WordPress Security: How To Keep Your Website Safe

Date of post

18 December 2018

WordPress powers 27% of the websites on the internet and dominates as the most popular content management system (CMS). However, its vast size leaves it vulnerable to cybercriminals and hacking attempts.

Implement these tips to help keep your business’s digital assets safe!

Hacking is a serious subject and can affect any business with digital assets. For many small and medium-sized businesses (SMEs), cybersecurity is never discussed and the correct digital security measures are not implemented. Unfortunately, in most cases, action is only taken after a damaging breach has occurred. Failure to safeguard your website is like leaving your high-street shop front door open day and night with breadcrumbs for criminals to follow!

Cybercrime is a growing danger to British businesses, with hacking attempts being carried out round the clock. Over the last few years, hackers and cyber criminals have inflicted damage on numerous well-known brands, including TalkTalk, Wonga, Marks & Spencer, Three Mobile, British Gas, and many others. Do you remember back in early 2017 when 47 NHS Trusts, hospitals and doctors’ surgeries around the UK were crippled by a WannaCry ransomware attack?

Attacks and internal cybercrime, including fraud affecting SMEs, rarely make the news, but they are a lot more common than you might think. Recent data suggests that 16% of SMEs have encountered a security breach in the last twelve months with 21% of businesses reporting that it cost them over £10,000 to fix.

Cyber criminals aren’t amateurs. They want customer data and intellectual property (IP): information that would do real damage if it was published online. Businesses can simply no longer afford to do nothing. With General Data Protection Regulation (GDPR) now in full force, businesses could be fined up to €20 million (£15.8m), or 4% of turnover (whichever is greater) for data breaches.

For this blog post, we have focussed our security measures around WordPress – the world’s most popular CMS website platform. For hackers, this makes websites with a WordPress CMS an irresistible target. If your business uses WordPress, we strongly recommend implementing these measures to safeguard your assets.

  1. Create a unique username and use a strong password for access

    This may sound very basic, but did you know that ‘administrator’ and ‘P@ssword’ are the most common username and password on the internet – see the list for yourself! Build on strong hacking-prevention foundations with a username and password that is unique and tailored to you. This will stop scripts and hacking bots in their tracks as they try (and fail) to guess your login details during what’s known as ‘brute force’ attacks.

    Google – and numerous security experts – recommend using numbers, letters (lower and upper case) and symbols within passwords – try this great tool that randomly generates super strong passwords. A password that contains numbers, symbols and mixed-case letters has 30,000 more potential combinations than one with only lower case letters!

  2. Change the default WordPress login URL page

    Following on from creating strong usernames and passwords, it is also advisable to edit / hide the default WordPress login page – this is where you normally access the backend of your website to make changes and updates. As standard, WordPress logins are accessed through the following web address: or a version of that (/admin/ or /login/). Any hacker or automated bot knows to search for those access points, especially if users are logging in through an unsecured and unencrypted web connection.

    Creating a custom URL login page, for example, simply makes finding the entrance to your WordPress site harder for hackers – giving you an edge on millions of other WordPress site entrances that are much easier to find. For a relatively low cost, a WordPress web developer can easily change the URL to make it harder to find and attempt access. Don’t forget to keep your new login URL hidden from visitors and be sure to update your team!

    Looking to seriously lock down access to your WordPress website? Try two-factor authentication tools. Using your phone or email address, every time you attempt (or someone attempts) to log in, you will be sent a verification code that grants access. Two-factor authentication is perfect for business owners who want a little more control.

  3. Keep WordPress themes, plugins and extensions up to date

    Often neglected, WordPress theme and plugin updates provide important security tweaks that help to keep your website safe from prying eyes. Failure to keep your WordPress CMS platform up to date can leave your plugins and theme files more vulnerable to hacking attempts. Recent data highlights that 83% of hacked WordPress websites were running out-of-date theme and plugin files. Updating themes and plugins is a simple but effective way to minimise the risk of your website being hacked.

    Updates provide peace-of-mind and security and can be easily carried out by your WordPress web developer. Note: if you DO NOT have a maintenance plan with your web developer, it is not their responsibility to keep your website safe. Our best advice is to discuss regular updates with your web developer to ensure your WordPress site is as secure as possible.

  4. Run an SSL certificate to encrypt data

    SSL (Secure Sockets Layer) certificates provide business owners with another opportunity to protect their WordPress website and help build a reputation of trust with visitors. In addition to quickly offering customers a signal of trust and security, SSL certificates also encrypt data to avoid snooping. Websites with an SSL certificate are displayed with a padlock and ‘HTTPS’, instead of ‘HTTP’, in front of the URL, for example; Acting as another security layer, SSL certificates can also help boost Google rankings, as the search engine favours websites that take their security seriously.

    SSL certificates can be purchased via third-party providers or arranged directly through your hosting company. It is at the business owner’s discretion to implement and maintain an SSL certificate. If your WordPress site is currently running on HTTP and not HTTPS, our best advice is to contact your WordPress web developer for help.

  5. Take back-ups of your WordPress website

    The 5th and final tip is an indirect measure, just in case your website does get hacked. WordPress website back-ups are mainstream and normally added as standard to hosting packages. However, for a few cash-strapped businesses, website back-ups may not be in place. For the sake of a few extra pennies every month, we strongly recommend adding back-ups to your monthly plan with your host or web developer. Regular back-ups of your WordPress site offer the ability to restore previous versions of your website in the event of a damaging hack, saving thousands if your site needs to be rebuilt!
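
Tips 1 and 2 are about bots repeatedly guessing credentials at the login page. As an added example (not part of the original post), this is one way to spot that activity in a web server access log: count POST requests to the login path per client IP inside a sliding time window. The log lines, IP addresses, threshold and function names are constructed for illustration; `/wp-login.php` is WordPress's stock login script, and `/admin/` and `/login/` are the aliases the post mentions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths treated as login entry points (adjust if the login URL was customised).
LOGIN_PATHS = ("/wp-login.php", "/admin/", "/login/")
# Common/combined access-log format: ip, ident, user, [time], "request", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak login POSTs in any window} for IPs reaching threshold."""
    attempts = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # viewing the login form (GET) is not an attempt
        if m["path"].split("?", 1)[0] not in LOGIN_PATHS:
            continue
        attempts[m["ip"]].append(
            datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

def sample_log():
    """Constructed log lines; the IPs come from documentation-only ranges."""
    fmt = ('{ip} - - [18/Dec/2018:10:00:{s:02d} +0000] '
           '"{m} {p} HTTP/1.1" {st} 512 "-" "-"')
    # One client posting to the login script every 4 seconds (10 attempts).
    lines = [fmt.format(ip="203.0.113.7", s=s, m="POST", p="/wp-login.php",
                        st=200) for s in range(0, 40, 4)]
    # A normal user: loads the form once, logs in once; plus an ordinary visitor.
    lines.append(fmt.format(ip="198.51.100.20", s=5, m="GET", p="/wp-login.php", st=200))
    lines.append(fmt.format(ip="198.51.100.20", s=9, m="POST", p="/wp-login.php", st=302))
    lines.append(fmt.format(ip="198.51.100.33", s=12, m="GET", p="/blog/", st=200))
    return lines

if __name__ == "__main__":
    for ip, count in find_bruteforce(sample_log()).items():
        print(f"{ip}: {count} login POSTs within one minute")
```

If the login URL has been moved as tip 2 suggests, add the new path to `LOGIN_PATHS`; a sudden run of hits on the old default paths is then itself a useful signal of automated probing.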

Unfortunately, your WordPress website can never be 100% secure online but taking defensive action against hacking will help keep you safe and make it harder for cybercriminals to gain access. Pretending it won’t happen is not going to reduce the risks to your business. Now is the time to increase security, to protect your company and customer data.

Marketing Labs are here to help if you have any WordPress security questions – we also offer ad-hoc WordPress security audits and can advise on how best to secure your digital assets.

Post author

Josh is a talented web developer and designer who loves all things creative in life. He started out working in graphic design but quickly realised that his real passion was in web development.
