A secure WordPress website: our best practices

WordPress, one of the most popular content management systems in the world, sometimes struggles with a negative image in terms of security. This can lead people to think that a ‘WordPress website is not secure’. However, your WordPress site doesn’t have to be unsafe if you know what you’re doing and have the expertise to properly maintain and secure your website. We will discuss how to keep your WordPress website safe and protected.

Shooting Gravel: How Hackers Benefit from WordPress’s Market Share

One of the main reasons WordPress is considered insecure is its enormous market share. According to recent statistics, 63.3% of websites with a CMS run on WordPress. This makes the platform a large and attractive target for hackers and other malicious actors. A good metaphor to illustrate this is “shooting gravel”: hackers generally are not looking for one specific target but try to hit a large number of sites, hoping some prove to be vulnerable. This contributes to the perception that a ‘WordPress website is not safe’.

Thanks to WordPress’s large market share, the chances are higher that a random attempt by a hacker will hit a WordPress site. However, by applying a little protection to your website, you can avoid the vast majority of these attempts. In other words, if you properly secure and maintain your WordPress website, it becomes much harder for hackers to succeed. While the large number of WordPress sites makes it an attractive target, this does not mean your individual site is automatically vulnerable, as long as you take the right security measures.

Diverse Users, Diverse Security Needs

WordPress is so popular and user-friendly that it is used by large companies and organizations as well as by smaller, non-business users.

This means there is a wide variety of people responsible for managing and maintaining WordPress websites. Unfortunately, not all users have the knowledge or expertise to properly secure their website.

Expertise Matters

When building and maintaining a custom WordPress website, it’s important to choose a reliable partner. There are many parties creating WordPress websites, ranging from independent developers working in attics to ISO 27001 certified digital agencies. By choosing a reliable partner, you can trust that your website will be properly secured and maintained.

When choosing a builder, it is important to consider their experience, expertise, and references, as well as the security measures they take to ensure your WordPress site remains safe.

Is WordPress easy to hack?

While WordPress is not inherently insecure, the risk of hacking increases if updates are neglected or weak login credentials are used. Regularly updating and choosing strong login credentials can improve security.

In the hands of an experienced WordPress agency, you can expect the following measures.

Update Regularly

At the time of writing, just under half of WordPress installations are running the latest version, and only 21% are running a PHP version that still receives security updates. Outdated software is at greater risk of security issues.

It is crucial to perform regular updates and ensure your PHP version is up-to-date, so you can benefit from the latest security updates and features.

Plugins: Be Vigilant

Plugins are a convenient way to quickly add functionality to your WordPress website. However, they can also pose a security risk. Poorly designed or outdated plugins can introduce vulnerabilities that hackers can exploit. Therefore, it is important to be cautious when choosing and using plugins.

To minimize risks, it is advisable to conduct audits and use only reliable and well-maintained plugins. Therefore, we work closely with trusted plugin builders (such as Yoast and Gravity Forms) who respond quickly to incidents and security issues.

It is important to stay informed of security incidents that may affect the websites we manage. That’s why we subscribe to newsletters and updates from reliable sources that report incidents. This allows us to respond quickly and take necessary measures before a vulnerability is exploited.

Extra steps

While WordPress is quite safe out of the box, there are some improvements you can make to further strengthen the security of your website. By using the right configuration and security plugins like WordFence, we can minimize potential vulnerabilities for you and secure WordPress.

One way to do this is by adding two-factor authentication (2FA) for extra security when logging in. Additionally, with WordFence, you can automatically block visitors who repeatedly try to guess administrator passwords. Moreover, it is wise to disable unnecessary features, such as XML-RPC, to reduce potential attack points.

How can you best secure your WordPress site?

There are a number of steps you can take to get started with your WordPress security.

  1. Use a unique, strong password.
  2. Use Multifactor Authentication (2FA or MFA) such as a security key.
  3. Where possible, use Single Sign-On, with, for example, your Microsoft Azure Active Directory or Google Workspace account.
  4. Don’t make every user an administrator, but think carefully about what role everyone gets.
  5. Regularly update the plugins on your site.
  6. Prevent the web server from modifying or creating files by asking your technical partner to use DISALLOW_FILE_EDIT.
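As an added example (not the agency’s own code), the file-editor lockdown from step 6 and the XML-RPC hardening mentioned under “Extra steps” can be applied in a single must-use plugin. It assumes a standard WordPress install where the file is dropped into wp-content/mu-plugins/, so it loads on every request and cannot be deactivated from the dashboard; the constants are conventionally set in wp-config.php, and DISALLOW_FILE_MODS is an optional extra that also blocks dashboard updates, so only use it when updates are deployed another way.

```php
<?php
/**
 * Plugin Name: Hardening (added example, hypothetical file name)
 * Location:    wp-content/mu-plugins/harden.php
 */

// Step 6: remove the theme/plugin file editor from the dashboard, so a
// compromised admin session cannot write PHP through the UI.
// These defines normally live in wp-config.php; both constants are
// checked at runtime, so defining them here has the same effect.
defined( 'DISALLOW_FILE_EDIT' ) || define( 'DISALLOW_FILE_EDIT', true );

// Optional, stricter: also block plugin/theme install, update and delete
// from the dashboard. Only enable this when updates ship via version
// control or a deploy pipeline, otherwise "Update Regularly" breaks.
// defined( 'DISALLOW_FILE_MODS' ) || define( 'DISALLOW_FILE_MODS', true );

// XML-RPC: the 'xmlrpc_enabled' filter only disables the methods that
// require authentication (the ones used for password guessing and
// system.multicall amplification).
add_filter( 'xmlrpc_enabled', '__return_false' );

// The pingback methods need no authentication, so they stay registered
// unless removed explicitly; this also stops the site being used as a
// pingback reflector against third parties.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header
// and the RSD discovery <link> in the page head.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Verify from the outside with a POST to /xmlrpc.php containing a `wp.getUsersBlogs` call: after this is in place the response is the "XML-RPC services are disabled" fault rather than a login result, and the X-Pingback header is gone from normal page responses.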

Is WordPress reliable?

As far as we’re concerned, yes. WordPress is as reliable as other software products, provided it is regularly maintained and updates are installed promptly. That’s what we’re on top of. And that’s the trust our customers, like large webshops, municipalities, and charities, also have.

How do you know a website is secure?

From the outside, it’s hard to tell if a website is safe or not. There are plenty of examples of large companies or institutions, such as LinkedIn, Adobe, or the RIVM, that have had data breaches despite a lot of investment in security.

However, there are a few things to look out for:

  • Does the website have a valid certificate?
  • Are there visible seals of approval from independent parties, such as Thuiswinkel Waarborg?
  • Are there past data breaches? How has the company behind the website dealt with them?
  • Does the website provide clear instructions on how to report a security breach if discovered?

In Summary

It’s clear that WordPress websites are sometimes considered insecure due to various factors such as the platform’s popularity, the diverse user base, the varying quality of website builders, and the need to keep software up-to-date. However, with the right expertise and attention to security, a WordPress website can be just as secure as any other platform.

Do you also want a secure WordPress website?

We would love to tell you more about the steps we take to ensure that your site and your users’ data remain protected.

Get in touch with us