
How to secure WordPress websites: A Step-by-Step Guide 2020


So you own a WordPress website and are wondering how to secure it and keep the bad guys out? In this article I share a step-by-step guide you can follow to protect your WordPress website from getting hacked.


Today, WordPress is the most widely used and most popular web publishing software, with 60.4% of the market share, which means that 33.5% of all websites online use WordPress. WordPress users are therefore more likely to be attacked by hackers, and that is why you should learn how to secure your WordPress website and protect it from prying eyes. Since you are reading this article, you probably already own a WordPress website; if you don’t, learn how to install WordPress on a server and on localhost.


Now let’s dive into the process and see what actions you can take to secure your WordPress website against attackers.

How to secure WordPress websites?

Follow the steps below one by one. Apply all of them together to tighten security and make it much harder to break into your website.

Secure WordPress website from online attacks

1. Setting up a strong firewall

Setting up a strong firewall that monitors the traffic coming in to and going out of your web server is crucial. The firewall should apply strict rules to verify users and restrict those performing abnormal activity. The easiest way to set one up is to install a security plugin such as Wordfence, iThemes Security (formerly Better WP Security) or All In One WP Security & Firewall. These plugins add a layer of security to your site and are easy to install and configure: install any one of them and follow its setup wizard.

These plugins usually offer several features, such as:

  • Firewall (blocks malicious traffic)
  • Login security
  • Two-factor authentication (limits brute-force attacks)
  • Google Captcha (controls spam)
  • Automatic blocking of malicious users and attacks, and more

That is why you should not skip installing one of these plugins to protect and secure your WordPress website.

2. Changing the admin login route or URL

Since WordPress is open source, everyone knows the admin login URL of a typical WordPress website: it is /wp-login.php or /wp-admin. Anyone can reach it if you leave the login URL unchanged, so change the admin login URL of your WordPress website. This can be done simply by installing a plugin such as WPS Hide Login; there are several plugins like it in the WordPress repository.

Follow these steps to set up WPS Hide Login:

  • First, install the WPS Hide Login plugin for free from the WordPress repository.
  • Go to Settings > WPS Hide Login
  • Under WPS Hide Login, set the new login URL > Save Changes.

Hiding the login URL helps protect the site against brute-force attacks, but only as long as you keep the new login URL secret.

3. Limit Failed Login Attempts

Limiting failed login attempts is a great way of dealing with brute-force attacks. A user who makes several failed login attempts in a row is very likely not genuine, and you should block them before they figure out the correct password and get into your website. Limiting failed login attempts to 3 or 4 is a good setting.

You can use plugins like Limit Login Attempts, WPS Limit Login, etc. However, some security plugins already include this feature, which eliminates the need for a separate plugin. Remember that installing more plugins has an adverse effect: it can significantly slow down your website’s loading speed.
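As an added illustration (not code from this page or from any of the plugins named above), here is the policy these plugins implement, written in standalone Python: failed attempts for a client IP and username are counted within a sliding time window, and once they reach the limit the key is locked for a fixed period, during which even the correct password is refused. The IP address, username and timestamps in demo() are constructed; the 3-attempt limit follows the text.

```python
# Added example: a time-windowed failed-login limiter of the kind the
# "Limit Login Attempts" plugins implement. Standalone Python, no WordPress
# dependency. Keys, timestamps and thresholds below are illustrative.
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    max_failures: int = 3            # the page suggests 3 or 4 attempts
    window_seconds: float = 600.0    # failures older than this are forgotten
    lockout_seconds: float = 1200.0  # how long a locked key stays blocked
    _failures: dict = field(
        default_factory=lambda: defaultdict(deque), init=False, repr=False
    )
    _locked_until: dict = field(default_factory=dict, init=False, repr=False)

    def _prune(self, key, now):
        """Drop failures that fell out of the sliding window."""
        q = self._failures[key]
        while q and now - q[0] > self.window_seconds:
            q.popleft()

    def is_locked(self, key, now):
        """True while the key is inside its lockout period; clears expired lockouts."""
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, key, now):
        """Count a failed attempt; return True if this one triggered a lockout."""
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, key):
        """A correct login resets the counter for that key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def attempt_login(limiter, key, password_ok, now):
    """Decide one login attempt: 'locked', 'ok' or 'failed'.
    The lockout check runs first, so even a correct password is refused
    while the key is locked; that is what slows a brute-force attacker down."""
    if limiter.is_locked(key, now):
        return "locked"
    if password_ok:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key, now)
    return "failed"


def demo():
    """Three wrong passwords in quick succession lock the key; the correct
    password is refused until the lockout expires."""
    limiter = LoginLimiter(max_failures=3, window_seconds=600, lockout_seconds=1200)
    key = ("198.51.100.7", "admin")  # constructed client IP (documentation range) and username
    results = [attempt_login(limiter, key, False, t) for t in (0, 5, 10)]
    results.append(attempt_login(limiter, key, True, 15))         # right password, still locked
    results.append(attempt_login(limiter, key, True, 15 + 1200))  # lockout over
    return results


if __name__ == "__main__":
    print(demo())  # ['failed', 'failed', 'failed', 'locked', 'ok']
```

Keying on the IP address and username together means one attacker cycling through usernames still hits the limit per account, while a legitimate user who mistypes a few times from their own address is the only one locked out.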

4. Changing the admin username

In most cases website owners keep the admin username as “admin”, which makes them an easy target: the hacker doesn’t have to figure out which user has administrator privileges on your site. So never use “admin” as a username on a WordPress site.

If you have already set “admin” as your username, you can change it easily with a plugin such as Username Changer. Otherwise, you can make the change manually in the database using phpMyAdmin.

5. Keep strong and complex passwords

Keeping your password similar to your username or your name is very dangerous: a hacker can guess such a password in no time and break into your site. You can use a password manager to generate and store complex passwords for you. It will also sync your passwords across your other devices so you never have a problem signing in from them. So always keep strong passwords, for your WordPress website and for any other account.

6. Monitoring changes made in your site

Monitoring the changes made to your site is good practice. If you keep track of the different activities performed on your site, you can quickly detect abnormal activity and take the necessary actions to prevent damage. You can do this by installing plugins like Simple History, WP Security Audit Log, Activity Log For MainWP, etc. Install any of these plugins and keep track of the changes performed on your site to keep your WordPress website secure.

7. Enable two-factor authentication (2FA)

Enable two-factor authentication (2FA) for logging in to your site. It is crucial because even if someone guesses your password, they still won’t be able to access your dashboard: the 2FA step will fail. So setting up 2FA does increase your website security. You can find this feature in the security plugins mentioned in the first point, or use a separate plugin instead.

8. Enable a captcha on login

Enabling a captcha on the login form helps prevent brute-force attacks, so always enable a captcha to keep bots out and secure your WordPress website. This feature is also found in the security plugins mentioned in the first point, or you can use a separate plugin.


Secure WordPress website at the hosting level

1. Disable folder indexing at hosting

If a folder of your WordPress site does not contain an index.html or index.php file, the server returns a list of all the files present in that directory. As a website owner you never want to show which files are on your web server: it helps an attacker find out which themes and plugins you are using, and that gives them more information to plan an attack on your website. So always turn off folder indexing (directory listing) in your hosting account to secure your WordPress website.

Steps to disable folder indexing at your hosting:

  • Log in to your cPanel.
  • Go to the Folder Index Manager section.
  • Select the wp-content, wp-admin and wp-includes folders > choose No Indexing > Save changes.

2. Disable theme/plugin file editing

A user with admin access to your site can edit the theme and plugin files installed in your WordPress site. If a hacker gets hold of any account with admin rights, they can then easily modify your website files. To prevent such attacks, always disable file editing; this is one more way to protect and secure your WordPress website.

You can do so by adding a single line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);


3. Password protect the wp-admin Directory

Protecting your wp-admin directory is also very important. The wp-admin folder is the core of WordPress; if someone gets access to it they can easily edit the code files in there, and once somebody changes or adds malicious code to your website files, that change is very hard to detect. So password protecting the wp-admin directory is a good idea for securing WordPress websites.

Steps to password protect the wp-admin directory:

  • Visit the cPanel of your hosting provider
  • Navigate to the Password Protect Directories feature
  • Select the wp-admin directory > Set a password > Save
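The detection problem raised in this section (a changed or added file under wp-admin going unnoticed) is what a file-integrity check addresses, and it also complements the activity-log plugins from point 6 of the previous section, which record actions taken in the dashboard but not direct edits on disk. The following is an added, standalone Python example, not code from this page or from any plugin it names: it hashes every file under a site root, saves the result as a baseline, and later reports files that were added, removed or modified. The directory layout and file contents in demo() are constructed stand-ins for a WordPress tree.

```python
# Added example: a minimal file-integrity baseline for a WordPress tree.
# Standalone Python; the files created in demo() are constructed stand-ins,
# not real WordPress core files.
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, skip_dirs=("uploads", "cache")):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256.
    Directories that legitimately change all the time are skipped so the
    report stays readable; everything else, including wp-admin, is covered."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def save_baseline(baseline, path):
    """Store the baseline outside the web root: an intruder who can edit site
    files must not be able to rewrite the baseline along with them."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Snapshot a toy site, tamper with it, and report the differences."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb" if isinstance(data, bytes) else "w") as f:
                f.write(data)

        # constructed stand-ins for a WordPress tree
        write("wp-admin/index.php", "<?php // stand-in for a core file\n")
        write("wp-includes/version.php", "<?php // stand-in for another core file\n")
        write("wp-content/uploads/photo.jpg", b"\xff\xd8 constructed image bytes")

        baseline_path = os.path.join(store, "baseline.json")  # kept outside the site root
        save_baseline(build_baseline(root), baseline_path)

        # simulate the kind of change this section warns about: a core file is
        # modified, a new file appears, and another file disappears
        write("wp-admin/index.php", "<?php // stand-in for a core file\n// unexpected extra line\n")
        write("wp-admin/unexpected.php", "<?php // file that was not in the baseline\n")
        os.remove(os.path.join(root, "wp-includes", "version.php"))

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run build_baseline right after a clean install or update and again on a schedule; any path in the report that you did not change yourself deserves a look. The uploads folder is excluded here because its contents change with every media upload, but a file ending in .php appearing under it would be worth its own check.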

4. Hiding the “wp-config.php” file

wp-config.php is the main configuration file of a WordPress website. It contains vital information needed to run your site, including confidential details such as the database name, database username, database password and several other settings, so protecting this file is a priority. By default wp-config.php sits in the public_html directory of your server. You can move the file out of the public_html folder (into the directory directly above it) and it will not break your website. This is another way to secure your WordPress website.

5. Using SSL for data encryption

Using SSL not only secures your WordPress website but also helps gain the trust of your visitors. An installed SSL certificate encrypts all connections made to your website and helps protect your website’s data. If your site’s address does not start with https://, browsers tell visitors that your website is not secure and unsafe to visit.

You can buy an SSL certificate from a leading CA (Certificate Authority), or get a free certificate for your website from a free CA such as Let’s Encrypt.

Secure WordPress websites: Some extra security measures

1. Add Cloudflare to secure WordPress website

(Image, source: cloudflare.com)

Cloudflare is a web-services company that provides content delivery network (CDN) services, DDoS mitigation, internet security and more. You may already have put Cloudflare in front of your WordPress website to add SSL or to make it load faster. But did you know Cloudflare also provides a firewall feature that you should use to add an extra layer of security to your WordPress website? You can set firewall rules to block malicious traffic. Let’s see how to set up a Cloudflare firewall rule to secure a WordPress website.

We will block visitors from other countries who try to reach our admin routes. There is no need for users from other countries to visit our website’s admin panel or dashboard.

Steps to set up a Cloudflare firewall rule to block these requests:

  • Log in to Cloudflare.com > select your website.
  • Go to the Firewall section > Firewall Rules
  • Create a new firewall rule > add a name
  • Click Edit expression > paste the expression below
  • Choose the action Block > Save

((http.request.uri.path contains "/wp-login.php") or (http.request.uri.path contains "/xmlrpc.php") or (http.request.uri.path contains "/wp-admin/" and not http.request.uri.path contains "/wp-admin/admin-ajax.php" and not http.request.uri.path contains "/wp-admin/theme-editor.php")) and ip.geoip.country ne "US"


Here we block visitors who try to reach the admin routes from any country other than the US. Change the country code to your own country, otherwise you will block yourself. Also make sure the exempted paths (admin-ajax.php and theme-editor.php) are typed exactly, with no stray space inside the quotes; the contains test is a literal match, and a typo there means the exemption never applies.
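To see what the rule above actually does before enabling it, here is an added Python model of its logic (example code written for this page, not Cloudflare's rule engine and not from the original article). It reproduces the expression's path test and country test as ordinary string comparisons, so you can feed it sample requests and check which ones would be blocked; the paths and country codes below are constructed test inputs.

```python
# Added example: a Python model of the Cloudflare firewall expression quoted
# on this page. Not Cloudflare's engine; it mirrors the expression's logic so
# the block/allow decisions can be checked offline. Inputs are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    path: str     # stands in for http.request.uri.path
    country: str  # stands in for ip.geoip.country (ISO 3166-1 alpha-2)


HOME_COUNTRY = "US"  # the page's rule uses "US"; set this to your own country code


def is_admin_route(path):
    """The path half of the expression: login page, XML-RPC endpoint and
    anything under /wp-admin/ except the two scripts the rule exempts.
    Cloudflare's `contains` is a literal, case-sensitive substring test,
    which is exactly what Python's `in` does here."""
    if "/wp-login.php" in path or "/xmlrpc.php" in path:
        return True
    return (
        "/wp-admin/" in path
        and "/wp-admin/admin-ajax.php" not in path
        and "/wp-admin/theme-editor.php" not in path
    )


def should_block(req, home_country=HOME_COUNTRY):
    """Full rule: admin route AND country differs from the home country."""
    return is_admin_route(req.path) and req.country != home_country


def evaluate(requests, home_country=HOME_COUNTRY):
    """Return (path, country, decision) for each sample request."""
    return [
        (r.path, r.country, "block" if should_block(r, home_country) else "allow")
        for r in requests
    ]


# constructed sample traffic
SAMPLE_REQUESTS = [
    Request("/wp-login.php", "DE"),             # foreign login attempt -> block
    Request("/wp-login.php", "US"),             # home-country login -> allow
    Request("/wp-admin/admin-ajax.php", "DE"),  # exempted: front-end AJAX -> allow
    Request("/wp-admin/edit.php", "FR"),        # foreign dashboard access -> block
    Request("/xmlrpc.php", "BR"),               # foreign XML-RPC -> block
    Request("/2020/05/some-post/", "DE"),       # ordinary page -> allow
]


if __name__ == "__main__":
    for path, country, decision in evaluate(SAMPLE_REQUESTS):
        print(f"{decision:5} {country} {path}")
```

Because every comparison is a literal substring match, a typo in one of the exempted paths (a space inside the quotes, for instance) makes that exemption never match, and front-end features that call admin-ajax.php would start failing for foreign visitors. Running sample requests through a model like this before saving the rule catches that kind of mistake.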

More about Cloudflare firewall rules: Read more

2. Always update your themes and plugins

Themes and plugins may contain bugs and security flaws. Developers fix them and ship updates, and you must install those updates to stay safe. If you don’t, there is a chance of getting hacked through a vulnerability that was present in an older version of the theme or plugin. Updating is a great measure to secure WordPress websites.


3. Never use nulled themes or plugins

Using nulled (pirated) themes is the main reason why most people get hacked. Nulled themes contain malicious code that helps the hacker take over your site, and finding malicious code embedded in a nulled theme or plugin is almost impossible. Even if you take all the other security measures, you can still get hacked this way, so stay away from nulled themes. Buy a theme from the original author or use a free theme instead.

These are some of the steps you can take to secure WordPress websites. In this article I have mentioned multiple plugins to install; as noted earlier, installing too many plugins can slow down your website, which you obviously don’t want, so prefer plugins that combine several features and skip the single-purpose ones. Did I miss anything? Let me know in the comments below.

I will update the article when I find new ways to protect and secure WordPress websites. Thanks for reading, and do share it with your friends.



