I write and curate content for Bluehost. I hope this blog post is helpful.

According to PandaLabs, 18 million new malware samples were captured in Q3 2016 alone, or roughly 200,000 per day. By all accounts, cyber threats are expected to continue to rise in 2017, with cybersecurity spending hitting more than $1 trillion from 2017 to 2021.
The kinds of massive data breaches and ransomware attacks affecting companies like HP, Verizon and Yahoo might not seem relevant to your small WordPress blog. But given that the cost of recovering from a cyber attack can hit $1 million or more, it’s clear that web security must be a priority for every business.
Making your WordPress website more secure requires an understanding of what security options are available to you from within the platform and from third-party tools.
WordPress is an open source content management system (CMS), which means that its founders have made its source code available to those who want to study it, change it, distribute it or develop supporting technologies that work with the platform. Because of this open source nature, WordPress users are able to access the platform’s vast selection of free and paid themes and plugins that work seamlessly with the CMS.
Understandably, this extensibility has made WordPress popular with users, who can customize the look and feel of their sites without much manual coding. Indeed, the WordPress team reports that the CMS is used by 27% of the world’s top 10 million websites.

Keeping WordPress Secure

In an effort to protect WordPress users, the platform’s developers have built in a number of features intended to support site security. Taking advantage of these settings, introducing third-party security plugins and following WordPress security best practices offer the best odds of keeping your site safe.

Built-In Security Features

A few of the options built into WordPress for the purposes of security include:

    • Automatic WordPress version updates
    • Theme and plugin update notifications
    • User roles that allow you to control access to different capabilities within your site
    • Complex password generation

Behind the scenes, WordPress provides developers with sets of functions and APIs that can be used to protect data and to limit hackers’ ability to penetrate WordPress installations. These and other similar efforts were instituted as part of WordPress’s compliance with the recommendations of the 2013 Open Web Application Security Project (OWASP).
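
To illustrate the developer-facing functions mentioned above, here is a form handler for a hypothetical plugin that combines WordPress's capability, nonce, sanitization, prepared-statement and escaping APIs. It is an added example, not code from WordPress core or from this article; the `myplugin_` names, the `note` field and the `myplugin_notes` table are assumptions.

```php
<?php
/* Plugin Name: MyPlugin Notes (hypothetical example) */

// Render the form inside an admin page. The nonce binds the submission to
// this user and this action, which is WordPress's CSRF defence.
function myplugin_render_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // Capability check: by default only the Administrator role has this.
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_note">
        <?php wp_nonce_field( 'myplugin_save_note', 'myplugin_nonce' ); ?>
        <input type="text" name="note">
        <button type="submit">Save note</button>
    </form>
    <?php
}

// admin-post.php fires this hook only for logged-in users.
add_action( 'admin_post_myplugin_save_note', 'myplugin_save_note' );
function myplugin_save_note() {
    // 1. Authorisation: re-check the capability on the server side.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: stops the request if the nonce is missing or invalid.
    check_admin_referer( 'myplugin_save_note', 'myplugin_nonce' );
    // 3. Input: undo WordPress's added slashes, then strip tags, line breaks and extra whitespace.
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    // 4. Storage: $wpdb->insert() builds a prepared statement from the formats.
    global $wpdb; // Assumes a table {prefix}myplugin_notes (user_id, note) already exists.
    $wpdb->insert(
        $wpdb->prefix . 'myplugin_notes',
        array( 'user_id' => get_current_user_id(), 'note' => $note ),
        array( '%d', '%s' )
    );
    wp_safe_redirect( admin_url() ); // Only redirects to allowed hosts.
    exit;
}

// 5. Output: query with a placeholder, escape every value when printing it.
function myplugin_list_notes() {
    global $wpdb;
    $sql = $wpdb->prepare( "SELECT note FROM {$wpdb->prefix}myplugin_notes WHERE user_id = %d", get_current_user_id() );
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        echo '<li>' . esc_html( $row->note ) . '</li>';
    }
}
```

The order matters: authorise, verify the nonce, sanitize on input, parameterise the query, and escape on output, so that a failure at any one layer is still caught by the next.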

Third-Party Security Plugins

Despite the steps taken by WordPress, many users take the additional step of installing a third-party security plugin. These security plugins can be broadly categorized into two groups: full security suites and single-issue security plugins.
Full security suites encompass multiple security needs within a single plugin. This group includes both plugins that can be installed within the WordPress dashboard and ongoing monitoring services that watch WordPress activity remotely for security risks. Popular options include:

These tools cover everything from bot-driven brute force attacks to manual blocking of malware injection attempts and other hacks. They may be available on a free or paid basis, and represent a great choice for beginning WordPress owners who want one solution to cover multiple needs.
Beyond these security suites, more targeted security plugins exist that remedy specific weaknesses within the WordPress platform. Some of the most commonly used include:

The specific plugins you’ll want to install will depend on your own assessment of your security needs. Whichever you choose, practice good WordPress hygiene by not installing more plugins than are necessary and by monitoring the plugins you do choose for ongoing security issues.
Further, don’t assume that you’re safe just because you’ve purchased a paid security plugin – either a full security suite or an individual-need plugin. In 2013, of the top 10 most vulnerable plugins, five were commercial plugins available for purchase, according to wpmudev.

WordPress Security Best Practices

Finally, all the built-in security features or third-party plugins in the world won’t protect you if you don’t actively manage your site’s security.
While the list below is by no means complete, it represents a good starting point for beginning webmasters who are learning to keep their sites safe.

    • Regularly update your passwords
    • Regularly update your WordPress installation, theme and plugins (if you don’t have these set to update automatically)
    • Limit the people who have access to your website, and remember to revoke access from those who no longer need it
    • Avoid using WordPress’s default usernames, as hackers are familiar with these common options
    • Keep your personal computer updated, as hackers who have gained access to your personal information may be able to use this to access your website
    • Choose a WordPress host that prioritizes WordPress website security and takes the steps necessary to keep their clients’ websites safe

Ultimately, WordPress security isn’t about turning on or off a few options. It isn’t about adding a security plugin to your site and calling it a day.
Instead, it’s about being proactive regarding your site’s security. It’s about regularly checking in on your website to ensure the options you’ve chosen are functioning appropriately, as well as continually familiarizing yourself with new vulnerabilities that have been discovered.
Security is everyone’s responsibility. While taking the steps described above won’t guarantee your site will never be put at risk, they’ll go a long way towards making you a less-appealing target to hackers.
What other steps are you taking to protect your WordPress website? As this article is only intended to give a surface overview of WordPress security, there’s still plenty of additional ground that can be covered. Leave us a note on your experiences in the comments below.

  • Machielle Thomas

    Machielle is a content enthusiast who has a passion for bridging the gap between audiences and brands through impactful storytelling. Machielle has also spoken at dozens of WordCamps throughout the years.

    Texas State University
    Previous Experience
    Brand Content, Content Marketing, Brand Lead, Operations Lead, Course Instructor
    Other publications
    Shopify, Contently


  1. Leila Steward

    Thank you for the best practices for WordPress security. My account was always getting hacked before.

  2. Web Hosting Karachi

    Great post! I think WordPress should already suggest security plugins and settings at the time of installation.
    As an admin I come across many WordPress sites that are compromised due to a lack of security precautions, which can be achieved by the plugins mentioned in the article.

  3. dhruv raina

    I am doing a digital marketing course and this blog has helped me a lot in completing my assignment too…
    Thanks for sharing.
    Keep it up.
