secure your WordPress in 11 steps

Looking ways to secure WordPress website?

If you are not confident about your WordPress website security, this post will help you understand security threats and how you can make your site more secure.

To begin with, you should know that WordPress’s core software is itself is very secure as hundreds of developers work on it with security being their primary focus.

Still google blacklists 20,000 websites for malware and around 50,000 for phishing each week. Now why is that?

WordPress is one of the worlds most popular content management system powering more than 43% of the world’s websites.

WordPress’s popularity is why it is so prone to security and malware threats.

The WordPress Security team works tirelessly to prevent & neutralize any threat or vulnerability in the WordPress Core software secure by rolling out regular updates.

Still there are things that you can do to further ensure that your website remains safe and out of harm’s way.

WordPress Security

WordPress Security

In this guide, you will find the best practices & tips on how you can make your WordPress website secure.

A Secure WordPress Websites -Why is it Important?

When a Website is hacked, it is blacklisted by google. This can seriously damage your reputation, harm your business in terms of revenue and scare away your traffic. 

Hackers can harm in a variety of ways:

  • Steal user information
  • Steal/change your password
  • Install or distribute malicious and harmful content on your website
  • Corrupt your files
  • Decrease the speed of your website

You need to be careful or you might end up negotiating ransom with the hackers.

Types of Threats & What They Mean

Before we jump into secure WordPress, we need to understand the different types of security threats first.

Below are the common WordPress security threats:

Backdoor: The attacker uses loophole instead of following the authentic way to access your website, without the owner finding out about this breach.

Hackers leave the backdoor so that they can regain access after they have been once removed.

Malware: are malicious software purposely designed to harm your website, there is a vast variety of malware out there all differing in their potential to harm your website.

Spam: These are messages that are sent to a large number of websites. They often contain links that lead to other websites (ads) or even illegal and harmful pages.

Hacktools: Exploit or DDOS tools used to attack other sites.

Phishing: Used in phishing lures in which attackers attempt to trick users into sharing sensitive information (i.e login information, credit card data, etc.)

Malware Family Distribution, Stats by Scurri -2017
Malware Family Distribution, Stats by Sucuri -2017

Broadly at WordPress Support Desk, we categorize WordPress security measures into the following two things:

secure WordPress chart

1- Use SSL to Encrypt Data

SSL stands for Security socket layer, Which is a very effective and useful way to secure your WordPress admin panel.

Use SSL to Encrypt Data for secure site transactions

An SSL certificate ensures that your website’s data is safely being transferred between browsers and web servers. This helps your website against hackers in the following way.

  • Difficulty of breach
  • Problem gaining access
  • Trouble make a connection with your website

secured protocol

Now search engines like Google give sites that have SSL certificates SEO ranking which leads to more traffic and business for such sites.

2- The Role of WordPress Hosting

WordPress hosting plays an important role to secure WordPress. You should choose your hosting service provider very carefully depending on your website needs.

There are four types of WordPress hosting:

  • Shared WordPress hosting
  • Managed WordPress hosting
  • Dedicated WordPress hosting
  • Cloud WordPress hosting

If you are serious about your website and about its security, the first thing that you need to do is invest in your website hosting.

It doesn’t really matter what type of hosting you choose just make sure that you choose a company that comes with a good reputation. 

One thing is for sure that investing in your WordPress websites hosting with a good company is something that you would not regret later. 

3- Best WordPress Security Plugin

Since WordPress powers such a large chunk of websites in the world, this leaves it vulnerable to all sorts of threats.

In order to keep your website out of harm’s way, you need to take as many steps as you can & installing good security plugins is one of them.

You will find hundreds of security plugins in the WordPress repository. We have a list of our top 3 security plugins.

1- Sucuri – Website Firewall
2- iThemes Security
3- Word Fence

Plugins like Sucuri are a blessing. They add an extra protective layer around your website, filtering all the traffic before it gets to you allowing only authentic visitors to get to you. 

There are other plugins that you can install to scan your website for viruses, infected files, spams, brute force attacks, etc. They can prove to be incredibly helpful when your website gets attacked. See our Ultimate list of tried and tested plugins.

