Best Tips for Securing Your WordPress Website

WordPress Security

Please Share This Post

Blog post by Chris Green

Blog post by Chris Green

Chris is the owner and lead web designer and SEO expert at Certtech Web Solutions. For over 10 years now, Chris and his team have helped countless businesses achieve online success.

Best Tips for Securing Your WordPress Website

As the world’s most popular website platform, WordPress powers millions of sites. But with great power comes great responsibility – and a greater risk of being hacked.

That’s why it’s important to take steps to secure your WordPress website. Here are 7 must-know tips to help you do just that:

WordPress Security Basics

Your WordPress website is only as secure as you make it. By following a few simple tips, you can help keep your site safe from hackers and other security threats. In this article, we’ll share seven must-know tips for securing your WordPress website.

Keep WordPress and plugins up to date

One of the simplest and most effective ways to secure your WordPress site is to keep WordPress and all plugins up to date. New versions of WordPress and plugins are released regularly to fix security vulnerabilities and bugs. By running the latest version of WordPress and plugins, you close the door on a range of potential security threats.

To update WordPress, simply log in to your site’s Dashboard and navigate to Updates. If a new version of WordPress is available, you’ll see a notification asking you to update.

Use strong passwords

One of the most important things you can do to secure your WordPress site is to use strong passwords. A strong password is one that is at least eight characters long and contains a mix of letters, numbers, and symbols. Additionally, you should avoid using easily guessed words like “password” or easily accessible personal information like your birthdate.

To create a strong password, you can use a password generator like LastPass or 1Password. If you’re creating a password manually, make sure to use a mix of upper- and lower-case letters, numbers, and symbols. For extra security, you can also use a passphrase instead of a traditional password. A passphrase is a phrase made up of multiple words (for example, “correct horse battery staple”). Passphrases are easier to remember than traditional passwords and are just as secure—if not more so.

Don’t use “admin” as your username

One of the most common ways hackers gain access to WordPress websites is by exploiting the “admin” username. If you are still using “admin” as your username, change it immediately!

There are two ways to change your WordPress username:

1. Change it from the WordPress admin dashboard
2. Change it directly in the database (via phpMyAdmin)

We recommend changing your username directly in the database, as it is a more secure method. If you do not have access to phpMyAdmin, you can follow the instructions below to change your WordPress username from the admin dashboard.

Secure Your WordPress Hosting Account

Your WordPress security starts with your hosting account. If you’re on a shared host, your site is only as secure as the other sites on that server. If one of those sites gets hacked, your site could also be compromised. That’s why it’s important to choose a secure WordPress host. In this article, we’ll share seven must-know tips for securing your WordPress website.

Use a secure FTP client

To edit your WordPress files, you need to connect to your WordPress hosting account using an FTP client. WordPress recommends using a secure FTP client like SFTP (SSH File Transfer Protocol).

A secure FTP client encrypts your login details and all data transfered between your computer and the server, making it much more difficult for hackers to intercept and steal your data.

If you’re not sure how to set up SFTP on your hosting account, contact your host’s support team and they will be able to help you.

Use Two-Factor Authentication

One of the most important things you can do to secure your WordPress website is to enable two-factor authentication (2FA). This adds an extra layer of security by requiring you to enter a code from your phone or another device in addition to your password when logging in.

There are many ways to set up 2FA, but we recommend using the Google Authenticator plugin. Once you have the plugin installed and activated, go to its settings page and follow the instructions to set it up.

In addition to 2FA, we also recommend using a strong password for your WordPress account. A strong password is at least 12 characters long and includes a mix of uppercase and lowercase letters, numbers, and symbols.

Protect Your wp-config.php File

Your wp-config.php file is one of the most important files on your WordPress website. This file contains your website’s configuration information including your database connection details. That’s why it’s important to take extra steps to protect this file. In this article, we’ll share 7 must-know tips for securing your wp-config.php file.

Use a security plugin

A security plugin is one of the most important tools you can use to protect your WordPress site. There are many great security plugins available, but we recommend using the iThemes Security plugin. This plugin offers a variety of features to help secure your WordPress site, including user account security, malware scanning, and firewall protection.

To install the iThemes Security plugin, log in to your WordPress site and navigate to the Plugins » Add New page. Then, search for iThemes Security and install the plugin.

Once the plugin is installed and activated, you will be redirected to the iThemes Security dashboard. From here, you can configure the various security settings for your WordPress site. We recommend that you take some time to review all of the available options and configure them according to your needs.

Manually edit your wp-config.php file

For increased security, you can edit your wp-config.php file to include the following:

1. Disable file editing – By default, WordPress allows users with admin privileges to edit theme and plugin files directly from the WordPress dashboard. However, if a user’s account is hacked, this could give the hacker access to your website’s source code. To disable file editing, add the following line of code to your wp-config.php file:

					define( 'DISALLOW_FILE_EDIT', true );

2. Change the default database table prefix – By default, WordPress uses the “wp_” prefix for all database tables. However, since this is a very common prefix, it makes your website more vulnerable to SQL injection attacks. To change the database table prefix, add the following line of code to your wp-config.php file and replace “wp_” with your preferred prefix:

					$table_prefix = 'wp_';

3. Specify strong salts and keys – Salt keys are used to encrypt and secure information in your WordPress database. To specify salt keys, add the following lines of code to your wp-config.php file:

					define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put you6rzt5yu8rdiuytfghbnmki47yrtfdeghujhgtfrdegytqsefgxfgb Assuredly light Transversely epidemic buy baclofen armada.'); define('NONCE

Secure Your Database

One of the most important things you can do to secure your WordPress website is to secure your database. Your WordPress database stores all of your website’s data, including posts, pages, comments, and settings. If your database is compromised, your entire website is at risk. There are a few simple steps you can take to secure your database and keep your website safe.

