How to Secure WordPress: 21 Ways to Protect Your Website

How to Secure WordPress: 21 Ways to Protect Your Website

WordPress is the most popular content management system (CMS), used for all kinds of sites, from personal blogs to eCommerce shops.

Unfortunately, its popularity also attracts cybercriminals to exploit the platform’s vulnerabilities. Sucuri confirmed this claim with a study. 94% of over 60,000 WordPress websites studied in 2019 experienced security breaches.

Before you rush to find another CMS, note that this doesn’t mean that WordPress has a terrible security system. Mostly, WordPress security breaches happen due to the users’ lack of security awareness.

This is why understanding and implementing multiple security measures is essential to keep your website safe from various attacks. To help you in this process, this article will list the best practices and tips to make your WordPress site secure.

Why Do You Need to Secure WordPress?

The consequences of getting hacked are far from pleasant. A breached website may experience significant data, assets, and credibility losses. Furthermore, if your website manages customer information, the incident can jeopardize their personal data and billing information.

It’s predicted that by 2025 the cost of cybercrime damages can reach up to $10.5 trillion per year. Surely you don’t want to be part of that statistic.

Based on WPScan Vulnerability Database, here are some of the most common types of WordPress security vulnerabilities:

  • Cross-site request forgery (CSRF) – forces the user to execute unwanted actions in a trusted web application.
  • Distributed denial-of-service (DDoS) attack – incapacitates online services by flooding them with unwanted connections, thus rendering a site inaccessible.
  • Authentication bypass – allows hackers to gain access to your website’s resources without verifying their authenticity.
  • SQL injection (SQLi) – forces the system to execute malicious SQL queries and manipulates data within the database.
  • Cross-site scripting (XSS) – injects malicious code that turns the site into a transporter of malware.
  • Local file inclusion (LFI) – forces the site into processing malicious files placed on the server.

How to Improve Security in WordPress

Improving WordPress security doesn’t always require advanced technical knowledge and high-risk investments. Simple steps that anyone can do, like updating WordPress software and removing unused themes, help strengthen a site’s security.

That said, implementing one or two WordPress security measures won’t be enough to make your WordPress website completely safe. So, let’s take a closer look at 21 tips that will help boost your WordPress security.

1. Keeping the Site Updated

WordPress releases regular software updates to improve performance and security. These updates protect your site from new online threats. Thus, updating your WordPress version is a simple yet important way to improve WordPress security.

A window showing displaying information about WordPress updates and version

However, more than 50% of WordPress sites are running on an older WordPress version. If your WordPress site uses an older version like 4.x, it is at a higher risk of security breaches.

To check whether you have the latest WordPress version, go to the Updates menu on your WordPress dashboard. If you find your site is using an older version, we recommend updating your WordPress version as soon as you can.

WordPress has a complete list of all the released and upcoming WordPress versions. Keep an eye on the future update release dates to make sure the site won’t run an outdated version of WordPress.

Next up, we advise updating the themes and plugins installed on your WordPress site. Outdated themes and plugins may conflict with the newly updated WordPress core software and cause unwanted errors. Moreover, outdated themes and plugins are prone to security threats as well.

Go to the Updates menu on your WordPress admin panel and find the list of themes and plugins ready for updates. You can update the themes and plugins all at once or separately.

WordPress update themes section

Expert Tip

Automatically updating a major version of WordPress can lead your website to crashes due to incompatibility with older plugins or themes. If you decide to have this option enabled, always make sure that your website is backed up periodically so that you can revert back to previous versions in case of crashes or errors.


Mantas Staniulis

Site Availability Engineer

2. Using Secure Admin Login Credentials

One of the most common mistakes users still make is using usernames like “admin,” “administrator,” and “test.” It is a small yet critical mistake as it puts your site at a higher risk of brute force attacks.

If you’re using a name that’s easy to guess, we recommend changing the username to one that’s unique and secure. Creating a new administrator account with a new username is also a great way to keep your site safe.

Here’s how to create a new WordPress administrator account:

Brute force attacks also target WordPress sites with weak passwords. Therefore, it’s crucial to use a unique and strong password.

