Let’s talk WordPress Security. Why? Because statistics say that 30% of you are using it. That’s a huge chunk. In fact, we are part of that crowd too. Not only that, WordPress is open source meaning anyone can see their code and how they use it. With great power comes great responsibility and unfortunately, there are many who use this knowledge for evil doing.

WordPress is a very affordable and powerful platform. WordPress security is not lax; it’s more that so many users make it a veritable playground. Much like Facebook. If you understand why sites are attacked, the top 3 most common security mistakes and how to fix them, you’ll be able to harness the power with less risk.


Think There is Nothing to Steal?

Bursting bubbles is not my favorite pastime though I’m about to do it again. A common misconception is that people are at their computers directly finding and attacking your website to steal your data. The thing is, it’s not often a single individual attacking your site. It’s more likely bots. Bots are created by humans, sure, however, they run the same codes and actions repeatedly on as many sites as they can access.

Once a bot has access, it can be used to do any number of things. Yes, the bots might want your user data. That’s not the only thing to be concerned about. In fact, we recently encountered a security issue. Caught it fast, mind you, however, the purpose of the attack was clear very quickly. The bot had used my domain and IP to send spam. This put me on a spam list and triggered my security protocols. If something like this happens and you aren’t aware and don’t fix it promptly, the consequences can be hefty.

Should your website become infected, it becomes a potential host for malicious content and can even attack and infect other websites. Prolonged infection can place you on watch lists and severely penalize your SEO rankings on places like Yahoo and Google. Browsers will then pick up these warnings, and your customers will end up directed away from your site when they visit.


Top 3 Common WordPress Security Issues

There are plenty of things that may pop up, though there are 3 that I would consider the most common. (Based on my experience, of course, being a web designer/developer.)

1 – Lazy Setup

Sure, setting up your website is hard. It takes time. Especially if you aren’t computer/website inclined. However, that is no reason to get lazy. Not taking the time to setup, review and change each setting appropriately can leave holes for bots to sneak into. Many bots look for default settings and use that default access information to slide on in.

The same goes for your users. There are some usernames and passwords that crop up all the time. Even I have been guilty of creating a main user “admin” which sits near the top of the bad username list. Pair that with a common password and you’re handing those bots the keys.

2 – Backlog of Updates

Your website is not a set-it-and-forget-it type thing. Having that attitude can lead to all sorts of complications. You see, bots and hackers are always finding new ways to cause havoc. In turn, WordPress and the associated plugin and theme builders need to continually update their products to stay compliant.

Updating your website and plugins regularly will mean that you are keeping up with the latest attack trends. Let’s say you don’t complete your updates. What happens is that the bots are steered away from the updated sites and directly to those that aren’t. Like placing a veritable target sign on one’s back.

3 – No WordPress Security!

The most disturbing thing is that many WordPress websites I see don’t have any security at all. Often my clients tell me they get inundated by spam form submissions or emails. The spam comments for SEO boosting can become overwhelming very quickly. Not to mention that they have no way of knowing what is happening on their website at any time.

Ignorance may be bliss in many things, though this isn’t one of them. A basic password lockout setup could be the difference between secure and insecure. That’s like leaving your Porsche unlocked with $500 on the dash next to a drug treatment facility…

Addressing the bare minimum of these three things on your website will drastically improve your security. So let’s talk about how you do that!



How to Beef up Your WordPress Security

First and foremost, if anything I said in this article leaves you baffled, please reach out to me. These are basic needs and your bare minimum. If you don’t do these things, you could be dealing with the repercussions for years.

With that said, let’s look at how you can prevent these common issues and improve your WordPress security.

1 – Don’t be Lazy!

I know it’s easier to have a username you can remember and a simple password. I’m a fan of easy too, however, in this case, easy NOW does not equal easy LATER. For a username, consider using your email instead. Email addresses have more unique characters and are less likely to be easily duplicated. Plus, most people remember their email!

There’s no magic trick for passwords so you may need to use a password tracking tool like LastPass. Ideally, you want 10-16 characters which include symbols, numbers, upper and lowercase letters. The more complex it is, the harder it is for a bot to crack.

When setting up a WordPress site, you have the ability to include Loginizer which helps protect against brute force attacks. Make it so that someone can only try a password so many times before being locked out. Now, it’s hard to guess the right password and you interrupt the bot process with the lockout.
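As an added illustration (not code from this post, and not how Loginizer is implemented), here is the kind of lockout counter the post describes, next to a check for the password rules given above; the thresholds (5 failures in 10 minutes, 15-minute lock) and the sample login events are constructed assumptions.

```python
import re
import time
from collections import defaultdict

# Password rules from the post: 10+ characters mixing lower, upper, digits and symbols.
MIN_LEN = 10
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def password_meets_policy(pw: str) -> bool:
    """True when the password is long enough and hits all four character classes."""
    return len(pw) >= MIN_LEN and all(re.search(c, pw) for c in CLASSES)

class LoginLockout:
    """Lock a username after max_attempts failures within window seconds, for lockout seconds."""
    def __init__(self, max_attempts=5, window=600, lockout=900):  # assumed thresholds
        self.max_attempts, self.window, self.lockout = max_attempts, window, lockout
        self.failures = defaultdict(list)   # username -> timestamps of recent failures
        self.locked_until = {}              # username -> unix time the lock expires

    def is_locked(self, user, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user, now=None):
        """Register a failed attempt; return True if this one triggers a lockout."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures[user] if now - t <= self.window]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = []
            return True
        return False

    def record_success(self, user):
        self.failures.pop(user, None)

def simulate(events, limiter):
    """Replay (time, user, password_ok) login events and return each outcome."""
    out = []
    for t, user, ok in events:
        if limiter.is_locked(user, t):
            out.append("locked")        # rejected before the password is even checked
        elif ok:
            limiter.record_success(user)
            out.append("success")
        else:
            out.append("lockout" if limiter.record_failure(user, t) else "fail")
    return out

# Constructed sample: a bot hammering "admin", then the real owner logging in later.
SAMPLE = [(0, "admin", False), (1, "admin", False), (2, "admin", False), (3, "admin", False),
          (4, "admin", False), (5, "admin", True), (1000, "admin", True)]
```

The fifth failure locks the account, so the correct password at second 5 is still rejected until the lock expires; the owner gets in at second 1000.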

2 – Do Your Darn Updates!

This is no joke. Updating your site and plugins regularly not only keeps you up on the best features, it also makes a big difference to security. Anytime someone reports a WordPress security issue, WordPress releases an update to fix it. Then all the active plugins update to match.

If a plugin is no longer active, it’s not updating for new issues found. Do you see where the issue could come in? Completing updates often ensures better security and allows you to see if a plugin becomes unsupported. Is it a little more work? Yes. You still need to do it.

3 – Get Some WordPress Security, Stat!

I’m only going to show you the tip of the iceberg, though if you want a more in-depth look, check out Divi’s article. They will walk you through all the things you need to ensure proper security.

If that’s a little too daunting for you, please at least choose one of the plugins I list below. That way, you’ve got SOMETHING. These are all great plugins that I’ve used on client projects and are a great place to start.

Wordfence

My go-to choice, and that of 70+ million others, Wordfence is easy to install and very effective. The free version will set you up with your basic security features like a web firewall, brute force attack protection, and advanced manual blocking. You also get access to other helpful tools such as a site scan and email notifications of potential security concerns.

I trust them and recommend them. Especially at $99 or less a year. No brainer, IMO. The premium features will give you added peace of mind without the extra work.


A popular favorite! Designed by the same folks who designed WordPress, this plugin is a blend of functionalities. They boast hassle-free design, marketing and security all in one place. I have to give credit where it’s due, this is a pretty powerful tool. The free version is loaded and it only gets better as you invest in larger packages.

Their biggest selection is a mere $39 monthly or $389 annually and comes loaded with everything a business owner could desire. If easy is your bag baby, this is worth a look.

Sucuri Security

Another fan, and client, favorite is Sucuri. This is another great tool that bundles many solid features into one. Detection and protection are part of the deal, and they also offer backups and performance boosts too. The free version is nothing to scoff at, though the paid version runs perhaps a little higher than some of the others.

That said, it IS worth it if you have the funds to invest. All paid programs offer cleanup support, blacklist removal and amazing protection features like DDoS protection and continuous scanning. A serious contender for sure.

When push comes to shove, you’ve simply got to get a little power in your corner. When there are amazing free versions of WordPress security plugins you really have no reason to slack. Take the time, install your security if you haven’t already, it will save you countless hours of hassle in the future.


The WordPress Security Ball is in Your Court

As a business owner, or even as the owner of an active website, it’s our duty to protect ourselves (and in turn others) from potential security breaches. When we experienced ours, although the issue never made it as far as the clients, we still spent days cleaning up the mess it caused. Oh, and we have security in place. Had we not, it could have been irreparable. If it can happen to us, it can happen to anyone.

If you made it this far and still feel like a fish out of water, connect with me. I’m happy to consult and offer support where I can, free of charge! Otherwise, hop to, and make sure your WordPress security is in place.

~Sacha B