
The Ultimate WordPress Security Guide – Step by Step (2020)

WordPress security is essential these days. Did you know there are currently over 1 billion websites on the web, and that 36.3% of all websites are built with WordPress? WordPress also powers 63.1% of all websites whose CMS we know. So the burning question is: how do you secure your WordPress website, and how do you find its weaknesses?

Because WordPress is widely used for personal blogs, fashion, business, and government websites, security is essential for any WordPress site. Hackers are always trying to get access to these sites and steal valuable user information.

In this post we share how you can improve your WordPress security even further.

After installing WordPress you have to secure your site as much as possible. There are lots of WordPress security plugins available; Wordfence and Sucuri are the best on the market.

WordPress Security Guide

Using nulled WordPress themes and plugins, a lack of security knowledge, and poor site management often lead to cyber attacks.

Why Is WordPress Security So Important?

Did you notice search engine traffic suddenly drop for your website? It is always important to check whether the domain name has been blacklisted by Google. Around 20,000 websites are blacklisted for malware issues and around 50,000 for phishing. We had built a few sites for our clients, but due to lapses in security precautions, hackers gained access to our site. Finally, we got blacklisted, and ISPs and email providers flagged us too.


Hackers may crack your site password, install malicious software, upload a script, or anything else. Having your site hacked will be your worst nightmare. If you are a business owner, you probably try to secure your store; in the same way, you have to think about WordPress site security to protect it, otherwise it will damage your business revenue.

You can use the MXToolBox Blacklist tool to check whether your site has been hacked. If you find a problem, contact your hosting provider immediately.

How Do You Secure a WordPress Site?

You can secure your site by implementing the methods below. Read them and apply them to your site.

Choosing a Secure WordPress Username and Password

When beginners start using WordPress, they tend to keep the default WordPress username and password, or choose something that is very simple to guess so they can remember it later. But they are not thinking about their WordPress site's security.

At installation time, WordPress uses 'admin' as the default username. If you are using it, change it as soon as possible. Many hackers use brute-force tactics to guess your username and password, and the username 'admin' is an easy guess that makes accessing your site easier.

Are you using '123456', 'password', or any numeric series as a password? These are easy to guess. Use a combination of uppercase and lowercase letters, numbers, and special characters. You can check the list of the most common passwords, which are very easy to guess. Other areas such as the database, FTP accounts, your hosting account, and your add-on email accounts also need strong passwords. You can also use LastPass.

Using an Updated Version of WordPress

WordPress is open-source software and is constantly updated. Hackers are continuously improving their tactics to hack your site, and to protect against them WordPress releases new versions. These updates also contain many major and minor bug fixes. You should keep your WordPress version up to date.

To run your site you probably install various themes, plugins, etc. Make sure that your themes and plugins are up to date, since updating plugins and themes fixes security holes.

Using Two-Factor Authentication

Using two-factor authentication is another way to secure your site. For the second factor you can use a secret code, a secret question, or any app that provides authentication.

For a secret code, you can use the Google Authenticator app, which provides a code on your phone directly.

You can also increase your login page security by adding a security question feature. It will stop many unauthorized users. To use the security question feature, simply install the WP Security Question plugin. It enables a security question on the registration, login, and forgot-password screens, so you can protect your account from hackers by asking a security question at login.

Use a Better Hosting Provider With Hardened Security Standards

You need a good hosting provider. Why? Because a good hosting service provider takes more care to protect its servers against common threats and resolves issues quickly if something happens. Hosting providers use different tools to scan for malware and find security problems.

Check that they are using the most recent versions of PHP and MySQL. A good hosting provider uses a firewall and supports you 24/7. They will back up your site, so even if a hacker deletes some content from your site it can be restored. A better hosting provider also helps your website's SEO.

Shared hosting is also fine, but it carries risk due to cross-site contamination. Try to use a managed hosting service provider. Here is a list of the best hosting providers, compared.

Rename the WordPress Login Page

When you log in to a WordPress site, you use something like "domain_name/wp-login.php". But do you know it may cause a server security issue?

wp-login.php is the default login page for accessing your site. Changing it will increase your website's security. It is also good practice to use separate user and admin login pages if you have many users. Hackers always try to gain access to your site, so they run brute-force attacks against the wp-login.php page, using a GWdb (Guess Work Database) that contains millions of password combinations.

You can use the Rename wp-login.php plugin to change your wp-login.php page. After installing it, the wp-admin directory and the wp-login.php page become inaccessible. 99% of brute-force attacks can be stopped by renaming the wp-login.php page. The plugin doesn't rename or change files in core, nor does it add rewrite rules. Bookmark your new login URL so you remember it. After deactivating this plugin, your site returns exactly to the state it was in before.

Installing WordPress Security Plugins

If you are a beginner or not familiar with WordPress security, install a security plugin. Security plugins help protect your site against malware, spam, malicious redirects, code injections and more.

You can use Wordfence as a firewall and security scanner; it has over 3 million active installations.

Another popular plugin is Sucuri. It offers malware cleanup and a blacklist removal guarantee.

Disable File Editing in the WordPress Default Editor

You can edit your .php and .css files by going to Appearance > Editor. But think about what happens if someone gains access to your site and inserts code into a .php file through the theme editor. It is better to disable the default WordPress editor.

You can disable the editor by inserting the code below in your wp-config.php file.

define( 'DISALLOW_FILE_EDIT', true );

Limit User Login Attempts

You can limit user login attempts. By default, WordPress lets you try to log in as many times as you want, so hackers may access your site by brute-force attacks, trying different password combinations. You can use Wordfence or Sucuri to limit your login attempts. However, if you want to focus only on login attempts, use Login LockDown. This helps to prevent brute-force password discovery. Currently, the plugin defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel.
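The same lockout policy, written as a small must-use plugin. This is an added example, not the Login LockDown plugin's code; the `vinno_ll_` transient prefix, the mu-plugins path and the limits are assumptions that mirror the defaults quoted above.

```php
<?php
// Added example, not the Login LockDown plugin's code. Drop it in
// wp-content/mu-plugins/ (path assumed). It mirrors the defaults quoted
// above: 3 failures within 5 minutes lock the client IP out for 1 hour.
// The 'vinno_ll_' transient prefix and the limits are assumptions.
define( 'VINNO_LL_MAX_FAILS', 3 );
define( 'VINNO_LL_WINDOW', 5 * MINUTE_IN_SECONDS );
define( 'VINNO_LL_LOCKOUT', HOUR_IN_SECONDS );

// Bucket attempts by REMOTE_ADDR only. Trusting X-Forwarded-For would let
// a client pick its own bucket unless a proxy you control sets that header.
function vinno_ll_key( string $suffix ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'vinno_ll_' . $suffix . '_' . md5( $ip );
}

// Count failures in a rolling window and start a lockout at the limit.
add_action( 'wp_login_failed', function ( string $username ): void {
    if ( false !== get_transient( vinno_ll_key( 'lock' ) ) ) {
        return; // Already locked; do not extend the lockout on every retry.
    }
    $key   = vinno_ll_key( 'fails' );
    $fails = (int) get_transient( $key ) + 1;
    if ( $fails >= VINNO_LL_MAX_FAILS ) {
        set_transient( vinno_ll_key( 'lock' ), time(), VINNO_LL_LOCKOUT );
        delete_transient( $key );
        return;
    }
    // Each write resets the expiry, so the window ends 5 minutes after the last failure.
    set_transient( $key, $fails, VINNO_LL_WINDOW );
} );

// Refuse authentication while locked. Priority 30 runs after the core
// username/password checks at priority 20, so the WP_Error returned here
// wins even when the password was correct.
add_filter( 'authenticate', function ( $user, string $username ) {
    if ( '' === $username ) {
        return $user;
    }
    $locked_at = get_transient( vinno_ll_key( 'lock' ) );
    if ( false === $locked_at ) {
        return $user;
    }
    $minutes = (int) ceil( ( (int) $locked_at + VINNO_LL_LOCKOUT - time() ) / 60 );
    return new WP_Error(
        'vinno_locked_out',
        sprintf( 'Too many failed logins from your address. Try again in %d minutes.', $minutes )
    );
}, 30, 2 );
```

Because the lock is keyed on the client address, a shared NAT or a misconfigured proxy that hides the real address will lock out everyone behind it at once.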

Changing WordPress Database Prefix

At installation time, WordPress uses wp_ as the default table prefix. This makes it easier for hackers to get access to your database through SQL injection attacks and steal valuable information. To change it you can use the WP-DBManager plugin, which lets you do this with a single click. You can change it to minewp_ or wprenew_ or anything else.

Regular WordPress Backups

Your website can be hacked at any time, so it is better to plan ahead and install a backup plugin. If something goes wrong that cannot be fixed, use your backup to restore the entire site. You can use the UpdraftPlus WordPress Backup Plugin. It allows you to set up automatic backup schedules for the ultimate in convenience. You can back up your files and database into the cloud and restore them with a single click. It is also a good idea to back up your site to a physical device or hard disk. I'd recommend you keep at least a monthly backup. Check here for the most popular WordPress backup plugins.

Automatically Log Out Idle Users

Leaving your WordPress site open while idle can cause serious security issues. It increases the risk that a hacker steals your session, changes information on your site, gains access to your password, or even alters a user account. Make sure that after a certain period of idleness, WordPress automatically logs the user out. To set up automatic logout for inactive users, simply install Inactive Logout. You can set the idle time from WP Admin > Settings > Idle User Logout, and you can also set the plugin's behavior for each user role.

Using SSL to Encrypt Data

Use a Secure Sockets Layer (SSL) certificate to ensure secure data transfer between user and server. With SSL in place, it is harder for hackers to gain access or hack your site. SSL also increases your ranking in Google.

To purchase an SSL certificate, contact your hosting provider. If your hosting provider offers free SSL, you can also set it up yourself. Check the SSLforfree site to get a free SSL certificate, but note that a free SSL certificate has to be renewed every 3 months. After getting the certificate, install the Really Simple SSL WordPress plugin to activate it.

Audit Log

For a multi-author site, security is very important. Suppose you hire a few authors or writers to publish or maintain content. A writer could change passwords so that another writer cannot log in, or could change the theme, plugins, or anything else. To address this you can use the WP Security Audit Log plugin to monitor what is happening on your website. Its audit log report tells you about users' activity, and you can also require approval for specific areas. This plugin helps thousands of WordPress administrators and security professionals keep an eye on what is happening on their websites.

Removing the WordPress Version Number

Knowing the WordPress version number makes it easier for hackers to hack your site, because they can craft a precise attack. You can use any WordPress security plugin to remove this version number. If you want to do it manually for RSS feeds, add the code below to your functions.php file.

function vinno_remove_version() {
    // Return an empty string so no generator tag is emitted.
    return '';
}
add_filter( 'the_generator', 'vinno_remove_version' );
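The generator filter covers the feeds, but the core version also leaks through the `?ver=` query string on core scripts and styles and through the generator meta tag in the HTML head. The following is an added example, not the author's code; the function name `vinno_strip_core_ver` is hypothetical.

```php
<?php
// Added example, not the author's code: hides the core version that also
// leaks through ?ver=<wp version> on core scripts and styles, and removes
// the generator meta tag from the HTML head. Only assets carrying the exact
// core version string are touched, so theme and plugin cache busting keeps
// working. Hiding the version patches nothing; keep core updated as well.
function vinno_strip_core_ver( string $src ): string {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        return remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'vinno_strip_core_ver' );
add_filter( 'script_loader_src', 'vinno_strip_core_ver' );

// The <meta name="generator"> tag in the head is printed by this action.
remove_action( 'wp_head', 'wp_generator' );
```

Version hiding only raises the cost of fingerprinting; readme.html and the behaviour of known endpoints can still reveal the release, so it complements updating rather than replacing it.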

Hotlinking Must Be Blocked

Suppose you have uploaded an image to your server, and another person hotlinks it to show the image on his website. The image appears on his site but is loaded from your server, so your bandwidth is consumed, which costs you money. Many websites use the .htaccess file to block hotlinking.

You can prevent hotlinking by installing a WordPress security plugin such as Wordfence, All In One WP Security, etc.

Thanks for reading this article. If you have any questions, feel free to ask me in the comment box.