  1. From your WordPress Dashboard, navigate to Users -> Add New.
  2. Create a new user and assign it the Administrator role. Add a password and hit the Add New User button once you’re done.
Add new user section in the WordPress dashboard
  1. Log in with the newly created WordPress user credentials.
  2. Head back to the Users section, then navigate to All Users. Select the old admin account that you want to delete. Change the Bulk Actions dropdown menu to Delete, and click Apply.
A window showing how to apply bulk delete action when deleting admin accounts in the WordPress dashboard

Try incorporating numbers, uppercase and lowercase letters, and special characters into your password. We also recommend using more than 12 characters as longer passwords are way harder to crack.

Expert Tip

One key thing to remember is that even though the complexity of a password is important, in cases of hacking, the password’s length will always outweigh the complexity.


Dominykas Vasinauskas

Cyber Security Specialist

If you need help to generate a strong password, there are online tools available for that, like LastPass and 1Password. Moreover, their password management services help you store strong passwords safely, so you don’t have to memorize them.

Password generator tool

If you’re running a business, be sure to use a dedicated business password manager designed for the highest password security standards.

Additionally, be aware of the network you use before logging in. If you’re unknowingly connected to a Hotspot Honeypot – a network operated by hackers – you risk leaking login credentials to the operators.

Even public networks such as a coffee shop or school library WiFi may not be as secure as they appear. Hackers can intercept your connection and steal unencrypted data, including login credentials.

For that reason, we recommend using a VPN when you connect to a public network. It provides a layer of encryption to the connection, making it harder to intercept data and protecting your online activities.

3. Enabling Two-Factor Authentication

Activate two-factor authentication to reinforce the login process on your WordPress website. This authentication method adds a second layer of WordPress security to the login page, as it requires you to input a unique code to complete the login process.

The code is available only to you via text message or a third-party authentication app.

To enable two-factor authentication, install a login security plugin like Wordfence Login Security. Additionally, you’ll need to install a third-party authentication app such as Google Authenticator on your mobile phone.

After installing the plugin and the authentication app, go to the plugin page on your WordPress admin. If you’re using Wordfence Login Security, navigate to Login Security, located on the left sidebar, and open the Two-Factor Authentication tab.

Use the app on your mobile phone to scan the QR code or enter the activation key. Then, you will have to enter the code generated on your mobile phone app to complete the setup.

Two factor authentication section in WordPress

4. Enable the Lockdown Feature

Enabling URL lockdown protects your login page from being accessed by unauthorized IP addresses and brute force attacks. To do that, you need a web application firewall (WAF) service such as Cloudflare or Sucuri.

Using Cloudflare, it’s possible to configure a zone lockdown rule. It specifies the URLs that you want to lockdown and the IP range allowed to access these URLs. Anyone outside the specified IP range won’t be able to access them.

Sucuri has a similar feature called URL path blacklist. Essentially, you add the login page URL to the blacklist so that no one can access it. Then, you whitelist authorized IP addresses to access the login page.

Expert Tip

Note that a blacklist can never be comprehensive since new threats are constantly emerging. And while blacklisting is effective against known threats, it’s useless against new, unknown threats.

Hackers can design malware specifically to evade detection by tools that use a blacklist system.

While whitelisting offers stronger security, it can also be more complex to implement.

In addition, it’s difficult to delegate creating a whitelist to a third party because they will need information on all the applications you use. Because it requires information specific to each organization, it requires more input from users.


Mantas Staniulis

Site Availability Engineer

5. Disabling PHP Error Reporting

The PHP error reporting feature is great for monitoring the site’s PHP scripts. However, displaying your website’s vulnerabilities to visitors is a serious security flaw.

Expert Tip

When PHP error reporting is enabled, it will display the full information about your website’s paths and file structure. It will also display the plugin name on which the error message appeared.

The more information displayed about your website’s backend, the more vulnerabilities it leaves open. For example if it displays a specific plugin, people with bad intentions could use that plugin’s vulnerabilities.


Mantas Staniulis

Site Availability Engineer

There are two ways to disable PHP error reporting – via the PHP file or your hosting account’s control panel.

