WordPress is the biggest fish in the sea of Content Management Systems (CMS). According to Kinsta, more than 500 new websites are designed every day on WordPress.

However, the ever-growing popularity of WordPress has also exposed millions of websites to malicious security vulnerabilities. Recently a study was conducted on hacked websites stating 74% of the 8000 sites were built on WordPress CMS.

While the core of WordPress is secure, most of the hacking attempts are successful due to configuration fault and neglect in WordPress website maintenance.

In this post, I will highlight the top WordPress security tips to protect your website from hacking attempts and security breaches the easy way.

Let’s dive in!

Tips to Secure the WordPress Website

#1 Secure the Login Process

Login panel is probably the weakest spot in your website. That is because hackers can easily break into your site with a brute force attack on the login page.

Here’s what you can do to secure your login panel:

#1.1 Change the login URL

The default login URL is www.yoursite.com/wp-admin/ Many website owners overlook the threat of a wp-login breach. Hackers can easily access your backend once they figure out your site can be logged into using the default URL.

Change it to www.yoursite.com/my-new-login/ or www.yoursite.com/my-new-admin/

#1.2 Limit the login attempts

You can lock out the bad guys by restricting the number of times they can enter the wrong username and password. It will help you dodge another brute force attack.

Moreover, you will be notified of the unauthorized attempt as soon as a user is blocked temporarily.

iThemes security plugin comes in handy when dealing with the security aspects of your WordPress website.

#1.3 Enable two-factor authentication (2FA)

While it may sound time-consuming, two-factor authentication closes the backdoor vulnerability of password hacking.

That means, if a hacker figures out your password, they will have to face another login component to enter your website. It could be anything: a security question, a one-time code, or a sequence of characters.

Google Authenticator, Duo Security , and Wordfence are some of the popular plugins that offer 2FA.

#1.4 Use complex password

An easy-to-remember password is also easy-to-guess by hackers. It is the weakest link on your site.

Try to incorporate numbers, special characters, and uppercase letters in your password. You can use an automated password generator to further strengthen your security. 

PRO TIP: Change your password regularly or use a password manager to do the work for you.

#2 Restrict Dashboard Accessibility

wp-admin is the linchpin of your website. It is where any illegitimate user can edit pages, posts, and files – basically screw up your site functionality. There are two ways you can tighten the security of the wp-admin directory:

#2.1 Enable password-based authentication

You can add a login request to access wp-admin using your hosting panel. In case your WordPress account is compromised, the hacker is blocked access on this authentication layer.

#2.2 Limit access by IP Address

You can restrict access to the dashboard for only your IP address. For that, you need to create a new .htaccess file in your wp-admin directory and add below lines of code in it:
  • order deny,
  • allow
  • allow from YOUR IP ADDRESS
  • deny from all

#3 Protect Critical Files on Your Website

#3.1 Disable theme and plugin file editing

All the theme and plugin files become vulnerable once a hacker breaks into your dashboard. They can modify the code and enter malicious scripts that could destroy your website. To prevent that from happening, all you need to do is disable file editing functionality. Add this single line of code in your wp-config.php file:

define(‘DISALLOW_FILE_EDIT’, true);

#3.2 Harden your wp-config.php file

In terms of security, wp-config.php is the most crucial file holding sensitive information regarding WordPress installation, security keys, and database login data. You cannot overlook the importance of securing this file.

wp-config.php resides in the root directory ( /public_html directory) by default. You need to move the file to another directory. Here’s how you can do that:

  1. Create a new wp-config.php file
  2. Copy the entire code from the original wp-config.php and paste it into the new PHP file.
  3. Replace existing code in the original file with the below-mentioned line:



Note: Confirm include path (/home/yourname/) with your web server

#3.3 Disable directory browsing

Every website follows a directory structure where each directory stores a list of files. By default, you can browse all these files by simply entering their path. For instance, www.yourwebsite.com/important/ Let’s say you have a directory called important containing files that you wouldn’t want hackers to get their hands on. To prevent this from happening, you have to block directory listing. Add the following code in .htaccess present in /important/ directory:

Options All -Indexes

#4 Secure data transfer with HTTPS

Unlike HTTP based websites, HTTPS sites ensure encrypted data transfer between the web browser and the webserver. It protects all the data from any hacking attempts.

Get an SSL certificate installed on your site even if you don’t transfer sensitive information. Google gives a ranking boost to HTTPS sites. Moreover, the ‘not secure’ sign in the address bar doesn’t exactly make a great first impression on the visitors.

#5 Keep Your Website Updated

Websites running on older WordPress version or outdated themes and plugins is one of the primary loopholes of hackers.

With every rollout, WordPress developers release security patches along with bug fixes to fortify your website. Never miss out on these updates.

If it’s too much work for you, you can always sign up for website maintenance services.

#6 Go for the Right Hosting Company

By right, I mean good quality – the one that offers multiple security layers for the website. 

While you might be tempted to go with the cheapest one, I’d advise against that. 

Find a reasonable hosting provider that undertakes strict security measures. Assess and compare their plans; check if they meet your hosting and security needs correctly.

#7 Choose Reliable Security Plugin

While reputed plugins might be high-priced, however, they are bundled with security features that eliminate the risk of breaches and malicious hacking.

Installing security plugins relieves you from all the hassle of tinkering with the technicalities. They perform regular security checks, scan malware, and monitor your site night and day for any suspicious activity. Check out this list of best WordPress security plugins I have compiled to help you make a sound decision.

Final Thoughts

Securing your WordPress website is just as crucial as building it. Invest your time in strengthening your website’s security with the tips mentioned above. Try them one at a time.

A well-secured site is a stepping stone for a well-established online presence.