Security is something that is often overlooked when it comes to launching or running a WordPress site. It usually only gets attention immediately after a site has been hacked and sensitive data stolen. There are lots of steps to completely secure a WordPress site but two of these steps should be taken immediately.

Step 1: Use strong passwords, or even better, passphrases

There are two really good ways to go about upgrading your passwords so that they cannot be cracked. The first method is still secure, but not quite as secure as the second method.

The first method: Use a long passphrase

Think of a sentence that you will be able to remember, preferably something nice and long like 30 characters or more. Now determine a few different spots where you can swap out letters for numbers and special characters like !@#$%^&*. Now take some time to commit your new passphrase to memory. And there you have it! That passphrase will be almost impossible to crack. Test your new passphrase against your old short password and see the difference here.

The second method: Use a password manager

Using a password manager is one of the easiest ways to use impossible to crack passwords on all of your accounts. The password manager acts as a safe to store all of your passwords and you access that safe with one master password. Most password managers come with browser extensions that automatically fill in your credentials and log you in when you access the login page of a website. You can install the manager on all of your devices which is also quite handy. This removes all the headache of forgotten passwords/passphrases (unless, of course, you forget the master password; just don’t do that). A few solid options are 1Password, Password Boss and LastPass.

Step 2: Make Brute Force attacks impossible

While you may think that hackers sit for hours on your login page typing one username/password combo after the next in hopes of eventually breaking in, that’s not the case (unless they’re just getting into hacking, lol). No, hackers use “bots” to do the heavy lifting. The bots try username/password combos one after the other at supercomputer speed and can crack short, simple passwords without breaking a sweat. Even somewhat longer, more complex passwords can be cracked in a matter of days, weeks, months, years.

So, to put a damper on their password cracking party, we can put something in place to only allow a certain amount of attempts in succession from any given IP address, and block that IP from accessing the site, even if they did have our username and password. This is known as brute force prevention/protection and makes sure bots can’t run thousands upon thousands of attempted break-ins without consequence. There are several WordPress plugins that provide this protection. One that I would highly recommend installing is Limit Login Attempts Reloaded. And just like that you’ve taken another step in preventing hackers from accessing your site.


If you’ve followed the above steps and secured your passwords and locked down your login forms, you’ve already helped harden your WordPress website as well as other important accounts. Hackers will not be able to easily crack your passwords like they could before you took those steps.

Is this all you need to do to protect your website? Not a chance!

There are so many steps to be taken to fully protect your site, many of which lie in the hands of your web hosting provider, so are not possible on many shared hosting accounts. I will try to write more articles about things you can do to harden your WordPress site, but, in the meantime, would encourage you to reach out. I can help you get on the right hosting for starters and also help you securing some aspects of your site that are more technical. You can use the request a free estimate form to reach me.

Dustin Parker

Dustin is a web developer with a passion for building custom websites and web applications on platforms/frameworks such as WordPress, Shopify and Laravel.