WordPress Security: 14 Pro Tips To Secure A WordPress Website

By WP Saviour •  Updated: 03/04/21 •  14 min read

Seeking to enhance the safety of your WordPress web site?

Right here I’m sharing all the ideas and methods that I’ve discovered operating this award-winning WordPress weblog.

Simply to let you recognize,

In latest instances, WordPress has been extremely focused by hackers. Plenty of customers has requested, “Is WordPress safe?”

Sure, WordPress is safe.

Nonetheless, once we use numerous plugins, themes and a while it’s the internet hosting, which follows safety worst-practices and thus makes our WordPress web site weak to completely different form of assaults and hacks.

Reality: WordPress powers round 33% of the web sites on the earth, which not solely makes it the most well-liked CMS platform but in addition is extra susceptible to hacking.

As an finish consumer, there are some things you are able to do to safe WordPress weblog.

Additionally learn: Finest WordPress safety plugins (Opens in a brand new tab)

My website has been hacked practically 2 instances prior to now by some Arabian and Turkish hackers (at the least that’s what they declare). They infiltrated my website and left it with an unsightly black background that includes GIF pictures of skulls and ravens. That is what made me learn how I may harden WordPress safety.

Over the interval of 10 years, I’ve discovered many tips which I’m sharing with you right this moment so that you simply don’t should face the effort of shedding your WordPress web site within the arms of hackers.

As I discussed above, WordPress is safe by default however while you host it on an unsecured server or while you add new codes within the type of themes and plugins, you might be growing the chances of getting hacked.

As this assist web page on hardening WordPress provides

The vulnerabilities most affecting WordPress web site homeowners stem from the platform’s extensible elements, particularly plugins and themes. These are the #1 assault vector being exploited by cyber-criminals to hack and in any other case misuse WordPress websites.

These vulnerabilities are normally not launched deliberately, they’re a results of errors and oversights throughout improvement. Many plugin and theme builders are usually not extremely versed in safety, and so they’re susceptible to inadvertently write weak code. As vulnerabilities are found, builders normally handle them by releasing updates

Hackers normally hack a WordPress website for the non-public acquire, which is normally within the type of including backlinks to some spammy websites or redirecting a WordPress website to different web sites. Generally it’s accomplished so sophisticatedly that you wouldn’t even know you might be hacked or there’s a backdoor put in in your web site.

Nonetheless, the proprietor begins shedding the site visitors over time (web optimization penalty) and by the point they notice the actual problem, issues are manner out of their arms.  One other worse that might occur is getting blacklisted by a outstanding blacklist authority. This can value you a major quantity of money and time to get your web site out of blacklist.

In accordance with safety agency Sucuri,

of all of the CMS they cleaned in 2018,  WordPress tops the contaminated CMS with 90%.


That’s some scary numbers for any WordPress proprietor and for this reason it’s utmost essential so that you can roll your sleeve and observe these finest practices to reinforce WordPress safety.

14 Confirmed Suggestions To Safe WordPress Weblog

1. Configure WordPress Backups

Though I’ve given a whole lot of confirmed ideas beneath to safe your WordPress weblog, it’s good to be sure that if one thing occurs, you gained’t lose something.

Not having a correct WordPress backup resolution in place is the largest mistake you can also make. When a giant website like Sony or Dropbox may be hacked, your WordPress weblog will probably be comparatively simple to be cracked by a hacker.

So the very first thing is to make sure you’re taking a each day backup of your weblog.

You need to use the backup system supplied by your internet hosting firm or use a third get together backup system reminiscent of VaultPress or Updraftplus. Yow will discover a listing of WordPress backup plugins right here.

In case your internet hosting firm provides backups, guarantee they retailer the backup on a special server.

2. Use A Dependable & Safe Internet hosting Firm


Your WordPress set up is simply software program put in on a server. The muse of a safe web site is a server which has sufficient protections that guarantee your web site is safeguarded towards hackers.

