WordPress Security – 23 Tips to Secure Your Site from Hackers

WordPress security is a vital part of running a website. Like every other asset you own, you want to keep your site secure and safe from hackers
WordPress security is a vital part of running a website. Like every other asset you own, you want to keep your site secure and safe from hackers
blog image 41

Table of Contents

Table of Contents

WordPress security is a vital part of running a website. Like every other asset you own, you want to keep your site secure and safe from hackers, attackers and anyone prowling to steal or do damage.

You wouldn’t leave your home, car or office unlocked and available to everyone, now would you?! Protect your WordPress site with the same (or even higher) level of security.

Unfortunately, way too many site owners neglect their WordPress security thinking “Who would hack my small business website, anyway?!”, “Attackers only target big corporations.”, etc. Others might not have the skill or the time to deal with security by themselves.

It’s only when someone breaks into your home, steals your car, or hacks your WordPress website, that you start to worry. But then it’s probably too late; the damage is done.

Read on and learn 23 ways to harden your WordPress security and protect your most valuable digital asset – your website!

Why is your site security so important

With over 90,978 attacks each minute and over 102,623 hacked websites every day it’s pretty clear just how much WordPress security matters.

graphic showing 102,623 websites hacked each day

One thing is for certain; hackers don’t discriminate; they are targeting websites both big and small. Anyone with subpar security can be a target.

Recently, an unpatched plugin vulnerability caused a massive coordinated attack on WordPress websites. The hackers used this vulnerability to inject code into sites with Yuzo Related Posts plugin, that would redirect visitors to all sorts of malicious websites.

Email automation and delivery service Mailgun was among the many websites that got hacked.

And even big companies aren’t immune to hacker attacks. A few years back, one of the world’s biggest news agencies Reuters got hacked due to running an outdated version of WordPress.

Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users. They might even hijack your website, and the only way to get it back is to fork up a hefty ransom.

Attacks can deliver a huge blow to your revenue and cause a lasting dent in your reputation. The American Economic Association estimates that businesses and consumers experience costs of almost $20 billion per year due to spam.

The last thing you want people to see is a warning message that visiting your site may harm them.

Warning message on Chrome that says


Most common WordPress vulnerabilities – How hackers compromise websites

These are the 10 most common WordPress vulnerabilities hackers exploit to attack websites:

  1. Brute force attacks – This type of attack exploits weak passwords and has the potential to gain full access to your site. Hackers use automated scripts to constantly try to log in by guessing the admin username and password.
  2. Backdoors – Backdoors are vulnerabilities hackers can exploit to bypass security to gain access to your site, infect it and even compromise other websites on the same server.
  3. Cross-site scripting (XSS) – Hackers use this method to inject malicious script into a site without you even knowing it. This code can be used for all sorts of nefarious acts like stealing visitor’s session data, rewriting HTML, and even creating redirects.
  4. Malicious redirects – This insidious hacking technique can redirect your visitors to other websites with spam, malware or phishing sites.
  5. Phishing – The goal of phishing is to steal users’ sensitive information such as login information, credit card data, or even an entire identity. Hackers trick users by posing as a well-known trusted site then luring users to give up their information.
  6. Malware – This is a generic term for all sorts of malicious scripts or programs that try to infect a site or system. It includes viruses, backdoors, rootkits, adware, spam ware and other types of intrusive software.
  7. DDoS attack (distributed denial of service) – This is a coordinated attack by hack bots injected into multiple websites that send a flood of incoming traffic intended to overwhelm the site’s servers causing it to go down.
  8. Website defacement – Hackers use defacement to change the visual appearance of a website to make it unusable and promote unrelated (usually political or activist) messages.
  9. Php.mailers. – Mailers are tools that use php. commands to send spam or phishing emails directly from the infected website.

WordPress remains to top target for hacker attacks with 90% of all infected sites running on WordPress.

Graph showing that 90% of infected websites are running WordPress

Other studies suggest that over 73% of WordPress sites are vulnerable to attacks.

