Updated March 1, 2025
A Recent WP Community Event
Keeping WordPress websites safe has been big news lately. In response, Automattic hosted a WordPress MeetUp last Wednesday evening featuring discussions on keeping this awesome open source platform safe from hackers. If you didn’t make the schlep into San Francisco, no prob. Here’s a recap of the dialogue and idea-sharing event:
Why Attack WordPress Websites?
Actually, WordPress websites aren’t alone. Hackers are opportunists, seeking out all website platforms including Joomla and Drupal. Even a custom HTML site isn’t immune from brute force attack attempts. Even itty-bitty websites — defined as a low number of monthly visitors or few pages of content — are targets. Why? Because hackers aren’t really interested in the website per se. They are more interested in gaining access to the server. The server is where a WordPress website’s files live. Breaking through security systems to hack into a server can mean big business. They sniff around for larger sites where they can install malicious software (e.g., spyware that records keystrokes) in the hope of infecting unsuspecting visitors. Capturing bank passwords, credit card numbers, and other personal and sensitive information is their true goal.
What Are the Risk Factors?
It’s important to know that attacks on WordPress websites are usually automated. Hackers typically use algorithms to scrape user names and then guess at password combinations. So here are the top 3 factors that can put your WordPress website at risk:
- Poorly configured server — this is at the hosting service level. Unauthorized entry is like getting into your back door and then jumping your backyard fence to gain access to your neighbor’s house.
- Weak WP-Admin / FTP / database passwords – check out our recommendations on creating strong passwords.
- Old versions of WordPress software, plugins, PHP, etc. — this is the equivalent of leaving your front door open (not just unlocked).
Solving the Problem
Keeping WordPress websites safe is actually pretty simple. If you know what you’re doing, that is. If you’re comfortable with the technical aspects of managing your WordPress installation, then follow these guidelines. If you’re not technical, my best advice is to hire someone (like us). It’s money well spent to keep the bad guys out of your website and server.
Sadly, there’s never going to be a foolproof solution that will keep WordPress websites 100% safe. However, the WP community is doing a pretty darn good job of it. Website security is all about setting things up properly, installing ways to detect attacks and then taking action.
Prevention starts with:
- Controlling who has access to your site. It’s a good idea to create protocols for new employees or vendors, as well as for when they leave your employ.
- Ensuring that WordPress software is updated, regardless of whether the release is big or small.
- Updating old or outdated versions of plugins and other software.
- Backing up your site and keeping copies in case you need to restore it.
- Educating yourself on what to do if your site gets hacked, including what support your hosting company provides (or doesn’t offer).
- Keeping current on what’s happening in the WordPress ecosystem.
- Securing your WP installation using these best practices and WP’s checklist. This is a handy list for DIYers, or for questions to ask when hiring this out.
Since I manage hundreds of WordPress websites, you probably can’t stump me when it comes to WP security questions. Even so, I invite you to give it a try.