In this competitive world of smart people, the Security of WordPress sites is emerged as one of the essential and important points to be taken into consideration.
Every serious site owner needs to pay attention to the best practices and implementation strategies for the security of their WordPress site.
Even though the WordPress Core is secure and audited regularly by talented developers and community members. There is still some scope to harden the security of your WordPress site.
As a site owner, there are lots of areas where you can work to improve the security of your WordPress site (even if you’re not a technical person).
In this guide, I will share all the essential and most important techniques to strengthen the security of your WordPress site. Implementing these techniques will help you protect your WordPress site against hackers and malware.
Before proceeding further, you must know the importance of Security and Why it is essential to be implemented.
Why WordPress Security is Important?
If your website or blog is insecure, then any hacker can easily hack your website and hamper your revenue and reputation (considering your monthly earning would be $100000).
Hackers are capable of stealing sensitive user information like their passwords, address, and phone number. Also, they can install malicious software to infect user devices and lead you to some legal complications as well.
The worst scenario can be that you should pay a ransom amount to hackers to get access back to your website.
Every Week, Google blacklists around 60K+ websites for malware and around 100K+ for phishing.
Being an online business owner, it is your responsibility to protect your website from illegal access, similar to how you protect your physical store from theft.
Effective Steps to Secure your WordPress site
I know that thinking about improving WordPress security can be a horrible and scary thought for beginners.
Initially, It was a challenging task for me too. But, as time passed and constant learning helped me overcome this challenge.
After that, I’ve started helping other newbies as much as possible. I’ve helped hundreds of WordPress users in hardening their WordPress security with the essential and most important steps.
I’ve hand-crafted a list of essential and most important security measures that will help you to harden WordPress security with just a few clicks and almost no coding required.
#1 Use Managed WordPress Hosting
Take Regular Backups via Reliable Sources
Backups are the essential and the first defensive step to fight back against any kind of WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so yours.
It will allow you to quickly restore your WordPress site in case of mess up, your website hacked or anything bad happened.
There are so many free and paid WordPress backup plugins available that you can use. But, all of these backup plugins can prove to be resource-intensive when it comes to site performance.
The most important thing you need to know is that you must regularly save full-site backups to a safe remote location like Amazon, DropBox, Google Drive, and Stash as well as enable backups on your hosting providers like WPX Hosting, FlyWheel, and Kinsta to do it (as they provide the hack-proof guarantee).
Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups (most of the managed hosting providers provide real-time backups).
It is your choice whether you need to back up your complete WordPress site using any third-party WordPress plugin or utilize the backups feature of Managed Hosting Providers or using both of them.
Change Default Database Prefix
By default, the WordPress default database prefix is:
If your WordPress site is using the default table prefix, then it will be easier for hackers to predict the table name of your database and perform malicious activities on your site. So, I recommend you change the table prefix of your site database for WordPress security
Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills or you can hire a developer to accomplish this point.
Using Unique WordPress Secret Keys
A WordPress Secret Key is a unique, random, and complicated string of data that hashes to ensure better encryption of information stored in the form of user cookies. It makes your site harder to hack by adding random elements to the password.
Using WordPress Secret Key is very important to ensure an additional layer of security to WordPress. You can find these WordPress Secret Keys in
wp-config.php file under WordPress root.
These WordPress Secret Keys are divided into 2 categories:
- Keys, and
Each of these categories has four different secret keys to add an additional layer of security. From these, four keys are required for enhanced security. While other four salts are recommended but are not required, because WordPress will generate salts automatically for you if none are provided.
In simple words, a secret key is a password with elements that make it harder to have enough scope to break through the site security barriers.
For example, A password like “password” or “test” is simple and easily broken. A random, long password that uses no dictionary words, such as “88a7da62429ba6ad3cb3c76a09641fc” would take a brute force attacker millions of hours to crack. So, salt is used to further enhance the security of the generated result.
You don’t have to remember these salts, instead make them long, random and complicated or simply use the online generator to generate new unique WordPress salts. You can change these at any time to invalidate all existing cookies.
Disable Directory Indexing
Directory indexing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.
It can also be used by other people to look into your files, copy images, find out your directory structure, and other information to create a clone of your site. Hence, I highly recommended that you turn off directory indexing on your server.
If you use any WordPress optimized hosting providers like MilesWeb, WPX Hosting, FlyWheel or Kinsta, then you’ll have Directory Indexing disabled by default which is a plus point.