Modifying the PHP File

The first method requires adding the following code snippet to the site’s wp-config.php file:

@ini_set(‘display_errors’, 0);

To open the file and make the changes, use either an FTP client such as FileZilla or your hosting provider’s File Manager. Also, make sure to add the snippet before any other PHP directive.

Changing PHP Settings Using the Control Panel

Use the hosting provider’s control panel if you don’t want to deal with coding. Here’s how to disable PHP error reporting from the hPanel:

  1. From your hPanel dashboard, navigate to the Advanced section. Then, click PHP Configuration.
  2. On the PHP Options tab, uncheck the display_errors option and Save.
PHP configuration in hPanel.

6. Using Trusted WordPress Themes

Nulled WordPress themes are unauthorized versions of the original premium themes. In most cases, these themes are sold at a lower price to attract users. However, they usually have a ton of security flaws.

Often, nulled theme providers are usually hackers who hacked the original premium theme and inserted malicious code, including malware and spam links. Moreover, these themes can be backdoors to other exploits that can endanger your WordPress site.

Since nulled themes are distributed illegally, their users don’t receive any support from the developers. This means that if they cause any issues to the site, you’ll have to figure out how to fix them and secure your WordPress site by yourself.

To avoid that, we recommend picking a WordPress theme from its official repository or trusted developers. Look for options in official theme marketplaces such as ThemeForest if you want to buy a premium theme.

WordPress theme directory

Expert Tip

It’s good practice to scan your website’s theme and plugin’s security. Check your WordPress databases vulnerabilities with tools like Patchstack.


Mantas Staniulis

Site Availability Engineer

7. Checking for Malware

Being cautious about plugins or themes that you install on your site doesn’t guarantee that they won’t carry any malware. Viruses, spyware, and ransomware are among the common types of malware you may encounter and can be incredibly harmful. That’s why it’s crucial to scan your site regularly.

Fortunately, there are plenty of great plugins that help to scan malware and improve website security.

Here are some recommendations of WordPress security plugins to install on your site:

Wordfence plugin homepage
  • Wordfence – a popular WordPress security plugin with real-time malware signature updates and alert notifications that inform if another site has blacklisted yours for suspicious activity.
  • BulletProof Security – helps secure your WordPress website with an idle session logout feature that prevents other people from hijacking an unattended device, hidden plugin folders that aren’t visible in the WordPress plugins section, and database backup and restoration tools.
  • Sucuri Security — one of the best WordPress security plugins on the market, offering various SSL certificates, remote malware scanning, and post-hack security action features.

Expert Tip

If your WordPress website is infected with malware, first figure out the severity of infection, then follow these key points:
1. Be sure to always have your wp-admin area accessible, perform a scan, and get rid of the malware.
2. Then, make sure that your plugins, themes, and WordPress core are up to date.
3. Next, check your vulnerabilities database to see if your plugins or themes are listed there as a risk.
4. Finally, take other security measures like using a custom prefix for your database.


Mantas Staniulis

Site Availability Engineer

8. Migrating to a More Secure Web Host

Your web host has a significant role in keeping your site secure. 41% of WordPress websites were hacked due to security loopholes in their hosting accounts.

In other words, your website security won’t matter much if the host’s server is prone to cyberattacks.

If you think your current web hosting company is not secure enough, it’s time to migrate your WordPress website to a new hosting platform. Here’s what you need to consider when searching for a secure web host:

  • Type of web hosting – shared and WordPress hosting tend to be more vulnerable to cyberattacks than other types of hosting due to resource sharing. Migrate to VPS or dedicated hosting to isolate your resources.
  • Security – a good hosting provider monitors its network for suspicious activity and periodically updates its server software and hardware. They also need to have server security and protection against all types of cyberattacks.
  • Features regardless of the type of hosting, having automatic backups and security tools for preventing malware is a must-have feature to safeguard your WordPress site. In the worst-case scenario, use it to restore a compromised website.
  • Support – choosing a hosting company that has a 24/7 support team with excellent technical knowledge is essential. They help you protect your data and tackle any technical and safety problems that may occur.

