WordPress Security – 30 Best Steps to Secure WordPress Website

wordpress security

WordPress security is the most important thing for your online business. If your website gets hacked then your traffic from the search engine will be lost.

Your ranking will be dropped. My website has been hacked 2 times (not this one, I have two more blogs other than usersadvice).

I have lost almost 80% of my traffic when my website gets hacked.

I removed all the malicious codes and files. After that, I worked on my site for a few days continuously to get my ranking back.

I managed to rank my website again. What I want to say is always take WordPress security seriously.

After that, I have learned many tricks and information to protect a website.

In this guide, I will share some best ways to protect your WordPress website and I suggest you implement these things on your website as quickly as possible.

This is chapter 14 of the free blogging course for Beginners.

Before adding any code provided in this tutorial to your website I recommend to take the backup of your whole website before making any changes.

WordPress Security

When my site got hacked at that time I was not using any WordPress security plugin But now, I am using the premium plan of a security plugin to protect my blogs.

In this post, I will share some best methods that you can use to make your WordPress website more secure. WordPress is a secure platform.

It is very important for all of us running a website or using the Internet in our daily life to know cybersecurity attacks and how to deal with them to protect yourself.

But as an owner of your blog, you have to take all the responsibilities to protect it from a different type of hacking attacks.

How to Secure WordPress Site?

I have listed a total of 30 steps that you can use and implement on your WordPress website to make it secure.

In short, Always use a security plugin, a good and trusted web hosting, and keep your themes, plugins, and WordPress version updated.

Best WordPress Security Plugins

Use a WordPress security plugin to protect your website from hackers. There are many WordPress security plugins available.

You can install any one WordPress security plugin but don’t keep two security plugins together as it may cause problems.

Some best free Plugins to secure the website in my opinion. I have listed only those plugins that I have used and tested on my website. You can use any of these WordPress security plugins

  1. Wordfence – Best free plugin and it also provides 2-factor authentication feature in the free version
  2. All in One WP Security & Firewall – Overall it is a good plugin that offers too many security features
  3. iThemes Security – Another popular WordPress security plugin but not as good as Wordfence
  4. Cerber Security – It is a good plugin to secure WordPress website and it offers a lot of features in the free version
  5. Sucuri – Free version is good for hardening the website security but the main features are provided in the premium version.

Use a Good Web Hosting

Always use a well-known and trusted web hosting companies like Bluehost or Cloudways. WordPress Installation is a software that is uploaded on a server.

Therefore, a secure server is very important to protect your website from hacking attempts.

If your current web hosting is not providing proper security such as a server-level firewall to alleviate DDOS attacks, uses the latest hardware, updating the operating system, applying security patches, etc then you can move your website to the above web hosting that I have mentioned.

Set a Difficult Username

If you are a beginner and planning to start a blog then at the time of WordPress installation, set a difficult username. By default the username is admin and every blogger knows this.

But if you are using the default name which is admin. Then, it becomes easy for hackers to guess the username and do the brute-force attacks.

Therefore, set a username which is difficult to guess.

Username can not be changed once you saved the name. If your username is admin then create a new admin, set a good username, and transfer/assign all the posts that you have published to the new admin that you have created.

Now, delete the old admin account.

Use strong password

A strong password makes it difficult to guess the password. So, always use a strong password.

Use uppercase, lowercase, numbers, and special symbols (%,#,*,&) to set a strong password.

Your password should be at least 10 words long.

Stay updated with the latest version of PHP

If you are using shared hosting or cPanel based hosting then you can easily change the PHP version by going to the PHP selector and then select the latest version. Click on the save changes.

You can also contact your web hosting support and ask them to update the latest PHP version.

Always use WordPress free themes or premium themes

Always install a WordPress theme or plugin from the trusted sources. Therefore, I suggest using a free theme is a better idea.

You can also use the premium themes like generatepress which is a light-weight theme and hence it helps to load the website quickly.

Never install nulled plugins or themes

What are nulled plugins/themes? These are the pirated copies of the original plugin or theme that can be available to download for free.

As I have already mentioned that you can use free themes and plugins but do not use nulled plugins or themes.

The reasons to not use nulled plugins are:

  • The biggest reason is the security of your WordPress website. The nulled plugins can contain malware.
  • You will not receive the latest plugin updates. So, you can not enjoy the latest features. The latest updates fix all the bugs and security issues. So, It is not good for website security.

Update WordPress Plugins and Themes

Whenever a new plugin or theme update comes then update that as soon as possible because in new updates developers fix the security issues, improve the performance, the developer may provide new features, etc.

Therefore, Always keep your WordPress files, themes, and plugins updated.

Always take a backup

Backup is the most important thing that you need to take daily or weekly.

