Threat Intel Solutions

* [Security Education](https://blog.sucuri.net/category/security-education)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)Locking Down the WordPress Login Page===================================== [Kyle Knight](https://blog.sucuri.net/author/klknight)* August 22, 2025  Due to its flexibility, ease of use, and massive plugin ecosystem, WordPress is a favorite among bloggers, developers, and businesses alike. Given its popularity, attackers do not waste time guessing where sensitive assets live. By default, on every WordPress site the front door is conveniently labeled **/wp-login.php** or **/wp-admin/**. On even a modest site, server logs can often reveal hundreds of failed logins coming from residential proxies and botnets that rotate addresses. Once a single credential is cracked an attacker could install a malicious plugin, add a backdoor, inject SEO spam, or turn the site into a drive-by malware host, damaging reputation, search rankings, and revenue in one hit.How secure is the WordPress login page?—————————————WordPress ships with essential security features right out of the box. Still, those built-in defenses often aren’t sufficient to stop persistent attackers. The default login page can be exposed to several threats, including:* [Brute force attacks](https://sucuri.net/guides/what-is-brute-force-attack/)* [Credential stuffing](https://blog.sucuri.net/2021/06/3-password-attacks-101.html#:~:text=spraying%20will%20work.-,Credential%20Stuffing,-To%20summarize%20credential)* [Phishing attempts](https://sucuri.net/guides/phishing-attacks/)* [Man-in-the-middle attacks](https://sucuri.net/guides/what-is-broken-access-control/)For stronger protection, you’ll need to move past the defaults and add extra security layers.10 defensive layers for WordPress login security————————————————Below we’ll go over how attackers target the login page, then walk through some configurations that help close the most common gaps like strong credentials, two-factor authentication, rate limiting, and real-time monitoring.1. [Use high-entropy passwords everywhere](#step-1)2. [Move the login URL to a non-default path](#step-2)3. [Enforce strict limits on failed logins](#step-3)4. [Require 2FA for all privileged users](#step-4)5. [Challenge suspicious sessions with CAPTCHA](#step-5)6. [Harden wp-config.php against post-exploitation tampering](#step-6)7. [Obscure author usernames from public view](#step-7)8. [Remove dormant or unknown user accounts](#step-8)9. [Purge unused plugins and themes](#step-9)10. [Patch WordPress core, plugins, and themes immediately](#step-10)*** ** * ** ***### 1. Use high-entropy passwords everywhere#### Threat contextCredential stuffing campaigns rely on the fact that users reuse passwords across services. Phishing kits and info-stealers dump millions of credentials daily. Attackers feed those lists into scripts that target `/wp-login.php` looking for credential matches.#### Protective actions* Generate passwords of at least 16 random characters. Passphrases are fine if the total entropy is comparable (for example, six random dictionary words separated by symbols).* Store them in a reputable password manager. Browser autofill alone is insufficient because malware routinely extracts saved credentials.* For service accounts, create unique API keys where possible instead of shared passwords.* Audit the server for configuration files containing plaintext passwords and remove them.#### VerificationRun the following on Linux to identify hard-coded passwords:“`sudo grep -Eai ‘pass(word)?-s*=-s*[”-”][^”-”]{0,11}’ -R /var/www/html“`If anything shows up, change it immediately and replace the hard-coded password in the source file/config with an environment variable or pull from a secrets manager.#### Common pitfalls* Do not rely on simple substitutions (P@ssw0rd! is not safer than Password1!).* Avoid baseline policies that cap passwords at twelve characters. Instead, *raise* the limit.*** ** * ** ***### 2. Move the login URL to a non-default path#### Threat contextCommodity scanners are designed to check the default login paths, so use a non-default path to reduce exposure to scanners that only look for defaults. It doesn’t stop a targeted attacker, but it filters out a massive wave of commoditized scanners.#### Protective actions##### Option A: Sucuri Website Firewall1. Log in to your [Sucuri dashboard](https://dashboard.sucuri.net/login/).2. Select **Firewall -> Access Control -> Protected Pages**.3. Add `/wp-login.php` and `/wp-admin/` and set the rule to **Block** or **CAPTCHA**.4. Add a new custom path such as `/private-console/` and allow it from the public internet.