This begs a very reasonable question “Is WordPress secure?”

The Ultimate Guide to Hiring a Web Developer

In-house, freelancer or agency. Download the guide to make the right decision for your web development project by following 3 key criteria.

Is WordPress Secure

WordPress as a platform is very secure. It’s trusted to power 33.4% of all websites on the internet. WordPress has a dedicated security team (~50 security experts) hard at work to patch up any existing and discover new vulnerabilities, oftentimes rolling out fixes in less than 40 minutes.

WordPress security is also reinforced by an enormous user community that keeps a watchful eye to ensure new vulnerabilities are discovered and patched ASAP.

Much of the bad rep regarding security comes from the fact that site owners don’t follow security best practices and don’t take necessary security measures. Most common WordPress vulnerabilities are caused by:

  • Improper deployment
  • Security configuration issues
  • A lack of security knowledge and/or resources
  • Poor overall site maintenance (i.e. running an outdated version)
  • Broken authentication and session management

Even though WordPress is trying to keep the core updated and secure, only around 30% of WordPress sites are running the latest version (as of Apr 2019).

Pie chart showing how many sites use each version of WordPress

With that said, let me show you how to make your WordPress site safe with airtight security.


How to secure your WordPress site from hackers

Now that you know why WordPress security is so important, it’s time to protect your site from hackers. Although WordPress devs are constantly working to patch up any potential exploits, you need to do your part to keep your site secure.

Here are 23 actionable tips for hardening your WordPress website with impervious security.


1. Install a WordPress security plugin

Security is crucial to running your website smoothly and issue-free. Since we’re talking about WordPress here, you can bet there is a plugin to handle your site security. In fact, there are many of them.

These are the top 5 WordPress security plugins to consider:

iThemes security plugin dashboard

WordPress security plugins come with a ton of bells and whistles to cover most of your security needs:

  • WordPress firewall
  • IP and user blacklisting
  • Malware scanning
  • Strong password generator
  • Two-factor authentication
  • File change logs
  • Force passwords to expire
  • Monitoring for suspicious activity, etc.

Using a WordPress security plugin can take a lot of weight off your shoulders, making your site protection much easier and less time-consuming.

Even though these plugins can handle almost all your WordPress security needs, I recommend reading all the steps in this guide, so you understand all the features and know-how to configure them properly.

And of course, some security measures require more than just a WordPress plugin.


2. Scan your website for malware

If you’re experiencing a sudden drop in traffic, strange performance issues or some suspicious behaviour, you need to check your site for malware.

Even if everything is fine, it’s a good idea to run a malware scan every once in a while.

Some hacks work covertly, behind the scenes, so webmasters might not be even aware that anything is wrong. That is until the damage is done, like Google taking your site down from search results due to security issues or getting blacklisted, followed by a big revenue and reputation hit.

That’s why it’s very important to scan your site for malware regularly.

Most security plugins run scheduled malware scans in the background and routinely monitor for signs of any security breaches.

For an added bit of security, you can use a free online malware checker like Sucuri SiteCheck to run a scan of your website for malware and blacklist status.

Sucuri site check report

Make sure your site is clean and not on any blacklist. You can easily perform these checkups from time to time to verify the status of your website and ensure everything is fine.


3. Invest in secure hosting

Server-side security also plays a key role in keeping your site safe from hackers and malware. That’s why you need to be careful and pick a trusted hosting provider that takes security seriously.

Be sure that your hosting company knows a thing or two about WordPress security, has protection systems in place and provides fast and reliable support should the worst happen.

A solid hosting provider should offer:

  • Backups
  • Server-level firewalls
  • Malware scanning
  • DDoS protection
  • Latest operating system, software and hardware
  •  and Managed WordPress core updates, among other things.

Another key security feature is keeping each account and WordPress site isolated on the server. A good server architecture can protect you from cross-site contamination, which is when hackers use one infected website on a server to infiltrate and attack other neighbouring sites on the same server.