You can use plugins like updraft to take your whole website backup automatically to Google Drive, Dropbox, Microsoft OneDrive, Rackspace, etc.

Updraft plugin can take backup on an hourly, daily, weekly, or monthly basis. So, you don’t need to take stress for daily or weekly backups.

You can also take the backup of your website manually by saving all the files and database.

Hide wp-admin

Everyone knows that using /wp-admin or /wp-login.php can take you to the login page of the WordPress website.

If you change this URL to something else, then hackers can not find your login page.

Therefore, it makes it difficult to do brute-force attacks to hack a website.

It is a good step to hide the wp-admin and wp-login.php to something else for WordPress security.

You can easily hide wp-admin using the plugin WPS Hide login.

Disable XML-RPC

I suggest you disable XML-RPC to prevent hacking attempts like brute-force and strengthen your WordPress security.

By default, It is enabled. If you are using the Jetpack plugin then you can keep it as to enable because it is required to post automatically all the latest published articles to your social media pages.

But if you are not using the Jetpack plugin and you do not have any need of XML-RPC then I suggest to disable it.

You can disable it by using a plugin, contact your hosting support, or by inserting a code in the .htaccess file.

You can paste this code in your .htaccess file. If you do not find this file in your hosting then you can create a .htaccess file using the text editor.

#Disable XML-RPC
<Files xmlrpc.php>
order deny,allow
deny from all

Use 2-factor authentication

To strengthen your website security to the next level I suggest using 2-factor authentication login.

Without a six-digit code, no one can log in to your WordPress dashboard. To enable 2 Factor authentication on your website you can use plugins like Two Factor Authentication and Wordfence.

I have already explained a step by step guide to set up 2-factor authentication on your WordPress website using Wordfence.

Change the database prefix and DB Name

Database prefix is in the format wp_ and it is by default. If you are a beginner or going to install WordPress then take care of this thing.

Change the database table prefix and database name to something else. The reason to change the table prefix is that it becomes easy for hackers to guess the table name.

So, changing the name can help you up to some extent to prevent attacks like SQL injection.

You can change the database prefix and for that, you need to first backup your website because it can break your website.

You need to make a change in the wp-config.php file in which you have to change table prefix and then change all the database tables names by going to the PHPMyAdmin.

I can not explain all the things in this post because it is a little bit lengthy process and it needs a separate post. So, I will insert a link here when I complete the post on this topic.

Use Cloudflare

Cloudflare is one of the best services for website protection from attacks like DDoS, Enhanced security with Web Application Firewall, Role-based account access, etc.

Cloudflare offers free as well as paid plans. Currently, I am using the free plan. The free plan also offers many security features.

You will get a free SSL certificate for your website, protection from DDoS, etc.

Disable Image Hotlinking

Now, your first is definitely: what is image hotlinking? Image hotlinking is stealing of your bandwidth by any other website by using your images directly from their URL on your website.

It can also slow down the speed of your website, increase bandwidth usage, and increases your server cost.

If you are using All in One WP Security and Firewall plugin then it has the in-built feature to block image hotlinking.

But if you are not using this plugin then you can add this code in your .htaccess file and yes, don’t forget to change usersadvice.com with your domain name.

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?usersadvice.com [NC]

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Hide WordPress Version

Anyone can see your website WordPress version using the source code.

By using this way, a hacker can know the WordPress version and if you are not using the latest WordPress version then you may be in trouble. As the new updates fix all the bugs and security issues.

If you are using the Wordfence plugin then it has this in-built feature. But if you are using any other WordPress security plugin then you can paste this code in the function.php file and you can find this file in your themes folder.

<?php remove_action(‘wp_head’, ‘wp_generator’); ?>

Google Alert for Indexed Pages

Only a few bloggers are using Google alert for indexed pages but it can help you a lot. Google will send you an alert whenever a new page is indexed.

Most of the time when the website got hacked. The hackers use to add new posts and pages on the website. Using this tool, you can know the indexed pages. It is a free tool.

Therefore, I suggest you also to use this tool. Open Google alerts and create an alert for your website. Type your website URL in the create an alert about, like in this way.


set google alerts

WordPress Folders File Permissions

You can check your WordPress folders and file permissions by login to your hosting account and then open cPanel to see all the folders and file permissions.

You can also use FileZilla to check the file attribute of the WordPress folder. Wrong directory permissions can be a threat to your WordPress security.

For the folders/directory, the permission should be 755 and for the files, it is 644. You can set it by going to your web hosting control panel.

If you are using VPS hosting then this can be done through the terminal by using the command chmod.

Disable Error Reporting in WordPress

Error reporting in WordPress helps us to know which specific plugin or theme is causing an issue but it will also display the server path. Using this the hacker can take advantage of this moment.