##### Option B: WPS Hide Login plugin1. Install [WPS Hide Login](https://wordpress.org/plugins/wps-hide-login/) from the official repository.2. Under **Settings -> WPS Hide Login** , specify the new slug (example: `/secure-gateway/`).3. Save changes and record the new URL in your password manager.##### Option C: Manual rewrite rule (Nginx sample)“`location /wp-login.php { return 404;}location /secure-gateway { include fastcgi_params; fastcgi_pass unix:/run/php/php8.2-fpm.sock; fastcgi_param SCRIPT_FILENAME $document_root/wp-login.php;}“`#### VerificationRequest **/wp-login.php** in a private browser window. A 404 or 403 response means the default path is hidden. Check that **`/secure-gateway`** loads the expected login form.#### Common pitfalls* Do not publish the new path in public documentation or support forums.* Keep a second administrator account that bypasses the plugin in case the rewrite rule is misconfigured.*** ** * ** ***### 3. Enforce strict limits on failed logins#### Threat contextReadily available brute force tools can cycle through password guesses in rapid succession, especially when the site replies quickly.#### Protective actions##### Firewall method (recommended)The [Sucuri Website Firewall](https://sucuri.net/website-firewall/) automatically profiles failed logins and blocks IPs or entire ASNs that cross the threshold of failed attempts. Sucuri firewall users can review further hardening options and which directories or files they apply to under **Security -> Hardening**.##### Plugin method1. Install [Limit Login Attempts Reloaded](https://wordpress.org/plugins/limit-login-attempts-reloaded/).2. Configure: * **Allowed retries:** 3 * **Lockout length:** 30 minutes * **Max lockouts:** 4 * **Extended lockout:** 24 hours3. Enable GDPR compliant logging to capture IP, username, time.##### Server method (fail2ban sample)On Ubuntu:“`sudo apt install fail2bancat << 'EOF' | sudo tee /etc/fail2ban/filter.d/wp-login.conf[Definition]failregex = .* ‘POST /wp-login.phpEOFcat < Access Control -> Protected Pages**.3. Add `/secure-gateway/` or `/wp-login.php`.4. Select **’Two Factor Authentication’**.5. Add the admin email addresses. Each login will prompt for a time-based code delivered by email or an authenticator app.##### Plugin method1. Install [miniOrange](https://wordpress.org/plugins/miniorange-saml-20-single-sign-on/) 2FA or similar.2. Require 2FA for every role above Subscriber.3. Provide backup recovery codes and train staff.#### VerificationLog in, skip the 2FA step, and confirm access is denied. Use Google Authenticator or Microsoft Authenticator to approve a token and confirm success.#### Common pitfalls* SMS codes are vulnerable to SIM swap attacks, so prefer TOTP apps or hardware keys.* Enforce 2FA on XML-RPC (for mobile app logins) if that endpoint is required.*** ** * ** ***### 5. Challenge suspicious sessions with CAPTCHA#### Threat contextCredential stuffing often originates from headless browsers or CURL. CAPTCHA blocks those automated runs with minimal friction to humans.#### Protective actions##### Sucuri Firewall method1. Log in to your [Sucuri dashboard](https://dashboard.sucuri.net/login/).2. Go to **Firewall -> Access Control -> Protected Pages**.3. Enter the path of the page you want to protect (e.g. **/wp-login.php** ) and then select **Captcha Challenge** from the dropdown.4. Select **Protect Page**.After you save the path, it’s added to your protected pages and will be secured from automated attacks by the Sucuri Firewall.##### Plugin method1. Install CAPTCHA 4WP.2. Register reCAPTCHA v3 keys at .3. Apply challenges to login, registration, and password reset forms.#### VerificationUse CURL to POST credentials. The response should return the CAPTCHA form rather than authenticating.#### Common pitfalls* Do not rely entirely on ‘invisible’ CAPTCHA, combine it with rate-limits.* Keep keys secure. Exposure allows attackers to proxy requests and bypass the check.*** ** * ** ***### 6. Harden wp-config.php against post-exploitation tampering#### Threat contextIf an attacker reaches the dashboard or gains file write access they can inject backdoors through the theme editor or plugin installers. Disabling those features forces attackers to find a server-side write primitive, raising the bar.