A safe WordPress internet hosting normally has:

I perceive that it’s laborious to know which internet hosting firm is dependable towards hackers & that’s why I’ve created this checklist of safe WordPress internet hosting firms:

  1. SiteGround: An award-winning internet hosting that makes use of anti-bot AI system to forestall some well-known assaults.
  2. Bluehost: One of many prime rated hosts which provides nice safety.
  3. WPEngine: A managed WordPress internet hosting firm which is really helpful for enterprise WordPress websites. They provide backups and safety on a number of ranges.
  4. Kinsta internet hosting: This one is ideal for WordPress weblog with excessive site visitors. ShoutMeLoud.com can also be hosted on Kinsta internet hosting.

In case your present internet hosting firm isn’t safe and supply no security-related help, shifting to any of the above-listed hostings will make an enormous distinction.

3. Use the Newest model of WordPress

Retaining your WordPress software program updated is probably the most primary safety tip for any WordPress blogger. That is one thing that you simply by no means need to miss.

Every time WordPress is sending an replace, it implies that they’ve mounted some bugs, added some options, and most significantly, added some safety features and fixes.


If you see the message: “WordPress x.x.x is obtainable!”

Replace it.

These days, with one click on updates, it’s very simple to improve your weblog.

Be sure that your theme and plugins are appropriate with this newest model of WordPress. If an replace has been rolled out and it’s not a safety replace, I counsel you look forward to 5-6 days earlier than different customers cease reporting bugs within the newest model.

4. Replace WordPress Plugins


As I discussed above, WordPress releases an replace to repair bugs and safety holes, and the identical goes with plugins.

Many instances, a weak plugin or third get together script can create a safety gap in your WordPress web site.

One such problem which now we have seen prior to now is the Timthumb vulnerability. This was due to a script, and plenty of plugins which have been utilizing this script grew to become weak too. Such form of Zero-day vulnerability is tough to keep away from, however by limiting the variety of plugins, scripts, and themes you can also make WordPress website safer.

At all times use plugins that are frequently up to date and have good help. In case you are utilizing a plugin which has not been up to date for some time, discover a substitute for it.

5. Use Newest PHP model

PHP is the spine of WordPress and at the moment, the 7.Three is the most recent model of PHP. In accordance with the official PHP stats web page, they provide safety help to any secure model of PHP for two years solely.


Meaning if you’re utilizing something beneath PHP 7.1, you aren’t going to get safety updates.

Right here is an fascinating stat from WordPress.org, about 71.8% of the WordPress web site are utilizing outdated PHP.


Relying upon the internet hosting setting you might be utilizing, you may shortly change your PHP model. I strongly suggest you to first create a staging setting after which check the most recent PHP model. That is to make sure the compatibility as at instances, outdated plugin and theme may trigger a difficulty.

You possibly can verify the PHP model of WordPress from the dashboard and ask your internet hosting help to check and replace your PHP model. Bluehost customers can observe this tutorial to replace PHP model on cPanel.

6. Use Internet utility firewall (WAF)

A firewall exists between your internet hosting server and community site visitors. The function of the firewall is to filter out the commonest risk earlier than it reaches the machine your WordPress web site is hosted.

There are three commonest forms of firewall resolution that you need to use on WordPress:

  1. On the community degree: That is normally saved on the community degree or machine degree and works when you find yourself internet hosting WordPress at an information heart you personal. That is the most costly choice and normally utilized by an enterprise-level web site the place they’ve management over the bodily area the place the server is put in.
  2. On the host degree: That is hosted on the web-application degree, in our case it’s WordPress. This isn’t really helpful as finally, your host has to do the heavy lifting of filtering out the site visitors. That is undoubtedly higher than a network-based WAF however the native server sources it requires, it’s not the best choice.
  3. Cloud-based WAF: Cloud-based WAF are normally carried out at DNS degree and it filters the commonest sort of threats earlier than it even hit your WordPress server. That is the best one to implement and most economical in sense. The one draw back is, it could require you to vary the DNS.

Some widespread sort of risk which is detected and guarded by WAF are: Cross-site scripting (XSS) assaults, SQL injection assaults, session hijacking, and buffer overflows. This can be a protocol degree 7 protection within the OSI mannequin.

There are two really helpful companies that you need to use to implement WAF:

This can be a extremely really helpful WordPress safety function for WooCommerce and different WordPress web sites which is made for enterprise.

7. Conceal WordPress Model

Let’s assume you don’t have these 2 minutes to replace your WordPress core information. The listed WP model can spark an concept for a hacker to interrupt in. In case you are operating an older model of WP and everybody is aware of it, belief me, you might be doomed.

