How to Secure a WordPress Site: Ultimate Security Guide

Share on facebook
Share on google
Share on twitter
Share on linkedin

Through this write-up, we will discuss about how to secure a WordPress site. A lot of you might be thinking what this thing is? Why is this article suddenly starting a write-up about something I have no idea of as well as it’s security? So, let’s get down to business.

In recent years, as people have started understanding the power of the internet, they have started delving more into websites. Nowadays everybody keeps a website be it for their own or their company as it increases the credibility of them or their company and also adds value to their profile. But making a website is not easy. You have to buy a domain, rent server, design the website, write codes, edit and do a lot of things for making a website. It is a very time-consuming task and only a few people know how to make a website. Not everybody can afford to get a website through this process. And this is where WordPress comes into play.


WordPress is a CMS (Content Management System) which saves you from the hassle of a lot of processes regarding the making of a website like designing the website, writing codes and editing them. Nowadays, you can easily make websites on your own. You just have to buy a domain name, get a host and go to to make your own website be it for your personal use or your company use. There, you can choose the design and theme of the website and within a few clicks, you have your website ready.

Some hosts are even connected to WordPress. After getting the server, all you have to do is click on a button and that takes you directly to WordPress. You don’t even have to go through the hassle of going to WordPress and connecting the server. But as making websites have become easier, a number of problems seem to appear. One of the key problems is the hacking of websites made through WordPress.

Why should you try to make WordPress secure?

More than 90,978 small and big attacks are occurring every minute in websites made by using WordPress. But don’t let this information distract you or stop you from making a website. A website is a very important thing nowadays and it kind of becomes your digital identity. Rather than stopping yourself from creating your own website, what you can do is learn about ways through which you can stop your website from getting hacked.

make wordpress secure

Through this article, I will be sharing different techniques regarding how to secure a WordPress site. If you follow the ways that are discussed in this article, you will be able to make your site’s security airtight and lessen the chance of hacking by a huge margin. By this article, you will also know how hackers target websites and carry out their actions. If you learn about how a thing is done and why a thing is done, you can easily do things that will stop the whole action. Besides, various troubleshooting techniques and the name of different security plugins available in WordPress will be discussed.

Is WordPress really good?

After reading all this, this question might arise in your mind that if WordPress is so vulnerable to attacks, why is it still ruling the whole website industry. It is because WordPress tries every day to become as secure as possible. But the problem is that every minute new virus, malware is being created and hackers are trying every day to hack more and more websites. The whole team which works for securing the sites tries their level best to neutralize the vulnerabilities in the site. They work night and day to detect new virus and malware to develop security patches so that sites don’t get hacked. Through the updates that are passed every now and then to the users, carry security patches that would reduce the possibility of sites being hacked. Till date, WordPress has removed more than 2,450 security vulnerabilities by providing security patches to the consumers. The team works so hard and diligently that sometimes, within an hour, the problem is addressed and solved.

How is WordPress attacked?

Before diving into how to secure a WordPress site, you need to know why it is attacked. If you talk in general, no website is actually safe from the attack of hackers. You can’t know one’s intention in mind and why he or she might try to hack your website. But there are mainly two reasons for attackers attacking your website. One of the key motives is money. Another motive is hacktivism. This term might sound completely new to you. It means that attackers might attack your site so that they can completely change the interface and make it a website for their supported political parties. Just think about it. If a website has 10,000 daily views, those 10 thousand people will come to the website to see the banner of a political party rather than the content they have come for. Though the viewers would be irritated, the advertisement would do the work. It might manipulate the minds of people to vote for that party or to become a follower of that party. The attackers might even change to share political propaganda or hate speech by changing the content of the site.

It has been found from various surveys and reports that a loss of more than $20 billion occurs every year just because of spam. It was found in various surveys that almost all the sites are mainly hacked for money, but a little portion of them are also hacked for hacktivism. Very few times, a site is attacked only for hacktivism. Majority of times, the hackers attack the websites to make money out of hacking and sometimes they use it to spread political propaganda along with that.

All the sites that are available on the internet be it for personal or professional use are vulnerable to attackers. But WordPress developed websites are hacked more because most of the times, the people who have created their websites using WordPress have little or no idea about how to keep an account secure and what impacts the security of a site. Other websites are developed by web developers. They know how the website works. They know their duties in various situations. So, they develop the site keeping all those things in mind. But that’s not what WordPress users face. You and I and anyone can open their own site with this. And perhaps, you didn’t know a lot of things even before reading this article, but you have your own website on the internet.

