How to Improve WordPress Security [Infographic]


Is your WordPress site locked down?

Ok, there is no such thing as 100% safe or secure.

All you can do is take some proactive measures to protect against any potential security issues.

If your site is hacked, it is a hassle to get it back to where it was. You lose valuable time that you could have put to better use, like creating or promoting content, not to mention the headache of going through an investigation and restoration.

Here is an infographic that covers WordPress security and can give you an edge. Some of the tips are applicable to any website.


How Do WordPress Blogs Get Hacked?

  • Hosting 41%
  • Themes 29%
  • Plugins 22%
  • Weak Passwords 8%



  • 83% of WordPress Blogs that are Hacked are Not Updated
  • 30,000 Web Sites are Hacked a Day
  • On Average, a Website is Hacked Every 5 Seconds



If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack and is one of the primary reasons you should always keep WordPress up to date.

How to Prevent WordPress Security Issues?



Don’t Use the Default Admin Account – This is one of the most common and elementary mistakes you can make from a security perspective. What username do you think hackers try first when trying to gain access to any site? Admin, that’s right. Create another username and assign admin rights to that user before deleting the old admin user account.

Close Comments After 30 or 60 days – OK, this might be controversial and not everyone is going to agree with this. If you are getting hit by a lot of spam comments, you can try closing comments after 30 or 60 days – it certainly has cut down my spam comments drastically. Using a spam-comment filtering plugin like Akismet is a must.



Get Rid of the Login Link from your Blog – Regardless of what CMS your website is running on (WordPress or similar) having a login link to the admin interface is like giving the location to the locker in the bank. Now removing the login link from your website does not guarantee safety from hackers but it just puts another step for them to go through; the more barriers the better!

Always Keep WordPress Up-to-Date with the Latest Version – This is a no-brainer, especially when you know 83% of blogs that get hacked are not up-to-date. Most big blogs use the WordPress auto update feature to protect their blogs from security vulnerabilities.

Report WordPress Bugs and Security Issues – WordPress is the most used CMS on the web and the user community is huge. Every day new issues are being reported and patched. If you find a bug or an issue, report it so the whole community can benefit. You can report bugs here.

Lock Down File Permissions and Write Access – If you want to take your website security a step further, you can lock down files and who has write access. You can do this in many ways: with a plugin or through the settings (cPanel) of your web host. If you are not sure how to do this, it is best to contact your web host's support team, and they should be able to help.

Use a WordPress Security Plugin and Limit Failed Login Attempts – If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery – Login LockDown


After the research for this post, I have started using the Login LockDown plugin to see if I can block malicious login attempts. I am not sure how good this is, so if you have any thoughts please leave a comment below.
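The lockout rule described above (too many failed logins from one IP range in a short window disables login for the whole range), as an added sketch in Python rather than the Login LockDown plugin's own code. The threshold, window and lockout length, the /24 and /64 reading of "IP range", and all names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict, deque

MAX_FAILURES, WINDOW_SECONDS, LOCKOUT_SECONDS = 3, 300, 3600  # assumed policy values

def ip_range(ip):
    """Map an address to its range (assumed: /24 for IPv4, /64 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{addr}/{24 if addr.version == 4 else 64}", strict=False)

class RangeLockout:
    def __init__(self):
        self.failures = defaultdict(deque)  # range -> recent failure timestamps
        self.locked_until = {}              # range -> time the lockout ends

    def is_locked(self, ip, now):
        return self.locked_until.get(ip_range(ip), 0) > now

    def record_failure(self, ip, now):
        """Count a failed login; lock the whole range at the threshold."""
        net = ip_range(ip)
        recent = self.failures[net]
        recent.append(now)
        while recent[0] <= now - WINDOW_SECONDS:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[net] = now + LOCKOUT_SECONDS
            recent.clear()

def replay(events):
    """Replay (timestamp, ip, password_ok) events; return one decision per event."""
    guard, decisions = RangeLockout(), []
    for ts, ip, password_ok in events:
        if guard.is_locked(ip, ts):
            decisions.append("blocked")  # rejected before the password is checked
        elif password_ok:
            decisions.append("allowed")
        else:
            guard.record_failure(ip, ts)
            decisions.append("failed")
    return decisions

# Constructed sample events (documentation address ranges, not real traffic).
SAMPLE = [
    (0, "203.0.113.10", False), (20, "203.0.113.11", False),
    (40, "203.0.113.12", False),   # third failure in the same /24: range locks
    (60, "203.0.113.99", True),    # right password, but the range is locked
    (70, "198.51.100.7", True), (3700, "203.0.113.99", True),  # other range; expired lock
]
print(replay(SAMPLE))
```

Because the lock applies to the whole range, a legitimate user who shares a range with the source of the failed attempts is also blocked until the lockout expires, so the range width and lockout length are worth tuning to your audience.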

Consider Two-step Authentication – The traditional login requires a username and password, which is one-step authentication. To increase security, you could use two-factor authentication (2FA), like the SMS code used by some banks. You can use Google Authenticator for 2FA if your site is an eCommerce/WooCommerce store or similar that needs added protection. This, of course, depends on what kind of site you have and the information you are trying to protect; for a simple blog it may not be worth the effort or hassle.


Web Site Host, Themes & Plugins

Most of the above WordPress security tips are for protecting your site from security issues and the below tips are for being prepared in case of a security breach.

Re-Evaluate Your Web Host’s Backups and Recovery – If your site is hacked you need a backup to restore your site to its previous glory (pre-attack). After an attack is too late to find out that you don’t have a weekly or daily backup; without one, you will lose content and valuable time. The backup should also be offsite and not on the same server as your website files, as that server may be down or even infected. Check with your web host before it is too late!

Check Your Host’s Speed, Stability, Security and Uptime – If you did not consider security, stability and uptime when selecting a web host, now is as good a time as ever. 41% of security issues are through the host.

Re-Evaluate Your Website Theme and Plugins – 51% of security vulnerabilities are through the theme and plugins used by a site. Keep your plugins up to date and constantly remove unwanted plugins; this also helps with speeding up your WordPress site.


Your Computer and Network

Ensure Your Computer is Free of Malware, Spyware and Virus Infections

Work From Trusted Networks – Avoid Internet Cafes and Free WiFi, Where Possible

Make Sure Your Passwords are Strong (including WordPress, Emails etc.)

Take Advantage of a CDN’s (Content Distribution Network) Firewall – Not only can CDNs help reduce website load times, they also have a firewall as an added layer of protection that hackers need to breach before getting to your site and its data. I use CloudFlare CDN as it is free and easy to set up.


WordPress Security Plugins

A simple first step towards protecting your WordPress site is to start with a security plugin. Here is a list you can choose from. Don’t install more than one as they might have compatibility issues or overlapping functionality.



Use this post as a proactive reminder to check your WordPress site for security issues. You can start with your username and password. If you are using ‘Admin’ as your username, your first step is to create another Admin user and delete the default account, as you can’t change the username. Make sure your password is strong and not something like ‘password’ that can get hacked easily. Keep WordPress, your theme and your plugins updated. Use a CDN for better performance and as an added layer of protection. Good luck with locking down your WordPress site. Remember, prevention is better than cure.



  1. Hi Cent,
    To a large extent, the security of a website is in the hands of the webmaster. With WordPress there is flexibility in usage as well as security measures.

    For a WordPress site to be secure, proactive measures need be in place. Luckily, the above infographic just about highlighted the basic security measures that can apply to just about any type of WordPress site.

    Prevention is better than cure, and this readily applies to WordPress security. Thanks for sharing this piece!

  2. Hey Cent,
    It’s sure important to be reminded of WordPress security. The security of every website is quite fundamental to its success.

    From the details above, it is clear to me that the plugin Login LockDown should be a must have.

    I am intrigued with its features and I am sure going to ensure I install and test run it.

    Talking further about WordPress security, there are many aspects to it and it is fundamental to put proactive measures in place for increased protection!

    This post is worth bookmarking for future reference!

  3. Hey Cent,
    A very important post I must state. Computer insecurity is a scary discussion and every WordPress owner readily needs to take steps to manage or control it.

    It’s a good thing that we can actually implement some “security controls” in the form of plugins and tactics.

    Being safeguarded from malware, viruses and hacks should be priority for improved marketing.

    Thanks for sharing this infographic and for outlining the grey areas, plugins, tools and links that can be administered for improved security.

  4. Hello Cent! Wow now that is one amazing infographic with some great suggestions and statistics!

    A girlfriend of mine got hacked last month and has been having nothing but challenge after challenge getting her site back up. So when you stated “If your site is hacked it is a hassle to get it back to where it was!!”

    OH SO TRUE!! I am sharing this post with all my blogging friends.
    Thank You!!
    Chery :))

  5. Thanks for writing this great article.

    This is something that has flitted through my mind then got discarded for something more pressing.

    After reading your post, it was as if the heavens were telling me something.

    So I have now backed up my website, updated my WordPress, and sent an email to my web host asking about their backup schedule. I tried to create a new admin user but it wouldn’t let me use the email I use for the admin. What do you suggest? I have also removed the meta widget that allows for login on my blog.

    Of the security plugins, which do you recommend I get and why?

  6. Hello Cent,

    Thanks for this very informative post.

    WordPress is great but the security aspect has always been a big problem.

    Almost everyone with a WordPress site has been hacked multiple times.

    I was surprised to read that 83% of blogs that get hacked are not up-to-date. It makes sense then that updating WordPress site can help but doing that for dozens of sites all the time is difficult.

    Hopefully with what you have shared in this post we can better protect our WordPress sites.

    One question I have is regarding the use of WordPress Security Plugin, are the free ones enough or do we need to pay for premium ones?

  7. Hello Cent,

    This is a very useful post for improving WordPress security.

    With how vulnerable most WordPress sites are, every site owner definitely needs to know about security.

    But do you think a time will come when such WordPress hacks will be a thing of the past?

    Will WordPress themselves ever come up with a permanent solution to all WordPress hacks?

    Unlikely, right?

  8. Hello Cent,

    Thanks for sharing this infographic on how to improve WordPress security.

    I must admit I have a couple exact match domain sites built with WordPress.

    I haven’t updated most of them for a long time. I set them as set and forget blogs.

    I am off to check them now. I hope they all haven’t been spammed to death.

  9. Hey Cent,

    It’s so vital to protect your website and have maximum security. I’ve had a few hack attacks before, and it’s not pretty. I learned the hard way to take extra precaution steps. Luckily, WordPress makes this pretty sufficient for one to do.

    It’s always wise to upgrade your WordPress blog. It’s so easy to forget this.

    Really good tips you’ve laid out here.