Most theme designers lately eliminate it for you, however simply to verify, go to your capabilities.php and add this line:

I shouldn’t have to say this, however I do know too many individuals who use ingenious and insanely complicated passwords like:


Please make your passwords complicated, add a few particular characters (%&*#), and preserve altering it each 5 or 6 months.

I might additionally prefer to suggest a plugin known as Login Lockdown. This plugin will document all IPs and time stamps of failed login makes an attempt. After a particular variety of failed makes an attempt from a specific IP, the IP will probably be blacklisted. This helps loads to forestall any brute-force assault.

At your finish, you also needs to begin utilizing a password supervisor like Dashlane that can enable you additional enhance your password safety.

Additionally, learn:

By altering the WordPress login URL web page, you might be stopping a whole lot of assaults and hacking try. Particularly, if you’re somebody who has a handful of individuals or simply it’s good to login to WordPress dashboard, altering login web page will supply an excessive amount of assist. There are a couple of added advantages that discover it in my earlier tutorial on easy methods to change the WordPress admin login URL.

10. Set Google alert for listed pages

This is without doubt one of the much less identified tips that you need to use instantly. You need to use Google alerts to ship you an alert every time Google indexes a brand new web page in your area identify. Plenty of time, WordPress hackers provides new pages and posts which aren’t proven within the backend or frontend, nevertheless it will get listed in Google.

If you set an alert like this, you’d know if one thing is occurring with out your discover. Because it’s free and takes solely 2-Three minutes to set it up, it’s completely price it.

Right here is how you are able to do it


Now, you’re going to get on the spot notifications when a brand new web page is listed within the search engine.

11. Examine WordPress Folders File Permissions


Go to the File Supervisor in your cPanel, or log in to your FTP software program, and verify the file attributes of your WordPress folder.

It’s good if it’s 744 (learn solely). In case you discover it to be 777, think about your self extraordinarily fortunate that you simply haven’t gotten hacked but.

When most bloggers change internet hosting, they don’t notice how their file permissions additionally get modified. Be sure to confirm all file permissions after migrating your internet hosting.

12. Delete Default Admin Person

This is without doubt one of the most important ideas for individuals who want to create a safe WordPress weblog. The default “admin” username is susceptible to brute-force assaults as a result of most individuals by no means change it.

If you set up WordPress, be sure you use a customized username and don’t use “admin”.

You possibly can create a brand new consumer with “Administrator” rights, and provides this new administrator a nickname that will probably be publicly displayed in case he/she writes a submit. Now, log off after which log again into the newly created admin account and delete the outdated “admin” consumer.

Be sure to attribute all usernames and hyperlinks to the brand new consumer which you may have created.

Right here is an alternate technique to change the default username:

13.  Conceal The Plugins Listing

The plugins folder /wp-content/plugins/ shouldn’t be exhibiting the checklist of folders and information within them.

Strive visiting your plugins folder (change area.com together with your area identify):

In case you see a listing of folders and information, it’s good to cover them.

To cover these folders, it’s good to create a brand new .htaccess file and drop it in your plugins listing.

# BEGIN WordPress RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] # Prevents listing itemizing IndexIgnore *

# END WordPress

If you have already got a effectively written .htaccess file in your root listing, including a separate .htaccess to a person folder isn’t going to trigger any hurt.

Additionally, check out this submit for higher understanding of easy methods to edit the .htaccess file.

14. Flip Off Database Errors

In older variations of WordPress, if there have been errors within the MySQL database, it could present the precise error on the browser itself giving the hacker priceless details about your database.

To forestall this, it’s good to replace your WordPress to the most recent model, so that it’s going to solely present a basic error message like “Database connection error” as a substitute of exhibiting precisely what’s fallacious

Log in to your WP dashboard and replace your WordPress core information.

WordPress Safety: Over to you

Nicely, I hope this information helped you to grasp the significance of WordPress safety and helped you harden it.

Once more, it’s a sensible concept to take computerized backups of your WordPress weblog at common intervals to be sure you can at all times roll again your weblog to a wholesome situation.

gp-3604483 as-8487843

WP Saviour

I am a WordPress specialist. My mission is to help you create beautiful websites with ease!