If you have a WordPress website, then you should always be serious about security. WordPress is the world’s most popular Content Management System (CMS). According to W3Techs, 32% website is powered by WordPress. Due to its popularity, hackers are more attracted to it.
In this article, I’m going to share top WordPress security tips that help to secure your WordPress website from hackers.
WordPress Security Tips 2019
WordPress is a very secure blogging platform and is improving security through regular updates. So that hackers can not hack the site created on WordPress.
However, many websites are still being hacked. In which there is no mistake of WordPress. The entire credit goes to the website owner when site being hacked. There are some responsibilities that the owner of the website should take care.
Here are some tricks that can help protect your WordPress website from hackers. By implementing these tricks, you can take your WordPress security to a new level.
1. Change Default admin Username
Admin is the most common username for WordPress sites and everyone knows this, even hackers too.
When you install your site on WordPress, the admin is set by default in the Username field. However, we can change this and I also recommend it.
If your site’s username is admin, then it makes brute-force attacks easy for hackers.
WordPress does not allow to change username by default, but do not worry there are two ways that you can use to change it.
- With Username Changer Plugin
- By Create a New User and Delete The Old One
Here I have explained a detailed guide on changing the WordPress username.
2. Change Login URL
WordPress’s default login URL is wp-login.php, wp-admin which all WordPress users and hackers know well.
Hackers constantly try to log in with username and password. But by changing this default login URL page, 99% brute-force attack can be stopped. Reason finding a changed login URL page becomes too difficult for anyone.
You can change your default login URL by installing and activating WPS Hide Login plugin from the WordPress repository.
Here’s a guide – How to Change WordPress Default Login URL
3. Use Two Factor Authentication
Two Factor Authentication (2FA) Adds an additional Security layer to your WordPress login page. When you enter a username and password on your login page, you will have to enter the secret code which will be in your phone only.
As a Two Factor Authentication, a user has various types of options (OTP, Email Verification, Google Authenticator). Of which you can use anyone to improve your WordPress login page security.
Here’s a guide,
- Jetpack Two Step Authentication: Enable Two Factor Authentication to Make Your Site More Secure
- How to Enable WordPress Two-Factor Authentication for Free
- 5 Best Two Factor Authentication WordPress Plugin
4. Use Strong Passwords
According to WordPress Security always use a strong password. For this, you can use the WordPress password generator tool.
Furthermore to maintain better WordPress security, the login password of the website or blog should be changed every few days.
Also, use uppercase, lowercase, special characters # $ – ‘^ & to generate a strong password.
5. Block Suspicious IP
If someone tries to log in to WordPress website repeatedly with incorrect username and password then block such a user’s IP. Here is a
To further improve login security set login limit up to
6. Rename the WordPress Database Table Prefix
When you install WordPress website, its database table prefix name starts with wp_. To see it, go to the phpMyAdmin section by logging in cPanel. Here you will find the name of the database table prefix – wp_comments, wp_options, wp_links etc.
Hackers know this default database table prefix well and spammers and hackers run automated codes for SQL injections. Here is a guide on Wpbeginner – How to Change the WordPress Database Prefix to Improve Security
Otherwise, you can use All In One WP Security & Firewall to change it.
7. Regular Backup of Your WordPress Site
Backup is the best weapon.
Suppose your site is completely hacked. Its content and all data are also deleted, in this situation, you can make your WordPress website completely like before by backup.
If you do not have a backup, then understand that your site is completely over. The hard work of your years has been ruined. From this, you can understand how important it is to regularly backup the site.
If you do not have a backup, then your site will be unusable. Your years of hard work will be ruined. Therefore, it is very important to back up the website regularly.
- How to Backup WordPress site completely using UpdraftPlus plugin
- How to Take Backup of WordPress Site from cPanel Manually
Regular backup of your website is one of the most crucial tasks. No matter how we increase WordPress Security for the hackers, the room remains somewhere.
Furthermore, keep your backup file remote storage such as Google Drive, Dropbox, Amazon S3, etc.
VaultPress is a premium backup plugin from Automattic that provide real-time backup and security scanning service. But for this, you have to spend money. There are many more free WordPress backup plugins available in the market.
