25 Ways To Improve WordPress Security

WordPress Security Tips

40% of all websites are powered by WordPress. And it’s popularity makes it a prime target for hackers.

Unfortunately, tons of WordPress websites get hacked every day due to a lack of security or poor security practices.

Reduce your chances of having your site compromised and improve the security of your WordPress website by using this list.

1. Password Protect Your Login Page

Install an extra layer of authentication by password protecting your wp-admin page. To do this, log in to your cPanel and find the “Security” section.

cPanel Security

Then click on “Password Protect Directories” to get a pop up.

cPanel Directory Selection

The pop up will ask for the directory location. Make sure the web root radio button is selected and click “Go”.

The next page might look different depending on your host and the features available to you. But it should look something like this:

wp-admin Directory

Navigate to the folder where your WordPress installation is hosted and click on wp-admin to be led to a page like this:

Password Protect WordPress Directory

In the first box, click the “Password protect this directory” box, create a name for the directory, and save it.

In the second box, create a username and password to add it.

After you’re done, if you navigate to your WordPress login page, you’ll be prompted to enter a username and password before accessing the login page.

Read the Full Article On Password Protecting Your Login Page

2. Limit Login Attempts

You know how your bank locks you out of their website if you try a certain number of password combinations that fail? It’s one of the most reliable ways to stop brute force attacks. Unfortunately, WordPress, by default, let’s users try as many passwords as they want.

To address this, use the Login LockDown plugin or the Limit Login Attempts plugin.

Read the Full Article on the 4 Things You Should Know When Limiting Login Attempts

3. Add a Firewall

Firewalls act a filter between your website and the rest of the internet. If your firewall finds that a fake browser or a bad bot is trying to access your website, it will deny it altogether, not even giving them a chance to guess your password or see your website. Some of the most popular and reputable providers are Sucuri and Wordfence but they both require a paid subscription.

Read the Full WordPress Firewall Installation Guide

4. Use Two-Factor Authentication

Two-factor authentication works by verifying two pieces of information to make sure that only the correct person is accessing the website or account: something you know (your password) and something you have (your smartphone).

You can use a plugin like WP Google Authenticator that requires you to type in a code that’s only generated on your phone in order to log in.

In addition, security plugins like Wordfence have an option to generate a code via text message that you would have to input in order to log in.

Read on How to Use Two-Factor Authentication to Bulletproof your WordPress Login

5. Use a 16-digit Alphanumeric Password With Special Characters

Brute force login attacks, where hackers guess your password, are executed by using a computer to try every single combination of passwords until it gets it right; for example: “aaaaaa,” “aaaaab,” and “aaaaac.”

It’s the most popular way to hack into a WordPress site because it’s the most effective. And it’s the most effective because users tend to choose passwords that are too easy to guess.

If you do the math or use a password checker tool like that from BetterBuys, you’ll see that most easy passwords like “password” would take less than a second to crack using a free tool like John the Ripper.

But if you were to use a 16-digit alphanumeric password with special characters and a mixture of uppercase and lowercase letters like “%GFmQ^opCee#!fmE,” it would take millions of years for John the Ripper to crack.

Read on Why You Need to Make Sure You Use a Strong Password & Why Your Weak Password Can Be Guessed in Less Than One Second

6. Use a Strong Username

Just as important as a strong password is a strong username. Don’t use any dictionary words, emails, or names. Keep it as obscure as your password.

Remember, hackers need two pieces of information to gain access to your WordPress admin:

  • Your Username
  • Your Password

Read on Securing the WordPress Admin User From Unauthorized Access

7. Back Up Your Site Everyday

The best way to fix a hacked website is by using a backup, and you want to keep a fresh backup of your site for any emergency.

However, manually backing up your site everyday isn’t a realistic expectation for any user. That’s why there are plugins like UpdraftPlus that allow you to schedule backups everyday while you sleep.

Read the Guide on Backing Up WordPress

8. Hide Your Login Page

Your site has two default login URLs:

  • /wp-admin.php
  • /wp-login.php

To make it difficult for anyone to find your login page, create a custom URL for it.

Use a plugin like WPS Hide Login, HC Custom WP-Admin URL, or Custom Login URL.

Find the Best Plugins for Hiding the Login Page

9. Change the WordPress Database Prefix

If you’ve spent any time in WordPress, you will have noticed the “wp_” database prefix. By changing this to something unique, you can limit most bot attempts at an SQL injection.

To do this, find the following line in your wp-config.php file:

Change “wp” to anything you want but I recommend that you keep the underscore.

Once you’re happy with the change and upload the wp-config.php file back, you’ll notice that your site will be broken. That’s because the database prefixes do not match your changes.

To change the database prefixes, log in to phpMyAdmin to run SQL queries.

But if you aren’t comfortable directly accessing your database, you can use a plugin like Change DB Prefix.

How to Change the WordPress Database Prefix

10. Don’t Use “admin” As Your Username

Unfortunately, for many managed WordPress hosting plans, your default username is set to “admin.” As a result, many WordPress sites use it and you can see the obvious problem with it. Although you can’t easily change usernames through the WordPress admin, you can create a new user and then delete the old “admin” username.

Don’t Use Admin As Your Username

11. Disable File Editing

If someone breaks in to your WordPress site and tries to change your files, they’ll typically go to Appearance > Editor.

