How to Secure WordPress: 18 Ways to Protect Your Website

How to Secure WordPress: 18 Ways to Protect Your Website

Nowadays it’s paramount to stay safe online since the Internet is full of cyber threats. Because of that, webmasters shouldn’t neglect their tasks towards WordPress security.

That’s why in this article we will uncover the best WordPress security tactics by using the 18 easy-to-implement web security practices.

How to Improve Security in WordPress?

Better WordPress security doesn’t require a huge investment or advanced technical knowledge. Here’s how to improve your website’s protection by using simple to learn security practices.

1. Keeping Your Site Updated

The CMS releases regular software updates to improve site performance, including its security, making sure to keep it secure from new online threats. Thus, updating your website is the most fundamental WordPress security practice you can do.

Surprisingly, less than 50% of websites are still running on the newest WordPress version. If your site is using older versions, such as 4.x, then you put your site at a higher risk of a breach and are in dire need of an update.

To check whether or not you have the latest WordPress version, you can navigate to the Updates menu from your dashboard. For the complete list of all released and to be announced WordPress versions, you can follow this page.

In case you don’t know how to update WordPress, you can follow this tutorial.

2. Using Secure Admin Login Credentials

One of the most common mistakes many users still do to this day is using common usernames such as “admin,” “administrator,” and “test.” Since these usernames are so universal, you shouldn’t be surprised to find failed login attempts while browsing through your WordPress website logs. This is a small yet fatal error as doing so puts your site at a higher risk of successful brute force attacks.

In case you haven’t changed your admin login credentials yet, you can follow this tutorial to change your WordPress username. Alternatively, you can create a new secure administrator account with a different username and delete the old one.

Here’s how to create a new WordPress administrator account:

  1. From your WordPress dashboard, navigate to the Users -> Add New.
  2. Create a new user and assign the Administrator role to that account. Hit the Add New User button once you’re done.Creating a new administrator in WordPress.
  3. Re-log with the newly created WordPress user.
  4. Head back to the Users section, then navigate to the All Users. Select the old admin account that you want to delete. Change the Bulk Actions dropdown menu to Delete, and click Apply.

Brute force attacks can easily target a WordPress site with a weak password, so it’s essential to use unique login details. Try to incorporate variations of numbers, both uppercase and lowercase letters, and special characters into your strong password to make it much harder for someone to guess. Such tools as LastPass and 1Password can help you create and manage strong passwords effortlessly.

Additionally, be aware of the network you use before logging into even a well-protected WordPress site. Public networks, such as a coffee shop or school library WiFi, may not be as secure as they appear. To protect your login credentials, we advise you to use a VPN before going online from a public place.

3. Enabling Two-Factor Authentication

If you want to reinforce the login process even further, you should consider implementing two-factor authentication to secure your WordPress website. This authentication method adds a second layer of WordPress security to your login page, which requires you to input a unique code to complete the login process. This code is available only to you via a text message or a third-party authentication app.

You can find our detailed tutorial on how to enable better authentication features for a more secure WordPress website here.

4. Disabling PHP Error Reporting

The PHP error reporting feature is useful for monitoring the site’s PHP scripts. However, broadcasting your website’s vulnerabilities to other people is a serious WordPress security flaw and won’t help much in the future.

There are two ways to disable PHP error reporting in order to improve WordPress security – via the PHP file or hosting control panel.

Modifying the PHP File

The first method requires you to add the following code snippet to the site’s wp-config.php file to help better secure your WordPress website. Be sure to add it before any other PHP directive. You can either use an FTP client, such as FileZilla, or File Manager to make the modification.


@ini_set(‘display_errors’, 0);

Changing PHP Settings Using the Control Panel

If you don’t want to deal with coding, you can opt for the second method. Here’s how you can disable PHP error reporting from the hPanel:

  1. From your hPanel dashboard, navigate to the Advanced section. Then, click PHP Configuration.
  2. On the PHP Options tab, uncheck the display_errors option and Save.Disabling the display_errors option via hPanel.

