Connect with us


21 tried-and-tested ways to secure a WordPress website

The risk of cyberattack is always there. Here’s how you can ensure your WordPress website remains secured against hacking incidents.



WordPress is an established authority in the content management universe—powering almost a third of all websites on the internet. The size, however, comes at a certain cost.

According to research, more than 70 percent of all websites are vulnerable to hacker attacks.

Most people would now ask the logical question: With so many safety threats, how come WordPress is not losing supremacy among content management systems?

The answer is very simple. The problem lies not in WordPress but rather in webmasters who don’t protect their sites regularly.

For instance, as much as 8 percent of WordPress security breaches happen as the result of a weak password. Although improving a password is the easiest thing in the world, some people still find it too boring to deal with it, which is exactly the kind of mistake hackers are hoping for.

If you want your website protected, then you need to learn several methods of securing your websites against hackers. In this post, we will show you 20 ways to secure a WordPress site.

Let’s hop right in.

1. Limit login attempts

The first tip on our list is one of the golden rules of WordPress security. You should limit the number of login attempts to prevent repeated brute force attacks. In such cases, your website will be locked and you will receive notification that someone is trying to access your site without authorization.

2. Use two-factor authentication

A two-factor authentication is like having two different passwords for your website. It’s the second step towards reaching a higher level of WordPress security and you should not be too lazy to use it.

Websites with two-factor authentication demand login entries for a couple of components. For instance, you will have to enter the usual password and answer a question that you designed for this particular purpose.

3. Install Security Ninja

Before we dig deeper into the topic, we should mention that the simplest way to protect your website is to download a free WordPress plugin such as Security Ninja. This tool allows you to scan and test the entire site within minutes, while one click is the only effort that you need to make in this process. To cut the long story short, Security Ninja runs over 50 tests to give you a comprehensive overview of the site’s security.

4. Replace username with email

When you log in to WordPress, you need to enter a username. However, you can replace it with your email address to enhance safety. Why is that so? It’s because hackers can guess usernames much easier than email IDs. Besides that, you need to come up with a brand new email address when you launch a WordPress site, so it’s good enough to become a trustworthy login detail.

5. Delete old plugins

WordPress plugins are vulnerable to brute force attacks for a variety of reasons. If you don’t need a plugin anymore, you should not leave it hanging around and potentially giving a backdoor entrance to the hackers. You should delete it instead and minimize the odds of getting hacked this way.

6. Update plugins

Old plugins are not the only threat to the WordPress security. On the contrary, even the brand new plugin can jeopardize your website in case you don’t keep updating it regularly. Attackers are patient and they will be searching for any sign of weakness. Plugins you don’t update could become a weak spot soon and the same goes for all WordPress themes.

7. Get creative with passwords

If you followed our instructions so far, you solved most of the login safety issues. However, we have to make sure that you have everything under control, so we suggest you get creative with passwords and change them every once in a while. You don’t want to use these bad passwords that can get you in trouble.

8. Install a firewall

A webmaster should do whatever it takes to protect the site both internally and externally. For this reason, you should install a firewall on your computer to prevent potential safety hazards. You can choose one of many different firewall solutions, but we suggest you do the homework and find the one that fully integrates with all other safety measures. We would like to revert back to Security Ninja whose Cloud Firewall bans more than 600 million bad IPs automatically and protects your login pages.

9. Don’t save money on premium plugins

A reliable plugin will probably cost you some money, but you should be glad to pay for it. Don’t try to cut the budget from this side because you might end up paying twice. First of all, free and pirate versions of premium plugins often contain malicious software and will hurt your website. Secondly, you will come back to pay for the official version of the plugin once the damage is done already.

Create strong passwords with varied characters to avoid data hacking. (Source)

Create strong passwords with varied characters to avoid data hacking. (Source)

10. Secure the wp-admin directory

The wp-admin directory is an anchor of your site. In case you lose control over it, you will put the whole website in danger. But it won’t happen if you add a password to this directory. Doing so, you don’t only set up a password on the login page but also secure the WordPress admin area.

11. Disable PHP file execution

You can disable PHP file execution in some directories that don’t require this type of activity. One example of such directory is /wp-content/uploads/. It’s a simple coding procedure, so you only need to write a few lines like this in Word or Notepad:

<Files *.php>

deny from all


After that, save the file as .htaccess and upload it to /wp-content/uploads/ folder on your website.

12. Use SSL to encrypt data

Another way to enhance WordPress security is to obtain an SSL (Secure Socket Layer) certificate. The SSL helps you to complete safe data transfers between the server and user browsers. It’s a strong safety measure that you can choose and buy quickly.

13. Be careful about multiple user accounts

Most sites operate on a multi-user basis because there is not only one contributor. However, more accounts mean more security threats as each user can access the admin panel. In this case, you should pay special attention to passwords and each contributor must choose a strong password to avoid brute force attacks.

14. Rename the login link

Another login-related tip is to rename the login URL. You can access this feature simply by adding wp-admin to the main website link, but so can hackers. Gregory S. Benet, a web security specialist at, explained this briefly: “Hackers use the so-called Guess Work Database to try to find the right username/password combination and enter your site. But when you rename the login URL, you instantly eliminate the fear of brute force attacks.”

15. Choose unique WordPress database prefix

By default, WordPress assigns you with the standard database prefix wp- when you install this content management system. However, this prefix is often subject to SQL injection attacks so we strongly recommend you change it. You don’t have to make things complicated – it’s enough to add a letter or two to make the prefix unique. For instance, it could be mewp- or anything else you can remember easily.

16. Backup website regularly

No matter how hard you try to keep the website safe, sometimes you won’t be able to defend it because hackers constantly create new ways to breach security. In cases like this, you should have your site backed up so that you could recover it quickly. As usual, plugins are the best option because they do everything automatically.

17. Disable file editing

A user who enters your WordPress dashboard can change all files related to website installation, including themes and plugins. But you can disable this option, so even if you face a security breach hackers won’t interfere with your files. To do this, you just need to add the line of code like this:

define(‘DISALLOW_FILE_EDIT’, true);

18. Use the safe server connection

When you set up a website, you can connect through FTP, SFTP, or SSH. But the standard FTP connection lacks certain security measures so you should connect the server only via SFTP or SSH. That way, all your file transfers will be safe and sound.

19. Change directory permissions

Directory permissions are highly sensitive in the shared hosting environment, which is why you should change them and enhance website security. How can you do it? Simply change directory permissions to 755 and files to 644 and you will be protected. You can do it single-handedly using File Manager or via terminal using the “chmod” command.

20. Hide WordPress version number

A standard WordPress website reveals the version number of your content management system. This is great news for hackers because they know the weak spots of each version and tailor the attack so as to aim those weaknesses. By using a security plugin like Security Ninja, you can remove this information and make your website even stronger.


WordPress vulnerabilities seem to be one of the biggest controversies in the world of cybersecurity, but most people forget that safety breaches usually happen because of the website owners’ carelessness.

A surprisingly large percentage of hacker attacks could be prevented if webmasters would invest more time into security updates.

(Featured Image by DepositPhotos)

DISCLAIMER: This article expresses my own ideas and opinions. Any information I have shared are from sources that I believe to be reliable and accurate. I did not receive any financial compensation in writing this post, nor do I own any shares in any company I’ve mentioned. I encourage any reader to do their own diligent research first before making any investment decisions.

Jimmy Rodela is a Freelance Writer and a Content Marketer. He is the Founder of the Guild of Bloggers. He is a contributor to websites with millions of monthly traffic like,,, Business2Community and