WordPress Security Guide: 14 Pro Tips To Secure A WordPress Website

WordPress Security Guide
  • Save

Looking to improve the security of your WordPress website?

Here I’m sharing all the tips and strategies that I have learned running this award-winning WordPress blog.

Just to let you know,

In recent times, WordPress has been highly targeted by hackers. A lot of users has asked, “Is WordPress secure?”

and here is my answer:

Yes, WordPress is secure.

However, when we use various plugins, themes and some time it’s the hosting, which follows security worst-practices and thus makes our WordPress website vulnerable to different kind of attacks and hacks.

Fact: WordPress powers around 33% of the websites in the world, which not only makes it the most popular CMS platform but also is more prone to hacking. If this is your first time here, do check out WordPress guide for Beginners.

As an end-user, there are a few things you can do to secure WordPress blog.

Also read: Best WordPress security plugins (Opens in a new tab)

My site has been hacked nearly 2 times in the past by some Arabian and Turkish hackers (at least that’s what they claim). They infiltrated my site and left it with an ugly black background featuring GIF images of skulls and ravens. This is what made me find out how I could harden WordPress security.

Over the period of 10 years, I have learned many tricks which I’m sharing with you today so that you don’t have to face the hassle of losing your WordPress website in the hands of hackers.

If WordPress is safe the why WordPress security is crucial?

As I mentioned above, WordPress is secure by default but when you host it on an unsecured server or when you add new codes in the form of themes and plugins, you are increasing the possibilities of getting hacked.

This help page on hardening WordPress adds

The vulnerabilities most affecting WordPress website owners stem from the platform’s extensible parts, specifically plugins and themes. These are the #1 attack vector being exploited by cyber-criminals to hack and otherwise misuse WordPress sites.

These vulnerabilities are usually not introduced intentionally, they are a result of mistakes and oversights during development. Many plugin and theme developers are not highly versed in security, and so they are prone to inadvertently write vulnerable code. As vulnerabilities are discovered, developers usually address them by releasing updates

Hackers usually hack a WordPress site for personal gain, which is usually in the form of adding backlinks to some spammy sites or redirecting a WordPress site to other websites. Sometimes it’s done so sophisticatedly that you would not even know you are hacked or there is a backdoor installed on your website.

However, the owner starts losing the traffic over time (SEO penalty) and by the time they realize the actual issue, things are way out of their hands.  Another worse that could happen is getting blacklisted by a prominent blacklist authority. This will cost you a significant amount of time and money to get your website out of the blacklist.

According to security firm Sucuri,

of all the CMS they cleaned in 2018,  WordPress tops the infected CMS with 90%.

Infected Websites Platform
  • Save

That’s some scary numbers for any WordPress owner and this is why it’s of utmost importance for you to roll your sleeve and follow these best practices to enhance WordPress security.

14 Proven Tips To Secure WordPress Blog

1. Configure WordPress Backups

Even though I have given a lot of proven tips below to secure your WordPress blog, you need to ensure that if something happens, you won’t lose anything.

Not having a proper WordPress backup solution in place is the biggest mistake you can make. When a big site like Sony or Dropbox can be hacked, your WordPress blog will be relatively easy to be cracked by a hacker.

So the first thing is to ensure you are taking a daily backup of your blog.

You can use the backup system offered by your hosting company or use a 3rd party backup system such as Blogvault, VaultPress or Updraftplus. You can find a list of WordPress backup plugins here.

If your hosting company offers backups, ensure they store the backup on a different server.

2. Use A Reliable & Secure Hosting Company

Server level security
  • Save

Your WordPress installation is just software installed on a server. The foundation of a secure website is a server that has enough protections that ensure your website is safeguarded against hackers.

