WordPress Security

Don’t think that your website needs to be high-ranking or receive a lot of traffic to be the target of attacks.

In fact, have a look at the following stats. They are taken from a brand new WordPress website 24 hours after it was put live on the internet. It had no backlinks, no Google juice, no social media promotions. The site was launched on March 7th, 2021.

WordPress is so popular that it’s fairly easy for attackers to automate an attack on all registered domain names, just to check if it is indeed a WordPress site.

So it’s absolutely clear that you need to protect your website. Now let’s have a look at what you can do.

1. Protecting your visitors

One of the most important assets of a website is the privacy of its visitors. To ensure that, there is one basic technology to implement: HTTPS.

What is HTTPS?

HTTPS means Hypertext Transfer Protocol Secure. It is an encrypted version of the HTTP protocol that supports the whole Web. In short, your browser (Chrome, Safari, Firefox, etc.) encrypts all the traffic to and from the HTTPS-enabled website.

This encryption is done through a certificate, a unique key that your server holds and that allows it to cipher and decipher the traffic.

Your browser indicates if a site runs on HTTPS by showing a little lock next to the URL.

Why should I care about HTTPS?

There are two main reasons:

  1. To protect your visitors. If someone signs up for a newsletter on your HTTPS-enabled website, someone “listening” would not be able to see your email address. It would be encrypted.
  2. For Search Engine Optimization. Google already gives a boost to HTTPS-enabled websites, but Chrome is eventually going to actively block non-HTTPS websites.

Securing your site with HTTPS

There are several options to secure a website with HTTPS.

Many hosts provide an SSL Certificate. Here’s a non-exhaustive list of hosting companies that do that, generally for free.

  • Cloudways (affiliate link) – SSL included in all plans
  • Bigscoots (affiliate link) – SSL included in all plans
  • WPEngine – SSL included in all plans
  • Kinsta – SSL included in all plans

The alternative and simpler option is to protect your site with Cloudflare. Their free plan includes an SSL Certificate (among many other great benefits).

You need to be aware that it secures the traffic between Cloudflare and a visitor’s browser, but it doesn’t secure the traffic between Cloudflare and your own server – unless you also have an SSL certificate there.

2. Protecting your website

Now that your visitors are safer with HTTPS, you also need to make sure your website and data are protected.

Here are the steps to follow.

  1. Choose a host that puts security first
  2. Protect against DDoS Attacks
  3. Protect against Bruteforce Attacks
  4. Lock the WordPress Admin
  5. Stay Protected

Choosing a secure-aware host

Why do you need your hosting company to care about security?

It’s simple. Even if you implement the best-in-class security on your website, someone could access all its information if they had access to your hosting console. Getting a copy of the database, accessing the files from the FTP server, injecting malicious Javascript or PHP code in your pages. The possibilities are endless if someone had access to your backend.

Therefore we recommend always choosing a hosting company that can implement 2-factor authentication (2FA) to connect to your hosting console. 2FA is a way of making sure that you are who you are by requiring a code that only your phone can generate.

Therefore, someone that has your passwords could still not connect unless they also have your phone.

The following hosts have 2FA on their console:

Beyond 2FA, it’s important that the host implement standard security practices. All the hosting companies promoted on Hobbysness.io put security first.

Protecting against DDoS Attacks

Distributed Denial of Service attacks (DDoS) are voluntary (or sometimes involuntary) flooding of a server with more requests than it can handle.

It results in a loss of service for most users and sometimes damages to the infrastructure.

It is typically performed by instructing many computers to send at the same time hundreds of requests per second.

DDoS attacks are sometimes unintentional.

For example, a bruteforce attack which consists in trying to guess a password by trying all combinations, can result in the server crashing under the load.

If your server has no protection against DDoS or malicious bot traffic in general, its CPU will spike when under heavy load, and visitors will start seeing errors (typically time-outs or error 500).

To protect against DDoS attacks, the easiest thing to do is again, to use Cloudflare.

Cloudflare’s DDoS protection is absolutely top-notch and is free for all users. Because it works at the Network level, before the requests have enough reached your host, it is 100% impactless on our website.

On top of that, some hosts like Cloudways (affiliate link) also offer free Bot protection. This system detects bad or malicious bots and blocks them at the network level.

This is impactless for your website, but does mean your host takes the load.

Finally, you can also implement some DDoS and bot protection using plugins like Wordfence. Wordfence is a free plugin that gives a lot of protection.

There is a premium version that goes way beyond and that we highly recommend (all our websites are protected by Wordfence Premium).

Because Wordfence runs on your server, it can’t bring a full DDoS protection. But since it does so many things beyond bot protections (Malware, Firewall, etc.), it is still essential.

Protecting against Bruteforce Attacks

Bruteforce attacks are the cheapest and oldest way of getting access to a system. Think about it as if you were trying all the combinations of a bicycle lock. Except that a computer does that for you.

