12 ways to secure your WordPress site
WordPress Security

12 ways to secure your WordPress site

Editorial Team
Editorial Team

Follow us on Discord or Telegram to get access to free tutorials and updates.

WordPress is undisputedly the most popular content management system (CMS). With 59% of the CMS market share, WordPress powers 31% of the internet. This popularity makes WordPress favourite target for hackers.

Today, I plan to discuss quite a few simple tricks that can help you secure your WordPress website.

1) Never use ‘admin’ as username

Remember that your WordPress username makes half of your login credentials. Choosing a good and unique username is as important as choosing a good password. By default, many one-click WordPress installations set ‘admin’ as the username. Change this as soon as possible and secure your website.

2) Use strong password

Choose a unique and strong password for your WordPress site. Never use the same passwords for your WordPress login, Database,  Web hosting control panel, and FTP accounts.

3) Using outdated or old versions of WordPress

Updates for WordPress is released regularly with bug fixes and security improvements. Many users do not update their plugins and WordPress because they think that it will break their site. If you are not updating WordPress, you are intentionally leaving your website vulnerable.

4) Hosting provider

Choosing a good Hosting Provider is the first step towards your website’s security. Many hosting companies don’t keep their platform safe and secure leaving your site vulnerable.

5) Limit Logins

Limiting the login attempts is one of the best way to prevent brute force attacks. Fortunately, WordPress plugins such as iThemes Security and Sucuri Security can allow you to limit the number of times a person from a specific IP can attempt to login within an allotted period of time.

6) Protect the wp-admin directory

The wp-admin directory is the heart of any WordPress website. Therefore, if a hacker gains access to this directory, the entire site can be damaged.

One possible way to prevent access to wp-admin directory is by setting a password for this directory. You can do this from your Web hosting control panels such as cPanel or Plesk.

7) Monitor your core files

You can use plugins like Wordfence or iThemes Security to monitor any file changes made on your site.

8) Take backups

Scheduled backups are essential essential because you can easily restore your site if your site is compromised. There are several free and premium plugins that can do this task. At out site, we use UpdraftPlus to take backups.

Here’s a list of free and premium backup plugins:

9) Hide version number

If an attacker gets the version of the WordPress which you are using, he can plan attacks on your site, exploiting vulnerabilities of that particular version of WordPress.

Either you can do this with Sucuri Security plugin or by deleting readme.txt from the root directory of your WordPress installation.

10) Ensure that your computer is free of viruses and malware

If your computer is infected with virus or a malware software, the attacker can gain access to your login details and login to your site.

11) Disable script execution in certain directories

Disabling PHP file execution in directories where it’s not needed such as wp-content/uploads is another way to improve WordPress security.

You can do this by adding a .htaccess file with the following lines to wp-content/uploads.

<Files *php>
deny from all
</Files>

12) Implement a two-factor authentication

With Two-Factor-Authentication, you’ll be asked to verify your identity through your smart device. Many large companies, such as Google, Facebook and Microsoft use this technology to help protect your accounts.


Many developers suggest to change the prefix of WordPress tables to improve security. They believe that changing the default table prefix (wp_) of WordPress tables can make SQL injection difficult.

Personally, I believe that changing the table prefix can do nothing to improve security.