Your Ultimate Guide to WordPress Security

Share on facebook
Share on twitter
Share on pinterest

It is 2019 and web security has never been more important than it is today. Every where you look there are bad guys just looking for an opportunity to either steal some valuable info like credit card information or just sabotage your website for the fun of it. WordPress websites in particular have become a favorite of cyber criminals as it continues to grow in popularity. 

But wait … why would anyone want to hack my small website?

This is actually a pretty common question I often receive. Many website owners believe that just because they don’t have a big or popular website, they are immune to attacks. This is a huge misconception because hackers and malware do not discriminate. Of course there are hackers who will go after specific and popular websites to achieve a very specific goal however most hackers will attack any website if given the opportunity to do so. 

In this extensive tutorial, I am going to show you the key steps that you need to take to make your website as hard as possible to hack and frustrate anyone who tries to do so. Strap on your seat belt and get ready to get your hands dirty with some WordPress security.

Table of Contents

  1. Hosting
  2. Change Default Login URL
  3. Use Strong Passwords
  4. Run Updates
  5. Use Legit Plugins
  6. Remove Unused Plugins
  7. Use HTTPS & SSL
  8. WordFence Security Plugin
  9. Create With the Help of a Community


The security of your WordPress website starts from your web hosts. Good web hosts take extra steps to ensure their servers are protected against common threats and also offer additional security features to their clients like automatic backups and WordPress updates.  

If you want my personal recommendation for a web host, look no further than Siteground. These guys offer free malware scans and daily backups to all their customers. They also have an extremely affordable 24 hour website monitoring service at just $2 per month. 

If you would like to learn more about this incredible hosting company, check out my extensive article about them here – Why SiteGround are the Best Web Hosting Company.

Change the Default Login URL

Everyone knows that to login to the back end of a WordPress website, all you do is add ‘/wp-admin’ at the end of the site’s url, press enter and presto you are offered the login page. The good news though is that you can change this default url to something unique like ‘/ilovealex’ or ‘/webmonkey’.

The best way to do this would be to use the wps hide plugin. This is a pretty lightweight plugin that offers you the ability to customize your login url and make it one level harder for your site to get hacked. Just don’t forget your new login url.

the wps hide plugin

If you want a tutorial on how to do this, I do have a video lesson that will show you.

Use Strong Passwords

Okay okay you have heard this a bazillion times but I just had to say it one more time.

Believe it or not in the year 2019, there are still folks who insist on using ‘strong’ passwords like ‘qwerty’, ‘swordfish’ and my all time favorite password which is ‘password’.

Seriously do this people ever learn???

Do strive not to be this lazy and use a strong a password. Try coming up with a password that

  • Is at least 8 characters long
  • is a combination of letters and numbers
  • has at least one capital letter
  • has at least one special character like ‘@’ or ‘#’

If you can come up with a password that meets these requirements, you will have a strong solid password that would take light years to crack.

Update All Themes, Plugins & the Core

Updates are not only provided to improve functionality and design but also to patch up any discovered vulnerabilities that can be exploited. When you are running an outdated theme or plugin, you are leaving your website exposed to malware and hackers. This is exactly why you constantly need to ensure that your plugins and themes are fully updated. 

It’s not just your themes and plugins that need to be updated though, your WordPress installation itself (aka the core) also needs to be kept updated. 

Use Legit Plugins & Themes

One of the best things about WordPress is its open source community that allows anyone to develop and publish a plugin or theme for use.

The downside here though is that it also allows Bob with 2 weeks experience working in PHP to ‘develop’ and publish his very own plugin filled with bugs and security holes.

In other words, there is no real screening process that a plugin or theme must go through before it becomes live on the internet. Lots of WordPress users end up downloading and installing plugins that are no good.

You can protect yourself from such by downloading plugins that

  • are from a reputable developer e.g MyThemeShop
  • have good ratings and reviews
  • is compatible with your version of WordPress
  • the latest update is no longer than a year from the current date
  • has at least 1000 downloads

If a plugin you see doesn’t satisfy these requirements, I would recommend looking for another one.

Another great thing about WordPress is that with nearly 50,000 plugins available, you are very likely to find an alternative for the same plugin.

Remove Unused Plugins

Another excellent practice for plugin management. Uninstall every inactive plugin on your site as even in their inactive state, they could still be exploited. I would recommend however that you keep one or two inactive themes installed. This is recommend because in a situation where your active theme goes crazy or something else happens, having a standby theme to switch to would be very helpful for debugging purposes.


Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP which is the protocol through which data is sent between your browser and the website that you are connected to. To ensure that HTTPS is actually working, you are going to need something called SSL.

Secure Sockets Layer (SSL) is a technology that is used to create an encrypted link between a web server and a web browser. This is particularly useful on websites where sensitive information like credit card details are used for transactions.

Now you are going to need an SSL certificate for this and you can use a free service like lets encrypt to get one.  Alternatively, many web hosting companies like SiteGround offer this service from the control panel and will require only a couple of clicks to get it working on your site.

Want a video tutorial on how to install SSL on your WordPress website, check out this tutorial.

Use WordFence Security Plugin

While there are a ton of security plugins out there, I personally recommend WordFence. This all-in-one security plugin provides you with an extensive set of security features designed to make your website hardened against attacks. 

The plugin provides a firewall, malware scanner and 2 factor authentication methods among other tools to make it a truly robust security plugin.

Check out my extensive tutorial below on how to use this powerful plugin.

Limit Login Attempts

Have you ever heard of a brute force attack? It basically involves a hacker trying every possible combination of words, letters and symbols to try and guess what your password is.

The most effective way of preventing this type of attack is to limit the number of incorrect login attempts that can be made at a time. You can use the WP Limit Login Attempts plugin to set this security feature.

Downgrade the Admin Username

A lot of people tend to use the ‘admin’ username for the administrative account on their website. This is not advisable as it is probably the username with the most number of hack attempts to uncover the password associated with it.

Many security experts recommend removing the admin username completely and using a different username for the administrative account. Now while this is good advice, I am going to recommend a slightly different approach which is to use a different username for the administrative account but keep the admin username and give it the role of a subscriber.


Good question. So if a hacker knows that the admin username exists on your site (and yes a good hacker will know), the inclination would be to think that the username is for the administrative account. As a result, Mr Robot is going to spend all his time trying to figure out what the password is not knowing that the account has zero administrative privileges.  This is a great way to keep

Disable PHP File Execution in Certain WordPress Directories

WordPress is built using PHP and as a result almost every directory that makes up your WordPress website will have PHP files in them. You may need to work in some sub directories of key directories like the wp-content folder that contains the files for your themes and plugins.

However in a directory like the   This a great way to harden your website’s security.

Open up your favorite text editor, paste the code below in it and save the file as .htaccess

 deny from all 

Then via FTP, upload the file to the /wp-content/uploads/ folders.

More Articles

Subscribe to my Newsletter

Get an email whenever I release a brand new post straight to your inbox. I promise not to o spam you

Share this post with your friends

Share on facebook
Share on google
Share on twitter
Share on linkedin

Leave a Comment