WordPress security. Secure WordPress. Ultimate guide to security in WordPressSo many people blame WordPress just because their site got hacked, so even go as far as discouraging others not to try and use WordPress, saying it’s an open script hence the security level is not high. But that’s not true, WordPress is secure and the fact remains that it is an open script for anyone to see and use makes it more secure than several blogging platforms. WordPress Security is tight if you put the best practice in place.

Is your site hacked? Sorry, no offense but it’s your fault and blames not WordPress for it. First, you need to ask yourself: What are you doing to put your WordPress powered site secure? It is your responsibility to apply a security patch to your site.

Today, we will give you some simple tricks to secure your WordPress site without the fear of being hacked.

  1. Update WordPress Core Files Always: The power of WordPress security lies in its update. So many people make the mistake of overlooking WordPress ignoring available updates that their sites need. Whenever a major update is released, some often think it is just about adding new features which is usually not the case. The reality is that Major security update is also available. To update your WordPress, simply click the update tab and you will see any available update for you to apply on your blog or website. But remember to back your site before updating.
  2. Update WordPress Themes and Plugins: Just like the above illustration given, many don’t update their WordPress Themes and Plugins. Themes and Plugins developer often times release an update for their plugins and themes to fix bugs, tighten security and also add more features. Always apply necessary updates on time before hackers get the best of you.
  3. Remove your WordPress version number: This is another step that must be taken with carefulness. Most hackers first look for your WordPress version number (which can be found right there in your source code) then the hacker launches an attack on your WordPress site. The version number makes it easy for the hacker to tailor-build the perfect attack towards your site. To rightly deal with this, you can simply install a WordPress plugin called WordFence Plugin, Bulletproof Plugin, or iThemes Plugin (Formerly Better Security Plugin)
  4. Disable directory listing with .htaccess: With this feature not disabled, it makes anyone view your directory without any hassle. With this, an attacker can easily find out your vulnerability. For example, an attacker can see a directory(folder) named: tools (if you have it created in your file manager)…just by typing your URL like this:


         without typing any password, they can see all files and folders just like that. It is advisable you remove directory listing with this code:

 Options All -Indexes 

This code should be added to your .htaccess file

  1. Disallow file editing: Another mistake site owners using WordPress do make is to forget to disallow file editing in their WordPress Admin Dashboard. This feature allows you to execute code within your Dashboard. An attacker can easily leverage on this feature without any difficulty in harming your site. But with the code below, paste in your wp-config, you disable the feature.

Paste this code into your wp-config:

 define('DISALLOW_FILE_EDIT', true); 
  1. Protect the wp-config.phpfile: This is arguably the most important file in your WordPress file. It makes your site to be well connected to the database. Protecting this file literally means your whole site is a thumb up at least for simple security. You can secure this file by moving it a level up outside the WordPress core file root directory. WordPress will automatically look for the file by looking up a folder.
  2. Set directory permissions carefully: Setting the wrong permission for the directory can backfire on your site security. Every file and folder work on privileges that are set for their respective role and this is very important when you are on a shared hosting subscription from your web hosting company. For more, you can read about correct permission scheme of WordPress or install the iThemes Security plugin to check your current permission settings.
  3. Set strong passwords for your database: Your database is like the powerhouse of your website. If it powers your website, you can be sure that when the power shuts down, your site will definitely take a nose dive, and that you don’t want. To make sure your WordPress security is tight, make sure you set a strong password for your database.

As always, use uppercase, lowercase, numbers, and special characters for the password. We once again recommend password generator as a useful resource.

  1. Back up your site regularly: Don’t fall into the trap that your site cannot be under attack. Face the reality and have your backups intact in your desired location. And again, don’t rely on your hosting company, promising to do backup for your site. The popular saying is “if you want something done, do it yourself”. These plugins will definitely help you get it done: VaultPress by Automatic, Backup Buddy, UpdraftPlus, BlogVault, and CodeGaurd.
  2. Change the WordPress database table prefix: Many do make the mistake of installing WordPress with the default database prefix, which is a bad practice. But no worries, you can still change this even after installation but you will definitely need to back up your website before you even dare try this. With the plugins listed above, you can fully back up your website without a headache and get this done. To change the WordPress database table prefix, you will need either of these plugins to help you do that with ease and they are iTheme Plugin (Formerly Better Security) or WP-DBManager. With just a click of a button, these plugins will do the job perfectly well. But remember to backup as earlier stated.
  3. Change the admin username: A larger percentage of websites hacked by attacker were penetrated via brute force attack when the attacker kept trying to log in using the “Admin”. We can’t tell you how many times we have scrolled through my website logs, and found login attempts with username “admin”.