5. Using Trusted WordPress Themes

Nulled WordPress themes are pirated versions of the original premium themes. HomePress, for example, is one among many premium themes that fall victim to this illegal practice.

Despite being more affordable, nulled themes have a ton of security flaws. They often carry malware, spam links, and backdoors that can endanger your WordPress security.

Being distributed illegally, nulled themes don’t receive any support from the developers. That means if something critical happens to your site, you’re on your own, without any advice on how to secure your WordPress website after the initial incident.

For this reason, it’s best to avoid using nulled themes at all costs and pick a WordPress theme from its official repositories or trusted developers and their official marketplaces.

6. Checking for Malware

Despite being cautious about the plugins and themes you install on your site, there’s no guarantee that they won’t carry any malware with them. The most common types of malware are viruses, spyware, and ransomware – all of which can be incredibly harmful to your site.

Therefore, it’s crucial to scan your site regularly and learn what various WordPress plugins are able to offer.

Fortunately, there are plenty of great plugins to choose from. Here are some of our recommendations for WordPress security plugins, so feel free to pick one that best suits your preference:

Wordfence security WordPress plugin.

  • Wordfence — a popular WordPress security plugin with real-time malware signature updates, alert notifications that informs you if another site has blacklisted yours for suspicious activity, limiting login attempts, and reCAPTCHA protection.
  • BulletProof Security — helps secure your website with an idle session logout feature that prevents other people from hijacking an unattended device, hidden plugin folders that aren’t visible in the WordPress plugins section, and database backup and restoration tools.
  • Sucuri Security — one of the best WordPress security plugins on the market that offers various SSL certificates, remote malware scanning, and post-hack security action features that can show you how to secure your website after a breach and help resolve technical issues to improve security.

Don’t know how to install a WordPress security plugin? Not to worry, this comprehensive guide can help you set one up in no time.

7. Migrating to a More Secure Web Host

41% of WordPress websites were hacked due to security loopholes in their hosting accounts. Your web hosting provider has a significant role in keeping your server secure. In other words, your website security won’t matter much if the server it’s on is prone to cyberattacks.

If you think your current web hosting provider is unreliable, it’s time to migrate your WordPress site to a new one. Here’s what you need to consider when searching for a reliable web host:

  • Type of web hosting. Due to server sharing, shared hosting tends to be more vulnerable to cyberattacks than other types of hosting. In any case, make sure your account is isolated from other users or migrate either to VPS or dedicated hosting.
  • Security. A good hosting provider monitors its network for suspicious activity and updates its server software and hardware periodically. They also need to have server security and protection against all types of cyberattacks.
  • Features. Regardless of the type of hosting, having automatic backups and security tools for preventing malware is a must-have feature to safeguard your WordPress site. In the worst-case scenario, you can use it to restore a compromised website.
  • Support. Having a 24/7 support team with excellent technical knowledge to help you protect your data is essential in tackling any technical and safety problems that may occur.

With Hostinger, we make sure you get all the essential resources and features needed to protect your WordPress website. Not only do we provide various types of hosting services, but we also offer them for an affordable price. Additionally, our customer support team is always ready to assist you 24/7.

8. Backing Up as Frequently as Possible

While it’s essential that you arm your website with various security measures, regularly backing up the entire site is equally important. When thinking about how to better protect your WordPress site, you won’t need to worry about losing all your hard work in the event of a security breach.

There are a few ways to create backups. You can manually download website files and export the database or use your hosting provider’s backup tools. Various WordPress backup plugins can also help you to do the job more easily.

Here are several top-notch WordPress backup plugins worth considering:

  • VaultPress — a Jetpack-powered plugin equipped with backup and restoration tools, site migration services, and automated file repair that restores infected files.
  • UpdraftPlus — a beginner-friendly, multilanguage WordPress backup plugin that allows you to backup selected files or the entire website and provides you with the option to send them via an email address.
  • Backup Guard — a feature-packed security plugin that offers unlimited backups, cloud storage integration with popular platforms like Dropbox and Google Drive, backup logs that recap your backup history, and mail notification features.