Hosting servers with poor account configuration and management where users can install and create as many sites as they want, are a prime target for malicious intruders.

On the other hand, safe hosting includes well-organized account management where live sites belong to a specially protected production environment, and everything else is in the staging environment.

Unfortunately, you can’t expect this level of security from shared hosting providers. They offer services for only a few bucks but come with looming security risks.

On the flip side, cloud hosting provides a much more secure environment with all security features listed above, plus additional backups, updates and security configurations.

what is cloud hosting and why it's better for website security

When choosing a provider for your business website, invest in secure hosting now and worry less in the future.


4. Fortify your site with strong credentials

Brute force attacks are among the most common hacking techniques. The main reason for their prevalence is that they’re so easy to execute. Almost anyone with a little tech know-how can launch a brute force attack using relatively simple hacking tools.

But the other reason why it’s so easy to pull off a brute force attack is that too many site owners use weak admin credentials.

Studies show that passwords like “123456”, “password” and “qwerty” are still among the most popular, even in 2018 after all those security breaches.

The best (and obvious) way to protect your WordPress website from brute force attacks is to have strong credentials. Follow the CLU framework and conjure a password that’s: Complex, Long and Unique.

Come up with a password that includes letters (upper and lowercase), numbers, and other special symbols like $&#@%*. Avoid using your name, pet’s name, birth dates or any “real words” for that matter.

Example of a strong password

Since you’re WordPress admin password guards the entrance to your entire business website, make sure it’s long with at least 15 characters.

And finally, make sure that your password is unique and you don’t use it for any other account (like for Facebook, Twitter, Netflix, etc.). That way, if any of your other accounts get compromised, your WordPress site will remain safe.

If coming up with a strong password is too much of a hassle, you can use free online generators or premium services like LastPass, 1Password. or DashLane.

These services can also store your strong passwords so you can do away with having to memorize or jot them down on sticky notes.

WordPress core also comes with a strong password generator that you can access from your account management in the WP dashboard.

Suggested strong password in WordPress dashboard

I recommend taking a few extra security steps and changing your generic admin username to something unique and more difficult to guess.

And finally, enable WordPress to force strong passwords. You can enforce your users to use strong WordPress passwords by configuring the following:

  • Password minimum length
  • Use of both lowercase and uppercase letters in passwords
  • Inclusion of numbers in passwords
  • Use of special characters in passwords

We’ll get to even more security tips that can protect you from brute force attacks later in the article. Keep reading if you want to foolproof your WordPress security.


5. Update your WP, themes and plugins

You’ve probably noticed your devices constantly get updated, including your computer, smartphone, apps, etc. These updates come with enhancements, new features, bug fixes, but most importantly security patches.

Same goes for your WordPress website. Your WordPress core, plugins and themes all get frequent updates. These updates can enhance the look and feel, improve stability and functionality, and patch up security vulnerabilities of your site.

Around 74% of known vulnerabilities are in the WordPress core. Luckily, most of them belong to old WordPress versions, like 3.X.

WordPress Security Team does a great job of quickly fixing these security issues. So, keeping your WordPress up-to-date can mitigate a huge chunk of security risks.

By default, WordPress automatically installs minor updates, so you get urgent patches in a timely fashion. For major version releases, you need to initiate the update manually.

How to update WordPress core


Keep your plugins in check

The other major security risk comes from plugins and themes. They’re developed by hundreds of third-party developers who are also responsible for keeping your site safe with updates.

Unfortunately, plugins are often laden with security vulnerabilities making them a prime target for hackers.

According to Wordfence, almost 56% of compromised WordPress websites were attacked through plugin vulnerability exploits.

Graph showing how hacked WordPress sites were compromised

The critical step towards higher WordPress security is keeping your core, plugins and themes up to date.

Although updating your WordPress plugins and themes can help fix security vulnerabilities, you need to be careful. Some updates can create new problems like bugs, plugin conflicts and may even cause your site to break.

