Ultimate Guide To Secure Your WordPress Site
A Comprehensive Guide to Enhance Security and Keep Your Site Safe
- Last Update: October 5, 2024
WordPress is a powerful and highly flexible content management system (CMS) to build an attractive and responsive website.
However, as it grows, hackers have taken note and are beginning to specifically target WordPress sites. No matter what types of content your site provides, you are not an exception.
If you are serious about your website, then you need to pay attention to the WordPress security best practices.
In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.
Discloser: ElegantEspace is supported by readers like yourself. We may earn an affiliate commission when you purchase through our links . Commissions do not affect our editors’ opinions or evaluations.
What Is Website Security?
Web security refers to protecting networks and computer systems from damage which involves protecting websites from attacks.
It includes cloud security and web application security, protecting computer systems from misdirecting or disrupting the services they are designed to provide.
Why WordPress Security Is Important
If your WordPress website gets hacked, you risk losing important data, assets, and credibility.
Hackers can steal user information, and passwords, install malicious software, and can even distribute malware to your users.
They will start exploiting you in many ways for instance they will ask for ransomware just to regain access to your website.
These apply to businesses of all sizes, reputations, and industries.
3 main reasons why security is given top priority on every successful WordPress website.
- It protects your information and reputation.
- Your visitors expect it.
- Google likes secure websites.
Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.
A firewall service named Wordfence blocked a whooping 18.5 billion password attack requests on WordPress websites. That’s nearly 20 billion attacks on WordPress websites alone.
The Most Common Types Of Cyberattacks On WordPress Websites
1. Brute-Force Login Attempts
2. Cross-Site Scripting (XSS)
3. Database Injections
4. Denial-of-Service (DoS) Attacks
5. Phishing
6. Hotlinking
Brute-Force Login Attempts
A brute force attack is a hacking technique that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple but effective method for gaining unauthorized access.
The hacker tries multiple usernames and passwords, often using a computer to test a wide range of combinations until they find the correct login information.
Cross-Site Scripting (XSS)
XSS attacks occur when an attacker uses a web application to send malicious code to a different end user, typically in the form of a browser-side script.
Database Injections
An SQL injection occurs when you request input from your website visitors, such as their username/user ID, and instead of a name/id, the hacker submits a string of harmful code that you unknowingly store in the database.
Denial-of-Service (DoS) Attacks
A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its users.
DoS attacks are most commonly carried out by flooding a server with fake traffic and causing it to crash.
Phishing
Phishing attacks are the practice of sending fraudulent communications that appear to come from a reputable source. It is usually performed through email.
The goal is to steal sensitive data like credit card and login information or to install malware on the victim’s machine.
Hotlinking
Hotlinking is known as the act of stealing someone’s bandwidth by linking directly to their website’s assets, such as images or videos.
Hotlinking is usually illegal and gives the victim serious issues since they have to pay every time content is retrieved from their server when displayed on another website.
In order for these crimes to take place, hackers must find flaws in a website’s security.
In March 2016, Google reported that more than 50 million website users have been warned that a website they’re visiting may contain malware or steal information.
Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.
8 out of 10 WordPress security risks fall into the “Medium” or “High” severity score according to the Common Vulnerability Scoring System.

This doesn’t mean that WordPress has a terrible security system – security breaches can also happen due to the users’ lack of security awareness.
To sum all this up, WordPress is secure, but only if its users take security seriously and follow these best practices.
How To Secure WordPress Site
1. Secure Login Credentials.
2. Use Secure Website Hosting.
3. Update your version of WordPress.
4. Update to the latest version of PHP.
5. Don’t Use Nulled Themes
6. Enable SSL/HTTPS.
7. Install a firewall.
8. Back up your website.
9. Change the default WordPress login URL.
10. Enable Limit Login Attempts.
11. Disable file editing in the WordPress dashboard.
12. Change your database file prefix.
13. Disable your xmlrpc.php file.
14. Consider deleting the default WordPress admin account.
15. Consider hiding your WordPress version.
16. Install security plugins.
17. Automatically log out Idle Users
18. Remove Unused WordPress Plugins and Themes.
19. Monitor User Activity
20. Add user accounts with care.
1. Secure Login Credentials
This is the most fundamental step to securing your WordPress website.
It might be tempting to use or reuse familiar or easy-to-remember login credentials, but doing so puts you, your users, and your website at risk.
The stronger your password, the less likely you are to be a victim of a cyberattack.
But as of this year, people are still using “123456” as a password. Make sure that all users with accounts on your WordPress backend are using strong passwords to log in.
And as far as your WordPress install goes you should never use the default “admin” username. Create a unique WordPress username for the administrator account and delete the “admin” user if it exists.
You can do this by adding a new user under “Users” in the dashboard and assigning it the “Administrator” profile (as seen below).
After assigning an administrator role to the new user you can go back and delete the old “Admin” user.
You can also rename your current admin username manually in phpMyAdmin with the following command. Make sure to back up your database before editing tables.
UPDATE wp_users SET user_login = 'newadminuser' WHERE user_login = 'admin';
Another way to reduce the risk is to Enable two-factor authentication.
