Friday, September 21 2018

19 Best Ways to Secure Your WordPress Site

How to secure your WordPress website
Securing a WordPress site is not a simple task. As of today, a WordPress site faces thousands of failed attempts to access it. In the past year I had more clients asking me to secure their WordPress sites than to develop them. The rate of attacks has increased more than ever, so here are the best ways to secure your WordPress site.

Malware is one of the major issues. It messes with your site without letting you know what is actually going on. It might send lots of unwanted mail to your users, or it might cause you to lose important data from the site.

Another headache for a WP site is hacking. Today, hacking any WordPress website gives immense pleasure to attackers; they want to hack at least one WP site as an achievement. And we make it simple for them by not taking enough precautions. So,

 

Best ways to secure your WordPress site

1. Use Security Plugins

This is one of the most important security measures for any WP site. Security plugins cover roughly 75-80% of what needs securing, and they have plenty of options to take into consideration.

Each plugin has its own plus points, so it is up to the user to choose the best one according to their requirements. These plugins work on different issues such as

  • Block hacking attempts
  • Scheduled Malware Scanning
  • Maintain Logging
  • Security Alerts
  • File Comparison
  • Import/Export Settings
  • Many more

Please have a look at the best 5 free plugins.

 

2. Hide regular login URL

90% of WP websites get hacked because of this simple loophole. It is a very common habit of developers to keep the default login URL after installing WP; they never change it. By default, WP uses the www.mydomain.com/wp-login.php URL structure.

It is like an open invitation for an attacker to use this URL against us. We make it very simple for them by not changing the URL path. So, always change your default login URL to something different.

You can use the “WPS Hide Login” plugin for that. It is very lightweight and easy to use: you just need to enter the path you want to use for login, and you are good to go. No other settings, nothing.

 

3. Never use common username

Do not use a common username like admin, demo, admin123, demo123, etc., or a username derived from your domain, like “technolizers” in my case. Attackers always try these usernames first, because this is the common thinking process of any individual user.

Lots of developers forget to change the default username, i.e. admin. Attackers try to log in with such usernames, and if they are lucky enough to get in, you know what they can do with your site.

So, always use a different username: one that is not at all related to your business or site, or literally out of context, like blacksugar, whiteleaf, darkmoney. Such usernames cannot be guessed by an attacker or anyone else, and they really help secure your site from the username point of view.

 

4. Use strong password

Always, always and always use a strong password. Users and admins often use weak or medium passwords. Passwords must be strong: they must contain special characters, numbers, upper and lower case letters, etc., and must be at least 16 characters long. I always use a 30-character password.

Password Generator

I use a specific password generator website for generating strong passwords. It gives you options to choose the kind of password you want, which makes the passwords much stronger.

 

5. Use purchased theme

Never, ever use “nulled themes” or “free downloads of pro themes”. They always contain vulnerable files, which create a back entry for attackers. Users install such free downloads and, as a result, get blocked on the server or find malware files on their site.

What actually happens is that attackers themselves add a malicious script to such a pro theme and offer it for free download on different sites. Users search for such free downloads and use them on their sites. The attacker then enters your site through that script.

So, always use purchased theme.

 

6. Update all plugins and themes

Companies regularly release new versions of their plugins and themes because the old versions have bugs. Those bugs might be security issues that need patching, or the new version might add features to the existing application to make it better.

To use the new features and avoid security issues, we must apply all such updates to our plugins and themes.

While plugins and themes keep updating for a better future, WordPress cannot stay behind. It also provides updates with security patches, bug fixes and new features. Developers must keep the WP version updated.

According to a WPBeginner survey,

WPBeginner Resource

So, keep WP, plugins and themes updated.

 

7. Back up the database at regular intervals

The database is the heart of any WordPress site. If someone loses the WP files, it is still okay: we can copy new files and upload new images. But if you lose the DB, then you cannot do anything. You will lose the text data, passwords, settings and revisions of the entire site.

You must back up your database at regular intervals. The interval depends on how frequently you make changes to your site. Still, it is good practice to back up your DB at least every day or every week, whether or not you have made changes to the site. You can delete those backups at any time.

Updraft plugin – Database-Site Backup

Use the “UpdraftPlus” plugin for backup and restoration. It is a very powerful plugin with scheduled backups. It is very easy to use, and the paid version backs up to Microsoft OneDrive, Microsoft Azure, Google Cloud Storage, Backblaze B2, SFTP, SCP, and WebDAV.

The free version helps you back up the DB on your own server.

 

8. Use a strong table prefix and a strong database name

WordPress uses a default table prefix for any installation, i.e. “wp_”. As it is the default, attackers are familiar with it too and try to access the DB tables using the same prefix. So we must use a prefix like “mqhz_”. You can use anything that cannot be guessed easily by anyone.

The same applies to the DB name. Developers tend to always use the company name or website name as the database name; my DB name could be “technolizers”. But no: I can keep it “sweetsalt”. You can choose whatever suits your site best.

So use a strong prefix and database name for the security of your site. Do not use your business name or website name as the DB name, and do not use the default prefix.

 

9. Hide WordPress Version Number

The WordPress version number is not harmful by itself, but it can definitely create a mess. Once attackers know the WP version, they know which vulnerabilities existed in that particular version and try to use those loopholes to hack your site.

Hide WordPress Version Number

Therefore, hide your WP version number to maximize your site's security. There are many options for this, but everyone must at least do the following:

Add the following code at the bottom of functions.php in your theme folder:

// Return an empty string instead of the "generator" tag that carries the WP version
// (this covers the <meta name="generator"> tag in the page head and the feeds)
function remove_version_info() {
  return '';
}
add_filter('the_generator', 'remove_version_info');

Sometimes scripts and styles also carry the WP version number in their ver= query string. We must remove that too. Add the following code after the one above:

// Strip the WP version number from the ?ver= query string of enqueued scripts and styles.
// strpos() is compared with !== false so a match at any position counts.
function remove_version_info_from_style_js( $src ) {
  if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
    $src = remove_query_arg( 'ver', $src );
  }
  return $src;
}

add_filter( 'script_loader_src', 'remove_version_info_from_style_js' );
add_filter( 'style_loader_src', 'remove_version_info_from_style_js' );

 

10. Delete unused themes and plugins

Many sites have unused themes and plugins installed that they do not use at all. The best example is the default themes, twentyfifteen and twentysixteen.

What actually happens is that if users do not use a plugin, in most cases they do not update it either, and it becomes a vulnerable loophole from the site's security point of view. So, one must delete such themes and plugins.

 

11. Change your password at regular intervals

Using a strong password is one thing; using different passwords over time is another. Every user must change their password at regular intervals. Changing a password does not harm the site and does not take up space.

We assume nobody knows our password. And if someone does, why would they wait to hack the site? But, all that said, it is good practice to keep changing passwords. You can use the site mentioned in point 4 or any site of your choice.

 

12. Limit login attempts

If an authorized user tries to log in, they may enter wrong credentials once or twice. But if an attacker tries to log in, they will keep trying until they get in. In such cases, the developer can limit the login attempts.

If you set the limit to 3 attempts, the user must enter correct credentials within those 3 attempts. Once all three attempts have failed, that IP address is blocked for the configured time period.

It is one of the best security measures. As genuine users have the correct credentials, they will not fail to log in; it is only an attacker who keeps trying with a number of failed logins, and they get blocked automatically.

 

13. Logout Idle Users

Many times, users browse other websites and forget to log out of our site, or a session does not end until someone logs out manually. As a result, another person can gain access to our accounts. A user staying inactive for a long time is also harmful.

To avoid this, we can forcefully log out idle users after a particular time period. Most security plugins have this option; you can use a dedicated plugin too. The developer just needs to set the allowed idle duration. Once it is over, you are automatically logged out.

 

14. Don’t display login errors

When someone tries to log in and fails, WordPress generates an error message stating that the wrong password was entered for username “xyz”. Remember, it gives this error only when you enter a correct username.

Should not display Error Message

But if you do not let such errors display, how will the user know that they are using the correct username? That user might be an attacker too. So, it is better to hide these errors for better safety.
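Points 12, 13 and 14 can also be implemented without a third-party plugin. The following must-use plugin is an added example written for this article, not code from the original post or from any plugin mentioned in it. It assumes a normal single-site install where PHP sees the real client address in REMOTE_ADDR; the thresholds (3 attempts, 15-minute lockout, 30-minute idle limit) and the file name wp-content/mu-plugins/login-hardening.php are assumptions you should adjust.

```php
<?php
/*
 * Plugin Name: Login hardening (added example)
 * Description: Added example, not code from the original article. Implements
 * points 12 (limit login attempts), 13 (log out idle users) and 14 (hide login
 * errors) without a third-party plugin. Save it as
 * wp-content/mu-plugins/login-hardening.php. All thresholds are assumptions.
 */

const LH_MAX_ATTEMPTS = 3;        // failed logins allowed per IP before lockout
const LH_LOCKOUT_SECS = 15 * 60;  // lockout window; each further failure restarts it
const LH_IDLE_SECS    = 30 * 60;  // inactivity after which a session is ended

// Client address used as the lockout key. Behind a reverse proxy REMOTE_ADDR is the
// proxy's address, so configure the host to pass the real client IP before relying on it.
function lh_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lh_fail_key( $ip ) {
    return 'lh_fail_' . md5( $ip );
}

// Point 12: count failures per IP in a transient that expires with the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lh_fail_key( lh_client_ip() );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LH_LOCKOUT_SECS );
    if ( $count >= LH_MAX_ATTEMPTS ) {
        // Goes to the PHP error log: a useful detection signal for password guessing.
        error_log( sprintf( 'login-hardening: %s locked out after %d failures (username tried: %s)',
            lh_client_ip(), $count, $username ) );
    }
} );

// Refuse to authenticate while the IP is locked out, even with correct credentials.
// Priority 30 runs after core's own checks (priority 20), so genuine failures are
// still counted above. Empty credentials are left alone so that merely loading the
// login page is not reported as a lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username && '' === $password ) {
        return $user;
    }
    if ( (int) get_transient( lh_fail_key( lh_client_ip() ) ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked_out', __( 'Too many failed login attempts. Try again later.' ) );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for this IP and starts the idle timer.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lh_fail_key( lh_client_ip() ) );
    update_user_meta( $user->ID, 'lh_last_seen', time() );
}, 10, 2 );

// Point 13: on each page request compare the time since the user's last request with
// LH_IDLE_SECS and end the session when it is exceeded. AJAX and cron requests are
// skipped so the admin heartbeat does not count as activity. One user-meta write per
// request is acceptable for a small site; a cache-backed store would be lighter.
add_action( 'init', function () {
    if ( ! is_user_logged_in() || wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, 'lh_last_seen', true );
    if ( $last && ( time() - $last ) > LH_IDLE_SECS ) {
        wp_logout();
        wp_safe_redirect( add_query_arg( 'lh_idle', '1', wp_login_url() ) );
        exit;
    }
    update_user_meta( $user_id, 'lh_last_seen', time() );
} );

// Point 14: replace every login error, including the lockout message above, with
// one generic text so the response never reveals whether the username exists.
add_filter( 'login_errors', function ( $message ) {
    return __( 'Login failed. Check your username and password.' );
} );
```

The lockout is keyed on the client IP, so on a site behind a proxy or CDN every visitor would share one counter unless the real address is passed through; that is the first thing to verify before enabling it. Watching the error log lines it writes is a simple way to see how often your login page is being hammered.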

 

15. Secure wp-config.php

Anyone trying to fetch the wp-config.php file over the web must be denied, as no one has any business with this file. So, we can add the following code to the .htaccess file to deny everyone access to it:

<Files wp-config.php>
  # On Apache 2.4 without mod_access_compat, replace the two lines below with: Require all denied
  Order allow,deny
  Deny from all
</Files>

 

16. Disable File Editing through WordPress

If you are a genuine user, you should edit files through cPanel or on localhost and upload them via FTP. Therefore, no one should be editing files through the WP editor section. To prevent editing through the WP editor, add the following line to wp-config.php (the usual place is just above the “That's all, stop editing!” comment):

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

Disable File Editing through WordPress

 

17. Restrict File Permissions

File permissions should be:

Folders = 755 –> the owner can read, write and enter them; others can only read and enter.
Files = 644 –> the owner can read and write; others can only read the files.
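Checking a whole install by hand is tedious, so here is an added example (not code from the original article) that walks a WordPress tree, reports every file or folder that differs from 755/644, flags anything world-writable, and can apply the fix. It assumes PHP 7 or later, that it is run as the owner of the files, and that wp-config.php deserves the stricter 0640 because it holds the database credentials; that last mode is an assumption of the example, not something the article states. Run with no arguments, it demonstrates on a constructed temporary tree rather than a real site.

```php
<?php
// Added example, not code from the original article: audit a WordPress tree against
// the permissions recommended above (directories 755, files 644), flag anything
// world-writable, and optionally fix it. Run it as the owner of the files:
//   php audit-perms.php /path/to/wordpress          # report only
//   php audit-perms.php /path/to/wordpress --fix    # report and chmod
// Assumption beyond the article: wp-config.php holds database credentials, so the
// demo below asks for the stricter 0640 on it via the $overrides map.

function audit_permissions( string $root, bool $fix = false, array $overrides = array() ): array {
    $root  = rtrim( $root, '/' );
    $paths = array( $root );  // include the root directory itself
    $iter  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iter as $path => $info ) {
        $paths[] = $path;
    }

    $findings = array();
    foreach ( $paths as $path ) {
        $is_dir   = is_dir( $path );
        $name     = basename( $path );
        $expected = $overrides[ $name ] ?? ( $is_dir ? 0755 : 0644 );
        $actual   = fileperms( $path ) & 0777;
        if ( $actual === $expected ) {
            continue;
        }
        $findings[] = sprintf( '%-4s %s is %04o, expected %04o%s',
            $is_dir ? 'dir' : 'file', $path, $actual, $expected,
            ( $actual & 0002 ) ? ' (world-writable)' : '' );
        if ( $fix ) {
            chmod( $path, $expected );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && $argc > 1 ) {
    $findings = audit_permissions( $argv[1], in_array( '--fix', $argv, true ),
        array( 'wp-config.php' => 0640 ) );
    echo $findings ? implode( "\n", $findings ) . "\n" : "All permissions as expected.\n";
    exit( $findings ? 1 : 0 );
}

// No path given: demonstrate on a constructed temporary tree, not a real site.
$root = sys_get_temp_dir() . '/wp-perm-demo-' . getmypid();
mkdir( "$root/wp-content/uploads", 0755, true );
file_put_contents( "$root/index.php", "<?php\n" );
file_put_contents( "$root/wp-config.php", "<?php\n" );
chmod( $root, 0755 );
chmod( "$root/wp-content", 0755 );
chmod( "$root/wp-content/uploads", 0777 );  // world-writable upload dir: a common mistake
chmod( "$root/index.php", 0644 );
chmod( "$root/wp-config.php", 0644 );       // readable by every account on the server

$overrides = array( 'wp-config.php' => 0640 );
echo "Before:\n", implode( "\n", audit_permissions( $root, false, $overrides ) ), "\n";
audit_permissions( $root, true, $overrides );                 // apply the fixes
$after = audit_permissions( $root, false, $overrides );
echo "After: ", $after ? implode( "\n", $after ) : 'clean', "\n";

// Remove the demo tree.
unlink( "$root/index.php" );
unlink( "$root/wp-config.php" );
rmdir( "$root/wp-content/uploads" );
rmdir( "$root/wp-content" );
rmdir( $root );
```

In the demo the first audit reports the 777 uploads folder as world-writable and wp-config.php as too open; after the fix pass the second audit is clean. On a real site the exit code (1 when something differs) makes it easy to run from cron and alert on changes, which also catches the case where an attacker has loosened permissions after getting in.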

 

18. Use right web host services

Study whether your web host provider is well secured or not, and whether it takes security precautions for shared hosting. This is very important.

Many times you will be using shared hosting. If another site hosted on the same server gets infected, it might cause your site to be blocked too, or you might experience cross-site infection.

So try to choose a strong and secure web host.

 

19. Secure WP-Includes

As far as “wp-includes” is concerned, it contains scripts that must not be accessed directly by any user. To protect them, WordPress itself provides the following code. It must be placed outside the # BEGIN WordPress … # END WordPress block in .htaccess (before or after it), because anything inside that block can be overwritten by WordPress. On a Multisite install the rule matching wp-includes/[^/]+\.php$ also blocks ms-files.php, so omit that line there.

# Block the include-only files.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

 

Conclusion

I am pretty sure that if someone implements this many points, their site will be much more secure. This article covers almost all the major points for securing a WP site.

We covered the following vulnerable points:

the default login URL, wp-includes access, WP file editor access, wp-config access, file permissions, malware attacks, DB backups, weak passwords, appropriate web hosting, idle user logout, login attempt limits, timely plugin and theme updates, etc.

The plugins I mentioned in some points are the best at the time of writing this article. New plugins come onto the market daily; you can choose as per your requirements.

I am sure you will find this article very helpful, as security is one of the major concerns for WP nowadays.

If you liked the post, please share it with your friends and colleagues, and like and follow me on social media. Thanks..!!!