#### Protective actionsAdd the following lines above `/* That’s all, stop editing! */““define(‘DISALLOW_FILE_EDIT’, true);define(‘DISALLOW_FILE_MODS’, true);“`Move wp-config.php one directory above the web root if your hosting provider allows:“`/home/user/wp-config.php/home/user/public_html/index.php“`Set strict file permissions:“`chmod 400 /home/user/wp-config.phpchown www-data:root /home/user/wp-config.php“`#### Verification* Dashboard should no longer show Appearance -> Theme Editor.* Attempt to install a new plugin and confirm the action is blocked.#### Common pitfalls* Remember to allowlist your own IP and temporarily disable `DISALLOW_FILE_MODS` when a legitimate update from the dashboard is needed.* Test after core updates since custom file locations can break some managed hosts.*** ** * ** ***### 7. Obscure author usernames from public view#### Threat contextMany automated tools run the enumeration scan `/?author=1` which returns a redirect to `/author/username/`. That leak hands the attacker half the login puzzle.#### Protective actions##### Set a distinct display name1. Log in to your WordPress admin dashboard.2. Go to **Users -> Profile -> Nickname field**.3. Enter a friendly name.4. In the dropdown **’Display name publicly as’**, select that nickname.##### Block author scansAdd the following to your **.htaccess**:“`RewriteCond %{QUERY_STRING} author=-dRewriteRule ^ /? [L,R=301]“`Or configure the Sucuri firewall to block requests matching ‘`author=`’ in the query string.#### VerificationVisit `/?author=1`. Expect an instant redirect to the home page or a 403. Blog posts should show the nickname but not the actual login name.#### Common pitfalls* Changing only the nickname without blocking enumeration still leaks.* Do not pick a nickname identical to the username.*** ** * ** ***### 8. Remove dormant or unknown user accounts#### Threat contextOld contractors, ex-employees, test accounts, or compromised email addresses provide attackers with a foothold. [Least privilege](https://blog.sucuri.net/2024/01/what-is-the-principle-of-least-privilege.html) is a core security principle that unused accounts violate.#### Protective actions##### Manual audit1. Log in to your WordPress admin dashboard.2. Go to **Users -> All Users**.3. Sort by Last Login date (install [WP Last Login](https://wordpress.org/plugins/wp-last-login/) plugin for visibility).4. Export the list as backup.5. For each dormant account: * Downgrade role to Subscriber temporarily. * Notify the owner via their registered email. * If no response within seven days, delete the user and reassign posts.##### Automated policy with WP-CLI“`wp user list –field=ID –role=author –field=user_registered | while read id; do last_login=$(wp user meta get $id last_login) if [ $(date -d ‘$last_login’ +%s) -lt $(date -d ’90 days ago’ +%s) ]; then wp user delete $id –reassign=1 –yes fidone“`#### VerificationRun penetration testing scripts to verify no default usernames like **admin** , **test** , or **demo** are present.#### Common pitfalls* Delete only after verifying that the account’s email is not shared with a current employee.* Reassign content, otherwise, media attachments may break.*** ** * ** ***### 9. Purge unused plugins and themes#### Threat contextSerious [vulnerabilities in plugins and themes](https://blog.sucuri.net/2025/07/wordpress-vulnerability-patch-roundup-july-2025.html) are disclosed on a recurring basis. Keeping unused or outdated components installed increases risk even if they’re deactivated, as they can be executed directly via file inclusion.#### Protective actions##### Inventory1. Log in to your WordPress admin dashboard.2. Go to **Dashboard -> Plugins -> Inactive**.3. Review and remove any plugins you are no longer using.Again, deactivating does not neutralize risk. Remove entirely unless needed for staging.##### Delete with WP-CLI“`wp plugin delete $(wp plugin list –status=inactive –field=name)wp theme delete $(wp theme list –status=inactive –field=name)“`##### Host-level whitelistLock `wp-content/plugins/` to root:root and deny write via chmod 550 when no new installs are planned.#### VerificationScan the site with our [SiteCheck](https://sitecheck.sucuri.net/) remote scanner to verify no references to deleted plugins.#### Common pitfalls* Keep one default theme such as Twenty Twenty-Four for debugging but lock it at read-only permissions.* **Never use nulled or pirated plugins** . In a recent [threat report](https://blog.sucuri.net/2023/04/hacked-website-threat-report-2022.html), we found that 36% of malware samples in our database for 2022 involved sites with at least 1 nulled plugin.