Is WordPress really secure? That’s probably the one question I am asked most often. My answer hasn’t changed much over the years:

Yes, in my opinion, WordPress is secure.

It certainly isn’t secure all by itself. Just like any computer or any other content management system or other piece of software out there. There are a couple of rules you need to follow. They are pretty straightforward and can be implemented easily.

Who do I need to guard my website from?

First and foremost, from myself. All the little things I, the one in front of the screen, might trigger. That could be faulty updates of plugins or themes. Or bugs in my code. And plenty of other options.

Plus, there are hacking attempts that come via the web. WordPress powers somewhere between 30 and 40 % of the web. Therefore, it is exposed to a lot of hacker attacks. But that are not real people, sitting in front of their computers. These hacking attempts are performed by bots. They surf the web and try to get into as many WordPress installs as possible.

Usually these attacks have nothing to do with your personal website. Nobody means to steal data from your website or get content that might be hidden somewhere. But a website that has been compromised can be used for all kinds of mischief.

How to secure your WordPress website


Make sure that your server space is clean.
What I often find on my clients’ server spaces: The previous (WordPress) website you did not want to get rid of yet. The WordPress installation you tested something with and kind of forgot about. Or installations of other CMS. Make a backup, if you are not sure, and then delete it from your server space. Also, don’t forget the database that went with your old website.

Automated Backups

Automate your backups. There are several plugins that allow to create backups automatically. You should make sure, though, that these backups are not stored in the same server space as your website. Most backup plugins have options to set up a connection to some cloud server, like Amazon S3, Google, Dropbox etc.

Depending on the type of data you save in your backup, you need to make sure to follow GDPR rules.


For our clients, we offer to take care of website maintenance. Including update-related bug fixes and some house-keeping.
Sounds interesting?
Get in touch!

This applies e.g., to comments on your website or information from contact forms, never mind more sensitive data like credit card information.

Please make sure to test how to restore your website from the backup. This way, you will know your way around in case of an emergency restore.


If you run updates on a regular basis, the risk that an update breaks your website declines.
Many plugin authors nowadays even add a warning if the update is a major update that might cause problems.

Your WordPress Website

You should be using the latest version of WordPress. And certainly the latest versions of the plugins and theme you are using. A lot of updates are security patches – it actually IS important to run the update when updates are available.

Your Workspace

The computer you or your employees are using to work on your website need to be secured as well. It generally is essential to run the most recent software possible, as on your WordPress website. 😉 And please, don’t forget to run regular security scans!

When working from public Wi-Fi: Please make sure to use a secure connection (VPN). Also, think about whether you really need to access your website backend via that network. If you do, don’t use the full admin account if at all possible.

Secure access

  • Safe passwords are the most critical part! And please: Do NOT use that safe password for more than one account.
  • Add another level of security: Activate 2-factor-authentication whenever possible.
    That means that on top of username and password, you need a third way of authentication.
    This information is generated on the spot, so there is no writing it down or memorizing it. It is usually a code that’s generated via an app (e.g., Google Authenticator) or, in some cases, sent as SMS.
  • While you are at it: Please remember to also add secure passwords to FTP accounts and your hosting account.
    You even might be able to activate 2-factor-authentication for your hosting account. If not, ask your hosting company about it.
  • Are the access rights of your WordPress installation correct?
    Directories should not have more than “755”, while files should not have more than “644”.
    Normally, WordPress has the correct access rights, and you don’t need to fiddle with it, but I truly have seen the strangest settings here, so don’t take it as a given.

Posts are written by an editor

WordPress offers different user roles, depending on what the needs of the specific user are. The author of your posts is visible from the outside. In this case, a bot only needs to guess the password, not the username.
Therefore, it does make sense to only publish posts as an editor. And log in as an administrator if you actually require it. Or, if you are like me and always forget to do that, you assign the blog post to your editor before publishing it.

To be able to keep an eye on things, there should be as little administrator accounts as possible. Not every user of your WordPress website needs to be able to handle plugins and themes, for instance. To enhance safety, you can be inventive when creating the username for your administrator. You can always add an easy name as display name.

Last but not least – Hosting and WordPress

The choice of hosting provider also has a big impact on how secure your website is. The cheapest hosting company will most likely not be the most secure. The less the whole package costs, the greater the risk that the company is cutting corners at some place. And the more projects get crammed onto one server, the higher the risk that a security breach will appear somewhere.

Designated WordPress Hosting

Meanwhile, almost all hosting companies offer special packages for WordPress websites.
Often this involves very specific WordPress services, e.g., backups, staging sites additional security packages. These packages are usually more expensive than the “standard hosting package”, but of course they offer a lot more: A sophisticated hosting package can facilitate or even relieve you of many of the points I listed above.

So if you cannot or do not want to deal with how to restore your website from a backup yourself, you are in a nice position with high quality hosting. There, you will be able to do all these things with the click of a button in the customer menu.

If you have invested in a hosting package that offers a staging environment, you have the option to try new things on an identical copy of your website. Whether that’s the latest WordPress update or things you want to change on your website, you can always abandon it and start again. Your live website remains completely unaffected by it.

And once everything is as you like it, you can easily replace the live website with your staging website. No drama, no nightmares.


Securing WordPress really isn’t that hard. You might need to change some things and be a bit more conscious about your procedures, but it’s not undoable.

If you keep in mind the basic rules we mentioned here, you are at least 80 % there. Sure, you can always do more. But hey, it’s the basics, and they get you pretty far. Once these are all in place, you can think about if you are ready to do some more.

If you are unsure about the status of your website, we are here to help. Drop us a line, and we can assess your website and give you an estimate of what needs to be done.