A secure WordPress hosting usually has:

  • Server level firewall to mitigate DDOS attacks.
  • Uses the latest hardware and top-notch data center for physical security
  • Regularly update the Operating system and apply the latest security patches
  • Has intrusion detection systems for malicious activity or policy violations

I understand that it’s hard to know which hosting company is reliable against hackers & that’s why I have created this list of secure WordPress hosting companies:

  1. SiteGround: An award-winning hosting that uses an anti-bot AI system to prevent some well-known attacks.
  2. Bluehost: One of the top-rated hosts which offers great security.
  3. WPEngine: A managed WordPress hosting company that is recommended for business WordPress sites. They offer backups and security on multiple levels.
  4. Kinsta hosting: This one is perfect for WordPress blog with high traffic. ShoutMeLoud.com is also hosted on Kinsta hosting.

If your existing hosting company is not secure and provides no security-related support, moving to any of the above-listed hosting will make an enormous difference.

3. Use the latest version of WordPress

Keeping your WordPress software up to date is the most basic security tip for any WordPress blogger. This is something that you never want to miss.

Whenever WordPress is sending an update, it means that they have fixed some bugs, added some features, and most importantly, added some security features and fixes.

WordPress Updates
  • Save

When you see the message: “WordPress x.x.x is available!”

Update it.

Nowadays, with one-click update, it’s very easy to upgrade your blog.

Make sure your theme and plugins are compatible with this latest version of WordPress. If an update has been rolled out and it’s not a security update, I suggest you wait for 5-6 days before other users stop reporting bugs in the latest version.

4. Update WordPress Plugins

Update WordPress plugins
  • Save

As I mentioned above, WordPress releases an update to fix bugs and security holes, and the same goes with plugins.

Many times, a vulnerable plugin or 3rd party script can create a security hole in your WordPress website.

One such issue which we have seen in the past is the Timthumb vulnerability. This was because of a script, and many plugins that were using this script became vulnerable too. Such kind of Zero-day vulnerability is hard to avoid, but by limiting the number of plugins, scripts, and themes you can make WordPress site more secure.

Always use plugins which are continually updated and have good support. If you are using a plugin which has not been updated for a while, find an alternative to it.

5. Use the Latest PHP version

PHP is the backbone of WordPress and currently, the 7.4 is the latest version of PHP. According to the official PHP stats page, they offer security support to any stable version of PHP for 2 years only.

Latest PHP version
  • Save

That means if you are using anything below PHP 7.1, you are not going to get security updates.

Here is an interesting stat from WordPress.org, about 71.8% of the WordPress website is using outdated PHP.

PHP Versions
  • Save

Depending upon the hosting environment you are using, you can quickly change your PHP version. I strongly recommend you to first create a staging environment and then test the latest PHP version. This is to ensure the compatibility as at times, outdated plugin and theme could cause an issue.

You can check the PHP version of WordPress from the dashboard and ask your hosting support to test and update your PHP version. Bluehost users can follow this tutorial to update PHP version on cPanel.

6. Use Web application firewall (WAF)

A firewall exists between your hosting server and network traffic. The role of the firewall is to filter out the most common threat before it reaches the machine your WordPress website is hosted.

There are three most common types of firewall solution that you can use on WordPress:

  1. At the network level: This is usually stored on the network level or machine level and works when you are hosting WordPress at a data center you own. This is the costliest option and usually used by an enterprise-level website where they have control over the physical space where the server is installed.
  2. At the host level: This is hosted on the web-application level, in our case it’s WordPress. This is not recommended as eventually, your host has to do the heavy lifting of filtering out the traffic. This is definitely better than a network-based WAF but the local server resources it requires, it’s not the best option.
  3. Cloud-based WAF: Cloud-based WAF are usually implemented at DNS level and it filters the most common type of threats before it even hit your WordPress server. This is the easiest one to implement and most economical in sense. The only downside is, it may require you to change the DNS.

Some common type of threat which is detected and protected by WAF are: Cross-site scripting (XSS) attacks, SQL injection attacks, session hijacking, and buffer overflows. This is a protocol level 7 defense in the OSI model.