If you don’t know where to start, feel free to check this tutorial on how to create WordPress backups in Dropbox with UpdraftPlus. Alternatively, see this article for more information about WordPress backups.

9. Turning Off File Editing

WordPress offers an in-built file editor that allows you to edit PHP files easily. Despite that, this feature can become a double-edged sword if hackers gain control of it.

For this reason, some WordPress users prefer to deactivate this feature completely. You can disable it by adding the following line of code to the wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

IMPORTANT: In case you want to re-enable this feature on your WordPress website, simply remove the previous code from the wp-config.php file using an FTP client or your hosting provider’s File Manager.

10. Removing Unused Themes and Plugins

As themes and plugins can potentially have vulnerabilities, it’s not a good idea to pile them up on your site for no reason, especially if it has been a while since they were last updated.

Furthermore, having outdated yet active plugins increases the risk of cyberattacks as hackers can use them to gain access to your site. Thus, it’s best to remove unused plugins and themes altogether.

11. Using .htaccess for Better Security

The .htaccess file ensures WordPress links work properly. Without this file declaring the correct rules, you will get a lot of 404 errors. Additionally, the file can also help you secure your website even further.

For example, .htaccess allows you to block access from specific IPs or disable PHP execution on specific folders. The examples below show you how to use .htaccess to harden security for WordPress.

IMPORTANT: Before making any changes, we strongly advise you to backup the old .htaccess file. If anything goes wrong, you’ll be able to restore your site as it was.

Restricting Access to the WordPress Administrator Area

Here, the following code grants access to only specific IPs of the administrator area.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
allow from

Be sure to change to your IP address. If you’re not sure what your IP address is, WhatIsMyIP can help you identify it.

If you use more than one connection to manage your WordPress website, make sure to include all other IPs by repeating the allow from code as many times as necessary.

Disabling PHP Execution in Specific Folders

Hackers like to upload backdoor scripts to the Uploads folder. By default, this folder only hosts uploaded media files. So, it shouldn’t contain any PHP files. To keep a safe WordPress site, you can easily disable PHP execution in the folder by creating a new .htaccess file in /wp-content/uploads/ with these rules:

<Files *.php>
deny from all

Protecting the wp-config.php File

The wp-config.php file contains WordPress core settings and MySQL database details, thus making it the most important file in your site. For the same reason, the wp-config.php file is also a hacker’s primary target.

You can easily protect this file and keep WordPress secure by implementing these .htaccess rules:

<files wp-config.php>
order allow,deny
deny from all

12. Changing the Default WordPress Database Prefix

The database holds and stores all crucial information required for your site to function. Due to this reason, hackers often target it with SQL injection attacks.

SQL injections comprise 80% of cyber-attacks executed on WordPress websites, making it one of the biggest threats. One of the reasons why hackers consider this type of cyberattack is because many users forget to change the default database prefix wp_.

In this step, we will briefly overview how to protect your WordPress site against such attacks.

Changing Table Prefix

IMPORTANT: Make sure to backup your secure MySQL database before proceeding.

  1. From your hPanel dashboard, navigate to the File Manager section and open the wp-config.php file. You can also use an FTP client for this.
  2. Look for the $table_prefix value within the following code, then replace the default database prefix wp_ with the new one as shown in the example. You can use any combination of letters and numbers to create a unique prefix for your website.
 * WordPress Database Table prefix.
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
$table_prefix = 'wp_1secure1_';
  1. Moving back to the hPanel dashboard, access the phpMyAdmin section. Then, open your WordPress database by clicking Enter phpMyAdmin.Accessing phpMyAdmin from Hostinger's hPanel.
  2. If you have multiple databases, you can find the database’s name in the wp-config.php file. Look for the following block of code:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'MySQL Database' );

/** MySQL database username */
define( 'DB_USER', 'MySQL Username' );
  1. From the phpMyAdmin dashboard, navigate to the SQL tab at the top menu bar.
  2. Enter the following query in the SQL query editor to change your database prefix:
RENAME table `wp_tablename` TO `wp_1secure1_tablename`;
  1. Be sure to change `wp_tablename` with your current table name, and `wp_1secure1_tablename` with the new prefix and table name. Repeat this line of code based on the number of the tables you want to rename, then select Go.Using the the SQL query editor to rename the wp_ prefix.