If you are using any other hosting, then you need to connect to your website using FTP or cPanel’s file manager. Then, locate the
.htaccess file in your website’s root directory.
After that, you need to add the below line of code at the end of the
Then, save and upload
.htaccess file back to your site and confirm that the directory indexing is disabled or not.
If you’re not technical to do it on your own. Then, you can contact the support team of your hosting provider and ask them to disable directory indexing on your site. So, I believe all the hosting providers will do it free of cost for you.
#2 Keep WordPress Core, Plugins & Themes Updated
WordPress is an open-source web software that is regularly maintained and updated by a team of developers and contributors.
By default, WordPress automatically installs minor updates. You need to manually update the major releases from WordPress.
There are thousands of plugins and themes available freely on WordPress Plugins and Themes directory respectively that you can install on your website with a single click. These plugins and themes are maintained by third-party developers who regularly release updates as well.
These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date on your WordPress websites.
Alternatively, if you’re running out of time managing content and marketing, then I would suggest you use services like InfiniteWP and ManageWP for automating all the updates within a single dashboard.
#3 Use Strong Passwords
The most common WordPress hacking attempts to use stolen passwords or weak passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for the WordPress admin area, but also for FTP accounts, Database, hosting account, and even for your professional email address.
The main reason why beginners don’t like using strong passwords is that they’re hard to remember. The good thing is you don’t need to remember passwords anymore. You can use a password manager such as DashLane and LastPass.
Another way to reduce the risk is by providing access to the WordPress admin to only those persons you trust and are part of your team considering the user roles and capabilities in WordPress.
#4 Don’t use the default username
Previously, the default WordPress admin username is “admin” and usernames make up half of the login credentials. Hence, this made it easier for hackers to perform brute-force attacks and crack passwords.
Thanks to WordPress since they changed this and now allows you to select a custom username at the time of installing WordPress.
However, there are certain 1-click WordPress installers, still set the default admin username to “admin”. So, I would recommend that if you notice “admin” as the default username, then it’s probably a good idea to change the username of the website or switch your web hosting to a better one.
Note: I’m talking about the username called “admin”, not the administrator user role to avoid further confusion.
#5 Disable File Editing
By default, WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area.
This feature can be a considered high-security risk as any unauthorized user can easily change the code of your WordPress website.
Hence, I recommend you disable file editing. You can easily disable file editing by adding the following line of code in your wp-config.php
// Disallow file edit define( 'DISALLOW_FILE_EDIT', true );
#6 Limit Login Attempts
By default, WordPress allows everyone to try to log in as many times as they want. Due to this behavior, all WordPress sites are vulnerable to brute force attacks. Hackers try to hack passwords by trying to log in with different combinations.
This can be easily fixed by limiting the failed login attempts per user and then blocking the site access to IP Addresses that are trying frequent failed login attempts.
To implement login attempt limitations, you need to install and activate the Login LockDown plugin. After activating the plugin, visit the Settings » Login LockDown page to configure the plugin as per your needs and frequency of brute force attacks on your WordPress website.
#7 Disable XML-RPC
XML-RPC was introduced in WordPress 3.5 and is enabled by default because it helps to connect your WordPress site with web and mobile apps.
However, because of its powerful and vibrant nature, XML-RPC can exponentially increase the risk of brute-force attacks on your site.
For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.
Using XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with around 20 to 50 requests.
Hence, I would recommend disabling XML-RPC, if you’re not using it.
#8 Auto Logout Idle Users
Sometimes, Logged in users can go away from the screen being idle instantly after login, and this poses a high-security risk. Someone can hijack their session, change passwords, or make changes to their account in the meantime (especially on public computers).
This is the reason why many banking and financial sites automatically log out of an inactive user. You can implement similar functionality on your WordPress site as well.
You need to install and activate the Idle User Logout plugin. After activating the plugin, visit the Settings » Idle User Logout page to configure plugin settings.
#9 Add Security Questions
The login screen is the most risk-sensitive area for any website. Adding a security question to your WordPress login screen will make it harder for anyone to get unauthorized access to the site.
You can easily add security questions by installing the WP Security Questions plugin. After activating the plugin, you need to visit the Settings » Security Questions page to configure the plugin settings.
These are the WordPress security steps that I follow to secure my site.
You can do the same to secure your WordPress site from hackers who can inject malicious code into your site.
If you still have any questions, you can contact me anytime, I’ll revert back to you with all the possible ways you can secure your WordPress site.