A DIY Guide to WordPress Security – Secure your Website in 9 Steps

Last updated - October 6, 2022

A cyber attack on your WordPress website can be initiated with no more than 10 lines of code. And when successful, there’s no telling what the hacker will do. They can use their administrative control to steal your visitors’ data or launch an attack on everybody that shares your server.

And the bitter truth is your website can succumb to a cyber attack regardless of your security measures. In fact, more than 30,000 websites are identified to have been compromised every day.

These compromises are made possible by a number of vulnerabilities in the entire system — on your computer, in WordPress, on your web server, and in your network. And while many vulnerabilities are eliminated every day, more surface regularly.

So what can you as a WordPress website owner do about it? Here are 9 tips to strengthen your WordPress security.

1. Keep WordPress, Plugins, and Themes Updated

Every new WordPress update comes with a changelog telling users about the changes, improvements, and bug fixes made on the previous version. But these changelogs can also be used as a reference for all the bugs that can be taken advantage of on websites running older WordPress versions.

The same goes for plugins and themes on WordPress. Every update comes with a changelog published on the plugin or theme’s page itself. Despite notifications, few WordPress admins update their WordPress core, plugins, or themes. And hackers don’t hesitate to jump on any and every opportunity.

colourful circle
As of June 2020, only 38% of WordPress users have updated to the latest version.

This is why you should keep your website up-to-date. Just go to the dedicated ‘Updates’ tab in your dashboard and update everything on a single page. The notification badges on the ‘Updates’ tab should be enough to get your attention whenever there is an update.

2. Hide WordPress Version

For someone looking to target your website, finding out your WordPress version can be as simple as right-clicking to view your page source and searching for “generator”. The attacker can then use the listed vulnerabilities of this version to manufacture the most effective approach.

This is why it’s necessary that in the window of time it takes you to update your WordPress core, your version is hidden from everyone. You can hide WordPress version information by adding the following code to your WordPress theme’s function.php file:

black text on white screen
Add this code snippet to your function.php file to hide your WordPress version.

If you’re not comfortable altering code yourself, you can install a plugin like Meta Generator and Version Info Remover. The plugin gives you complete control over where your WordPress version number is visible.

3. Get a Secure Web Host

A sneaky way attackers can plant a backdoor inside your website is by gaining access to the server first. Though web host providers have their own security systems in place, not all are created equal. Thus, it’s critical that you choose your web hosting provider carefully.

While choosing one, make sure to look for security features like firewalls, virus protection, spam filters, SSL certificates, Domain Name Privacy, and DDoS protection. The choice of a hosting environment is highly subjective. 

If you have little to no knowledge of how websites work, you’re better off having a Managed Hosting Environment, but if your organization has its own dedicated sysadmins and operation centers, you should look into Virtual Private Server and Dedicated hosting environments.

If you’re looking for suggestions, WordPress whole-heartedly recommends Bluehost, Dreamhost, and SiteGround.

black text on white background along with blue squares and circles
WordPress recommends Bluehost, Dreamhost, and SiteGround to its users.

4. Limit Access to Your Website

A reliable web hosting service can cover a lot of ground in terms of your website’s security. But it can’t eliminate the vulnerabilities on your end. Your website could still get compromised by brute force attacks or due to password mismanagement.

So here are 3 processes you can follow to limit an attacker’s access to your website.

Process 1: Remove the default WP-Admin

Most attackers go for the default wp-admin, wp-login.php, and xmlrpc.php access points. You can prevent such brute force attacks by using a unique username. Here’s how:

  • Go to the Users tab in your Dashboard and click on Add New.
  • Use a new email address to create a new account and set the role to ‘Administrator’. Be sure to use a unique username.
  • Save the new user and log out.
  • Then, log back in and with the newly created account and go back to the Users tab in your dashboard. Hover your mouse pointer over the username admin and select Delete.

Process 2: Manage user roles effectively

It’s crucial that you control who can access your website and what they can do while they’re there. The principle of least privilege, an important computer science principle, dictates:

  • Use the minimal set of privileges on a system in order to perform an action.
  • Grant privileges only for the exact duration that an action is necessary.

Keeping these principles in mind, you can use WordPress’ built-in roles like Administrator, Editor, Author, Contributor, and Subscriber when giving access to people. And make sure to revoke access or even delete accounts when they’re not required.

black text on grey backround
WordPress lets you allot privileges to new users using various roles.