It is a bit more complicated than a lock because passwords use many different characters and don’t have a fixed length, but the principle is the same.

And the login or username might not be known.

A script would iterate through all typical usernames, and for each of them iterate through all possible character combinations. This can take hundreds of billions of combinations, but computers are very fast.

A slight variation of bruteforce attacks are dictionary attacks. Instead of trying all character combinations for the password, they use a list of known passwords (sometimes a list of username and password combinations) from previous security breaches.

To protect against bruteforce attacks, there are a few simple strategies.

  1. Use unique passwords. Don’t reuse the same password for all your accounts.
  2. Use complex enough passwords. For example, passw0rd is not complicated enough.
  3. Don’t use standard usernames. Never create an admin account with administrator privileges.
  4. Enable rate limiting. Rate limiting is a technique to restrict the number of queries a single source can do per second/minute. If a bruteforce script can only send 10 attempts per minute, it would take millions of years to break a password.
  5. Enable throttling. On top of rate limiting, throttling reduces the throughput after a set number of calls – even to 0. For example, you can set it to block access after 100 calls are attempted over 1 hour.

While Cloudflare does provide some bruteforce protection from its firewall, the best option is to use a plugin like Wordfence. It gives you all the throttling, rate limiting, password complexity, etc.

Protecting the WordPress Admin

The wordpress administrator account can do everything. Therefore, you have to protect it as much as you can.

There are a few rules to follow, they will by now sound familiar:

  1. Implement 2-factor authentication
  2. Sharing an admin password
  3. Implement alerts and logging

Implementing 2FA on WordPress

2-factor authentication has become a standard for all critical accounts. As an aside, your main email addresses, your Google account, your Facebook account, etc. should all be protected by 2FA.

Imagine what a malicious person could do if they had access to any of these.

Two-factor authentication is the best way to protect your WordPress Admin. And the easiest way to implement 2FA is with Wordfence, once again.

Sharing Admin Passwords

Administrator users can do everything. Because of this, try to avoid sharing your password with anyone. If you do need a third party to access your WordPress console, a better practice is to create an account specifically for them.

When creating this account, tick the box to send them an email so they can generate their own password. Wordfence can enforce specific password requirements.

As soon as the third party doesn’t need their account anymore, make sure to delete it!

Security Alerts and Logging

Despite your best efforts, there’s always a slim chance that someone can break through.

You, therefore, need to implement alerts – to know when a security event happens and logging – to be able to do some forensics analysis after it happens.

To implement alerts, use Wordfence. The plugin can alert you of any connection on any administrator account, it tells you where the connection came from.

If you are alerted of a suspicious connection, you can act swiftly.

For logging, the best option is to have it active on the server itself.

A host like Cloudways has full security logging, so in case something happens, you can browse the security log on the console or download the full log to review on your computer.

Staying protected

Security is a continuous battle. On one side, you have malicious groups always trying to find a vulnerability in any code; WordPress itself, popular plugins, popular themes, hosting technology, etc.

And on the other side, you have the developers of all these plugins, themes, and tools who fix any vulnerability they know of.

As a result, it is essential to keep upgrading your WordPress, plugins, and themes.

Just have a look at the current known vulnerabilities (they have been patched by the developers but not everyone has updated their plugins). Some of these plugins are very popular!

WordPress has introduced automatic updates for plugins. It is highly recommended to turn it ON for any non-critical plugins.

Critical plugins (your Recipe plugin if you own a recipe blog, WooCommerce if you have a shop, etc.) should still be upgraded reasonably quickly. But it’s better to test them on a staging site before upgrading.

Useful WordPress Security Plugins

Sucuri Security

Sucuri Security, formerly SucuriScan, is a plugin for hardening and scanning your WordPress install. It does things like:

  • Checking that core files haven’t been modified
  • Comprehensive audit logs (who logged in, what post was published, what plugin was updated, etc.)
  • Web Application Firewall (paid add-on). Don’t need that, Cloudflare does a lot of it for free!
  • Hardening of the configuration (in Settings > Hardening). This checks that your WordPress configuration has the right settings for security and will alert you if there are risks


AntiMalware is a simple malware scanner for WordPress. It scans all your files for known malware and for anything that uses typical malware code.

It also has a free Firewall that, similar to Sucuri, hardens your installation by changing a few settings.


WordFence is the most popular security plugin on WordPress with more than 3 million installs.

Like many other plugins, it has some free features and some that are behind a paywall. But the free features already provide very good protection, including:

  • 2-factor Authentication: where you need a code on your phone to log in
  • a simple Web Application Firewall
  • a malware scanner
  • checking that core WordPress files have not been compromised

The paid version is however excellent and highly recommended!


Securing a WordPress site is not hard work, in fact, it only takes a few best practices and simple plugins.

But it’s absolutely essential so you can sleep knowing that your revenue-earning assets are protected.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.