I advise you to test each update in a staging environment before you decide to run it on your live WordPress site.

Also, make sure to avoid getting your plugins from obscure websites with a suspicious background. Only download plugins and themes from reputable sources such as WordPress repository, Themeforest, Themeisle, Code Canyon, and the like.

Last but not least, always delete unused plugins and themes. Some of them may have unpatched vulnerabilities that can be a potential security risk. Inactive plugins can also bog down your site performance and speed, so it’s good to keep your WordPress neat and clean.

Following the logic of this Wordfence study, if you can protect your site from plugin exploits and brute force attacks, you’re safe from over 70% of attacks. But for the other 30%, read the rest of this guide.


6. Backup, backup, backup

No matter how many steps you take to ensure your site stays secure, the single most important one is to backup your WordPress site.

You should always have a backed-up version of your site ready to restore should the worst happen. After all, even government sites get hacked and the only 100% effective security measure are backups.

WordPress doesn’t come with a built-in backup option; however, some hosting providers do offer their own automatic backups.

There are also other third-party backup options; you can use plugins like BackupBuddy, BackUpWordPress, VaultPress, or cloud services like Amazon, Dropbox or Stash.

BackupBuddy dashboard

You can set your backup frequency depending on how you use your website and how often you make changes and updates. For example, you can choose daily, weekly and even real-time backups.

Make sure you always have a backup, so you can quickly restore your site in case hackers do manage to somehow pierce through your security.


7. Enable WordPress firewall

Another critical WordPress security measure is to set up a web application firewall (WAF). Your WAF is the first line of defence that prevents malicious attacks before they even reach your site.

WordPress firewall plugins protect your website against hacking, brute force, and DDoS attacks. There are plenty of WordPress firewall plugins which can protect your site at DNS or application level, like:

  • Sucuri
  • Wordfence
  • SiteLock
  • Cloudflare

Diagram showing how Web Application Firewall works

Firewall plugins work by either routing your traffic through proxy servers or by examining traffic once it reaches your server but before loading WordPress.

WAF adds another layer of security to your WordPress site, which is very important. Still, they are ineffective if a hacker has already infiltrated your site. That’s why you still need to take other security measures to keep your site safe as a vault.


8. Hide your WordPress login URL

Hiding your WordPress login URL is a simple, yet effective security trick to protect you from brute force attacks.

Changing your login page works relatively well because brute force hackers use bots that are configured to attack a site with a typical setup. These bots target your login page, and if they can’t find your page (because you changed the URL), chances are the bots will move on from your site.

By default, your WordPress site’s login URL is domain.com/wp-admin. You can hide your login page by simply changing the URL. You can do so with a free plugin like WPS Hide Login.

WPS Hide Login plugin configuration in WordPress dashboard

This type of tactic is called “security through obscurity” and can protect you from less experienced hackers. However, by no means can it be a go-to security measure against more advanced hackers.

Still, it’s a worthwhile security tactic and will only take a few minutes to configure.


9. Limit login attempts

Another proactive way to protect your site from brute force attackers is limiting failed login attempts.

By default, WordPress allows users to attempt to log in as many times as they want; however, this leaves your site vulnerable to brute force attacks. Hackers can target your website by trying to guess your username/password combination millions of times until they break in.

You need to put a safeguard in place that would limit the number of times anyone can try to log in with incorrect credentials.

This is similar to what bank cards do; if you type in a wrong PIN into an ATM machine a few times, your card will get blocked. In the case of WordPress, the IP address from which the failed login attempts come will get blocked instead of your entire website.

You can limit login attempts through plugins such as Cerber Security or Login Lockdown, or all-in-one security plugins like iThemes.

How to limit login attempts in iThemes

Just set the max number of allowed failed login attempts before a username or IP is locked out. A lockout temporarily disables the attacker’s from making login attempts.

If a user gets locked out three times, they are banned from even viewing your website.


