The internet is a dangerous place. The majority of global email sent in 2018 contained either spam or malware. Ransomware attacks are increasing by more than 350% each year, with a projected loss of $11.5 billion in 2019 for companies around the world. One in 13 web requests leads to malware, reminding us that websites represent a vulnerable frontline against a global army of hackers and criminals. WordPress websites are no exception.
As the world’s most popular content management system, WordPress is a uniquely high-profile target. This open-source CMS underpins over a quarter of the world’s websites, making it a prime focus for criminal gangs and botnets. Administrators of WordPress websites with comments sections receive regular notifications about spam comments and pingbacks, while a single vulnerability in a popular plugin caused thousands of websites to be compromised by malicious code last autumn.
It’s clearly vital to protect WordPress sites against online threats, including being turned into hosts for scam pages that use tricks like the “evil cursor”, which swaps in a custom cursor image whose visible arrow sits away from the real click point, so that attempts to close the page or window keep missing. Yet there’s a certain irony in the fact that it is usually user error or apathy that leaves the door open to criminals, rather than flaws or security holes in WordPress itself. Below are our recommendations for simple and effective ways to protect WordPress sites, against criminals but also against our own naivety and sloppiness:
Keep plugins (and everything else) updated
This is the obvious place to start, because the single most effective way to protect a WordPress site is to keep the core, themes and plugins fully updated. Patches are generally released in response to discovered bugs or vulnerabilities, and once a fix is public the flaw it closes is public too, so an unpatched plugin is exposed to a threat attackers already know how to exploit. Many WordPress compromises stem directly from out-of-date or abandoned plugins; if a plugin’s support disappears or its updates tail off, it’s usually time to find an alternative, and to delete the old one rather than merely deactivate it, since a deactivated plugin’s files are still on disk and still reachable.
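The audit described above can be scripted. The following is an added example, not code from the original article or from WordPress itself: it reads the JSON that `wp plugin list --format=json` produces (the field names `name`, `status`, `update` and `version` are WP-CLI’s; the values below are constructed), joins it with a trimmed-down, constructed stand-in for the plugin directory’s `plugin_information` response (only `last_updated` and `tested` are used, and the `YYYY-MM-DD …` date format is assumed), and reports plugins with a pending update, plugins whose last release is older than two years, plugins not tested against the current core version, and plugins that are installed but deactivated.

```python
import json
from datetime import date

# Constructed sample of `wp plugin list --format=json`; field names are WP-CLI's, values are made up.
WP_CLI_OUTPUT = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.1"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.0.5"},
    {"name": "old-gallery", "status": "inactive", "update": "none", "version": "1.2"},
])

# Constructed, trimmed-down stand-in for api.wordpress.org/plugins/info/1.2/ plugin_information
# responses, keyed by slug. Date format assumed to be "YYYY-MM-DD h:mmam/pm GMT".
DIRECTORY_INFO = {
    "akismet": {"last_updated": "2019-03-05 3:30pm GMT", "tested": "5.1.1"},
    "contact-form-7": {"last_updated": "2019-01-20 9:14am GMT", "tested": "5.1.1"},
    "old-gallery": {"last_updated": "2015-06-11 8:02am GMT", "tested": "4.2.4"},
}


def parse_last_updated(value):
    """Only the calendar day matters for a staleness check."""
    return date.fromisoformat(value[:10])


def version_tuple(version):
    """'5.1.1' -> (5, 1, 1) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def audit_plugins(cli_json, directory_info, today, core_version, stale_after_days=730):
    """Group installed plugins by the reason they need attention.

    today and core_version are strings ('2019-04-01', '5.1.1') so the caller needs no extra types.
    """
    today = date.fromisoformat(today)
    findings = {"update_available": [], "stale": [], "untested_with_core": [],
                "inactive": [], "not_in_directory": []}
    for plugin in json.loads(cli_json):
        slug = plugin["name"]
        if plugin["update"] == "available":
            findings["update_available"].append(slug)
        if plugin["status"] == "inactive":
            # A deactivated plugin's PHP files remain on disk and can be requested directly.
            findings["inactive"].append(slug)
        info = directory_info.get(slug)
        if info is None:
            # Premium or custom plugins never appear in the directory; check them by hand.
            findings["not_in_directory"].append(slug)
            continue
        if (today - parse_last_updated(info["last_updated"])).days > stale_after_days:
            findings["stale"].append(slug)
        if version_tuple(info["tested"]) < version_tuple(core_version):
            findings["untested_with_core"].append(slug)
    return findings


if __name__ == "__main__":
    report = audit_plugins(WP_CLI_OUTPUT, DIRECTORY_INFO, "2019-04-01", "5.1.1")
    for reason, slugs in report.items():
        print(f"{reason}: {', '.join(slugs) or '-'}")
```

In practice the first input comes from running WP-CLI on the host and the second from one HTTP request per slug to the directory API; anything that lands in `stale` or `untested_with_core` is a candidate for replacement, and anything in `inactive` should simply be deleted.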
Improve your login credentials
If your admin page is at www.address.com/wp-admin, cybercriminals won’t have to try many URLs to find it. If the login name is admin, that’ll probably be the first one they attempt. And if your password is one of America’s most common passwords, 123456 or password, they’re in. So: don’t use admin as a username, and set a long, randomly generated password (a password manager makes this painless). Changing the login page URL and using something other than the default name for the admin profile raise the bar a little, but treat them as obscurity rather than security: WordPress exposes usernames through author archive links and the REST API (/wp-json/wp/v2/users) unless you restrict them, so the password is what has to carry the weight.
Enable two-factor authentication
This expands on the previous point by adding a second layer to the login. Two-factor authentication can be a pain, but it makes third-party interference far more difficult, because a guessed or stolen password is no longer enough on its own. A secret question or a static PIN is just a second thing you know and adds little; a real second factor is something you have, such as a time-based one-time code from an authenticator app (Google Authenticator is one) or a hardware security key. Note that an authenticator app doesn’t receive a code from anywhere: it computes a fresh six-digit code every 30 seconds from a secret shared with the site at enrolment plus the current time, so there is nothing to intercept in transit, unlike codes sent by SMS. Several plugins add this to the standard WordPress login form, making it a great way to protect WordPress sites.
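To make the point concrete, here is the arithmetic an authenticator app and the site both perform. This is an added example, not code from the original article or from any WordPress plugin: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, builds the `otpauth://` URI that an enrolment QR code encodes, and shows a server-side check that tolerates one step of clock drift and refuses a code that has already been used. The secret is the 20-byte test key from the RFCs, so the values can be checked against the published vectors; the account and issuer names are made up.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# The shared secret from the RFC 4226/6238 test vectors; a real site generates a random one per user.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226): HMAC(secret, counter), dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte picks a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo=hashlib.sha1):
    """Time-based OTP (RFC 6238): HOTP whose counter is the number of 30-second steps since the epoch.

    Nothing is transmitted: the app and the server each compute this from the secret and the clock.
    """
    return hotp(secret, unix_time // step, digits, algo)


def provisioning_uri(secret, account, issuer):
    """What the QR code shown at enrolment encodes; the app stores the secret it contains."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}&issuer={quote(issuer)}"


def verify_totp(secret, code, unix_time, last_counter=-1, skew=1, step=30):
    """Server-side check.

    Accepts the current step and `skew` steps either side (clock drift), refuses any step at or
    below the last one accepted (replay), and compares in constant time. Returns the accepted
    counter, which the caller must persist as the new last_counter, or None on failure.
    """
    current = unix_time // step
    for offset in range(-skew, skew + 1):
        counter = current + offset
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    print(provisioning_uri(RFC_TEST_SECRET, "admin@example.com", "Example Blog"))
    for t in (59, 1111111109, 1234567890):
        print(f"t={t}: {totp(RFC_TEST_SECRET, t, digits=8)}")      # RFC 6238 SHA-1 vectors
    accepted = verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, 1000), 1000)
    print("accepted counter:", accepted)
    print("replay:", verify_totp(RFC_TEST_SECRET, totp(RFC_TEST_SECRET, 1000), 1010, last_counter=accepted))
```

The replay check is the part plugins most often get wrong: without remembering the last accepted counter, a code observed over someone’s shoulder remains valid for the rest of its 30-second step (and, with skew, the next one too).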
Install a security plugin
Security plugins aren’t just useful for consumers. They help administrators block brute-force login attempts, filter spam comments, and watch for other WordPress-specific threats such as modified core files. They also underline the importance of regular updates, since a signature-based malware scanner is only as good as its database: it cannot recognise a zero-day exploit or a brand-new malware variant, and those are every bit as potent as established threats, so a scanner complements patching rather than replacing it. There are plenty of security plugins to choose from, including Sucuri.
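The brute-force and username-guessing activity described in the credentials section above, and the detection a security plugin performs, look like this in a web server log. The following is an added example, not code from the original article or from any plugin: it runs over a handful of constructed Apache/nginx combined-format lines (addresses from the documentation ranges) and relies on two behaviours of stock WordPress that are worth knowing for any detection rule: a POST to wp-login.php that fails re-renders the form with a 200, while a successful one answers 302 to wp-admin; and usernames leak through /?author=N redirects and the /wp-json/wp/v2/users endpoint. The five-failures-in-five-minutes threshold is an assumption to tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. 203.0.113.5 hammers the login form and then gets in; 192.0.2.9
# enumerates usernames; 198.51.100.7 is a legitimate user who mistypes once.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2019:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:16 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:12:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.21"
192.0.2.9 - - [10/Mar/2019:12:01:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "python-requests/2.21"
198.51.100.7 - - [10/Mar/2019:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:12:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:12:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
ENUMERATION_MARKERS = ("/wp-json/wp/v2/users", "author=")


def parse_line(line):
    """Combined-log line -> dict with ip, ts (aware datetime), method, path, status; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def _prune(queue, now, window):
    """Drop failure timestamps older than the sliding window."""
    while queue and (now - queue[0]).total_seconds() > window:
        queue.popleft()


def analyze(lines, threshold=5, window=300):
    """Return brute-force sources, logins that followed a burst of failures, enumeration probes
    and xmlrpc.php POST counts (xmlrpc's system.multicall lets one request carry many guesses)."""
    failures = defaultdict(deque)
    findings = {"brute_force": {}, "login_after_failures": set(), "enumeration": set(), "xmlrpc_posts": {}}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        script = path.split("?", 1)[0]
        if script == "/wp-login.php" and rec["method"] == "POST":
            q = failures[ip]
            _prune(q, ts, window)
            if rec["status"] == 200:            # form re-rendered: failed attempt (or a lost-password POST)
                q.append(ts)
                if len(q) >= threshold:
                    findings["brute_force"][ip] = max(findings["brute_force"].get(ip, 0), len(q))
            elif rec["status"] == 302 and len(q) >= threshold:
                findings["login_after_failures"].add(ip)   # success after a burst: treat as compromise
        elif script == "/xmlrpc.php" and rec["method"] == "POST":
            findings["xmlrpc_posts"][ip] = findings["xmlrpc_posts"].get(ip, 0) + 1
        if any(marker in path for marker in ENUMERATION_MARKERS):
            findings["enumeration"].add(ip)
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

A single failed login followed by a success, as for 198.51.100.7, stays below the threshold and is not reported; the source that failed six times and then got in is the one to lock out and investigate, and the enumeration hits tell you which usernames the attacker already knows.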
Set regular backups
WordPress sites can be taken offline by malicious activity, so preparing for the worst is sound policy. Create a full backup of your site, covering the database as well as the files (wp-config.php, themes, plugins and uploaded media), using a tool such as VaultPress. A good backup tool will restore the site to its most recently saved state in a click or two, but that only holds if the backup is recent (ideally less than a week old, and far more often for a busy site), stored somewhere other than a subfolder of the site itself (an attacker who owns the site owns those files too), and periodically proven with a trial restore. The best backup utilities also proactively scan for malware.
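A backup you have never restored is a hope, not a backup. The following added example (not code from the original article or from VaultPress) shows the minimum a home-grown backup job should do: bundle the site files and a database dump into one timestamped archive, record its SHA-256 alongside it, and verify by extracting into a scratch directory and checking that the pieces a restore needs are present, while refusing an archive whose members would escape the restore directory. The database dump is assumed to have been produced beforehand (for example by mysqldump or `wp db export`); the site tree, dump contents and the `offsite` destination name are constructed for the demo.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Paths (inside the archive) that a restore cannot do without.
REQUIRED = ("db.sql", "site/wp-config.php", "site/wp-content")


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(site_dir, db_dump, dest_dir, stamp=None):
    """Archive site files plus a pre-made DB dump into dest_dir and write a checksum file next to it."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = Path(dest_dir) / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="site")      # wp-config.php, wp-content/, ...
        tar.add(db_dump, arcname="db.sql")     # output of mysqldump / `wp db export`
    Path(f"{archive}.sha256").write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """Trial restore: checksum must match, members must stay inside the target, required paths exist."""
    archive = Path(archive)
    expected = Path(f"{archive}.sha256").read_text().split()[0]
    if sha256_of(archive) != expected:
        return False                           # truncated, corrupted or tampered with
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                return False                   # would write outside the restore directory
        if hasattr(tarfile, "data_filter"):    # Python 3.12+ (and backports): safer extraction filter
            tar.extractall(scratch, filter="data")
        else:
            tar.extractall(scratch)
        return all((Path(scratch) / rel).exists() for rel in REQUIRED)


def demo():
    """Build a constructed mini site, back it up, verify, then corrupt the archive and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "public_html"
        (site / "wp-content" / "plugins").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp'); // constructed\n")
        (site / "wp-content" / "plugins" / "hello.php").write_text("<?php // constructed sample plugin\n")
        dump = tmp / "db.sql"
        dump.write_text("-- constructed dump\nCREATE TABLE wp_options (option_id int);\n")
        offsite = tmp / "offsite"              # stands in for a bucket or remote host, not a site subfolder
        offsite.mkdir()
        archive = make_backup(site, dump, offsite, stamp="20190310T120000Z")
        verified = verify_backup(archive)
        with open(archive, "ab") as fh:        # simulate bit rot / tampering
            fh.write(b"\0")
        return {"archive": archive.name, "verified": verified,
                "verified_after_tamper": verify_backup(archive)}


if __name__ == "__main__":
    print(demo())
```

Running the verification on a schedule, from a host other than the web server, is what turns the backup into something you can rely on; the checksum file also lets you detect an archive that was quietly altered where it is stored.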