Hostinger’s WordPress hosting offers the essential resources and features needed to protect your WordPress website, such as a web application firewall. Hostinger also provides VPS hosting and cloud hosting if you prefer to keep resources isolated.

9. Install an SSL Certificate

Secure Sockets Layer (SSL) is a data transfer protocol that encrypts the data exchanged between the website and the users, making it that much more difficult for attackers to steal important information.

In addition, SSL certificates also boost the website’s search engine optimization (SEO), helping it gain visitors and increase website traffic.

Websites with an SSL certificate installed will use HTTPS instead of HTTP, so it’s easy to identify them.

A browser highlighting Google's URL

Hostinger includes a free Let’s Encrypt SSL certificate on all web hosting plans. Additionally, Hostinger also offers the option to upgrade to a Comodo PositiveSSL certificate.

Once you have an SSL certificate installed on your hosting account, you need to activate it on your WordPress website.

Plugins like Really Simple SSL or SSL Insecure Content Fixer handle the technical aspects and SSL activation in a few clicks. The premium version of Really Simple SSL also has an option to enable HTTP Strict Transport Security headers that enforce HTTPS use when accessing the site.

Once that’s done, the last step is changing your site’s URL from HTTP to HTTPS. To do so, navigate to Settings -> General and find the Site Address (URL) field to change its URL.

WordPress dashboard General Settings menu with Site Address (URL) option highlighted

10. Backing Up as Frequently as Possible

Creating WordPress backups regularly is equally important as arming your site with various WordPress security measures. This prevents you from losing all your work and essential information in the event of a security breach and makes it easy to restore your website if needed.

A few ways to create backups are downloading the website files and database, using the hosting provider’s backup tools, or installing a WordPress backup plugin.

To create a backup via the hPanel, access Files -> Backups. On the Generate new backup section, click Select.

Generate new backup option in the backups section in hPanel

Once you have a copy of your WordPress website files, download the files by clicking Select on the Files backup section and select the files you wish to download.

File backups option in the backups section in hPanel

If you have a WordPress backup plugin, easily create and download backup files from the WordPress admin panel. Every plugin has a different interface, but, in general, the feature is accessible from the plugin dashboard.

Here are our recommendations for WordPress backup plugins:

  • VaultPress – a Jetpack-powered plugin equipped with backup and restoration tools, site migration services, and automated file repair to restore malware-infected files.
  • UpdraftPlus – a beginner-friendly and multilingual WordPress backup plugin to back up selected files or the entire website. It also provides an option to send the backup files to your email address.
  • Backup Guard – a feature-packed WordPress security plugin that offers unlimited backups, cloud storage integration with Dropbox and Google Drive, backup logs, and email notifications.

11. Turning Off File Editing

WordPress has a built-in file editor that makes editing WordPress PHP files easy. Despite that, this feature can become a problem if hackers gain control of it.

For this reason, some WordPress users prefer to deactivate this feature completely. Add the following line of code to the wp-config.php file to disable it:

define( 'DISALLOW_FILE_EDIT', true );

If you want to re-enable this feature on your WordPress site, simply remove the previous code from the wp-config.php file using an FTP client or your hosting provider’s File Manager.

12. Removing Unused Plugins and Themes

Keeping unused plugins and themes on the site can be potentially harmful, especially if the plugins and themes haven’t been updated. Outdated plugins and themes can increase the risk of cyberattacks as hackers can use them to gain access to your site.

To delete an unused theme, open your WordPress admin dashboard and navigate to Appearance -> Themes. Click on the theme you want to delete, and a pop-up window will appear and show the theme details. Click the Delete button on the bottom-right corner.

A screenshot showing how to delete a WordPress theme

To delete an unused plugin, go to Plugins -> Installed Plugins. You should see the list of all installed plugins. Click the Delete button under the plugin’s name. Note that the delete button will only be available after the plugin is deactivated.

A screenshot showing how to delete installed plugins

Expert Tip

When deleting a popular plugin or theme from your WordPress dashboard, you might not have the option to use a custom uninstaller (where you can choose to completely remove all of the data regarding that plugin/theme). In this case, to completely remove an unused plugin/theme, you’ll need to do it manually via FTP and access your database and remove the plugin or theme entries by hand.


