Saturday , November 28 2020

19 Best Ways to Secure WordPress Website – WordPress Security

Best ways to secure WordPress web- WordPress security

WordPress security is not a simple task to do. As of today, WordPress faces thousands of failed attempts to access the site. In the past year, I had more clients for the “how to secure WordPress website – WordPress security” than “developing” them.

Attack ratio has increased more than ever. So, there are plenty of best ways to secure your WordPress site.

Malware attacks are one of the major issues. It messes up with your site without letting you know “actually what’s going on”. It might send lots of unwanted emails to any users or it might be the reason to lose important data from the site.

Another headache for the WP site is hacking. Today, hacking any WordPress website gives immense pleasure to hackers. They want to hack at least one WP site as their achievement. And we make it simple for them by not taking enough precautions.

If you are new to the blogging concept and don’t know anything about it, you can start with the following basic articles.

What is a blog? Blogging Basics

How to start a WordPress blog

9 Best Ways to Optimize Your Blog Posts for SEO

How to make money from blogging in 2020

What is Freelancing..? How exactly freelancing work..? Freelancing Pros & Cons

Sell digital products and services online on Envato


You can also check some tweaks or simple yet helpful solutions in the below article.

How to Stop WhatsApp Without Switching Off Internet

How to increase WordPress website speed – 13 Tips

How to use two Skype accounts at the same time

How to block email id in Gmail?

Access your Email in Gmail OR Connect webmail with Gmail


How to secure WordPress website – WordPress Security

1. Use WordPress Security Plugins

This is one of the most important security measures for securing any WP site. Security plugins secure WordPress website like 75-80%. They have plenty of options to take into consideration.

Each plugin has its own plus points. So, it depends on the user to choose the best one according to their requirement. These plugins work on different issues like

  • Block hacking attempts
  • Scheduled Malware Scanning
  • Maintain Logging
  • Security Alerts
  • File Comparison
  • Import/Export Settings
  • Many more

Please have a look at the best 5 free WordPress security plugin

Wordfence is the best WordPress security plugin and free as well. It has a paid version if you want added functionality.


2. Hide regular login URL

90% of the WP websites get hacked because of this simply vulnerable loophole. It’s a very common habit of all developers to use the default login URL after the installation of WP. Developers never change the login URL. By default, WP uses URL structure.

It’s like an open invitation for hackers to use this URL and hack us. We make it very simple for him by not changing the URL path. So, always change your default login URL to something different.

You can use the “WPS hide login” plugin for that. Its very lightweight and easy to use. You just need to mention the path you want to use for login. And you are good to go. No other setting, nothing. It plays an important role in WordPress Security.


3. Never use a common username

Do not use common usernames like admin, demo, admin123, demo123, etc. Or username with a domain like “technolizers” in my case. Hackers always go for these usernames as this is a common thinking process for any individual user.

Lots of developers forgot to change the default username i.e admin. Hackers try to login with such usernames. And, If they are lucky enough to log in, you know what can they do with your site.

So, always try to use different usernames. The one which is not at all related to your business or site or literally out of context like – black sugar, white leaf, dark money. These sample usernames cant be imagined by any hacker or any person in that case. And really helpful to secure your site from username point of view.


4. Use strong password

Always, always and always use a strong password. Users or admin always use weak or medium passwords. Passwords must be strong. Must have a special character, number, upper, lower case, etc. Must be at least 16 digits long. I always use a 30 digit long password.

Best ways to secure WordPress website - WordPress security - Password Generator

I use a specific password generator website for generating strong passwords. It gives you options to select passwords of your choice. It makes passwords much stronger and secure WordPress website.


5. Use purchased theme

Never, ever use “nulled themes” or “free download of professional themes”. It always has vulnerable files which furthermore creates a back entry for hackers. The user uses such free download and, as a result, gets blocked on the server or shows malware files.

Actually what happens is, hackers, add vulnerable script themselves in such pro theme and keep it for free download on different sites. Users search for such free download and use them in their sites. Hackers get ideas and enter into your site through that vulnerable script.

So, always use a professional theme and stay safe with a secure WordPress website


6. Update all plugins and themes

Companies always come up with new versions for their plugins and themes as they have some bugs in old versions. Those bugs might be related to security patches or might be new features added into the existing application to make it much better.

To use the new features and avoid security issues, we must update all the plugins and themes with such updates.

While plugins and themes are updating themselves for a better future, how can WordPress stay behind? They also provide updates with security patches, bug fixation, and new features. Developers must keep the WP version updated.

According to WPBeginner survey,

Best ways to secure WordPress site - WordPress security - WPBeginner Resource

So, keep WP, plugins, and themes updated.


7. Backup database as regular interval

Database is the heart of any WordPress site. If someone loses WP files, it’s still okay. We can copy new files and upload new images.

But if you lose DB, then you can’t do anything. You will lose the text data, passwords, settings, and revisions of the entire site.

You must back up your database at a regular interval of time. This interval depends on how frequently you make changes in your site.

Although, it’s a good practice to backup your DB at least every day or every week, even though you make changes into the site or not. You can delete those backups anytime.

Best ways to secure WordPress site - WordPress security - Backup Plugin

Use the “UpdraftPlusplugin, for backup and restoration purposes. It’s very powerful plugins with a scheduled backup.

It’s very easy to use and backs up to Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, Backblaze B2, SFTP, SCP, and WebDAV with the paid version.

Free version helps you to backup DB on your own server.


8. Use strong prefix and strong database name

WordPress uses default prefix for any installation i.e “wp_“. As, its default prefix, hackers also familiar with it and try to access the DB with the same prefix. So we must use a prefix like “mqhz_“. You can use anything which cant be imagined easily by anyone.