- UpdraftPlus WordPress Backup Plugin
- All-in-One WP Migration
- Backup & Restore Dropbox
- Duplicator – WordPress Migration Plugin
8. Update WordPress Core File
The WordPress Developer Team regularly updates WordPress to fix its bugs, security patches, etc. Therefore, always keep your WordPress site up-to-date. If you do not take the updates seriously, you may have to face security vulnerabilities. Hackers can inject malware into your site.
Plugins and themes that have not been updated for years, do not use them. Use their alternatives.
9. Disable File Editing from Dashboard
WordPress allows you to edit your theme and plugin files directly from your WordPress dashboard. This feature can raise security risk on your site. That’s why I recommend turning it off.
To disable it, simply paste the following code in your wp-config.php file before /* That’s all, stop editing! Happy blogging. */ line.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Alternatively, you can use All In One WP Security & Firewall to disable with 1-click.
Note: Before putting the code, backup your wp-config.php file.
10. Secure WP-Config.php file
The wp-config.php file contains with sensitive data such MySQL settings, Secret keys, Database table prefix, ABSPATH etc. Therefore it is very important to secure it.
You can disable editing feature for WP-Config.php by putting the following code snippet into the
deny from all
Furthermore, you can set permission for it – 400 or 440. So that no other user could read or write it.
It is very important to secure wp-config otherwise your site may be hacked from this small file.
11. Change Permissions for File and Directories
Changing file permissions for WordPress Security is also a good step in securing the site. But if you misconfigure, it can put your site security in danger.
According to WordPress.org, all directories must have “750” or “755” permissions and for files “644” or “640”.
For wp-config.php this permission should be “440” or “400”.
The permissions of the directory should not be “777”. If the permissions of any directory or file is “777”, then change it immediately. Because it’s not right for WordPress security.
You can manually change it. Just log in to your cPanel and navigate to File Manager. In addition, you can also change via an FTP connection. For this, you need to download a Filezilla.
Otherwise, you can use All in one wp security and firewall plugin to change this permission with a single click.
12. Hard Password for User Account
Here is a plugin – Force Strong Passwords that forces the user to use strong and difficult passwords. This plugin is very useful for multi-author blogs.
13. Disable Directory Indexing and Browsing
Directory browsing is used by hackers. Through this hackers try to find out the location of files in your site and what is the weakness in it. Then try to hack the site.
Some WordPress folders, such as wp-content, wp-include contain with sensitive data. Which can be easily seen by directory browsing. The WordPress website’s themes, plugins and media uploads are stored in the wp-content folder. Anyone can access this content or data and hack the site.
If you do not disable directory browsing, it is like giving an open invitation to hackers.
That’s why it is highly recommended that you turn off directory indexing and browsing. You have to do a simple job to stop the directory browsing. just add the following line in your .htaccess file.
14. Delete WordPress Meta Generator and Version Information
You can also secure your WordPress site from hackers by removing WordPress version. Hackers also search for the version of WordPress website when they hack. Go to ‘View page source’ and see the version Info of any WordPress website.
Anyone can see see the version Info of any WordPress website by going to ‘view page source’.
To secure WordPress website from hackers, remove the WordPress version. All In One WP Security & Firewall plugin can remove it with 1-click.
15. Use SSL Certificates
SSL means ” Secure Socket Layer “. The SSL certificate creates an encrypted connection between your web server and visitor’s browser which makes a secure transfer of personal information.
SSL certificates are often used to secure debit cards/credit card transactions, data transfers, and login etc.
If your site has an SSL certificate, the hacker cannot easily steal your data while transferring.
Now, Google is also using the SSL certificate as a Google ranking factor.
16. Secure Your .htaccess file
To secure this file, just add the following code in it.
<files ~ "^.*\.([Hh][Tt][Aa])">
deny from all
Any unauthorized access to this file can be stopped with the following code.
17. Secure WP Login Page by .htaccess
This is a great way to improve WordPress security by pasting a small code snippet in .htaccess.
This method is not recommended if you do not have a Static IP address otherwise it will also block you.
allow from [insert your IP address]
deny from all
18. Use Antivirus in Your Computer
If you want to improve your WordPress website security more, use a good antivirus in your PC. Many people do not consider it important. But hackers use such viruses that can steal important data, usernames and passwords from computers without antivirus.
That’s it! These are some very easy but effective WordPress security tips, which will help to secure your WordPress site. And can make the hacker’s life more complicated.
Share it & leave comments on what you think about these WordPress security tips.
Find this article helpful? Don’t forget to share!