How to keep your WordPress website secure

By June 2, 2017 May 24th, 2021 No Comments

Over 74.6 million websites are using WordPress today. Of these, 18.9% use, the self-hosted CMS which I personally love building with. That’s around 14 million websites. With more and more people starting to use CMS for their websites for ease of use and updating with no programming knowledge, Wordpress is almost always the first option due to its user-friendliness compared to other CMS out there on the market. If you can write a blog, you can manage your own WordPress website with no problems! It’s almost the same thing! If your website is built on WordPress, keeping your website secured should be at the top of the priority list.

Besides having a strong username and password combination, what else can you do to make sure that you can install as many locks as possible (no matter how small) on your website to keep hackers out?

Steps to secure your WordPress page

  1. Hiding your WordPress login pageOne of the principles of security would be to stay away from the defaults. The default login page for every single WordPress installation out there is /wp-login. If someone were to try to look for your login page, this would be the first thing they’d try. That’s one layer of protection down. One of the first few steps I’d take when securing a website would be to hide it’s login page with a custom URL. Doing this makes it harder for the hacker to even find your login page!
  2. Do not use the default admin username.While we are staying on the topic of defaults, another default username created when you install WordPress is admin. A lot of hackers perform Brute Force Attacks to gain access to a website. What this does is a computer trying out every single combination it knows, hoping that at least 1 of which will crack open your website. If you use the default username admin, the computer gets a huge head start already knowing what your username is. A computer is potentially able to run millions of combination a second, so it would take absolutely no time at all it will be able to guess your password. Once in your WordPress Dashboard, the hackers can log you out, deface your website or even upload viruses into your website.
  3. Disabling XML-PRCXML-PRC is how other applications log-in to communicate with your site. Wordfence reports that a majority of attacks don’t even attack the login page, but instead XML-PRC. XML-PRC is used by applications such as Jetpack, the WordPress mobile app and pingbacks. If you are not using these services, it is best to disable XML-PRC altogether.
  4. Keeping your core WordPress and plugins updatedI cannot stress this enough. Owning a website is a little bit like owning a new car. When it is purchased, everything is spanking new and works perfectly. However, as time goes by, you realize that some features stop working or seem buggy. Just as a car wears down through daily use, technology on a website gets outdated (at a startling pace, I might add). Every day, a community of WordPress developers are hard at work improving WordPress and their plugins and most importantly, patching up vulnerabilities. Hackers get smarter everyday, finding new holes and tears in plugins and writing code to attack the flawed logic. That’s why plugins always seem to have new updates. It is absolutely important for your website’s core WordPress installation and plugins to up-to-date and properly maintained. Do note though, that sometimes it is not as easy as clicking the update button. Sometimes, due to customizations required for your website or incompatibilities between different plugins/scripts, things may stop working. Which is why you should always get a developer to backup your website and be on-hand if bugs happen after the upgrade.
  5.  Using 2-Factor AuthenticationIf you want to be super secure, you can also install 2-Factor Authentication. Doing so, creates an extra step in your login process similar to making online payments with your credit card. The system will send a text to your mobile phone with the pincode, which is required to log in.
  6. Implement an SSL CertificateIf you are really kiasu, another way to add a layer of protection to your website is to sign up for an SSL Certificate. So your website would have a https URL instead of a http. SSL protects transactional data, which means any data that you are passing over from the website to the backend such as customer’s payment information. SSL is definitely a must if you are accepting credit card payments through your website (and credit card information is passed through your website instead of a 3rd party service like Paypal).

Soooo…. Is WordPress secure? Should you build your own CMS?

Without doubt, WordPress is the most popular CMS out there today. Statistics say that it is being used 4 times more than Drupal and Joomla combined (They tend to look too techy). It is no surprise that it therefore becomes the #1 target on hacker’s to-do list. When there is a vulnerability scare and due to the sheer amount of websites using WordPress, it is understandable to feel as though WordPress is less secure than than Joomla or Drupal.

The sheer number of WordPress websites out there means that an active community of developers are constantly working around the clock to improve it. Due to this huge global community, any security scare of vulnerability gets patched in almost no time at all. Compare this situation to one where you had built your own CMS. Your small team of developers would have to work on a patch or fix for their customized system. Furthermore, custom-built systems run the risk of being badly coded by inexperienced developers – and that makes it very difficult to understand for new developers you engage in the future.


Nearly 80% of hacked websites occur due to a bad username/password combo or WordPress core/plugins that were simply left unupdated. Having some sort of maintenance program in mind is definitely a must for anyone who is serious about their business. Once your website is hacked, Google removes it from the results page entirely and you need to go through a lengthy procedure to scan and clean the website, and resubmit the cleaned website to Google for analysis. It also reflects poorly on your business, especially if the hackers had defaced your homepage with malicious texts or graphics.

Hello Pomelo offers maintenance programs for every website that we launch for up to 6 months. However, we strongly encourage our clients to continue taking up a maintenance package in order to keep their website updated, safe and secure! Ask us about our maintenance packages today.