If you are running a WordPress website right now, and not concentrating on maintaining the code of your site secure, you could be vulnerable to some critical problems. It is to be noted that WordPress security is not programmed.

The WordPress Attack Report in 2017 created by Wordfence expressed that users must start thinking about protecting your WordPress site or blog.

Also, you may recall the brutal mass attack WordPress sites endured in December 2017.

Therefore, for 2019, it is time for you to focus on protection for your WordPress site.

Regardless of the level of security of your WordPress website, the WordPress development company can always make improvements.

But in the end, keeping an offsite backup somewhere is perhaps the best antidote to the developer, no matter what. If you have a backup, you can restore your WordPress website anytime if you wish.

Here are 25 tips to secure a WordPress site or blog:

1. Ban Users and Put Up Lockdown Features

A lockdown feature for multiple failed attempts to login can resolve the massive issue of consistent brute force efforts. Hacking efforts with continuous incorrect passwords will be restricted when the site is locked and you receive notification of this unapproved activity.

The iThemes Security WordPress plugin is among the best plugins for this purpose.

2. 2FA

When you introduce the 2FA (Two-factor Authentication) module on the login page, you add an extra layer of security that provides users login details for two separate elements.

The owner of the site or blog determines what these two elements will be. You can have the usual password followed by a secret code or secret question.

As an alternative, you can also use the Google Authenticator app, which sends a code only you can see on your phone. This way, only you, since you have your phone, can log in to the site.

3. Email Login

It is by default that you need to put your username when logging onto WordPress. When you use an email address instead of your username, you can make your site more secure. The reasons behind this are fairly obvious.

Emails IDs are much harder to predict than usernames. Also, any user account on WordPress is made with an individual email ID, making it a legitimate identifier for login purposes.

Many security plugins for WordPress allow you to create login pages that every user must use their email IDs to get in.

4. Customize Your Login URL

It is easy to change your login URL. The WordPress page for login can be, by default, easily accessed through wp-admin or wp-login.php added to the main URL of the site.

When hackers get to know the login page’s primary URL, they can try to push their way in. This trick disallows unauthorized access by entities and only the person with a precise URL can now log in. The iThemese Security plugin comes in handy here as well.

5. Adjust Passwords

Change your passwords as often as you can to ensure safety for your WordPress site. Enhance their power by adding lowercase and uppercase letter, special characters, and number.

You can opt for passphrases instead of a password since it is more difficult to crack for hackers. It is also easy for you to remember.

6. Automatically Log Passive Users Out Of Your Site/Blog

Someone might leave the website wp-admin panel open and forget about it, which leaves WordPress vulnerable.

Any passerby can edit information on the site, change the user account of the user’s or even destroy the site completely.

You can avoid this by ensuring your site logs users out if they remain passive for a certain time period.

7. Wp-admin Directory Protection

At the heart of any WordPress site lies the wp-admin directory. Thus, if this section of your website gets broken into, the whole site can get destroyed.

One potential way to counteract this is to protect the wp-admin directory with a password. When this safety measure is in place, the owner of the site may enter the dashboard by presenting two passwords.

One password protects the login page while the other protects the admin area on WordPress.

8. Encrypt Data with SSL

You can protect the admin panel by implementing a Secure Socket Layer (SSL) certificate. SSL ensures data transfer between the server and the user browser is protected, thus, making it arduous for hackers to break through the connection.

Acquiring an SSL certificate for your website is easy. You can buy one from an external company or check if the company you are hosting your site with is offering it for free.

Additionally, there’s another advantage of getting an SSL certificate. Google ranks websites that have the certification higher than those who don’t have it.

9. Carefully Attach User Accounts

If you operate a blog with WordPress, then you may be dealing with several people entering your admin panel. This can make your site more exposed to WordPress security issues.

In such cases, you can opt for a plugin such as Force Strong Passwords. You can, with this plugin, make sure user passwords are secure. This is just prevention, it is better than having many users with insecure passwords.

10. Change the Username for Admin

Choosing your username as admin during the WordPress installation is a cardinal sin. This username is too easy to guess, which makes it easy for hackers to breach. All they require is to figure the password out and then your whole website falls into the incorrect hands.

11. Keep an Eye on Your Files

If you need extra WordPress security, keep an eye on the changes to the files on your website through plugins like iThemes Security or Wordfence.

12. Edit the WordPress Database Table Prefix

If you have ever installed WordPress, you will know the wp-prefix the WordPress database uses. You need to change it to something else, give it a unique name.

Utilizing the default prefix makes the database of your site vulnerable to SQL injections, which can be blocked by editing the wp- to mywp- for instance.

