Home / Blog / How to Secure Your WordPress Site

How to Secure Your WordPress Site

Secure Your WordPress Site

In a previous article, we emphasized the importance of backing up your website. It’s a necessary measure against unwanted situations as cyber attacks, server malfunctions, or mistakenly deleted files. Still, manual or via a plugin, backups are not enough to claim that a website is secure. In fact, there is no 100% secure website, but some sites are easy to hack while others are way more difficult.
More or less, the Pareto principle is valid when it comes to securing your WordPress site. 20% of measures to fortify your website security are enough to make it 80% more secure. From a scientific viewpoint, it’s pretty hard to quantify a site security. Pragmatically speaking, with just a few tweaks and plugins, you can make your site more secure than the majority of existent websites.
Without any further ado, here are some simple measures to secure your WordPress site. Some require manual action while others require using a plugin.

1. Use an Antivirus Software

To secure your WordPress site, your top priority should be the creation of a secure working environment. Therefore, the first measure is to make sure all the devices used to log in to your website are virus-free. Even though you may be on a tight budget, there are a few top-notch free antivirus solutions. Some of the most used antivirus solutions are Avast, Avira, Bitdefender, Kaspersky, and Panda. Check this article to make a clear idea about the best free antivirus solutions. Use any of them and be sure to update them (automatic updates are the best).

2. Update the WordPress Version, Themes, and Plugins

Even the less experienced WordPress users know that updating WordPress version, themes, and plugins is a serious task. However, many users neglect this aspect. It’s the most underrated activity, and lots of hackers profit from your ignorance.

In the case of a hack, developers are guilty until an update is rolled out. However, you are guilty if you don’t install the update.
Put yourself in the shoes of a hacker. Wouldn’t it be an easy job to profit from a zero-day vulnerability? Usually, the fixing patch is released as soon as possible, and each minute lost gives a hacker additional time to profit from your website. Don’t give an extra chance to hackers but update your WordPress version and the themes and plugins used.

3. Choose a Reliable Hosting Provider

host provider
Did you know that from the total number of hacked website, 41% were hacked due to the host’s poor security? Choosing a secure host is capital, and many people sacrifice security for a cheaper provider. It’s understandable to want to go for cheap hosting, but it’s not a good solution in the long run.

When choosing a hosting platform, look at how they treat security. WordPress.org proposes a list of hosting platforms that satisfy WordPress’s minimum requirements. The list isn’t exhaustive, but these suggestions might be a reliable solution for you.

4. Download Themes and Plugins from Trusted Places

The ideal theme or plugin shouldn’t have vulnerabilities or malicious code. However, even great WordPress developers release themes or plugins with vulnerabilities. My recommendation is to buy themes and plugins only from trusted places. At least, you are sure that they didn’t purposely corrupt the theme or plugin.

Don’t use themes or plugins from websites that don’t have a good reputation. This is what we do at Addendio, where we select trusted sources that we add to our catalogue so you don’t have to worry about it.  Also be very wary of sites that offer you great deals on premium plugins/themes. What it might be a great deal is, in fact, a trap to install malicious code on your site!

However, even plugins and themes from popular places could contain security flaws. The fewer themes and plugins you install, the fewer your chances are of being hacked. Try to limit these to the minimum number possible.

5. Complex Passwords

Use complex passwords to secure your WordPress site
complex passwords

This is another seriously underrated piece of advice. Usually, people are inattentive and use a single password for all accounts. Moreover, many use passwords that are terribly simple to guess. Doing so is a huge mistake because hackers use passwords-cracking methods to get control of your website.

Have you ever heard about brute-force attacks? These attacks try to compute your credentials, and a simple password simplifies the guess work.

Sometimes, the numbers speak for themselves. A good cracking software can identify a lowercase six-character password in 5.15 minutes. You need 8 days to crack a password using six letters, numbers, and special characters! That’s a huge difference.

