WordPress is the most popular content management system (CMS for short) on the web. CMS’s are great because they allow non-technical website administrators to manage their websites with ease. WordPress is widely recognised as the most user-friendly and feature filled CMS available.
Roughly 15 million websites on the web are powered by WordPress, which equates to roughly of 27% of all websites on the web. Many large businesses use WordPress for their website, including The New Yorker, Mercedes-Benz and TechCrunch.
Due to the popularity of WordPress, the platform has become a popular target for hackers and spammers. Taking time to focus on the security of your WordPress website is essential. This article covers some of the more important security measures you can take to secure your WordPress website.

Choose a Reputable Hosting Company


A good web host will have the latest versions of PHP and MySQL (the scripting language and database system WordPress uses behind the scenes) and servers that are optimised specifically for WordPress (e.g. WordPress optimised firewall, malware scanning, intrusive file detection etc).
If you choose shared hosting (i.e. your website is hosted on a server along with other websites), check if your host provides account isolation to ensure your website isn’t affected by any other website overloading the server.
Taking backups of the codebase and database of your website is a security measure both you and your host can provide, so it’s worth checking whether your host provides backups.

Code and Database Security Settings

There are a couple of security measures you can take to improve the security of your WordPress security:
WordPress security keys (which can be found in a file called `wp-config.php` in the codebase of your website) should be generated (via WordPress’s API) and added to your website. The keys improve encryption of the information that is stored in a visitor’s cookies and also makes it harder crack your password.
WordPress adds a prefix to all of its databases tables which is ‘wp_’ by default. Changing this to something less predictable will help prevent SQL injection vulnerabilities as hackers will need to guess the prefix of your database tables. You can change the prefix during installation of WordPress, however, if you have an existing website which has the default prefix, you can either change it manually or use a plugin (e.g. iThemes Security) to change it for you.

Keep WordPress Core and Plugins up to Date

WordPress typically addresses security issues found in previous versions of the software with each update of its software, therefore it’s important that you keep your WordPress version up to date so your website is less susceptible to attacks.
The same goes for plugins installed on your website, plugin developers typically update their plugins on a regular basis to patch security flaws as well as add new features. Having out of date plugins installed and activated on your website also increases your chances of being hacked.
When searching for a plugin to install on your site, it’s important to check the reviews for the plugin as well as how regularly the plugin author releases updates for the plugin. You drastically minimise risk by doing research on which plugins to install before choosing one.If you’re worried about forgetting to check regularly for updates, you can enable automatic background updates or install a security plugin (e.g. Wordfence) to set up an automatic alert whenever an update is available.


There are an endless number of security measures you can put in place to protect your website from hackers. Passion Digital, for example, are in the process of creating a WordPress Security Guru tool. 1) It lists out all the WordPress security measures a website admin should take to keep its website secure. 2) It provides a checklist so the admin can keep track of which ones have been completed for each of their sites. 3) It automatically scans the website and makes the security updates and recommendations for you. So stay tuned for that! In the meantime, doing these basics provided above will keep your website happy and healthy!

Check out Passion Digital’s web design and development services
We're recognised by
Digital Marketing Agency London +Mike Grindy