When you have installed you WordPress already with the prefix provided, you can use plugins to edit it like iThemes Security of WP-DBManager.

13. Regular Back-ups

Your WordPress website may be among the most secure websites out there, but that doesn’t mean you don’t stop improving it.

However, when everything is said and done, it is still a good idea to store your backup externally somewhere else, so no matter what happens, you will have something to fall back onto.

When you have your backup, you can return your website to its previous working state whenever you want.

14. Set Strong Database Passwords

A powerful password for a person using the primary database is an absolute necessity since you use this password to access the database.

As always, use special characters, number, lowercase and uppercase characters for the password. Passphrases are a great choice as well.

LastPass is highly recommended for generating random passwords and storing them. Secure Password Generator is a quick and free tool for creating powerful passwords.

15. Keep an Eye on Your Audit Logs

When you are operating WordPress on multiple sites or managing a multi-creator website, it is important to know what kind of user activity is happening.

Even if your writers or contributors are editing the passwords, there are a few things that cannot happen without your permission.

For example, widget and theme edits are of course saved for the admins. You need to review the audit log to make sure your admins or writers are not trying to edit things that you don’t approve of.

16. Wp-config.php File Protection

The file of wp-config.php holds critical data about the installation of your WordPress, and it is the most crucial file in your website’s root directory.

Securing it means protecting the heart of your blog. This method makes everything harder for hackers to break into the site’s security since the file wp-config.php becomes unavailable to them.

17. Ban File Editing

If any user has passage to your dashboard, they can modify any files belonging to WordPress’s installation.

This contains all themes and plugins. If you forbid file editing, no one will be able to change the files—even hackers.

18. Carefully Insert Directory Permissions

Incorrect directory permissions can be dangerous, specifically if you’re running in an environment of shared hosting.

In this case, editing directory permissions and files is an excellent move to protect the website.

You can do this either manually or through setting File Manager in your control panel.

19. Ban Directory Listing

If you formulate a new index as part of your site and do not place an index.html file into it, you may be astonished to see that your guests can receive a comprehensive index listing of every item that’s in that index.

20. Disallow All Hotlinking

If you’re working to ensure your WordPress website, hotlinking is not recommended. Hotlinking is when someone else takes your photo and captures the bandwidth of your server to display that image on their site.

In conclusion, you’ll see your server costs rising and your loading rates slowing down.

Although there’re some standard techniques for stopping hotlinking, the simplest method is to obtain a WordPress safety plugin such as the All in One WP Security and Firewall plugin.

21. Protect Yourself From DDoS Attack

A DDoS attack is a popular kind of exposure upon your server bandwidth, wherever the criminal uses various applications and ways to overload the server.

It won’t expose your files, but an attack like this can crash your site for a long time if you can’t get it fixed.

22. Update Often

Every sound software product is backed by its developers and receives updates regularly. These updates are intended to correct bugs and contain critical safety patches. WordPress and its plugins are no different.

Not refreshing your plugins and themes can spell trouble. Therefore, if you’re utilizing any product from WordPress, renew it frequently.

23. Eliminate Your WordPress Variant Number

Always change the version of your WordPress from your site because if hackers see it, they basically hit the lottery as now they can customize how they want to attack you. You can protect your variant number with any of the security plugins mentioned before.

24. Remove Unused Plugins and Themes

Remove all the unused plugins and themes from your admin panel. Unused plugins and themes make your site sluggish and exposed to safety threats.

It is actually apparent that you don’t update when you are not using them. This allows a hacker to gain a knothole inside the old component and obtain entrance to your website.

25. Choose the Best Hosting Company

The easiest method to manage your site’s security is to work with a hosting provider that gives added layers of protection. It may appear attractive to work with a budget hosting provider, but don’t be influenced by this way.

It can, and usually does create issues later on. Spending a little bit extra for a top-notch hosting firm indicates extra layers of protection that are automatically assigned to your WordPress site.


WordPress protection is among the important elements of a website. If you don’t manage your WordPress safety, hackers can strike your site easily.

Managing your website safety isn’t difficult and can be achieved without wasting massive amounts of money.

It’s not a secret that WordPress, although it’s the most popular CMS platform nowadays, can not boast the highest level of security.

But still, more and more people migrate their websites to WordPress, moreover that with the help of automated service it became as easy as ever before.

Thanks to CMS2CMS, the automated forum and website migration service, the content from your website can be safely moved to the WordPress platform in about 15 minutes.

There’s also a Free Demo migration available, which lets you preview the result.

Indeed, WordPress is a great platform to run a website on, and if you know some basic safety rules – your website is out of danger!