6. Limit Login Attempts

limit login attempts to secure your WordPress site
limit login attempts

In addition to a complex password, limiting the number of login attempts is a decisive measure against brute force attacks. By default, WordPress doesn’t limit the number of attempts to log in. It means that hackers can try as many username and password combinations as they want.
Login LockDown is a plugin that allows you to limit the number of login attempts and set a retry wait time. It’s simple to set up, and it will significantly secure your WordPress website.

Try Login LockDown for Free

7. Change the Login URL

You don’t need to be a hacker to know that WordPress login URLs take the shape of website.com/wp-login.php? or website.com/wp-admin. By changing your login URL, you create some serious trouble for a hacker. Nobody will guess a login page with the URL website.com/go. On top of that, it’s easy and takes less than five minutes to do.
As you probably guessed, there are plugins that do it. We recommend Lockdown WP Admin or iThemes Security.

Try Lockdown WP Admin for Free   Try iThemes Security for Free

8. Add a Security Question on the Login Page

A complex password, a limited number of login attempts, and a customized login URL will fortify your login page. However, you can still add an extra layer of protection by using a security question on the login page. It’s a good measure to take when you have external contributors.
Create a question that is easy for your contributors to answer but difficult for others, and bang!—a hacker encounters another block. WP Security Question is a plugin to secure your WordPress site with a security question.

Try WP Security Question for Free

9. Disable the Theme and Plugin Editor

theme and plugin editor
If you didn’t know that WordPress has a built-in theme and plugin editor, then disable it. If you use it sparingly, disable it. Consider keeping it only if you use it regularly.
The built-in editor lets you customize themes and plugins, which means that deleting a single line of code may crash the entire website. In this way, a hacker who has compromised a user account may cause harm the website in no time.

Disabling the editor is simple. Go to your wp-config.php file and insert this line of code:

define( ‘DISALLOW_FILE_EDIT’, true );

10. Use an HTTPS Encryption

Anytime someone clicks on a link on your website, the browser exchanges information with the server. If this connection isn’t secure, a hacker can intercept the messages. Sometimes, these messages contain sensitive data such as passwords and usernames. An HTTPS (Hypertext Transfer Protocol Secure) encryption make the data exchange secure.

This encryption can be implemented by installing an SSL certificate. An SSL certificate lets visitors know that you are trustworthy by displaying a green padlock icon. If you run an e-commerce website, you need immediately to buy an SSL certificate.

11. Use a Security Plugin

You don’t have any excuse if you don’t use a security plugin. The WordPress repository is full of security plugins, and some of them are complex solutions to secure your WordPress site. It’s up to you which one you use, but we believe these are probably the best:



Wordfence is one of the most downloaded free plugins; it has more than two million active installs. It’s not an exaggeration to say that it’s a mandatory plugin for every WordPress website. It fulfills many tasks:
– identifies malicious traffic and stops their action;
– blocks common security threats;
– checks and enforces strong passwords for all users;
– scans the website’s core files;
– monitors traffic in real time.
Certainly, Wordfence has the potential to secure your WordPress site against a lot of viruses and hackers.

Try Wordfence for Free

Sucuri Security

Use sucuri security to secure your WordPress site

Sucuri Security is another plugin that strengthens the security of a website. It’s a complex plugin that removes malware, monitors file integrity, and notifies the admin for special actions. 300+ people trust and use this plugin. Therefore, it fully deserves your attention.

Try Sucuri Security for Free

Bullet Proof Security

Use bullet proof security to secure your WordPress site

Bullet Proof Security is another complex plugin to secure your WordPress site. It is for less experienced users; it benefits from a one-click setup wizard. This plugin assures firewall security, hides the plugins folder, changes the prefix of your database table, and monitors logins. Additioally, it creates backups of files and databases.

Try Bullet Proof Security for Free


In conclusion, it’s not rocket science to secure your WordPress site. It’s mostly about using good security plugins and focusing on simple measures.
What do you do to improve your website’s security? Do you have a special tip that wasn’t mentioned here? Please leave us a comment with your thoughts.


Author: Daniel

Daniel Pintilie is part of our editorial team and he enjoys writing articles about WordPress, development, and Internet Marketing. In his spare time, Daniel plays video games and reads non-fictional books.

Add your opinion

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>