Changing Value Prefix Manually

Depending on the number of plugins you’ve installed on the site, you might need to update some values in the database manually. You can do it by running separate SQL queries on tables that are likely to have values with the wp_ prefix – these include Options and Usermeta tables, for example.

Instead of going through all your tables one by one, you can use the code below to filter all values that contain the following prefix:

SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE '%wp_%'

`wp_1secure1_tablename` contains the table name in which you want to perform the query. Meanwhile, field_name represents the name of the field/column where values with wp_ prefix most likely appear.

Here’s how to manually change the prefix value:

  1. From the phpMyAdmin dashboard, navigate to the SQL tab at the top menu bar.
  2. Enter the piece of code from before in the SQL query editor to filter the values that contain wp_, then click Go. Be sure to modify the information according to your real table and field names.Filtering all values that contain wp_ prefix.
  3. When you’ll get the results, update all values from wp_ to your newly configured prefix by clicking the Edit button next to the targeted field. Change the prefix value, then click Go. Do this to all of the filtered values.
  4. Repeat these steps for the rest of the tables within the database.

Securing New WordPress Installation

If you are planning on installing a fresh site and want to keep your WordPress database safe, you don’t have to perform the beforementioned steps.

WordPress automatically requires you to decide what table prefix you want to use during the database setup process. Refer to this tutorial for more information on how to set up a WordPress database.

13. Limiting Login Attempts

WordPress allows its users to make an unlimited number of attempts a single user can make trying to log in, which means people can try as many times as they want to try to log into a site. However, this is a perfect opportunity for hackers to brute force their way in using various password combinations until they find the right one.

That’s why placing a limit on the number of WordPress failed attempts is necessary to prevent brute force attacks. Thereby, anyone who exceeds the number of allowed attempts will be temporarily or permanently locked out.

Limiting failed attempts can also help you monitor any suspicious activities happening on your website. Most people only need a single try or a few failed attempts, so you should be suspicious of any questionable IP addresses.

One way to limit login attempts in order to increase WordPress security is by using a third-party plugin. There are many great options available. Here are some of our recommendations:

  • Limit Login Attempts Reloaded – lets you customize the number of failed attempts for specific IP addresses, add users to the whitelist or block them entirely, and inform a user about the remaining lockout time.
  • Loginizer – one of the best login protection plugins out there that offers plenty of helpful features, such as two-factor authentication, reCAPTCHA, and login challenge questions.
  • Limit Attempts by BestWebSoft – can automatically block and add an IP address to the blacklist that goes over the failed attempt limit. You can also hide login, register, lost password forms for blacklisted IP addresses.

If you’re suddenly getting locked out of your WordPress account, we have an article that can help you to fix the issue.

14. Disabling XML-RPC

XML-RPC is a WordPress feature that helps users to access and publish content via mobile devices, enable trackbacks and pingbacks, and use the JetPack plugin on their site. Though this file comes by default, it’s best to disable it if you’re not using its functions.

Some security concerns arise when you enable XML-RPC since this element has weaknesses that hackers can easily exploit.

The XML-RPC function is created to publish content in large, making it possible for attackers to make hundreds of login attempts without being detected by security software.

What’s more, hackers can take advantage of the XML-RPC pingback function to implement DDoS attacks. This feature allows attackers to send pingbacks to thousands of websites at once, which can crash the targeted sites.

To know whether XML-RPC is enabled, run your site through the XML-RPC validation service and see whether you receive either an error or a success message. If you get the latter, it means the XML-RPC function is running on your website.

You can use any of these two methods to improve WordPress security – either use a plugin or do it manually – to disable the XML-RPC function.

Disabling XML-RPC Using a Plugin

Should you want a faster and simpler way to block the XML-RPC feature, we recommend installing a plugin called Disable XML-RPC Pingback.