10. Use two-factor authentication

Two-factor authentication is becoming an increasingly popular security measure to keep online accounts safe. This type of protection involves a two-step process where the first step is to enter your username/password and the second step is to verify your login using a code that’s delivered to your phone, email, etc.

You can enable two-factor authentication using plugins such as DUO Two-Factor Authentication or Google Authenticator.

Two-factor authentication for WordPress

It’s a simple, yet very effective method to ward off intrusions since it’s next to impossible that hackers have both your credentials and your phone at the same time.

This makes it a reliable security measure that Google and other major tech companies use to keep their users’ accounts safe.

You can even go so far as to add a security question to your login screen using a WP Security Question plugin.

Screenshot of a security question in WordPress login


11. Password protect your login and admin pages

For extra peace of mind, you can add another layer of security that would keep your admin page safe with a password. This measure requires users to enter another set of username/password before they can even access the login page.

Screenshot of a site requiring username/password authentication to access WordPress login page

Restricting access to your login, admin and other critical pages is a surefire way to protect your site from bots as well as some DDoS attacks.

This is server-level protection so you’ll have to create a .htpasswds file and edit your .htaccess.

Keep in mind that this security measure is quite technical. It can also become very annoying having to type in your username/password every time you want to access your admin pages. So, use this method at your own discretion.


12. Automatically log out inactive users

Inactive users who are still logged in to your WordPress back-end can pose a security risk. Hackers can hijack their sessions, modify credentials and make changes to critical files.

That’s why a security best practice is to log out idle users automatically. Users will have to log back in after being inactive for a set amount of time, ensuring higher hacker protection.

You can enable automatic logout with a plugin like Inactive Logout.

Screenshot of inactive logout configuration

Just configure your timeout settings, redirects and add a logout message. Now your WordPress site as that much more secure.


13. Encrypt your connection with an SSL certificate

SSL encryption secures the connection between your site and visitors’ browsers. This means all the data that passes through is encrypted and private, preventing hackers from stealing information like passwords and credit card details.

With an SSL certificate, your site will use HTTPS and give you that familiar padlock icon that means your site is using a secure connection.

Screenshot of a website with HTTPS and padlock symbols

It was originally used for e-commerce sites that needed a way to secure transactions. However, in recent years HTTPS has expanded to become an industry standard for security.

Having an HTTPS and SSL gives you multiple advantages, like:

Make sure your hosting provider can hook you up with an SSL certificate so your site can enjoy all the benefits of a secure connection.


14. Manage your WordPress file and server permissions

Permissions, in this context, govern who can read, write, modify and access different files and directories in your WordPress installation.

You want to protect your vital files from hackers that could potentially modify them and wreak havoc on your site. At the same time, permissions that are too strict can impede your site to function properly.

You can use iThemes to check the permissions of critical files and directories on your site.

Screenshot of WordPress file permissions in iThemes

iThemes also provides suggestions for your permissions to solidify your security.

You need to ensure that only authorized parties have permission to access vital files and directories. Set directory permissions to “755” and files to “644” to protect your entire file system – directories, subdirectories, as well as individual files.

To manage your file permissions use File Manager from your hosting control panel, or through a terminal (connected with SSH) using the “chmod” command.

Managing your permissions is quite a bit technical, so if you’re not comfortable doing this yourself, be sure to contact experienced WordPress developers for help.

If you do decide to do this yourself, check out WordPress Codex for more detailed instructions on managing your permissions.


15. Hide your WordPress version

Hiding your WordPress version is a small, yet important security measure. When potential attackers know your exact WP version, they can tailor an attack to target a known vulnerability of that version (especially for older versions of WP).

Your WordPress version is shown in plain sight for anyone that knows how to view your site’s source code (hint: right-click in Chrome and open “view page source”).

WordPress version in site's source code

Hiding your versions is another “security through obscurity” tactic. You can hide your WordPress version using a string of code that you add to your functions.php file.

function wp_version_remove_version() {
return ”;
add_filter(‘the_generator’, ‘wp_version_remove_version’);

WARNING: Bear in mind that changes to your source code can cause your site to break if you don’t do it properly!

