How to protect your WordPress website from cyber attacks?

Author - Andrew Iontton

Posted by Andrew Iontton, Lead Front End Developer

Date posted 30th Mar 2021

Category WordPress


From time to time you hear in the news of a high-profile website being hacked or of a data breach. For example, in 2016 attackers obtained over 4.8 million emails from the Panamanian law firm Mossack Fonseca, the leak that became known as the Panama Papers.

Some security firms, including Wordfence, pointed to Mossack Fonseca's outdated WordPress installation, and specifically an out-of-date plugin, as a likely entry point. If only they had updated to the latest version! No need to panic: this does not mean that your WordPress site will be hacked the moment it falls behind on updates, but it does underline the importance of a few basic steps (paying attention to updates and plugins, for instance) that minimise the hacking risk inherent in every website.

In this article we will suggest ways to protect your website from cyber attacks and improve the overall security of your website.


WordPress Security Guide


Use strong passwords

This seems a pretty obvious one, but many website owners make the mistake of using weak passwords for their website logins. In 2019 the UK National Cyber Security Centre published an analysis of passwords found in breached accounts and found that "123456" was the most common of all, a trivially easy guess for anyone who can reach your login page. I suggest using Secure Password Generator to create strong passwords and a password manager such as 1Password or LastPass to store them, so that every site gets its own unique password. A strong password is long first and varied second: aim for at least 12 characters, and include a combination of numbers, lowercase and uppercase letters and, if allowed, special symbols like @#$%.
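As an added example (not code from the original post), here is how to generate and vet passwords in plain PHP using the language's cryptographically secure random_int(). The alphabet and the short blocklist of common passwords are constructed for illustration; the blocklist stands in for a real breach-derived list.

```php
<?php
// Added example (not code from the original post): generating and vetting
// passwords with PHP's CSPRNG. Plain PHP, no WordPress dependency.
declare(strict_types=1);

// 26 + 26 + 10 + 10 = 72 symbols.
const PASSWORD_ALPHABET =
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@#$%!&*?-_';

// Illustrative subset of the passwords that dominate breach corpora (constructed list).
const COMMON_PASSWORDS = ['123456', '123456789', 'qwerty', 'password', '1111111', '12345'];

/**
 * Entropy in bits of a password drawn uniformly from the alphabet:
 * length * log2(alphabet size). Only meaningful for generated passwords;
 * human-chosen ones need the blocklist check below instead.
 */
function password_entropy_bits(int $length, string $alphabet = PASSWORD_ALPHABET): float
{
    return $length * log(strlen($alphabet), 2);
}

/** Returns a list of problems; an empty list means the password passed. */
function password_problems(string $password, int $minLength = 12): array
{
    $problems = [];
    if (strlen($password) < $minLength) {
        $problems[] = "shorter than {$minLength} characters";
    }
    if (in_array(strtolower($password), COMMON_PASSWORDS, true)) {
        $problems[] = 'appears in the common-password blocklist';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)
        || !preg_match('/[0-9]/', $password)) {
        $problems[] = 'needs lower-case, upper-case and digit characters';
    }
    return $problems;
}

/**
 * Generate a password of $length symbols. random_int() is cryptographically
 * secure; rand(), mt_rand() and uniqid() are not acceptable for this purpose.
 * Candidates that fail password_problems() are discarded and redrawn, which
 * keeps the result uniform over the set of acceptable passwords.
 */
function generate_password(int $length = 20, string $alphabet = PASSWORD_ALPHABET): string
{
    // The alphabet must contain every required class, or the loop below never ends.
    if ($length < 12 || !preg_match('/[a-z]/', $alphabet)
        || !preg_match('/[A-Z]/', $alphabet) || !preg_match('/[0-9]/', $alphabet)) {
        throw new InvalidArgumentException('length must be >= 12 and alphabet must cover all classes');
    }
    $max = strlen($alphabet) - 1;
    do {
        $candidate = '';
        for ($i = 0; $i < $length; $i++) {
            $candidate .= $alphabet[random_int(0, $max)];
        }
    } while (password_problems($candidate) !== []);
    return $candidate;
}

// Usage: a 20-symbol password from this alphabet carries about 123 bits of entropy,
// far beyond anything an online login form can be brute-forced against.
$generated = generate_password(20);
printf("%s  (~%.0f bits)\n", $generated, password_entropy_bits(20));
print_r(password_problems('123456'));  // all three checks fail
```

The entropy figure only applies to passwords produced by the generator; for a password a person chose, the blocklist and length checks are the meaningful tests.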

Update to the latest CMS version and plugins

As mentioned in the Mossack Fonseca example, many security professionals suggested the breach was the result of outdated plugins and an old WordPress version. According to Sucuri, in 2019 over 56% of all CMS applications were out of date at the point of infection. This shows that a lot of site owners ignore the importance of updating, which is a risky decision, since CMS and plugin updates regularly ship fixes for security issues that attackers start scanning for as soon as the fix is public. For increased security you should also delete unused plugins and themes rather than merely deactivating them: a deactivated plugin's files are still reachable over the web, so a flaw in them can still be exploited.
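One way to make the update habit automatic, as an added example rather than code from the original post: a must-use plugin that opts core, themes and plugins into WordPress's built-in auto-updater and nags administrators about inactive plugins. The plugin slugs in the manual-update list are hypothetical placeholders.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins load
 * before themes and cannot be deactivated from the dashboard.
 */

// Hypothetical slugs of plugins you prefer to update by hand after testing on staging.
const MANUAL_UPDATE_PLUGINS = ['example-shop-plugin', 'example-page-builder'];

// Core: allow both minor (security) and major releases to install automatically.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_true');

// Themes: always auto-update.
add_filter('auto_update_theme', '__return_true');

// Plugins: auto-update everything except the manual list. $item is the update
// object WordPress builds for each plugin; its slug identifies the plugin.
add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->slug) && in_array($item->slug, MANUAL_UPDATE_PLUGINS, true)) {
        return false;
    }
    return true;
}, 10, 2);

// Remind administrators about inactive plugins: their files are still reachable
// over the web, so they remain attack surface until deleted.
add_action('admin_notices', function () {
    if (!current_user_can('delete_plugins')) {
        return;
    }
    $inactive = [];
    foreach (get_plugins() as $file => $data) {
        if (!is_plugin_active($file)) {
            $inactive[] = $data['Name'];
        }
    }
    if ($inactive !== []) {
        printf(
            '<div class="notice notice-warning"><p>Inactive plugins to delete if unused: %s</p></div>',
            esc_html(implode(', ', $inactive))
        );
    }
});
```

Automatic updates are not a substitute for backups: keep a restorable backup so that a broken update can be rolled back quickly.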

Get an SSL Certificate

SSL stands for Secure Sockets Layer. The name has stuck, but the protocol browsers actually negotiate today is its successor, TLS (Transport Layer Security); SSL 2.0 and 3.0 are obsolete and should be disabled on your server. Either way, the certificate is what lets a visitor's browser authenticate your server and encrypt the traffic between them.

A correctly installed certificate does several things:

  • Lets browsers verify they are talking to the legitimate server for your domain, because the certificate authority only issues it after checking that you control that domain
  • Encrypts data in transit between the visitor and your server, including login credentials and session cookies, so that anyone on the network path cannot read or tamper with it
  • Changes your site from the insecure "http://" prefix to "https://", which browsers now expect (they label plain http pages "Not secure") and which search engines treat as a ranking signal

Installing the certificate is only half the job: set the WordPress Address and Site Address to https://, redirect every http:// request to https://, and make sure pages do not load scripts or images over plain http (mixed content). Free certificates are available from Let's Encrypt.

Disable JSON REST API in WordPress

The WordPress REST API (the endpoints under /wp-json/) is a real benefit for developers: it lets client code read and write site data over HTTP, which is what makes a headless WordPress site possible.

However, most site owners do not need it to be reachable anonymously, and by default it discloses information that helps attackers. The /wp-json/wp/v2/users endpoint lists the user slug (normally the login name) of every user who has published content, which turns a brute-force attack from guessing both username and password into guessing just the password. There are two main ways to restrict it. The easiest is to install the Disable REST API plugin, which by default blocks unauthenticated requests while leaving the API available to logged-in users. Do not block the API for everyone: the block editor talks to the site through these same endpoints and will stop working.

The other way is to add a short filter to your theme's functions.php (or, better, to a must-use plugin in wp-content/mu-plugins/, so it survives a theme change):
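As an added example (this is not the snippet the original post referred to), the following must-use plugin shows two levels of restriction built on WordPress's own REST filters: removing only the user-listing routes for anonymous visitors, or refusing every anonymous REST request. Pick one; the option names are just labels used here.

```php
<?php
/**
 * Plugin Name: REST API hardening (added example, not the original post's snippet)
 *
 * Save as wp-content/mu-plugins/rest-hardening.php. Both options keep the API
 * working for logged-in users, so the block editor is unaffected.
 */

// Option A (narrow): hide the /wp/v2/users routes from anonymous requests only.
// Logged-in editors keep them, because the editor uses them for author lists.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// Option B (broad): require a logged-in user for every REST request.
// Any front-end plugin that calls the API anonymously (contact forms, live
// search, etc.) will break, so test the site after enabling this.
add_filter('rest_authentication_errors', function ($result) {
    // An earlier check already produced a verdict (true or a WP_Error); keep it.
    if ($result !== null) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error(
            'rest_not_logged_in',
            __('You must be logged in to use the REST API.'),
            ['status' => 401]
        );
    }
    return $result;
});
```

Hiding usernames raises the cost of a brute-force attack but does not stop it; strong, unique passwords and a limit on failed login attempts are what actually defeat it.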

Install a Security Plugin

WordPress security plugins are marketed as an all-in-one solution for security. That means they (usually) let you, as the owner of the site, tackle everything from login security to access restriction with a single tool. These plugins can be very useful if you are running a large site that needs protection from every angle, as long as you understand which of their features are real controls and which are merely obscurity.

Notable features of security plugins include:

  • Hardening the login page by limiting failed login attempts per client, which is the control that actually blunts brute-force attacks, and optionally moving the wp-admin login URL, which only hides the target from unsophisticated scanners
  • Changing the database table prefix from the default wp_. This does not prevent SQL injection: an injectable query is just as injectable whatever the tables are called. Protection comes from keeping code patched and from plugins building queries with $wpdb->prepare()
  • A web application firewall that drops requests matching known attack patterns, such as Cross-site Scripting (XSS) and SQL injection payloads, before they reach WordPress. A firewall buys time against a newly disclosed flaw but is not a substitute for installing the patch

In conclusion 

These are just a few of the security steps a WordPress user can take to run a secure site. Security can appear overwhelming at first, but by implementing the key steps above you are well on the way to a WordPress site that is far harder to compromise.

Beyond that you don’t have to do it alone. Get in touch and let us focus on the security of your WordPress site.