There are two recommended services that you can use to implement WAF:

This is a highly recommended WordPress security feature for WooCommerce and other WordPress websites which is made for business.

7. Hide WordPress Version

Let’s assume you don’t have those 2 minutes to update your WordPress core files. The listed WP version can spark an idea for a hacker to break in. If you are running an older version of WP and everyone knows it, trust me, you are doomed.

Most theme designers these days get rid of it for you, but just to make sure, go to your functions.php and add this line:

<?php remove_action(‘wp_head’, ‘wp_generator’); ?>

8. Use A Complex Login Password

I shouldn’t have to mention this, but I know too many people who use ingenious and insanely complex passwords like:

  • password
  • ilovejesus
  • 123123


Please make your passwords complex, add a couple of special characters (%&*#), and keep changing it every 5 or 6 months.

I would also like to recommend a plugin called Limit login attempt This plugin will record all IPs and time stamps of failed login attempts. After a specific number of failed attempts from a particular IP, the IP will be blacklisted. This helps a lot to prevent any brute-force attack.

At your end, you should also start using a password manager like Dashlane that will help you further improve your password security.

Also, read:

9. Change the WordPress Login URL:

By changing the WordPress login URL page, you are preventing a lot of attacks and hacking attempts. Especially, if you are someone who has a handful of people or just, you need to login to WordPress dashboard, changing login page will offer a great deal of help. There are a few added benefits that find it in my earlier tutorial on how to change the WordPress admin login URL.

10. Set Google alert for indexed pages

This is one of the less-known tricks that you can use right away. You can use Google alerts to send you an alert whenever Google indexes a new page on your domain name. A lot of time, WordPress hackers adds new pages and posts which are not shown in the backend or frontend, but it gets indexed in Google.

When you set an alert like this, you would know if something is happening without your notice. Since it’s free and takes only 2-3 minutes to set it up, it’s totally worth it.

Here is how you can do it

  • Head over to Google alerts
  • In the “create an alert about” field, add site:domain.com
  • Save
  • Change How often to “as it happens”,  language to “any language” and how many to “all results’

Now, you will get instant notifications when a new page is indexed in the search engine.

11. Check WordPress Folders File Permissions

WordPress file Permissions
  • Save

Go to the File Manager in your cPanel, or log in to your FTP software, and check the file attributes of your WordPress folder.

It’s good if it’s 744 (read only). If you find it to be 777, consider yourself extremely lucky that you haven’t gotten hacked yet.

When most bloggers change hosting, they don’t realize how their file permissions also get changed. Make sure you verify all file permissions after migrating your hosting.

12. Delete Default Admin User

This is one of the most crucial tips for people who are looking to create a secure WordPress blog. The default “admin” username is prone to brute-force attacks because most people never change it.

When you install WordPress, make sure you use a custom username and do not use “admin”.

You can create a new user with “Administrator” rights, and give this new administrator a nickname that will be publicly displayed in case he/she writes a post. Now, log out and then log back into the newly created admin account and delete the old “admin” user.

Make sure you attribute all usernames and links to the new user which you have created.

Here is an alternative way to change the default username:

13.  Hide The Plugins Directory

The plugins folder /wp-content/plugins/ should not be showing the list of folders and files inside of them.

Try visiting your plugins folder (replace domain.com with your domain name):

  • domain.com/wp-content/plugins/

If you see a list of folders and files, you need to hide them.

To hide these folders, you need to create a new .htaccess file and drop it in your plugins directory.

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]# Prevents directory listing
IndexIgnore *
# END WordPress

If you already have a well written .htaccess file in your root directory, adding a separate .htaccess to an individual folder is not going to cause any harm.

Also, take a look at this post for a better understanding of how to edit the .htaccess file.

14. Turn Off Database Errors

In older versions of WordPress, if there were errors in the MySQL database, it would show the exact error on the browser itself giving the hacker valuable information about your database.