4- Keep Regular Backups:

This is another vital step you need to take in order to secure your WordPress website. Keep regular backups of your website.

Now to state the obvious, backs ups are as important to your website as insurance is to your car. If you have regular backups of your website, it means that all of your data is stored safely.

So in case of breach of security or hacking, in which you end up losing access to your website or lose your website entirely, you can recover all your data and start again.

There are three ways in which you can take backup:

  1. Backup WordPress via Plugins
  2. Backup WordPress Manually 
  3.  Backup WordPress Through WordPress Maintenance Services 

5- Keeping WordPress Regularly Updated

Update your WordPress to keep it secure

WordPress is a software that has a lot of world-class developers behind it. So every now and then they come up with an update, fixing bugs, improvements and even core updates that fill out security patches. In other words updates are good for you and your website. 

You should keep your website regularly updated. Luckily, updates can be done automatically and if not, you can manually do them in just a couple of clicks. Keeping your WordPress core up-to-date would apply all the new security patches that have been released to your website. 

We are not sure why but users are generally not very found of updates. Hackers use this to their advantage, they exploit it to their benefit by using already solved bugs to hack websites that have not yet been updated.

Only about 49% of the WordPress websites are up to date which puts them all at risk of being hacked.

To check your if there are any new updates

Dashboard >> Updates 

The best and the easiest thing that you can do is to regularly update your website’s theme and plugins. WordPress automatically roles out updates for its users. 

But we would suggest that you keep an eye on it as risk reduction, you never know when things may go wrong. 

Whenever there is an update in the core software of WordPress it appears like this. 

update WordPress regularly

And as for the plugins you can change the default setting to update automatically instead of keeping it manually.

Set WordPress to auto update for security

If you have a huge website or are using if for business we would suggest that you look into hiring WordPress maintenance services

6- Disable File Editing

WordPress themes and plugins can be edited easily from your WordPress admin area which is a really cool feature until your website falls into the wrong hands and they are able to do the same.

They can mess with your file by changing them or injecting your files with malicious code or links.

We would suggest that you disable this feature as it is a potential threat in a secure WordPress website.

And for that all you need to do is add this in your wp-config.php file which is the root folder where WordPress is located

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

7- Strong Password & User Permission

According to a report by Panda Security 81% of attacks are based on insecure or stolen passwords. getting hold of someone’s password is the easiest way to hack a website. 

Once a hacker gets hold of your password, all they have to do is login and change it. And there your website has been hacked!

To avoid this here is a list of does and don’t you should consider while deciding upon a password. 

  • Use at least 12 characters in your password (perhaps mix it up a little with Upper & lower caps letters and symbols)
  • Use two factor authentication
  • Regularly update/change your passwords
  • Do not keep the same password of everything
  • Don’t keep you account logged in all the time (especially in office settings where anyone can use your computer)
  • Install this plugin, limit login attempts reloaded. This will protect you from brute force attack.
  • Brute force attack is when a hacker opens your login page and starts trying out different passwords with different combinations. According to a report 8% of the websites are hacked because of weak passwords.

8- Use 2-factor Authentication

Two-factor authentication means that instead of you log into your account with your password only, you add an additional step. Now that step could be any of the following steps:

  • Something that you are.
  • What only you know.
  • Something that you have.

secure your website with two factor authentication

The problem with the generally used single factor (password) authentication is the single step, the passwords, that can easily get leaked, stolen & even guessed.

And once your password is gone consider your entire website gone.

You can add your bio-metric (something that you are) details like you thumbprint & face recognition (like iPhones).

In this case, even if someone has your password they won’t be able to log into your website without you personally being there.

Another thing that you can do like Gmail and Facebook is to use something that you have. Like your mobile phone on which you get a code or your email address on which you receive a verification Email. 

The third could be something that you know, like a question. That only you know the answer too. 

The WordPress Team once said that weakest link to your WordPress security is your Password. Two-factor authentication can help you prevent situation, where your password is stolen and you end up losing access to your website.

9- Rename Your Login URL to Secure Your WordPress Website

By default all the WordPress database have this:

Normally people don’t change this. But we would suggest that you change this prefix to something else due to the following security reasons.

