Tips for web professionals

Six tips for securing your site with WordPress plugins

Secure your site with WordPress plugins
A whopping 64% of sites that use a CMS (Content Management System) use WordPress, making it one of the most used in the world. This intuitive and easy-to-use tool lets you create and configure a website without especially advanced knowledge of web development. There are thousands of WordPress extensions that are either free or available for a fee. These extensions either add new features to your site or extend existing features. WordPress’s popularity also makes it a target of choice for cybercriminals. That makes securing your site necessary to protect your data and your users’ data too. Here are our six recommendations for strengthening the security of your site using WordPress plugins.

1. Regularly back up your data

The most important thing to do in terms of security is to make regular backups of your WordPress site. Saving your data is essential because it’s what allows you to:
  • not lose everything if there’s a problem on your site
  • get your site back online not only if it gets hacked, but also in case of any other incident that may result in you losing your site
Ideally, we recommend doing a backup every week, and we suggest noting the date and time of the backup in your backup folder. There are several extensions (or plugins) that let you create automatic backups of your data. UpdraftPlus WordPress Backup Plugin or BackWPup offer backups of your files and data. You can also save your backup to a storage server, like Nextcloud, or download it to store it where you see fit (on an external hard drive, for example).

2. Install a WordPress security plugin

In the same way that you install anti-virus software on your computer, it’s good practice to improve your site’s security by installing a plugin that protects your site from attacks. Plugins like iThemes Security and WordFence Security improve the security of your site by offering complete protection. These let you, among other things, add multi-factor authentication, prevent bots from probing your site for vulnerabilities, and even automatically generate strong passwords.

3. Modify your login URL

By default, your login URL is example.com/wp-admin. This default address is well known. By keeping this URL, you’re exposing your site to attackers who can attempt brute-force attacks against your login page to gain access to your site. To reduce this exposure, we suggest changing your login URL. You can do it yourself by updating your .htaccess file. However, there are also plugins that let you easily change your WordPress login URL without any advanced technical knowledge. For example, with the plugin WPS Hide Login you can change your login URL in just a few clicks. Once installed, you only need to navigate to the plugin’s settings in your WordPress admin page and change the login URL. Keep in mind that changing the address only hides the page from automated scans; it does not replace limiting login attempts (tip four below).

4. Limit the number of login attempts

One common technique for compromising a website is a brute-force attack. This technique consists of using a bot that tries thousands of username and password combinations in order to “crack” your login page and gain access to your WordPress admin site. You can use a plugin to limit the number of login attempts allowed. That way, after a bot tries to log in a certain number of times, its IP address is blocked and can no longer try to connect. Plugins like WordFence Security (including the free version), WP Limit Login Attempts and WPS Limit Login let you easily impose this limit on login attempts. With these plugins, you can also add an IP address to exclude from the login attempt restriction. That way you (or your customers) can avoid having your access to your own site blocked.
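To make the lockout behaviour these plugins implement concrete, here is an added example (not the code of any plugin named above) that models it in Python: a source IP is locked out after a number of failures within a window, the lockout expires on its own, and allowlisted addresses are never locked. The thresholds, the sample IP addresses and the allowlist are all constructed for this example.

```python
"""Model of a login-attempt limiter with an IP allowlist (added example)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed policy: 5 failures within 10 minutes lock the source IP for 30 minutes.
MAX_FAILURES = 5
WINDOW_SECONDS = 600
LOCKOUT_SECONDS = 1800


class LoginLimiter:
    def __init__(self, allowlist=()):
        # allowlist: networks that must never be locked out (your own office, for instance)
        self.allowlist = [ip_network(n) for n in allowlist]
        self.failures = defaultdict(list)  # ip -> timestamps of recent failed logins
        self.locked_until = {}             # ip -> time at which the lockout expires

    def is_exempt(self, ip):
        return any(ip_address(ip) in net for net in self.allowlist)

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:  # lockout expired: forget it and the failures behind it
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Call after every failed login; returns True if this failure triggered a lockout."""
        if self.is_exempt(ip) or self.is_locked(ip, now):
            return False
        recent = [t for t in self.failures[ip] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[ip] = now + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure counter for that IP."""
        self.failures.pop(ip, None)


def simulate(events, allowlist=("203.0.113.0/24",)):
    """events: (time, client_ip, password_ok) tuples. Returns the (time, ip) pairs refused."""
    # The client IP should come from the connection (REMOTE_ADDR), not from a
    # forwarded header, unless a trusted reverse proxy sets that header.
    limiter, refused = LoginLimiter(allowlist), []
    for now, ip, ok in events:
        if limiter.is_locked(ip, now):
            refused.append((now, ip))  # answered before the password is even checked
        elif ok:
            limiter.record_success(ip)
        else:
            limiter.record_failure(ip, now)
    return refused
```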

5. Update WordPress and plugins regularly

In order to ensure that your WordPress site is secure, it’s important to regularly update both WordPress and your plugins so that you always run the latest available version. CMS developers frequently correct bugs and improve security, so it’s essential to have the latest version of the CMS. For the same reason, it’s also crucial to regularly update all your plugins and themes, because new security vulnerabilities are constantly being discovered and fixed. Of course, Gandi will report on the most critical security issues. It’s nonetheless important to regularly check whether an update is available in order to be sure that you have the latest versions of your plugins, since an outdated plugin might expose you to an attack. This advice is all the more important for plugins related to your site’s security! The good news is that there’s also a plugin for that: WP Updates Notifier lets you receive email alerts when an update is available. For greater simplicity, you can also activate automatic updates for WordPress, your themes, and your plugins. Finally, to limit your attack surface and make your plugin management easier, we recommend deactivating or uninstalling plugins that you don’t use or no longer use. For more information, check out this article on wordpress.org.

6. Choose a trusted and secure hosting provider for your WordPress site

By applying the tips above, you can ensure your site is well protected from attackers. However, vulnerabilities don’t necessarily come from your site alone. Attacks can also target your site’s hosting provider’s infrastructure, which you have no direct control over. As such, beyond working to improve the security of your site, consider choosing a reliable hosting provider. There is a wide range of hosting providers that are more or less expensive and more or less reliable. Gandi’s watchword is No Bullshit, meaning our services are clear with no surprises. Gandi offers complete and secure WordPress hosting. WordPress hosting at Gandi starts at $10.00 (USD) per month (size M recommended), including 50 GB of storage minimum, a free SSL certificate, and extensive documentation. N.B.: WordPress updates are up to you to complete, as indicated in tip number five above. And while plugins are useful, they won’t do you much good if they’re not configured correctly, so we’re ready to help with setting things up. Our Customer care team is available 24 hours a day, 6 days a week. Need to increase the resources allocated to your site to support installing your plugins? No worries! You can change the size of your instance at any moment from your admin interface. Choose Gandi for a secure WordPress site!