For the majority of business owners, your website is your business, so you need to pay extra attention to the security of your WordPress site.
Back in 2016, Google reported that they issued warnings to 50 million users that the website they were visiting either contained malware or tried to steal their information.
Additionally, Google blacklists over 20,000 websites for malware and around 50,000 for phishing every week. That’s a lot!
It’s important to protect your website like you would protect a physical store. At the end of the day, whether your sharing information, selling services or products, or both from your website – it’s essentially your storefront, and who wouldn’t keep their store safe?
Here are some of the essential steps to keep your WordPress site secure:
Updated
WordPress is open-source software that is regularly updated, and with each update – developers make few changes, which often include security patches.
By keeping your WordPress up-to-date you are helping protect your website against known attacks and exploits.
By default, WordPress will automatically apply minor updates, but you will need to install major updates from within your WordPress dashboard manually:

Make sure to keep an eye on your plugins and theme updates as well and apply them as soon as they become available. As a general rule, always take a backup of your website before updating plugins or themes, just in case!
Nulled themes and plugins
We strongly advise against using outdated or pirated themes or plugins on your WordPress website.
Premium themes and plugins look more professional and offer more functionality, but they also cost money to purchase, so you may be tempted to download pirated versions from fishy websites.
This is a really bad idea as outdated software usually contains malicious hidden code that could either destroy your website or steal your login details. Not good!
If you can’t afford to purchase a premium theme, it’s better to consider finding a free WordPress theme that has some of the functionality you are looking for.
Strong passwords and permissions
One of the most popular hacking techniques is brute-forcing weak passwords. Always make sure to use unique passwords for your website, database, and your custom email addresses.
We realize that most beginners use simple passwords as they’re easier to remember, but you can find excellent password managers nowadays.
A strong password has a combination of lower case and upper case letters, numbers, and special characters. Remember, the most random and difficult it looks, the better!
You should also get into the habit of changing your passwords on a regular basis, every 3 months is a good rule of thumb.
Additionally, you can significantly reduce risks of being hacked by only providing access to your WordPress site when you need to.
Learn how WordPress roles and capabilities work and set up proper access levels if you have multiple authors or contributors. Admin access should really only go to you, or a developer working on the website, once they’re done, delete their admin role and change your passwords.
Good web hosting company
You may be tempted to use cheap web hosting for your website, as after all – you can invest the rest of the budget somewhere else within your organization. Try to resist this temptation as going down this route can cause nightmares down the road and cost you much more.
Good web hosting providers could cost more namely because they make an effort to invest in their infrastructure, especially your security and privacy. You get what you pay for, so make sure what you get is stability, multiple security layers, and faster loading of your website – a host that invest in their infrastructure will give you that.
There are tons of excellent WordPress hosting companies out there, so make sure to make the right choice.
Security plugins
It’s very time-consuming to check your website for malware regularly, especially if you’re not a web developer. It’s also difficult to actually check for malware.
Luckily, numerous excellent web developers realized that there’s a need for useful security plugins, and there are tons of good plugins to choose from.
A security plugin essentially takes care of your site security, scans, and monitors your website for malware 24/7. We tested several security plugins, and here is a very handy one:
WP fail2ban – this plugin has only one function, and it’s to block unwanted visitors. You can choose between a soft or hard block, and it logs information about spam, pingbacks, and comments. Best of all – it’s completely free!

You might see plugins such as Wordfence and iThemes security advertised, we wouldn’t recommend these plugins as they create bloat and compatibility issues on most WordPress websites.
Disable file editing
If you go to Appearance > Theme Editor in your WordPress dashboard, you will find a code editor that can be used to edit your theme. This is a potential security risk because if the hacker gains access to your WordPress dashboard – he can inject malicious code to your theme. Most often, it’s a subtle piece of code, so it’s tough to notice.

We recommend disabling this functionality, and you can do that by pasting the following code to your wp-config.php file:
define(‘DISALLOW_FILE_EDIT’, true);
SSL certificate
Up until recently, SSL certificates were only used to protect web transactions such as online payments or any sensitive information such as passwords.
However, Google recently implemented a change in its Chrome browser, where a website is clearly tagged if it doesn’t have an SSL certificate installed, which prompted website owners to use SSL’s to avoid being branded as non-secure in Chrome browser.
Also, Google now gives more weight to secure websites in its search results, so it’s very beneficial to have an SSL certificate installed.
Admin username
The default username that WordPress suggests when you install it is admin. That’s not very secure. Make sure to always choose a custom username as your username, so it’s not easy to guess half of the login credentials.
You don’t want to make it easier for hackers to brute-force you. You can change it to something difficult to guess or simply a spin of your name.
Keep in mind that WordPress doesn’t allow you to change the admin username once you create it (yes, kind of annoying), however, you can always:
- Create a new username and delete the old one
- Use the Easy Username Updater plugin
- Change your username through PHPMyAdmin software
Hide wp-login URL
By default, to login into WordPress you go via the yoursite.com/wp-admin URL, and this isn’t very secure as it’s well known.
If you also allow user registration, you’ll likely receive tons of spam registrations through it, as well.
To prevent this, you can change your login URL by using the Change wp-admin login plugin.
To further beef up your login page security, we recommend you use the Two Factor Authentication plugin, which will require you to provide additional authentication through an email or SMS, for example.
Limit login attempts
WordPress allows users to login as many times as they want by default. While this helps in some cases, it opens your website to brute-force attacks as it allows hackers to try many different password combinations without any penalty.

We recommend using the WP Limit Login Attempts plugin, which will help lock out hackers before they finish their attack.
Once you’ve installed the plugin, you can change the settings via the Settings > WP Limit Login option.

Disable PHP file execution
PHP execution isn’t needed in all WordPress folders, so disabling it where it’s not needed can help with the security.
In your .htaccess file in /wp-content/uploads/ folder and insert the following code:
<Files *.php>
deny from all
</Files>
Additionally, you can disable access to .htaccess and wp-config.php files in your root website directory, by pasting this code into .htaccess file:
<Files .htaccess>
order allow,deny
deny from all
</Files>
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Disable XML-RPC
XML-RPC was enabled by default in WordPress 3.5 as it helps connect web and mobile apps with your WordPress website. XML-RPC can significantly increase the brute-force attacks on your website due to its potent nature.
For example, if a hacker wanted to try 500 different password combinations on your website, they would need to initiate 500 separate login queries, which would likely be caught by the Limit Login Attempts plugin.
XML-RPC allows hackers to use the system.multicall function to try thousands of passwords with only 20 or 50 actual web requests.
We recommend that if you’re not using XML-RPC – disable it immediately on your website.
The best way to achieve this is to paste this code to your .htaccess file as it’s less resource-intensive than alternatives:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Security questions
Another method to beef up the security of your WordPress login form is to add security questions to it.
You can achieve this by installing the WP Security Question plugin. Once you install it, you can head to Settings > Security Questions option to set up your questions.
That’s it.
We hope that this guide helps you learn something new when it comes to the security of your website.
Like your storefront, your website needs to be secure so your online presence runs smoothly.