The alternative is using a premium plugin like Perfmatters to hide your WP version with a simple toggle.

Screenshot of


16. Manage your WordPress user permissions

If you’re like many site owners, you have multiple people working on your site. Some are responsible for running your site like admins and developers, while others contribute to your site with content like authors and editors.

It might seem obvious but it’s still worth mentioning, you don’t want to hand out top-level user permissions willy-nilly. You need to assign roles and permissions appropriately to each user.

For instance, guest bloggers that write articles on your site shouldn’t have user permissions to edit your HTML. Also, they don’t need access to your theme, plugins, etc. Someone messing with your code or making changes to your page can break your site (white screen of death).

White screen of death (WSOD)

On the other hand, developers and admins that maintain your site need site-wide access to add plugins and themes, make updates, etc.

A good way to manage user permissions is to follow these three steps:

  • Give each user only the level of access they need
  • Limit the number of users that have top-level permissions
  • Use plugins to customize user roles (i.e. User Role Editor)


17. Disable hotlinking

Hotlinking issues arise when someone posts an image from your site through the image’s URL. This results in performance and cost issues because the other website is hogging your server resources to show the image on their own site.

In such a case not only are they stealing your image but also your bandwidth. With hotlinking enabled the image remains on your server and all traffic that comes to the other site uses your server resources.

Content scrappers heavily exploit this technique, which can rack up a large bandwidth bill.

You can check if someone is hotlinking your images using Google search operators:

inurl:https://stablewp.stablewplite.com -site:https://stablewp.stablewplite.com

Use this command to look for every image from your website that doesn’t contain your own URL.

Screenshot of Google search for hotlinked images

We’ve seen this problem even just a few months after our redesigned site went live. So the safe way to go is to disable image hotlinking altogether.

You can disable hotlinking by:

  • Editing your .htaccess file
  • Configuring your CDN

Some WAF plugins (firewalls) can also provide protection, at least when it comes to preventing others from hotlinking your images.


18. Protect yourself against DDoS

DDoS attacks are different from hack attacks and malware. They don’t harm your site or steal your information; rather they temporarily take down your site.

Still, DDoS attacks can cause revenue loss as well as potential costs to recover your system. Because of the way they work, term cyber-terrorism is often associated with DDoS attacks.

Attackers use hijacked websites (botnet) and other programs to send abnormal amounts of traffic to overload your server and cause it to crash. When a server is overwhelmed, legitimate traffic can no longer be accepted, and your website becomes inaccessible.

Diagram showing how a DDoS attack works

DDoS attackers use machines located around the world to generate traffic, which is why it’s much harder to track and thwart these attacks.

The only way to protect yourself from DDoS attacks is by using WAF (web application firewall) to analyze the bandwidth being used and block out DDoS attacks entirely.


19. Disable XML-RPC

While XML-RPC can be useful if your WordPress system needs to connect to the web and mobile apps, it also poses a big security hazard. It almost opens doors for brute force attackers.

Normally if a hacker wanted to try 1000 different passwords on your website, they would have to make 1000 separate login attempts. This would trigger login security plugins, and the attacker would get blocked.

With XML-RPC enabled, a hacker can use something called system.multicall function” to probe thousands of password combinations with only 20 or 50 requests. That allows hackers to fly under the radar where most security plugins can’t find them.

Quality WordPress security plugins such as iThemes can block XML-RPC login attempts to keep your site secure from these types of brute force attacks.

Screenshot of how to block XML-RPC using iThemes plugin

You can even go so far as to completely disable XML-RPC using the .htaccess file.

Use the XML-RPC validator tool to check if this feature is currently running on your site.


20. Use latest PHP version

Keeping your PHP version up-to-date is vital for your security, just as much as your WordPress core, plugins and themes. Each PHP version usually comes with two-year support that patches up any security vulnerabilities.