The same case happens with the DB name. Developers tend to always use database name as the company name or website name like – my DB name could be “technolizers“. But not. I can keep it – “sweet salt“. You can keep the best suitable for your site.

So use strong prefix and database name to secure WordPress website. Do not use the DB name as a business name or website name. And do not use default prefix.


9. Hide WordPress Version Number

WordPress version number is not harmful but it can definitely create a mess. Once, hackers come to know the WP version, they come to know which vulnerable issues were exist with that particular version and they try to use those loopholes to hack your site.

Best ways to secure WordPress site - WordPress security

Therefore, hide your WP version number to maximize your site security.  In this process, there are many options but everyone must use this –

Add the following code at the bottom of functions.php in the theme folder

function remove_version_info() {
  return '';
add_filter('the_generator', 'remove_version_info');

Sometimes scripts and styles also have WP version numbers. We must remove that too. Add the following code after above one

// Pick out the version number from scripts and styles
function remove_version_info_from_style_js( $src ) {
  if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) )
    $src = remove_query_arg( 'ver', $src );
    return $src;

add_filter( 'script_loader_src', 'remove_version_info_from_style_js' );
add_filter( 'style_loader_src', 'remove_version_info_from_style_js' );


10. Delete non-used Themes and Plugins

Many sites have unused themes and plugins installed. They even do not use them at all. One of the best examples of such a case is defaults – twenty-fifteen, twenty-sixteen themes.

Actually what happens is, if users do not use any plugin, they do update them in most of the cases. And it becomes a vulnerable loophole from the site’s security point of view. So, one must delete such themes and plugins.


11. Change password at regular interval

Using a strong password is a different thing whereas using various passwords is another thing. Every user must change the password at regular intervals. Changing a password does not harm the site or does not acquire space.

We know, nobody knows our password. And if someone does, then why would he wait to hack the site. But, besides all these points, it’s a good practice to keep changing passwords.

You can use the mentioned site in 4th point or any site of your choice.


12. Limit login attempts

If an authorized user tries to log in, he will enter the wrong credentials for 1-2 times. But if some hacker tries to log in, he will keep trying until he logs in. In such a case, a developer can limit login attempts.

If you set login attempts to 3, the user must enter correct credentials in these 3 attempts. Once all the three attempts are failed to log in, that IP address will get blocked for the mentioned time period.

It’s one of the best security measures. As authentic users have correct credentials, they won’t fail to login. Its only hacker who keeps trying with the number of failed login and will automatically get blocked.


13. Logout Idle Users

Many times, users surf other websites and forget to logout from our site. Or sometimes, the session doesn’t get logged out until someone logs it out manually.

As a result, another person can have access to our accounts. User in-activeness for a longer time is also harmful.

To avoid this, we can forcefully log out idle users after a particular time period. Most of the security plugins have this option. You can use a dedicated plugin too.

Developers just need to mention the value to stay idle. Once the duration is over, it will automatically log you out.


14. Don’t display error

When someone tries to login and failed, WordPress generates an error message stating the Wrong password entered for username “xyz”. Remember, it gives such error when you enter the right username only.

Best ways to secure WordPress site - WordPress security

But still, if you don’t allow such error to display, how the user will come to know that he is using the correct username. The user might be a hacker too. So, it’s better to hide these errors for better safety.


15. Secure wp-config.php 

Anyone who is trying to access the wp-config file must not access it as no one has nothing to do with this file. So, we can use following code to deny anyone from using this file

<files wp-config.php>
  order allow,deny
  deny from all


 16. Disable File Editing through WordPress

If you are an authentic user, you must edit the file through c-panel or on the localhost and upload it via FTP. Therefore, No one must edit the file through the WP editor section. To avoid editing through the WP editor section, we can add the following code at the end of the wp-config.php file

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

Best ways to secure WordPress site - WordPress security


17. Restrict File Permissions

File permission should be

Folder = 755 –> Owner can read and write, and others can only read and execute.
Files = 644 –> Owner can read and write, and others can only read the files.


18. Use right web host services

Study whether your web host provider is well secured or not. Whether it takes security precautions for shared hosting or not. It is very much important.

Many times, it happens that you use shared hosting. If other sites hosted on the same server gets infected, it might cause you to block your site too. OR you can experience a cross-site infection.

So try to choose strong and secured web hosting.


19. Secure WP-Includes

As far as the use of “wp-includes” is concern, it has some scripts which must not be accessed by any user. In order to protect them, WordPress itself has given a code.

The code must be added before #BEGIN WordPress or after #END WordPress. It can be overwritten by WordPress.

# Block the include-only files.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]



I am pretty sure, if someone implements these many points, his site will be much more secured. This article covers almost all major points for securing the WP site.

Ultimately, We got covered with the following vulnerable points for the best ways to secure WordPress website – WordPress security.

Wordfence WordPress security plugin, Default Login URL, WP-include access, WP file editor access, wp-config access, file permissions, malware attacks, DB backups, use of weak passwords, appropriate web hosting, idle user logout, login attempt limitations, plugins & themes timely updates, etc.

Plugins that I mentioned in some points are best at the time of writing this article. Daily, new plugins come into the market. You can choose as per your requirement.

I am sure you will find this article very helpful, as security is one of the major concerns for WP nowadays.

If you liked the post, please share it with your friends and colleagues. And like and follow me on social media. Thanks..!!!

About Author


Check Also

How to install WordPress on localhost – Complete WordPress installation guide

Anybody who wants to start with WordPress gets this question. How to install WordPress on …