To prevent this, you need to update your WordPress to the latest version, so that it will only show a general error message like “Database connection error” instead of showing exactly what’s wrong

Log in to your WP dashboard and update your WordPress core files.

WordPress Security: Over to you

Well, I hope this guide helped you to understand the importance of WordPress security and helped you harden it.

Again, it’s a wise idea to take automatic backups of your WordPress blog at regular intervals to make sure you can always roll back your blog to a healthy condition.

Do let us know what other security tips you would like to give to other bloggers to keep their WordPress blog secure. Share your tips in the comments below!

Don’t forget to bookmark and share this post!

For further reading:

Was this helpful?

Thanks for your feedback!
  • Save
Authored By
A Blogger, Author and a speaker! Harsh Agrawal is recognized as a leader in digital marketing and FinTech space. Fountainhead of ShoutMeLoud, and a Speaker at ASW, Hero Mindmine, Inorbit, IBM, India blockchain summit. Also, an award-winning blogger.

14 thoughts on “WordPress Security Guide: 14 Pro Tips To Secure A WordPress Website”

  1. Bob Richmond

    Good article. I can only add that disabling XML-RPC can also be a good WordPress security practice.

    Attackers can exploit XML-RPC in WordPress by abusing the pingback functionality provided by XML-RPC, which is legitimately used within WordPress to enable content owners to track where their content is getting linked.

    So if you have XML-RPC enabled, disable it. I learned this from the Rosehosting blog and i trust their expertise.

    If someone experiences an attack to the xmlrpc.php file, configuring fail2ban to block the attacks will save your site from being offline.

  2. Dave

    I guess you can’t secure your website 100%, even following those rules, so the most important thing – regular backups!

  3. Bilqees Kenchi

    Hello, friend my question is that, please tell how to secure wordpress blog /site from hackers? Is this responsibility of hosting providers or my-self. Kindly tell some plugins for wordpress.

    1. Harsh Agrawal

      Some hosting companies are well equipped with firewall, latest hardware, auto WordPress updates and such feature which enhances the security of WordPress. However, by the end of the day It’s your responsibility to secure WordPress site from hackers.
      For plugins, you should pick one from here: https://www.shoutmeloud.com/best-wordpress-security-plugins.html

  4. Jaswinder

    Big thanks for this detailed article to secure WordPress Blog from hackers. As a new blogger, I don’t know much about these things. Now I started to take actions.

  5. Amit Shaw

    Nice tips for securing our wordpress. But i already wrote 40 article with same account without deleting the admin if i’ll delete it now than is there any problem?

    1. Gowtham

      If you try to delete your default admin user, you will get an option something like following.

      “What should be done with posts and links owned by this user?

      * Delete all posts and links. Or
      * Attribute all posts and links to another author.”

      Then you can attribute these posts to a different author and proceed with deleting the old one. But make sure you 1st create the new admin user and then try to delete the old one.

  6. Wpfix

    Nice collection of list of securing wordpress blogs. Even wordpress security scan plugin does a good job. It checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:

    File permissions
    Database security
    Version hiding
    WordPress admin protection/security
    Removes WP Generator META tag from core code.

    1. Gowtham

      I have tried a couple of WP security plugins in the past, but had some bad experience with them, so i stopped recommending them to people.

  7. Ammar Ali

    That’s nice post but I want to ask. How I can disable Directory Listing of WordPress Blog?

    1. Gowtham

      Thanks, You can hide the directories and files inside a particular folder by using .htaccess. Please take a look at step #7

  8. Arjun

    The methods mentioned in this post are really nice but I don’t think any one of these will work out when a professional cracker wants to take your WP down. For example, Symlink can be used to surpass the above security steps…

    1. Gowtham

      Indeed a really good hacker would find someway to hack the site, but taking the time and doing all the necessary things to secure your blog does help.

  9. suraj

    Great article ! Some days Ago my blog was hacked and recover it easily. If we follow these tips, Sure we can secure a wordpress Blog. Most important thing is Blog backup, We should keep it.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top