How to Secure WordPress


WordPress is the most popular content management system (CMS), used for all kinds of sites, from personal blogs to eCommerce shops.

Unfortunately, its popularity also attracts cybercriminals to exploit the platform’s vulnerabilities. Sucuri confirmed this claim with a study. 94% of over 60,000 WordPress websites studied in 2019 experienced security breaches.

Before you rush to find another CMS, note that this doesn’t mean that WordPress has a terrible security system. Mostly, WordPress security breaches happen due to the users’ lack of security awareness.

This is why understanding and implementing multiple security measures is essential to keep your website safe from various attacks. To help you in this process, this article will list the best practices and tips to make your WordPress site secure

Why Do You Need to Secure WordPress!

The consequences of getting hacked are far from pleasant. A breached website may experience significant data, assets, and credibility losses. Furthermore, if your website manages customer information, the incident can jeopardize their personal data and billing information.

It’s predicted that by 2025 the cost of cybercrime damages can reach up to $10.5 trillion per year. Surely you don’t want to be part of that statistic.

Based on WPScan Vulnerability Database, here are some of the most common types of WordPress security vulnerabilities:

  • Cross-site request forgery (CSRF) – forces the user to execute unwanted actions in a trusted web application.
  • Distributed denial-of-service (DDoS) attack – incapacitates online services by flooding them with unwanted connections, thus rendering a site inaccessible.
  • Authentication bypass – allows hackers to gain access to your website’s resources without verifying their authenticity.
  • SQL injection (SQLi) – forces the system to execute malicious SQL queries and manipulates data within the database.
  • Cross-site scripting (XSS) – injects malicious code that turns the site into a transporter of malware.
  • Local file inclusion (LFI) – forces the site into processing malicious files placed on the server.

How to Improve Security in WordPress

Improving WordPress security doesn’t always require advanced technical knowledge and high-risk investments. Simple steps that anyone can do, like updating WordPress software and removing unused themes, help strengthen a site’s security.

That said, implementing one or two WordPress security measures won’t be enough to make your WordPress website completely safe. So, let’s take a closer look at 21 tips that will help boost your WordPress security.

1. Keeping the Site Updated

WordPress releases regular software updates to improve performance and security. These updates protect your site from new online threats. Thus, updating your WordPress version is a simple yet important way to improve WordPress security.

wp v

However, more than 50% of WordPress sites are running on an older WordPress version. If your WordPress site uses an older version like 4.x, it is at a higher risk of security breaches.

To check whether you have the latest WordPress version, go to the Updates menu on your WordPress dashboard. If you find your site is using an older version, we recommend updating your WordPress version as soon as you can.

WordPress has a complete list of all the released and upcoming WordPress versions. Keep an eye on the future update release dates to make sure the site won’t run an outdated version of WordPress.

Next up, we advise updating the themes and plugins installed on your WordPress site. Outdated themes and plugins may conflict with the newly updated WordPress core software and cause unwanted errors. Moreover, outdated themes and plugins are prone to security threats as well.

Go to the Updates menu on your WordPress admin panel and find the list of themes and plugins ready for updates. You can update the themes and plugins all at once or separately.

wp thems
Automatically updating a major version of WordPress can lead your website to crashes due to incompatibility with older plugins or themes. If you decide to have this option enabled, always make sure that your website is backed up periodically so that you can revert back to previous versions in case of crashes or errors. 

2. Using Secure Admin Login Credentials

One of the most common mistakes users still make is using usernames like “admin,” “administrator,” and “test.” It is a small yet critical mistake as it puts your site at a higher risk of brute force attacks.

If you’re using a name that’s easy to guess, we recommend changing the username to one that’s unique and secure. Creating a new administrator account with a new username is also a great way to keep your site safe.

Here’s how to create a new WordPress administrator account:

Brute force attacks also target WordPress sites with weak passwords. Therefore, it’s crucial to use a unique and strong password.

  • From your WordPress Dashboard, navigate to Users -> Add New.
  • Create a new user and assign it the Administrator role. Add a password and hit the Add New User button once you’re done.
wp new user
  • Log in with the newly created WordPress user credentials.
  • Head back to the Users section, then navigate to All Users. Select the old admin account that you want to delete. Change the Bulk Actions dropdown menu to Delete, and click Apply.
delete user

Try incorporating numbers, uppercase and lowercase letters, and special characters into your password. We also recommend using more than 12 characters as longer passwords are way harder to crack.

One key thing to remember is that even though the complexity of a password is important, in cases of hacking, the password’s length will always outweigh the complexity.

