How to Secure WordPress Website: 17 Best Practices

How often do WordPress websites get hacked? 

Approximately 9 websites per minute, 13,000 a day, 390,000 a month, and 4.7 million a year. That’s how many WordPress sites get hacked.

Despite hosting over 43% of all websites, WordPress remains quite vulnerable because of its open-source nature.

Consequently, ignoring security precautions results in WordPress websites becoming more vulnerable to hacker attacks.

What is the solution, then? How to secure WordPress website from security threats?

In this guide, you’ll learn about all the key safety practices you should implement for your site. Consider these as WordPress security checklists to protect your site.

1. Restrict Access to the wp admin Directory

Wp-admin, also known as the house login page, is the gateway to your website’s administrative backend. Clearly, it’s the heart of your website, which is why restricting access to it will make your site more secure and solid. 

Limiting access to the wp-admin directory ensures that only authorized users can manage the website’s settings and content. Using this proactive measure, all unauthorized users, including potential attackers, cannot gain access to the site’s backend.

You can limit access to wp admin in different ways, like:

• IP whitelisting: Protecting the administrative area from unauthorized access by allowing only access from specific IP addresses.
• Two-factor authentication (2FA): Add an additional layer of defense by using a second form of identification.
• Changing login URLs: Change the default login URL for wp admin to prevent unauthorized access.

These are fundamental steps to ensure the robust security of WordPress websites. Ensure that you implement all these to keep your site protected from cyber threats.

2. Use a Unique Username and Password:

Following restricting wp-admin directory access, you should immediately use robust login credentials.

Creating a secure username and password is a crucial step in protecting your website. Using usernames like ‘’admin’’, ‘’administrator’’ or ‘’test’’ makes your site more vulnerable to hackers.

By changing the default username to something unique, you will prevent potential brute force attacks. Likewise, use a strong password policy that includes a mix of uppercase and lowercase letters, numbers, and symbols for added security.

Here are some suggestions you can follow to create strong passwords:

• Length: Always aim for at least 12 characters as longer passwords are more difficult to crack.
• Complexity: Mix upper and lowercase letters, numbers, and symbols. Do not use predictable patterns or personal information.
• Uniqueness: Create an individual password for each of your online accounts. Never use the same password for multiple sites.

3. Set a Limit on Login Attempts:

WordPress’ unlimited login attempt feature makes things easier but exposes it to brute force attacks at the same time. Default settings allow users to attempt unlimited logins, making it easier for hackers to guess the password by trying different combinations.

Even so, you can secure WordPress site by limiting login attempts using a plugin. Choose high-quality security plugins to stop unauthorized login attempts by limiting the number of tries.

With plugins, you can limit how many incorrect passwords are allowed before locking the user’s account. Some of the best login security plugins are:

• Limit Login Attempts Reloaded
• Limit Attempts by BestWebSoft
• Loginizer

4. Use Only Trusted WordPress Plugins: 

Not using a safe and trusted WordPress plugin is a common reason many site owners face security issues. Installing and using unsafe plugins can expose your site to hacking, as many contain vulnerabilities or malicious code.

Although WordPress boasts an extensive collection of 59,556 free plugins, you shouldn’t look elsewhere. Also, if you want to check the security of a plugin, you can use  WordFence or WPScan.

5. Get Your Safety on the Top with Salt Changes:

One of the most critical but often overlooked security precautions is not changing salt keys. It adds another layer of protection when saving passwords, signing into cookies, and so on.

When you set a password on your site, it’s initially saved as plain text.. Afterward, WordPress safeguard password by hashing passwords before storing them in the database.

The hashing process strengthens passwords against different types of attacks, such as rainbow table attacks. You can manually change your site’s salt keys or use plugins like Salt Shaker.

6. Keep WordPress, Theme and Plugin Up-to-date:

Using outdated versions of WordPress, themes, plugins, and add-ons can pose significant security risks. Outdated software may have security vulnerabilities that hackers can use to break into your site, putting your data at risk of theft or malware.

WPScan reports that outdated plugins account for 52% of WordPress vulnerabilities, and outdated themes contribute to 11%. To ensure the security of your site, it’s crucial never to neglect updating all the software.

Additionally, updates not only address security issues but also include bug fixes and performance optimizations. Keeping your website’s software up-to-date is essential for enhancing stability, speed, and overall user experience. 

7. Routinely Backup Your Website to Maintain Data Integrity:

Having a backup is one of the first defenses against WordPress security threats, and it’s true.  You can’t predict when your site might encounter various issues, including cyberattacks or physical damage to a data center.

As a result, when you have a backup of your site, you can restore it without difficulty. And when it comes to backups, most hosting companies offer reliable backups these days.

If that’s not enough, there are free and paid plugins to help. Whenever you use a backup plugin or service, ensure that it regularly saves your entire site.

8. Change WordPress Database Prefix:

It may seem unconventional, but maintaining default settings on your website leaves it vulnerable to cyberattacks. Consequently, changing the WordPress database prefix is advisable as a website security measure.

