21 Best WordPress Security tips to Secure Your Website

Here is a list of 21 WordPress security tips; implementing them makes your site much harder to compromise in a hacking attack.

1. Make Your Password Strong

The password is the first thing that stands between an attacker and your admin panel. Many users choose a password based on their name, email address, date of birth or something else related to them, and attackers build guess lists from exactly that information.

So when you create your website using WordPress, make sure you have created a strong enough password that no one can guess easily.

To build your password, use capital letters, lowercase letters, numbers and special characters, and make it at least 14 characters long so that it is hard to guess.

2. Limit the Login Attempts

Hackers use brute force attacks to break into WordPress sites. To prevent this, use the Login Lockdown plugin, which blocks a user from logging in to the site after a number of failed attempts.

You can set the maximum number of login attempts for your admin login page. Once someone reaches that limit, further login attempts from them are blocked. This is very helpful against unauthorized manual login attempts.

You can also set this limit by installing the WPS Limit Login plugin in your WordPress. It has a lot of features and is updated regularly, so you don't have to worry about anything after installing it.
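If you prefer not to add a plugin for this, the same lockout logic is only a few lines of PHP. The following is an added example (not code from this article or from either plugin it mentions) that blocks a client IP for 15 minutes after 5 failed logins using WordPress's own hooks and transients; the limits, the plugin name and the function names are my own choices.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 * Description: Added example (not the article's code). Blocks a client IP for
 *              15 minutes after 5 failed logins using WordPress hooks and transients.
 * Install as wp-content/mu-plugins/example-login-lockout.php
 */

const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;       // failed logins before lockout (assumed policy)
const EXAMPLE_LOCKOUT_SECONDS      = 15 * 60; // length of the lockout window

// One transient per client IP. REMOTE_ADDR is only trustworthy if the web server
// sets it to the real client; behind a proxy/CDN, fix that first.
function example_lockout_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_lockout_' . md5($ip);
}

// Count a failed attempt. wp_login_failed fires for every wrong password.
add_action('wp_login_failed', function ($username): void {
    $key      = example_lockout_key();
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, EXAMPLE_LOCKOUT_SECONDS);
    // Failed logins are a useful detection signal: keep them in the server log.
    error_log(sprintf('login failed for "%s" from %s (attempt %d)',
        $username, $_SERVER['REMOTE_ADDR'] ?? '?', $attempts));
});

// Refuse authentication while locked out. Priority 30 runs after WordPress's own
// password check (wp_authenticate_username_password runs at 20), so even a
// correct password is rejected during the lockout window.
add_filter('authenticate', function ($user, $username, $password) {
    $attempts = (int) get_transient(example_lockout_key());
    if ($attempts >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS) {
        return new WP_Error(
            'example_locked_out',
            'Too many failed login attempts. Please try again in 15 minutes.'
        );
    }
    return $user;
}, 30, 3);

// Clear the counter once a login succeeds.
add_action('wp_login', function (): void {
    delete_transient(example_lockout_key());
});
```

Drop the file into wp-content/mu-plugins/ and it is active without activation. Every further failed attempt during the lockout resets the 15-minute window, so a running brute-force attempt keeps itself locked out. A lockout keyed on REMOTE_ADDR is only as good as that address: on hosts behind a proxy or CDN, make sure the real client IP reaches PHP, or every visitor will share one counter.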

3. Use 2-factor Authentication (2FA)

Two-factor authentication adds an extra layer to the login process: after the password, you must also enter a code that is generated by email, generated by an authenticator app, or sent as a one-time password (OTP) by SMS.

2FA is available in WordPress, but to use that feature you have to enable the WordPress.com login in Jetpack.

You can also enable it by installing the Google Authenticator plugin. It has a lot of features and is free forever for one user. If you want to use it for more than one user, you can upgrade it.

4. Change Your wp-admin URL

WordPress gives every installation the same default admin login page, www.yourwebsite.com/wp-admin.

That means anyone who wants to open your admin login page can simply add /wp-admin to your website address.

If they then succeed in guessing your username and password, they are inside your admin area.

So, do you want anyone to be able to reach your admin login page that easily?

If not, change your WordPress admin page URL right away.

The change is simple and needs no coding: install WPS Hide Login and change your /wp-admin URL.

5. Scan Your Website Weekly

WP Security Scan is a recommended plugin for protecting a WordPress site and detecting malicious code. Whenever you run it, it scans the whole site for injected malicious scripts and code. If anything is found, the scan result shows a list of problems and states "You do not have a stable version of WordPress". Fix the reported problems immediately.

6. Always remove Unused Themes and Plugins

Plugins are excellent gateways for hackers because they often contain vulnerabilities that attackers and malicious code are known to exploit.

That means the more plugins you use, the more exposed you are to hacking attacks.

If a plugin is not absolutely necessary, do not use it. When a plugin or theme is no longer in use, deactivate and delete it promptly.

Yes, even deactivated plugins and themes can be used as back doors into your site, because their files are still on the server.

So look through your theme and plugin directories. Can you find any inactive plugin or theme?

Delete them completely!

7. Limit wordpress admin access by IP address

Any visitor with web access can open your site's login page and take a guess at your admin password. If they get it right, they have full control of your site.

What you can do is restrict the WordPress admin folder so that only your computer, or a small group of computers, can reach it. To limit access by IP, create an .htaccess file in your /wp-admin/ folder (not in the WordPress root) containing the following:

# Apache 2.2 access syntax (mod_access_compat on Apache 2.4): deny everyone, then allow listed addresses
order deny,allow
deny from all
# allow your first IP address (replace the placeholder with your real address)
allow from XX.XX.XXX.XXX
# allow a second IP address (repeat this line for each additional address)
allow from XX.XX.XXX.XXX

To find your public IP address, just google "what's my IP". Once this is in place, visitors whose IP address is not on the allow list will see a 404 message if they try to access your admin area or login page.
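The .htaccess above only works on Apache with AllowOverride enabled, and because admin-ajax.php also lives under /wp-admin/ it can break front-end features that rely on it. Here is an added example (not the article's code) that enforces the same allow list from PHP instead, so it works on nginx hosts too, skips admin-ajax.php, and responds with HTTP 403 Forbidden. The address list, the constant and the function names are mine; the addresses are RFC 5737 documentation ranges used as placeholders.

```php
<?php
/**
 * Plugin Name: Example Admin IP Allowlist
 * Description: Added example (not the article's code). Allows wp-admin and
 *              wp-login.php only from listed IPv4 addresses or CIDR ranges.
 * Install as wp-content/mu-plugins/example-admin-allowlist.php
 */

// Placeholder addresses from RFC 5737. Replace them with your own BEFORE enabling,
// or you will lock yourself out of your own dashboard.
const EXAMPLE_ADMIN_ALLOWLIST = ['203.0.113.10', '198.51.100.0/24'];

// True if the IPv4 address equals an entry or falls inside one of the CIDR ranges.
function example_ip_allowed(string $ip, array $allowlist): bool {
    $addr = ip2long($ip);
    if ($addr === false) {
        return false; // not IPv4 or malformed: deny by default
    }
    foreach ($allowlist as $entry) {
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        $netAddr = ip2long($net);
        $bits    = (int) $bits;
        if ($netAddr === false || $bits < 0 || $bits > 32) {
            continue; // skip malformed entries instead of silently allowing them
        }
        $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
        if (($addr & $mask) === ($netAddr & $mask)) {
            return true;
        }
    }
    return false;
}

function example_enforce_admin_allowlist(): void {
    // admin-ajax.php is under /wp-admin/ but is used by logged-out visitors
    // (contact forms, themes); blocking it by IP breaks the public site.
    if (wp_doing_ajax()) {
        return;
    }
    // REMOTE_ADDR must be the real client address. Behind a proxy or CDN, configure
    // the server to restore it first, otherwise every visitor shares the proxy's IP.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!example_ip_allowed($ip, EXAMPLE_ADMIN_ALLOWLIST)) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}
add_action('admin_init', 'example_enforce_admin_allowlist'); // every /wp-admin/ page
add_action('login_init', 'example_enforce_admin_allowlist'); // wp-login.php
```

Test it from a second network (for example a phone on mobile data) before relying on it: the whole point is that an address not on the list gets the 403, including yours when you travel, so keep SSH or FTP access as a way to edit the list.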

8. Change the username “admin”

By default WordPress offers "admin" as the administrative username for every WordPress blog. Everyone knows this, so an attacker is already one step ahead: they only have to brute-force your password. If your default username has not been changed, change it as soon as you have finished the installation.

Another point to consider: do not pick a guessable username that matches your own name or your website's name.

Why make it one step easier for unauthorized users? With a known username, they only have to guess your password.

But there is one thing to know: you can't change the username after installing WordPress, so choose it during the installation process.

9. Use strong passwords for all admin accounts

Admin123, cool123 and many similar easy-to-remember passwords are also easy for hackers to guess. A few simple precautions make your password much more secure. What can you do?

  • Use reversed words in your password, e.g. rednow (the reversed word for wonder)
  • Use both upper and lower case in your password, e.g. RedNow
  • Use special characters in your password, e.g. Red#@n)w

Make it a habit to change the password every now and then. You can also use a password manager like KeePass to store your long, unmemorable passwords in encrypted form on your computer.
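To enforce the advice from tips 1 and 9 rather than hope every administrator follows it, here is an added example (not the article's code) of a must-use plugin that rejects any new or reset password shorter than 14 characters, missing one of the four character classes, or containing the username; the names and the policy values are my choice.

```php
<?php
/**
 * Plugin Name: Example Password Policy
 * Description: Added example (not the article's code). Enforces 14+ characters,
 *              upper and lower case, digits and special characters, and no username
 *              inside the password, whenever a password is set or reset.
 * Install as wp-content/mu-plugins/example-password-policy.php
 */

const EXAMPLE_MIN_PASSWORD_LENGTH = 14; // assumed policy value (the article's "14+")

// Return the list of unmet requirements; an empty list means the password passes.
function example_password_problems(string $password, string $username = ''): array {
    $problems = [];
    if (strlen($password) < EXAMPLE_MIN_PASSWORD_LENGTH) {
        $problems[] = sprintf('at least %d characters', EXAMPLE_MIN_PASSWORD_LENGTH);
    }
    $classes = [
        '/[A-Z]/'        => 'an upper-case letter',
        '/[a-z]/'        => 'a lower-case letter',
        '/[0-9]/'        => 'a digit',
        '/[^A-Za-z0-9]/' => 'a special character',
    ];
    foreach ($classes as $re => $need) {
        if (!preg_match($re, $password)) {
            $problems[] = $need;
        }
    }
    // Reject the username (or its reverse) inside the password; skip very short
    // usernames, which would otherwise appear in almost any password by accident.
    $user = strtolower($username);
    if (strlen($user) >= 3) {
        $lower = strtolower($password);
        if (strpos($lower, $user) !== false || strpos($lower, strrev($user)) !== false) {
            $problems[] = 'not to contain the username';
        }
    }
    return $problems;
}

// Profile edits and new-user creation in wp-admin post the new password as
// pass1; an empty value means the password is unchanged.
function example_enforce_password_policy(WP_Error $errors, bool $update, $user): void {
    $password = isset($_POST['pass1']) ? (string) wp_unslash($_POST['pass1']) : '';
    if ($password === '') {
        return;
    }
    $problems = example_password_problems($password, (string) ($user->user_login ?? ''));
    if ($problems) {
        $errors->add('example_weak_password',
            'The password needs ' . implode(', ', $problems) . '.');
    }
}
add_action('user_profile_update_errors', 'example_enforce_password_policy', 10, 3);

// The same check on the "lost password" reset form.
add_action('validate_password_reset', function (WP_Error $errors, $user): void {
    $password = isset($_POST['pass1']) ? (string) wp_unslash($_POST['pass1']) : '';
    if ($password === '') {
        return;
    }
    $problems = example_password_problems($password, (string) ($user->user_login ?? ''));
    if ($problems) {
        $errors->add('example_weak_password',
            'The password needs ' . implode(', ', $problems) . '.');
    }
}, 10, 2);
```

The policy function is kept separate from the hooks so it can be reused (for example in a WP-CLI script that audits existing accounts when they next log in) and tested on its own: example_password_problems('Red#@n)w', 'editor') returns two problems (length and, because the sample is under 14 characters, nothing else), while a 14-character password with all four classes returns an empty list.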

10. Change the default table prefix in the WordPress database.

WordPress uses a predefined prefix for its database tables so that they can be distinguished from other tables in the same database. The default prefix is "wp_". It is best to change it to another prefix so hackers can't attack your database as easily.

For a new WP installation, you can change the table prefix in the "wp-config.php" file (you must change it before installing WordPress).

For an existing WordPress site, you can follow the instructions listed here to change your table prefix.
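The link to the instructions for existing sites did not survive, so here is an added example (not the article's code) of what that procedure looks like as a command-line PHP script: it renames every table carrying the old prefix and then fixes the rows where WordPress stores the prefix inside data (the options row for user roles and the usermeta keys for capabilities and user levels). The database credentials are placeholders to be copied from your wp-config.php. One caveat from the defender's side: an attacker who already has SQL injection can read table names from information_schema, so treat a custom prefix as a small extra hurdle, not as protection on its own.

```php
<?php
/**
 * Added example (not the article's own code): rename WordPress tables from one
 * prefix to another and fix the prefix-dependent rows in options and usermeta.
 * Take a database backup first, then run:
 *   php rename-prefix.php wp_ a8q2_
 * and finally set  $table_prefix = 'a8q2_';  in wp-config.php.
 */

// Only what $table_prefix itself accepts: letters, digits and underscore.
function validate_prefix(string $p): bool {
    return (bool) preg_match('/^[A-Za-z0-9_]+$/', $p);
}

// Build a LIKE pattern that matches the prefix literally (escape _ and %).
function like_prefix(string $prefix): string {
    return str_replace(['%', '_'], ['\%', '\_'], $prefix) . '%';
}

$old = $argv[1] ?? '';
$new = $argv[2] ?? '';
if (!validate_prefix($old) || !validate_prefix($new) || $old === $new) {
    fwrite(STDERR, "usage: php rename-prefix.php <old_prefix> <new_prefix>\n");
    exit(1);
}

// Placeholders: use the DB_HOST, DB_USER, DB_PASSWORD, DB_NAME values from wp-config.php.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    fwrite(STDERR, "connect failed: {$db->connect_error}\n");
    exit(1);
}

// 1. Collect the tables that carry the old prefix.
$tables = [];
$res = $db->query("SHOW TABLES LIKE '" . $db->real_escape_string(like_prefix($old)) . "'");
while ($res && ($row = $res->fetch_row())) {
    $tables[] = $row[0];
}
if (!$tables) {
    fwrite(STDERR, "no tables with prefix {$old}\n");
    exit(1);
}

// 2. Rename them in one statement. RENAME TABLE is DDL: it commits immediately,
//    so there is no rollback; this is why the backup comes first.
$pairs = [];
foreach ($tables as $t) {
    $pairs[] = sprintf('`%s` TO `%s`', $t, $new . substr($t, strlen($old)));
}
if (!$db->query('RENAME TABLE ' . implode(', ', $pairs))) {
    fwrite(STDERR, "rename failed: {$db->error}\n");
    exit(1);
}

// 3a. options: only <prefix>user_roles carries the prefix. Other wp_* option
//     names (e.g. wp_page_for_privacy_policy) are fixed names and must NOT change.
$oldRole = $old . 'user_roles';
$newRole = $new . 'user_roles';
$stmt = $db->prepare("UPDATE `{$new}options` SET option_name = ? WHERE option_name = ?");
$stmt->bind_param('ss', $newRole, $oldRole);
$stmt->execute();

// 3b. usermeta: every key starting with the prefix is prefix-dependent
//     (capabilities, user_level, user-settings, ...), including multisite
//     per-site keys such as <prefix>2_capabilities.
$from = strlen($old) + 1;
$like = like_prefix($old);
$stmt = $db->prepare("UPDATE `{$new}usermeta` SET meta_key = CONCAT(?, SUBSTRING(meta_key, ?)) WHERE meta_key LIKE ?");
$stmt->bind_param('sis', $new, $from, $like);
$stmt->execute();

printf("renamed %d tables; now set \$table_prefix = '%s'; in wp-config.php\n", count($tables), $new);
```

Until wp-config.php is updated the site will show the "database connection" or installation screen, so do the rename and the config edit back to back, and log in afterwards to confirm your role still works: a missed user_roles or capabilities row is exactly what locks administrators out.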

11. Move your wp-config.php file

Your wp-config.php file contains the database connection details and other data that nobody else should be able to read.

To protect it, simply move your wp-config.php file up one directory from your WordPress root. WordPress automatically looks for the config file there if it can't find it in the root directory.

This way, nobody except a user with FTP or SSH access to your server can read this file.

12. Try WordPress Security Plugins

There are a lot of WordPress security plugins, and you should use one of them on your WordPress website.

Most popular security plugins give you a lot of features as follows:

  • Block Brute force attacks
  • Web application firewall
  • Malware scanning
  • Block spam generating IPs
  • Detailed info about IP
  • Secure Authentication
  • And a lot

With these features on your WordPress website, the chances of being attacked are reduced by 99%. The most popular plugins are as follows:

13. Check Ratings and Reviews Before Installing a Plugin

A friend of mine installed a plugin on his blog without checking its ratings and reviews. The plugin was very new in the repository and therefore didn't have enough reviews and ratings to judge its quality. He took the risk, installed it on his blog and ended up in a big mess: his blog was hacked within a couple of days and, to make matters worse, he didn't have a backup.

I don't want you to end up in a similar situation, so keep checking reviews and ratings before installing a plugin.

14. Don’t Skip any WordPress Updates

This is the step you must keep in mind all the time. If a WordPress update was rolled out 5 minutes ago, leave all other work and install it as a priority.

An update brings new features and bug fixes, and those fixes disclose the bugs in the previous version of WordPress. That opens the gate for hackers to enter unpatched sites through those loopholes.

Don't make excuses such as "I don't have time to update", "will my plugins support the new version?" or "will my theme support the new WordPress version?"

Buy only themes and plugins that are updated frequently, and use the minimum number of plugins on the site to reduce your dependency on plugin updates.

Attacking plugins that have not been updated to the latest version is the most common way hackers break into websites. So regularly update your WordPress core, themes, and plugins.

16. Don’t use themes from questionable sources.

There are a lot of really great and interesting themes out there, and they are just a simple Google search away. The problem is that not all themes are safe to use, and some aren't properly coded.

To find a reputable theme:

1. Search the WordPress theme repository. All the themes listed there are vetted thoroughly by the WordPress team, so they are safe to use.

2. Search through a reputable marketplace like ThemeForest.

3. Buy premium themes like Genesis, Catalyst, etc. These themes are well supported by their developers and have a great community to help you.

17. Use a Secure Web host

Using a secure web host means using an SSL certificate for your website. An SSL-certified website address starts with https.

If your website doesn't have an SSL certificate and people share sensitive information on it, move to a secure web host, because without https the data can be stolen in transit.

An SSL certificate sets up an encrypted path between the web browser and the web server, so that your data stays safe.

18. Disallow File Editing

If you have a multi-author blog or website, make sure you have disabled file editing. When you disallow file editing, the editor option disappears from the Appearance menu.

After enabling this, nobody can edit or customize your website files from the dashboard. This is very helpful if you have a multi-admin website.

It also helps if hackers get into your WordPress admin area: they can't edit your WordPress files from there.

You can disallow file editing by adding this line at the end of your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

19. Change the Password Regularly

Changing your password regularly also helps secure your website from unauthorized users. It also logs out every session everywhere, which matters if you left your site logged in on some PC. Take it as another important WordPress security tip.

20. Do not Show your WordPress Version:

If you have trouble upgrading from an old WordPress version to the current one, at least do not show your WordPress version to others. WordPress.org normally publishes the faults fixed in previous WordPress versions, which makes it easier for a hacker to find the security hole in your blog. To hide the version of WordPress you are running, do as follows:

For an old WordPress theme, remove this line from the header.php file:

<?php bloginfo('version'); ?>

For a new WordPress theme, add the following line to the functions.php file of the current theme:

<?php remove_action('wp_head', 'wp_generator'); ?>
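The two lines above are the core of it. As an added example (not the article's code or any theme's), this must-use plugin pulls together tips 14, 18 and 20: it turns on automatic core, plugin and theme updates, disables the file editor, and strips the version not only from the head generator tag but also from feeds and from the ?ver= query strings on core scripts and styles, which reveal the same number. The plugin and function names are my own. Keep in mind that hiding the version is only defence in depth; installing updates (tip 14) is what actually removes the holes.

```php
<?php
/**
 * Plugin Name: Example Hardening
 * Description: Added example (not the article's code). Tips 14, 18 and 20 in one
 *              file: automatic updates, no file editing from the dashboard, and
 *              no WordPress version disclosure.
 * Install as wp-content/mu-plugins/example-hardening.php
 */

// Tip 18: disable the theme/plugin editor. The article puts this in wp-config.php;
// defining it here has the same effect if wp-config.php has not already set it.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Tip 14: never fall behind on updates. Minor core releases auto-update by default;
// this opts in to major releases too, and to plugin and theme auto-updates.
if (!defined('WP_AUTO_UPDATE_CORE')) {
    define('WP_AUTO_UPDATE_CORE', true);
}
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// Tip 20: remove the version from every place WordPress prints it.
remove_action('wp_head', 'wp_generator');             // <meta name="generator"> in <head>
add_filter('the_generator', '__return_empty_string');  // generator tags in RSS/Atom feeds

// Core scripts and styles are served as .../wp-includes/js/jquery/jquery.js?ver=6.x,
// which leaks the same version. Strip "ver" only when it equals the core version,
// so plugins and themes keep their own cache-busting query strings.
function example_strip_core_version(string $src): string {
    if (strpos($src, 'ver=') === false) {
        return $src;
    }
    parse_str((string) parse_url($src, PHP_URL_QUERY), $query);
    if (($query['ver'] ?? null) !== (string) get_bloginfo('version')) {
        return $src;
    }
    return remove_query_arg('ver', $src);
}
add_filter('script_loader_src', 'example_strip_core_version');
add_filter('style_loader_src', 'example_strip_core_version');
```

After installing it, view the page source and the feed URL of your site: the generator line should be gone and core assets should load without a version suffix. Auto-updating major releases means a theme or plugin that breaks on a new version will break unattended, so this setting belongs together with tip 21 (backups) and with a staging copy of the site where you can see the update first.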

21. Regular make Backups

If you follow all the above tips, there is very little chance that your site gets hacked. But keep that last one percent in mind: no matter how secure your site is, if it does get hacked you can lose everything.

Then you have to start again from scratch. So, if you don't want to lose everything, make backups on a regular basis. With a backup of your site, you can restore the complete site to a working state in a few clicks.

There are some awesome plugins that help you make your backups seamlessly, without any effort.

Final Thoughts on WordPress Security Tips

Securing a WordPress site is crucial for everyone. If you ignore these tips, you make life a lot easier for hackers. Every WordPress security tip mentioned above in this article puts you one step ahead of them.

So follow these tips to secure your WordPress website. I know it's a lot of work for beginners, but following them makes it much harder for hackers to break into your site.


ABOUT CODINGACE

My name is Nohman Habib and I am a web developer with over 10 years of experience, programming in Joomla, Wordpress, WHMCS, vTiger and Hybrid Apps. My plan to start codingace.com is to share my experience and expertise with others. Here my basic area of focus is to post tutorials primarily on Joomla development, HTML5, CSS3 and PHP.

Nohman Habib

CEO: codingace.com