*** ** * ** ***### 10. Patch WordPress core, plugins, and themes immediately#### Threat contextSome vulnerabilities see broad exploitation soon after disclosure, but prompt patching shortens the time your site remains exposed. Apply fixes immediately and consider a web application firewall to reduce risk while you update.#### Protective actions##### Auto-update strategy* **Core:** set `WP_AUTO_UPDATE_CORE` to minor.* **Plugins and themes:** enable auto-updates only for vendors with strong regression testing.##### WP-CLI scheduled job“`0 */4 * * * cd /var/www/html && wp plugin update –all –quiet >> /var/log/wp-updates.log“`This cron job will auto-update all WordPress plugins every 4 hours and log the results.##### Firewall virtual patchingThe [Sucuri Website Firewall](https://sucuri.net/website-firewall/) blocks known exploit signatures even when the vulnerable code still exists. This buys the admin time to test updates in staging.#### Verification* Run `wp core verify-checksums` to ensure files are pristine.#### Common pitfalls* Relying only on hosting provider auto-updates. Always monitor for changes to WordPress core and any themes or plugins you’re using.* Ignoring premium plugins that require manual download; set calendar reminders.Bonus hardening tactics———————–### HTTP basic authenticationPlace an additional password at the web server layer, effectively requiring credentials before PHP executes. Example for Nginx:“`auth_basic ‘Restricted’;auth_basic_user_file /etc/nginx/.htpasswd;location /secure-gateway { # existing fastcgi config}“`### IP allowlistingRestrict wp-admin to a fixed office VPN range.“`allow 203.0.113.15;deny all;“`### Content Security PolicyReduce the impact of XSS by limiting where scripts can load.“`add_header Content-Security-Policy ‘default-src ‘self’; frame-ancestors ‘none’;’ always;“`### Disable XML-RPC if unusedAttackers leverage xmlrpc.php for brute force multicall methods.“`# Block xmlrpc.php requestsorder deny,allowdeny from allallow from ALLOWED.IP.GOES.HERE“`Replace the `ALLOWED.IP.GOES.HERE` with the IP address you want to allow. If you want to disable XML-RPC requests entirely, you can remove this line.### Enforce least-privilege accessAs touched on earlier, hand out permissions sparingly. Each account should get only the rights it needs to complete its tasks. No more, no less. If that account gets hijacked, the fallout stays contained.WordPress offers these built-in roles:* **Administrator:** Unrestricted control over site settings, plugin and theme installs, code edits, and user management.* **Editor:** Can publish and manage any post, page, comment, category, or tag, but can’t alter site settings.* **Author:** Publishes and maintains only their own posts and can upload media, yet can’t edit pages or other users’ content.* **Contributor:** Can write posts but not publish them or upload media. An Editor or Administrator must approve the drafts.* **Subscriber:** Limited to reading content and updating a personal profile. Perfect for membership or restricted-content sites.Assign roles with care, and create custom roles with tailored permissions whenever the defaults don’t fit.Lock Down WordPress Fast with Web Application Firewall Virtual Patching———————————————————————–If applying updates and patches right away is a challenge, a web application firewall can fill the gap. By adding [virtual patches](https://blog.sucuri.net/2022/09/a-guide-to-virtual-patching-for-website-vulnerabilities.html) for known weaknesses, a WAF helps block familiar threats such as [cross-site scripting](https://sucuri.net/guides/what-is-cross-site-scripting/) and [SQL injection](https://sucuri.net/guides/what-is-sql-injection/).Key takeaways and next steps—————————-* Attackers focus on the WordPress login page because its location is predictable and single factor by default.* Layered defenses like [strong passwords](https://blog.sucuri.net/2024/01/how-to-make-strong-password.html), hidden URLs, rate limiting, [two-factor authentication](https://blog.sucuri.net/2022/04/the-case-for-2fa-by-default-for-wordpress.html), CAPTCHA, configuration hardening, and strict patch management stop the overwhelming majority of real-world attacks.* A [Website Application Firewall](https://sucuri.net/website-firewall/) accelerates the process by providing virtual patching and automated brute force protection out of the box.