If you need help to generate a strong password, there are online tools available for that, like LastPass and 1Password. Moreover, their password management services help you store strong passwords safely, so you don’t have to memorize them.

Additionally, be aware of the network you use before logging in. If you’re unknowingly connected to a Hotspot Honeypot – a network operated by hackers – you risk leaking login credentials to the operators.

Even public networks such as a coffee shop or school library WiFi may not be as secure as they appear. Hackers can intercept your connection and steal unencrypted data, including login credentials.

For that reason, we recommend using a VPN when you connect to a public network. It provides a layer of encryption to the connection, making it harder to intercept data and protecting your online activities.

3. Enabling Two-Factor Authentication

Activate two-factor authenticationto reinforce the login process on your WordPress website. This authentication method adds a second layer of WordPress security to the login page, as it requires you to input a unique code to complete the login process.

The code is available only to you via text message or a third-party authentication app.

To enable two-factor authentication, install a login security plugin like Wordfence Login Security. Additionally, you’ll need to install a third-party authentication app such as Google Authenticator on your mobile phone.

After installing the plugin and the authentication app, go to the plugin page on your WordPress admin. If you’re using Wordfence Login Security, navigate to Login Security, located on the left sidebar, and open the Two-Factor Authentication tab.

Use the app on your mobile phone to scan the QR code or enter the activation key. Then, you will have to enter the code generated on your mobile phone app to complete the setup.

two factor authentication 1024x669 1

4. Enable the Lockdown Feature

Enabling URL lockdown protects your login page from being accessed by unauthorized IP addresses and brute force attacks. To do that, you need a web application firewall (WAF) service such as Cloudflare or Sucuri.

Using Cloudflare, it’s possible to configure a zone lockdown rule. It specifies the URLs that you want to lockdown and the IP range allowed to access these URLs. Anyone outside the specified IP range won’t be able to access them.

Sucuri has a similar feature called URL path blacklist. Essentially, you add the login page URL to the blacklist so that no one can access it. Then, you whitelist authorized IP addresses to access the login page.

Note that a blacklist can never be comprehensive since new threats are constantly emerging. And while blacklisting is effective against known threats, it’s useless against new, unknown threats.

Hackers can design malware specifically to evade detection by tools that use a blacklist system.

While whitelisting offers stronger security, it can also be more complex to implement.

In addition, it’s difficult to delegate creating a whitelist to a third party because they will need information on all the applications you use. Because it requires information specific to each organization, it requires more input from users.

5. Disabling PHP Error Reporting

The PHP error reporting feature is great for monitoring the site’s PHP scripts. However, displaying your website’s vulnerabilities to visitors is a serious security flaw.

When PHP error reporting is enabled, it will display the full information about your website’s paths and file structure. It will also display the plugin name on which the error message appeared.

The more information displayed about your website’s backend, the more vulnerabilities it leaves open. For example if it displays a specific plugin, people with bad intentions could use that plugin’s vulnerabilities.

There are two ways to disable PHP error reporting – via the PHP file or your hosting account’s control panel.

Modifying the PHP File

The first method requires adding the following code snippet to the site’s wp-config.php file:

2.@ini_set(‘display_errors’, 0);

To open the file and make the changes, use either an FTP client such as FileZilla or your hosting provider’s File Manager. Also, make sure to add the snippet before any other PHP directive

Stay with us next article be soon

  • 6. Using Trusted WordPress Themes
  • 7. Checking for Malware
  • 8. Migrating to a More Secure Web Host
  • 9. Install an SSL Certificate
  • 10. Backing Up as Frequently as Possible
  • 11. Turning Off File Editing
  • 12. Removing Unused Plugins and Themes
  • 13. Using .htaccess for Better Security
  • 14. Changing the Default WordPress Database Prefix
  • 15. Limiting Login Attempts
  • 16. Disabling XML-RPC
  • 17. Automatically Logging Idle Users Out
  • 18. Hiding the WordPress Version
  • 19. Blocking Hotlinking
  • 20. Managing Directory Permissions
  • 21. Monitor User Activity

please leave a comment lt’s very important for us.

Update admin 2022/01/11

I do not know much about wordpress and website development. Someone with knowledge of each category of unixblog will be with you in the future. But because of the shortcomings of this article you unixblog readers can write to us. We would love to have your name on it.


  1. I do not know much about wordpress and website development. Someone with knowledge of each category of unixblog will be with you in the future. But because of the shortcomings of this article you unixblog readers can write to us. We would love to have your name on it.

  2. Everything is very open with a very clear explanation of the challenges. It was definitely informative. Your website is extremely helpful. Thank you for sharing!


Please enter your comment!
Please enter your name here