A proverbial giant within the Content Management System (CMS) industry, WordPress is a platform powering over 30% of all the websites on the internet.

But its fame comes at a cost. Hackers regularly target WordPress websites and damage them regardless of their content. You could be writing about technology, personal finance, or politics, or selling digital or physical products, and your website could still get hacked.

It’s disheartening to read that such a powerful platform is so vulnerable. But all is not lost. There is light at the end of the tunnel.

Taking precautionary security measures for your website today can reap significant benefits in the long run. To ensure that your digital footprint is free from heinous malware attacks and other security breaches, you need to take action today.

This article is written to help you make your WordPress site secure. Once you’ve finished reading through these 15 steps, you will be well on your way to protecting yourself from any cyber criminals that come your way.

So, without further ado, let’s begin with the very first.

1. A Good Hosting Company Helps You Go the Distance

You must always choose the best hosting companies for your WordPress website

The best way you can make your WordPress site secure from malware attacks is to select a hosting provider that offers multi-layered security at the server level.

It’s tempting to go with a cheap hosting provider, especially if you’re just starting. That said, if you’re serious about your business or blog, then you should invest in hosting that doesn’t give you security nightmares (SQL Injections, Ransomware, Malware, URL redirects, SERP blacklisting, etc.) in the long run.

A good host not only offers superior security but also comes with plenty of other benefits, like a built-in CDN, automatic backups, free migration, and a complimentary WordPress installation, which save you time and get your site optimized from the get-go. Hosting services of this type are called managed hosting services.

While there are a myriad of hosting services available on the internet, the most popular are Pantheon and WPEngine. Their prices are reasonable for the level of service they provide.

2. The World of Nulled and Pirated Themes and Plugins and Why You Should Avoid Them

Premium themes and plugins come with functionality that their free counterparts can’t match. Developers release premium versions so they have the financial resources to keep building better products in the future.

To keep WordPress secure, these plugins and themes are updated continuously and the updates are released to customers. Those who have paid for a theme or plugin update it to the latest version.

The developers ensure quality, and the users’ websites are secure. At least that’s how the legal flow works.

Then there are those people who, seeking premium features for free, pirate those themes and plugins or download outdated versions of them for their site.

While it is tempting to get premium benefits on your site for nothing, remember that those themes and plugins are nulled: the developers have already moved their paying users from that version to a newer, more secure one, and nulled copies are often distributed with malicious code added by whoever cracked them. Such themes and plugins leave you with an insecure codebase that is vulnerable to any hacker worth their salt.

There are plenty of ways to select the best WordPress theme, but you should always avoid nulled and pirated ones. Free premium features are just not worth it if you’re sacrificing your site.

3. Security Plugins and Why They Matter

You can check your site for vulnerabilities by regularly reviewing the codebase of your website, themes, and plugins.

If you’re proficient in coding and have lots of free time, that’s a perfectly good option. Even then, most programmers would rather take the easy, automated route and install a security plugin.

A security plugin helps protect your site from malware and hacks of all sorts. It also keeps your site in check 24/7 and sends you security alerts when something goes wrong.

WordFence is the industry leader when it comes to security plugins—providing a variety of security features like malware detection, blocking shady logins, firewalls, scanners, two-factor authentication, and more.

Apart from WordFence, you can also use Sucuri Security to secure your WordPress installation. The plugin comes with powerful features like improving site speeds through built-in caching tools and a CDN, protection against DDoS attacks, exploitation, and other hacks.

Both of these plugins we’ve mentioned come with their premium versions that give your WordPress site an additional performance and security boost. That said, the regular versions are also very beneficial.

4. The Benefit of Using Strong Passwords and Usernames

Strong passwords are an essential tool in securing your site.

Often overlooked, there are still many users who prefer passwords like “123456”, “password”, or “abc123”.

If you’re one of those users, change your password immediately. While such passwords are easy to remember, they are just as easy for hackers to guess, giving them access to your site without any real effort, even with a security plugin installed.

To set a strong password that follows best practices, use a password generator. We understand that generated passwords are complex and hard to remember; to solve that, use a password manager such as LastPass or Passbolt.

Don’t just limit yourself to the login password. Create strong passwords for your hosting account, your FTP account, and your databases.

Similarly, don’t rely on generic usernames like “[Login]” or “admin.” Take a more personalized approach to usernames so that hackers can’t easily guess them. You don’t need a generator for this. Just use your imagination and come up with a username that you can easily remember.

For example, you could take the name of your favorite author, say Ernest Hemingway, and create a username like “E-Hemmingway” or “Ernest Hummingbird.” A comical example, but no less original for it.

5. Disable the File Editing Option

You can edit the code of your WordPress themes and plugins by visiting your dashboard and navigating to Appearance > Editor. Alternatively, visit Plugins > Editor.

Once your developers have finished making any custom changes, you should disable the file editor. If hackers do get access to your dashboard, a disabled file editor stops them from using it to plant malicious code on your website.

Disabling the file editor is simple. Open wp-config.php and add the following line above the comment that begins /* That's all, stop editing! */:

define( 'DISALLOW_FILE_EDIT', true );

6. Installing an SSL Certificate

Never forget to change your WordPress site to HTTPS.

Secure Sockets Layer (SSL), or more precisely its successor TLS, encrypts the traffic between a visitor’s browser and your site, so that logins, transactions, and payment details cannot be read in transit. Google has also made HTTPS a ranking signal, giving secure sites precedence over those without a certificate.

If you’re looking to rank high in the Search Engine Result Pages (SERPs), as well as make your WordPress site secure for users, then you must install an SSL certificate.

Here’s why. An SSL certificate lets your site be served over https:// instead of the plain old http://. It shows visitors and search engines that the connection to the site is protected, and as a result, when you publish content and it is indexed by a search engine like Google, it gets precedence over non-secure sites.

There are plenty of SSL certificate providers available on the internet, and depending on your budget you can select the one that suits you best; Let’s Encrypt issues certificates free of charge, and many hosts install them for you automatically.

7. Change The “wp-admin” Login URL To Something Else

The default WordPress login is the following:


If you have a strong username and password, then you’re already in good shape. To make attackers’ lives harder still, you can change the login URL from wp-admin to something else, so that automated attacks aimed at the default address never reach your login form.

To harden security even further, add a two-factor authentication method to your site with a plugin such as Two Factor Authentication, and at the same time block the IP addresses that your security plugin reports as having the most failed logins.

8. Limit Login Attempts

By default, WordPress allows an unlimited number of login attempts. That is convenient for the genuine user, who can try a few times until they get in.

For a hacker, though, it leaves more than enough room to keep guessing until they gain access to your site. Given enough room, the flood of attempts can also act as a DDoS attack that takes your site down and damages its reputation.

You can limit the login attempts on your site through the Limit Login Attempts Reloaded plugin, which allows you to set a limit on the number of login attempts by going to the plugin settings.
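To show what a login limiter actually does, here is an added example as a small must-use plugin; it is not the article’s code nor the Limit Login Attempts Reloaded plugin’s, and the limits of five failures and fifteen minutes, the transient key prefix, and the error text are all assumptions of the example:

```php
<?php
/**
 * Plugin Name: Example Login Limiter
 * Description: Added example, not the article's or any plugin's code. Locks an IP
 *              out after repeated failed logins. Save in wp-content/mu-plugins/.
 */

// Assumed policy: 5 failures within 15 minutes locks the IP for 15 quiet minutes.
define( 'EXAMPLE_LOGIN_MAX_FAILS', 5 );
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );

// One transient per client IP. Behind a CDN or reverse proxy REMOTE_ADDR is the
// proxy, so the web server must already have restored the real client address.
function example_login_fail_key() {
    return 'example_login_fails_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Count every failed login, whether it came via wp-login.php or xmlrpc.php.
// Re-setting the transient also restarts its expiry, so hammering a locked
// IP only extends the lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $key = example_login_fail_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOGIN_WINDOW );
} );

// Refuse to check credentials at all once the IP is locked out. Runs after
// core's own username/password check (priority 20), so it overrides it.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // empty form render, not an attempt
    }
    if ( (int) get_transient( example_login_fail_key() ) >= EXAMPLE_LOGIN_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
    delete_transient( example_login_fail_key() );
} );
```

Because the counter is incremented inside wp_authenticate(), every password tried inside an XML-RPC system.multicall request counts separately, which closes the gap described in step 11.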

9. Keep Your wp-config.php and .htaccess Files Hidden

While this one borders on being a bit advanced for the general user, keeping these files hidden from the web is a worthwhile improvement to the long-term security of your site.

Warning: Before trying this, we recommend creating a backup of your WordPress installation. Coding is not for everyone, and if things go awry, a mistake here can seriously disrupt your site. So be careful before trying this.

Once you’ve backed up your site, open the .htaccess file in the root of your WordPress installation (the same folder as wp-config.php) and add the following, which tells Apache to refuse web requests for wp-config.php:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Similarly, add the following to the same .htaccess file so that the .htaccess file itself cannot be fetched:

<Files .htaccess>
order allow,deny
deny from all
</Files>

These order and deny directives are Apache 2.2 access-control syntax; Apache 2.4 only honours them when mod_access_compat is loaded, and nginx ignores .htaccess files altogether, so check which web server your host runs.

Even though the process is easy to understand and implement, it is essential to have a backup just in case you break your website. Again, coding is something best left to the coders; if you have a developer, do this together with them.

10. Keep Your WordPress Updated

Besides updating plugins and themes regularly, you should also keep WordPress core itself updated.

As with plugins and themes, the WordPress core developers ship security fixes with each new version. Staying current prevents hackers from using publicly known, already-patched holes to break into your site.

For its part, WordPress installs minor updates automatically. For the major ones, however, you can visit the admin dashboard to install them manually.

11. XML-RPC and Why You Need to Disable It

Shipped enabled by default since WordPress 3.5, the XML-RPC interface (xmlrpc.php) is needed if you wish to connect your site to web and mobile applications.

While it is useful, hackers have learned to use it to amplify brute force attacks against your site.

If you have brute force protection from WordFence or another security plugin, the plugin blocks repeated login attempts from the same IP addresses. If hackers try to break in 100 times, their IP addresses get blocked 100 times.

XML-RPC, however, changes this scenario in their favor. By calling the system.multicall method they can pack, say, 20 to 50 password guesses into a single request, so the plugin sees one request rather than dozens and never bans their IP.

So, to protect against brute force attacks, it’s recommended that you disable XML-RPC. Here’s how you can go about doing it.
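One way to do it at the WordPress level, as an added example that is not from the original article or any plugin, is a must-use plugin like the one below; the EXAMPLE_XMLRPC_DISABLE_ALL switch is an assumption of the example:

```php
<?php
/**
 * Plugin Name: Example XML-RPC Hardening
 * Description: Added example, not the article's or any plugin's code. Save in
 *              wp-content/mu-plugins/. Set EXAMPLE_XMLRPC_DISABLE_ALL to false if an
 *              app you rely on (for example a mobile client) still needs XML-RPC.
 */

define( 'EXAMPLE_XMLRPC_DISABLE_ALL', true ); // assumed default for the example

if ( EXAMPLE_XMLRPC_DISABLE_ALL ) {
    // Every method that needs a login now fails before any password is checked,
    // so a system.multicall full of guesses yields nothing. xmlrpc.php still
    // answers with an XML fault rather than a 404; block it at the web server
    // too if you can.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// pingback.ping needs no login, so xmlrpc_enabled does not cover it. Removing
// it stops the site being used to fire requests at other hosts.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// Stop advertising the endpoint in the X-Pingback response header ...
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// ... and in the <link rel="pingback"> tag that themes print in <head>.
add_filter( 'bloginfo_url', function ( $output, $show ) {
    return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );
```

After enabling it, a request to /xmlrpc.php that calls any wp.* method should come back with the "XML-RPC services are disabled on this site" fault, which is the quickest way to confirm the plugin is loaded.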

12. Log Out Users That are Idle for Too Long

Whenever a logged-in user (it could be you or one of your employees) walks away from the screen for a long time, it poses a security risk for your site. Several things can happen:

  • Your WordPress session can be hijacked by someone malicious.
  • That someone can change the password to your website, locking you out.
  • Once they have possession of your account, they can make malicious changes to your site.

It’s recommended that you log out users who are inactive for too long to prevent such hijackers from taking over your website.

You can accomplish that by using a plugin called Inactive Logout. Once you’ve installed the plugin, simply navigate to Settings > Inactive Logout to set the plugin’s timing. Afterward, click on Save Changes and you’re done.
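For readers who would rather see what an idle logout does than install a plugin, here is an added example as a must-use plugin; it is not the article’s code nor the Inactive Logout plugin’s, and the 30-minute limit and the user-meta key name are assumptions of the example:

```php
<?php
/**
 * Plugin Name: Example Idle Logout
 * Description: Added example, not the article's or the Inactive Logout plugin's
 *              code. Ends a session after a period with no requests from the user.
 *              Save in wp-content/mu-plugins/.
 */

define( 'EXAMPLE_IDLE_LIMIT', 30 * MINUTE_IN_SECONDS );   // assumed idle limit
define( 'EXAMPLE_IDLE_META', 'example_last_activity' );   // assumed user-meta key

// On every request from a logged-in user, compare the time since their last
// request with the limit; if it has passed, destroy the session server-side
// (wp_logout() invalidates the session token, so a copied cookie dies with it).
add_action( 'init', function () {
    // The admin Heartbeat pings every few seconds even on an untouched tab;
    // ignoring it means an abandoned dashboard really does count as idle.
    if ( wp_doing_ajax() && 'heartbeat' === ( $_REQUEST['action'] ?? '' ) ) {
        return;
    }
    if ( ! is_user_logged_in() ) {
        return;
    }
    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, EXAMPLE_IDLE_META, true );
    $now     = time();

    if ( $last && ( $now - $last ) > EXAMPLE_IDLE_LIMIT ) {
        delete_user_meta( $user_id, EXAMPLE_IDLE_META );
        wp_logout();
        wp_safe_redirect( wp_login_url() );
        exit;
    }
    update_user_meta( $user_id, EXAMPLE_IDLE_META, $now );
} );

// A fresh login starts the clock from zero.
add_action( 'wp_login', function ( $user_login, $user ) {
    update_user_meta( $user->ID, EXAMPLE_IDLE_META, time() );
}, 10, 2 );
```

The timestamp is stored per user rather than per session, so activity from one device keeps the same account’s session on another device alive; a per-session version would store the value with the session token instead.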

13. Enable Security Questions on Your WordPress Login

If creating a strong password, username, and changing the wp-admin login URL wasn’t enough, you can boost the security of your WordPress site even further by introducing a security question.

Plugins add real value to your security here. Using the WP Security Questions plugin, you can add security questions to your login form.

14. Regularly Perform Security Audits

WordFence and similar security plugins regularly track your website traffic and send you reports of any oddities (if there are any).

If you see sudden changes in your website traffic or your overall SERP rankings, we recommend manually scanning your site for errors and possible signs that it’s been hacked.

There are plenty of non-WordPress solutions that can help you detect problems on your site. The most effective among them are Sucuri Site Health Check and VirusTotal.

Running these scans is relatively easy. All you have to do is enter the URL of your website and wait for the scan to finish. Both scanners are thorough and will generate a detailed report showing where your security is lacking and what the significant problems with your site are.

It’s recommended that you perform these scans regularly to protect yourself in the event of things going wrong.

15. Disable PHP File Execution in Specific WordPress Directories

Another way to secure the backend is to disable the execution of PHP files in directories that never need it. The /wp-content/uploads/ directory, for example, should only ever hold media, so no PHP file there has any legitimate reason to run.

Similar to disabling XML-RPC and file editing, this prevents hackers who manage to upload a script into that directory from executing it to gain access to your site.

You can do this by opening a plain-text editor and pasting the following code into it:

<Files *.php>
deny from all
</Files>

Save this as .htaccess and upload it to the /wp-content/uploads/ directory of your WordPress installation. As with the wp-config.php change mentioned above, back up first, since the change might cause your website to break (for example, if a plugin really does serve PHP from that directory).

Wrapping Things Up

WordPress security is essential, and you need to be proactive about creating an almost unbreakable wall for your website. Once you’ve done that, it’s best to stay vigilant and take the time to go through the security of your site.

Failure to do so can harm your digital reputation in the form of SERP blacklists or, worse, ransom demands from hackers themselves. It’s not a situation you want to find yourself in.

We wish you the best of luck in making your WordPress site secure from hacks. Stay safe, and stay vigilant.


Ammar Naeem is a WordPress whiz, specializing in WP development and security. He is passionate about giving back to the community and helping others. Playing with the analytical data and digging into useful insights is his most favorite thing to do.
