25 Effective ways to Secure WordPress website

Looking for an easy way to secure wordpress website? Not sure what to do? Is your business is important than getting a website compromised?

If your answer is YES, here I’ve highlighted 25 effective ways to secure your wordpress site which will help you to reduce the wordpress security pain.

before we get started, answer me the following questions in the comment section:

  • Since when did you start wondering about wordpress security?
  • Do you implement any wordpress security tweaks when you install the wordpress?
  • Have you ever been the victim of the hacker?

If you did, Let’s begin the reading

Secure WordPress Website

⇛ Importance of wordpress security:

Security, a word which we use in our Daily Life, not verbally but we do. The World is becoming more Digital every day. The day might be too much time, it’s becoming Digital every second. We are being introduced to New Features in SmartPhones, Computers, etc. Sometimes new Features come with new Vulnerabilities.

We all use some kind of Lock in our SmartPhones. There are few known features like Screen Lock, Pattern Lock, Password Lock, and the Vintage PIN Lock.

We use what we like in our Phones to Secure it from Unwanted Access and Data Thefts. When we are so serious about a Phone’s Security, then we should be aware of WordPress Security as well. As I said earlier, new features come with vulnerabilities sometimes.

⇛ 25 effective ways to Secure WordPress Website

Let’s start exploring 25 effective ways to secure wordpress website.

1) Setup Daily Backups

Backing up your site often is essential. Every webmaster knows this. Regrettably, many new WordPress users do not take backing up as seriously as they must. In reality, if something goes wrong with a website or wordpress, You would end up having nothing which will eventually make you pay the developer again and develop the site from the stretch.

It is not always unusual for website owners to take backups no longer seriously until something goes wrong. It is a hard lesson they won’t in any way to forget. If you’re smart, you’ll get into the habit from the very beginning to back up your wordpress account.

We use WPvivid + S3 at wpzonify. we recommend the same.

A Good host takes backups regularly. See our “Hosting recommendation list

2) Keep Updating WordPress, Themes, and Plugins

WordPress is an open-source Blogging platform often developed and used by businesses and every attacker quite often aims to find the loophole in wordpress, themes, plugin.

So, it’s important to update your WordPress Core whenever there is one. The same goes for the Themes and Plugins you use in your Site. According to surveys, most of the WordPress blogs which are hacked or are victims of Cyber Attacks are those which were not updated.

There are 2 types of updates in WordPress. One is minor changes, which you can wait to update till a week. Some are Critical Updates, you need to update that as soon as possible.

Pro Tip: Make sure you have Backup before you updating the wordpress, themes and plugins else you may lose your Site.

How to update: You can go to your wordpress Dashboard, there you will the Notification to Update the Required Things. Or you can download the latest software from WordPress Official Website and upload it in your File Directory where wordpress is installed.

update wordpress as soon as you receive.

3) Use Strong Passwords and User Permissions

If you use the cPanel softaculous to install the wordpress, the wordpress will be installed with the “pass” as a password that enables attackers to compromise the wordpress website. For such a purpose, it is necessary to use a strong password to secure wordpress website.

And don’t share the admin privileged user credentials with the others. Either they are known personalities or friends. trust no one.

I recommend using a “temporary login plugin that allows you to create a temporary login URL where people can access the wordpress dashboard without login credentials if you want to share with the hosting provider support or someone you trust.

use strong password

4) Install And Set-up a WAF (Web Application Firewall)

Enabling the firewall will help you reduce the number of bot attacks or suspicious activities on your wordpress websites. Although the server-side firewall is one step ahead than the application-level firewall.

Which Firewall plugin do I recommend?

Ninja advanced firewall. Why?

I did a wordfence & Ninja advanced firewall test which wordfence plugin usually uses more resources on the hosting account, while the Ninja firewall is lightweight, blocks many threats.

How to Install?

  • Straight login into the wordpress dashboard.
  • Navigate to Plugins >> Add new Plugin.
  • Search “Ninja Firewall” and Install the plugin.
  • Follow the Instruction offered by the plugin.
Ninja firewall

5) Use Different “admin” Username

A Username is what you write in place of default “admin” while installing WordPress on your Domain. And below that, you write a Password in place of “pass” which must be difficult for others for a guess.

Now coming to log in. By default, WordPress allows anyone to enter the password in as many attempts as a person wants.

Yes, there is a feature called Forget Password which you can use if you forget it. But what if the person who is trying to log in isn’t you?!

It is recommended to change the default wordpress username “Admin” to a random username unless you know how to secure wordpress site.

Use random username

6) Disable WordPress File Editor

WordPress comes with 2 Editors with installation, one is the Theme Editor, and the other is known as the Plugin Editor. With Theme Editor, you can make changes to your current theme which is in use.

