Many of us know that WordPress is a hugely popular CMS platform, powering over 27% of the internet (that’s over 18,000,000) websites. This makes it a very popular target for cyber criminals.

WordPress is all about making a website simple, with little to no need to work on the code or command line. Forgetting about the technicalities also leads to users forgetting about security.

I’ve explored some of the top tips to making your WordPress site more secure.


Two Factor Authentication (2FA)

Although we shout about the importance of changing your passwords and keeping them all different, particularly after a breach, many people forget about 2FA.

The problem with changing passwords is that you need to remember all of them. Users often result to ‘password’ as their default choice, but even if a malicious visitor was to guess this password, with 2FA enabled they would also need access to the users authentication device. Stopping them in their tracks, assuming they didn’t have your device.

Free WordPress plugins such as the aptly named ‘Two Factor Authentication’ makes it super easy for you to enable 2FA for any admin or user logins.


Login Limit

We’ve all done it. You’ve forgotten your password and frustratingly try a number of combinations it could be, but to make matters worse you end up locking your account and have to wait for a few hours or contact customer services to get it unlocked.

Although annoying, this can be a very reliable way to block hackers from brute forcing your website who guess passwords or use a bot to try every combination. Limiting login attempts can also allow you to identify troublesome IP addresses that may be out to harm your website.

Again, there are a number of plugins here to support you. The most popular of which is free ‘WP Limit Login Attempts’ which is self explanatory.

Bonus Tip: Make sure to exclude your own IP when testing login attempts. Creating screenshots for this blog caused a few issues where ionCube Towers were blocked from accessing our test website.



Many new users to WordPress don’t think about backing up their website because they haven’t experienced the pain of when it goes wrong. They assume it won’t happen to them, or it requires more time and effort.

Backups are vital to getting your website back online when a file is accidently deleted, your website is hacked or your server breaks down.

UpdraftPlus allows you to backup to a number of online cloud providers, your own PC or server and more.

As with everything, plugins make this super easy. The most popular free resource is UpdraftPlus, however premium offerings such as BackupBuddy are widely used for small to medium businesses.



As WordPress is open source, anyone can study and edit the code, including hackers. But this also means community members and security experts can identify holes and improvements.

WordPress sets an excellent example of pushing out updates to fix security vulnerabilities. Being on an older version means you’re running a website with known security flaws, and as hackers have the ability to search for older versions of WordPress, you could find yourself getting into a lot of trouble.

It’s also important to update themes and plugins, as these are often roads in for cyber criminals.

You can identify if there are updates available on your WordPress dashboard, where a number in a circle will appear, corresponding to the amount of updates available. It’s a one click process and in some cases is done automatically.


Themes & Plugins

Many users can forget that themes and plugins can be the heart of security flaws. Searching the WPScan Vulnerability Database catalogues thousands upon thousands of registered flaws in plugins and themes.

Back in December 2016, researchers at RIPS Technologies reported that over 8,800 of the roughly 48,000 plugins had at least one form of vulnerability.

Our best solution to vulnerabilities in plugins, themes and WordPress itself is to have some form of security software, such as ionCube24, and only install extras from recognised marketplaces such as WordPress itself and Envato Market.



WordPress is under constant attack, plugins, themes and outdated versions leave a door open to hackers that ionCube24 shuts by blocking the execution of any unauthorised changes. Instant notification allows you to act quickly, although the blocking of foreign code means you can wait until you’re back in the office.

ionCube24 can also act as a safety net by containing security holes until a patch has been issued.

Although WordPress has the reputation of being insecure, rather it’s huge popularity makes it a huge target. We recommended that you follow the tips above, use secure passwords and only install plugins you need.

Bolstering WordPress Security