How to Secure WordPress Website

secure WordPress

Secure WordPress Website is the most common question for every wordpress users. WordPress is one of the favorite platforms among website administrators, concentrating no less than 26% of all Internet sites . However, like every big name on the market, so much popularity makes it highly targeted by hackers, so security is the number # 1 concern of its users.

Of course, being very targeted does not mean that your site will inevitably be a victim of the attacks, but the possibility exists and is not worth the risk. It is important to note that there is no 100% secure or hacker-proof system. However, there are some measures that the user can adhere to to lessen these odds, make your site more secure and protect your information.

In this article, you’ll see practical ways to increase the security of your WordPress site and reduce the chances of a malicious attack. Check out!

 Tips to Secure WordPress Website

Table of Contents:

  1. Choose a great host — it all starts with them.
  2. Search for vulnerabilities.
  3. Always Update Plugins.
  4. Update your WordPress.
  5. Use strong passwords.
  6. Back up your website regularly.
  7. Omit the current version of your WordPress.
  8. Change the WordPress username.
  9. Review the theme used on your site.
  10. Edit .htaccess file properly.
  11. Prevent PHP execution wp-content folder.
  12. Deny all from wp-config.php.
  13. Disable File Editing.
  14. Use security plugins.
  15. Disable wp-admin access.
  16. Lock your wp-login page from file manager.
  17. Conclusion.

Choose a great host — it all starts with them

There are plenty of things that you can do to keep your new store secure, but this isn’t to say that security should be entirely your responsibility.

In fact, the very first step you take should be choosing a reputable, reliable host that makes site security one of their top priorities. You shouldn’t put your new store just anywhere — making a poor choice could put both you and your customers at risk.

Ideally, you should seek out managed WordPress hosting from a company that clearly states what they do to make your safety and security a priority. Look for features like:

  • Attack monitoring and prevention
  • Proactive reviews and patches of security threatslike core WordPress bugs, plugin exploits, and so on
  • Up-to-date server software(using the most recent versions of PHP, etc.)
  • Ability to isolate and prevent the spreading of infectionsso that a hacked site or virus cannot move to other sites on the same shared server

The hosts you evaluate should have a page on security on their site, so you can find this information out on your own. If you have to dig deeper or send emails to get answers, it might be a sign to steer clear.

Check: How to Optimize WordPress

Search for vulnerabilities

  • There are numerous plugins in the WordPress directory that diagnose and scan for potential vulnerabilities on your site or other plugins.
    These tools are critical to keeping site security constant and preventing a potential threat from becoming a major problem. With them it is possible to make checks on plugins, themes and database.
    The Vulnerability Alerts is an example of such a tool because the plugin promises:
  • Check out the core of WordPress, its themes and plugins for possible vulnerabilities;
  • Show an icon in the Admin Toolbar with the total number of vulnerabilities encountered;
  • Notify you by email when new vulnerabilities are encountered.

Keep plugins always up to date and delete unneeded ones

Plugins are responsible for performing specific functions on your site, but may also interfere with the regular functionality of your site. So keep them up-to-date to get the best performance from your site and just install WordPress plugins that have a good reputation and offer some support. Another important tip is to use as few plugins as possible, as these applications are usually produced by third parties and are not always reliable, as well as making the site heavier and slower to load.

Update your WordPress Regularly

Whenever a platform update comes out, update it as soon as possible. This measure serves to correct bugs and security holes that can be used by hackers to invade the system.
This process is very easy and it takes a few minutes to complete because it only takes one click to keep your site more secure and away from threats. Do not neglect this simple task and avoid taking risks!

Use strong passwords to secure WordPress

secure WordPress

This tip is valid for WordPress as well as for any other application or system. Avoid using obvious information such as names of relatives, birthday dates, or any other easy-to-find data. Forget sequential or repeated numbers and never save the password on public or third-party computers. The best passwords should match capital letters, numbers, special characters and should not be too short. Remember this!

Back up your website regularly

Even taking these precautionary measures, there is still the risk of your site being invaded or some failure that compromises the functionality of your web project.

If this happens, you do not have to be desperate, because with a backup you can restore everything in a short time. If you are not in the habit of making backups, think hard about how much you or your company can lose in case of data theft.

So set a day or a few hours to take care of just the security of your data and do not expect the worst to happen, as the damage and rework can be large.

Omit the current version of your WordPress

This tip sounds strange, we know, but there is a reason for that. What happens is that many hackers already know the specific vulnerabilities of each version of WordPress and leave the published version a “full plate” to try to break into your site.

If you do not know how to remove this information or do not feel secure, look for an experienced professional or some WordPress expert. But we have anticipated that this is very easy to solve or if you prefer, you can also use a plugin that performs this function.

Or add the below code to your wordpress header.php file.

<meta name = "generator" content = "WordPress 4.0">

Change the WordPress username

By default, WordPress generates “admin” as the username and knowing this, hackers already have some of the information to hack into your site, because the first and most obvious attempt to log into the site is the name “admin”.

Ideally, you should change this username and omit it so that it cannot be identified. This change can easily be made in the “Users” section of the administrative panel.

Review the theme used on your site

Unfortunately, some WordPress themes may come with built-in threats in the form of malicious code or files.

Malicious code can range from simple website promotion scripts to even some code that exploits the loopholes to try to steal or hijack data. Stay tuned for this, especially in themes that are used for e-commerce and e-commerce stores.

This is necessary due to the great use of the platform and to make available free themes produced by developers from all over the world. Therefore, it is very difficult to control or know the true intentions of each person.

Edit .htaccess file properly to secure WordPress

The proper htaccess code are given below add this to your website htaccess file before the default code.


# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress

Prevent PHP execution wp-content folder:

As you know, wp-content folder is writable by everyone as it stores all the plugins, themes and uploads. To preventing php execution use the below code in your htaccess file. Just below the above code:

 # Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all

Deny all from wp-config.php to secure WordPress 

wp-config.php contains your database name, username and password and other important data. Deny everyone from accessing this file in htaccess:

<files wp-config.php>
order allow,deny
deny from all

Disable File Editing to secure WordPress

Disable file editing on your WordPress dashboard using wp-config.php. Just add this code in your wp-config.php file:

## Disable Editing in Dashboard

define('DISALLOW_FILE_EDIT', true);

Use security plugins:

There are many security plugins available to secure WordPress website. You can install any popular one and secure your website.

Disable wp-admin access:

if you type wp-admin after your domain address in WordPress website, it redirects to login page. Hide this to accessing anyone.

You can use anything on the place of wp-admin. I use this plugin for this: WPS Hide Login

Lock your wp-login page from file manager:

Lock your wp-login page from file manager will help you to add extra security. When someone try to access to your login page it will ask that password is set in file manager.


Thinking about digital security is nothing new, but an essential factor nowadays in any web project. Although neglected, the area of ​​data security has been gaining notoriety, even more with the events of attacks and seizures of data that is occurring in the world.

Cyber-attacks are evolving every day and hackers are always improving how to circumvent the systems to gain benefits illegally.

In this way, increasing the security of your WordPress or any other system is extremely important to not have hassles or losses.  For more tutorials and information about the subject and also about website hosting, you will find other articles on our site.