How To Secure WordPress Website? WordPress Security Guide

WordPress is globally the most popular website builder, used to build more than 37% of all websites on the internet.

That said, just building your website isn’t enough. It is very important that you do regular website maintenance.

Your website’s security is one of the most important parts of website maintenance. Let’s look at how you can harden your website and make it more secure.


21 ways to secure your website


In this article, we’ll discuss how to secure a WordPress website using the most convenient methods.

The methods are listed below:

Password Security

This is the first and one of the most crucial steps in securing your account.

Strong password protection will help you avoid hackers who often use stolen passwords to attempt to log in to your website.

The older your account is, the more at risk it is, because its security setup is just as old. With strong passwords, attackers have to put in more effort, so there’s a good chance they’ll move on to the next target instead.

Make sure your WordPress website is fully password protected. Use strong passwords for your login, admin area, FTP account and WordPress hosting account.


Backup Plans And Regular Updates

It is unbelievable to see how many people do not follow a regular backup routine.

Surveys show that 73% of people do not keep their websites backed up. Backups act as a defense mechanism against malware attacks and also help you restore all your files if someone hacks into your account.

Regular updates also help in increasing your security because, with each update, WordPress works to enhance its security system.

You can also install either a free or paid WordPress backup plugin to help backup your website.


Security plugins

While on the topic of plugins, it is a must that we talk about security plugins.

WordPress provides a range of free and paid security plugins that allow you to maintain the full security of your website.

They often provide you with password management facilities and have a support team ready just to assist you with any of your security issues.

Such plugins and support systems also help you restore most of your data if your website gets hacked.

Web Application Firewall (WAF)

Web Application Firewalls are a reliable way of securing your WordPress website.

These firewalls drive away unusual traffic even before it reaches your website. There are two types of such firewalls —

  • DNS Level
  • Application Level

A DNS-level website firewall routes your website’s traffic through the provider’s cloud servers, which filter it and forward only the remaining legitimate traffic to your web server.

An application-level website firewall, on the other hand, comes as a plugin that examines your website’s traffic after it reaches your server but before most of your WordPress scripts have finished loading.

Moving site to SSL or HTTPS

The Secure Sockets Layer (SSL) is a method of encrypting the data your website sends and receives.

When your SSL is turned off, your website is in an HTTP address but when SSL is enabled, your website’s URL will shift to HTTPS and a padlock icon will be displayed beside it.

To make SSL work, you will need an SSL certificate.

WordPress makes it easy to set up an SSL certificate obtained for free from third-party organizations. Nowadays, many WordPress hosting providers also include free SSL for WordPress websites.

Disable file editing

WordPress offers its users full freedom over their websites. The users can change the website theme or add or remove any plugin from their system.

To help you carry out such tasks, WordPress comes with a built-in code editor.

The user-friendly WordPress dashboard enables you to edit your code from your admin area. But such a feature also poses a threat to your website security — meaning that it’s wise to disable file editing.

An easy one-click method to do so is to use the Hardening feature that you get using the free Sucuri plugin.

Disable PHP file execution for some directories

Not every WordPress directory needs PHP file execution.

So, to further increase your security, it is a good step to disable such PHP file executions from the directories where it is deemed unnecessary.

For example, to disable execution in /wp-content/uploads/, you first have to open a text editor and paste the following (a Files block is needed so that only PHP files are denied; a bare "deny from all" would also block the images in the folder):

<Files *.php>
# On Apache 2.4, use "Require all denied" instead of "deny from all"
deny from all
</Files>

Then save the file as .htaccess and upload it to the folder you want to protect using an FTP client, and your job is done.

Limit login attempt number

Normally, WordPress allows you to attempt to log in as much as you want without any ban.

This makes things easy for users, but, as we mentioned earlier, hackers use stolen passwords to attempt to log in, so this feature only adds to the risk by allowing them unlimited login attempts to get into your account.

So, if you limit the number of times you can log in, it’ll also act as a barrier from such hackers.

Using the web application firewall already takes care of this task for you, but if you do not use WAF, you can easily do this with other plugins.
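If you would rather not rely on a plugin, the same limit can be enforced with a few WordPress hooks. The following must-use plugin is an added example, not code from this article or from any published plugin; the threshold, lockout length and function names are assumptions.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example, not a published plugin)
 * Drop into wp-content/mu-plugins/. Locks a client address out for
 * LIMITER_LOCKOUT_SECONDS after LIMITER_MAX_ATTEMPTS failed logins,
 * using WordPress transients as the counter store.
 */

const LIMITER_MAX_ATTEMPTS    = 5;    // assumed threshold
const LIMITER_LOCKOUT_SECONDS = 900;  // 15-minute lockout, assumed value

// Key the counter on the client address. REMOTE_ADDR is only trustworthy
// when your server or proxy sets it; do not trust X-Forwarded-For blindly.
function limiter_transient_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'login_fail_' . md5( $ip );
}

// WordPress fires wp_login_failed with the attempted username.
add_action( 'wp_login_failed', function ( $username ): void {
    $key      = limiter_transient_key();
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, LIMITER_LOCKOUT_SECONDS );
    error_log( sprintf( 'Failed login for "%s" (attempt %d)', $username, $attempts ) );
} );

// Refuse authentication while the counter is at or above the threshold.
// Priority 30 runs after the core username/password check (priority 20).
add_filter( 'authenticate', function ( $user, $username ) {
    $attempts = (int) get_transient( limiter_transient_key() );
    if ( $attempts >= LIMITER_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins; try again in %d minutes.', LIMITER_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}, 30, 2 );

// Clear the counter after a successful login so a legitimate user is not penalised.
add_action( 'wp_login', function (): void {
    delete_transient( limiter_transient_key() );
} );
```

Because the counter is keyed per address, visitors behind one shared NAT address share a lockout; a per-username counter is the usual complement.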

Two-factor authentication

Two-factor authentication is a common security technique found in almost every kind of web platform.

It adds a security check to the login by sending a confirmation code to your phone number or email.

This is a very easy way of securing your account, even for those still climbing the WordPress learning curve.

WordPress offers two-factor authentication in the form of plugins (both free and paid).

Change admin username and login URL

‘admin’ is the default username WordPress assigns to the administrator account. As it has been the same for quite some time, hackers use this knowledge to launch various attacks.

But you may run into a problem while trying to change it, because WordPress doesn’t allow this change by default. There are three ways to solve this:

  • Use a username changer plugin
  • Delete the old username and create a new one
  • Update the username from phpMyAdmin

Just like the username, your default login URL can be a risk to your security. This can easily be changed with the WPS Hide Login plugin, and the fun part is that you can set it to anything you want.

Disable XML-RPC

XML-RPC is a WordPress feature that allows data to be transmitted across networks using HTTP as the transport mechanism.

Although the WordPress 3.5 update enabled this feature by default, many people have no use for it, and it carries risks.

Enabling this feature means your data can be transmitted smoothly, but it also amplifies the risk of brute-force attacks from hackers.

Hackers can use the system.multicall method of this interface to try thousands of different password combinations with only a handful of login requests, whereas disabling it means such attempts can be blocked from the very start.
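The hardening described above can be done without a plugin through WordPress’s own filters. This must-use plugin is an added example, not code from this article or any published plugin; the XMLRPC_HARDEN_DISABLE_ALL constant is an assumed setting.

```php
<?php
/**
 * Plugin Name: XML-RPC hardening (added example, not a published plugin)
 * Place in wp-content/mu-plugins/. Set XMLRPC_HARDEN_DISABLE_ALL to true to
 * reject every authenticated XML-RPC call, or leave it false to keep XML-RPC
 * but remove the methods that matter most for brute forcing and pingback abuse.
 */

const XMLRPC_HARDEN_DISABLE_ALL = false;   // assumed setting

if ( XMLRPC_HARDEN_DISABLE_ALL ) {
    // Core checks this filter inside its login() routine, so it only blocks
    // methods that require credentials; pingback.ping never logs in and is
    // therefore handled separately below.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Remove methods from the server's method table. system.multicall lets one
// HTTP request carry many wp.getUsersBlogs calls, each with a different
// password guess, which is the amplification the text warns about.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and
// report pings as closed so themes omit the <link rel="pingback"> tag.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
add_filter( 'pings_open', '__return_false' );
```

Check the result by requesting xmlrpc.php with a system.listMethods call and confirming system.multicall is no longer listed.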

Auto signout for idle users

When you have multiple users on your account, your data can be accessed from any of those user accounts or devices.

This means that if their security is not strong, your strong website security will mean nothing.

So, to lower the risks from such users, WordPress offers many different plugins that let you set a time limit after which idle users are automatically logged out of your site.

A good recommendation for one such plugin is called Bulletproof Security.
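For sites that prefer not to add another plugin, idle logout can be implemented with a last-activity timestamp in user meta. This must-use plugin is an added example, not code from this article or from the Bulletproof Security plugin; the time limit and meta key name are assumptions.

```php
<?php
/**
 * Plugin Name: Idle session logout (added example, not a published plugin)
 * Place in wp-content/mu-plugins/. Logs a user out after IDLE_LIMIT_SECONDS
 * without a request, tracking the last activity time in user meta.
 */

const IDLE_LIMIT_SECONDS = 900;              // 15 minutes, assumed value
const IDLE_META_KEY      = '_last_activity'; // assumed meta key name

add_action( 'init', function (): void {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, IDLE_META_KEY, true );
    $now     = time();

    if ( $last > 0 && ( $now - $last ) > IDLE_LIMIT_SECONDS ) {
        // Stale session: remove the auth cookies and send the user back to
        // the login screen with a reason. The meta is deleted so the next
        // login starts with a fresh timer.
        delete_user_meta( $user_id, IDLE_META_KEY );
        wp_logout();
        wp_safe_redirect( add_query_arg( 'reason', 'idle', wp_login_url() ) );
        exit;
    }
    // Active session: record this request as the latest activity.
    // Note the timer is per user, not per device, so activity on one
    // device keeps the same account's other sessions alive.
    update_user_meta( $user_id, IDLE_META_KEY, $now );
} );

// Show a short notice on the login form after an idle logout.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['reason'] ) && 'idle' === $_GET['reason'] ) {
        $message .= '<p class="message">You were logged out after a period of inactivity.</p>';
    }
    return $message;
} );
```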

Security questions

To further add to your website security, you can add security questions to your WordPress login page.

Just like two-factor authentication, this is another step to make your security stronger.

WordPress provides a plugin called WP security plugin that allows users to add such questions to their login page for free.

The question can be set to anything you want, for example — What was the name of your first pet? etc.

Malware scans

As if hackers weren’t enough, you also need to worry about malware.

But to make things easier, having a website built with WordPress means that you will get top-quality support from WordPress security teams.

Also, since WordPress is open-source software, malware can be identified and removed from the system relatively easily with the right support.

To do so, you can install a WordPress security plugin with regular scan features or use a third-party malware scanning software for free.

Protect wp-config.php file

The wp-config.php file holds utmost importance in your website’s root directory.

Securing this file means you can breathe a sigh of relief, because it means the core of your WordPress site is secure.

The best way to do this is rather simple: instead of the root directory, store your wp-config.php file in another location.

As this is a high-priority file, WordPress can still find and access it, but hackers cannot, so it helps increase your website’s security.

Directory permissions need to be set carefully

Directory permissions play a large role in your website’s security. If you use shared hosting, setting the wrong permissions may cost you heavily.

To do it correctly, we suggest you set file permissions to 644 and directory permissions to 755.

This change can be done using the file manager in your hosting control panel or via the ‘chmod’ command in a terminal connected over SSH.

Disable listing with .htaccess

Hypertext access (.htaccess) is a file that allows you to configure a particular directory of your website.

If directory listing is enabled for that directory, visitors can easily see and open every file in it without needing a password or any other login information.

This can be done simply by typing the directory’s address into a web browser.

But to prevent that security disaster from happening, you can add the line ‘Options All -Indexes’ to your .htaccess file and you’re good to go.

All hotlinking must be blocked

Hotlinking is the act of embedding your website’s resources, such as images or videos, on another site, so that your bandwidth is used to serve them.

It is a must to block all sorts of hotlinking on your WordPress website to maintain good security.

If people start hotlinking your website’s images or other such assets, your website’s bandwidth will be stolen — meaning that your website will lose its loading speed and become slower for your audience.

This can easily be blocked using yet another security plugin such as All In One WP Security And Firewall.

Protection against DDoS attacks

DDoS, or Distributed Denial of Service, is a form of cyber-attack in which the perpetrator denies users access to a specific network or service.

Such an attack can easily overload your server, and its main goal is to make your site crash for a long period of time if it is not dealt with quickly.

The attacks are conducted by cyber-terrorists with no serious motive other than making people suffer.

And so, such attacks are common against any user, not only large companies. It is important that you understand such attacks and use one of the many WordPress security plugins to help protect against them.

Hide your WordPress version

It is very easy for just about anyone to find your WordPress version through your website’s source view.

If hackers know this version, it is a piece of cake for them to plan the most efficient attack on your website.

So, it is a very good security step to hide this WordPress version number.

Almost all WordPress security plugins give you easy ways to carry out this task. Other than that, you can also do it manually for extra security by removing the version from the RSS feeds as well.
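The manual route uses a handful of core hooks: one action and one filter for the generator tag in the HTML head and the feeds, plus two filters for the version query string on core assets. This must-use plugin is an added example, not code from this article or any published plugin; the hidever_ function name is an assumption.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not a published plugin)
 * Place in wp-content/mu-plugins/. Removes the generator tag from page heads
 * and RSS/Atom feeds and strips the ?ver=<core version> query string that
 * WordPress appends to core script and style URLs.
 */

// The <meta name="generator"> tag printed into the HTML head.
remove_action( 'wp_head', 'wp_generator' );

// Feeds and the head both go through the_generator(); an empty string
// blanks the version in every context, feeds included.
add_filter( 'the_generator', '__return_empty_string' );

// Core assets are enqueued with ?ver=<WordPress version> unless the asset
// declares its own version; drop the parameter only when it equals the core
// version, so plugin and theme cache-busting versions are left intact.
function hidever_strip_core_version( $src ) {
    if ( ! is_string( $src ) || strpos( $src, 'ver=' ) === false ) {
        return $src;
    }
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( ! $query ) {
        return $src;
    }
    parse_str( $query, $params );
    if ( isset( $params['ver'] ) && $params['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'hidever_strip_core_version' );
add_filter( 'script_loader_src', 'hidever_strip_core_version' );
```

Verify by viewing the page source and the /feed/ output and confirming that neither contains a generator line with the version number.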

Change WordPress database prefix

By default, WordPress uses the ‘wp_’ prefix to name the tables in your database. This gives hackers the advantage of being able to guess such names easily and break into your database.

This also allows hackers to execute a well-planned DDoS attack.

So, it is recommended that you change the database prefix, and that you do so carefully in your wp-config.php file, because if it goes wrong it will break your website.

To Wrap Up

There are four main layers to your website security:

1. Secured hosting
2. Secured login
3. Secured admin dashboard
4. Secured website database

We have covered most of it but some other methods also exist, such as monitoring your audit logs, etc.

By following these steps, you are making sure that your WordPress websites receive the highest level of security. But to end, we must remind you to choose a good WordPress hosting provider, because your website’s security starts with your host.
