12 Tips to Secure Your WordPress Website
All websites are vulnerable. No matter how much work you’ve put into launching your site, it can always find itself in harm’s way, even though you might have done nothing wrong. This is just how the internet works and how random attacks are carried out.
If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, I will share some of the basic yet important WordPress security tips to help you protect your website against hackers and malware. And the best thing is almost all the tips mentioned in this article can easily be done without less or no knowledge of coding.
So, let’s get started.
1. Update WordPress regularly
Keeping the WordPress version up to date is one of the basic and best practices when securing your website. With every update, developers make a few changes including updates to security features. By staying updated with the latest version you are one step closer to protecting your website against being a target for pre-identified loopholes and exploits hackers can use to gain access to your site.
2. Update themes and plugins
Just like WordPress itself, it is also important to update your themes and plugins for the same reasons. By default, WordPress automatically downloads minor updates. However, for major updates, you will need to update them directly from your WordPress admin dashboard.
3. Avoid nulled themes
A nulled or cracked theme is an illegal version of a premium theme and is a hacked version. They can be highly dangerous for your site since they might contain hidden malicious codes, which could destroy your website and database or log your admin credentials.
Basically, WordPress premium themes look more professional and often have more customizable options than a free theme. Premium themes are coded by highly skilled developers and are tested to pass multiple WordPress checkings. There are no restrictions on customizing your theme, and you will get full support if something goes wrong on your site. Most of the time you will get regular theme updates including major security updates. And if you use a nulled theme in your website it will never provide you security updates but put your website at risk.
It might seem easy and less costly to use nulled themes, but never ever use them if you want your WordPress website to be safe.
4. Back up the site regularly
Backing up your site is all about creating a copy of all the site’s data, and storing it somewhere safe. By doing this, you can restore the site from that backup copy in case anything bad happens to your website. Backups act as your first defense against any WordPress attack.
To back up your site easily, all you need is to install a reliable plugin. There are many free and paid backup plugins including UpdraftPlus, BlogVault or, Jetpack.
The most important thing you need to keep in your mind when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account) such as a cloud service like Amazon, Dropbox, or private clouds like Stash.
5. Limit login attempts
By default, WordPress allows users to try to log in as many times as they want. Letting your login form allow unlimited username and password attempts will obviously help a hacker succeed. If you let them try an infinite number of times, chances are high that your login data will be discovered eventually. Limiting the available attempts is one of the major things you should do in order to avoid that.
There are certain specialized plugins that limit the possible login attempts including Login LockDown and WP Limit Login Attempts.
6. Use a strong password and change it often
Changing your passwords often can decrease any hacker’s chances of breaking into your site. “Often” doesn’t mean that you have to do it every day, but once in 2–3 months would be sufficient.
7. Install SSL Certificate
SSL (Secure Socket Layer) is a great strategy through which you can encrypt your admin data. SSL makes the data transfer between the user browser and the server secure.
SSL is essential for sites that process sensitive information, i.e. passwords, or credit card details. Without an SSL certificate, all of the data between the user’s web browser and your web server are delivered in plain text. This can be readable by hackers. By using an SSL, the sensitive information is encrypted before it is transferred between their browser and your server, making it more difficult to read and making your site more secure.
There are two ways to get an SSL certificate. You can either buy one from a third-party company or get one from your hosting provider. Sometimes, this comes as a feature in some hosting plans. Depending on your host, it is possible that you can get one for no additional cost.
8. Install a firewall
Apart from installing a firewall on your computer, you can install security tools right on your WordPress website too. This type of firewall protects your site from viruses, malware, hacker attacks, etc.
There are free and paid solutions for firewalls, such as Sucuri, WordFence, iThemes Security.
9. Rename the login URL
By default, to log in to WordPress the address is “yoursite.com/wp-admin”. By leaving it as default you may be targeted for a brute force attack to crack your username/password combination. If you accept users to register for subscription accounts you may also get a lot of spam registrations. To prevent this, you can change the admin login URL or add a security question to the registration and login page.
If you change the login URL, the chances of finding yourself in trouble will be decreased. Guessing a custom login URL is way harder for hackers. For instance, your login URL can turn into something like yoursite.com/my_new_url.
For that, you can easily use a plugin like iThemes Security.
10. Choose a reliable hosting provider
Your hosting provider plays the most important role in the security of your WordPress site. Therefore the simplest way to keep your site secure is to go with a hosting provider who provides multiple layers of security. A reliable shared hosting provider like WPEngine, Bluehost, or Siteground takes extra measures to protect their servers against common threats.
On a shared hosting plan, you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.
11. Add two-factor authentication
You can further protect your login page by adding a 2-factor authentication plugin to your WordPress. By using that, when you try to log in, you will need to provide additional authentication in order to gain access to your site — for example, it can be your password and an email (or text). This is an enhanced security feature to prevent hackers from accessing your site.
12. Protect wp-config.php file
It is strongly advised that only experienced developers should perform option 12, and it’s critical to take a backup of your site first and proceed with caution. Any error could render your website inaccessible.
The wp-config.php file is one of the most important, hence vulnerable files on your site. It hosts crucial information and data about your whole WordPress installation. It’s technically the core of your WordPress site. If something bad happens to it, you won’t be able to use your blog normally.
One simple thing you can do is take that wp-config.php file and simply move it one step above your WordPress root directory. Your WordPress site won’t be affected at all by this move, but hackers won’t be able to find it anymore.
Bottom Line
In this article, we discussed some of the basic and common ways to secure your WordPress website. Almost all the tips mentioned above can easily be tried without less or no knowledge of coding. Security is one of the crucial parts of a website. If you don’t maintain the security of your website, hackers can easily attack your site. Most of these threats can be easily prevented if you just spend a short while implementing the above simple WordPress security practices.
