30 Important Steps For Securing a WordPress Website

Do you think that hackers target only large websites like Microsoft and Time Magazine and don’t bother with small and medium-sized websites? Let me break the news to you: hackers, in fact, prefer launching attacks on small and medium websites because they know that these websites have neither the resources nor the skill sets to fortify themselves, and hence are easy to breach. Here, we will show you how to secure a WordPress website.

Your website faces an equal, if not greater, threat of being attacked by hackers. And the worst part is that when hackers break into your site, you stand to lose everything, unlike the big websites that have the resources to fix a hacked site. But you don’t need to worry: in this article we’ll cover all the important and easy-to-implement steps that will secure your WordPress website from hackers and bots.


Many of the security measures listed in this article can be implemented quite easily with the help of a security plugin like MalCare. It carries out the 3 most important functions that’ll ensure your site remains safe and those are scanning, cleaning, and protection.

Early in 2019, a group of hackers exploited over 10 WordPress plugins to create rogue user accounts and plant malicious code on the hacked sites. Almost a year before that happened, another group of hackers struck gold as they defaced over 1.5 million pages. News of security breaches is nothing new, but hack attempts of this scale raise the question: how secure is a WordPress website these days? And more importantly, why isn’t WordPress doing anything to protect its users?

Is WordPress Failing to Protect Its Users?

Being the world’s most high-profile CMS, WordPress makes sure it’s doing all it can to build a secure website building platform, but unfortunately, it can do only so much. While there is an army of people working to keep WordPress secure, the platform does not work in isolation. Various plugins and themes installed on your site are often responsible for making your site vulnerable. In fact, of the hundreds and thousands of hacked WordPress sites that we have investigated, most hacks could be linked to a vulnerable plugin. It’s very unfortunate because the ecosystem designed for your website to thrive in is causing all these problems.

What’s worse is that WordPress websites are a very popular target. At the time of writing this, there are 75 million WordPress websites on the internet and hundreds of new ones being built each day. That sort of popularity comes at a price. It puts a target on your back. In such circumstances, unless you decide to move away from WordPress (which, by the way, doesn’t guarantee that your site won’t be hacked), you have to take steps to ensure that your site remains protected.

How to Secure a WordPress Website?

There are 3 levels of security for a WordPress website – basic, intermediate, and advanced. The basic measures are essential and easy to perform, whereas the intermediate and advanced measures add an extra layer of security and are slightly risky. We advise taking a complete website backup before applying any of the measures listed below. If something doesn’t go according to plan, a simple restore of your website will get you back up and running.

Eager to secure your WordPress website from hackers, bots, and the rest? We suggest that you run a website security audit and take the following steps –

1. Regularly Update Your Plugins, Themes & Core:

People often get into the habit of skipping updates. Either the updates are too frequent or they break your website when you implement them or both. But skipping updates can spell disaster because WordPress updates don’t just bring new features and improvements, they also come with fixes and patches for security vulnerabilities. These vulnerabilities, whether in the plugins, themes, or the core, welcome intruders to your website. Hence, keeping them updated to the latest version is imperative if you want to keep hackers at bay.

Since updates are released frequently, it’s best to set aside some time every week to implement them. Updates are known to break websites due to compatibility issues. But the good news is, you can test updates on a staging site (a replica of your website) before making them on your actual site. If you want, you can learn how to stage a site.

2. Always Remove Any Inactive Themes & Plugins

Vulnerable themes and plugins are threatening even in an inactive state. If you are not using them, it’s best to remove them. But if you plan to use the plugin or theme in the future, make sure you keep them updated.

3. Remove Abandoned Themes & Plugins

WordPress is the world’s leading CMS and it has an ever-growing repository of plugins and themes. Developers create them for various reasons, but maintaining a theme or a plugin is a different ball game. Sometimes when developers are unable to focus on improving the software because of reasons like lack of paying customers, they abandon the software. And the worst part is, without regular updates, vulnerabilities creep into the theme and plugin. Vulnerabilities, as we know, can be exploited to gain access to your website. It’s very important that you remove abandoned themes and plugins and keep an eye out for abandoned software.

4. Never Use Pirated Themes & Plugins

It’s tempting to use pirated plugins and themes, but pirated software is a booby trap. It comes with malicious code (called a backdoor) pre-installed, and as soon as you activate the plugin or theme on your website, it opens the door for hackers to access your site. You need to remove all pirated software immediately and avoid using it in the future.

5. Choose a Good Hosting Plan

There are 3 primary WordPress hosts: shared, managed and VPS hosting. Shared hosting is the cheapest in the lot and draws the most attention. People tend to use it to build websites without fully learning about its drawbacks.

Cheap hosting which seemingly works well in most situations often lacks resources to handle security threats. It becomes a ground for serious cybersecurity issues. On the other hand, hosting providers like managed hosting and VPS hosting are designed to keep your website secure and up and running at all times. (Recommended read – Best Hosting Providers Compared.)

6. Use Unique Usernames

Most hack attempts are launched on the WordPress login page where hackers and bots try to guess the username and password. If your username is easy to guess, then the hacker only needs to figure out the password. Choose a unique username that is going to be hard to guess.

7. Enforce Strong Passwords

The WordPress login page is a favorite with hackers. You have to protect it from common hack attempts like the brute force attacks. A brute force attack involves automated bots trying out various combinations of usernames and passwords until they find the right ones. An easy-to-guess password can be cracked within a few minutes. But if you have a strong password, it can defend against sophisticated password cracking techniques. Here are guidelines that will be helpful in setting strong passwords.

8. Limit the Rate of Failed Login Attempts

As we mentioned earlier, in brute force attacks, passwords are guessed by bots designed to hack your website. Limiting the number of failed login attempts could perfectly prevent a bot from guessing the right credentials. CAPTCHA-based protection (like the one MalCare provides) could easily thwart brute force attacks. Learn more about CAPTCHA-based protection in this In-Depth Guide to WordPress Login Protection.

Captcha-based protection

9. Hide WordPress Login Page

All WordPress websites have a default login page which looks like this – ‘yoursite.com/wp-admin’.

Thanks to this knowledge, hackers build automated bots designed to launch brute force attacks at hundreds of thousands of WordPress websites.

One way to dodge such attacks is to change your login page from ‘yoursite.com/wp-admin’ to something like ‘yoursite.com/newloginpage.’ There are quite a few plugins in the WordPress repository using which you can modify your default login page URL.

10. Remove WordPress Version Number

Although keeping your website up-to-date is an important step towards securing your WordPress site, there are times when you may want to delay updates.

For instance, the new WordPress editor Gutenberg is quite different from the classic old one. Gutenberg was launched with WordPress 5.0, and many site owners, being reluctant to switch to the new editor, delayed updating the core. An outdated core can be a sign of welcome for intruders. If you hide your WordPress version, you wouldn’t have to worry about running an outdated core.

If you want to prevent outsiders from finding out which WordPress version your website is running, we recommend reading this article – How to Remove WordPress Version Number.

11. Set Up a WordPress Firewall

Wouldn’t it be great if you could block the hacker or the bad bot before they access your web login page? That’s exactly what the firewall does! It filters incoming traffic that wants to visit your WordPress site. A WordPress firewall will fend off bad traffic (i.e. hackers and bots) ensuring that your site remains safe.


12. Use HTTP Authentication

Since the login page is more frequently under attack than any other page on a WordPress website, it makes sense to add a layer of protection over the page. That’s what the HTTP authentication will help you achieve.

HTTP authentication implemented on the site

HTTP authentication provides you with a way of blocking unwanted visitors to the login page. Once you’ve installed HTTP authentication on your website, it’s impossible to access the login page without a special set of HTTP credentials.

There are a handful of plugins that’ll allow you to enable HTTP authentication on your site. You can look for them in the WordPress repository.

13. Implement Two-Factor Authentication

Passwords were a primary means of protection in the WordPress world for a really long time. However, these days there are many sophisticated password-cracking techniques. Hence, a good way to strengthen the login page is to use a second factor of identification after the username and password stage. That’s what two-factor authentication will help you to achieve. Learn how to add two-factor authentication.

14. Auto-Logout When No Activity

For websites with multiple users, the chances of a security compromise are really high. A user leaving the dashboard open on the screen while they go about attending other urgent business poses serious security threats.

A passerby can steal information, modify the site without the user’s knowledge, or even end up breaking the site. To mitigate any risks of this sort, you have the option to set your site up so that it automatically logs out idle users. There are plugins in the WordPress repository for logging out users when they are idle for a specific period of time.

15. Set Passwords to Expire

Regular users of e-banking portals would know about passwords that expire every few months. The purpose is to ensure that if your account is hacked, the hacker gets only a limited window to exploit your account. If you apply the same practice on your WordPress website, it’ll help reduce the damage of a hack attack.

Enforce a policy where all your users will have to change the password every few months. It’s a good practice and a great reminder of how security is an on-going procedure.

16. Perform Daily Malware Scan

Hacking is a process that is constantly evolving. Each year, we find hackers developing sophisticated tools and finding better ways to breach websites. In such circumstances, using a security scanner can make a big difference to your security posture.

With the help of a WordPress security scanner, you can catch malware before it causes any damage to your site. Here’s a roundup of the top 5 WordPress malware scanners to choose from.

17. Schedule Daily Backups

Anyone who has been running WordPress websites for long knows there are going to be unforeseen disasters. While you can’t predict what form they will take, you can devise a recovery plan well before disaster hits. The best way of securing your WordPress website is to have nothing to lose. This is where backups come in.

They are your safety net. When things go wrong, for instance, your website breaks due to an update, you can restore your site back to normal with the help of a backup. Hence, take complete backups of your website on a regular basis. (Recommended read – 5 Best WordPress Backup Plugins.)

18. Employ Least Privileged Principles

Every registered WordPress user has a user role. He or she could be an Administrator or Editor, Author, Contributor, Subscriber or a Superadmin. You should think twice before allocating user roles. Each role comes with a set of powers and responsibilities. Handing over big roles like that of an Administrator to people you don’t entirely trust could lead to power abuse and big security concerns.

Change user role

19. Block Suspicious IP Addresses

Limiting access to your WordPress website is one of the better ways of protecting your WordPress website. In the previous section, we spoke of how the WordPress firewall blocks bad traffic from visiting your website.

But in case a few hackers and bad bots do slip by, you have the option to block them. If you have a WordPress security plugin like MalCare installed on your website, you can see people constantly failing to log in to your site. Once you are sure that it’s not one of your registered users, you can block the IP address of the intruder and safeguard your WordPress website.
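The repeated failed logins described above can also be read straight from the web server's access log. The shell functions below are an added example, not code from MalCare or the original article; they assume the combined log format and that a failed login is a POST to /wp-login.php answered with 200, and the function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumptions: combined log format on stdin; a failed login is a POST to
# /wp-login.php answered with 200 (a successful login answers with a 302).

# failed_login_ips THRESHOLD
# Prints "count ip" for every IP with at least THRESHOLD failed logins.
failed_login_ips() {
    awk -v min="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# deny_rules
# Turns "count ip" lines on stdin into an Apache 2.4 block list for .htaccess.
deny_rules() {
    echo '<RequireAll>'
    echo '    Require all granted'
    awk '{ print "    Require not ip " $2 }'
    echo '</RequireAll>'
}

# Constructed sample log lines (documentation-range IPs), not real traffic.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2024:10:01:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
EOF
}

# Demo: one address fails three times in a row; the user who mistyped once
# and then logged in stays below the threshold and is not blocked.
sample_log | failed_login_ips 3 | deny_rules
```

Review the list against your registered users before pasting the generated rules into .htaccess.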

20. Use an SSL Certificate

An SSL certificate will enable you to switch from HTTP to HTTPS. Wait, what’s HTTP and HTTPS?

You must have noticed website addresses beginning with http or https. You can call HTTP an enabler of communication. When you access a webpage, your browser communicates with the server of the website you want to access. It tells the server exactly which page you are looking for. After the server responds, the browser shows you the page. This communication between the browser and server is possible due to HTTP. But HTTP is insecure. The communication line can be hijacked and exploited. HTTPS is a more secure version of HTTP. It secures this communication line.

The website has an SSL certificate installed

Switching your site to HTTPS will have 3 core benefits: One, it’ll encrypt all information passing between the visitor and your website thus keeping crucial information secure. As a result, it builds trust among visitors to your site. That’s benefit number two. And benefit number three is that the certificate boosts your Google ranking since Google considers an SSL certificate an important ranking factor.

21. Ensure File Permissions Are Correct

A WordPress website is made of files and databases. Every file has a set of permissions which determines whether the file can be modified or not.

WordPress file permissions play a vital role in securing your site. Having the wrong set of permissions can result in various errors or even a security breach. For instance, the wp-config file is a very important WordPress file and should not be tampered with. It should be set to ‘read-only’. If this is changed to ‘read and write,’ anyone can edit the file and implement changes on your site without your knowledge. Hence, it’s important to set all important files like the .htaccess file and the wp-config file to read-only.

Change file permission

22. Monitor Real-time Activities Every day

Keeping a vigilant eye on everything that is happening on your WordPress website allows you to identify suspicious behavior at an early stage. This will help thwart any possible intrusion before it causes damage to your website. There are several plugins in the repository that’ll help you monitor activities in real-time. Here’s one we reviewed – WP Security Audit Log.

23. Disable File Editing

WordPress allows users to edit and add code snippets to installed plugins and themes from the dashboard. This poses serious security concerns because if a hacker gets admin access he can edit the themes and plugins.

Since most WordPress users don’t edit themes and plugins, it’s a good place to add malicious codes and go unnoticed. The code will help the attacker access the website in the future. But if you disable file editing, you wouldn’t have to worry about malicious codes stored in your themes and plugins.

Disabling file editing manually is risky but if you were a MalCare client, you could disable file editing with the click of a button.

Disable file editor with MalCare

24. Change Database Prefix

The WordPress database is a storage facility where content and configurations of your website are stored. It’s a very important part of your site, which puts a target on its back. Hackers carry out Spam Link Injection or SQL injection to access and exploit the database.

The structure of the database is common knowledge. It comes with a standard 11 tables and every table has a ‘wp_’ prefix. If you change the prefix, you can throw the hackers off-guard and make it difficult to exploit the database. Changing this prefix to something else is a good WordPress security practice.
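Steps 21, 23 and 24 all come down to the state of wp-config.php, so one check can cover them. The script below is an added example, not code from the original article or from MalCare: it reports a writable file, a missing `DISALLOW_FILE_EDIT` constant, and the default `wp_` prefix. The function names, sample files and the prefix `k7q_` are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumed names: audit_wp_config, write_samples, the sample prefix "k7q_".

# audit_wp_config FILE
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
audit_wp_config() {
    cfg=$1; rc=0; q="['\"]"; sp='[[:space:]]*'

    # Step 21: any write bit (owner, group or other) means "not read-only".
    if [ -n "$(find "$cfg" \( -perm -200 -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "PERMS: file is writable, make it read-only (chmod 400 or 440)"; rc=1
    fi

    # Step 23: the dashboard editor is off only when an uncommented
    # define('DISALLOW_FILE_EDIT', true); is present.
    if ! grep -Eiq "^${sp}define\(${sp}${q}DISALLOW_FILE_EDIT${q}${sp},${sp}true${sp}\)" "$cfg"; then
        echo "FILE_EDIT: DISALLOW_FILE_EDIT is not set to true"; rc=1
    fi

    # Step 24: the default table prefix is still in use.
    if grep -Eq "^${sp}[\$]table_prefix${sp}=${sp}${q}wp_${q}" "$cfg"; then
        echo "PREFIX: table prefix is still the default wp_"; rc=1
    fi
    return $rc
}

# Constructed sample files: one default-style config and one hardened config.
write_samples() {
    cat > "$1/weak.php" <<'EOF'
<?php
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);
EOF
    chmod 644 "$1/weak.php"
    cat > "$1/hardened.php" <<'EOF'
<?php
$table_prefix = 'k7q_';
define( 'DISALLOW_FILE_EDIT', true );
EOF
    chmod 400 "$1/hardened.php"
}

# Demo: the weak file yields three findings (its define is commented out,
# so it does not count); the hardened file yields none.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_wp_config "$demo_dir/weak.php" || true
audit_wp_config "$demo_dir/hardened.php" && echo "hardened.php: no findings"
rm -rf "$demo_dir"
```

Changing `$table_prefix` on a live site also requires renaming the existing tables, so take a backup first.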

25. Disable PHP File Execution

A WordPress website is made up of many files and folders. The Upload folder is where images of your website are stored. You’ll never find a PHP file in the Upload folder. PHP files contain a set of commands and it’s used to execute functions. PHP files are easy to identify because they have a .php extension.

If you find such a file in the Upload folder, it’s very likely placed by an intruder. He or she will use the PHP file to execute malicious activities like sending spam emails. Disabling PHP execution in the Upload folder can go a long way in securing your website. Here’s how to disable PHP execution.
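Both halves of this step, finding PHP files that should not be in the Upload folder and switching off PHP execution there, can be scripted. The following is an added example, not code from the original article: it assumes an Apache 2.4 server that honours .htaccess files, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumption: Apache 2.4 with .htaccess overrides enabled for the uploads folder.

# scan_uploads DIR
# Lists files that are PHP by name, or that carry a PHP opening tag while
# using another extension (for example an "image" that is really a script).
scan_uploads() {
    {
        find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \)
        grep -rlF '<?php' "$1"
    } | sort -u
}

# deny_php_execution DIR
# Appends a rule to DIR/.htaccess that refuses requests for PHP files.
# The marker comment makes repeated runs harmless.
deny_php_execution() {
    ht="$1/.htaccess"
    grep -qF '# deny-php-in-uploads' "$ht" 2>/dev/null && return 0
    cat >> "$ht" <<'EOF'
# deny-php-in-uploads
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Constructed sample uploads folder with harmless placeholder contents.
make_sample_uploads() {
    mkdir -p "$1/2024/03"
    printf 'JFIF-image-bytes' > "$1/2024/03/photo.jpg"
    printf '<?php /* placeholder */' > "$1/2024/03/cache.php"
    printf '<?php /* placeholder */' > "$1/2024/03/old.PHP5"
    printf 'GIF89a<?php /* placeholder */' > "$1/2024/03/avatar.gif"
}

# Demo: three of the four files are reported; photo.jpg is a plain image.
demo_uploads=$(mktemp -d)
make_sample_uploads "$demo_uploads"
scan_uploads "$demo_uploads"
deny_php_execution "$demo_uploads"
cat "$demo_uploads/.htaccess"
rm -rf "$demo_uploads"
```

On a real site, point both functions at wp-content/uploads and inspect every reported file before deleting it.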

26. Disable Directory Browsing

Sometimes a website may show a list of files and folders instead of a standard homepage. It generally occurs when there is no index file (index.html, index.php, etc). In cases like this, the data is exposed and can be easily exploited.

You’d want to check if your website is exhibiting crucial data to the public. If it is, you do need to make sure that directory browsing in the WordPress website has been disabled. This article will help you do just that – How to disable directory browsing?

27. Disable XML-RPC in WordPress

XML-RPC is a WordPress function that enables users to perform a lot of operations on their sites remotely. It lets you access your site using the WordPress mobile application. On a WordPress website, XML-RPC is enabled by default which poses certain security risks.

We know that XML-RPC enables users to access their website remotely, but you’ll need to authenticate your identity before WordPress allows you to access the site. Hackers exploit this authentication process to try and gain access to your site. So if you are not using WordPress remotely, consider disabling XML-RPC.

28. Hide wp-config.php & .htaccess

wp-config.php and .htaccess files are two of the most important files of a WordPress website. They allow you to make modifications to your website. For instance, you can add snippets of codes to the .htaccess file and instruct WordPress to password-protect certain pages. Likewise, you can use the wp-config file to enable or disable automated WordPress updates. If these files go into the wrong hands, it can spell disaster for your website.

The worst part is that the location of both files is common knowledge, which makes it easier to access them. It’s good practice to hide the files by tucking them away in a different folder where hackers are unlikely to find them. Learn how you can hide the wp-config file and the .htaccess file.

29. Change WordPress Security Keys & Salts

Have you ever noticed how you don’t log in every time you want to access your website dashboard?

After signing into your account, WordPress stores your login information in your browser cookie, in an encrypted manner. WordPress uses security keys and salts to encrypt the passwords so that even if hackers manage to steal your cookie, they can’t decode your password.

Consider a situation where a hacker steals your security keys and manages to decode and access your site without your knowledge. If you change the security keys and salts, his/her browser cookies will be immediately invalidated. He will be thrown out of the website.

Change Security Keys with MalCare

He’ll need to steal the new security keys and salts, try and decode them and then access your site again. It’s a difficult process, one which he/she may not want to proceed with again.

Learn how to change WordPress security keys and salts.

30. Monitor Google Search Console for Security Threats

Google crawls websites on a regular basis to check if there is any new content valuable enough for its users. In doing so, it also detects malicious activities on your site. To safeguard its own users, Google blacklists such websites and informs the website owner. If you’re using Google Search Console, Google will also send you a notice in Console whenever they detect malicious activities on your website. Make sure you are checking the Google Search Console regularly to stay informed about the health of your site.

Final Thoughts

This is a lot to take in, especially for a beginner with limited knowledge of how WordPress works. But taking these measures is a step in the right direction.

That being said, many of the security measures can be executed with a single security plugin. All you’d have to do is click a button. For instance, a security plugin like MalCare performs malware scanning, protects your login page, runs a firewall to block malicious traffic, changes security keys and salts, and does a host of other things. The best part is that many of these measures are automated so that you can spend more time focusing on your business instead of worrying about security. We hope that this article helps you to find out how to secure a WordPress website.

Sophia Lawrence,

Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.
