How to increase the security of your WordPress website [tutorial]

A tutorial on how to increase the security of your WordPress website to protect yourself from malicious software and hackers. Secure your website efficiently.

How to increase the security of your WordPress website [tutorial]

Website security is important for every its owner. WordPress is the most widely used CMS system in the world. Therefore, it is a frequent target of hackers.

Security of WordPress site

A well-secured site is also important for business. If hackers steal your information and passwords and install malware, they can get even to your customers through your website.

Let’s go through the steps you should follow to keep your website safe and secure.

Choosing a secure theme

The theme is a substantial part of the entire website. It provides a number of features and therefore includes a lot of code by default. It is essential to choose a proven and quality them. Some of them even pay for a security audit, thus obtaining a security certificate.

? Tip: I recommend betting on the proven Divi and Avada multifunction themes. I also have great experience with StudioPress themes.

Choosing safe hosting

Choosing a quality hosting is important for securing WordPress websites. Hosting should have an SSL certificate and guarantee 99.9% availability. In addition, make sure that the hosting administration you have chosen is encrypted with the HTTPS protocol.

Therefore, use hosting that is suitable for WordPress websites. Such hosting offers backup of your website, automatic WordPress updates and supports the security of your site. A significant advantage is quality technical support.

? Tip: For a fast WooCommerce website, the key is to choose the right hosting. I recommend relying on proven quality: Bluehost or SiteGround or WP Engine.

Set up data backup

All data needs to be backed up. Don’t just use your hosting. Backup needs to be done in one more place. You can use Dropbox or Amazon. Set up your system to back up the entire database, all plugins, and the theme you use. After backup, verify backup functionality. Make sure not to skip this step.

Ensure the backup can be used. Backup must be carried out at least once a day or at regular intervals. Backup can also be set in a special backup plugin or in a security plugin.

? Tip: I personally use the UpdraftPlus plugin to back up.

Install the security plugin

Sucuri bezpečnostný plugin

Security of the WordPress site also requires the installation of a security plugin. The popular Sucuri plugin will protect you from common types of attacks. It effectively protects your website from malware. After installing it, go through all the necessary settings

? Tip: Similar plugins are the freely available Wordfence Security or premium iThemes Security. The benefit of the latter is the automatic backup of the website that the plugin creates if your site is infected.

Update the website regularly

Regular updating the theme and all plugins is an important part of WordPress security. WordPress developers are constantly working to improve themes and plugins. Their updates may include the removal of some security errors.

Perform this step manually. In the Admin menu, go to the Dashboard and Updates section. Check which plugins need to be updated and update them.

Don’t use outdated plugins

When choosing appropriate plugins for your website, use only those that have been updated recently. Make sure you do not use those that have not been updated for more than two years. You would risk not only the security of the website but also the compatibility of the plugin with your theme.

Use strong passwords

An important point of securing the WordPress website is the use of strong passwords. You should also use passwords for your own access to the website as well as for other users. The most common hacker attack is just theft of the password. It is therefore up to you to make this step as difficult as possible. Use strong passwords also for hosting, email address and FTP accounts.

Do not use the same passwords in all locations. Select a combination of uppercase and lowercase letters, numbers, and characters. The best choice is a password that is not easy to remember.

Use the password manager to remember them yourself. Password manager helps you create strong passwords and stores them all. You can access these passwords with a single password.

To increase the security of your WordPress website, it is also important that you give access to its administration to another person only if necessary. It is also important that anyone who receives such access understands the competence they have in creating and maintaining a website.

SFTP Encrypting

For WordPress website security, it is important that you send data to an FTP site in an encrypted manner when editing a page. Use SFTP encryption.

Ensure yourself SSL certificate


SSL (Secure Socket Layer) certificate ensures your secure, encrypted communication with servers. This communication also applies to your password. Without an SSL certificate, your password will be sent across the site unencrypted.

Remove excess content on the server

Content that is located in the site space (FTP) represents a risk. For example, backups of the entire site in the wp-content / backup directory, where page settings and database content are stored, may be such a risk. Excess and risky files need to be deleted from the site space.