Diagram showing PHP versions and their support timelines

As of now, versions 7.0 and older are no longer supported and may come with potential security risks.
Unfortunately, too many WordPress websites fall behind with over 31.9% still using PHP v5.6.

Pie chart showing the usage percentage of each PHP version

Make sure your site is powered by the latest stable PHP version to ensure maximum security.

Sometimes it does take time for developers to test and ensure compatibility with their code, so you can use any of the PHP versions that still have security support (currently 7.2 and 7.3, with only a few months remaining for 7.1 version).

Running your site on the latest PHP version can give you a significant security and performance boost. Check with your hosting provider which version is powering your WordPress site.


21. Limit access to vital parts of your site

Hackers often target vital files on your WordPress website with malware. These include your index.php, functions.php and wp-config.php files.

Pie chart showing top 3 modified file by malware affected by hacker attacks

According to Sucuri, there are a few main reasons why these files make for popular targets among attackers:

  • They are loaded on every site access
  • These are core files not overwritten during WordPress updates
  • They are often ignored by integrity monitoring systems, as their value often changes

These types of attacks are very dangerous since regular malware scans don’t detect infections contained in these files.

To protect your core WordPress files, consider doing the following:

  • Hide your wp-config.php file
  • Disallow file editing using wp-config.php file
  • Change your database (wp_) prefix
  • Protect your files with .htpaccess rules
  • Restrict access to PHP files
  • Secure your /wp-includes/ directory
  • Disable directory browsing
  • Prevent username enumeration

You can go to WordPress Codex for more details on keeping your files secure. However, this type of security involves a lot of technical know-how so be cautious or contact your developer.


22. Prevent spam

Spam has become a modern-day plague for everyone on the internet. However, besides being annoying, it can also lead to brute force and DDoS attacks as well as XSS vulnerabilities.

Various types of spam can compromise you as well as your users. To fortify your WordPress site and ensure maximum security you need to prevent:

  • Comment spam – the most common type of spam that appears in the comments section of your site. Spam comments are often riddled with links to sites filled with malware, viruses or scam.
  • Splogs – this is short for spam blogs. Spammers can register for a site in a multisite network to suck up bandwidth and resources to post spam or affiliate links to questionable items.
  • Trackbacks – this is when another site links to your post in one of their posts, and it shows up as a comment on your site.
  • Pingbacks – pingbacks are essentially the same as trackbacks, except the process is automated.

Spam can hurt your site in a number of ways, from performance slowdowns to phishing and SQL injections.

It’s essential to keep your site spam-free. You can protect your site with dedicated anti-spam plugins such as Akismet as well as all-in-one security tools like Wordfence.


23. Monitor your site security

Finally, once you have all security measures in place, you need to monitor your site security constantly. You can enable WordPress security logging using the iThemes plugin to keep tabs on activity related to your security.

Security logging in iThemes plugin

Security logging can track activities like:

  • Brute force attacks
  • Lockouts
  • Version management (updates)
  • User logging, etc.

Another way to monitor your security is by checking for security issues and manual actions in Google Search Console.

Google Search Console security issues report

These issues can have a big negative impact on your SEO, so keep a close eye on this GSC report.



When you think of WordPress security, always think of having multiple security layers. There’s no one foolproof security measure that can protect you from all hacker attacks, malware, exploits, etc.

Although quality WordPress security plugins provide extensive security layers, your site protection also depends on your server/hosting as well as some technical configurations.

If this whole security thing is too much for you to handle or if your site is already compromised, don’t hesitate to reach out to a strong web development team. It’s better to be safe than sorry.

Get someone who can harden WordPress and lock down your site with backups, firewalls and other security measures, for your peace of mind.

And don’t forget to drop a comment if you think we’ve missed any important security tips or if you’re having a specific security problem.

Ignite your
with a free strategy

Book a free strategy session with our experts and get a custom strategy designed to maximize your digital marketing results.

Comment Section:

Leave a comment

Your email address will not be published. Required fields are marked *

Related Blog