The Ultimate WordPress Security Guide

There is a good reason to be worried about your website’s security. Reports tell us that over 90,000 hack attempts are made on WordPress websites every minute of the day.

Many website owners may think their website is too small to draw a hacker’s attention. The truth is, since small websites tend to take security lightly, hackers find them all the easier to hack.

Big or small – every WordPress website needs to take security measures.

Luckily, there are numerous things you can do to protect your website from hackers and bots. In this article, we’ll show exactly what steps you need to take to ensure that your website is secure.


Importance of Website Security

WordPress is the world’s most popular website building platform. Right now there are 75 million WordPress websites on the internet, and hundreds of new ones are being created each day. This kind of popularity comes with a price.

The more people use it, the more attractive it is as a target for hackers. Windows is a bigger target than Apple’s operating system. Chrome is a bigger target for exploits than Firefox. Popularity draws more attention, both good and bad.

We mentioned earlier how small website owners consider their websites immune and don’t take the necessary precautions, which makes them an ideal target.

When your website is hacked, hackers use it to run malicious activities. They could be launching bigger attacks on other sites, sending spam emails, storing pirated software, injecting spam links, selling illegal products, or creating affiliate links with Japanese SEO spam, among other things.

And that’s not the end of the problem. Things can snowball quickly: search engines will show deceptive site warnings to users and can blacklist your site. Reports tell us that Google blacklists 50,000 websites for phishing activities and around 20,000 websites for containing malware every week!

Apart from that, hosting providers can also suspend your account. This means your website will be down for days, which will have an impact on your revenue. If you wait too long to fix your site, it’ll do irreparable damage to your business.

We can all agree that taking security precautions is much better than fixing a hacked WordPress website.

We’ll show you how to keep your WordPress site secure, but before that we want to address a question that many of our readers are thinking about.


But Isn’t WordPress Secure?

The WordPress core is secure. WordPress has an army of the best developers working tirelessly to keep the WordPress core safe. They are consistently improving technology and releasing patches and updates to fix any glitch or error.

There hasn’t been any major vulnerability in the WordPress core for a long time.

Despite this, there are over 90,000 hack attempts made on WordPress websites every minute of the day. And there are two main reasons behind that.

First off, WordPress is an extremely popular platform. Some 75 million websites on the internet are built on WordPress which attracts the attention of hacking groups from around the world.

Another reason is the presence of vulnerable and outdated themes and plugins. In fact, reports suggest that outdated themes and plugins are a leading cause of WordPress compromises.

(Psst — you can read more about this on our WordPress security updates article.)


So although WordPress is a safe platform, there are other factors that can lead to a compromised website. Hence, taking the following WordPress security measures can go a long way in protecting your websites.


How to Secure a WordPress Website?

There are 15 different security measures that you can take to protect your WordPress website. Those are:

  1. Install a WordPress Security Plugin
  2. Take Regular Backups
  3. Use a Good Hosting Company
  4. Keep WordPress Up-to-Date
  5. Use an SSL Certificate
  6. Protect Your WordPress Login Page
  7. Set Up a Firewall
  8. Harden Your Website
  9. Employ Least Privileged Principles
  10. Blocking Suspicious IP Addresses
  11. Implement Country Blocking
  12. Hide WordPress Version
  13. Check Activity Log
  14. Use Only Email Address to Login
  15. Use HTTP Authentication

Let’s take a deeper look at these measures.

1. Install a WordPress Security Plugin

The primary functions of a security plugin or service are to scan, clean, and protect. While there are many WordPress security plugins to choose from, not all plugins are effective. Some may offer many features that just create a lot of noise. A seasoned hacker can bypass such security plugins to hack your website.

MalCare is one of the best WordPress security scan plugins out there. Here’s why –

i. MalCare’s Malware Scanner

A WordPress malware scanner requires resources to run a scan. Many scanners rely on your web server’s resources but this can slow down the speed of your website.

To overcome this challenge, MalCare uses its own server resources to run a scan of your website. It transfers your website’s files to its own server and then runs the scan there. This method ensures that your site remains unaffected during the scanning process.

Many scanners look for only existing malware which means that they miss new types of malware. MalCare is designed to identify all types of malware including new ones.

ii. MalCare’s Malware Removal

MalCare offers the fastest malware removal service. Most WordPress security services offer ticket-based cleaning. In this, if your website is hacked, you’d need to raise a ticket, pay the malware removal fee and then wait for security personnel to clean your site and get back to you. This process is time-consuming and involves giving access to your site to a third-party.

MalCare’s Cleaner works differently. Following a hack, time is of the essence. The longer it takes, the higher the chances of Google blacklisting your website or web hosts suspending your site. That’s why MalCare offers instant WordPress malware removal to clean a hacked website. All you need to do is click a button, sit back and let the plugin clean your site within minutes.


iii. MalCare’s WordPress Protection Measures

All the measures that we mentioned so far, from using a firewall to country blocking to hardening your website, are protective measures that MalCare enables you to take with just the click of a button.

How to Use MalCare?

  • To use MalCare, you need to first download and install the plugin on your website.
  • Then add your site to the MalCare dashboard. The plugin will begin scanning your website immediately. If it finds any malicious files on your website, it’ll notify you.
  • You can clean your site immediately using MalCare’s Auto-Clean button.


2. Take Regular Backups

Backups are your safety net. If something goes wrong with your website, you can restore it back to normal if you have a copy of your website.

There are many backup plugins out there. With the overwhelming number of choices available, it can be really easy to end up with a service that is not up to the mark. To select the right backup service, you’ll need to know how to choose a backup plugin.

Moreover, reviewing backup plugins will be a time-consuming and expensive affair. Luckily, we did a comparison between the major WordPress backup plugins in the market. Take a look at the best WordPress backup plugins.


3. Use a Good Hosting Company

The two most popular types of hosting are shared hosting and managed hosting.

Shared hosting is popular because it’s less expensive. It has enabled millions of people across the globe to start their own website without a big investment. But in shared hosting, you are sharing a server with other unknown websites. And often when one website is compromised, other websites on the same server are affected. Hence, although popular, shared hosting providers are ill-equipped to handle threatening situations.

If you can afford a dedicated server, always choose that. It does a better job of keeping a WordPress website secure. You can check how web hosting affects website security.

Since there are many hosting providers to choose from, we made a comparison of the top WordPress hosting. Hopefully, it’ll help you make a decision on which web host provider to opt for.


4. Keep WordPress Website Up-to-Date

Like any other software, plugins, themes, and even the WordPress core develop vulnerabilities over time.

When developers learn about the vulnerabilities, they release a patch in the form of an update. When website owners don’t update their site, the vulnerabilities remain.

After releasing a patch, developers announce the reasons for the update which means the vulnerability is publicly announced. Hackers are now aware of the security flaw and in which version it exists. They are aware that not every website owner is going to update their site immediately, so they start looking for websites that are running on the vulnerable version. This time gap gives them a good chance of successfully hacking a large number of sites.

Case in point, statistics show that over 80% of the websites were hacked because they were not being updated!

You must update your WordPress site regularly. Learn how to update your WordPress website safely.


You may notice that there are plugins and themes that have not been updated by their developers in a long time. In most cases, the software has been abandoned by the developers. It’s best to remove the plugin or theme from your website and install an alternative.


5. Use an SSL Certificate

Quickly take a look at the URL of this website.

Notice the lock? This lock means the site is using an SSL certificate. SSL (Secure Sockets Layer) encrypts data while it’s being transferred between the browser and the website.

Why? Because data (like credit card details) travelling from a visitor’s browser to your website can be intercepted and stolen. If the data is encrypted, hackers cannot use it even if they steal it.

Here’s a guide that’ll help you install an SSL certificate on your website and Move WordPress Site From HTTP to HTTPS.


6. Protect Your WordPress Login Page

The login page is one of the most commonly attacked parts of a WordPress site. Hackers try to guess the login credentials and access the WordPress admin area, which would give them complete control over the website. Hence, it’s important to implement the right protection on your WordPress login page. Let’s look at the different techniques that’ll enable you to protect your login page and increase WordPress login security.

i. Use Unique Username

If your username is easy to guess, then the hacker only needs to figure out the password. With one less thing to worry about, it makes the job of a hacker a lot easier.

One of the most common WordPress usernames is ‘admin’. Up until a few years ago, WordPress encouraged people to use ‘admin’ as a username. Although WordPress no longer auto-suggests ‘admin’, it is still widely used. Hence, you must take measures to make sure that your admins avoid using “admin” as the username along with these commonly used usernames.

Consulting this list every time a new user account is created could go a long way in keeping your WordPress safe. Moreover, if any of your existing users are using common usernames, then tell them to change it. Here’s a guide that they’ll find helpful on How to Change WordPress Username?

ii. Change Your Display Name

To infiltrate your site, hackers skim through your website and pick up the display names. They use different combinations of those names to try to log in. Hackers know it’s not uncommon to have the same username and display name. For example, if Sophia Lawrence is a display name, they might try to log in using sophialawrence or sophia.lawrence or sophia as the username.

So, to safeguard your site from this, you can change your display name.

Go to ‘Edit My Profile’. And then change your ‘Nickname’. Save the update. Now, select ‘Display Name Publicly As’. A drop-down menu appears in which you’ll see the new display name. Select it and save the setting.


Hackers will inevitably fail if they try to use the display name.
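
An audit for the two username problems described above, as an added example (not code from the original article or from MalCare): it flags accounts whose login is a common username or can be derived from the public display name. The user records and the shortlist of common usernames are constructed; real records could come from `wp user list --fields=user_login,display_name --format=json`.

```python
import re
import unicodedata

# Constructed shortlist for illustration; extend it with your own list.
COMMON_USERNAMES = {"admin", "administrator", "root", "test", "user"}

# Constructed sample records (user_login plus public display name).
SAMPLE_USERS = [
    {"user_login": "admin", "display_name": "Site Owner"},
    {"user_login": "sophia.lawrence", "display_name": "Sophia Lawrence"},
    {"user_login": "k7-editor-mq", "display_name": "Sophia L."},
    {"user_login": "Sophia", "display_name": "Sophia Lawrence"},
]


def _slug(text):
    """Lowercase, strip accents, keep only letters and digits."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(c for c in text if not unicodedata.combining(c))
    return re.sub(r"[^a-z0-9]", "", text.lower())


def guessable_logins(display_name):
    """Usernames that follow directly from a public display name."""
    parts = [p for p in (_slug(w) for w in display_name.split()) if p]
    if not parts:
        return set()
    first, last = parts[0], parts[-1]
    guesses = {first, "".join(parts)}
    if len(parts) > 1:
        guesses |= {
            last,
            f"{first}.{last}",
            f"{first}_{last}",
            f"{first}-{last}",
            first[0] + last,
            first + last[0],
        }
    return guesses


def audit_users(users):
    """Return (login, reasons) for every account with a guessable login."""
    findings = []
    for user in users:
        login = user["user_login"].lower()
        reasons = []
        if login in COMMON_USERNAMES:
            reasons.append("common username")
        if login in guessable_logins(user["display_name"]):
            reasons.append("derivable from display name")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for login, reasons in audit_users(SAMPLE_USERS):
        print(f"{login}: {', '.join(reasons)}")
```

Accounts that are flagged need either a new username or a display name that no longer matches the login.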

iii. Prevent Discovery of Username

Apart from the display name, usernames can also be discovered from your website through the WordPress REST API. This is a serious WordPress security issue. Introduced in 2016, this core WordPress feature allows anyone to discover users’ information on your site. All they need to do is request a simple URL.

To prevent this from happening, use the following code snippet in the functions.php file. It’ll hide the user’s list and give you a 500 error if you try to run the URL again.


    add_filter( 'rest_endpoints', function ( $endpoints ) {
        // Remove the route that lists all users.
        if ( isset( $endpoints['/wp/v2/users'] ) ) {
            unset( $endpoints['/wp/v2/users'] );
        }
        // Remove the route that returns a single user by ID.
        if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
            unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
        }
        return $endpoints;
    } );

The username is one of the two components of a login credential. Let’s look at the second component – password, and try and figure out how to secure it from hackers.


iv. Enforce Strong Passwords

Any password will protect my website, isn’t that enough? The answer is no because hackers are constantly trying to guess passwords of WordPress sites in order to break in.

They use a technique called brute force attacks in which they program bots to make millions of login attempts trying to guess your credentials in under a few minutes.

If you use an easy password like Passw0rd123$, the bot will crack it in a few guesses. This is why it’s important to have a unique and complex password.

WordPress encourages users to auto-generate strong passwords, but you can still create an account using a weak password. Therefore, the onus of using strong passwords falls on your shoulders.


You can educate your WordPress admins to use strong passwords. The guidelines for setting a strong password are as follows:

– Create Long Passwords

In general, passwords that exceed 8-10 characters are considered strong and typically difficult to crack. Every character you add to your password makes it stronger. However, over the past few years, password cracking technology has advanced significantly. Hence, many WordPress security personnel recommend using passphrases that are 15 characters in length.

  • Long password: pd&&)xG56ZhLNrjl4jjNJ4#h (hard to remember)
  • Long passphrase: Its wolf was white as you know nothing John Snow (easy to remember)

– Use a Combination of Uppercase, Lowercase, & Special Characters

In brute force attacks, bots are programmed to carry out password cracking procedures. They follow certain instructions, for instance, they’ll try to guess the right password by coming up with a combination of different lowercase letters (‘a’, ‘b’, ‘c’, etc.). Using an easy password like ‘testpass’ means they can crack the password after making only a few attempts.

Hence if you use a combination of both lowercase and uppercase characters, it’ll take them a long time to figure out the password. However, a really well-programmed bot can try a few million passwords every second. So mixing special characters, numbers, lower and uppercase letters should ideally make the password unpredictable and hard to crack.

  • Add caps – TestPass
  • Add numeral and symbol – TestPass123$

– Avoid Using Common Words and Publicly Known Details

Words like ‘test’, ‘admin’, and ‘login’ are common choices among WordPress users. These are some of the passwords that bots try first, hence avoid using them. According to an infographic by Splashdata, the top 25 most commonly used passwords include:

  • Common sports and interests like ‘baseball’, ‘football’, ‘Star Wars’, ‘Princess’, ‘Solo’, etc.
  • Numbers in Order like ‘87654321’, ‘0123456’, etc.
  • Letters in Order like ‘abc123’, etc.

Hackers targeting your website may pick up details from your site and try them out. For instance, if you have a website built around your favorite TV show Game of Thrones, bots will try various combinations of the phrase to break into your sites such as ‘GoThrones123’ or ‘gameofthrones123’. To prevent this from happening, design a password that has no mention of anything related to the website.

Securing passwords minimizes the chances of a security breach. But strong passwords are hard to remember unless you have a few tricks up your sleeves.

v. CAPTCHA-based Protection

Besides using unique usernames and strong passwords, using CAPTCHAs is another perfect way to prevent brute force attacks on your WordPress website.

Following a certain number of failed login attempts, a CAPTCHA is generated to determine whether the user is human or bot. CAPTCHAs are designed to be unreadable by bots. Hence, it thwarts brute force attacks because bots can’t access the login page until they solve the CAPTCHA.

WordPress security plugins like MalCare generate image-based CAPTCHA that is only solvable by a real, human user.


Designed to prevent hacker bots from cracking your credentials, CAPTCHAs are great.

vi. Implement Two-Factor Authentication

Have you noticed how popular services like Facebook and Gmail authenticate users when they try to log in? A code is sent to the smartphone associated with your account which helps validate the user. This is known as two-factor authentication.

WordPress does not offer two-factor authentication. Hence, to implement this on your WordPress site, you can follow this guide on How to Add WordPress Two-Factor Authentication.


7. Set Up a Firewall

Of the hundreds of visits that you receive on your website, some are malicious. Such visitors come to your site with the intention of finding vulnerabilities that they can exploit to gain control of your site.

A WordPress firewall checks every visitor request made to your website. No matter what device the visitor is using – desktop, smartphone, tablet, laptop – every device is associated with an IP address. If the request comes from a suspicious IP, the visitor is blocked; otherwise, the visitor is allowed to access the site. A good firewall is your first line of defense against malicious traffic.

A WordPress firewall plugin like the one MalCare offers comes with an advanced firewall that offers better security. It does not just check traffic requests made on your site, it also records bad traffic. Meaning when it comes across a new bad IP, it keeps a record of that. If the bad IP tries to access your website again, it’s promptly blocked.



8. Harden Your Website

We identified some common areas of a WordPress website that hackers take advantage of. For instance, they could be using your security keys to gain access to your website or installing malicious plugins or themes on your website. To protect your website from hackers, you need to take steps to fortify your website.

We have a guide that’ll help you take WordPress hardening measures.


9. Employ Least Privileged Principles

WordPress offers 6 default WordPress user roles: Administrator, Editor, Author, Contributor, Subscriber, and Superadmin. Allotment of these roles must be done carefully. Each role comes with its own set of powers and responsibilities. Let’s take a look at them:

The Administrator is at the top of the hierarchy. He has full control over the website and can execute the following functions:

  • Create, edit and delete content
  • Edit plugins and themes code
  • Manage all plugins and themes
  • Create, modify and delete user accounts

The rights decrease as you go down the hierarchy. The Editor cannot make major changes but can manage categories and links, moderate comments, and create, edit, and delete posts and pages. The Author, Contributor, and Subscriber have fewer permissions.

The highest responsibility is that of an Administrator, the rights to which should be given to the people you are confident won’t abuse power.

If the wrong sort of people gain admin access, they could take advantage of the role. They can install rogue plugins and themes, steal your data and sell it for a price, and store illegal files and folders, among other things.


10. Blocking Suspicious IP Addresses

If you have a WordPress security plugin like MalCare installed on your website, go through the log of IP addresses that have been trying to log in unsuccessfully.

Notice how some of them could be using common usernames (we spoke of this in the ‘Use Unique Username’ section) like “adm2016”. The picture below is a record of failed login attempts made on one of our websites.


To block these malicious IP addresses, place the following code in your .htaccess file:

    order allow,deny
    deny from IP_ADDRESS
    allow from all

Replace “IP_ADDRESS” with the IP address you want to ban and save the file.
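
Turning a login log into the deny list above, as an added example (not code from the original article or from MalCare): it counts failed POSTs to wp-login.php per IP in constructed Apache access-log lines and renders the rules. Treating a 200 response to a login POST as a failed attempt, the threshold of 5 and the allowlisted range are assumptions; the `order`/`deny` directives are Apache 2.2 syntax that Apache 2.4 accepts only with mod_access_compat, so the `Require` form is rendered as an alternative.

```python
import ipaddress
import re
from collections import Counter

# Apache combined log format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def _line(ip, method, status):
    """Build one constructed access-log line for the sample below."""
    return (f'{ip} - - [12/Mar/2024:10:15:00 +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 1234 "-" "sample"')


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", 200)] * 6      # repeated failures
    + [_line("198.51.100.23", "POST", 200)] * 2  # two typos ...
    + [_line("198.51.100.23", "POST", 302)]      # ... then a successful login
    + [_line("192.0.2.10", "GET", 200)]          # only viewing the form
    + [_line("192.0.2.44", "POST", 200)] * 7     # noisy, but our own range
)


def failed_login_counts(log_text):
    """Count POSTs to wp-login.php answered with 200 (form shown again)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        path = match["path"].split("?", 1)[0]
        if (match["method"] == "POST" and path.endswith("/wp-login.php")
                and match["status"] == "200"):
            counts[match["ip"]] += 1
    return counts


def ips_to_block(counts, threshold=5, allowlist=()):
    """IPs at or above the threshold that are not in an allowlisted range."""
    allowed = [ipaddress.ip_network(net) for net in allowlist]
    flagged = []
    for ip, hits in counts.items():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostname or garbage in the IP field: never emit it
        if hits >= threshold and not any(addr in net for net in allowed):
            flagged.append(addr)
    return [str(a) for a in sorted(flagged, key=lambda a: (a.version, int(a)))]


def render_htaccess(ips, apache24=False):
    """Render the block list in the article's syntax or the Apache 2.4 form."""
    if apache24:
        lines = ["<RequireAll>", "    Require all granted"]
        lines += [f"    Require not ip {ip}" for ip in ips]
        lines.append("</RequireAll>")
    else:
        lines = ["order allow,deny"]
        lines += [f"deny from {ip}" for ip in ips]
        lines.append("allow from all")
    return "\n".join(lines)


if __name__ == "__main__":
    blocked = ips_to_block(failed_login_counts(SAMPLE_LOG),
                           allowlist=["192.0.2.0/24"])
    print(render_htaccess(blocked))
```

The allowlist keeps your own office or VPN range out of the deny rules, so a colleague who mistypes a password several times does not lock the whole team out.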


11. Implement Country Blocking

The world wide web gives hackers access to websites all across the globe. They could be located in Russia targeting a website from New York.

Statistics show that the top five countries where hack attempts originate include China, United States, Turkey, Brazil, and Russia.

If you have MalCare installed, it is easy to check users who are trying to log into your website. You can see their country of origin.


If you have users located only in the US, then login attempts made from other countries are most likely malicious.

In the above image, we can see that login attempts have been made from four different countries – the United States, United Kingdom, Russia, and China.

Now, if you are targeting only specific countries like the US, you don’t need traffic from other countries hence you can block the United Kingdom, Russia, and China.

To learn how to implement country blocking, take the help of this guide on How To Block a Country In WordPress?


12. Hide WordPress Version

Another way a hacker can find out if you have any files with known WordPress vulnerabilities is by looking up the WordPress version you are using. Sometimes website owners miss new WordPress updates that leave their site vulnerable.

Hackers can exploit any vulnerability that may have existed in the previous version of the core WordPress installation. Hence, hiding the WordPress version you are using might be useful.


To do this, you need to place a piece of code in the functions.php file.

Step 1: Login to your host account. Access cPanel > File Manager > public_html.

Step 2: In the public_html folder, access wp-content and select the folder of your active theme.

For example, if you’re using the default WordPress theme Twenty Nineteen, select the folder that’s named “twentynineteen.”

Note that ‘personalblogily’ is the theme we are currently using on our websites; you could be using a different theme.

Step 3: Right-click on the functions.php file and select Edit. Here, place the following code.

    // Return an empty string so that no generator tag is printed.
    function wpbeginner_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 'wpbeginner_remove_version' );

Save the file, and this will remove the WordPress version number from being displayed anywhere on your site.
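
A way to check the result of the snippet above on a saved copy of a page’s HTML, as an added example (not code from the original article): it reports the generator tag and, going a little beyond the article, the `?ver=` values on core asset URLs, which the the_generator filter does not change. The HTML, the example.test host and the version number 6.4.3 are constructed sample values.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Paths that belong to WordPress core rather than to plugins or themes.
CORE_PATHS = ("/wp-includes/", "/wp-admin/")

# Constructed page head as rendered before the filter is added.
BEFORE_FILTER = """<html><head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="stylesheet" href="https://example.test/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3" />
<script src="https://example.test/wp-content/plugins/demo/app.js?ver=1.2.0"></script>
</head><body></body></html>"""

# Same page after the filter: only the generator tag is gone.
AFTER_FILTER = BEFORE_FILTER.replace(
    '<meta name="generator" content="WordPress 6.4.3" />\n', ""
)


class _LeakParser(HTMLParser):
    """Collects the generator version and ver= values on core assets."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.asset_versions = set()

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "meta" and (attr.get("name") or "").lower() == "generator":
            match = re.match(r"WordPress\s+([\d.]+)", attr.get("content") or "")
            if match:
                self.generator = match.group(1)
        # Stylesheets use href, scripts use src; other tags are ignored.
        url = {"link": attr.get("href"), "script": attr.get("src")}.get(tag)
        if url:
            parsed = urlparse(url)
            if any(core in parsed.path for core in CORE_PATHS):
                self.asset_versions.update(parse_qs(parsed.query).get("ver", []))


def version_leaks(html):
    """Return where a page still exposes a WordPress version string."""
    parser = _LeakParser()
    parser.feed(html)
    return {
        "generator": parser.generator,
        "core_asset_versions": sorted(parser.asset_versions),
    }


if __name__ == "__main__":
    print("before:", version_leaks(BEFORE_FILTER))
    print("after: ", version_leaks(AFTER_FILTER))
```

If `core_asset_versions` is still populated after the change, the version remains visible in the page source, so prompt updates matter more than hiding the number.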


13. Check Activity Log

Keeping a vigilant eye on everything that is happening on your WordPress website allows you to identify suspicious behavior at an early stage. This will help you thwart any possible malicious hack attacks before they actually happen and damage your WordPress website.

You can do this by installing a plugin to keep a record of everything that happens on your WordPress website in a WordPress activity log. There are several different plugins you can choose from. WP Security Audit Log is one such plugin.


14. Use Only Email Address to Login

In the WordPress login page, you can either use your username or your email ID to log in. Hence, disabling the use of username could discourage hackers from performing brute force attacks on your website.

There are plugins like No Login by Email Address that allow you to prevent the use of usernames to log into your website.


15. Use HTTP Authentication

HTTP authentication offers a layer of protection over the WordPress login page and is an important step towards WordPress security. To access the page, the user needs to enter the HTTP credentials. Without this, they will not be allowed to access the login page of your site.


Plugins such as HTTP Auth help set up this protective layer over your login page. Remember to share the HTTP authentication credentials with your users. Otherwise, they will find themselves locked out and unable to log in to your site.

With that, we’ve come to the end of advanced security measures for WordPress websites.


Common But Obsolete WordPress Security Measures

In the world of WordPress security, there is a lot of advice that site owners tend to get. But some of this advice is not very effective. We are going to list down some of the common security advice that comes with major drawbacks. These measures don’t really secure your website as hackers have found ways to work around these measures.

  1. Hide WordPress Login Page
  2. Set Passwords to Expire
  3. Auto-Logout When No Activity

1. Hide WordPress Login Page

Hackers rarely target single websites. They program automated bots to launch attacks on WordPress login pages. Anyone who has used WordPress long enough knows that WordPress websites come with a default login page URL that looks like this: ‘’.

This makes the job of the automated bots much easier. Hence, changing your website login page to something like ‘’ could deflect an oncoming attack.

There are several plugins such as WPS Hide Login, Hide WP-Admin, etc. that can help you hide your WordPress login page.


Drawback: Although this can easily prevent automated hack attempts, it does not guarantee that your website will be safe. This is mainly because tools like WPS Hide Login offer a default login URL. So, hundreds of thousands of websites using the tool are using the same URL for their login page. Hackers can easily find out the URL format and launch attacks.

Moreover, hiding the login page without properly informing all users can prove to be very inconvenient. It can even cost you a day’s work.


2. Set Passwords to Expire

You must have noticed in e-banking services they ask you to change passwords after a specific time period has lapsed. This is a safety measure that ensures that if your account is hacked, the hacker gets only a limited window to exploit your account. Applying the same measure on your WordPress websites reduces the damage.

Using the Expire Passwords plugin, you can set user passwords to expire after a specific number of days. All users are forced to update their passwords.


Drawback: This measure does provide some level of security, but hackers find ways to bypass it. For example, when they hack your site, they create new user accounts or install hidden backdoors. So even though you change your password regularly, they’ve already created other points of access.


3. Auto-Logout When There’s No Activity

For websites with multiple users, chances of abuse of user rights are high. It’s even higher for users who work remotely. A user may have to leave their desk to tend to urgent business and forget to log out.

What if someone abuses the website during this time? To reduce the risk of such abuse, you can set up your WordPress website to log out users automatically if they are inactive for a long period.

The Inactive Logout plugin offers an Idle Session Logout feature. This allows you to set a time period of inactivity that’s acceptable, such as 10 or 20 minutes, after which the user is logged out automatically.

Drawback: Chances are that if someone wants to snoop around in your site, they’ll do so immediately after the user leaves. In cases like these, logging out idle users can’t prevent abuse of user rights.


Final Thoughts

We know that was a really long read and a bit overwhelming too. But before you head off to take a nap, here’s what we suggest you do –

We sincerely hope that you found this article helpful. We want to leave you with one final thought – taking all these security measures can be very overwhelming, so we suggest running regular WordPress security audits and opting for a premium WordPress security plugin like MalCare that will handle security for you.

With MalCare, you’ll have access to nifty security features like the firewall, regular malware scans, WordPress hardening, and so much more. You can rest easy knowing your site’s security is taken care of.

Try Out Our WordPress Security Plugin – MalCare Right Now!

Sophia Lawrence,

Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.