* [Regular backups](https://sucuri.net/website-backups/) remain the safety net when all other measures fail. If you do not have off-site daily backups, set them up now.Locking down the WordPress login page is not a one-time project. Attack techniques evolve, infrastructure changes, and human habits shift. Effective defense therefore relies on continuous reinforcement.If you need help hardening authentication or cleaning up after an intrusion, the [Sucuri team is on call](https://sucuri.net/website-security-platform/help-now). Implement the steps above, validate them regularly, and keep the WordPress login page a silent guard rather than the weakest link in your security chain.[](https://sucuri.net/live-chat/)  ##### [Kyle Knight](https://blog.sucuri.net/author/klknight)Kyle Knight is a Senior Technical Writer who joined the company in 2013. His responsibilities include managing various content and socials. With over a decade of experience in the web industry, Kyle has supported a variety of products including domain, hosting, email, and SaaS solutions. He excels at bringing clarity to complex topics, ensuring users have the information they need. In his free time, Kyle enjoys playing basketball, video games, riding motorcycles, and staying current with the latest tech trends.##### Related Tags* [Best Practices](https://blog.sucuri.net/tag/best-practices),* [Passwords](https://blog.sucuri.net/tag/passwords),* [Sucuri WordPress Plugin](https://blog.sucuri.net/tag/sucuri-wordpress-plugin),* [WordPress Plugins and Themes](https://blog.sucuri.net/tag/wordpress-plugins-and-themes),* [WordPress Security](https://blog.sucuri.net/tag/wordpress-security),* [WordPress Tips](https://blog.sucuri.net/tag/wordpress-tips)##### Related Categories* [Security Education](https://blog.sucuri.net/category/security-education)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security) * [Ecommerce Security](https://blog.sucuri.net/category/ecommerce-security)* [Security Education](https://blog.sucuri.net/category/security-education)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html) [X-Cart Skimmer with DOM-based Obfuscation](https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html)—————————————————————————————————————————* Denis Sinegubko* May 17, 2022 Our lead security analyst Liam Smith recently worked on an infected X-Cart website and found two interesting credit card stealers there — one skimmer located… [Read the Post](https://blog.sucuri.net/2022/05/x-cart-skimmer-with-dom-based-obfuscation.html)  * [Ecommerce Security](https://blog.sucuri.net/category/ecommerce-security)* [Sucuri Labs](https://blog.sucuri.net/category/sucuri-labs)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2020/12/fake-wordpress-functions-conceal-assert-backdoor.html) [Fake WordPress Functions Conceal assert() Backdoor](https://blog.sucuri.net/2020/12/fake-wordpress-functions-conceal-assert-backdoor.html)——————————————————————————————————————————————-* Douglas Santos* December 8, 2020 A few weeks ago, I was manually inspecting some files on a compromised website. While checking on a specific WooCommerce file, I noticed something interesting…. [Read the Post](https://blog.sucuri.net/2020/12/fake-wordpress-functions-conceal-assert-backdoor.html)  * [Security Education](https://blog.sucuri.net/category/security-education)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-removal.html) [Remote Access Trojan (RAT): Types, Mitigation -& Removal](https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-removal.html)————————————————————————————————————————————————–* Ben Martin* February 16, 2024 Remote Access Trojans (RATs) are a serious threat capable of giving attackers control over infected systems. This malware stealthily enters systems (often disguised as legitimate… [Read the Post](https://blog.sucuri.net/2024/02/remote-access-trojan-rat-types-mitigation-removal.html)  * [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Security Education](https://blog.sucuri.net/category/security-education)* [Web Pros](https://blog.sucuri.net/category/web-pros)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2021/03/the-importance-of-website-backups.html) [The Importance of Website Backups](https://blog.sucuri.net/2021/03/the-importance-of-website-backups.html)———————————————————————————————————–* Juliana Lewis* March 31, 2021 Today is World Backup Day. This date was created to remind people of the importance of having backups set up for everything that matters. I am pretty sure your website falls into… [Read the Post](https://blog.sucuri.net/2021/03/the-importance-of-website-backups.html)  * [Security Advisory](https://blog.sucuri.net/category/security-advisory)* [Vulnerability Disclosure](https://blog.sucuri.net/category/vulnerability-disclosure)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2023/08/wordpress-vulnerability-patch-roundup-august-2023.html) [WordPress