There are a lot of backdoors and alleys through which hackers hack different websites. They usually develop programs known as bots or hackbots. What this program does is that it automatically scans for security loops and attacks a lot of websites at the same time. It creates the chance of a lot of websites being hacked at once. Attacking a lot of websites at once creates the chance of at least a few websites getting hacked at once even if it can’t penetrate through the security of a lot of websites.

To provide data of what websites to hack, the hackers put the name of websites developed through WordPress as there is a higher probability of the programs successfully penetrating the security holes. Also, the websites which bring very low traffic or the websites which are not taken care of on a daily basis are more prone to these kinds of attacks. As the owners don’t care much, the bots can easily hack those sites and later the hackers use it for their own purpose. Now, this question might come up in your mind regarding a site being the target even when it has less viewers and traffic. Think about it in this way; if they can successfully change the whole interface of one hundred websites like this, it would serve their purpose. And it is easier than hacking the websites with a larger audience, as usual, those websites tend to have much better security. But it is not that the larger traffic and more secure sites are not prone to attacks. It is true that hacking those websites are hard as they tend to have much better security, but the other side of the story is that they have a huge amount of audience. If in the time of hacking 200 small websites, a hacker can successfully hack one big website, the profit would be much more. They can get more money or successfully share different messages supporting their views. So, no matter how is the website, the hackers can hack those and get their evil intentions fulfilled.

How to secure a WordPress site?

Let’s cut the gibberish and get to the point of this article that is how to secure a WordPress site that you have created. There are some small technical stuff you can apply and some steps you need to follow. Some of them which can ensure maximum protection of your site are-

Keep WordPress core updated:

wordpress core update

You need to keep your WordPress core up to date so that all the new updates and security patches that have been provided by the security team can do their work and stop the attacks. For doing this, you don’t need to do very difficult stuff. It is an easy process. You can just check on the option of install updates automatically. If you want, you can keep the option off and run compatibility tests first and then install the update. Compatibility test means to test if the update and the version match the version of your website and can install properly. Keep the plugins and themes you are using on your website updated too.

Keep Antivirus installed:

Always install computer antivirus in your computer to ensure that it always detects the threats and malware in your computer. Virus and different malware can enter your computer in various ways. It can enter your computer through the programs you download from the internet. It can also install on your computer when you visit any website on the computer. Usually, those websites which are not certified might carry these kinds of viruses. When you keep an antivirus on your computer, it detects those. Also, always keep the firewall on so that, it detects any threat in the websites you visit and saves your computer by giving you a warning.

antivirus installed

Another small but effective thing you should do is scheduling regular virus scans. Sometimes, you might forget to scan your computer or any software and before you know it, virus and malware have attacked your PC. Through that, one can easily get access to your website and do whatever they want to do with it.

Always be careful while logging in to your website:

Always make sure you access the admin panel of your WordPress site from private Wi-Fi or internet connection. Never log into it from any kind of public Wi-Fi. This increases the chance of others getting information or tracking info through that connection. Also, make sure that you get your internet connection from a service provider that is known for reliability and is known for keeping the data it has secure.

Buy site hosting from a good hosting provider:

Always get hosting that server space from the provider that is known for its security and reliability. Hosting is the giant pot where you keep all your data. If it is not secured, your data becomes vulnerable to hackers and attackers. They might get that and use that for their evil intentions. So make sure you use great hosting sites like Siteground, Bluehost, WP-Engine, Cloudways etc.

Use Strong Password:

strong password

It is a very basic thing to do to keep your site secure. If your WordPress admin panel doesn’t have a strong password, it can easily get hacked. Using random and common passwords always increases the vulnerability of your website. To avoid that, you should always keep strong passwords where there is numbers, uppercase and lowercase letters and even different symbols if possible. If you find it hard to remember that and is concerned about that issue, there are different browser extensions and applications available on the internet that generates a password and remembers it. What you have to do is remember an easy password and enter that application. The rest will be done by that app.

Be careful about letting users upload files:

Always try not to let users upload anything on to the site and keep the option for you only to upload anything to your website. Sometimes, while uploading various files, virus and malware also get uploaded and you could lose your site in the blink of an eye. Even if it is necessary to let anybody else upload something, be cautious about who you are giving the permission to.

