WordPress is a very secure system, but like anything, there is always the possibility to exploit vulnerabilities. We often don’t worry about security risks until it’s too late, it’s human nature; but you should be taking extra precautions to keep your company’s website safe. Being proactive could save you a lot of stress and worry in the future. Some basic security concepts can be put in place to give your site an extra layer of protection.

What is WordPress Hardening?

WordPress Hardening is putting extra measures in place to ensure your site is as secure as possible. Your website getting hacked can be anything from a minor issue to a major headache taking days or weeks to fix. The best way to avoid this is to put preventative measures in place that will deal with an attack before it happens.

What are you protecting?

When you get a shiny new website you want to keep it secure. Of course, your website and files are important to keep safe but one aspect of security businesses often forget is their users data.

If you collect any information from your customers, names, addresses, emails, telephone or bank details you need to be able to ensure that information will not be compromised. Most major hacks these days directly target user information, selling off credit card details or releasing sensitive information for gains.

Protecting your website files is also important. Although they do not usually contain confidential information once a hacker has access to your files they can easily get to your user information.

Why would hackers target your WordPress website?


Backlinks are an important part of SEO. A hacker could use your site to insert backlinks to another site, using your sites good standing to improve the SEO of any site they wish.


Hackers can exploit your website for the purpose of sending spam emails, often this will cause your website to be blacklisted which is time consuming and stressful to have reversed.


Malicious software. It come in various forms and can do anything from spying on users actions to sending viruses.


If a hacker gets access to your WordPress site it makes it remarkably easier for them to gain access to your personal computer. Having this access could then allow them to steal any information you store on it. This can be passwords, bank account information and much more.

Attacking other sites

A very common type of website attack is a DDoS attack (Distributed Denial of Service). By sending too much traffic to a site the hacker makes it inaccessible for the users. In order to accomplish this, hackers ‘recruit’ websites to assist with their attack.

Sheer destruction

Some hackers may just enjoy causing chaos, wanting to destroy your records or put a disturbing message on your customers screen to destroy your reputation.

Why do you need to stay on top of security?

Your customers trust you. They expect you to keep their data safe and if it gets compromised, your customers will feel like you have violated their trust.

If your customers data is ever taken in a hack (especially credit card data) it will be very difficult for your business to recover. Putting preventative measures in place is much easer than cleaning up the mess after a hack.

A hack can cause all sort of damage that can cost a considerable amount of time and money to repair.

Once the damage to your site is fixed your reputation still may never recover.

Customers only like to do business with companies they trust. A small hack can even have a massive impact on your customers decision on whether to your business or your competition for future purchases.

How can you harden your businesses website?

Secure passwords

One of the most basic things to be done to secure your site is stop using a predictable/weak username and password. Everyone is guilty of that at one point using simple, easy to remember passwords. Passwords like these make it easier for hackers to crack the code using brute force automated scripts that continuously try to guess your password and username. 

No matter the extra precautions you put in if one of your staff with admin access to your site uses a weak username and password it can dismantle every other measure you’ve put in place too protect your site.

Chaining default usernames

By default, WordPress gives the primary account a username of ‘admin’ – this is a well known fact, so it is vital to always ensure that this username is changed to reduce security risks to your site.

Usernames should never be changed to something predictable. For example if your name is Tim don’t make your username ‘Tim’. If an attacker wants to hack your site using a predictable username, this gives them half the puzzle. A predictable username leaves the hacker only needing to guess your password to gain access to your site.

Limiting login attempts

Attempted logins for each account should be limited. As mentioned before hackers like to use brute force attacks where they continuously try to guess usernames and passwords.

WordPress by default does not have a limit to the number of attempted logins. A determined attacker gains a clear advantage  from this as they can keep going with their attack until they guess your login details correctly. Third party plugins are available to be purchased resolving this issue by creating a limit to the number of login attempts.

Changing the login URL

WordPress sets the login page for a site as www.mywebsite.com/wp-login by default. Relocating your login page to another URL can help to hide the fact that your site uses WordPress and limit the number of brute force attacks to your login page. If an attacker enters this URL and comes across an error page there is a higher chance of them being deterred from attacking your site.

Update themes and plugins

Keeping WordPress, themes, and plugins up-to-date is a very simple measure that can be put in place to reduce the risk of your site being attacked. Outdated plugins, themes and core open up a site for potential hacks, in fact they are the most common culprit of hacked WordPress sites.

Security plugins

Even if you are excellent with keeping your site up to date and using complex passwords using extra WordPress Security plugins is an obvious advantage when it comes to website security. 

You can follow all the measures above but if you do not use a secure host and a trusted developer these steps will be for nothing. Using a secure host ensure that there will be daily backups of your site. In the event of an attack the damage will be minimal and you site will be back up and running as soon as possible.

By using an experienced web developer you know that any third party plugins or themes installed will come from a trusted source ensuring they do not add any vulnerabilities to your site. Plugins such as those to transfer your login page, adding additional security and limiting login attempts will be installed correctly with you knowing they will not damage your site.

If you need help ensuring the security of your site or want to learn more about WordPress Hardening get in touch with one of our team today.