How to improve WordPress security

For some reason, every freelance web developer on LinkedIn tries to explain how wordpress is not secure or posts another vulnerability, making it look like wordpress is insecure. Certainly, agency owners should not fall into this trap and look for another CMS for clients. Most issues happen because of neglected security rules. In this article, we’ll go step by step through my preferred security setup.

Why Security Matters

Most websites do not need strong security. I’d say that even most of the issues are resolved by your hosting setup, and web developers can’t do much of that. The hosting team does. But, even when you have a good hosting provider, it does not mean clients’ websites can’t be hacked.

In my experience, most of hacks harm the website owner’s pocket by erasing thousands of dollars invested in SEO or paid ads.

Here are most common states of hacked websites:

• Redirect client’s SEO traffic to another website with ads/porn/whatever
• Client’s website becomes unavailable, and traffic can’t convert – even worse. Client make bad impression on potential prospects in B2B.

Keep WordPress Updated

Most issues and vulnerabilities could be fixed if wordpress is up to date. Based on my experience, I’d say that websites that are using custom themes get hacked much less than any page builder-based theme. Simply because custom themes are made by more experienced and technically superior developers which leads to less mistakes, fewer plugin dependancies and the less plugins – the less vulnerabilities – easy.

Core, Themes, Plugins

These 3 items should be updated weekly or monthly, and more likely 0 of your clients will face issues with their websites. My personal preference is to have minor versions updated automatically and major releases manually on staging or all releases to be automatically updated on staging, so if no issues – your dev runs updates on production or if issues – he gets an email, fixes them and after moving this changes to production, production is ready for updates as well with no harm for users, SEO, paid ads etc.

And the main thing – the core team saves time on routine work and is involved only when issues are raised on the staging environment. Clients don’t even know about that!

Protect Login Access

This is a common myth in wordpress development area. By changing your wordpress login URL to something else, you won’t make big difference to security, if somebody would like to hack the website, the website will be hacked even with the new login link, trust me.

The only benefit for agencies is just option to make branded link like site.com/{agency-name}-login

Strong Passwords

On the other hand, setting a strong password is a much higher security measure than protecting login access. Most bots simply find a way to get a list of users and then make a million password entry attempts. One of the passwords will work, and a bit will find a way to inject an ad script or malware into the website.

Limit Login Attempts

As common sense advises, most agency owners, limiting login attempts will prevent bots from testing all possible passwords even if they know admin login or email. They may succeed – but in a million years, haha.

Two-Factor Authentication

And if they succeed – they need 2FA auth code – so really, adding these 3 steps will make your clients website safe from most common type of bot attacks.

Use Secure Hosting and SSL

As I briefly mentioned before, the hosting security team does much more than your team will do to protect access to your core files of the project. One of important things is SSL and obviously everybody is setting this in 2026, but yet worth reminding one more time why we’re doing this – ain thing is SSL securely encrypt password from user’s browser to the server so it can’t be stolen and used to make digital crimes or placing ads on your client’s website

Install a Security Plugin

Most of things that security plugins do could be done on hosting, I love them for 2 reasons:

• 2FA authentication, as we talked before
• Security scans that allow your devs and my devs to make sure there is no issues or resolve them quickly

Back Up Your Website

Again, hosting does this – but hosting can face the attack as well, so having alternative cloud backup is an extra layer of protection that smart agencies introduce and that one client who’ll be saved or that 1 day when you’ll restore files from there – will be worth all the money you’re paid.

Remove Unused Themes and Plugins

Unused or rarely used plugins – something that could be replaced with a couple of strings of custom code – should not exist. More plugins – more possible issues. More possible issues = real issues and it’s matter of time when it will backfire.

Last week I got a request to rebuild the website for the brand, which was deleted without backups. From a solid digital agency. I was shocked but these simple steps could have serious consequences.

Scan for Malware

Usually the best scanners are provided by hosting providers, but security plugins like wordfence will do the job as well.

Common Security Mistakes

I’d say the dumbest mistake I see all the time is to have an “admin” user. Some hosting providers create this login by default, and it’s a mistake. If you can set different default value – do this, as business owners risk with 1 website, when agencies risk with all of the websites they build for clients

Final Tips

Just follow the list above and common sense. Keep things simple, avoid making stupid mistakes, and trust professionals like Codelibry when outsourcing wordpress maintenance. It was Vitalii from Codelibry – hope this helps, and ping me on LinkedIn if you have something to add to this article.