Mantas Staniulis

Site Availability Engineer

13. Using .htaccess for Better Security

The .htaccess file ensures that WordPress links work properly. Without this file declaring the correct rules, you will get a lot of 404 Not Found errors on your site. Additionally, the file can also help you secure your WordPress website even further.

For example, .htaccess allows you to block access from specific IPs or disable PHP execution on particular folders. The examples below show you how to use .htaccess to harden your WordPress security.

Before making any changes, we strongly advise you to backup the old .htaccess file. If anything goes wrong, you’ll be able to restore your site easily.

Restricting Access to the WordPress Administrator Area

The following code grants access to the administrator area only to specific IPs:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
allow from

Be sure to change to the desired IP address and add it inside of your /wp-admin folder. If you’re not sure what your IP address is, WhatIsMyIP can help identify it.

If you use more than one connection to manage the WordPress site, include all IPs by repeating the code as many times as necessary.

Disabling PHP Execution in Specific Folders

Hackers often upload backdoor scripts to the Uploads folder. By default, this folder only hosts uploaded media files, so it shouldn’t contain any PHP files.

To keep a safe WordPress site, disable PHP execution in the folder by creating a new .htaccess file in /wp-content/uploads/ with these rules:

<Files *.php>
deny from all

Protecting the wp-config.php File

The wp-config.php file in the root directory contains WordPress core settings and MySQL database details, thus making it the most important file on your site hence why the file is also a hacker’s primary target.

Protect this file and keep WordPress secure by implementing these .htaccess rules:

<files wp-config.php>
order allow,deny
deny from all

14. Changing the Default WordPress Database Prefix

The database holds and stores all crucial information required for your site to function. Due to this reason, hackers often target the database with SQL injection attacks. This technique injects malicious code into the database and can bypass WordPress security measures and retrieve the database content.

SQL injections comprise 80% of cyberattacks executed on WordPress websites, making it one of the biggest threats. What makes hackers execute this attack is that many users forget to change the default database prefix wp_.

Let’s take a look at two methods that can be implemented to protect your database from SQL injection attacks.

Changing Table Prefix

Before proceeding, make sure to back up your MySQL database.

  1. From your hPanel dashboard, navigate to the File Manager section and open the wp-config.php file. Alternatively, use an FTP client to access the file.
Wp-config.php file in the public_html folder as shown in hPanel
  1. Look for the $table_prefix value within the code, then replace the default database prefix wp_ with a new one, as shown in the example. Use a combination of letters and numbers to create a unique prefix for the website.
    * WordPress Database Table prefix.
    * You can have multiple installations in one database if you give each
    * a unique prefix. Only numbers, letters, and underscores please!
    $table_prefix = 'wp_1secure1_';
  1. Moving back to the hPanel dashboard, go to phpMyAdmin in the Databases section. Then, open the site’s database by clicking Enter phpMyAdmin.
Enter phpMyAdmin button on hPanel.
  1. If you have multiple databases, find the database’s name in the wp-config.php file. Look for the following block of code:
    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define( 'DB_NAME', 'MySQL Database' );
    /** MySQL database username */
    define( 'DB_USER', 'MySQL Username' );
  1. From the phpMyAdmin dashboard, navigate to the SQL tab at the top menu bar.
phpMyAdmin dashboard highlighting the SQL option in the menu bar
  1. Enter the following query in the SQL query editor to change your database prefix:
    RENAME table `wp_tablename` TO `wp_1secure1_tablename`;
  1. Remember to change wp_tablename with your current table name and wp_1secure1_tablename with the new prefix and table name. Repeat this line of code based on the number of the tables you want to rename, then select Go.
A screenshot showing how to edit wp_tablename in the SQL query editor

Changing the Prefix Manually

Depending on the number of plugins you’ve installed on your site, you may need to update some values in the database manually. Do this by running separate SQL queries on tables that are likely to have values with the wp_prefix – these include the Options and Usermeta tables.

Instead of going through all your tables one by one, use the code below to filter all values that contain the following prefix:

SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE '%wp_%'

wp_1secure1_tablename contains the table name in which you want to perform the query. Meanwhile, field_name represents the name of the field/column where values with wp_prefix most likely appear.

Here’s how to manually change the prefix value:

  1. From the phpMyAdmin dashboard, navigate to the SQL tab at the top menu bar.
  2. Enter the code from before in the SQL query editor to filter the values containing wp_, then click Go. Be sure to modify the information according to your actual table and field names.
A screenshot showing how to enter the wp_ values code in the SQL query editor
  1. When you get the results, update all values from wp_ to your newly configured prefix by clicking the Edit button next to the targeted field. Change the prefix value, then click Go. Do this to all filtered values.
A screenshot showing how to update the wp_ values
  1. Repeat these steps for the rest of the tables within the database.

Securing a New WordPress Installation

If you haven’t installed WordPress yet but want to keep its database safe when you do, there’s no need to perform the steps above. WordPress automatically requires you to decide what table prefix to use during the database setup process.

15. Limiting Login Attempts

WordPress allows its users to make an unlimited number of login attempts on the site. However, this is a perfect opportunity for hackers to brute force their way using various password combinations until they find the right one.

That’s why placing a limit on failed login attempts is important to prevent such attacks on the website. Limiting failed attempts can also help monitor any suspicious activities that happen on your site.

Most users only need a single try or a few failed attempts, so you should be suspicious of any questionable IP addresses that reach the attempt limit.

One way to limit the login attempts in order to increase WordPress security is by using a plugin. There are many great options available, including:

  • Limit Login Attempts Reloaded – configure the number of failed attempts for specific IP addresses, add users to the whitelist or block them entirely, and inform website users about the remaining lockout time.
  • Loginizer – it offers login security features such as two-factor authentication, reCAPTCHA, and login challenge questions.
  • Limit Attempts by BestWebSoft – automatically block IP addresses that go over the login attempt limit and add them to a deny list.

One of the risks of implementing this security measure is getting a legitimate user locked out of WordPress admin. However, you shouldn’t be worried about that, as there are plenty of ways to recover locked-out WordPress accounts.

Additionally, to take a step further to protect your website from brute force attacks, consider changing the login page’s URL.

All WordPress websites have the same default login URL – Using the default login URL makes it easy for hackers to target your login page.

Plugins like WPS Hide Login and Change wp-admin Login enable custom login URL settings. If you use the WPS Hide Login plugin, go to Settings -> WPS Hide Login on your WordPress dashboard and fill in the Login URL field with your custom login URL.

Filling in the login URL field in WPS Hide Login plugin

16. Disabling XML-RPC

XML-RPC is a WordPress feature that allows users to access and publish content via mobile devices, enable trackbacks and pingbacks, and use the Jetpack plugin on their WordPress website.

However, XML-RPC has some weaknesses that hackers can exploit. The feature lets them make multiple login attempts without being detected by the security software, making your site prone to brute force attacks.

Hackers can also take advantage of the XML-RPC pingback function to perform DDoS attacks. It allows attackers to send pingbacks to thousands of websites at once, which can crash the targeted sites.

To determine whether XML-RPC is enabled, run your site through the XML-RPC validation service and see whether you receive an error or a success message. If you get a success message, the XML-RPC function is running.

There are two methods to disable the XML-RPC function – using a plugin or manually disabling the function.

Disabling XML-RPC Using a Plugin

Using a plugin is the faster and simpler way to block the XML-RPC feature on your website. We recommend the Disable XML-RPC Pingback plugin to do this job. It will automatically turn off some of the XML-RPC functionalities, thus preventing hackers from performing attacks using this security flaw.

Disabling XML-RPC Manually

Another way to stop all incoming XML-RPC requests is by doing it manually. Locate the .htaccess file in your root directory and paste the following code snippet inside your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
 deny from all
 allow from

If you want to allow XML-RPC to access a particular IP, replace with the IP address or delete the code line altogether.

17. Automatically Logging Idle Users Out

Many users forget to log out of the website and leave their session running, allowing someone else who uses the same device to access their accounts and potentially exploit confidential data. This is especially true in public computers available in internet cafes or public libraries.

Therefore, it’s crucial to configure your WordPress website to log out inactive users automatically. Most financial institution sites use this technique to prevent hackers from hijacking their sites, ensuring that their client’s data is safe.

Using a WordPress security plugin is one of the easiest ways to log an idle user out automatically. Inactive Logout is one of them. Aside from terminating unattended idle users, this plugin can also send a custom message to alert an idle user that their session on the website will be ended soon.

18. Hiding the WordPress Version

Hackers can break into your site much easier when they know which version of WordPress you’re running. They can use the vulnerabilities of that version to attack your site, especially if it’s an older version of WordPress.

Luckily, it’s possible to hide the information from your site using the WordPress Theme Editor.

  1. From your WordPress dashboard, navigate to Appearance -> Theme Editor. Choose your current theme and select the functions.php file.
A screenshot showing how to edit theme in WordPress
  1. To remove the version number from the header and RSS feeds, paste the following code to the functions.php file:
    function dartcreations_remove_version() {
    return '';
    } add_filter('the_generator', 'dartcreations_remove_version');
    You can also add this line to remove WordPress generator meta tag:
    remove_action('wp_head', 'wp_generator');
  1. Click Update File to save your changes.

Keep in mind that hiding its version doesn’t improve WordPress security by itself. It just simply removes information that helps hackers attack your site easily. Therefore, it’s still necessary to implement other safety measures.

19. Blocking Hotlinking

Hotlinking is a term used when someone uses your image’s URL to display a picture on their site. It’s a bad practice because every time people visit a website with hotlinks to your content, it uses up your bandwidth.

As a result, your site will slow down, potentially reaching your bandwidth limit. Aside from additional costs, hotlinking is also illegal if it links to licensed images that you’ve acquired.

To see if your content was hotlinked, type the following query in Google Images, replacing with your domain name.:

Luckily, there are a few ways to prevent hotlinking. You can use an FTP client, a security plugin, a CDN, or edit the control panel’s settings.

Using an FTP Client

This method is one of the most effective ways to disable hotlinking. All you need to do is connect to your website via an FTP client and paste the following snippet to the .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]

This code will block hotlinking from all sites. However, you have to add your domains, social media networks, and popular search engines to allow them to crawl images on your website.

Remember to add the file formats you want to block on the last line of the given code.

Using a WordPress Security Plugin

If you prefer to install a plugin instead, we recommend the All in One WP Security & Firewall plugin.

All In One WP Security & Firewall plugin

Once you’ve installed and activated the plugin, go to WP Security -> Firewall -> Prevent Hotlinks. Check Prevent Image Hotlinking and click Save Settings to finish the process.

Prevent hotlinks section in the All In one WP Security & Firewall plugin

Using a Content Delivery Network (CDN)

A CDN uses a group of remote servers to provide fast content delivery. Setting up CDN servers on WordPress sites can improve security, reduce bandwidth, and increase speed.

The method for disabling hotlinking may be different for each CDN Provider. Cloudflare, for example, has a built-in dashboard setting called Hotlink Protection that can be easily activated under the ScrapeShield tab.

Accessing Control Panel Settings

Log in to your hPanel account. Find the Other section on your hPanel dashboard and choose Hotlink Protection.

Hotlink protection in the hPanel dashboard

On the hotlink protection settings page, choose the file extensions you want to block from direct access. Once you’ve configured the settings, click Save.

A screenshot showing how to configure hotlink protection in hPanel

If you’re using cPanel, log in to your hosting account and go to the Security section. Choose the Hotlink Protection option.

Security section in cPanel highlighting the hotlink protection menu

Make sure the hotlink protection is enabled by clicking the Enable button at the top. Then, configure the hotlink protection by entering URLs that are allowed to hotlink to your site and file extensions that you want to block from hotlinking.

Click Submit once you’re done.

