your website which is why we enable this as a default on all Pressidium hosted websites.

Note: If you are using Jetpack, a recent feature release called the 'Protect module' includes a limit login attempts system by default. This system also provides information on the login attempts blocked and the option to whitelist IPs. If you are using this plugin then there is no need to install a separate 'limit login' plugin.

We would also like you to know that we have developed our own version of the Limit Login Attempts plugin by Johan Eenfeldt, reconstructing it with an object-oriented approach. If you are interested in how we accomplished that, you can find all you need in our repository. Keep in mind, though, that this version is for educational purposes only and is not production ready.
We also provide an extensive series on how to create a WordPress plugin with object-oriented programming, where we use the reconstruction of the Limit Login Attempts plugin as an example.
In these articles, we walk through the techniques that improve the plugin's reusability and extensibility, as well as its security, scalability and maintenance. Don't miss out on this valuable resource!

Keep your core files, plugins and themes updated to their latest version

Among many other benefits, updating your WordPress core, theme and plugins is critical for your website's security. Stats show that outdated versions, themes and plugins are the most popular way hackers gain access to websites, which makes keeping these up to date a top priority.

At Pressidium we automatically update the WordPress core to the latest version after first testing it to ensure there are no key issues that would cause our clients problems with their websites. Because these updates are carried out automatically, you can rest assured knowing your website is always running the latest version of WordPress. 




In addition, we make updating plugins on websites hosted with us as easy as possible by providing a plugin update facility that is accessible via the Pressidium dashboard. This allows our clients to see at a glance if their website(s) plugins need updating. If so, the update can be undertaken with a couple of clicks from within the Pressidium dashboard. We also regularly scan websites hosted with us for plugins that have known vulnerabilities and will inform the website owner of this vulnerability via email. In cases where an out-of-date plugin poses an extreme risk to a website we will even proactively update this on behalf of the website owner.

Change your default login URL 

Now that we’ve run through ways of securing the login page (in effect protecting the ‘front door’) let’s take a look at options for hiding the front door ensuring a burglar (or hacker!) can’t even try to gain entry. 

A great way of doing this is to change the default WordPress login URL to a custom one. In doing so you instantly block traffic from wp-login, which in turn means you shouldn't experience any brute force attacks on your website.

One such plugin that allows you to quickly change the location of the login page is WPS Hide Login.


Avoid using nulled themes and plugins

Nulled themes or plugins are ones which typically contain malware or modified code designed to cause harm. They are often available ‘on the cheap’ which is why they appeal to people. After all, no-one really likes having to spend money on premium themes and plugins. With some nulled themes and plugins available for a fraction of the cost of the ‘genuine’ version, you can see why they are tempting to use. 

In reality, the ‘savings’ you make using nulled versions can often be overshadowed by the costs incurred as a result of your website being infected with malware. Even if they don’t contain malicious code, they will often have annoying ads and popups that can ruin the experience of the plugin or theme. In addition, they are of course not supported by the original developer meaning there is no-one to turn to if something goes wrong. 

In short, don’t use nulled themes or plugins… it really isn’t worth it! 


A hacked website is in no-one's interest (apart from, of course, the hacker). Whilst high quality, managed WordPress hosting can significantly improve the security of your website, it's also important to remember that you, as the owner of the website, have a role to play in securing your website as well.

Even some of the simple steps outlined above can really help improve the security of your website and are well worth implementing.