Always keep backups:

It is very important always to keep backups of your data on the site. Always schedule the backup of your website after a certain point of time so that even if the website crashes or something happens to your site, you can easily get the site ready and uploaded as soon as possible. If possible, keep contingency even of the backup. And make sure you always test the backups to see if they are working properly or contain all the data.

Sometimes, it becomes difficult to back up the data manually. We recommend using the plugin named Updrafplus which can ease your work. It automatically backs up data when you set it up in your WordPress site and set when should it back up the data.

Be careful about using plugins:

Plugins might seem to be a great option for those people who are new to this whole website thing. It is important too. But be sure not to install any plugin on your computer just because it offers some extra features without researching about it a little.

Sometimes, those might give some extra features but can hamper with the security or smoothness of your site. Look up the plugins you want to use on the internet. People provide reviews of those and you can get an idea about what those do. Also, before activation of any plugin on your site, test it on the local part. See the performance and then decide.

Use security plugin:

This might sound weird to you that just after the previous point where I am telling you not to use plugins if you don’t need and in the next point I am advising you to install some plugins. It is because some plugins are actually good and they get the job done. Especially there are some plugins which provide security to your site. Install one or two of them to ensure the security of your website. Some plugins like Defender also helps you to track the activity of others who have access to the admin panel of your site. If you suspect anyone to be a hacker who is working with you, it can be of great help to know their true intentions.

A few plugins are known for providing security to your sites. Some of the plugins which have been tried and tested are-

It is a free plugin available in WordPress. It has a great interface that lets anybody use it with ease. It is used by a lot of experts too. Though it is free, there is also a premium version of it. If somebody wants more security featured, they can use it. The premium version is mainly for those websites which contains much more valuable information or has high traffic or is vulnerable to the attack of the hackers.

It has more than 30 security features for free version users. By installing this, you ensure a bit more security for your website. Like all the other plugins mentioned in this article, this also has a premium version that gives you access to some more features.

It is also a very known option for providing security. Defender provides a lot of security features and can be of great use. It also has a premium version providing some additional features.

This is also a great plugin. The main feature of it is that it scans your website and gives you a lot of information in real time. It tells you if your site is okay or vulnerable to hack attacks.

It has gained huge popularity over the years. Nowadays a lot of experts use and recommend this plugin. But the problem is that a lot of attractive and useful features are only available when you upgrade to the premium version. So, for those people who are not looking forward to upgrading to premium in a few months, we do not recommend this for you. But overall, this is a great plugin to use.

If you don’t want to clutter your website with a lot of plugins installed, this is the go-to for you. It has all the features of security along with the features of the database. It would let you not use a lot of plugins which can make your website slow. The premium version of this plugin gives you full site backup along with providing additional security features. As mentioned in this article, you should always have a backup of your site. If you don’t want to go through a lot of hassle, install this as it would lessen two must do things for you.

Don’t get confused by looking at all these Plugins. Using only one of them would suffice your need. Trial and error process might be of help to you in this case. Use one for a few days and then try another. Whatever you like best, use it permanently. Since all of these have free versions, they would not cut a hole in your pocket. If you like one, you can buy its premium version and get access to all of the features that the plugin provides.

Use FTPS or SSH:

Don’t use File Transfer Protocol (FTP) in your connection. Try to use File Transfer Protocol Secure (FTPS) or SSH File Transfer Protocol (SFTP) because they are much more secure. The former one is insecure and sometimes fails to keep your connection from being controlled or monitored. Also, be careful and never give your FTP account details to people who you do not know and cannot trust. When not using the FTP, delete the accounts or disable the FTPS features until the time you need to use it again.

Stay updated with WordPress newsletter:

Always try to stay updated with different WordPress newsletters; those usually contain different information about different issues or features of WordPress. When there is a new virus on the internet, you can know about those from there and tackle that issue.

Keep file editing option disabled:

Disabling this option provides an added layer of security to your website. Usually, if this option is ticked on, anybody who gets access to the admin panel of your site can change the articles or anything that is uploaded and visible to the public on your website. By disabling this option, you can at least get one more layer of protection. If the hacker uses some bots and that bot is not programmed to untick that option, you have a higher chance of not getting your website hacked or any information changed. Besides, another thing you could do is that you can stop the people who have access to the admin panel from changing the themes or any other thing on the website. Remember to remove the option when you need to change anything on your site.


To make this, you need to go to the Cpanel or Ftp of your site and then open the wp-config.php file. You will see that there is a line name /* That’s all, stop editing! Happy blogging. */. Above that line, write define( ‘DISALLOW_FILE_EDIT’, true);. After saving that file, you will see that in the dashboard, there will be no option of appearance editor or plugin editor.