2. Use Secure WordPress Hosting
You should only host your website with reliable, high-quality and safe hosting.
Everyone thinks their hosting is great until something breaks for the first time.
So consider services that have taken steps to protect your information and promptly recover if an attack occurs.
See our list of recommended WordPress hosting providers.
3. Update Your WordPress Version
Keeping your WordPress up to date is a good practice for keeping your website secure. Outdated versions of the WordPress software are a very common target for hackers.
Every time a WordPress security vulnerability is reported, the core team starts working to release an update that fixes the issue.
By default, WordPress automatically downloads minor updates.
To update WordPress core you can click on “Updates” in your WordPress dashboard and click on the “Update Now” button.
It is also important to update your plugins and themes for the same reasons.
4. Update To The Latest Version Of PHP
Like old versions of WordPress, outdated versions of PHP are no longer safe to use.
Head to your hosting account to upgrade to the latest PHP version. If you don’t have access to your hosting account, get in touch with your web developer to upgrade.
5. Don’t Use Nulled Theme
WordPress premium themes look more professional and have more customizable options.
They are coded by highly skilled developers and are tested to pass multiple WordPress checks right out of the box.
Few website owners want all these features free of cost and head to sites that provide nulled or cracked themes.
A nulled or cracked theme is a hacked version of a premium theme, available via illegal means. Those themes contain hidden malicious codes, which could destroy your website and database or log your admin credentials.
It may be tempting to save a few bucks but always remember to avoid using a nulled theme or plugin.
It is preferable to use the free version of a premium theme provided by developers rather than the nulled version.
6. Enable SSL/HTTPS
SSL (Secure Sockets Layer) is a protocol which encrypts the data transfer between your website and the user’s browser making it harder for someone to steal information.
It is mandatory for any sites that process sensitive information, i.e. passwords, or credit card details.
Generally, an SSL certificate costs $80 per year but a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners.
Once you enable SSL, your website will use HTTPS instead of HTTP, you will also see a padlock sign next to your website address in the browser.
If the URL begins with “http://”, you’ll need to get an SSL certificate for your website.
7. Install a Firewall
A firewall monitors incoming activity, detects attacks, malware, and other unwanted events, and blocks anything it considers a risk.
DNS Level Website Firewall – Your website traffic is routed through their cloud proxy servers by these firewalls. This enables them to send only legitimate traffic to your web server.
Application Level Firewall – These firewall plugins examine traffic after it reaches your server but before most WordPress scripts are loaded. Application level firewall is not as efficient as DNS level firewall.
We recommend installing the WordFence Web Application Firewall (WAF) plugin to protect your WordPress site.
8. Backup Your Website
Regularly creating a WordPress site backup is an important mitigation task because it will help you recover your site after incidents, such as cyberattacks or physical damage to the data centre.
Misfortune may happen no one knows, so it’s better to install a backup plugin to recover your lost data.
A plugin like an updraftplus will work efficiently to keep a backup of your website. In fact, other professional hosting providers also keep a backup of your website.
9. Change The Default WordPress Login URL
By default, to log in to WordPress, the address is “yoursite.com/wp-admin” It’s easy to find and may be targeted for a brute force attack to crack your username/password combination.
To prevent this, you can change the default admin login URL by using plugins like WPS Hide Login.
10. Enable Limit Login Attempts
By default WordPress allows users to try different password combinations as many times as they want.
To protect your website (unauthorized login) from hackers, all you have to do is install the Limit Login Attempts Reloaded plugin.
You can save your website from hackers by putting a limit on the number of failed login attempts per user.
For example, if someone is trying to log into your WordPress website and enters the wrong password 3 times, then the plugin will block their IP address for a certain period of time based on your setting.
It is up to you for how long you want to block their IP address, it can be blocked for 5 minutes, 15 minutes, 48 hours or even longer.
As soon as you activate the plugin, it starts working right away. By default, users get four guesses before the plugin locks them out.
You can also whitelist your IP address to avoid being locked down by mistake.
If you add a user to the whitelist, they’ll be able to log into your site as many times as they’d like, and won’t have to worry about getting locked out.
However, if you wish to permanently ban a specific IP address, simply enter it in the blacklist section.
Advantages of Limit Login
- It prevents humans and bots from being able to try a different combination of username/password until they hit the right one.
- It temporarily blocks hackers from logging in to the backend of your admin panel.
Disadvantages of Limit Login
- Legitimate users who forget their passwords or make multiple login attempts for some other reason can still get locked out, which is an inconvenience.
- It puts some strain on your WordPress website.
11. Disable File Editing In The WordPress Dashboard
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area.
This gives attackers an easy way to alter your files if they gain access to your account.
If a plugin hasn’t already disabled this feature, you can do some light coding to disable it yourself. Add the code below to the end of the file wp-config.php:
// Disallow file edits
define( 'DISALLOW_FILE_EDIT', true );
12. Change Your Database File Prefix
By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. Hackers leverage this setting to locate your database files by name and conduct SQL injections.
To keep your site safe from this attack you should change the prefix to something different, like “wpdb_” or “wpdbsafe_” at the time of installation of WordPress.