This plugin will automatically turn off some of the XML-RPC functionalities that don’t allow hackers to perform targeted attacks towards this security flaw.

Disabling XML-RPC Manually

Another way to stop all incoming XML-RPC requests before it gets passed onto WordPress is by doing it manually.

To use this method, you need to locate the .htaccess file in your root directory. If you find difficulties locating the file, you can check our guide to identify or possibly create a new .htaccess file.

From here, copy and paste the following example inside your .htaccess file to disable XML-RPC:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
 deny from all
 allow from

If you want to allow XML-RPC to access a particular IP, replace with the IP address or delete this line altogether.

15. Automatically Logging Idle Users Out

Many users tend to forget to log out and leave their session running, allowing the next person who uses the device to access their account and potentially exploit their confidential information. This is especially true if you’re using a computer on Internet cafés or public libraries.

Thus, it’s crucial to configure your website to log off inactive users automatically. By doing so, an idle user will be kicked out from their account after some time.

Most bank and financial institution websites use this technique to prevent hackers from hijacking their sites, ensuring that their clients’ data is safe.

Using a WordPress security plugin is one of the easiest ways to automatically log an idle user out.

Inactive Logout is one such solution. Aside from terminating unattended idle users, this plugin can also send a custom message to alert an idle user that their session will be ended soon.

Furthermore, the beforementioned BulletProof Security can also log out an idle user in addition to other security features.

16. Hiding Your WordPress Version

It’s easier for hackers to break into your site when they know which version of WordPress you’re running. Using this information, they can use the vulnerabilities of that version to attack your site, especially if it’s been a while since you last updated your site to the latest version.

To hide the WordPress version from all areas of your site, do the following steps:

  1. From your WordPress dashboard, navigate to Appearance -> Theme Editor. Choose your current theme and select functions.php file.
    Editing the functions.php file in WordPress.
  2. In order to remove the version number from the header and RSS feeds, paste the following code to the functions.php file:
function dartcreations_remove_version() {

return '';

} add_filter('the_generator', 'dartcreations_remove_version');

You can also add this line to remove WordPress generator meta tag:

remove_action('wp_head', 'wp_generator');
  1. Click Update File to save your changes.

Keep in mind that hiding your version doesn’t prevent your site from being vulnerable and doesn’t improve WordPress security by itself. Therefore it’s still necessary to keep track when was your website last updated.

17. Blocking Hotlinking

Hotlinking is a term used when someone uses your image’s URL to display the picture on their own site. It’s a bad practice because every time people visit a website with hotlinks that lead to your content, it uses up your bandwidth.

As a result, your site will be slow down, potentially running out of bandwidth. Aside from additional costs, hotlinking is also illegal if the content theft links to licensed images that you’ve acquired.

To see if your content is hotlinked somewhere on the web, you can type in the following in Google Images.

Make sure to replace the with your own domain name. Doing so will help you find some websites that have hotlinked your images.

Should you want to prevent hotlinking, here are a few ways to do that:

Using an FTP Client

This method is one of the most effective ways to disable hotlinking. All you need to do is connect to your website via an FTP client and paste in the code snippet to your .htaccess file.

First of all, ensure that you have an FTP client set and ready before we continue. We recommend using FileZilla for this job.

Once you’re connected to your site, look for the .htaccess file and add this code:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]

This code will block hotlinking from all sites, so it’s crucial to add your own domains, popular search engines, and social media networks to allow them to them crawl your image.

IMPORTANT: Remember to add the file formats you want to block. This is listed in the last line of the given code.

Using WordPress Security Plugins

If you prefer to install a plugin instead, we recommend trying All in One WP Security & Firewall.

All In One WP Security & Firewall plugin.

After installing and activating the plugin, from your WordPress dashboard, go to WP Security -> Firewall -> Prevent Hotlinks. Check Prevent Image Hotlinking and click Save Settings to finish the process.

Using a Content Delivery Network

A CDN uses a group of servers to provide fast content delivery, managing traffic by handling user requests much faster. Utilizing CDN servers can improve security, reduce bandwidth, and increase speed.