Like removing WordPress Credits from the Footer, or adding a Google Analytics code in the Header. You can use it if there is such a need for Editing the Theme. Plugin Editor is the least used Function in WordPress. It’s mostly used by developers only. If you have no knowledge of it, then you shouldn’t use it.

Let’s assume, a hacker enters in your WordPress site. The 1st thing he will do is to corrupt the site or inject his malware code to your Site and it can be easily done with both Editors as WordPress gives Unrestricted Access to anyone who has logged into the Dashboard. Once he’s done, then your Site will get compromised and whatnot.

That’s one reason to Disable both Editors. Another is, if you have multiple users on your WordPress Site, then you may need to hide both Editors since they can knowingly or by mistake make some changes in the Codes which might result in you losing your own Site. These are the common reasons why you must disable the Editors.

How to Disable: Login to your cPanel or SFTP account using the Filezilla. Edit the wp-config.php file and add the following code. save changes.

define( 'DISALLOW_FILE_EDIT', true );

Both Editors will be disabled once you reload your wordpress dashboard. Before disabling, make sure you have SFTP Access to website files or cPanel, Control panel.

Before disabling the wordpress file editor:

25 Effective ways to Secure Wordpress website 1

7) Disable PHP File Execution

As I stated earlier, once the hacker has accessed your site, if you have never disabled the wordpress file editing function, they would then add the malware code to your wordpress website which makes it easy for them to compromise the wordpress.

What if you’ve disabled editing the wordpress file? Ultimately attacker would then quickly upload his executable file to the upload directory and execute the code to gain access to your wordpress files.

How to disable: Login to SFTP again and head-over to /wp-content/uploads/ folders on your website. then create .htaccess file with the following code.

<Files *.php>
deny from all

That’s it, Executing the code file in your Uploads directory would be kind of difficult for the attackers.

8) Limit Login Attempts

Well, there are many Plugins available to prevent unknown people trying to breach into your Website. One such plugin is a loginizer plugin. You can install it on your WordPress site and follow the instructions offered by the plugin to make sure the next time someone tries to enter your Site, the attempts restrict that person.

Once you have chosen the Username in wordpress Installation, you can’t change it. There are options but that will consume your time. If you have activated the loginizer plugin, then it will work for you as well. So, if you forgot the password, then don’t keep trying. Just click on Forget Password and Reset it. If you keep entering the wrong credentials, your Ip Address might get blocked for a while.

Limit login attempts

9) Add Two Factor Authentication

2 Factor Authentication, in short 2FA, is a High-Level Security Feature used in many platforms. This Feature includes a Password and a Random Security Code generated on the Security App on your phone. There are apps that work as authenticators in 2 Factor Authentication. Like Google Authenticator.

How to set up 2 Factor Authentication: Login to your WordPress dashboard. Install and activate the 2FAS Light plugin. To set up the 2FA, You would also need to install the 2FA security app on your android device such as Google Authenticator, Authy.

10) Use Different WordPress Database Prefix

WordPress Database is the main source of everything you have in your WordPress Site. It’s the foundation of your WordPress Installation. That makes it the most important place digitally for Spammers and their seniors known as the Hackers.

By default, when you are installing WordPress via cPanel softaculous or Installing wordpress manually, you will see “wp_” in Table Prefix. That’s too common for anyone to guess. So, to make your WordPress Database more secure, you need to make it a bit tough to guess. Make sure whatever you enter there, it ends with an underscore(_). If you keep “wp” at the start, it will make the Directories be in Order.

For example: RandomPrefix_

wordpress table prefix

11) Password Protect WordPress Admin Folder

The additional layer of authentication to your wordpress makes it more difficult for someone to access. Your website will ask for the username and password as soon as someone tries to access the default URL / wp-admin wordpress.

If you are using the cPanel already, you can set up with the help of “Directory privacy” functionality offered by cPanel. If you are not using the cPanel, please go through the following steps.

  • Go to Htpasswd generate tool
  • Enter the username & password. Click create .htpasswd file.
  • You will see the encrypted password, copy it.
  • Now login to your SFTP and Navigate to your /wp-admin directory.
  • Create a .htpasswd file and paste the copied code. Save changes.
  • Create another .htaccess file in the same location /wp-admin and paste the following code:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/wp-admin/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere

Once you do the above steps, your default admin directory will then start requesting the login credentials that we created earlier in the .htpasswd.

12) Disable Directory Browsing

Directory indexing can be problematic, allowing attackers to view and download the website files easily to their system. Web server Litespeed will trigger the 404 not found error by default but if you are on a host that does not use the LiteSpeed, you can quickly add the following code to disable the directory indexing.

