How to Prevent Security Attacks on Your WordPress Website - dummies

By Lisa Sabin-Wilson

You can’t ever be 100 percent secure. But with a WordPress website, you’re in good hands because the WordPress developers understand the importance of security, and they built a highly effective system to address any vulnerabilities you’ll run across.

Update your WordPress website

The first way to keep attackers out is to keep your WordPress website up to date. The quick-and-easy way to do so is through the automatic update feature.

The beauty of applying updates is that they often introduce new streamlined features, improve overall usability, and work to patch and close identified or known vulnerabilities.

As technology and concepts evolve, so do attackers and their methods for finding new vulnerabilities. The further behind you get, the harder it will be to update later and the more exposed you are to attacks.

Install WordPress patches

Not all WordPress updates are created equal, and there are a few that you should pay special attention to when it comes to the WordPress core software.

There are major releases, which contain feature additions, UI changes, bug fixes, and security updates. You can always tell what major release you’re on by the first two numbers in the version number (as in 3.4).

Then you have point releases, which are minor releases that can be identified by the third number in the version number (as in 3.4.2). These releases contain bug fixes and security patches but do not introduce new features.

When you see a point release, apply it. Point releases rarely cause issues with your site, and they help close off vulnerabilities in a lot of cases.
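
The numbering scheme described above, as an added example that is not from the original article: a short Python script that classifies each site's pending core update as a major or point release and lists sites missing a point release first. The site names and the inventory are constructed sample data.

```python
# Added example: classify pending WordPress core updates using the page's
# numbering scheme. Site names and versions below are constructed sample data.
import re

_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Return (first, second, third) numbers; '3.4' is treated as 3.4.0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognized version string: {text!r}")
    first, second, third = match.groups()
    return int(first), int(second), int(third or 0)

def classify_update(installed, latest):
    """Classify the gap between the installed and latest core versions."""
    have, want = parse_version(installed), parse_version(latest)
    if have >= want:
        return "current"
    if have[:2] != want[:2]:
        return "major"   # first two numbers differ: new features, UI changes
    return "point"       # only the third number differs: fixes and patches

def audit(inventory, latest):
    """Return (site, installed, status) rows, point releases first."""
    order = {"point": 0, "major": 1, "unknown": 2, "current": 3}
    rows = []
    for site, installed in inventory.items():
        try:
            status = classify_update(installed, latest)
        except ValueError:
            status = "unknown"   # unreadable version: needs manual review
        rows.append((site, installed, status))
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))

# Constructed inventory (hypothetical sites), checked against a constructed
# "latest" release of 3.4.2, the version number used as the page's example.
SAMPLE_INVENTORY = {
    "blog.example.test": "3.4",
    "shop.example.test": "3.3.1",
    "docs.example.test": "3.4.2",
    "old.example.test": "3.4-beta",
}

if __name__ == "__main__":
    for site, installed, status in audit(SAMPLE_INVENTORY, "3.4.2"):
        print(f"{site:20} {installed:10} {status}")
```

Sites reported as "point" are the ones to patch first, following the advice above; "unknown" rows have a version string the script could not read and need a manual check.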

Use a firewall to protect your WordPress site

A firewall builds a wall between your website and the much larger Internet; a good firewall thwarts a lot of attacks.

Your web server should also have a good firewall protecting it. Every day there are countless visits, good and bad, to every website: some are from real visitors, but many are from automated bots. A Web Application Firewall (WAF) helps protect your WordPress installation from those bad visitors.

Web application firewalls don’t offer 100 percent protection, but they are good deterrents for everyday attacks.

If you plan to manage and administer your own server, install and configure a tool such as ModSecurity, an open source WAF-like solution that lives at the web server level as a module for Apache.

If you’re using a managed hosting solution, you’re probably in luck because most offer WAF-like solutions built into their services.

However, as a user, you can also install a plugin for WordPress called CloudFlare, which can be found in the official WordPress Plugin Directory. CloudFlare provides the best available WAF-like features for your WordPress website on a managed hosting solution.


If you would like to use the CloudFlare plugin on your WordPress website, you do need to have a CloudFlare account. There is a free account option, but also upgrades to paid accounts that include more features. After you’ve installed the plugin on your website, follow the instructions on the CloudFlare configuration page to connect your WordPress blog to your CloudFlare account.