If your site is already live, you can use plugins to handle this process because your database stores all of your content and a misconfiguration will break your website.
13. Disable XML-RPC File
XML-RPC is enabled by default in WordPress 3.5 because it allows you to connect your WordPress site to the web and mobile apps.
It is a system that allows you to post on your WordPress blog using popular weblog clients like WordPress mobile apps, Open Live Writer, or other remote blogging apps.
Disabling it will basically close one more door that a potential hacker may try to exploit to hack your website.
Method 1. Manually Disable XML-RPC in WordPress
Simply add the following code to a site-specific plugin or by using a custom code snippets plugin.
add_filter('xmlrpc_enabled', '__return_false');
Save your changes and WordPress will deactivate the XML-RPC.
Method 2. Disable WordPress XML-RPC with .htaccess
To disable all xmlrpc.php requests from the .htaccess file before the request is even passed onto WordPress.
Simply paste the following code into your .htaccess file:
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all </Files>
However, what if you needed to give access to a particular app, yourself, or some other user?
In that case, you have to add the IP address they are using as shown below.
# Block WordPress xmlrpc.php requests <Files xmlrpc.php> order deny,allow deny from all allow from 123.123.123.123 </Files>
Don’t forget to replace 123.123.123.123 with the IP address that you want to allow.
14. Consider Deleting The Default WordPress Admin Account
We’ve talked about changing the “admin” username for the default WordPress admin account, but if you want to go even further, delete the default account and create a new account with the same administrator permissions.
15. Hide Your WordPress Version
Hackers can break into your site easier if they know which version of WordPress you’re running.
As previously stated, you must always update WordPress to the most recent version. However, if you haven’t already, it’s critical to mask the potential vulnerability.
To remove the version number from the header and RSS feeds, paste the following code to the functions.php file:
function dartcreations_remove_version() { return ''; } add_filter('the_generator', 'dartcreations_remove_version'); remove_action('wp_head', 'wp_generator');
and save the changes.
16. Install Security Plugins
Installing a security plugin can add some extra layers of protection to your website without requiring much effort.
These plugins do much of the security-related manual work for you, such as scanning your website for infiltration attempts, failed login attempts, malware scanning, modifying source files that may leave your site vulnerable, and preventing content theft such as hotlinking.
Recommended WordPress Security Plugins
- Wordfence Security – Firewall & Malware Scan
- All In One WP Security & Firewall
- iThemes Security
17. Automatically Logout Idle Users
Logged-in users may occasionally walk away from the screen and this poses a security risk.
This is why many banking and financial sites automatically log out an inactive user.
Auto-logout prevents strangers from snooping on your account if you forget.
To enable auto-logout on your WordPress account, try the Inactive Logout plugin.
18. Remove Unused WordPress Plugins and Themes
Keeping unused plugins and themes on the site can be harmful, especially if the plugins and themes haven’t been updated.
Also installing the plugin from unofficial sources can be risky. So, before you download any plugin, be sure to look at the developer’s profile as well as the plugin’s reviews.
Millions of websites are relying on it to deliver their content, so you should know every important thing about plugins.
19. Monitor User Activity
Create a log of all activity that users take on your website, and check this log periodically for suspicious activity.
That’s because users may change settings that they should not, like altering themes or configuring plugins.
For instance, theme and widget changes are obviously only reserved for the admins.
You can check the audit log to ensure that your administrators and contributors are not attempting to change anything on your site without your permission.
The easiest way to track user activity is by using a WordPress plugin:
20. Add User Accounts With Care
If you run a WordPress blog or a multi-author blog, you must deal with multiple people attempting to access your admin panel.
This may increase the vulnerability of your website to WordPress security threats.
Hackers Always Find A New Exploit
This is an ugly truth that not a single website is 100% safe, hackers always find new ways to get around the website/ system.
That is why it is very important to keep a complete backup of your WordPress site all the time.
However, the first layer of protection for your WordPress website is your password.
You should always use a strong password which will be very difficult to guess. Keep it long, alphanumeric and a combination of special characters.
What To Do If You’re Hacked
1. Remain calm.
2. Turn on maintenance mode on your website.
3. Alert your customers and stakeholders.
4. Check that your website is not blacklisted by Google.
5. Examine other channels related to the website to see if they have also been hacked.
6. Start creating an incident report.
7. Diagnose the issue.
8. Reset access and permissions.
9. Reinstall backup, themes and plugins.
10. Change your site passwords again.
FAQs On WordPress Security
Is WordPress Easily Hacked?
WordPress is secure and safe to use. However, no matter how safe the platform is, your site can easily be hacked if you don’t take security measures seriously.
Why Is My WordPress Not Secure?
It means your site doesn’t have an SSL certificate or the SSL isn’t configured correctly. Consider installing one or switching to HTTPS to fix the issue.
Is Security Plugin Necessary for WordPress?
Yes, having a trustworthy security plugin is very useful for your WordPress website.
What Is the Best WordPress Security Plugin?
We recommend Wordfence or Sucuri as the best WordPress security plugins.
very useful formation