More than 43 percent of all websites on the Internet run on WordPress. More than two decades after it was first introduced, WordPress remains by far the most popular content management system (CMS) to create websites because – among other reasons – it is easy to use, versatile and highly customizable. Our team at Cookson is experienced in creating websites on many types of CMS systems, but almost all of our clients are on WordPress. Their websites are among more than 521 million sites built on the platform as of this blog.
The sheer number of WordPress websites increases the likelihood that novice website administrators will overlook key security measures. It is no surprise that hackers can be quick to exploit this vulnerability, which creates the false impression that WordPress itself is inherently less secure than other CMS options such as Drupal and Joomla.
The truth is that WordPress is secure, but the enormous marketplace of third-party plugins and themes to customize it can introduce vulnerabilities. In January 2025, AIOSEO reported that about 90% of WordPress vulnerabilities come from plugins. WordPress is just as secure as other leading website options if administrators are careful about plugins and take measures to deflect brute force attacks.
Here are a few must-do actions to keep WordPress websites secure and running smoothly:
Choose Plugins Carefully
A plugin is a package of code that can be installed on a WordPress website to add features, from the basics such as duplicating a page, to more complex functionality such as shopping carts or event registration. There are more than 70,000 WordPress plugins and multiple options for most features. How do you choose?
Here are some things to consider when choosing secure plugins:
- Look for a high number of active installations – A popular, heavily used plugin is likely to be maintained and updated to prevent security vulnerabilities.
- Review the plugin’s update history – Frequent updates indicate that the plugin developer is fixing any security vulnerabilities and staying current with WordPress updates.
- Evaluate the developer and support – Look for a professional website and a solid team supporting the plugin.
- Check user reviews and ratings – The WordPress Plugin Directory shares star ratings for every plugin. As with any reviews, take the time to read reviews and decide if criticisms (or praise) are relevant to you and seem accurate. It is generally a good idea to steer clear of plugins with few or predominantly negative reviews.
Implement Measures to Prevent Brute Force Attacks
Brute force attacks are a common hacking method where automated tools repeatedly guess login credentials to gain unauthorized access to your WordPress website. These attacks often rely on password guessing and can come from various IP addresses to avoid detection.
Even if they fail, brute force attacks can overload your server with excessive login attempts, slowing down or crashing your site. If successful, they can lead to serious damage—such as malware installation, data theft, or complete site deletion. To help you safeguard your site, here are some practical tips to prevent brute force attacks on WordPress.
Generate random usernames and passwords – It is easy for hackers to gain access to the site if you stick to the default “admin” username for the administrator. It is crucial to change all usernames – but particularly the one for the administrator – to ones that are hard to crack. Assign each user a separate, hard-to-guess username and use a password manager to generate strong passwords. Never re-use a password from another account. Brute force bots often use stolen passwords from data breaches to attack login pages.
- Use two-factor authentication – Two-factor authentication adds an additional security layer. Users will need their phones to generate a one-time passcode along with their login credentials to access the WordPress admin area.
- Install a security plugin – Tools like Wordfence, iThemes Security, or Sucuri Security offer comprehensive protection, including firewall, malware scanning and login security.
Check for Updates Daily
Applying all WordPress updates promptly is crucial for the security, stability, and performance of your website. WordPress and plugin updates fix known vulnerabilities and address performance issues. Hackers scan for sites running outdated versions and try to exploit the weaknesses that have not been patched.
Choose a Hosting Company Committed to Your Security
Your website won’t be seen on the Internet unless it is hosted on a server. Hosting capabilities vary widely, so be careful to do your homework before going with the least expensive option. Here are some factors to consider when selecting a hosting company:
- Security-focused infrastructure tailored to WordPress
- Automatic backups daily
- Automatic updates for the WordPress core, themes and plugins
- SSL (HTTPS) security certificates and encryption
- HSTS which only allows your site to interact with others with security certificates
- Web Application Firewall to block malicious traffic before it reaches the site
- Security logs and alerts
I start each day with a quick check of every client site that we maintain. Through personal experience, I can attest that WordPress is as secure as Drupal, Joomla and other alternatives if you take a few steps to reduce plugin and user vulnerabilities. Drupal and Joomla are great platforms as well, and we are experienced building sites on them. When proper security measures are taken, however, the incredible versatility and advanced features available through WordPress wins every time.