Firstly if you have a different database prefix it would protect you from these obnoxious SQL injections and later from brute force attack.

Hackers generally follow the standard queries when they attack a website. Now if your database details are different they will face an error.

Otherwise, it becomes one less piece of information they need to hack your website. You can simply change it to your name or anything that you feel like but not to predictable. Be creative its for your own security!

10- Change the Default “admin” Username

Often hackers try their luck out by brute force attacks, they open your login page and try out random usernames and passwords.

The default username that you get is ‘Admin’. You can change it to your name or your email address or something that is less obvious. Which we would suggest you do.

So the first thing they need is to guess the right username. And if you haven’t changed your username from the default one, it becomes one less thing that they need in order to succeed at hacking your website.


How do I change my username?

There are basically three ways to change your username, however we will only discuss one in this guide. The manual method of changing your user name.

You have no direct option in WordPress to change your username but there is a way around it.

You need to open USERS from your dashboard navigation menu. 

Dashboard > > Users > > Add New

Fill in the required information. You are going to have to add a different email address for this new user. (you can change it back to the original one once this process is complete). 

It goes without saying but make sure that you add a strong password. And give this user administrative role.


Once you have completed this process you can change the email address of the new user to the one that you used in the other account. 

Changing the user name alone does not mean that you are completely out of harm’s way. But its a small strategic action in your battle against hackers.

It’s better to take the fate of your website in your own hands rather than leaving at the mercy of hackers and luck.

Once this new user has been added. You have to login using this new username and delete the default user by hovering over its name like this:


Once you click on delete user you will see this page, transfer all the data from this account to the new one you made by checking the box that says ‘attribute all the content to the new user’ that you made.  


11- Hide Your WordPress Version Number

WordPress’s software leaves a footprint of its version on your site, which tells the outside world information about the version of WordPress being used on your website.

Now for normal traffic, it would mean nothing for prying eyes, this is valuable information that they can use and exploit in order to hack your website. 

There are certain bugs that have already been taken care of in the update but you are still facing them since you haven’t updated yet. And this is exactly the lope hole that hackers are looking for. They will manipulate this bug to damage your website.

This is one of our risk reduction strategies as this is not solely strong enough for the elimination of threats. 

There are three places on your website where the version number appears:

  • The generator meta tag in the header
  • Query strings on scripts and styles
  • The generator tag in RSS feeds

You just need to add this one code by developer Frankie Jarrett in your functions.php file and all the WordPress version on your website will be hidden from public eye.  

/* Hide WP version meta tag from header and generator tag from feeds * @return null * @filter the_generator */
function fjarrett_remove_wp_version_tag() { return null;
add_filter( 'the_generator', 'fjarrett_remove_wp_version_tag' ); /* Hide WP version strings from scripts and styles * @return {string} $src * @filter script_loader_src * @filter style_loader_src */
function fjarrett_remove_wp_version_strings( $src ) { global $wp_version; $parts = explode( '?', $src ); if ( $parts[1] === 'ver=' . $wp_version ) { return $parts[0]; } else { return $src; }
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );


We have acknowledged two facts in this guide if you want to secure WordPress:

  1. The importance of having a secure WordPress website.
  2. The constant security threats to a website 

Keeping in view these two facts our advice would be that you keep regular backups of your website as well as the data base as a top priority.

Applying Murphy’s law, Anything that can go wrong, will go wrong. So, worst case scenario a hacker gets into your website, at least you’ll have a clean copy of your website to reinstall.

Keep an eye on your WordPress site health score and contact your website hosting provider who will help in making your website more secure.

Also feel free to email us if you need any WP Support.

Professional Blog Setup Service In Just $79

Hate wasting time? Our expert blog setup service will save you time & $$$.

Click here to start

You will Get

  • Hosting selection advice
  • WordPress installation
  • Premium theme
  • Contact form setup
  • Pro security plugin
  • Yoast SEO plugin initial setup
  • Speed optimization

Want to Learn More?

Here is the list of few other guides that will help you master WordPress.


You might also like this video

Leave a Reply