WordPress Security Guide: 20 Things Which Can Save Your Website


One of the scariest things that can happen is getting your website hacked because of poor security. It’s important to have a WordPress security guide that covers every possible way to harden your website.

WordPress itself is a trustworthy and secure platform, but there are still many things you can do to add more security layers.

Have you ever even thought about losing the hard work you have been doing for years? Isn’t that scary?

Well, this fear needs to go away. You should apply all the WordPress tips and tricks that can save your website.

This article is an ultimate WordPress security guide that can help you run a safe website.

Why WordPress Website Security Is Important

There are millions of websites on the World Wide Web, and many of them get hacked every year.

People start their website and within a few days, they get hacked. What’s the reason? It’s because of poor website security.

You may be wondering why anyone would hack your website. You should know that bots look for websites with vulnerabilities, and yours can be on their list.

There are different ways to hack a website. Attackers can inject malicious code into any of your website’s files, or break into the login directly by cracking your password.

It can be anything. You should harden every part of your website where there is any vulnerability.

The List of the Tips Included in this WordPress Security Guide

The list runs from basic security tips to advanced ones. Follow each one according to your needs.

#1. Keep Everything Updated

It’s not a new thing to hear. There are thousands of security posts and every post contains this point.

You should always keep your WordPress core updated. Always use the latest version of WordPress and update the plugins and the themes accordingly.

This isn’t only about security: outdated plugins can conflict with the latest WordPress version, which can break your website.

It may be the design or anything else.

Many people even enable automatic updates in WordPress for plugins and themes too. Though if you can manage it manually, you don’t need to choose to enable automatic updates, but still, make sure everything is up to date.

#2. Strong Password

Whenever you create a user for your WordPress website, it’s always recommended to choose a strong password.

This isn’t only about the login page; it applies to the FTP account, your web hosting account and any other account you create related to your WordPress website.

Most people ignore this simple aspect and regret it later.

This may seem like the simplest and most common advice, but it matters a great deal.

#3. Change The Default “Admin” Username

When you install WordPress for the first time, you will see the default username as “admin”.

It’s always recommended to change it on the same day you complete your website setup. Just a few days ago, one of my clients faced some issues with her website.

It was because of her default username. She was lucky that nothing went wrong.

But not everyone is so lucky. Just as with the password, you should change the admin username and choose something which is known only to you.

#4. Always Have A Backup Tool

Having a backup of your website and the database is the first thing to put on your to-do list.

In case your website gets hacked, you can restore it from the backup within a few minutes. But only if you have a backup tool.

There are many WordPress plugins that send the backup file directly to your Gmail inbox, Dropbox, Google Drive, etc.

And you can also back up your WordPress website without any plugin.

#5. Install A WordPress Security Plugin


Plugins like Sucuri, BulletProof Security, iThemes Security, etc. can help you maintain the security of your website.

Most of these plugins help you protect your website from brute-force attacks by enabling a firewall. They also scan your website regularly.

You can also block users by their IP address. The number of failed login attempts is shown as well.

Every security plugin has its own features. You can try any of them and use one accordingly.

#6. Disable PHP Execution For Particular Directories

As you know, WordPress is written in PHP, and its files and folders contain PHP code.

But you don’t want PHP code to execute everywhere. The folders where your media files are stored don’t need any PHP execution.

You should disable PHP execution for those folders. It means no extra PHP code can be injected and run by anyone else.

No hacker would be able to add malicious code to that part of your website.

Some security plugins let you enable this right from your admin panel.

#7. Password Protect Your WP-ADMIN Directory

The first target of hackers is the login page of your website. In every WordPress security guide, you will find the concept of brute-force attacks and fake login attempts.

What if you password protect your WordPress admin directory? That adds one more security layer: a username and password are required before the login page is even shown.

It will help you block all the fake login requests people try.

#8. Add A Security Question To WordPress Login Page

Apart from the username and the password, you can add an extra layer: a security question on the WordPress login page.

It authenticates the user: only someone who knows the answer to that question gets in. You can choose the question yourself.

If you run a multi-member website, each member can set a security question for their account. It can be done using a WordPress plugin. Install and activate WP Security Questions.

#9. Disable WordPress Directory Browsing

Many WordPress directories can be browsed by anyone, so hackers can learn what data you have on your WordPress website.

You can prevent this by disabling directory browsing.

You have to add a small piece of code to the .htaccess file of your website. After that, whenever someone tries to browse the WordPress directories, they get a 403 Forbidden error.

#10. Change The Database Table Prefix


By default, “wp_” is the prefix for all the database tables, and that can be a vulnerability for your website.

You should change the WordPress database table prefix to improve security. You can do that in the wp-config.php file, which requires some coding skills.

But if you’re not good with it then I would recommend using a plugin. Most security plugins let you change it right from the WordPress admin panel.

#11. Remove Password Change Link

Many people complain about using a plugin to secure their login panel. There is also a simple solution. It can also be helpful.

On the WordPress login page, you can see the lost-password link, which is used to recover your password when you forget it.

What if you totally remove that link? Yes, it can be done. You would need to add one line of code to the functions.php file of your WordPress theme.

Here is the complete guide to removing the lost-password link.

#12. Disable Login With An Email Address

On a WordPress website, you can log in using either the username you chose or the email address you added to your account.

A hacker could hack your email address and log in to your WordPress website. You wouldn’t even know.

You can disable login with an email address by adding code to the functions.php file.

#13. Edit Login Error Message

Whenever you enter the wrong login credentials, you get an error message that includes the password recovery link.

It can be used to get a new password. Why don’t you change the login error message and write something without any link?

Yes, it’s possible. WordPress is an open source platform and you can edit any file. This can be an extra security layer. I always include this in the WordPress security guide.

You may remove the lost-password link, but if you forget to remove it from the error message, it’s of no use.

#14. Automatically Logout The Users In WordPress

You may have noticed that sometimes, due to a poor internet connection or a technical fault, you leave yourself logged into your WordPress admin panel.

Well, this can be risky. Someone else can use that WordPress login session to hack your website.

You may have noticed it on multi-user websites, especially if the data is sensitive. Do you use internet banking? I am sure you do.

As you may have experienced there, you get logged out if you don’t refresh the page or show any activity for a certain period of time.

You can set up automatic logout for idle users using a WordPress plugin.

#15. Change The Login Page URL


By default, the WordPress login URL is “http://www.example.com/wp-login.php”. You can also log in using the wp-admin path.

Everyone knows about it. To improve the security, you can change this URL using any plugin. It will help you add one more security layer to your WordPress login page.

#16. Limit Login Attempts

This can be something you would want to do. You know that many hackers use trial and error to crack your password.

It may take them many attempts. Why don’t you block them after a few login attempts?

You can use Login Lockdown and set the value accordingly. Most people allow a maximum of 3 attempts. After that, the IP address gets blocked.

#17. Protect the WP-INCLUDES Folder

WP-Includes is one of the important folders of the WordPress directory, and it contains some scripts. These scripts shouldn’t be accessed by anyone else.

Hackers may inject their own script and spread malicious code to your website. It’s important to protect the WP-Includes folder.

You can use the .htaccess file to add rules which will block access for everyone.

#18. Protect the WP-CONTENT Folder

All the data of plugins, themes and media files is present in this folder. If someone hacks it, your website will go down in no time.

There are some specific file types which can be allowed. Apart from those, you should block all the other file types running on your website.

You can protect the wp-content folder by creating a new .htaccess file and adding it to this folder.
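One way to write the two .htaccess files described in tips #6 and #18, for Apache 2.4 (an added example, not code from the original post). The list of allowed extensions is an assumption; adjust it to what your theme and plugins actually serve.

```apache
# ---- file: wp-content/uploads/.htaccess (tip #6) ----
# Uploaded media never needs to run as PHP, so refuse every request
# for a PHP-type file in this folder and its subfolders.
<FilesMatch "(?i)\.(php[0-9]?|phtml|phar)$">
    Require all denied
</FilesMatch>

# ---- file: wp-content/.htaccess (tip #18) ----
# Deny by default, then re-allow only static asset types.
# Needs "AllowOverride AuthConfig" (or All) in the server configuration.
Require all denied
<FilesMatch "(?i)\.(css|js|map|jpe?g|png|gif|webp|svg|ico|woff2?|ttf|eot|pdf|xml)$">
    Require all granted
</FilesMatch>
```

These rules stop direct HTTP requests only; they do not stop another PHP script from including a file. Try the wp-content rule on a staging copy first, because a plugin that serves requests from its own PHP file under wp-content will start returning 403.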

#19. Protect Your Admin Folder

As you know, every internet connection has an IP address. If you allow only one IP address to log in to your WordPress admin panel, it can be secured.

If you work from one place then it can be the best way to protect your admin folder. Whitelist your IP address and block all the others.

It won’t let anyone except you access your login page.
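The directory password from tip #7 and the IP allowlist from tip #19 can share one file, shown here for Apache 2.4 as an added example that is not part of the original post. The address 203.0.113.10 and the path /home/example/.htpasswd are placeholders.

```apache
# ---- file: wp-admin/.htaccess ----
# Tip #7: HTTP Basic authentication in front of the dashboard.
AuthType Basic
AuthName "Restricted area"
# Placeholder path: keep the password file outside the web root.
# Create it with: htpasswd -c /home/example/.htpasswd <username>
AuthUserFile /home/example/.htpasswd

# Tip #19: the request must come from the allowlisted address
# AND present a valid Basic-auth user.
<RequireAll>
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>

# Themes and plugins call admin-ajax.php on behalf of ordinary visitors,
# so this one file is exempt from both checks.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- file: .htaccess in the site root ----
# wp-login.php lives in the site root, not in wp-admin, so the
# allowlist has to be repeated here to cover the login page itself.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>
```

Basic authentication sends the password with every request, so use it over HTTPS only. Behind a CDN or reverse proxy, `Require ip` sees the proxy's address unless the server is configured (for example with mod_remoteip) to recover the client address.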

#20. Protect the .htaccess File From Unauthorized Access


The .htaccess file is the heart and soul of your WordPress website. You add many rules to this file to protect different directories.

You should always protect the .htaccess file from unauthorized access. It would be dangerous if someone injected any code into this file.
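The root .htaccess rules referred to in tips #9, #17 and #20, collected into one Apache 2.4 fragment (an added example, not code from the original post). The wp-includes rewrite rules follow the set published in the WordPress hardening documentation.

```apache
# ---- file: .htaccess in the site root ----
# Place these lines above the "# BEGIN WordPress" block, because WordPress
# rewrites everything between its BEGIN/END markers.

# Tip #9: no auto-generated listing for folders without an index file.
# Needs "AllowOverride Options" (or All) in the server configuration.
Options -Indexes

# Tip #20: never serve .htaccess or .htpasswd files to a browser.
<Files ".ht*">
    Require all denied
</Files>

# Tip #17: block direct requests for include-only scripts.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Skip the next three rules for anything outside wp-includes/.
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

The `<Files ".ht*">` rule only stops the file from being read over HTTP; keeping it from being modified is a matter of file ownership and permissions on the server. The wp-includes rules do not work well on Multisite, where they block ms-files.php.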

I Hope this WordPress Security Guide Can Help You to a Greater Extent

It’s nothing new that people are scared of hackers. They should be. But being scared is not the solution; you have to take some serious steps to secure your website.

I have mentioned all the possible website security steps which can be taken. Is your website secure? Have you protected the wp-content, wp-includes, wp-admin folders?

What are the things you want to ask? Have you taken each and every step included in this WordPress security guide? If you have any doubt, feel free to clear it.


by Ravi Chahar

A WordPress Professional and the LinkedIn Influencer. A coder by passion and a blogger by choice. WordPress theme development is his forte. He is your WordPress guy who will teach you how to solve WordPress errors, WordPress security issues, design issues and what not.




  1. Hi Ravi,

    Wow these are some great security tips for people who use WordPress. I am always trying to tighten up the security on my blog. While I’ve never been hacked (knock on wood). I’ve had a client who got hacked.

    It wasn’t easy to clean up their site, it was a total mess. So taking some time out of the day to ensure that my blog is properly secured is worth it in my eyes.

    The last thing I want to do is worry about cleaning up my blog. I currently use a lot of the security measures that you mention here. However, there are a few more things that I could apply to my blog.

    For one, I had no clue that you could disable login with an email. I am going to use that security measure for my own blog. I’m sure there’s a couple more things on this list that I could apply to my own blog.

    Thanks for sharing these tips with us, I know they will help a lot of bloggers protect their blogs.

    Have a great day 🙂


    1. Hey Susan,

      There are many things which can be done for a WordPress website. I always recommend disabling the email login because email accounts can be easily hacked which can directly lead to your website.

      Though having a web hosting with no mail() function can work fine still, you should do everything you can to protect your website.
      I am glad you could have some extra knowledge.
      Enjoy your day.


  2. Great post mate. Definitely security is not something to be taken lightly with WordPress given its popularity. A very basic and highly efficient way to start with WordPress security is to install a security plugin like you mentioned in number 5. I consider Word Fence to be the best security plugin though.

    1. Hey Odira,

      It’s always recommended to install a security plugin because not everyone is techie enough to handle a website with codes. A plugin can have multiple features which can add many security layers to your website.
      Wordfence, Sucuri and there are many other plugins.
      Thanks for your input.

  3. Hello Ravi,

    savior 🙂 Thanks for this man.

    Yeah people start their website and within some time it’s gone, disappeared they got hacked, all their works
    more or little have gone, sounds scary.
    We need to protect our work whether it’s more or less it should be protected. WordPress security is the best way to
    protect our sites and restrict the hackers so that they can’t get access to it and take our hard work away from us.
    The steps you mentioned for the better security checks are awesome, came to know about the how we can change the
    login page URL, something new to learn.

    Thanks for the share.
    Keep Writing.
    Have a great week ahead.

    1. Hey Shantanu,

      WordPress can be overwhelming for many. And keeping your website secure is the challenge. You should take every possible step which can enhance the security.

      Follow the above-mentioned steps and you will have a secure website.
      Thanks for stopping by.

  4. Hi Ravi,

    Wow, this is a great post – very valuable.

    Thank you for showing us how to protect our WordPress site. I didn’t know we could remove the change password link. I’m going to do that and go through the rest of your list to make sure my blog is protected as much as possible.

    I appreciate you for sharing this with us!

    Have a great week.


    1. Hey Cori,

      I always remove the password lost link for my clients. Most of the people don’t have an idea that it can be exploited by the hackers by hit and trial method to break the password.
      They can recover if the email gets hacked. I am glad you could find something valuable.
      Have a great day.


  5. Hey Raavi this is really a must read to all bloggers!
    Thanks for telling this in detail. Presently I am using the free version of WordFence, the other option you mentioned in the post are they better than this? Would like to know on this. It is presently doing a good job I believe, maybe their pro version may give a better option. Would like to hear on this issue, will these security options free option will do or do we need to go for a better option.
    Thanks for sharing such a lot of information regarding our security of sites.
    Keep sharing
    Have a great rest of the week.
    ~ Philip

  6. Hi Ravi,

    You certainly have done an excellent job on protecting our WordPress Blog. For me, I have managed hosting so I don’t have to worry that much. The only thing I do every now and then is to change my password which is very long lol.

    I will surely pass this on.


    1. Hey Donna,

      Having a managed hosting can save to a greater extent. They take care more than half of the things mentioned above. I have used WPEngine. They are awesome.
      Changing the password is the most common yet important aspect to be taken care of.
      Thanks for sharing your thoughts.
      Enjoy your weekend.

  7. Hello Ravi,

    Nice information.

    I did #7 a long ago and working quite well. Apart from this, I have done almost all things but still, I will recheck if I missed something.

    Thanks for the gentle reminder.

    1. Hey Atish,

      All the things are required to add multiple security layers to a WordPress website. I do all of them using codes whereas I recommend people to use a security plugin.
      It’s because people can break their websites.
      Thanks for sharing with us.

  8. Hey Ravi,
    Happy to be here again,
    This is my second visit, though you haven’t responded to my first comment with doubt. 🙁
    But sad, I am again here to ask one more question for which I believe you respond!! LOL
    This is in response to your note in point # 1 “Many people even enable automatic updates in WordPress for plugins and themes too. Though if you can manage it manually, you don’t need to choose to enable automatic updates, but still, make sure everything is up to date.”
    As you know I am using your theme and I am sure you update every now and then, but do I need to do anything extra with it as per this statement?

    1. Hi Philip,

      The theme you’re using has been developed according to the latest coding standard of WordPress codex which doesn’t require any update yet.
      If you remember, I asked to add something in the theme files after WordPress policy updates.

      If anything new comes, I will definitely provide you an update. Otherwise, no need.

  9. Hi Ravi,

    I am already checked with #1 to #5, #7, and #16. I thought my site is hack proof until saw this post and some other security options.

    Thanks for sharing the awesome tips. Will implement the additional security soon.

    – Shafi Khan
