WordPress is one of the best choices you can make for your website. It’s universal: anyone can create a WordPress site, there are thousands of tutorials and plenty of support online for it, and with the different plugin options you can have your website do anything you want it to.

Something WordPress isn’t known for is security. As WordPress is built using open source software, it’s available in its most basic form to everyone. Therefore it’s really important to do everything you can to secure your website.

The steps below will help you to set up and configure options within your website to secure it from hackers and malware.

Use reliable hosting

A reliable host will keep their own servers up to date and secure as well as offering firewalls, malware scans and backups as part of their hosting package. 

Don’t know where to start with website hosting? You can read more in this post. My personal recommendation is TSO Host. (Use the code: WebsiteCoachingAcademy for 10% discount on their products). 

Get an SSL Certificate

An SSL Certificate encrypts the data sent between your visitors and your website, making it secure for people to send information, for example through contact forms and payments. It also makes your website more SEO friendly: back in 2017 Google started to penalise all websites which didn’t have an SSL Certificate, meaning websites which didn’t have one would appear way down the search results when people were searching for that product or service.

Configure your website settings

When you set up a WordPress website you’ll need to configure the settings in the reading/writing/general section.

In the general section you’ll see a tick box labelled ‘anyone can register’. There’s then the option of different user roles people can register as. It’s up to you whether you want others to be able to access the site. If you want it to be only you, then uncheck the ‘anyone can register’ box. If you do want to keep registration as an option, then choose the role ‘subscriber’ so new users can’t make changes to your website.
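The same two settings can be checked from the command line. This is an added example, not part of the original post: it assumes WP-CLI (the `wp` command) is installed and is run from the WordPress root folder, and the function name audit_registration is made up for illustration. The tick box is stored as the users_can_register option and the chosen role as default_role.

```shell
#!/bin/sh
# Added example: audit the 'anyone can register' tick box and the default
# role for new users. Assumes WP-CLI is installed and the script is run
# from the WordPress root folder.

audit_registration() {
    # users_can_register is "1" when 'anyone can register' is ticked
    open=$(wp option get users_can_register) || return 2
    # default_role is the role handed to every newly registered user
    role=$(wp option get default_role) || return 2

    if [ "$open" != "1" ]; then
        echo "OK: registration is closed"
        return 0
    fi
    if [ "$role" = "subscriber" ]; then
        echo "OK: registration is open, new users become subscribers"
        return 0
    fi

    # Open registration with a role above subscriber lets new sign-ups
    # change the site, so flag it and show who already holds admin rights.
    echo "WARN: registration is open and new users get the '$role' role"
    echo "Fix with: wp option update default_role subscriber"
    echo "Current administrators (check for accounts you do not recognise):"
    wp user list --role=administrator --field=user_login
    return 1
}

# Run the audit only when called with "run", e.g.  sh audit.sh run
if [ "${1:-}" = "run" ]; then
    audit_registration
fi
```

An exit status of 0 means the settings match the advice above, 1 means registration is open with a role other than subscriber, and 2 means WP-CLI could not read the options.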

Hide your login information

All WordPress websites have the login URL of website name/wp-admin to access the website. This is the least secure your admin console can be and, with hackers using automated software which runs different combinations to access your website, it’s important that you change this.

The simplest way to do this is to use a plugin like WPS Hide Login, which allows you to generate a unique URL to log in to your website.

Choose a unique username and password

Hopefully by now we all know that a login name shouldn’t be easy for someone else to guess. For example, my name’s Holly. If I used Holly in the login for my own website, people are going to be able to guess that and try to access my website. So be creative, go for something people won’t be able to guess and use that for your login name.

Likewise with passwords – we’ve all moved on from the name of your first pet/teacher/road you grew up in. Either use a password generator like this one, or try something you know people won’t be able to guess easily. Just make sure you remember it yourself!

Use a security plugin

Security plugins are designed to monitor your website against brute force attacks, malware and spyware being put on your site, and any other threats that may come. Most come in both free and paid-for versions. It’s up to you which you choose, but if you use all the steps in this post you should be fine using a free version.

My top 3 recommendations are: 

Run your updates

A WordPress website is constructed of: 

WordPress software

Website theme & page builder


These allow you to build whatever you like in whatever style you choose with unlimited functions. The developers of WordPress, themes and plugins are constantly working in the background to update and bring new technology and designs to their products. These come in the form of updates and will show on the updates page of your WordPress dashboard.

Updates are a change in the code of the theme/plugin, and when updates are released, developers of compatible products need to update and rewrite some of their code to make sure everything works together. They will then release their own updates which, again, you’ll see in the updates section of your dashboard, or if you’re using one of the security plugins it will email and tell you.

If you don’t run your updates regularly, and by regularly I mean monthly, you could be exposing your website to attacks where a change in the code has made the site vulnerable. If you’re not confident in doing this you can turn on ‘automatic updates’. Just be sure in all circumstances to keep a backup of your site.


If you don’t have a lot of WordPress knowledge the thought of keeping everything secure can be daunting but it needn’t be. Ultimately the developers of the themes and plugins do the hard work for you. Making your foundation secure by choosing reliable hosting is the first step. Most of the steps in this post only have to be done once and then it’s just a matter of running updates regularly and having the peace of mind that your website is as secure as can be. 

A note to my readers

Sometimes I use affiliate links in my posts. This means if you click on a link and then go on to purchase a product/service, I get a small amount of money for recommending it. It is your choice whether to click on the link or purchase the product/service. I will always be transparent in letting you know which ones are affiliates. They will always have the name of the product or service so you can Google them if you’d rather not click the link, and affiliate links are displayed in this colour. Any other links in the post not in this colour are not affiliates.