So, it is a good idea to disable error reporting. You can add this code in the wp-config.php file to disable it.

// Disable Error Reporting


@ini_set(‘display_errors’, 0);

Use ReCaptcha on the Login Page

Use reCAPTCHA on the login page of your website. It will help to prevent bots to attempt to login.

You can use Wordfence free version to use reCAPTCHA on the login page or use themes security pro version.

reCAPTCHA can be helpful for WordPress Security. I am using both on my two other sites. You can see the image below how it looks.

In the iThemes security, When you are using reCAPTCHA on the login page then it will look like this.

wordpress security to secure a website

If you are using Wordfence plugin then it will look like this in the image below because Wordfence provides reCAPTCHA V3  integration while iThemes security is providing reCAPTCHA V2.

recaptcha for wordpress security

Disable Directory Listing

It is another good step that you can implement for WordPress security. Directory listing can be used by attackers to see the files and check if there are any vulnerabilities so that he/she can use it to gain access to the website.

You can easily disable directory listing by adding this code to .htaccess file.


Options -Indexes

Protect the wp-config file

wp-config.php is a very important file for the WordPress security that contains data like DB name, table prefix. You can easily harden your wp-config.php file by adding this code in the .htaccess file.

<files wp-config.php>

order allow,deny

deny from all </files>

Disable User Registration

If your website does not require user registration or log in or you don’t allow any user to post content on your website then disable the user registration on your website and hide the login page.

You can disable the user registration by going to the settings and then in the general settings you will see the option membership.

Uncheck that option and click on save changes. This helps to secure your website to some extent.

how to protect a wordpress website from hackers

Limit Login Attempts

This is another best step to strengthen WordPress security and prevent brute force attacks. Login limit attempts help to lock those users who have tried multiple attempts to login but failed.

You can set the number of login attempts after which a user will be locked to try for the login attempt to the website dashboard.

To limit login attempts, you can use Wordfence or Login LockDown plugin.

Protect .htaccess file

.htaccess is an important file where you can set multiple security and other functions. So, to protect your .htaccess file you can add this code to your .htacess file.


<Files .htaccess>

order allow,deny

deny from all


Disable PHP File Execution

If you want to further improve your WordPress security then you can disable PHP file execution using this code and paste it in the .htacess file.


<Files *.php>

deny from all


If you are using Wordfence security plugin then it provides this feature in a single click.

Regularly or Weekly Scan your Website

Wordfence provides the website scanning feature that you can use to check your website health.

You can scan your website on a weekly basis

Disable File Editing of Your WordPress Website

To harden your WordPress security you can disable the file editing of the themes and plugins which is the first and most common target of a hacker to insert codes.

If you disable file editing then you can edit the files from the cPanel but not from the WordPress dashboard. You will not be able to see the theme editor option after making the changes.

If a hacker successfully enters your website admin area then he/she can not change the themes or plugins files or execute any code into it because it is not accessible after adding this code written below. So, in this way, no one can edit theme and plugin from the dashboard.

To disable the file editing you can paste this code in the wp-config.php file.

// Disable file editing

define( ‘DISALLOW_FILE_EDIT’, true );

Use 2 Step Verification for Web Hosting

Almost all the web hosting companies provide 2 step verification feature to secure your account.

Therefore, Don’t forget to turn ON 2-step verification.

Never use Public WiFi

Public WiFi or Open Wi-Fi (free Wi-Fi) is not always safe. If you don’t know who is providing the connection then don’t connect your device with Wi-Fi.

WiFi eavesdropping is a man in the middle attack method that hackers can use to set up an open Wi-Fi connection to get access to all the information that you are browsing by inserting himself in the connection between you and server.

Therefore, He/She can access any sensitive information.

Don’t open unknown Links or Emails

If you have received some unknown emails or links in the message then always avoid to open unknown links or emails because it may be the phishing attempt or Stealing browser cookies.

Stealing browser cookies is a type of man in the middle attack in which the attacker can steal your passwords, data, and other sensitive information.

How to Recover a hacked WordPress Website?

This topic required a different post because it is a vast topic to explain all the things step by step so that you can understand it easily.

My website had been hacked two times and I have successfully recovered that website and also recovered the lost traffic.

So, In short, I will mention some points here that you can follow and I will make a separate post on this topic.

You can recover a website by deleting malicious files and codes that hackers have inserted in your website theme and other files.

To find those files in which hackers have inserted the malicious code you can use Wordfence to scan your website and after the complete scan, it will show you the infected files.

Now your work is to see the files changes and remove the malicious code. Wordfence will show you the original code and inserted code. So, in this way you can easily identify the file changes.

If you have any doubts or problem-related to WordPress security then you can ask your question or any other solution in the comments.


Related Chapters: