Written by Reginald Chan on July 10, 2021

How to Secure Your WordPress Site – With 12 Easy Steps

How to secure a WordPress site? If you find yourself asking this question often, you’re not alone. The popularity of WordPress among website owners has made it equally popular with hackers who are constantly looking for ways to attack and break into WordPress websites.  

If you’re worried about WordPress security, you’re in the right place.  This guide takes you through 12 trusted and recommended ways to secure a WordPress site. Let’s get started.

How to Secure Your WP Site in 12 Steps

WordPress security can sound challenging and highly technical, but you don’t need to be a technical or WordPress expert to secure a WordPress website. You can perform these security steps even if you’re a novice user. Here’s what you need to do to set up a robust security posture for your site: 

  1. Take frequent backups.
  2. Keep everything up to date.
  3. Change the WordPress login URL.
  4. Limit the Login attempts.
  5. Use a WordPress security plugin.
  6. Use HTTPS protocol.
  7. Change the WordPress database prefix.
  8. Always use strong passwords.
  9. Secure your wp-config.php file.
  10. Change your default username.
  11. Disable file editing.
  12. Use secure hosting.

Next, let us discuss each of these 12 measures in detail.

1. Keep your website updated 

Most hackers exploit vulnerabilities in the Core WordPress version or installed plugins and themes to get into websites. A secure WordPress site runs on the latest WordPress version and updated plugins/themes. This is because WordPress developers add security fixes to the updated versions for the vulnerabilities introduced in previous releases.

If you cannot find an updated version of your installed plugins/themes, consider removing or replacing them for the safety of your site.

2. Change the WordPress Login URL

Did you know that anybody can access your WordPress login page by adding “/login” or “/admin” or “/wp-login.php” at the end of your website URL? For example, www.mysite.com/login. Why is the login page important? 

Hackers often target your login page as the first step to gain unauthorized entry into your WordPress account. Once they gain access, they can take full control of your website which can damage the user experience with random warnings. In brute force login attacks, hackers repeatedly send HTTP requests to your login page until access is gained or the server crashes.  Even if they don’t manage to break in, these high volume and incessant attacks often push the server to its limit which can result in a website crash.

How can you protect your WordPress login page from hackers? There are multiple ways of protecting your login page, but the easiest way is to change the default URL of your login page. You can use WordPress plugins like WPS Hide Login to do this. However, this alone may not be enough. There are chances that hackers know the URL format suggested by popular tools and can find their way around this. That being said, combined with the next two measures, it can make your login protection more robust.  

3. Limit Login Attempts

By default, WordPress allows an unlimited number of attempts to log into their accounts. Unfortunately, hackers take advantage of this. 

In addition to changing the default login URL, you can secure a WordPress website by limiting the number of login attempts to your account, say to three tries. This is the best guard against brute force attacks that use automated bots to guess your login credentials.

How do you limit login attempts? You can install a plugin like “Login LockDown” or enable the CAPTCHA feature using a plugin like reCAPTCHA to protect your site from bots and brute force attacks.

4. Use strong passwords

Configuring long and strong passwords as part of your user credentials is possibly the easiest and yet, most ignored, way to secure WordPress websites and their login pages. Weak passwords like “password” or “123456” are easy to remember for users but equally easy for hackers and their bots to guess. 

Here is how you can strengthen the password for every user:

  • Passwords should include upper- and lower-case alphabets, special characters (example, _ or @), and numbers.
  • They must be at least 10 to 12 characters long.
  • The same password must not be used for multiple user accounts.
  • Change passwords frequently after a gap of 4-6 months.

5. Change your default username

Default or easy usernames like “admin” or “admin123” make it easy for WordPress hackers to use brute force attacks and gain access to your site. After configuring strong passwords, go a step ahead and change the default usernames of all your users – particularly WordPress administrators (or admin users), to block unauthorized access into your WordPress account.

Here are some considerations for managing admin usernames:

  • Make sure every username is unique and not easy to guess for any hacker.
  • Restrict the number of users with admin privileges to as many as you require.
  • Assign user roles like “subscriber” or “contributor” with lower and fewer privileges to other WordPress users.

How do you change the default username? First, create a new admin user on your WordPress account, and delete the existing admin users. Alternatively, you can change the usernames of existing admin users with the Username Changer plugin for WordPress sites.

6. Install an SSL certificate 

Another great way to secure a WordPress website is to move it from HTTP to the HTTPS protocol.  HTTPS makes sure all the data transmitted between a user’s browser and your website is encrypted. Even search engines like Google consider it a factor for your website’s SEO ranking

How can you switch to an HTTPS website? By installing the SSL (short for Secure Socket Layer) certificate on your site. You can obtain this certificate from your web host provider or install a third-party SSL plugin like Let’s Encrypt. 

Once you have installed the SSL certificate, you can verify the same by checking for https:// or a lock symbol before your URL. 

7. Use secure hosting

Your WordPress web hosting platform can be a decisive factor for your website security. A good and secure host will always keep your website safe and operational, while a weak host can leave your site vulnerable. Apart from security, a good web host can improve your website performance across devices and provide facilities like regular backups and SSL certification.

If your website is on a shared host and facing regular outages, it’s time to switch to the more reliable managed web hosting that offers a dedicated server only for your site.

8. Change the WordPress database prefix

A majority of data breaches happen when hackers gain access and control to your database records. By default, WordPress prefixes its database tables as “wp_,” thus making it easier for hackers to run database attacks like SQL injection. 

The smartest way to secure WordPress databases is by changing the database prefix from “wp_” to some other prefix. How can you do this? From your WordPress installation folder, open the wp-config.php file and change the value of the “$table_prefix” variable from wp_ to something else, say wp_a1357_, so it looks like this:

$table_prefix  = 'wp_a1357_';

Note: You can only use numbers, letters, and underscores to do this. 

9. Secure your wp-config.php file

If there is one file that can make or break your WordPress site, it is the wp-config.php file that is part of every WordPress installation. Hackers try to take control of this PHP file because it contains sensitive information like your usernames and passwords, along with details on how to access your WordPress database.

How can you secure your wp-config.php file? Here are some tips:

  • Change the default location of this file in the WordPress installation folder.
  • Add the following code to the .htaccess file:

#secure wp-config.php

<files wp-config.php> 

order allow, deny 

deny from all 


10. Disable file editing

WordPress allows all its admin users to make changes in PHP files (including wp-config.php) using a file editor tool. Unfortunately, this privilege is also what enables hackers to break into WordPress admin accounts.

Disabling file editing or your file editor is the easiest way to prevent hackers from adding their malicious code to plugin/theme PHP files through an admin account. Disabling the File Editor is also among the hardening measures recommended by WordPress itself.

How can you disable file editing? All you need to do is adding the following code to the wp-config.php file:

define(‘DISALLOW_FILE_EDIT’, true);

11. Use a WordPress security plugin

An automated security tool is probably the easiest way to secure a WordPress site. Security plugins or tools like MalCare, Wordfence, or Sucuri can protect your site from many malware variants by detecting the latest malware and attacks. They scan your website regularly for security holes, vulnerabilities, and malware before it is too late. 

While there are many free security tools, paid tools like MalCare have advanced and evolving algorithms to detect new and unknown malware that most others miss.  MalCare, for instance, also comes with additional inbuilt features like a firewall, WordPress hardening, 2FA protection, and most importantly, automated malware removal so you can clean your website without having to rely on technical experts.

 It is easy to set up and use and lets you manage, scan, harden, and clean even multiple websites in a few clicks. 

12. Take frequent backups

Though strictly not a security measure, this is a good practice to ensure a hack doesn’t disrupt your website operations and take you back to ground zero. 

Complete backups of your website and database files help you restore your site in case of a crash without losing users and business due to downtime. Frequent backups – daily, hourly, weekly, or monthly – can be configured based on your website needs.

You can back up your website manually, but doing so repeatedly and regularly is a huge investment of time and resources. WordPress backup plugins like BackupBuddy or BlogVault are easy to install and run and offer scheduled and automated backups at a frequency of your choice. They also come with easy restore options you can use to restore your website from a dashboard in a few clicks. Plugins like BlogVault, have a 100% restore rate and features like Test Restore that make sure you can restore your site without any issues. 


A hacked website means more than just downtime. It causes a loss of revenue, damages your user experience, puts your users and their data at risk, impacts brand perception, lowers your hard-earned SEO rankings, and undoes all your WordPress development and business efforts so far. 

The steps in this article can go a long way in improving your website security. However, there is no such thing as absolute protection from hackers as they are constantly innovating to find newer ways to attack and damage sites. It can be hard to keep up with them. Security plugins like MalCare provide an easy way to ensure ongoing and continuous protection for your WordPress website. They also combine several recommended security measures into their automated user flows so you can secure your WordPress site with minimal effort.

Article written by Reginald Chan
A meticulous entrepreneur by nature and a serial entrepreneur. Founded a few awesome startups including Marketing Lancers, WP Maven and TheMarketingHuddle.com. Reginald is a sought-after success coach, digital marketing consultant and TEDx speaker from Asia. Currently, he teaches others how to make money online for free.

Related Posts