That being said, the method to disable hotlinking might be different for each CDN provider. For instance, Cloudflare has a built-in dashboard setting called Hotlink Protection, which you can easily enable under the ScrapeShield tab within its dashboard.

If you want to setup Cloudflare CDN on your WordPress site, feel free to check this article.

Accessing Control Panel Settings

To prevent hotlinking from your cPanel, you have to log in to your hosting account and go to the Security section. Choose the Hotlink Protection option, set the necessary configurations, and click Submit.

If you’re using Hostinger, this guide can help you to activate Hotlink Protection in the hPanel.

18. Managing Directory Permissions

Determining which users can read, write, or execute your site’s files or folders helps prevent hackers to gain access to your admin account and server.

You can use any of these two options to manage your files and folders permissions:

  • Using your web host’s File Manager. Find the file or folder which permissions you want to change, right-click on it, and choose Change Permissions option. A pop-up box will appear where you can enter the desired file permission number for the appropriate users and groups.
  • Utilizing an FTP client. Similar to the previous method, you need to navigate to the file or folder, right-click on it, and look for either CHMOD or Permissions option.

Why Do You Need to Secure WordPress?

Powering more than 35% of all websites on the Internet, WordPress is the most popular CMS to date. Unfortunately, its popularity also attracts hackers who seek to exploit the platform’s vulnerabilities. Sucuri confirmed this claim with a study resulting in 94% of 60,299 studied websites in 2019 that experienced WordPress security breaches use WordPress.

Hacking occurs when someone manages to exploit vulnerabilities in the WordPress core or vulnerable plugins and themes. Based on WPScan Vulnerability Database statistics, we gathered some of the most common types of WordPress security vulnerabilities:

  • Cross-site request forgery (CSRF) — forces the user to execute unwanted actions in a trusted web application.
  • Distributed Denial-of-Service (DDoS) attack — incapacitates online services by flooding it with unwanted connections, thus rendering a site inaccessible.
  • Authentication bypass — allows hackers to gain access to your website’s resources without needing to verify their authenticity.
  • SQL injection (SQLi) — forces the system to execute malicious SQL queries and manipulates data within the database.
  • Cross-site scripting (XSS) — injects malicious code that turns the site into a transporter of malware.
  • Local file inclusion (LFI) — forces the site into processing malicious files placed on the server.

The consequences of getting hacked are far from pleasant. A website that has been breached, first and foremost, may experience significant data, assets, and credibility loss. Furthermore, if your website manages customer information, the incident can jeopardize your customers’ personal data and billing information.

Before you scramble to find another CMS, we have good news for you, these facts by no means indicate that WordPress has a terrible security system. On the contrary, most web WordPress security breaches happen due to the user’s lack of security awareness.


There are plenty of cyber threats that are lurking on the Internet. As a result, all webmasters must ensure that their sites are protected as much as possible. Since the CMS a common target for hackers due to its popularity, everyone should take extra steps to ensure the security of your WordPress website.

Here’s how to ensure security for a WordPress site with 18 impactful safety practices:

  1. Keep your site up to date
  2. Use unique admin login credentials
  3. Enable two-factor authentication
  4. Disable PHP error reporting
  5. Avoid the use of nulled WordPress themes
  6. Check your website for malware
  7. Migrate to a more secure web host
  8. Back up your website files frequently
  9. Turn off the File Editing feature
  10. Remove unused themes and plugins
  11. Use .htaccess to disable PHP execution and protect the wp-config.php file
  12. Change the default WordPress database prefix
  13. Limit the number of failed login attempts
  14. Disable the XML-RPC feature
  15. Automatically logging idle users out
  16. Hide your WordPress version from your website
  17. Block others from hotlinking your content
  18. Manage directory permissions

What do you think is the best way to secure WordPress? Let us know in the comments section below!

The author

Edvinas B.

Edvinas is a professional mentor and trainer of customer support agents. When he's not teaching new guys the secrets of providing an exceptional service, he likes to travel the world and play basketball.