The iThemes Security plugin can stop such attempts cleverly by immediately banning any IP address that attempts to log in with that username.

  1. Add user accounts with care: When running a multi-author blog, you will want to watch out for activities happening on your WordPress Admin Dashboard. With this busy site, you will need to enforce strong password and also be careful to make sure the right user is added without giving out access to the wrong user. A plugin called Force Strong Password will help make their password strong and accept not any weak password.
  2. Monitor your files: If you want some extra added security, you can monitor the changes to the website’s files via plugins like WordFence, or again, iThemes Security.
  3. Use SSL to encrypt data: Secure Socket Layer(SSL) is one of the smart moves you can make to make sure your site is login process is encrypted without phishing.it creates some secure login parameters for you and the site whenever you want to have access to your site backend. Web hosting like inMotion and Hostgator offer free SSL for all our users in any of their hosting packages chosen. The SSL certificate also affects your website’s rankings on Google. Google ranks sites with SSL higher than those without it. That means more traffic. Now, who doesn’t want that?
  4. Protect the wp-admin directory: To make your site a little more secure, you will have to make sure you protect your wp-admin directory. This directory is the Heart Beat of your WordPress installation. One possible way to prevent this is to password-protect the wp-admin With such security measure, the website owner may access the dashboard by submitting two passwords. One protects the login page, and the other the WordPress admin area. If the website users are required to get access to some particular parts of the wp-admin, you may unblock those parts while locking the rest.

You can use the AskApache Password Protect plugin for securing the admin area. It automatically generates a .htpasswd file, encrypts the password and configures the correct security-enhanced file permissions.

Also Read: How to remove WordPress Login Error Shake

  1. Rename your login URL: Another thing you can easily do with ithemes security plugin is to rename your login URL. By default, WordPress login URL can be accessed using this following link:
a href="http://www.example.com/wp-admin"
a href="http://www.example.com/wp-login"
www.example.com/ wp-login.php?action=register

Change the end slug to something unique, that only you and your users will have access to. You can take advantage of the earlier mentioned plugin (iTheme Security Plugin)

  1. Use email as login: By default, WordPress allows you to log in using your username. But a better option can be the use of email. Since every user is assigned with an email that can not be used by more than one user, then switching to email shouldn’t be a problem. Attackers can easily guess your username when compared to email.

With the use of plugins like WP Email Login, the task can easily be done without much hassle.

  1. Set up website lockdown and ban users: A lockdown feature for failed login attempts can solve a huge problem, i.e. no more continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.

We found out that the iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect. You can specify a certain number of failed login attempts after which the plugin bans the attacker’s IP address.

(Alternatively, you can also use the Login LockDown plugin that was built to help you with this problem only.)

  1. Use 2-factor authentication: Introducing the 2-factor authentication (2FA) at the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, etc.

We prefer using a secret code while deploying 2FA on any of my websites. The Google Authenticator plugin helps me with that in just a few clicks.

  1. Adjust your passwords: Play around with the website’s passwords and change them regularly. Improve their strength by adding uppercase and lowercase letters, numbers, and special characters. This password generator is a useful resource.

Now you know all the basics including expert tips about WordPress security, your site should be more difficult than the previous should you put everything in this post in place.

You can also read Beginners Ultimate Guide to SEO

Now you know the ultimate guide to WordPress Security, your comment is an encouragement to us, most people don’t comment, they just bounce off after reading, but your comment is a lot precious to us. We will definitely respond should your comment require so. Thanks for reading.

If you have found a spelling error, please, notify us by selecting that text and pressing Ctrl+Enter.


CMSFolks Editorial Crew

Editorial Staff at CMSFolks is a team of WordPress experts led by Ajayi Adekunle. Site maintained by CMSFolks Studio.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close Menu


Spelling error report

The following text will be sent to our editors: