For every website owner, website security is a matter of great importance. Every day, thousands of websites get hacked or infected by malware and are then penalized or blacklisted by Google. When it comes to WordPress security, the WordPress core itself is very secure, and the core team works very hard to keep it that way by providing regular updates.
But as a website owner, you can do a lot of things to make your website more secure. So, in this article, I’ll show you some simple steps you can take to improve WordPress security even if you are just a beginner.
Why is security so important?
An unsecured website is an easy target for hackers to steal important information like personal details, credit card details, passwords, etc. This can badly affect your reputation and business, and eventually get you blacklisted with a Google penalty, wasting all the effort you put into reaching the top of the search rankings.
Securing a website is simpler than recovering a compromised one: finding the right person for the job is tough and expensive. As they say, “Better be secure than sorry”!
Now let’s take a look at the steps you can take.
To make it easy, I have created a table of contents to help you navigate.
- Keep your WordPress updated
- Always use a strong password
- Importance of a Good web hosting
- Regularly backup your WordPress site
- Use reliable WordPress security plugin
- Don’t use “admin” as username
- Disable dashboard file editing
- Limit login attempts
- Two steps to harden your database security
- Password protect your admin login
- Add a security question
- Disable directory indexing and browsing
- Choose themes wisely
- Use reliable plugins only
- Regularly update your theme and plugins
- Use role and privileges properly
- Use SSL certificate for Encrypted Connections
Disclosure: Some of the links here are referral/affiliate links that means if you decide to buy through those links I’ll earn a commission at no extra cost to you. This is how I keep Designtheway.com up and running.
1. Keep your WordPress updated
WordPress is the most popular CMS in the world; it powers almost 31% of the entire web. Being so popular, the framework is well known to everyone, and hackers are always on the lookout for a loophole. That’s why the WordPress team works so hard to keep the framework safe and secure by providing regular updates.
As a WordPress site owner, it’s your responsibility to keep your WordPress version updated. If you’re using a good hosting company like SiteGround, you can get an automatic WordPress update option as well.
2. Always use a strong password
Just as you would when registering on any site, use a strong password; the same rule applies to your own WordPress site. Always use a strong password, even though you might be tempted to use a simpler, easier-to-remember password for daily use. Doing that gives unauthorized people an easy way in.
To create a strong password, you can follow the character-combination rules given on any banking website as a guide, or you can use WordPress’s auto-generated passwords. To make remembering passwords easier, you can use a password manager like LastPass.
3. Importance of a Good web hosting
Web hosting plays a vital role in a website’s security: if the hosting company doesn’t have a good security infrastructure for its own servers, your website can easily be infected.
Good web hosting companies like SiteGround take extra care of their servers to protect them from hackers.
If you want an even more secure hosting option, you can go for managed hosting; it’s more secure than shared hosting but much costlier as well. Managed WordPress hosting providers apply a higher level of security configuration to your website, with automatic backup and update features.
WPEngine is an industry leader in the managed hosting space, and we always recommend it to our clients and readers.
4. Regularly backup your WordPress site
Backups are your best friends in a crisis, so you must back up your site on a regular basis. If something goes wrong with your site, you can always use the backup to restore it quickly.
So even if your hosting provider keeps backups for you, it’s your job to download that backup to your local drive or to a third-party storage location.
Here is a complete guide on how to backup and restore your WordPress site.
As a rule of thumb, if you update your website regularly you should back it up weekly, and if you update daily then back up daily.
But if you are too busy to do that, you can check our care plans, where we provide daily backups along with other extras.
5. Use reliable WordPress security plugin
No matter how many security steps you have followed, it’s always good practice to have a security plugin, especially a web application firewall. An active firewall continuously protects your site from malicious attacks.
When it comes to security plugins, we always recommend Sucuri; they are the industry leaders, and they also guarantee malware clean-up and blacklist removal. So if your website gets affected, you are in safe hands with Sucuri’s professional service.
6. Don’t use “admin” as username
Are you using “admin” as your username? Well, you should never do that. It’s absolutely fine to use it on your localhost for the sake of remembering it, but never on a live site.
It makes it a lot easier for hackers to guess the username for brute-force attacks. Changing it is a very simple step that can reduce the risk a lot, or at least make it harder for hackers to guess the username.
If you have already set “admin” as your username, you can simply create a new user from the dashboard and delete the old one. To do that, click on
Users > Add New
Click the Add New User button after filling in the details. Now that you have your new username, it’s time to delete the existing user called “admin”. To do that, you need to log in with the new username first and then go to
Hover over the user and click the Delete button.
Now you will have the option to delete all the content belonging to that user or to assign it to another user; in this case, assign the content to the newly created user.
With that, you have successfully changed your username.
Alternatively, you can use a plugin called Username Changer. Once it is installed and activated, go to
User > Your Profile
There you will have the option to change the username directly: click on “Change Username”, and once you have changed it click on “Save Username”.
7. Disable dashboard file editing
By default, WordPress allows you to edit theme and plugin files from the dashboard itself. This is made for the convenience of users, but it can be a security threat if the dashboard gets into the wrong hands. So it’s always safer to disable the editing option in the dashboard.
To disable editing from the dashboard, simply add this code to your wp-config.php file:
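As an added example (this is not the article’s own snippet), here is the wp-config.php setting in question, followed by a stricter related setting that goes beyond the article. Both constant names are WordPress’s own:

```php
// Added example, not the article's own code: the wp-config.php setting that turns off
// the dashboard file editor. Place it above the "That's all, stop editing!" comment
// near the end of wp-config.php.

// Removes the Theme Editor and Plugin Editor screens from the dashboard, so anyone who
// gets hold of an administrator account cannot write PHP into your theme or plugins
// from the browser. Files can still be edited over FTP/SFTP or cPanel.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter setting that goes beyond the article: also blocks installing, updating and
// deleting themes and plugins from the dashboard, and turns off automatic updates.
// Only enable it if you apply updates another way (for example your host's tooling
// or WP-CLI), since it would otherwise work against step 1 and step 15.
// define( 'DISALLOW_FILE_MODS', true );
```

To verify, reload the dashboard after saving the file: the Theme Editor and Plugin Editor entries should no longer appear in the menu, and opening their URLs directly should give a message that the editor is disabled.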
If you are using Sucuri, you can do this from its dashboard as well. This code disables the editing option in the dashboard only; you can still edit the files via FTP or cPanel.
8. Limit login attempts
By default, WordPress allows unlimited login attempts, but this is an open invitation for brute-force attacks and can eat up your valuable server bandwidth.
However, you can easily limit login attempts and block the user for a certain period of time. If you are using a security plugin like Sucuri or Wordfence, it will do this for you automatically; if you are not using any security plugin, you can use the Login LockDown plugin.
It’s a very simple plugin; after activation, go to
Settings > Login LockDown
Adjust the settings according to your requirements and save them. That’s it.
9. Two steps to harden your database security
You can follow a simple two-step process to harden your database security. First, while installing a new WordPress site, set a unique name for your database. Don’t use the same name as your site name; it’s very easy to guess, and hackers can take advantage of it.
If you have an existing site, check this tutorial on how to change the database name on existing sites.
Second, by default WordPress gives all table names the prefix wp_; you should change this to a unique one as well. Something like ds59_ is much harder to guess than wp_, you get the point. For existing sites, you can check this guide.
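Both settings live in wp-config.php. The following is an added example (not from the article or the guides it links to); the database name and prefix shown are made-up values, so pick your own:

```php
// Added example, not the article's own code. These are the two wp-config.php settings
// that the article's two steps refer to. 'myshop_prod_k3' and 'ds59_' are made-up
// values; choose your own.

// Step 1: database name. Before (guessable, same as the site name):
//   define( 'DB_NAME', 'myshop' );
// After: a name that does not mirror the domain or brand.
define( 'DB_NAME', 'myshop_prod_k3' );

// Step 2: table prefix. WordPress puts this in front of every table it creates
// (ds59_posts, ds59_users, ds59_options, ...). Before:
//   $table_prefix = 'wp_';
// After: letters, numbers and underscores only, ending with an underscore.
$table_prefix = 'ds59_';
```

On an existing site, changing $table_prefix on its own locks you out of the dashboard, because the prefix is also baked into a few row keys: the wp_user_roles option and each user’s wp_capabilities and wp_user_level meta keys have to be renamed along with the tables, which is what the guide linked above walks through. Likewise, DB_NAME only points WordPress at the database; the database itself has to be renamed or copied on the server. Take a backup (step 4) before touching either setting.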
10. Password protect your admin login
Generally, anyone can reach the WordPress dashboard login page through the wp-admin folder, and this allows hackers to run DDoS attacks on that folder easily. However, you can add an extra layer of security to that folder by adding server-side password protection.
Check out this detailed tutorial from WPBeginner for step-by-step instructions.
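One way to set up that server-side password protection on Apache, as an added example that is not the article’s or the linked tutorial’s own instructions. It assumes Apache with .htaccess files enabled (the usual shared-hosting setup) and uses a placeholder path for the password file:

```apache
# Added example, not from the article or the WPBeginner tutorial it links to.
# This goes in /wp-admin/.htaccess. The .htpasswd path is a placeholder; keep the
# file outside the web root and create it with the htpasswd tool that ships with Apache:
#   htpasswd -c /path/outside/webroot/.htpasswd yourname
AuthType Basic
AuthName "Restricted area"
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user

# Caveat: plugins call /wp-admin/admin-ajax.php from the public front end, and the
# password prompt above would break those features for ordinary visitors, so that one
# file is exempted. (Order/Allow/Satisfy need mod_access_compat on Apache 2.4; most
# shared hosts load it.)
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Only use this over HTTPS (step 17), since basic authentication sends the password in an easily decoded form with every request. To test it, open /wp-admin/ in a private browser window: the browser’s own password prompt should appear before the WordPress login page does, and a front-end feature that relies on admin-ajax.php (a plugin’s contact form, for example) should still work.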
11. Add a security question
You can add an extra layer of security to your WordPress admin login by adding a security question; this makes it even harder for unauthorized users to access your dashboard. You can use the WP Security Question plugin to get this feature.
12. Disable directory indexing and browsing
If you allow users to access your directory listings, they can view your file and folder structure and access images directly. Worse, this lets hackers check your site for any vulnerable files and take advantage of them.
So you should keep directory indexing inaccessible to unauthorized users. To do this, open the .htaccess file via FTP or cPanel and add the following code:
Make sure to save and upload the file again to the server.
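The directive in question, as an added example (not the article’s own snippet). It applies to Apache hosting, where .htaccess files are honoured; on nginx hosting .htaccess is ignored and the equivalent is the autoindex off setting in the server configuration:

```apache
# Added example, not the article's own code. Add this to the .htaccess file in the
# site root (the folder that holds wp-config.php).

# Weak setting: with listings enabled, a folder that has no index file, such as
# /wp-content/uploads/2019/05/, shows every file it contains.
#   Options +Indexes

# Corrected setting: Apache answers 403 Forbidden instead of generating a listing.
Options -Indexes
```

To check it, request a folder with no index file, for example /wp-content/uploads/, in your browser: you should get a 403 Forbidden page instead of a list of files.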
13. Choose themes wisely
Always choose and use trusted themes only. If you are using a free theme, make sure you download it from the WordPress library, and check the user ratings and reviews before using it.
Every theme is checked properly before it’s uploaded to the WordPress library, but premium themes are generally more secure and built for better performance. I personally recommend the Divi theme; apart from that, you can buy themes from marketplaces like ThemeForest as well.
14. Use reliable plugins only
Most new WordPress users just go about downloading any plugin they find in the library. Even though all the plugins in the WordPress library are checked before they are uploaded, not all of them are properly maintained by their authors to keep up security standards.
Those plugins can lead to security issues for your site, so only download the plugins your website really needs.
A few rules of thumb for downloading plugins:
- Always check the plugin’s reviews and last-update date before downloading it from the WordPress library.
- Never download any plugin from untrusted websites; that can lead to a serious security issue.
- Always purchase premium plugins from trusted sites and marketplaces like CodeCanyon.
15. Regularly update your theme and plugins
Much like WordPress itself, well-maintained themes and plugins release updates from time to time to maintain the security and compatibility level with WordPress updates. These updates can be related to new features, bug fixes or security patches.
If you don’t update these plugins and themes, they can become a security concern for your website, so always keep your themes and plugins updated.
16. Use role and privileges properly
If you are running a multi-author WordPress site, you need to understand user roles and privileges properly. You should never give administrator access to anyone you can’t trust 100%. You can read this detailed guide on roles and capabilities to understand who can do what.
For example, if you want to allow someone to add posts as a guest author on your site, simply give them the Author role, where the person can only add or edit his/her own posts and nothing else. If you manage these roles properly and follow the guide, it can reduce a lot of security threats.
17. Use SSL certificate for Encrypted Connections
There is a general perception that people trust HTTPS sites more than HTTP sites when it comes to payment. That’s true, but it’s not the only reason you should use an SSL certificate; you should use it for security and reliability as well.
HTTPS (Hypertext Transfer Protocol Secure) allows a browser to connect securely with a website, so on a multi-author site, every time a user logs in the data is encrypted and it’s hard for someone to steal the information in transit.
Since January 2017, Google Chrome has started showing HTTP site connections as not secure, which can affect the reliability of your site. Many good hosting companies like SiteGround now allow you to use a free SSL certificate from Let’s Encrypt.
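Once the certificate is installed, WordPress still has to be told to use it, so that the login form is never served or submitted over plain HTTP. The following wp-config.php lines are an added example (not from the article); example.com stands in for your own domain, and the constants and the X-Forwarded-Proto check are WordPress’s own documented mechanisms:

```php
// Added example, not the article's own code. wp-config.php lines that make WordPress
// use the SSL certificate once your host has installed it. example.com is a placeholder.

// Serve the login page and the whole dashboard over HTTPS only, so a login form can
// never be submitted over plain HTTP (the interception case the article describes).
define( 'FORCE_SSL_ADMIN', true );

// Make WordPress generate https:// links for the site itself. These override the
// Settings > General address fields; alternatively change those two fields in the
// dashboard instead of defining the constants.
define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );

// Only needed when HTTPS terminates at a proxy or CDN in front of the server (your
// host will tell you): pass the original scheme on to WordPress, otherwise
// FORCE_SSL_ADMIN sees a plain-HTTP request and redirects in a loop.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

After saving, open http://example.com/wp-login.php in a browser: it should redirect to the https:// address, and the padlock should show without mixed-content warnings. If old posts still embed http:// image links, those need a search-and-replace in the database or a plugin that rewrites them; the certificate alone does not change stored content.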
Many WordPress users don’t give importance to WordPress security until their website is hacked or infected by malware, and then end up paying far more than these security measures would actually cost.
No one can give you a 100% security guarantee, but you should take some proactive measures to make your site as secure as possible. I hope these steps and tips help you make your website more secure.
At times, as a solopreneur, it gets difficult to look after every aspect of your business yourself. So if you ever feel you don’t have time to do all of this yourself, you can always join our care plans, where we look after not only your website’s security but also its performance, speed and overall maintenance at an affordable monthly rate.