Keep some options of WordPress hidden:

Though this is not a very reliable option or a very significant option, still you should do it. This option basically means that you hide some part of your website option that might give the hackers access to the main panel of your WordPress site allowing them to change anything and everything of the website. Many experts say that this option isn’t of much use. They say that if the hacker is competent enough to hack your site, wouldn’t they be smart enough just to unhide some options of your website! Though this logic is valid and has a strong point but as we said before that it had been found that most of the attacking is mainly done by bots. Usually, the bots haven’t programmed that way to enter the site and then unhide the options and then change information. The bots usually attack the least secure website. If any bot attacks your site, you have the chance of remaining safe just because of this option.

Only a small percentage of website attacks are done by professional and expert hackers themselves. If you are unlucky and they do it, unfortunately, you might have to lose your website. But if you are lucky, you can have your website just because of this option. So, it is definitely worth trying.

Access restriction to the admin panel:

When a hacker tries to hacks a website, the first thing he or she would try to do is guess the username and password of that site. There is a term used to denote such type of attacks. This is known as brute force attacks. To lessen the possibility of such a phenomenon occurring, what you should do is allow only trusted people to enter the login page that is the first step of accessing the admin panel. This definitely does not give 100% assurance that your site won’t be hacked by following this step. However, it does reduce the possibility.

You have to follow some steps to do this. You have to mention the IP address who are allowed to access the admin panel of your website. Even if the allowed users try to access the panel from a different IP address that is from a different place, they won’t be able to do so. Make sure you have that in mind too. If you are living a life where a lot of travelling is needed and you use internet connections available there, you can’t do so as it would create a lot of problems for you. But if you always access from a particular place or use a few fixed internet connections, you should do this.

Install SSL certificate:

Installing am SSL certificate on your web server means that using HTTPS protocol instead of using the HTTP protocol. It creates a secure connection between the users and the server. In other cases, when the server doesn’t have this, the data travels in the same way, but it is not encrypted. So, there remains the possibility of some person entering in the middle and fetching those data. They can get the data from both sides of the connection. Sometimes, a lot of important information is exchanged over the internet. In this case, if the HTTPS connection is not used, the hacker can target and gain access to those data. HTTPS connection allows the secured flow of information and helps reduce the chance of hacking by a huge margin.

Limit login attempts:

We have discussed it before also that hackers always try to guess the username and password at first. Even after hiding that and doing so many things, you still have the chance to save your website. You can limit the login attempts using the Login LockDown plugin. That would not let anyone try to input username or password more than a few times. After reaching that limit, WordPress would restrict them from entering for a few minutes or a few hours or a few days or even forever. You have the option to select what it would do.

Usually, hackers try to hack a list of websites. Most the times, it so happens that if they find it hard to hack one, they leave it and immediately go to the next site. So, if they are not let to input login information, they would stop trying and move on.

Install Server Firewall:

Install firewall is another thing you should do to ensure maximum security of your site. It is a great way to prevent hackers from entering your site. It is not done on the WordPress site. Rather, it is done on the hosting server. When you buy a domain, you will see that there is an option of installing a firewall on the website. Though you have to pay extra money for that in some cases, you should definitely do that. WordPress offers some firewall plugins, but they are different. The plugins give firewall protection inside of the website. But you need protection on the outside. It can only be done if the hosting server installs that.

Review The Access Log:

When you make your website through WordPress, it provides an option of always seeing who has entered the admin part of the site and when. It can even say where someone has accessed your site. It is better to keep reviewing it after a few days. Besides, when someone tries to access files or tries to change them, it detects that and keeps the log of that. By reviewing that, you can find if someone else other than people who you have given the permission to has tried to access the site. If you detect any kind of unusual activity in the log, you should change your password or see who is trying to do this. As there would be a lot of logs always, it might become very difficult for you to review if there is any different activity. The plugin Sucuri makes your work easier. If it sees any kind of activity in the log which is not normal, it notifies you and then you can take action based on that.

Change WordPress Default Username:

The first time you open your website through WordPress, it gives you a username to access the site. Then you set a password and enter the site. The default username is ‘admin’. But you should change your username. We have already mentioned how hackers try to hack the site at first by trying to guess username and passwords. The first thing they would try would be the default username WordPress provides. And what happens is WordPress is if the username is right and password is wrong, it tells you that you only need to write your password now. Then the hackers get to know that the username they have entered is right. So, you would not want your site to get hacked just because you were not careful regarding setting the username. What you should do is after creating your website, change the username and make it something which one cannot guess usually.