Change the prefix

During the installation of WordPress theme, WordPress will ask you what prefix you want to use. WordPress uses the default prefix. If you select the default wp_ prefix, you will make it easier for hackers to work. Therefore, I recommend changing it to anything else.

Enable Firewall (WAF) application

For better security of your WordPress website, use a Firewall (WAF) that blocks malware before it reaches your site. I recommend using Sucuri for this purpose. It guarantees protection against malware.

Do not use username “admin”

For WordPress website security, you need to change your preselected username. Create a new administrator account and delete the default one. Do so as soon as you install the WordPress theme.

Choose a username that cannot be guessed. If you already have WordPress installed and you use the name “admin”, it can be changed. Create a new user and delete the original user. The solution may also be to use a plugin to change the user name.

Turn off editing of themes and plugins

WordPress includes a built-in code editing feature that allows you to edit themes and plugins in the administrative menu. It is advisable to turn it off in order to prevent this option from falling into the wrong hands. To do so, add the following code to wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Check the files you upload to the website

Upload only files that don’t contain viruses to your website. Check your computer regularly with an antivirus program.

Secure logging in to the administrative menu


WordPress allows an unlimited number of attempts to log in to the administration menu. You can set the maximum permissible error rate to ensure logging in. For example, three incorrect attempts.

In addition, you can also set a time period for incorrect logins – three logins in three minutes. If someone logs in incorrectly four times, you can block his IP address for a few minutes. Do this by installing the Login LockDown. Once activated, go to Settings »Login LockDown.

Use 2-step verification

One of the reliable ways to secure WordPress sites is also two-step verification. This will allow you to protect your website access with a password and with your phone.

Hide the login page

Securing the WordPress website will also increase the hiding of the login page. WordPress uses or to login to the administration. You can rename it using WPS Hide Login.

Watch out for SPAM comments


The SPAM commentary often contains links to websites where malware is located. If you don’t want to disable all comments, you need to review them. The most popular comment checking tool is the Akismet plugin, which evaluates comments and filters them. Akismet is installed on every WordPress theme. Find Akismet in the themes menu and tick the “activate” box.

Attention: Akismet plugin is free for non-commercial websites only.

Do not sign in to an unsecured Wi-Fi network

For WordPress site security, it’s also important that you don’t use an insecure network to sign in. A hacker on the same network can detect your login or cookie for permanent sign-up.

Moving wp-config.php

To increase the security of the WordPress website, I recommend moving the wp-config.php file to the above directory. Perform this step only if it does not interfere with your website’s functionality and if you have only one domain in hosting. In this file, you have stored data such as database name, password, and so on. By moving it, you will hide it from hackers.

Rights setting

The next step to increase the security of your WordPress site is to set access rights to folders and files. You should use these rights setting for the website:

All directories - 755 or 750
All files - 644 or 640
wp-config.php — 600

Turn off PHP error reporting

The error message may also display the path to your files. But you can disable it. Simply add these two lines to your wp-config.php file:


Turn off XML-RPC Pingback

The XML-RPC Pingback feature allows you to link the page to trackbacks and pingbacks. However, it is also an option for hackers. XML-RPC Pingback security is provided, for example, by the iThemes Security plugin.

Removing WordPress version number

In the WordPress source code, there is a meta tag with the version of WordPress in use. This information may be misused by hackers. You can easily hide it using the Meta Generator and Version Info Remover plugin or by adding code to the functions.php file found in your theme:

remove_action('wp_head', 'wp_generator');

Set automatic logout for long inactive users

Some users leave the screen for a long time, although they are still signed in. To increase the security of your WordPress website, you can set them to log out automatically. You may have noticed that banks are also using similar settings. This is because, in the absence of a logged-in user, hackers can make changes to their passwords or accounts.

You can do so by using the Inactive Logout plugin to automatically disable inactive users.

Summary of WordPress safety tips

I consider the choice of quality hosting to be the most important. Hosting should have SSL certificate. I recommend staking on verified quality: Bluehost or SiteGround or WP Engine.

Next, be sure to use strong passwords and install / configure one of the verified security plugins – SucuriWordfence Security alebo iThemes Security.

Was this article helpful for you? Support me by sharing, please. 👍
WordPress Návod v PDF


Please enter your comment!
Please enter your name here