25 WordPress Security Tips to Keep Your Site Secure

I’ve heard many website owners complain about WordPress security. Some even wonder – is WordPress secure? The thought is that an open source script is vulnerable to all sorts of attacks. Is that a fact? And if so, how do you secure your WordPress website?

Luckily, the lack of built-in WordPress security is a myth. In fact, sometimes it’s the other way around – WordPress websites are much more secure than their online brothers and sisters.

WordPress Security: Simple Tips to Secure Your WordPress Website

Today, I plan to discuss quite a few simple WP security tips that can help you secure your WordPress site even more.

After implementing these tactics and following up with continual WordPress security checks, you’ll be well on your way to secure your WordPress website for good.

Why WordPress security is so important

Before we explore the WordPress security checklist, it’s important to understand why WordPress security is so important. This way, you gain peace of mind, since you’ll know exactly why you spent time securing your website, or why you paid to hire that WordPress security expert.

Overall, WordPress security is important for a few reasons:

  1. WordPress is popular: The system works so well that over 43.4% of the internet uses WordPress [1]. Yet, this means that it’s a recognizable interface, even for hackers.
  2. You’ll have failsafes set up before problems occur: Although unlikely, a compromise could cause your WordPress site to crash or run poorly. Failsafes like offsite backup storage and quick backup restores mean you can recover from attacks even after they happen.
  3. WordPress has many moving pieces: From third-party plugins to themes, and hosting companies to the core software itself, multiple elements come together to make WordPress one of the most customizable content management systems around. But with all these moving pieces, vulnerabilities may arise, like if you install a plugin with questionable code or don’t automatically update your WordPress theme.
  4. It has a login area: To this day, one of the most common forms of hacking is the brute-force attack, which involves a bot or person trying multiple usernames and passwords to break into your site. Like all technology, WordPress has a login module, so you must do everything you can to protect the login area and strengthen credentials. The same goes for FTP and hosting login credentials.

Now that you know why WordPress security is crucial, keep reading to dive into the ultimate WordPress security guide, with 25 WP security tips to keep your site secure at all times.

Part (a): Secure your WordPress website by making sure your hosting is safe

Almost all hosting companies claim to provide an optimized environment for WordPress, but do they?

1. Work only with good hosts

You should only work with reliable, high-quality and secure hosting. This piece of advice seems obvious, right?

More or less, everyone thinks their hosting is great until something breaks for the first time. In the real world, not all hosting companies and hosting offerings are created equal.

If you take a look into one of our hosting surveys, you’ll see how different people’s experiences are in terms of overall hosting quality and also individual aspects of their hosting setups, like security, reliability, speed, etc.

Some hosts are simply sub-par and don’t do well under stress.

The bad news here is that most of the time you don’t even know that your host isn’t taking your website security seriously enough. Things like increased hacker attacks, frequent downtime, and low performance might all be the result of inadequate security mechanisms.

The reality is that you’re not really going to “fix your host.” The easiest and the best solution is to switch to a different host that’s more secure.

Generally, the more you pay, the better your new host will be, but there are also some budget options you can consider.

If you want to get to the bottom of the topic, we have a comparison of the best hosting options available in the links box at the top of the page, plus the aforementioned surveys where you can see what other people say.

Here’s a short recommendation if you’re in a hurry:

  • 💪 Best power setup. Kinsta. For $115 / month, you can host up to 5 websites and welcome ~100,000 visitors.
  • 🚗 Entry-level managed host. Flywheel. For $13.00 / month, you can host one website and welcome ~5,000 visitors.
  • 💰 Budget pick. SiteGround. For as low as $2.99 / month, you can host one website.

2. Protect the wp-config.php file

The wp-config.php file holds crucial information about your WordPress installation, and it’s the most important file in your site’s root directory. Protecting it means securing the core of your WordPress blog.

This tactic makes it difficult for hackers to breach the security of your site, since the wp-config.php file no longer sits in the web root where they could reach it.

As a bonus, the protection process is really easy. Just take your wp-config.php file and move it to a higher level than your root directory.

Now, the question is, if you store it elsewhere, how does the server access it? WordPress looks for wp-config.php in its own root directory first and, if the file is not there, in the directory one level above. So, even if it is stored one folder above the root directory, WordPress can still find it.

3. Disallow file editing

If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes.

If you disallow file editing, no one will be able to modify any of those files from the dashboard – even if a hacker obtains admin access to it.

To make this work, add the following to the wp-config.php file (at the very end):

4. Set directory permissions carefully

Wrong directory permissions can be fatal, especially if you’re working in a shared hosting environment.

In such a case, changing files and directory permissions is a good move to secure the website at the hosting level. Setting the directory permissions to “755” and files to “644” protects the whole file system – directories, subdirectories, and individual files.

This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) – use the “chmod” command.

For more, you can read about the correct permission scheme for WordPress or install the iThemes Security plugin to check your current permission settings.

5. Disable directory listing with .htaccess

If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.

For example, if you create a directory called “data”, you can see everything in that directory simply by typing http://www.example.com/data/ in your browser. No password or anything is needed.

You can prevent this by adding the following line of code in your .htaccess file:
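
Added example, not part of the original article: a shell audit for tips 3 to 5 that looks for an uncommented `define('DISALLOW_FILE_EDIT', true);` in wp-config.php (also one level above the document root, as in tip 2), counts entries that deviate from 755/644, and looks for `Options -Indexes` in .htaccess. The function names and the sample tree are constructed for illustration; `DISALLOW_FILE_EDIT` and `Options -Indexes` are the standard WordPress constant and Apache directive for these two settings.

```shell
#!/bin/sh
# Added example: audit a WordPress document root for tips 3, 4 and 5.
# Function names and the sample tree are constructed for illustration.

# Tip 2 allows wp-config.php to sit one level above the document root.
find_wp_config() {
  if [ -f "$1/wp-config.php" ]; then
    printf '%s\n' "$1/wp-config.php"
  elif [ -f "$1/../wp-config.php" ]; then
    printf '%s\n' "$1/../wp-config.php"
  else
    return 1
  fi
}

# Tip 3: an uncommented define('DISALLOW_FILE_EDIT', true); must be present.
check_file_edit() {
  cfg=$(find_wp_config "$1") || return 1
  grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"
}

# Tip 4: count directories that are not 755 and files that are not 644.
# find does not follow symlinks by default; one dot is printed per offender.
count_bad_perms() {
  find "$1" \( -type d ! -perm 755 -o -type f ! -perm 644 \) \
    -exec printf . \; | wc -c | tr -d ' '
}

# Apply the scheme from tip 4 to every directory and file under "$1".
fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Tip 5: .htaccess must carry an Options line that includes -Indexes.
check_no_indexes() {
  grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# Run all three checks; the exit status is the number of failed checks.
audit_wp() {
  fails=0
  if check_file_edit "$1"; then
    echo "ok    tip 3: DISALLOW_FILE_EDIT is true"
  else
    echo "FAIL  tip 3: dashboard file editing is not disabled"
    fails=$((fails + 1))
  fi
  bad=$(count_bad_perms "$1")
  if [ "$bad" -eq 0 ]; then
    echo "ok    tip 4: permissions are 755/644"
  else
    echo "FAIL  tip 4: $bad entries deviate from 755/644"
    fails=$((fails + 1))
  fi
  if check_no_indexes "$1"; then
    echo "ok    tip 5: directory listing is disabled"
  else
    echo "FAIL  tip 5: no 'Options -Indexes' in .htaccess"
    fails=$((fails + 1))
  fi
  return "$fails"
}

# Constructed sample: config one level above the docroot, weak settings.
make_sample_tree() (
  root=$(mktemp -d) || exit 1
  mkdir -p "$root/public/wp-content/uploads/data"
  printf '%s\n' '<?php' "// define('DISALLOW_FILE_EDIT', true);" > "$root/wp-config.php"
  printf '%s\n' '# BEGIN WordPress' '# END WordPress' > "$root/public/.htaccess"
  : > "$root/public/index.php"
  fix_perms "$root"
  chmod 777 "$root/public/wp-content/uploads"   # world-writable directory
  chmod 666 "$root/public/index.php"            # world-writable file
  printf '%s\n' "$root/public"
)

# With a path argument, audit that tree. With none, audit the constructed
# sample, apply the three settings, and audit it again.
if [ "$#" -gt 0 ]; then
  audit_wp "$1"
else
  docroot=$(make_sample_tree)
  audit_wp "$docroot" || echo "-> $? check(s) failed"
  printf '%s\n' "define('DISALLOW_FILE_EDIT', true);" >> "$docroot/../wp-config.php"
  printf '%s\n' 'Options -Indexes' >> "$docroot/.htaccess"
  fix_perms "$docroot"
  audit_wp "$docroot" || echo "-> $? check(s) failed"
  rm -rf "${docroot%/public}"
fi
```

Run it with the document root as its only argument to audit a real installation; the exit status is the number of failed checks, so it can gate a deployment script.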

6. Block all hotlinking

Let’s say you locate an image online and would like to share it on your website. First of all, you need permission or to pay for that image, otherwise there’s a good chance it’s illegal to do so. But if you do get permission, you might directly pull the image’s URL and use that to place the photo in your post. The main problem here is that the image is shown on your site, but being hosted on another site’s server.

From this perspective, you don’t have any control over whether or not the photo remains on the server. But it’s also important to realize that people might do this to your website.

If you’re trying to secure your WordPress website, hotlinking is basically another person taking your photo and stealing your server bandwidth to show the image on their own website. In the end, you’ll see slower loading speeds and the potential for high server costs.

Although there are some manual techniques for preventing hotlinking, the easiest method is to find a WordPress security plugin for the job. For instance, the All in One WP Security and Firewall plugin includes built-in tools for blocking all hotlinking.

7. Understand, and protect, against DDoS attacks

A DDoS attack is a common type of strike against your server bandwidth, where the attacker uses multiple programs and systems to overload your server. Although an attack like this does not jeopardize your site files, it’s meant to crash your site for a long period of time if not resolved. Usually, you only hear about DDoS attacks when they happen to large companies like GitHub or Target. They’re conducted by what many refer to as cyber-terrorists, so the motive might simply be to wreak havoc.

That said, you don’t need to be a Fortune 500 company to be at risk.

If this worries you, we recommend signing up for the Sucuri or Cloudflare premium plans. These solutions have web application firewalls to analyze the bandwidth being used and block out DDoS attacks entirely.

Part (b): Secure your WordPress website by protecting the login page and preventing brute force attacks

Everyone knows the standard WordPress login page URL. The backend of the website is accessed from there, and that is the reason why people try to brute force their way in. Just add /wp-login.php or /wp-admin/ at the end of your domain name and there you go.

What I recommend is to customize the login page URL and even the page’s interaction. That’s the first thing I do when I start securing my website.

Why? Because it’s usually the user’s fault that their site got hacked. There are some responsibilities that you have to take care of as a website owner. So the key question is, what are you doing to save your site from being hacked? Protecting the login page and preventing brute force attacks is one of the best things you can do.

Here are some suggestions for securing your WordPress website login page:

8. Set up a website lockdown feature and ban users

A lockdown feature for failed login attempts can solve the huge problem of continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.

I found out that the iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect. Along with over 30 other awesome WordPress security measures, you can specify a certain number of failed login attempts before the plugin bans the attacker’s IP address.

9. Use two-factor authentication for WordPress security

Introducing a two-factor authentication (2FA) module on the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, or, more popularly, the Google Authenticator app, which sends a secret code to your phone. This way, only the person with your phone (you) can log in to your site.

I prefer using a secret code while deploying 2FA on any of my websites. The Google Authenticator plugin helps me with that in just a few clicks.

10. Use your email to login

By default, you have to input your username to log into WordPress. Using an email ID instead of a username is a more secure approach. The reasons are quite obvious. Usernames are easy to predict, while email IDs are not. Also, any WordPress user account is created with a unique email address, making it a valid identifier for logging in.

Several WordPress security plugins allow you to set up login pages so that all users must use their email addresses to log in.

11. Rename your login URL to secure your WordPress website

Changing the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via wp-login.php or wp-admin added to the site’s main URL.

When hackers know the direct URL of your login page, they can try to brute force their way in. They attempt to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword … with millions of such combinations).

At this point, we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.

This little trick restricts an unauthorized entity from accessing the login page. Only someone with the exact URL can do it.

The easiest way to change your login URL is to use the aptly named plugin WPS Hide Login. It’s very simple to use; just input your new login page URL and save the changes. You can set the URL to anything you want.

12. Adjust your passwords to strengthen WordPress security

Play around with your passwords and change them regularly to secure your WordPress website. Improve their strength by adding additional words and making your passwords longer.

Notice that we’re not necessarily advising you to keep adding more uppercase and lowercase letters, numbers, and special characters to your passwords. Many people opt for long passphrases instead since these are nearly impossible for hackers to predict but easier to remember than a bunch of random numbers and letters.

There’s a popular comic strip by xkcd on how deceiving some seemingly-secure passwords can be:

It turns out that using a complicated phrase can often be much safer and also 10x easier to remember.

13. Use a password manager

Okay, we all know that we should change our passwords often and that they should be difficult to crack. We know what we “should” do, but it’s not always something we have time for.

This is where some quality password managers come into play. They will not only generate secure passwords for you but then store them inside a secure vault, which will save you the hassle of having to remember them.

👉 Here’s an in-depth comparison of ours looking into the best password managers in the market.

14. Automatically log idle users out of your site

Users leaving the wp-admin panel of your site open on their screens can pose a serious WordPress security threat. Any passerby can change information on your website, alter a person’s user account, or even break your site altogether. You can avoid this by ensuring that your site logs people out after they have been idle for a certain period of time.

You can set this up by using a plugin like BulletProof Security. This plugin allows you to set a customized time limit for idle users, after which they will automatically be logged out.

Part (c): Secure your WordPress website through the admin dashboard

For a hacker, the most intriguing part of a website is the admin dashboard, which is indeed the most protected section of all. So, attacking the strongest part is the real challenge. If accomplished, it gives the hacker a moral victory and the access to do a lot of damage.

Here’s what you can do to secure your WordPress website admin dashboard:

15. Protect the wp-admin directory

The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site gets breached, then the entire site can get damaged.

One possible way for you to prevent this is to password-protect the wp-admin directory. With such a WordPress security measure, the website owner may access the dashboard by submitting two passwords. One protects the login page, and the other secures the WordPress admin area.

Setting this up usually involves adjusting your hosting setup via cPanel. Still, this isn’t too difficult to do if you follow the right steps.

16. Use SSL to encrypt data and improve WordPress security

Implementing an SSL (Secure Sockets Layer) certificate is one smart move to secure the admin panel. SSL ensures secure data transfer between user browsers and the server, making it difficult for hackers to breach the connection or spoof your info.

Getting an SSL certificate for your WordPress website is simple. You can purchase one from a third-party company or check to see if your hosting company provides one for free.

I use the Let’s Encrypt free open source SSL certificate on most of my sites. Any good hosting company like SiteGround offers a free Let’s Encrypt SSL certificate with its hosting packages.

The SSL certificate also affects your website’s Google rankings. Google tends to rank sites with SSL higher than those without it. That means more traffic. Now who doesn’t want that?

Enabling SSL on your WordPress site is very simple. In 99% of the cases, all you need to do is install the Really Simple SSL plugin and activate it. No other settings are required.

17. Add user accounts with care

If you run a WordPress blog, or rather a multi-author blog, then you need to deal with multiple people accessing your admin panel. This could make your website more vulnerable to WordPress security threats.

You can use a plugin like Password Policy Manager if you want to make sure that whatever passwords users make are secure. This is just a precautionary measure, but it’s better than having several users with weak passwords.

18. Change the admin username

During your WordPress installation, you should never choose “admin” as the username for your main administrator account. Such an easy-to-guess username is an easy target for hackers. All they need to figure out is the password, then your entire site gets into the wrong hands.

I can’t tell you how many times I have scrolled through my website logs, and found login attempts with username “admin”.

The iThemes Security plugin can stop such attempts by immediately banning any IP address that attempts to log in with that username.

19. Monitor your files

If you want some added WordPress security, monitor the changes to your website’s files via plugins like Wordfence, or again, iThemes Security. Both of these plugins can also scan WordPress for vulnerabilities and notify you if they find any.

Part (d): Secure your WordPress website through the database

All of your site’s data and information is stored in the database. Taking care of it is crucial. Here are a few things you can do to make it more secure:

20. Change the WordPress database table prefix

If you have ever installed WordPress then you are familiar with the wp_ table prefix that is used by the WordPress database. I recommend you change it to something unique.

Using the default prefix makes your site database prone to SQL injection attacks. Such attacks can be prevented by changing wp_ to some other term. For instance, you can make it mywp_ or wpnew_.

If you have already installed your WordPress website with the default prefix, then you can use a few plugins to change it. Plugins like WP-DBManager or iThemes Security can help you do the job with just a click of a button. (Make sure you back up your site before doing anything to the database).

21. Make backups regularly to secure your WordPress website

No matter how secure your WordPress website is, there is always room for improvements. But at the end of the day, keeping an off-site backup somewhere is perhaps the best antidote no matter what happens.

If you have a backup, you can restore your WordPress website to a working state any time you want. There are some plugins that can help you in this respect. For instance, there are all of these.

If you are looking for a premium solution then I recommend VaultPress by Automattic, which is great. I have it set up so it creates backups every week. And should anything bad ever happen, I can easily restore the site with just one click.

I know some larger websites run backups every hour, but for most organizations that is complete overkill. Not to mention, you would need to ensure that most of those backups are being deleted after a new one is made since each backup file takes up space on your drive. That said, I’d recommend weekly or monthly backups for most organizations.

On top of the backups, VaultPress also checks my site for malware and alerts me if anything shady is going on.

22. Set strong passwords for your database

A strong password for the main database user is a must since this password is the one WordPress uses to access the database.

As always, use uppercase, lowercase, numbers, and special characters for the password. Passphrases are excellent as well. I once again recommend LastPass for random password generation and storing. A free, and quick, tool for making strong passwords is the Secure Password Generator.

23. Monitor your audit logs

When you’re running WordPress multisite, or handling a multi-author website, it’s essential to understand what type of user activity is going on. Your writers and contributors might be changing passwords, but there are other things you might not want to happen. For instance, theme and widget changes are obviously only reserved for the admins. When you check the audit log you’re able to make sure that your admins and contributors are not trying to change something on your site without approval.

The WP Security Audit Log plugin provides a full list for this activity, along with email notifications and reports. At its simplest, the audit log could help you see that a writer is having trouble logging in. But the plugin might also reveal malicious activity from one of your users.

Part (e): Secure your WordPress website through themes and plugins

Themes and plugins are essential ingredients for any WordPress website. Unfortunately, they can also pose serious security threats. Let’s find out how we can secure your WordPress themes and plugins the right way:

24. Update regularly for WordPress security

Every good software product is supported by its developers and gets updated now and then. These updates are meant to fix bugs and sometimes have vital security patches. WordPress and its plugins are no different.

Not updating your themes and plugins can mean trouble. Many hackers rely on the mere fact that people can’t be bothered to update their plugins and themes. More often than not, those hackers exploit bugs that have already been fixed.

So, if you’re using any WordPress product, update it regularly. Plugins, themes, everything. The good news is that WordPress automatically rolls out updates for its users, so you’ll receive an email notifying you of the update and information on the fixes in your dashboard.

As for the plugins, you must update them manually by going to Plugins in your dashboard. When a plugin has a new version, it notifies you and provides a link to update now.

As an alternative, you could opt for a managed WordPress hosting plan. Along with many other features and improvements to your WordPress security, quality managed hosting offers automatic updates for all elements of your WordPress site.

Some managed hosting providers include Kinsta, SiteGround, and Flywheel. You can learn more about the top managed WordPress hosting here.

25. Remove your WordPress version number

Your current WordPress version number can be found very easily. It’s basically sitting right there in your site’s source view. You can also see it on the bottom of your dashboard (but this doesn’t matter when trying to secure your WordPress website).

Here’s the thing: if hackers know which version of WordPress you use, it’s easier for them to tailor-build the perfect attack.

You can hide your version number with almost every WordPress security plugin that I mentioned above.

For a more manual approach (and to also remove the version number from RSS feeds), consider adding the following function to your functions.php file:

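// Return an empty string so the generator tag (and with it the version) is not printed.
function quick_remove_version() {
  return '';
}
// 'the_generator' filters the generator output in page source and RSS feeds.
add_filter('the_generator', 'quick_remove_version');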

Final thoughts on how to secure your WordPress website

If you are a beginner then that was a lot to take in. You might feel like you just finished reading the ultimate WordPress security guide. The good news is that you don’t need to be a WordPress security expert to put it to use.

Everything that I mentioned in this article is a step in the right direction and something you should consider doing to help secure your WordPress site. Think of it as a 25-step WordPress security checklist and go through each step one at a time until you finish. Remember that the more you care about your WordPress security, the harder it gets for a hacker to break in.

With that being said, probably equally as important as security is website performance. Basically, without a website that loads quickly, your visitors will never get a chance to consume your content. The average website visitor will only wait for 2 seconds before getting frustrated and leaving.

Here are some resources that can help you win the performance game and make sure that your website loads lightning fast:

  • 🕸️ Use a quality CDN. Some of them are even free. Here’s a comparison of the top options: MaxCDN vs CloudFlare vs Amazon CloudFront vs Akamai Edge vs Fastly
  • 🏎️ Tune up some things under the hood of your site. Check out 11 ways to speed up WordPress by scrolling back to the top of this page and clicking on the link in the related posts box.

If you have any questions on how to secure your WordPress website, let us know in the comments and we’ll answer them! So what are your WordPress security challenges?

Written by Ahmad Awais, Joe Warnimont, Karol K.

WPShout Editorial

64 Comments
Shanora Networks
September 17, 2018 11:15 pm

You’ve hit on a lot of key points. I really appreciate you mentioning #9, add accounts with care. Clients frequently come to us with several admin privileged accounts, and they have no idea to whom they belong or if they belong to someone who might want to sabotage the site.

Aanchal Kaura
May 16, 2018 8:16 am

Hello Ahmad, First of all, thanks for sharing these tips to secure a WordPress website, and a common man can easily protect their website by following these simple tricks. Three of your tricks are really helpful, i.e. “Use 2-factor authentication, Adjust password and Back-Up site regularly”. Again, thanks for this amazing blog. I will definitely share this.

Nour Homsi
April 4, 2018 12:00 pm

Well, it seems that I have to thank you ! You almost saved my life !
p.s: My website is actually my life 🙂
great work Ahmad, keep it up.

William Patterson
April 1, 2018 10:03 pm

Which security plugin do you find better, Wordfence or iThemes Security?

B. Frances
March 29, 2018 7:04 am

Thank you Awais for sharing such a great tutorial regarding WordPress security tricks. Keep on sharing more tutorials as it’s going to help us a lot.

Calla Gold
March 16, 2018 4:08 pm

I liked your in-depth steps to securing a WordPress site. As one of those people who should do more, this was great.

Expobiz ITSolutions
March 15, 2018 2:44 pm

Your blog is really helpful for securing a WordPress website. I appreciate your blog. But I also agree with Alexis that a unique username is much safer than the email address. Keep posting useful information.

WPEZI
February 27, 2018 2:53 pm

Thanks for the great article, we also agree with you and we also think Wordfence is a great plugin to boost security and help monitoring the files on your site. Always also remember to use strong passwords and limit logins too. Very useful

Opine
February 24, 2018 3:04 am

I’ve been wondering for years why they won’t update it and fix the known flaws.

Jhanvi
February 21, 2018 10:40 am

Thanks for sharing how to secure a WordPress website. A WordPress website is not secure; it has some security protection. Before reading this blog I was facing many issues with my WordPress website. And now I have resolved them. Good job! Thank you so much!!

Alexis Wilke
February 10, 2018 2:28 pm

“3. Use email as login” — I have to disagree with that one. You probably have many people who know your email address. Actually, even just creating a new email address is likely enough for you to receive emails even if you never broadcast that email to anyone. So it’s not any safer than a Username. The problem is if your CMS leaks your username. If not, then you can use a top secret username and that’s much safer than a (semi-)public email address.
What will leak your username, from what I’ve seen, is your theme. Just conduct tests first to make sure that the username doesn’t get shown anywhere (on any standard page.)

Soumitra Ghotikar
April 14, 2018 6:20 am
Reply to  Alexis Wilke

” conduct tests first to make sure that the username doesn’t get shown anywhere (on any standard page.)” …… How to conduct these tests ?

Alexis Wilke
April 14, 2018 12:55 pm

I would suggest a local website setup. Test on your local website until things look satisfactory. Write down any steps if you make any changes so you can apply those changes later on your main website. How to hide the username may require you to edit your HTML to remove it from your pages if your theme currently shows it. Also removing the HTML is a wise idea, even if your theme has a flag to show/hide the name (i.e. with time it could leak…)

Runingmart
February 5, 2018 12:46 pm

Really very Nice and Wonderful love useful Blog Post

Tim
January 11, 2018 6:54 am

Awesome article with very comprehensive list of plugins and tips.
Personally, I’m using BackWpup to create backups and Prevent Direct Access to protect PDF files. Both are awesome!

Soumitra Ghotikar
April 14, 2018 6:30 am
Reply to  Tim

Thanks Tim. Tell more about protect PDF Files please !

jasa websitejepara
January 3, 2018 11:21 am

what do you know about indoexploit, because my username in wordpress was changed with that name
and my plugin menu in wordpress menu has gone

Nirmal Kumar
December 15, 2017 6:39 pm

That was very useful. You mentioned making some changes to the code in the .htaccess and wpconfig.php files. What if these changes block me from logging in?

Lawrence
December 12, 2017 1:17 pm

Good post. Though I was aware of some, many were new and interesting. Have compiled them for the must-do list this month. Eager to apply them. Thanks again for the helpful post. Much appreciated.

Soumitra Ghotikar
April 14, 2018 6:31 am
Reply to  Lawrence

Can you share that?

NCode Technologies
December 6, 2017 9:15 am

Great article on WordPress website security tips. I have read many articles on WordPress security, but most of them focus only on changing the login URL, creating a strong username/password and installing security plugins. This one is almost a guide in itself on WordPress security. I never thought of the database while thinking of securing my website. It's really of great help. Thanks for the detailed article.

sameera sam
November 24, 2017 9:26 am

Great article and great tips! This is an amazing security tutorial for preventing malicious activity by anybody. My site was recently attacked and I resolved my issue with these steps.

Fernando Fas
November 16, 2017 4:39 pm

Great article and great content. I've been working with different CMSs over the years and all of them require security. WordPress is an amazing platform and is free, so if you think it is not good for you because you need to do little tweaks to keep it safe, try something else. I love WordPress and my clients are very happy with it. I've never had any issue in terms of security. Cyber attacks can happen with any CMS. If you look around at where banks and multinational companies are attacked, most of them do not use WordPress and they still have huge damage in their systems. I will bookmark this excellent post, which I will follow for my current and next projects with WordPress. Thank you.

Joseph GodwinKe
October 17, 2017 7:50 am

Thank you

Ray Boller
October 10, 2017 12:37 pm

Thank you for your wonderful article. Where else could someone get that kind of information in such an ideal way of writing? I have a presentation next week, and I’m on the lookout for that information.

Sabina Ionescu
October 10, 2017 2:35 pm
Reply to  Ray Boller

Glad it helped Ray and good luck with your presentation! A WordCamp or something else?

Sarkari Naukri Adda
October 6, 2017 2:17 pm

Thank you for sharing this helpful information about WordPress.

Pushpender Kumar
September 8, 2017 7:28 pm

Thanks for the great article. I want to know: can we change login and registration URLs without using any plugins, and if we can, how can we do it?

Syed Immad Zafar
August 23, 2017 2:07 pm

Worth sharing (y)

AB Sketch
May 22, 2017 11:02 am

Did anyone test these tricks? I would like to know about it. A few of them are well known, but do we need to follow all of the tricks given above?

Cyndee Adkins
October 9, 2017 4:24 pm
Reply to  AB Sketch

I’ve been hacked on a shared server, having multiple sites affected. I did almost all of the above, plus a few other hardening tricks to the .htaccess file. Once the infected files were removed and these tips put into place, I’ve not been hacked since. They definitely work.

Sabina Ionescu
October 10, 2017 2:53 pm
Reply to  Cyndee Adkins

Nice to hear that Cyndee and thanks for vouching!

Soumitra Ghotikar
April 14, 2018 6:36 am
Reply to  Cyndee Adkins

Thank you very much for letting us know this. I am currently facing an issue like yours. Do you recommend NOT using shared hosting?

Styled Themes
April 24, 2017 3:59 pm

We've been sending our customers and free theme users to this article for ages when they mention they have WP security challenges or get hacked due to poor hosting etc.
If only people implemented 20% of these simple tips… WP's reputation would be so much better.

Rochell Marco
April 12, 2017 10:01 am

For security purposes, you have explained it very well, no doubt. I got something new from this article. Thanks for sharing!

radikaze
March 29, 2017 1:01 pm

Dude your website is very slow

MatchOfTheDayOrg
March 4, 2017 10:23 pm

Very brief guide, thanks.

Hasan Rasheed
February 10, 2017 2:01 pm

Very informative!

stewartcristan
February 10, 2017 1:32 pm

Great! It's a very helpful blog for WordPress users.

A visitor
February 7, 2017 3:19 am

Very helpful article. Thank you Ahmad.

Prosenjit Samanta
February 6, 2017 9:00 am

That's really a great checklist. Thanks.

Prosenjit Samanta
February 6, 2017 8:58 am

Hey, that's a really good and helpful checklist. Thanks.

Maximilian Bayer
January 27, 2017 7:27 pm

Is it possible that Ask Apache Password Protect is preventing Google Authenticator from working? I had the 2-way authentication set up and working fine until I activated Ask Apache Password Protect; now I have a password for my admin panel but the 2-way authentication is gone. Do you know of any conflict between those two plugins?

3D Walkthrough
January 27, 2017 8:44 am

Thanks for this post, I just installed the limit login attempts plugin you suggested. However, I don’t see where to fill in the number of attempts to be allowed. Ideas?

Heather Brown
January 18, 2017 10:41 pm

I was lucky enough to have my hosting site Ecomlane handle my front and back end security for me. Can’t beat free SSL from them!

Snigdha Saha
January 17, 2017 9:27 am

Learned so many new things. Thanks!

amik
January 16, 2017 7:43 pm

Glad I found these tips. Will apply them.

amik
January 16, 2017 7:38 pm

Ultimately the best tips for security

Biplab Acharjee
January 15, 2017 7:52 pm

Hi Ahmad, thanks for providing almost every possible way to protect our site from unwanted risks. Very informative post 🙂

How Mate
January 15, 2017 11:44 am

Love for two-factor authentication, because this is a great plugin and resolves all types of brute force attacks.