Delete Unnecessary Files:

After creating your website, you install certain files that you need at that time but don’t need later. Many people forget to delete those files later. You shouldn’t do that. Sometimes, those files have additional information about you and those can be exploited by attackers. After the use, remember to delete those files to avoid any such incidents.

Keep two-factor authentication on:

Like different other sites, you always need to login to your profile to gain access to admin features. WordPress is no different. There are some small steps you could take to make that process a little harder. You can keep the two-factor authentication on for that. There is a method to be followed to turn it on. It would require you to give permission from your smartphone or any other device after you have successfully entered the username and password. Unless you check that and click ok, WordPress won’t let anybody access the site. And whenever somebody would try to enter, you would receive notification.

Though it is not a very strong security option, all the security options combined can provide a great deal of security. Though it can be done from WordPress by following a process, this can be a daunting task sometimes. If you are new to WordPress and all this, you would have to face a lot of difficulties to use it. To save you from that hassle, we recommend using the Two Factor Authentication plugin. it can make your work a lot easier. After installing the plugin, click on the name of that plugin in the admin dashboard. And then, you need to install an authenticator application on your phone or other devices. You can install LastPass authenticator. After installing, open the app and click on the Plus button (+). You will be given an option to scan the QR code. Point the phone’s camera to the QR code that appeared on the Plugin’s settings option. The app will verify that and from next time, after you enter the password to enter the admin panel, you will be required to enter another code that generated on your phone by the application.

Remove WordPress Version Number:

This is a small step to take. Make sure that you never display your WordPress version number. Different hacking bots are made for different WordPress versions. If you display it, it becomes easier to deploy those bots into actions. You can easily avoid that just by hiding that.

You can do that by copying the following code in functions.php or add this via a custom plugin.

//remove version from head

Remove_action(‘wp head’. ‘wp generator’);

// remove version from rss

Add filter(‘the generator’, ‘__return empty string’);

// remove version from scripts and styles

function shapeSpace_remove_version_scripts_styles($src) {

if (strops($src, ‘ver=’)) {

$src = remove_query_arg(‘ver’, $src);


Return $src;


add_filter( ‘style_loader_src’, ‘shapeSpace_remove_version_scripts_styles’, 9999);

add_filter( ‘style_loader_src’, ‘shapeSpace_remove_version_scripts_styles’, 9999);

Prevent Username Enumeration:

Whenever someone uploads an article or a file and it goes live on the website, WordPress makes a URL of that for easy access of everyone. That URL is usually generated by some information. It contains the name of the article, name of the user and some minor information. You can change the way how that URL is generated. You should check on that option which doesn’t let username get into the URL.

prevent username

In this article, we have discussed usernames a few more times. By now, you have understood how important the username is. You should not let that get out to the public. So, don’t let that URL become a way for hackers to complete their evil intentions successfully.


Through this article, I have tried my best to give you as much information as possible about how to secure a WordPress site. We are encircled by the internet. Every day, thousands of us are creating new websites. A lot of them are made through WordPress. Though it is a secure place, some of our carelessness makes it prone to attacks. By avoiding a few things mentioned here and taking these steps mentioned here, we can easily keep our account safe. Many of you would probably be thinking this is too much of a hassle. But it is actually not. I would always recommend everyone not to get frightened by these and be welcoming to the changing internet has brought in our lives.

This post contains affiliate links. It means if you click one of the product links and then purchase the product, we’ll receive a small percentage from the sellers’ end. No need to worry! You’ll still pay the standard amount. So, there’s no extra charge from your part.

Loved this article?
Are you in dire need of the best wordpress developing tutorials & digital marketing guide? Did you say you need the best hosting, theme & plugin reviews too? Well, look no more. Subscribe with us right now and never miss our exclusive weekly newsletters, guides and tutorials!
Share To 
Share on facebook
Share on twitter
Share on linkedin
Share on google
Share on pinterest
Yousuf Hossain

Yousuf Hossain

Yousuf Hossain is a young passionate full-time freelancer who loves his work as his life. He has a dream that one day people will not only know him by this profile but also by his name for his passion and dedication toward work.

Leave a Comment

Your email address will not be published.

Sign up for our Newsletter

*You can unsubscribe at anytime!

Pin It on Pinterest

Share This
Scroll to Top