WordPress database stores crucial information for your website’s seamless operation. And by default, WordPress employs ‘’wp_’’ as the prefix for all tables within the database.

If your site is targeted by a hacker, the default table prefix makes it easy for them to guess and exploit vulnerabilities. In this case, you can either change the database prefix manually or use your hosting’s phpMyAdmin.

We’ll show you how to change WordPress database prefix with a cPanel in the section below:

1. Log in to cPanel and access phpMyAdmin.
2. Select your WordPress database.
3. Edit wp config.php:

Open the file, find $table_prefix = ‘wp_’;, and change it to $table_prefix = ‘newprefix_’; (replace newprefix_ with your actual new prefix).

4. Rename tables in phpMyAdmin:

• Select all tables with the old prefix.
• Under “With selected:” choose “Replace table prefix”.
• Enter the old and new prefixes, then click “Go”.

5. Save wp config.php. After that clear caches and visit your site to check if it’s functioning properly.

Note: To mitigate the risk of accidental data loss, back up the database before making any changes

9. Switch to a Security-focused Hosting Service:

According to GoDaddy, 41% of websites have been hacked because of vulnerabilities in their hosting providers. Therefore, in today’s digital world, overlooking your hosting provider’s security is simply not an option.

Go for a quality hosting provider with a strong focus on advanced security to ensure a protective hosting environment. Pay attention to the following key aspects:

• Web Application Firewall WAF: Protect your website against unauthorized access by installing barriers.
• Content Delivery Network (CDN): Spreads content to servers worldwide for better performance and security.
• DDoS Protection: Ensure that your website is not affected by Distributed Denial of Service attacks.
• Domain name privacy: Protect your personal information when registering a domain.
• Spam Filters: Stop unwanted and potentially harmful emails from reaching your inbox.
• Virus Protection: Define and implement measures to detect and eliminate malware threats.
• Integration of the latest PHP and MySQL technologies: To ensure compatibility with the latest web development technologies.
• Secure File Transfer Protocol (SFTP or SSH): Ensure secure file transfers between your server and your PC.
• SSL certificates: Integrate Secure Socket Layer (SSL) certificates on your website to safeguard data integrity.

While finding a provider offering everything might be tricky, prioritize these essential features for a worry-free experience. Remember, neglecting hosting security can lead to devastating consequences like data security breaches, downtime, and many more. 

10. Automatically Log Out Idle Users for Extra Protection:

Implementing automatic logout for idle users is a crucial security measure to ensure your site’s safety. WordPress itself does not provide this feature, so you’ll need a plugin like Inactive Logout. Using this plugin, you can set a customized time limit for idle users.

For those with coding expertise, you can manually add a code snippet to your WordPress functions.php file to achieve automatic logout for idle users. Simply Insert the following code:

function auto_logout_idle_users() {
    $idle_time = 600; // Set idle time in seconds (here, 10 minutes)
    if ( ! is_admin() && $_SESSION['last_activity'] + $idle_time < time() ) {
        wp_logout();
        wp_redirect( home_url() );
        exit();
    }
    $_SESSION['last_activity'] = time();
}
add_action( 'init', 'auto_logout_idle_users' );

Users often forget to log out, leaving their devices unattended. This poses a security risk, as unauthorized users could hijack sessions, change passwords, and modify files. Thus, incorporating the termination of inactive sessions into your site security checklist is essential.

11. Turn Off PHP Error Reporting to Avoid Disclosing Vulnerabilities:

PHP error reporting has the potential to expose sensitive information about your server and application to any visitor, which can pose a serious security risk to your site.

Therefore, it’s crucial to disable it to mitigate WordPress security vulnerabilities. You can disable PHP error reporting in different ways, like using a PHP file or accessing your cPanel.

In the section below, we’ll show you how to configure the php.ini file:

• Locate your php.ini file on cPanel’s dashboard or in the FTP client’s file manager.
• Set display_errors to Off.
• This change affects all scripts on the server.

Note: Although disabling PHP error reporting enhances security, it’s important to implement alternative monitoring and debugging methods. Regularly review your logs and conduct security audits to ensure ongoing site protection.

12. Prevent Unauthorized Actions by Managing User Roles:

Having multiple user accounts on a site isn’t a problem; the issue is not managing those accounts appropriately. You should avoid granting unrestricted site customization or editing access to all users, as even minor actions can make your site vulnerable to hackers.

Give roles to users for the exact duration that an action is mandatory, regardless of how many user accounts you have. WordPress includes multiple roles, such as:

1. Administrators: In WordPress, administrators have full access to all aspects of the site, like settings, themes, plugins, users, and content.
2. Authors: Authors will only be able to write, edit, and publish their own posts.
3. Editors: Editors can publish, edit, and delete any post on the site, regardless of the author.
4. Contributors: Contributors can write and edit their own posts but cannot publish them.
5. Subscribers: As subscribers, it is their role to interact with the site on a user-level.

