WordPress security is not just a general safety observation of your internet presence, but a tricky aspect you must consider for every action performed on that website, including posting content, choosing and installing plugins, and customizing themes.


As expected from a leading CMS, WordPress guarantees an easy and relatively secure setup but doesn’t assume responsibility for the add-ons, widgets, plugins, or themes you install on top of the custom code. At the same time, those are the most vulnerable and common gateways hackers use to attack websites.

The likelihood of being attacked continues to expand with every new user added to the system, which is not good news for individuals but may be detrimental for businesses and teams.

What can you do to protect your website?

1. Start by securing your login page

It is no secret that WordPress login pages are URL-based, which is how most hackers brute force access to them. In order to make things harder for them, add /wp-login.php or /wp-admin/ where your domain name ends, and you will be safe.

2. Lockdown the site for certain users

Unlock folder secure data file document with lock key icon. Flat 3d isometry isometric web vector illustration.Lockdown is one of the handiest WordPress features which can solve your biggest problems, i.e. preventing brute force attacks on your website. Whenever someone tries to access it entering repeatedly the wrong password, the site is locked, and you are notified about it.

There is also a popular iThemes Security plugin you can use for the purpose, and which goes as far as to ban the attackers’ IP addresses after a number of unsuccessful break-in attempts. Another plugin that works in a similar way is the Login LockDown one.

3. 2-factor authentication is a must

Enabling 2FA on your website is another smart precaution measure, meaning that you will provide users with two separate login components to determine who they are. For instance, you can ask for a regular password and an additional security question, recognition of characters, birth dates, and so on. Google offers a pretty handy Authenticator plugin that can do this in less than no time.

4. Use emails instead of deliberately created credentials

Believe it or not, emails IDs are way safer than classic usernames. In order to enable this option, check the WP Email Login plugin that doesn’t even require configuration to make this happen. Enable the email ID login, log out of the website and go back to see whether the address will work to access your account.

5. Simply rename the login URL

 authentication login form system

There is nothing easier than changing the site’s URL: you need to access the wp-login.php file or add wp-admin straight to the URL.

Leaving the direct URL in the original form will give hackers easy access to your login page, as they maintain a Guess Work database to automatically list combinations of potential usernames and passwords.

So far, most of the successfully hacked websites report having usernames such as ‘admin’, while substituting the user name with an email ID reduces the risk for as much as 90%.

Another thing you can do to limit unauthorized access is to install the iThemes Seurity plug in that will modify your login URL in the following way:

  • Replace wp-login.php with something unique; e.g. my_new_login
  • Replace /wp-admin/ with something unique; e.g. my_new_admin
  • Replace /wp-login.php?action=register with something unique; e.g. my_new_registeration


6. Continue by securing the admin’s dashboard

The reason why hackers attempt to break the login page is that they need access to the dashboard, where all critical operations are performed, and most protection is necessary.

The first thing you need to do is to secure the wp-admin directory.

The wp-admin directory is the core of all WordPress functionality, and where your entire website can be damaged and become unusable. Because of it, we advise you to purchase the AskApache Password Protect plugin, which will automatically generate .htpasswd files to protect your password and configure necessary permissions.

7. Encrypt data with SSL

It won’t be difficult to get an SSL certificate for your website: you can buy it from a dedicated provider, or ask your hosting company to hook your website with their SSL.

8. Rename the admin

While installing WordPress, use a different username than ‘admin’ for the principal administration account. This way, the account will become unapproachable for hackers, assuming that your password is also difficult to guess.

9. Secure your database

The database contains all important information, so take proper care of it.

10. Rename the table prefix

The table prefix can be easily changed during installation, but in case you failed to do it, you can change it later using plugins such as iThemes Security and WP-DBManager.

11. Back up information repeatedly


Regardless of the security precautions you’ve activated, backup remains relevant in order to protect your data when you mess up. At the same time, it gives you the chance to recover vital files even in cases when the website is irreversibly deactivated.

12. Choose strong passwords

The same as in other aspects, using strong passwords is essential in the database. Mix lower and upper cases, and characters and numbers, and avoid words that can easily be related to your brand. Once again, it is a good idea to use an automated password generator.

13. Secure the hosting setup

Most hosting providers take care of optimizing security, but relying on their service 100% is not recommended. Read here more about the inter-correlation between hosting provider and website security.

14. Secure your wp-config.php file

The wp-config.php file contains some of the most important WP installation data and represents thereof the most critical file based in your root directory. Protecting it, you’re doing yourself the service of protecting the entire website.

15. Disable file editing for certain users

Disabling editing equals denying hackers admin access to the WordPress dashboard and makes sure that even those who eventually get a grasp on it won’t be able to edit the files inside.

Add the following line at the end of the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

16. Make sure the server is properly connected

While setting up the website and connecting it o your server, use SFTP or SSH over traditional FTP. The reason to do this is that security features are usually not attributed to it.

17. Turn off directory listing via .htaccess

For instance, when the directory is called ‘data’, it takes to type ‘http://www.yourwebsite.com/data’ in the browser and get access to all files. The website won’t ask for credentials and passwords to display it.

In order to prevent this, and add this line of code to the access file:

Options All –Indexes

18. Protect the themes and the plugins

There are many security threats that can be associated with themes and plugins, which makes it essential to protect them too.

19. Regular updating

Hand holding megaphone - Time to update

By failing to update your themes and plugins, you’re actually leaving the door open for all hackers interested to attack your website. Many of them are led by the perception people don’t have the time to bother with updates and exploit the bugs that have or haven’t been fixed to enter their website.

Don’t miss completing this simple operation – on your dashboard, you will find a notification each time an update is available, so click on it, and improve your website. In case you’re afraid this will disturb the functioning of your website, back data up, and proceed with the update.

20. Make sure your WordPress version number is not visible to users

The version number is available in the website’s source view (unless disabled), and reveals more about it than you can possibly think. Most security plugins will help you hide it.

There are many other smart practices to consider when securing your website, as for instance removing old themes or uninstalling plugins that you rarely use. If it serves no function, but requires a constant update, erase it.

Additionally, keep all ongoing processes on your website in the loop, and consider the following tips:

  • Confirm that there are no viruses at your workstation, and update your antivirus system.
  • Back up all files and databases. If affordable, do so with vault press, because this premium backup plugin will protect data automatically.
  • Choose only strong passwords, and change them as often as you can. Make sure they are not mentioned in the browsing history or some of the FTP clients.
  • If the budget allows it, purchase only premium theme.

WordPress is currently the leading CMS system, which makes it pretty attractive for hackers and unwanted visitors. The price you have to pay for running an amazing website on a free platform is to invest some extra efforts into protecting it.

For the purpose, we’ve selected the best tips and security practices that can help you run a considerably safe WordPress website, but having in mind that a 100% safety guarantee does not exist, we are always available with an extra offer here.

back to top