One more thing you can do is set the default user role to Subscriber. Go to the General tab in your settings. Here, change the new user default role to Subscriber from the drop-down. 

Process 3: Use Two Factor Authentication

In the unfortunate scenario that someone is somehow able to brute force their way into your website, you can put a huge roadblock for them in the form of two-factor authentication. Setting up 2-factor authentication is easy.

Download and install the Google Authenticator on your mobile device. Find a 2FA plugin for WordPress and install it. A good one is miniOrange’s 2FA. After activating, select miniOrange 2-Factor from the left menu and follow the instructions. 

After getting the QR Code, open the Google Authenticator app on your phone and click on the Add button. Scan the QR code and verify the code on the plugin page. 

Apart from these three processes, you can add even more layers of security with randomly generated passwords, setting a limit on WordPress login attempts, and by using pre-login CAPTCHAs. Plugins like Loginizer and Login No Captcha reCAPTCHA are worth checking out.

5. Protect ‘wp-config’ File

The wp-config.php file contains sensitive information about your database, including the host, name, username, and password. So, special steps should be taken to secure it. Some easy ways to secure this file are:

  • Moving it outside the root directory.
  • Modifying the default wp-config.php file.
  • Setting 400 permission to the file to restrict access.
black text and orange lines on white background
The wp-config file contains extremely sensitive information about your website.

6. Install a Security Plugin

The official WordPress repository contains thousands of security plugins. These plugins perform a range of functions like preventing, detecting, and auditing your WordPress website.

Sucuri Security is by far the best security plugin on WordPress. The plugin boasts features like active auditing, file monitoring, and malware scanning features for free. Plus, it acts as impenetrable wall against virtual patching exploits, bat bots, backdoor locations, DDoS attempts, and spam requests. The premium version comes with a top-of-the-class web application firewall as well.

black and white text on colourful background
Sucuri’s premium plan is a comprehensive security solution for WordPress websites.

7. Install SSL and HTTPS

SSL or Secure Socket Layer is a type of digital security that enables encrypted communication between a web browser and a website. And HTTPS is a secure extension of HTTP that establishes a secure connection with the server.

Installing SSL and HTTPS is not only important to protect your and your users’ data, it’s also a major ranking factor for Google. Plus, it is a big indicator of trust and credibility among users.

The best way to get an SSL certificate is by requesting your hosting provider. Then, you can install a free plugin like Really Simple SSL that automatically detects your SSL certificate and configures WordPress to use HTTPS.

black text on white and yellow background
Really Simple SSL is a free, simple plugin for integrating HTTPS on your website.

8. Manage Plugins Carefully

According to an estimate, more than 55% of hacked websites had one or more outdated plugins. Attackers inject malicious code into outdated plugins and offer them for free. So you should only install plugins based on factors like:

  • Size of the install base
  • Number of user reviews and their average
  • Frequency of patches and updates
  • Privacy policy or Terms of service
colourful circle on white background
Estimated % of how WordPress websites get hacked.

If you do have some inactive plugins lying around in your WordPress website, it’s time to purge them. Only keep plugins you are using and are sure they’re safe.

9. Make Backups of Your Website

No number of security measures can guarantee a website’s safety. With so many vulnerabilities and unpredictable factors, the WordPress security tips mentioned above are limited to risk mitigation, not risk elimination.

This is why backing up your website prepares you for the worst-case scenario. Even if your data has been wiped or corrupted, backups can help you get back up and running in no time. While backing up your website, make sure to keep the following in mind:

  • Automate backups – Backups should be made regularly and shouldn’t depend on humans to perform the process. Thus, scheduled, automated backups are a must.
  • Store offsite – Backups should never be stored on the same server as your website. Not only do onsite backups susceptible to hardware failure, but they also pose serious security risks.
  • Test recovery process – You need to test the backups for their performance in the recovery process. A good backup should be able to set up a fully-functioning website from scratch.

With a reliable backup and a host of tough security measures, you can lay back knowing you’ve done everything you need to do to secure your WordPress website.

Have a doubt? Leave a comment below and we’ll get back to you.

Further reading


Please enter your comment!
Please enter your name here