Hotlink protection section in cPanel

20. Managing Directory Permissions

Prevent hackers from gaining access to your admin account by determining which users can read, write, or execute your site’s files or folders. Use one of the following options to manage file and folder permissions:

  • Using the web host’s File Manager – find the file or folder you want to change and right-click on it. Choose the Change permissions option, and a pop-up box will appear. Enter the desired file permission number for the appropriate users and group.
A screenshot showing how to change file permissions in hPanel
  • Use an FTP client – navigate to the file or folder, then right-click on it. Look for the CHMOD or the File Permissions option, then configure the file permissions settings.
A screenshot showing how to change file permissions through an FTP client

21. Monitor User Activity

Tracking activities in your admin area is an excellent way to identify any unwanted or malicious actions that put your website in danger. This method is recommended if you have multiple users or authors accessing your WordPress website.

That’s because users may change settings that they should not, like altering themes or configuring plugins. By monitoring their activities, you know who’s responsible for these unwanted changes and if an unauthorized person may have breached your WordPress website.

The easiest way to track user activity is by using a plugin such as:

  • WP Activity Log – monitor changes on multiple website areas, including posts, pages, themes, and plugins. This plugin also logs newly added files, deleted files, and modifications to any file.
  • Activity Log – it monitors various activities on your WordPress admin panel and lets you set rules for email notifications.
  • Simple History – in addition to recording activity log on WordPress admin, it supports multiple third-party plugins like Jetpack, WP Crontrol, and Beaver Builder, recording all activity related to them.


Cyberattacks may come in different forms, from malware injection to distributed denial-of-service (DDoS) attacks. WordPress websites, in particular, are common targets for hackers due to the CMS’s popularity.

Therefore, it’s essential that website owners know how to make their WordPress site secure. To recap, here are 21 methods to help make your WordPress website more secure:

  1. Keep your site up to date.
  2. Use secure admin login credentials.
  3. Enable two-factor authentication.
  4. Enable the lockdown feature.
  5. Disable the PHP error reporting feature.
  6. Use a trusted WordPress theme.
  7. Regularly scan your site for malware.
  8. Migrate to a more secure web host.
  9. Install an SSL certificate.
  10. Create backups frequently.
  11. Turn off the file editing feature.
  12. Remove unused themes and plugins.
  13. Use .htaccess to disable PHP execution and protect the wp-config.php file.
  14. Change the default WordPress database prefix.
  15. Limit the number of failed login attempts.
  16. Disable the XML-RPC feature.
  17. Automatically log out idle users.
  18. Hide the WordPress version used on your website.
  19. Block hotlinking from other websites.
  20. Manage directory permissions.
  21. Monitor user activity.

We hope this article helped you understand the importance of WordPress security measures and how to implement them.

Feel free to leave a comment if you have any questions or tips regarding WordPress security. Good luck!

How to Secure WordPress FAQ

Does WordPress Need a Firewall?

Setting up a firewall is necessary as it can help guard your WordPress site against hacking attempts or other forms of cyberattacks by blocking unwanted traffic. Since WordPress doesn’t come with a built-in firewall, you can set it up by downloading a plugin such as Sucuri.  

Is WordPress Easily Hacked?

WordPress is one of the most secure CMSs out there, but if you don’t invest in any protective measures, your website will be at risk of being hacked. Make sure to follow our guidelines to secure your WordPress site. 

Why Is My WordPress Not Secure?

If your browser states that WordPress is not secure, that means your site doesn’t have an SSL certificate or it isn’t configured correctly. Consider installing one or switching to HTTPS to fix the issue.

Is a Security Plugin Necessary for WordPress?

Yes, installing security plugins such as Jetpack and Wordfence can help protect your WordPress site in the long term. Remember to only install the necessary ones as having too many plugins can break your site. 

How Do I Secure My WordPress Site Without Plugins?

Implementing some of the basic WordPress security practices such as conducting regular maintenance and activating 2FA can be effective for your site. That said, installing WordPress security plugins will help protect your site against any risks and issues. 

The author

Leonardus N.

Leo is a Digital Content Writer at Hostinger. He loves to share his web hosting and WordPress knowledge to help people build a successful online presence. During his free time, he likes to play music and learn audio engineering.