Each of these roles has specific permissions that determine what a user can and cannot do. Aside from that, it’s a good idea to delete the default admin account, since attackers often target predictable usernames like “admin” or “administrator”.

Also consider implementing the following best practices along with removing the default admin account:

• Whenever access is no longer needed, revoke it promptly.
• Delete accounts you don’t use anymore.

13. Using Reverse Proxy to Defend Against DDoS Attacks:

DDoS attacks involve attempts to overwhelm a website or server by flooding them with excessive traffic, often from multiple sources. Dealing with such cyber attacks can be challenging, but DNS software is crucial to prevent site crashes. 

In that case, you have to use DNS software to prevent site crashes. By using DNS software like Cloudflare, Akamai CDN, and Fastly Deliver, you can reduce the impact of DDoS attacks by filtering out malicious traffic before it reaches your web server.

DNS software is crucial in identifying and blocking traffic originating from malicious IP addresses or geographical regions. This type of software can also distribute incoming traffic across multiple servers.

14. Set Strict File Permissions for Controlled Access:

While many people overlook this crucial security precaution, it’s essential not to underestimate file permission management. Having strict file permissions is essential to controlling access on your installation and server.

A website with overly permissive permissions is susceptible to unauthorized access, potentially resulting in harm. Alternatively, setting permissions that are too restrictive may break your site’s functionality.

You can set file permissions for controlled access in a variety of ways, such as through cPanel or an FTP client. These are the steps for setting WordPress file permissions using an FTP client:

1. Get an FTP client and install it.
2. Use your FTP  login credentials to connect to your hosting server.
3. Go to your WordPress installation’s root directory.
4. Click on a file or folder, then click “Permissions” or “Change Permissions.”
5. Specify the following permissions:

Files: 644 (rw-r–r–)

Folders: 755 (rwxr-xr-x)

By checking the appropriate box, you can set permissions recursively for subfolders and files.

6. In order to save the changes, click the “OK” button or “Apply” button. 

Note: Be sure to create a backup of your site before making any changes to avoid losing any data accidentally. You can check out this article to learn how to manage file permissions through your hosting service.

15. Hide Your WordPress Version

If potential attackers cannot figure out your website’s WordPress version, there is a significant reduction in the risk of unauthorized access or exploitation. This precautionary measure is particularly useful for older WordPress versions.

You can accomplish this by using a dedicated WordPress security plugin such as ‘’Wordfence Security.’’ Alternatively, you can edit the theme’s functions.php file to mask the WordPress version. 

To manually perform the process, follow these instructions:

1. Navigate to the WordPress dashboard and go to “Appearance,” then select “Theme Editor.”
2. Choose the ‘’Theme Functions’’ (functions.php) file on the right-hand side.
3. Add the following code snippet at the end of the functions.php file:

function custom_remove_version() {
    return '';
}
add_filter('the_generator', 'custom_remove_version');

4. Now save the changes made to the functions.php file and you’re done.

16. Protect Your System Against Malware by Scanning It:

Every day, the AV-TEST Institute registers more than 450,000 malicious programs (malware) and potentially unwanted applications (PUA). Also, there are other types of malware with a polymorphic nature, making it imperative to conduct regular malware scanning.

In order to conduct a scan on your site, it’s essential to use WordPress security plugins. There are a number of free and premium plugins available for conducting scanning. Some of the top-quality plugins include:

• Wordfence Security
• MalCare Security
• BulletProof Security 
• Sucuri Security

17. Regularly Conduct Security Audits to Identify Risks

Last but not least, if possible, conduct security audits on your site on a regular basis. Performing this will help you protect your site from evolving threats and security vulnerabilities.

While conducting a security audit, there are several things you need to keep in mind, for example:

1. Check if your site is loading slowly.
2. Monitor for any significant traffic drops.
3. Verify the presence of any unauthorized links.
4. Investigate unauthorized login attempts.

There are basic security audits that you can perform. However, if you’re wondering how to check WordPress website security through an advanced-level security audit, you’ll need the plugin’s help.

There are plenty of plugins available that you can use to perform security audits and identify risks, for example:

• Firewall
• Security Ninja
• Sucuri Security
• Wordfence
• iThemes Security
• WP security audit log

These tools can enhance your site’s security posture and assist in identifying and mitigating potential risks.

Closing Thoughts

Do you want more? 

We believe all the security precautions we’ve included in this guide are good enough to ensure your site’s safety. 

Throughout this guide, we’ve covered a comprehensive range of security practices for you to explore. From using plugins to manually editing various WordPress core files through cPanel or FTP, we’ve provided an exhaustive list.

When choosing a security plugin for your site, choose one that offers real-time updates and solutions. For additional insights into WordPress security plugins, refer to this article.

Lastly, if you believe we have overlooked something in this guide on securing your WordPress website, please leave a comment.