Perform a security check for your WordPress website


Planning, creating, and deploying any website can be a long and sometimes expensive process. It could be your blog, your professional business website or your online store. No matter what purpose your site serves, it is essential to keep it secure and functional. If left unguarded, hackers can steal your information, install malicious software or, worse, hijack it completely. According to reports, Google has banned over 20,000 websites for containing malware and malicious code.

WordPress powers a large share of the websites on the internet. Since its first launch, its popularity has increased immensely, and the security challenges facing website owners have grown with it. As WordPress is open-source software, the code is available to the public to use, reuse or even modify. To deal with security vulnerabilities, the WordPress community keeps an eye on the software’s possible weaknesses.

Make your WordPress Site Secure

So, concretely, what can you do to make your WordPress site secure?

1. Keep your site Updated

WordPress is backed by a massive community of top-notch designers and developers who understand the WordPress core well. With every update, WordPress addresses security issues along with other improvements. These updates are significant for the security and stability of your WordPress website. Whenever you get a notification about an update, apply it immediately. Keeping themes and plugins updated should always be your priority.

2. Choose a strong Password

This tip isn’t just for WordPress websites. It applies to every website or web application that has a user login. A simple password helps hackers more than it helps you. You can make your site more secure by choosing strong, hard-to-predict passwords that are unique to your website. Many people reuse the same password for almost every website they have an account on; this lousy practice is a dangerous routine. Always keep your passwords to yourself, not just for the WordPress admin area but for FTP accounts and databases as well.

3. Invest in Backup Solutions

Nothing is 100% secure or protected on the internet. What comes in handy in such a situation is a backup of your website. Backups allow you to quickly restore your WordPress site in case something terrible happens to it. There are a few free and paid WordPress backup plugins that you can install. These will help you save full-site backups at regular intervals to a remote location. This remote location could be cloud storage on Amazon, Dropbox or somewhere else.

4. Install WordPress Security Plugin

Apart from keeping backups, the next important thing is to set up an auditing and monitoring plugin that keeps track of everything on your website. This includes monitoring file integrity, failed login attempts at the admin panel, malware being uploaded, etc. There are plenty of such plugins, but Sucuri Scanner (https://wordpress.org/plugins/sucuri-scanner/) is a free and reliable WordPress plugin for this purpose.

It offers a set of security features, such as file integrity monitoring, remote malware scanning, blacklist monitoring, effective security hardening, and post-hack security actions. With the premium version, you also get the website firewall.

A firewall blocks malicious traffic before it reaches your website. With this plugin, you get an application-level firewall which protects your WordPress scripts. This isn’t as effective as a DNS-level firewall, which stops harmful traffic before it even reaches your web server, but if you can’t afford a DNS-level firewall, at least have an application-level one.

5. Switch to HTTPS

HTTPS means your site is using SSL/TLS (Secure Sockets Layer, today Transport Layer Security), which encrypts data transferred between the user’s browser and the web server. This encryption makes it almost impossible for someone to sniff the connection and steal information. SSL certificates can be expensive, which has led many website owners to choose plain HTTP over HTTPS.

If you open a website that doesn’t support HTTPS, Google Chrome even shows a “Not Secure” label before the URL.

To help people who can’t afford to buy an SSL certificate, the non-profit organization “Let’s Encrypt” has stepped in. It offers free SSL certificates to website owners. The project is supported by Google, Facebook, Mozilla, and many other technology companies.

6. Have you changed the default settings?

Defaults exist to make a user’s life easy, but if you know the default values and the admin panel URLs, chances are hackers know them too. It is always a good idea to create a custom admin user name instead of the default “admin”, and to password-protect your WordPress admin directory.

You can also add a security question by installing the WP Security Questions plugin (https://wordpress.org/plugins/wp-security-questions/). Once installed and activated, it requires anyone trying to log in to your WordPress site to answer a security question.

7. Change WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all the tables in the WordPress database. If you haven’t changed the default database prefix, it is easier for hackers to write a query that extracts information from a table starting with wp_. That is why you should change it to something hackers can’t guess easily. Proceed with this only if you feel confident about your coding skills, since every table has to be renamed and a few option and user-meta entries that embed the prefix have to be updated as well.

8. Disable Directory Indexing and Browsing

If a hacker can find out about your directory structure and files through the web browser, they are already halfway to harming your site. They can find out whether any files on your server have a vulnerability and take advantage of it. That is why disabling directory indexing and browsing should be on your security checklist.

To disable directory indexing, navigate to the .htaccess file in your website’s root directory. You can connect to your site’s root directory using FTP or cPanel’s file manager. After you open the file, add the following line at the end of it.

Options -Indexes

Save the changes and exit. Make sure the dash is a plain ASCII hyphen: a typographic dash copied from a web page is not a valid Apache option and will make the server return an error for the whole site.

9. Add two-factor authentication

Two-factor authentication is an extra layer of security for your WordPress website, meant to ensure that you are the only person who can access your site’s protected areas. This extra layer requires users to access the protected area in two steps. The first step asks you to enter your user name and password, and the second step asks you to confirm your access using a separate channel or application, such as your email.

There are a few plugins which let you protect your WordPress website using two-factor authentication. You can use the LastPass Authenticator WordPress plugin (https://lastpass.com/auth/) to enable two-factor authentication. This plugin also lets you back up your login data to the cloud, which adds another layer of safety.
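The second step described above is usually a time-based one-time code (TOTP, RFC 6238), the scheme behind authenticator apps. The following is an added example that is not part of the original article or of any plugin it mentions: it implements the code generation and, more importantly, the server-side check, including tolerance for clock drift, a constant-time comparison, and rejection of a code that has already been accepted. The base32 secret in the demo is constructed and belongs to no real account.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian 8-byte counter, dynamic truncation,
    then the decimal value reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the Unix time divided by the step length."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at: int, last_accepted: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the time-step counter that matched, or None if the code is wrong.

    - `window` allows +/- that many steps of clock drift between phone and server
    - counters at or below `last_accepted` are refused, so a code the user just
      used (or that someone captured) cannot be replayed inside the window
    - the comparison is constant-time so response timing does not leak digits
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    base = at // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter < 0 or counter <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret; decode it for HMAC use."""
    padded = b32.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # Constructed demo secret (not from any real account).
    secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    matched = verify_totp(secret, code, now)
    print("accepted at counter:", matched)
    # Presenting the same code again is refused once its counter has been recorded.
    print("replay accepted:", verify_totp(secret, code, now, last_accepted=matched))
```

The server has to persist the returned counter per user (as `last_accepted`) for the replay check to mean anything; without it, a code remains valid for the whole window after its first use.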

10. Disable File Access and Editing

WordPress provides a handy feature for web developers and webmasters that lets them edit themes and plugins right from the WordPress admin area. In the wrong hands, this feature is a security risk, which is why we recommend disabling file editing. You can do this through plugins like Sucuri, or you can change the configuration in the wp-config.php file.

Simply open the file, add the following lines (or set the value to true if the constant is already defined) and save it.

// disable file edits from wp-admin
define( 'DISALLOW_FILE_EDIT', true );
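Tips 7, 8 and 10 above are all settings that can be verified from the files themselves. The following audit script is an added example, not code from the article or from any WordPress plugin: it reads a wp-config.php and a .htaccess and reports the default wp_ table prefix, a missing or false DISALLOW_FILE_EDIT, and a missing Options -Indexes. It also flags the typographic-dash mistake (Options –Indexes) that Apache rejects with a 500 error. The sample file contents in the main block are constructed for the demo.

```python
import re

DEFAULT_PREFIX = "wp_"
# Typographic dashes that appear when a directive is copied from a formatted web page
BAD_DASHES = ("\u2013", "\u2014", "\u2212")


def _strip_php_line_comments(text: str) -> str:
    """Ignore '//' and '#' comment lines so a commented-out define is not counted."""
    return re.sub(r"^\s*(//|#).*$", "", text, flags=re.M)


def check_wp_config(text: str) -> list:
    """Findings for wp-config.php: default table prefix and the built-in file editor."""
    findings = []
    code = _strip_php_line_comments(text)
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", code)
    if not m:
        findings.append("wp-config: $table_prefix not found")
    elif m.group(1) == DEFAULT_PREFIX:
        findings.append("wp-config: default table prefix 'wp_' still in use")
    d = re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)", code, re.I)
    if not d:
        findings.append("wp-config: DISALLOW_FILE_EDIT not defined, theme/plugin editor is enabled")
    elif d.group(1).lower() != "true":
        findings.append("wp-config: DISALLOW_FILE_EDIT is false")
    return findings


def check_htaccess(text: str) -> list:
    """Findings for .htaccess: directory listing must be disabled with 'Options -Indexes'."""
    findings = []
    indexes_disabled = False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        parts = s.split()
        if parts[0].lower() != "options":
            continue
        for arg in parts[1:]:
            if arg.startswith(BAD_DASHES):
                # 'Options –Indexes' (en dash) is an illegal option: Apache answers every
                # request under that directory with 500 Internal Server Error
                findings.append(f".htaccess: invalid dash in directive {s!r}")
            elif arg.lower() == "-indexes":
                indexes_disabled = True
            elif arg.lower() in ("indexes", "+indexes"):
                # a later Options line can re-enable listing, so track order
                indexes_disabled = False
                findings.append(f".htaccess: directory listing enabled by {s!r}")
    if not indexes_disabled:
        findings.append(".htaccess: no 'Options -Indexes', directory listing is not disabled")
    return findings


def audit(wp_config_text: str, htaccess_text: str) -> list:
    """Combined report; an empty list means all three checks passed."""
    return check_wp_config(wp_config_text) + check_htaccess(htaccess_text)


if __name__ == "__main__":
    # Constructed sample files for the demo (not from a real site).
    sample_config = "<?php\n$table_prefix = 'wp_';\n// define('DISALLOW_FILE_EDIT', true);\n"
    sample_htaccess = "# BEGIN WordPress\nOptions \u2013Indexes\n"
    for finding in audit(sample_config, sample_htaccess):
        print("FAIL:", finding)
    print("hardened:", audit("<?php\n$table_prefix = 'k7x_';\ndefine( 'DISALLOW_FILE_EDIT', true );\n",
                             "Options -Indexes\n"))
```

Note that the .htaccess check only tells you what the file asks for: if the server's AllowOverride setting does not permit Options in .htaccess, the line has no effect, so confirm the result by requesting a directory such as /wp-content/uploads/ in a browser and checking that no listing is returned.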

11. Stop users from guessing the password

By default, WordPress doesn’t stop a user from trying to log in as many times as they want. That leaves your WordPress site vulnerable to brute-force attacks, where hackers try to guess the password by logging in with many different combinations.

This can be corrected by limiting the number of failed login attempts a user can make. If you are using an application-level firewall, this is taken care of automatically. However, if you haven’t installed a firewall, you can install and activate the Login LockDown plugin (https://wordpress.org/plugins/login-lockdown/).

After you activate the plugin, it takes you to a settings page where you define the number of allowed login attempts. Once those attempts are used up, the user won’t be able to retry. You can also set the lockout period for blocked IP ranges. The default value is one hour; you can change it according to your requirements.
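To make clear what such a plugin actually does, here is an added example that is not code from the article or from Login LockDown: a per-address failure counter with a sliding window, a lockout timer and the rule that a locked address is refused even when the password is right. The one-hour lockout is the default the article states; the limit of 3 failures within 5 minutes is an assumption chosen for the example, and the addresses in the demo are constructed documentation addresses.

```python
from collections import defaultdict, deque


class LoginLockout:
    """Count failed logins per client address and lock the address out after too many."""

    def __init__(self, max_attempts=3, window_seconds=300, lockout_seconds=3600):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> unix time at which the lock expires

    def _expire(self, ip, now):
        """Forget failures older than the window and lift locks that have run out."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        if ip in self._locked_until and now >= self._locked_until[ip]:
            del self._locked_until[ip]
            q.clear()

    def is_locked(self, ip, now) -> bool:
        self._expire(ip, now)
        return ip in self._locked_until

    def seconds_remaining(self, ip, now) -> int:
        """How long the address stays locked; 0 when it is not locked."""
        self._expire(ip, now)
        return max(0, int(self._locked_until.get(ip, now) - now))

    def record_failure(self, ip, now) -> bool:
        """Register a failed attempt; return True if the address is (now) locked."""
        self._expire(ip, now)
        if ip in self._locked_until:
            return True
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        """A successful login clears the failure history for that address."""
        self._failures.pop(ip, None)

    def attempt(self, ip, password_ok: bool, now) -> str:
        """Glue for a login handler: returns 'locked', 'ok' or 'failed'.
        The lock is checked first, so a correct password does not bypass it."""
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self.record_success(ip)
            return "ok"
        self.record_failure(ip, now)
        return "failed"


if __name__ == "__main__":
    guard = LoginLockout()
    attacker = "203.0.113.5"          # constructed documentation address
    for t in (1000, 1010, 1020):
        print(t, guard.attempt(attacker, False, t))
    print(1030, guard.attempt(attacker, True, 1030), "remaining:", guard.seconds_remaining(attacker, 1030))
    print(4700, guard.attempt(attacker, True, 4700))
```

Locking by address is a blunt tool: users behind one NAT share a counter, an attacker with many addresses spreads attempts across them, and the address must be the real client's, so only honour a forwarded-for header when it comes from your own proxy. Pairing it with two-factor authentication removes most of the incentive to guess passwords at all.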


12. Choose the right hosting service

People often go for the cheapest web hosting package they can find, but not every hosting service is good enough. Many web hosting providers run their systems on outdated software or don’t care much about actively maintaining their firewalls.

Shared web hosting, which is the choice of many startups and small businesses, can also pose risks that cost you a lot in the long run. A DoS attack on any one IP on a server can affect all websites hosted on that server, and if a shared IP gets blacklisted, the other sites face the consequences too.

Whenever you are deciding on a hosting service for your website, make sure that you know about the company and have read the reviews. Talking to their customer service before purchasing a hosting package is always a good idea. It will also give you a hint about how responsive they would be in a time of crisis.

We usually recommend managed web hosting for WordPress websites. This option can be slightly more expensive but has many advantages over a regular hosting service.

13. Always choose high-quality themes and plugins

WordPress has seen exponential growth in the past few years, mainly because of its vast repository of free plugins and themes. But can you trust a free theme or plugin? We don’t suggest that every free theme or plugin is malicious, but there is a high chance that it is poorly written, poorly maintained or rarely updated.

If you can afford it, always prefer a premium theme or plugin from a trusted company. A security log is also helpful for web development and security professionals who need to keep track of changes across multiple sites when they handle the needs of their clients. If you still prefer free themes or plugins, stick to the WordPress.org directory only. Check the history of the theme or plugin, its author, number of downloads and ratings before you decide to use it. The last-updated date is another factor you should always consider.

14. Change your WordPress Admin Panel URL

By default, the WordPress admin area can be accessed at www.yourdomain.com/wp-admin. Brute-force attempts only work if hackers can find the login page, so leaving the default URL unchanged is a considerable threat in itself. You can hide the login page from them by changing its URL with WPS Hide Login (https://wordpress.org/plugins/wps-hide-login/). This plugin doesn’t rename any files; it intercepts page requests and makes the wp-admin directory and the wp-login page inaccessible at their default addresses.