Use a security plugin

If you’re serious about securing your WordPress website, then you need to install a security plugin. There are many great options to choose from, but we recommend either Wordfence or Sucuri. Both plugins offer features that will help to secure your site, including malware scanning, user activity monitoring, and blocking malicious traffic.

There are a number of great security plugins available for WordPress, so it’s important to choose one that will work best for your site. We recommend checking out the following plugins:

Manually secure your database

1. Choose a strong password for your database user. A strong password is at least 12 characters long and contains a mix of uppercase and lowercase letters, numbers, and symbols.

2. Connect to your database server using SSL. This will encrypt the connection between your WordPress site and the database, making it more difficult for someone to intercept the communication and steal sensitive information.

3. Restrict access to your database server to trusted IP addresses only. This will prevent anyone who doesn’t have an authorized IP address from even attempting to connect to your database.

4. Use a WordPress security plugin that includes a firewall. A WordPress firewall will help protect your site by blocking malicious traffic before it even reaches your site.

5. Regularly back up your WordPress database. This way, if something does happen to your database, you can restore it from a previous backup instead of starting from scratch.

6. Keep WordPress and all plugins and themes up to date. Outdated software is often the target of attack, so it’s important to keep everything on your site up to date in order to patch any security vulnerabilities that may exist.

7. Use a hosting provider that specializes in WordPress hosting . A good WordPress host will take care of some of the security tasks for you, making it one less thing you have to worry about.

Limit Login Attempts

One of the most important things you can do to secure your WordPress website is to limit login attempts. This means that if someone tries to log in to your site and fails, they will only be able to try a certain number of times before they are locked out. This helps to prevent brute force attacks, where someone tries to guess your password by trying a bunch of different combinations.

Manually edit your .htaccess file

One of the most effective ways to secure your WordPress website is by editing your .htaccess file to limit login attempts. By doing this, you can prevent hackers from repeatedly guessing your password and brute-forcing their way into your site.

There are two things you need to do in order to edit your .htaccess file:

1. Access your website via FTP or SFTP.
2. Navigate to the /wp-content/ directory and look for a file called .htaccess.

If you can’t find the .htaccess file, it’s likely that it’s been hidden. In order to see hidden files, you will need to change your FTP client’s settings. For instructions on how to do this, please consult your FTP client’s documentation.

Once you have found the .htaccess file, download it to your computer and open it in a text editor. Then, add the following code at the top of the file:

					# BEGIN Limit Login Attempts

SecRuleEngine On
SecRule REQUEST_FILENAME "!/wp-login.php" "phase:2,nolog"
SecRule LOGIN_ATTEMPTS ">=5" "drop,t:normalizePath,ctl:rulesEngine=Off"

# END Limit Login Attempts

This code will tell mod_security3 (if it’s installed on your server) to monitor requests made to wp-login.php and drop any request that comes from an IP address that has made more than 5 login attempts within a 5 minute period.

Hide Your WordPress Login Page

One of the most important things you can do to secure your WordPress website is to hide your login page. By default, the login page for WordPress is wp-login.php. However, this page can be easily guessed by hackers and used to brute force their way into your site.

If you’re comfortable editing code, you can add the following to your site’s .htaccess file to secure your WordPress login page:

					# block wp-admin by IP
order deny,allow
deny from all
allow from

This will block all traffic to your wp-admin directory, except for visitors with the IP address (which is usually your local machine). Of course, you’ll need to replace with your own IP address before saving the file.

Monitor Your Website for Malware

One of the most important things you can do to secure your WordPress website is to monitor it for malware. There are a few different ways to do this, but one of the best is to use a WordPress plugin like Wordfence. This plugin will scan your website for malware and notify you if anything is found.

Manually scan your website for malware

1. Use a reputable scanning tool. ideally, you should use a tool that is updated frequently so that it can detect the latest threats. Some of the most popular tools are Sucuri SiteCheck, Wordfence, and Virus Total.

2. Choose a complete scan. This will scan your entire website, including all of the files and folders on your server.

3. Allow the scan to run. This may take several minutes or longer, depending on the size of your website.

4. View the report and take action as needed. If any malware is found, you will need to remove it from your website immediately. Be sure to follow any instructions provided by the scanning tool so that you do not miss any steps in the process.


Following these seven tips will help to secure your WordPress website. Keep your WordPress and plugins up to date, use strong passwords, don’t use the admin username, use a security plugin, limit login attempts, use two-factor authentication, and back up your website. Implementing even a few of these tips will make your website more secure.

More To Explore

WAIT! Before you go...

Get A 100% Free SEO Audit of your website!

Sign up below and receive a FREE no obligation Search Engine Optimization report of your business website.

See how your website ranks on Google compared to your competitors!