To prevent someone from saving any changes made to your files, you can insert this line of code to your wp-config.php file:

You’ll still be able to edit your files as the owner of the site by either erasing that line of code temporarily or by rewriting your files via FTP.

How to Disable File Editing to Enhance Security

12. Disable XML-RPC

In short, WordPress’ XML-RPC API allows you to execute commands remotely. If you use Jetpack, one of the well known features that utilizes XML-RPC is the ability to create and publish a post without logging in to your WordPress admin.

Unless you use a plugin that uses XML-RPC, it would be best to disable it altogether by using a plugin. However, if you want to selectively disable XML-RPC because you currently have plugins that use XML-RPC, you can find plugins that will do that as well.

13. Stay Up-to-date

Keep your website’s WordPress version and plugins always up-to-date. A majority of updates fix known security flaws.

According to an excerpt from a previous post: “Once a security vulnerability is found in a plugin, the details on how to exploit it will be immediately published online by hackers. Other hackers can use that information to create bots to crawl the web and find websites that have such vulnerabilities exposed, putting your site at risk.”

If you don’t have the time or resources to constantly check on pending updates while making sure updates don’t break your site, consider signing up for a WordPress maintenance plan.

14. Always Use sFTP and SSH

If you’re still using plain old FTP to access your website, you’re putting yourself at serious risk. When you enter your credentials to access your site via FTP, you transmit your access credentials over the network as plain text. This means if you’re on a public network like in a coffee shop, someone will be able to easily grab your access information.

15. Use Reputable Themes and Plugins

Choose only themes and plugins that have been developed by reputable organizations, as it is more likely that they will be proactive about security.

On the other hand, it’s important to never use plugins or themes that are no longer supported. If you find that your site is using a plugin that has been abandoned by the developer, try finding an alternative as soon as possible.

16. Limit the Number of Plugins Used

When choosing a plugin to use, ask yourself if it is absolutely necessary to have and if it meets your security requirements. By definition, the more plugins you use, the more vulnerabilities you’ll expose yourself to. And that’s beside the fact that and unnecessarily long list of plugins are bad from a functionality standpoint.

17. Remove the WordPress Version Number

By default, WordPress displays your WordPress version number in the code. If you’re using an old version of WordPress or you just haven’t gotten to updating it yet, you’ll give away valuable information to hackers, who might use that information to determine which security flaws you might be vulnerable to.

You can remove the WordPress version number by adding this line of code on the top of your functions.php file:

18. Get Notified of Changes to Your Website

Use the Sucuri Security plugin to get notified by email of any changes that get made on your website including changes to any posts, pages, or WordPress files.

19. Monitor Access

Keep a log of every time someone accesses your website and monitor it. You can implement this at the hosting level (typically through cPanel) depending on your host, or you can use Wordfence to view the logs in your WordPress admin.

20. Hide PHP Error Reporting

If one of your plugins are not working correctly, it might display a php error which will include your server path. As much as it is helpful to you, it is also helpful to hackers, whom you will be providing complete information about your website.

It’s best to disable this altogether by adding this snippet to your wp-config.php file:

21. Protect Access to Your wp-config.php File

Your wp-config.php file hosts all your personal information and login information. Hide it by adding this to your .htaccess file:

22. Hide Author Usernames

WordPress has a default setting where anyone can type in your homepage URL + ?author=1 to display the admin username. Hide it by adding this to your functions.php file:

23. Run Regular Malware Scans

You might think that you’ll know your site is hacked when you see this on your website:


Unfortunately, you won’t know that your WordPress website has been hacked most of the time until you run a malware scan, only to discover that someone has been siphoning your information and your customers’ information this whole time.

Got MLS is a trusted and super popular plugin that can be used to run a complete scan and fix any malware issues that are discovered.

24. Limit Admin Access to Certain IP Addresses

You can block all IP addresses from accessing your /wp-admin except for the ones you whitelist. To do this, you’ll have to add this to your .htaccess file:

All you have to do is replace the x’s with your IP address. Remember that for most people, every time you use a laptop computer to connect to a Wi-Fi network, your IP address will change.

You also won’t be able to access your admin on computers and networks whose IP addresses aren’t whitelisted.

25. Remove the Invalid Login Message

When you enter an invalid username or password, WordPress will tell you which one you got incorrect. That means someone who’s trying to guess your login will know which one of the two they got correct.

Therefore, it’s recommended that you don’t display the invalid login message. You can do this by adding this to your functions.php file:

Updates and Detailed Posts

If you think there’s a valuable tip that should be added to this list, go ahead and let me know in the comment section below.

In December 2016, I started a series of WordPress Security posts, where a dedicated post for each tip will be included. They’ll be listed below as the posts roll out!

  1. WordPress Security Tips
    1. Password Protect Your WordPress Login Page
    2. Limit Login Attempts
    3. Add a Firewall
    4. Two-Factor Authentication
    5. Use a Strong Password
    6. Use a Strong Username Other Than Admin
    7. Back Up Your Site Everyday
    8. Hide Your Login Page
    9. How to Change the WordPress Database Prefix
    10. Don’t Use Admin As Your Username
    11. How to Disable File Editing to Enhance Security

Sign Up for New Content