
WordPress gets a bad reputation when it comes to security. Stories of hacked websites being turned into illegal pages are everywhere, and in Indonesia, the most common scenario is a perfectly normal website waking up one day displaying gambling content. Since most of these cases involve WordPress, the conclusion people reach is obvious: WordPress must be the problem.
But is that really fair?
Blame the Driver, Not the Car
Before pointing fingers at the platform, it’s worth asking some honest questions about how the website was actually built and maintained:
- Were the plugins and themes installed from trusted, official sources?
- Were WordPress core, themes, and plugins kept up to date?
- Was the hosting provider reputable, with solid security standards?
- Were strong, unique passwords used across all accounts?
If the answer to any of these is “no,” then the door was already left open long before any attacker showed up.
WordPress is designed to be accessible, but accessible does not mean maintenance-free. Because it is open-source and self-hosted, the responsibility for keeping a site secure falls entirely on the owner. There is no official support team standing by unless you are using WordPress.com. That means every technical decision is yours to make, and that responsibility is exactly what many site owners underestimate.
Why Layered Security Is the Right Approach
Good website security is not a single switch you flip on. It requires a layered defense strategy that covers every part of the system, from the server infrastructure all the way to the form fields a visitor sees on screen. Here is what that looks like in practice:
1. Operating System Layer
If you are running your site on a VPS, you are responsible for securing the machine itself. The basics here are non-negotiable:
- Install Fail2ban to automatically block IP addresses that repeatedly fail login attempts.
- Switch to SSH key authentication instead of passwords for server access. Keys are significantly harder to brute-force.
- Move the SSH port away from the default port 22 to reduce exposure to automated scanners.
- Keep the OS and all installed packages updated regularly to patch newly discovered vulnerabilities.
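The checklist above is easy to state and easy to get subtly wrong. The following shell script is an added example, not code from the article: it writes the sshd drop-in and fail2ban jail the list calls for, then audits an sshd config for the weak settings the list warns against. Port 2222, the file names and the fail2ban thresholds are assumed values; run it against a temporary directory first, as the demo at the bottom does.

```shell
#!/bin/sh
# Added example, not code from the article: writes the two config fragments the
# OS-layer checklist calls for and audits an sshd config for the weak settings.
# Port 2222, the file names and the fail2ban thresholds are assumed values.

# sshd drop-in: key-only logins, no root login, non-default port. Modern OpenSSH
# reads /etc/ssh/sshd_config.d/*.conf via an Include at the top of sshd_config;
# $1 is the directory to write into (a temp dir to preview, the real one to apply).
write_sshd_hardening() {   # $1 = directory, $2 = port (default 2222, assumed)
    local dir="$1" port="${2:-2222}"
    mkdir -p "$dir"
    cat > "$dir/50-hardening.conf" <<EOF
Port $port
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
EOF
    printf '%s\n' "$dir/50-hardening.conf"
}

# fail2ban jail for sshd on the moved port: ban for an hour after five failures
# inside ten minutes (assumed thresholds).
write_fail2ban_sshd_jail() {   # $1 = directory, $2 = port
    local dir="$1" port="${2:-2222}"
    mkdir -p "$dir"
    cat > "$dir/jail.local" <<EOF
[sshd]
enabled  = true
port     = $port
maxretry = 5
findtime = 600
bantime  = 3600
EOF
    printf '%s\n' "$dir/jail.local"
}

# First value of a keyword in an sshd config. sshd keeps the first occurrence and
# matches keywords case-insensitively, so "sshd -T" output works as input too.
first_value() {   # $1 = file, $2 = keyword
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Print WEAK/OK findings for one config file; exit status 1 if anything is weak.
# Include directives are not followed: pass the effective file or "sshd -T" output.
audit_sshd_config() {
    local file="$1" weak=0 v
    v=$(first_value "$file" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || { echo "WEAK: PasswordAuthentication=${v:-yes (default)}"; weak=1; }
    v=$(first_value "$file" PubkeyAuthentication)
    [ "${v:-yes}" = "yes" ] || { echo "WEAK: PubkeyAuthentication=$v"; weak=1; }
    v=$(first_value "$file" PermitRootLogin)
    [ "${v:-default}" = "no" ] || { echo "WEAK: PermitRootLogin=${v:-default}"; weak=1; }
    v=$(first_value "$file" Port)
    [ "${v:-22}" != "22" ] || { echo "WEAK: Port=22 (default, scanned constantly)"; weak=1; }
    [ "$weak" -eq 0 ] && echo "OK: $file passes all checks"
    return "$weak"
}

# Demo on constructed input in a throw-away directory; nothing touches /etc.
demo=$(mktemp -d)
conf=$(write_sshd_hardening "$demo/sshd_config.d")
write_fail2ban_sshd_jail "$demo/fail2ban" >/dev/null
audit_sshd_config "$conf"
printf 'Port 22\nPasswordAuthentication yes\n' > "$demo/weak.conf"   # constructed weak config
audit_sshd_config "$demo/weak.conf" || echo "=> $demo/weak.conf needs work"
rm -rf "$demo"
```

Before restarting sshd with the new drop-in, make sure a key-based login already works from a second session; the audit only reads a file, so it cannot tell you whether you are about to lock yourself out.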
2. Web Server Layer
Two things matter most at this level:
- SSL/TLS encryption: Every site should run on HTTPS. It encrypts data in transit, protects your visitors, and also signals trustworthiness to search engines, which translates into better SEO rankings.
- Cloudflare as a proxy: By routing traffic through Cloudflare, your server’s real IP address stays hidden. This alone makes it significantly harder for attackers to target your server directly, and it filters out a large volume of malicious bot traffic before it even reaches you.
3. Database Layer
The database holds everything that matters on your site. Protect it accordingly:
- Use a unique table prefix during WordPress installation. The default wp_ prefix is well known to automated attack scripts. Changing it adds a simple but meaningful barrier.
- Restrict database access to localhost only. There is rarely a reason for your database to be reachable from outside the server. Locking it down means that even if credentials are somehow exposed, remote exploitation is still blocked.
- Apply the principle of least privilege: give the database user only the permissions the application actually needs, nothing more.
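All three database points can be checked or applied from the shell. The script below is an added example and not part of the article: it reads the table prefix and DB_HOST out of a wp-config.php and flags the defaults, prints the least-privilege GRANT for the site's database user, and writes a MySQL drop-in that keeps the server on the loopback interface. The database, user and password values in the demo are constructed, and the config path is an assumption.

```shell
#!/bin/sh
# Added example, not code from the article: audit wp-config.php for the database
# settings the article lists and emit the matching least-privilege SQL.
# Site/user names below are constructed; the my.cnf drop-in path is assumed.

# Value of $table_prefix in a wp-config.php (empty string if absent).
wp_table_prefix() {   # $1 = path to wp-config.php
    grep '^[[:space:]]*\$table_prefix[[:space:]]*=' "$1" | head -n 1 \
        | sed 's/^[^=]*=//; s/;.*//' | tr -d " '\"\t"
}

# Value of define('NAME', 'value') in a wp-config.php (empty string if absent).
wp_define() {   # $1 = path to wp-config.php, $2 = constant name
    grep "^[[:space:]]*define([[:space:]]*['\"]$2['\"]" "$1" | head -n 1 \
        | sed 's/^[^,]*,//; s/).*//' | tr -d " '\"\t"
}

# Print OK/WEAK findings; exit status 1 if the prefix is the default or the
# database is reached over the network. 'localhost' uses the MySQL socket and
# 127.0.0.1 uses loopback TCP; both stay on the machine.
audit_wp_config() {   # $1 = path to wp-config.php
    local file="$1" bad=0 prefix host
    prefix=$(wp_table_prefix "$file")
    host=$(wp_define "$file" DB_HOST)
    case "$prefix" in
        ''|wp_) echo "WEAK: table prefix is '${prefix:-unset}' (default, known to attack scripts)"; bad=1 ;;
        *)      echo "OK: table prefix is '$prefix'" ;;
    esac
    case "$host" in
        localhost|localhost:*|127.0.0.1|127.0.0.1:*|::1)
            echo "OK: DB_HOST is '$host' (local only)" ;;
        *)  echo "WEAK: DB_HOST is '${host:-unset}', database is reached over the network"; bad=1 ;;
    esac
    return "$bad"
}

# SQL for a least-privilege database user: one database, only from localhost,
# only the statements WordPress itself needs. Core, theme and plugin updates
# still create and alter tables, so CREATE/ALTER/INDEX/DROP stay; nothing on *.*,
# no GRANT OPTION, no FILE, no SUPER.
least_privilege_grant() {   # $1 = database, $2 = user, $3 = password
    local db="$1" user="$2" pass="$3"
    cat <<EOF
CREATE USER '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
    ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# MySQL/MariaDB drop-in so the server only listens on loopback
# (e.g. /etc/mysql/conf.d/local-only.cnf; assumed path).
write_mysqld_local_only() {   # $1 = output file
    printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$1"
}

# Demo on a constructed wp-config.php in a throw-away directory.
demo=$(mktemp -d)
cat > "$demo/wp-config.php" <<'EOF'
<?php
// constructed sample, not a real site
define( 'DB_NAME', 'example_site' );
define( 'DB_USER', 'example_user' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'k9x_';
EOF
audit_wp_config "$demo/wp-config.php"
least_privilege_grant example_site example_user 'REPLACE_WITH_STRONG_PASSWORD'
write_mysqld_local_only "$demo/local-only.cnf"; cat "$demo/local-only.cnf"
rm -rf "$demo"
```

Changing the prefix on an existing site is more than editing wp-config.php: the tables themselves and a few option and usermeta rows carry the prefix, so do it at install time as the article says, or with a migration tool and a backup.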
4. Application Layer
This is where most WordPress-specific threats live:
- Web Application Firewall (WAF): Use Cloudflare’s WAF or a plugin like Wordfence to filter out dangerous requests before they reach your application. A WAF is particularly effective against SQL injection, cross-site scripting (XSS), and plugin-based exploits.
- Two-Factor Authentication (2FA): Enable 2FA on every account with admin access. Plugins like WP 2FA or Google Authenticator make this straightforward to set up.
- Limit login attempts: Use a plugin or server configuration to block IPs after a certain number of failed login tries.
- Change the default login URL: Moving away from /wp-admin or /wp-login.php to something less predictable significantly reduces automated targeting of your login page.
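The "limit login attempts" item can be done at the server instead of with a plugin, and that version also catches clients that never get as far as the PHP application. The script below is an added example, not code from the article: an awk pass over the web server access log that lists addresses hammering wp-login.php, a helper that turns that list into nginx deny directives, and a fail2ban filter and jail that automate the same ban. The log lines use documentation IP ranges and are constructed; the thresholds, file names and log path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: server-side detection of login
# hammering from the access log, plus a fail2ban filter/jail that automates it.
# Sample log lines are constructed; thresholds, paths and file names are assumed.

# Count POSTs to the login endpoint per client address and print those at or
# above the threshold as "<count> <ip>", highest first. Every POST counts,
# successful logins included, so the threshold must sit well above what a
# person produces in the log window; feed it a log covering minutes, not days.
login_post_bursts() {   # $1 = access log, $2 = threshold (default 10), $3 = path (default /wp-login.php)
    local log="$1" threshold="${2:-10}" path="${3:-/wp-login.php}"
    awk -v t="$threshold" -v p="$path" '
        $6 == "\"POST" && index($7, p) == 1 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }' "$log" | sort -rn
}

# Same list as nginx "deny" directives, to include from a server or location block.
deny_directives() {   # arguments as for login_post_bursts
    login_post_bursts "$@" | awk '{ printf "deny %s;\n", $2 }'
}

# fail2ban filter + jail (assumed file names and log path) so the ban is automatic:
# ten POSTs to wp-login.php from one address inside ten minutes bans it for an hour.
write_fail2ban_wp_login() {   # $1 = fail2ban config directory
    local dir="$1"
    mkdir -p "$dir/filter.d" "$dir/jail.d"
    cat > "$dir/filter.d/wp-login.conf" <<'EOF'
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php[^"]*"
ignoreregex =
EOF
    cat > "$dir/jail.d/wp-login.conf" <<'EOF'
[wp-login]
enabled  = true
port     = http,https
filter   = wp-login
logpath  = /var/log/nginx/access.log
maxretry = 10
findtime = 600
bantime  = 3600
EOF
}

# Constructed sample log in combined format: one address posts twelve times,
# another twice (a normal login with its redirect), plus one page view.
make_sample_log() {   # $1 = output file
    local out="$1" i=0
    : > "$out"
    while [ "$i" -lt 12 ]; do
        echo '203.0.113.7 - - [10/Mar/2025:09:00:01 +0700] "POST /wp-login.php HTTP/1.1" 200 2371 "-" "Mozilla/5.0"' >> "$out"
        i=$((i + 1))
    done
    echo '198.51.100.20 - - [10/Mar/2025:09:01:10 +0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$out"
    echo '198.51.100.20 - - [10/Mar/2025:09:01:12 +0700] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$out"
    echo '192.0.2.44 - - [10/Mar/2025:09:02:00 +0700] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' >> "$out"
}

# Demo on the constructed log in a throw-away directory.
demo=$(mktemp -d)
make_sample_log "$demo/access.log"
echo "addresses with 10+ login POSTs:"; login_post_bursts "$demo/access.log" 10
echo "nginx deny list:";               deny_directives "$demo/access.log" 10
write_fail2ban_wp_login "$demo/fail2ban"; cat "$demo/fail2ban/filter.d/wp-login.conf"
rm -rf "$demo"
```

One caveat that ties back to the web server layer: if the site sits behind Cloudflare, the first field of the access log is Cloudflare's address, not the client's, until the web server is configured to restore the real client IP from the proxy headers. Banning on the unrestored address would block the proxy itself.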
5. Frontend Layer
The front end is not just where your visitors land. It is also where attackers look for openings:
- Add CAPTCHA to every form: Whether it is a contact form, registration, or comment section, tools like Google reCAPTCHA or Cloudflare Turnstile will block most bot-driven spam and automated abuse.
- Restrict file uploads: If your site allows users to upload files, define exactly which formats are accepted and set a reasonable size limit. Unrestricted uploads are a well-known attack vector.
- Disable unused features: XML-RPC, for example, is rarely needed on modern WordPress sites but is frequently exploited. If you are not using it, turn it off.
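"Define exactly which formats are accepted" is worth spelling out, because an extension check alone is not a format check. The script below is an added example, not code from the article: validate_upload accepts a file only if its extension is on an allowlist, its size is under a limit, and its first bytes match the type the extension claims, so a file named .jpg whose content is not a JPEG is refused. A second function writes the nginx fragment that refuses xmlrpc.php, for the "disable unused features" item. The allowlist, size limit and file names are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from the article: server-side upload validation
# (allowlist + size limit + magic-number check) and an nginx block for XML-RPC.
# Allowlist, size limit and file names are assumptions; sample files are constructed.

ALLOWED_EXTS="jpg jpeg png gif pdf"    # assumed allowlist
MAX_UPLOAD_BYTES=$((5 * 1024 * 1024))  # assumed 5 MiB limit

# Lower-cased extension of a file name, or empty when it has none.
file_ext() {   # $1 = path
    local name
    name=$(basename "$1")
    case "$name" in
        *.*) printf '%s' "${name##*.}" | tr 'A-Z' 'a-z' ;;
        *)   printf '' ;;
    esac
}

# First four bytes of a file as lowercase hex, e.g. "ffd8ffe0".
magic_hex() {   # $1 = path
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Do the leading bytes match the type the extension claims?
# JPEG ff d8 ff, PNG 89 50 4e 47, GIF "GIF8", PDF "%PDF".
content_matches_ext() {   # $1 = extension, $2 = magic hex
    case "$1:$2" in
        jpg:ffd8ff*|jpeg:ffd8ff*) return 0 ;;
        png:89504e47)             return 0 ;;
        gif:47494638)             return 0 ;;
        pdf:25504446)             return 0 ;;
    esac
    return 1
}

# Exit status 0 when the file passes every check, 1 (with the reason) otherwise.
validate_upload() {   # $1 = path
    local file="$1" ext size magic
    ext=$(file_ext "$file")
    [ -n "$ext" ] || { echo "REJECT $file: no extension"; return 1; }
    case " $ALLOWED_EXTS " in
        *" $ext "*) ;;
        *) echo "REJECT $file: extension .$ext not allowed"; return 1 ;;
    esac
    size=$(($(wc -c < "$file")))
    [ "$size" -le "$MAX_UPLOAD_BYTES" ] || { echo "REJECT $file: $size bytes exceeds limit"; return 1; }
    magic=$(magic_hex "$file")
    content_matches_ext "$ext" "$magic" || { echo "REJECT $file: content ($magic) does not match .$ext"; return 1; }
    echo "ACCEPT $file ($ext, $size bytes)"
    return 0
}

# nginx location that refuses XML-RPC before PHP is ever invoked; include it in
# the server block. The path is WordPress's own, the 403 status is an assumption.
write_nginx_xmlrpc_block() {   # $1 = output file
    cat > "$1" <<'EOF'
# XML-RPC is not used on this site: refuse it outright.
location = /xmlrpc.php {
    return 403;
}
EOF
}

# Demo on constructed files in a throw-away directory.
demo=$(mktemp -d)
printf '\377\330\377\340JFIF' > "$demo/photo.jpg"     # constructed JPEG header
printf 'not an image at all' > "$demo/fake.jpg"       # constructed: .jpg name, non-image bytes
printf '\211PNG\r\n\032\n' > "$demo/logo.PNG"         # constructed PNG header, upper-case extension
printf 'plain text' > "$demo/notes.txt"               # extension not on the allowlist
for f in "$demo/photo.jpg" "$demo/fake.jpg" "$demo/logo.PNG" "$demo/notes.txt"; do
    validate_upload "$f" || true
done
write_nginx_xmlrpc_block "$demo/xmlrpc.conf"; cat "$demo/xmlrpc.conf"
rm -rf "$demo"
```

The magic-number check is deliberately strict rather than clever: it only has to confirm that the bytes agree with the allowlisted extension, and it never tries to guess a type for something it does not recognise. Pair it with a size limit enforced by the web server too, so oversized uploads are dropped before the script ever sees them.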
Security Is an Investment, Not an Afterthought
Managing all of this can feel overwhelming, especially if you are running a business and technology is not your core focus. In that case, hiring an experienced WordPress developer or security professional is money well spent.
Here is a grounding fact: millions of automated bots scan the internet every single day looking for vulnerable websites. That is not meant to be alarming; it is simply the reality of running anything online. The good news is that with the right layers of protection in place, the vast majority of these threats never get further than your firewall.
WordPress is not inherently insecure. An unmanaged WordPress site is.