Options -Indexes

Please add the above code to your .htaccess file.

13) Disable xmlrpc.php in WordPress

The WordPress XML-RPC is a specification aimed at centralizing communication between multiple systems. It uses HTTP as the transport mechanism and XML as the encoding mechanism that allows the transmission of a vast range of data.

Causes of XML-RPC in wordpress:

  • DDoS via XML-RPC pingbacks
  • Brute force attacks via XML-RPC

How to disable it: Paste the following code in your .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all allow from

14) Protect The Wp-Config File

The other way to tweak wordpress security is to safeguard the wp-config.php. Wp-config.php holds sensitive content such as security keys, database host, database user and database password that might allow attackers to pull your wordpress database completely.

Why would anyone want sensitive wordpress data to fall into wrong hands. do you? that’s why wp-config.php security is something you should be taken care of.

How to protect with .htaccess rule: Paste the following code in your .htaccess file and save changes.

<files wp-config.php>
order allow,deny
deny from all

Receive similar wordpress guides, eBooks in your email inbox!

15) Disable script injections

Attackers constantly try to inject their script into your wordpress website. Script injection not only impacts your business, but it can also be super expensive, the result of Google’s search will show as “hacked website,” you’ll have to hire developers to build the site for you again.

Guess what? It can be prevented by adding htaccess rule to your .htaccess file. Add the following code to your htaccess file and save the changes.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING}
(<|%3C).script.(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

16) Fight Against Content Scrapers (hotlink)

Hotlink Protection makes it possible for you to prohibit the direct link to files from your website from other websites. It means that when some other website tried to link your files to their websites to load your files such as CSS, JS, and images it can not load content from your wordpress that lets you prevent bandwidth abuse and duplicate content.

How to enable hotlink: Place the following code in your .htaccess file and save changes.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)example.com/.*$ [NC]
RewriteRule .(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ – [F]

17) Add Security Questions to WordPress Login Screen

You can protect your wordpress login page for unauthorized login attempts. Anyone who tries to log in to your wordpress will have to answer the questions that you would add with the plugin.

How to set up: Install the WP Security Questions plugin on your wordpress website and follow the instruction offered by the plugin.

Pro Tip: If you already have Limit login attempts and 2FA security enabled on your wordpress, the WP Security Questions plugin really doesn’t have to be installed.

18) Prevent Unnecessary Info From Being Displayed

When somebody(or you?) failed to login to your wordpress dashboard, wordpress would show you display you unnecessary information such as “Username incorrect” and “Password is invalid for username XYZ” which will help attackers to compromise your wordpress website.

Why don’t we just prevent from being displayed on your site? to do that, add the following piece of code to your theme function.php

add_filter( 'login_errors', create_function('$a', "return null;") );

OR Use the same plugin that I suggested earlier to change quickly.

Change login error message

17) Use Cloudflare

Cloudflare is yet another CDN service that caches your website across its 200 other servers around the world and delivers the content from the nearest location and you can make use of it for security purposes as well. you won’t get any such service for absolutely free and I’d highly recommend setting up the Cloudflare.

How to setup: Head over to the cloudflare.com website and signup with your website address. you will be offered the name servers which you need to update in your current domain name provider.

cloudflare security

18) Install or use SSL Certificate

I assume I would not need to explain more about the importance of an SSL certificate because the SSL certificate is to encrypt sensitive information sent across the internet and now SSL is extremely important as chrome announced the “unsecured” budge that will be displayed in the visitor browser if you don’t use the SSL certificate or redirect users to https.

SSL is being offered for free with the hosting services that I listed in my hosting recommendation list and if you have installed the SSL certificate already. you sure you need to redirect Http to Https.

Image Credits

19) Blacklist Undesired Users And Bots

20) Use secure hosting services

21) Use Latest PHP version

22) Hide wordpress, themes and plugin version

23) Automatically log idle users out of your site

24) Keep eye on recent changes

25) Safeguard your computer

Final Words:

This is the very extensive list of wordpress security enhancements that you can make sure to secure wordpress website. additionally, I would also recommend, you should only use trustworthy plugins and never trust plugins/themes from the unknown developers.

Finally, I’m curious about your wordpress security settings. Please do mention in the comment section.

About Manoj lk

Manoj is a guy who helps small business owners to securely run their wordpress website while also increasing their business revenue. You can reach out to him by sending an email to [email protected]

2 thoughts on “25 Effective ways to Secure WordPress website”

Leave a Comment


Top 5 Awesome Fastest wordpress themes (Free + 2020)