Vulnerability -& Patch Roundup August 2023](https://blog.sucuri.net/2023/08/wordpress-vulnerability-patch-roundup-august-2023.html)———————————————————————————————————————————————-* Cesar Anjos* August 31, 2023 Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes… [Read the Post](https://blog.sucuri.net/2023/08/wordpress-vulnerability-patch-roundup-august-2023.html)  * [Sucuri Labs](https://blog.sucuri.net/category/sucuri-labs)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2017/12/reversed-urls-randomly-redirect-to-scams.html) [Reversed URLs Randomly Redirect to Scams](https://blog.sucuri.net/2017/12/reversed-urls-randomly-redirect-to-scams.html)————————————————————————————————————————-* Denis Sinegubko* December 14, 2017 We are seeing hundreds of infected WordPress sites with the following scripts (in one line) injected in random places in wp_posts table. $vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list-[n-])… [Read the Post](https://blog.sucuri.net/2017/12/reversed-urls-randomly-redirect-to-scams.html)  * [Ecommerce Security](https://blog.sucuri.net/category/ecommerce-security)* [Website Malware Infections](https://blog.sucuri.net/category/website-malware-infections)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-extension-to-steal-card-details.html) [Woo Skimmer Uses Style Tags and Image Extension to Steal Card Details](https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-extension-to-steal-card-details.html)———————————————————————————————————————————————————————————–* Ben Martin* September 12, 2024 This post starts the same way many others do on this blog, and it will be familiar to those who keep up with website security:… [Read the Post](https://blog.sucuri.net/2024/09/woo-skimmer-uses-style-tags-and-image-extension-to-steal-card-details.html)  * [Drupal Security](https://blog.sucuri.net/category/drupal-security)* [Joomla Security](https://blog.sucuri.net/category/joomla-security)* [Magento Security](https://blog.sucuri.net/category/magento-security)* [Security Education](https://blog.sucuri.net/category/security-education)* [Website Security](https://blog.sucuri.net/category/website-security)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html) [Hacked Website Report — 2016/Q2](https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html)—————————————————————————————————–* Daniel Cid* September 21, 2016 Today we’re releasing our quarterly Hacked Website Report for 2016/Q2. The data in this report is based on compromised websites we worked on, with insights… [Read the Post](https://blog.sucuri.net/2016/09/hacked-website-report-2016q2.html)  * [Security Education](https://blog.sucuri.net/category/security-education)* [Website Security](https://blog.sucuri.net/category/website-security)* [WordPress Security](https://blog.sucuri.net/category/wordpress-security)[](https://blog.sucuri.net/2022/02/top-10-security-tips-to-keep-your-wordpress-site-healthy.html) [Top 10 Security Tips to Keep Your WordPress Site Healthy](https://blog.sucuri.net/2022/02/top-10-security-tips-to-keep-your-wordpress-site-healthy.html)———————————————————————————————————————————————————* Allison Bondi* February 9, 2022 As we go through the winter months and whether changes, many of us go to our local pharmacy and take advantage of a flu shot…. [Read the Post](https://blog.sucuri.net/2022/02/top-10-security-tips-to-keep-your-wordpress-site-healthy.html)  * [Security Education](https://blog.sucuri.net/category/security-education)* [Website Security](https://blog.sucuri.net/category/website-security)[](https://blog.sucuri.net/2021/12/how-to-add-ssl-move-wordpress-from-http-to-https-2.html) [How to Add SSL -& Move WordPress from HTTP to HTTPS](https://blog.sucuri.net/2021/12/how-to-add-ssl-move-wordpress-from-http-to-https-2.html)———————————————————————————————————————————————-* Ashley Sand* December 23, 2021 Making sure your website uses HTTPS should be a top priority for any webmaster In fact, recent statistics show that over 42% of site administrators… [Read the Post](https://blog.sucuri.net/2021/12/how-to-add-ssl-move-wordpress-from-http-to-https-2.html)

Related Tags:
NAICS: 519 – Web Search Portals

Libraries

Archives

Other Information Services

NAICS: 541 – Professional

Scientific

Technical Services

NAICS: 518 – Computing Infrastructure Providers

Data Processing

Web Hosting

Related Services

NAICS: 51 – Information

Denis

Blog: Sucuri

Phishing

Brute Force: Password Guessing

Brute Force

Associated Indicators: