How to Secure a Website: 16 WordPress Security Tips and Best Practices

WordPress is the leading content management system (CMS) that powers 43.2% of websites worldwide. The platform’s easy and flexible customization options, extensive plugin ecosystem, and engaging community have led to its immense popularity.

However, this popularity also makes it a hot target of attackers seeking to exploit its vulnerabilities. While the platform itself is highly secure, breaches often occur due to user negligence and unawareness of security practices. But with the right approach, you can thwart potential threats.  And in this comprehensive guide, we’ll provide the essential steps and best practices on how to secure a website that you can use right away to enhance WordPress security.

Why your WordPress website security is so crucial

How to secure a website: Practical tips and best practices 

  1. Keep WordPress and plugins updated
  2. Use strong and unique credentials
  3. Enable two-factor authentication (2FA) for an extra layer of security
  4. Regularly back up your WordPress website and store backups securely
  5. Use a reputable web hosting provider with robust security measures
  6. Limit login attempts to prevent brute force attacks
  7. Secure the WordPress admin area with a password or IP restriction
  8. Use a secure file transfer protocol (SFTP) for file uploads and downloads
  9. Disable file editing through the WordPress dashboard
  10. Implement a web application firewall (WAF) for additional protection
  11. Remove or disable unused themes and plugins to minimize potential vulnerabilities
  12. Set proper file permissions to restrict unauthorized access
  13. Use prepared statements or parameterized queries to protect against SQL injections
  14. Regularly scan your website for malware and suspicious activity
  15. Use SSL/TLS for data protection
  16. Disable directory indexing to prevent unauthorized browsing of directories

Why your WordPress website security is so crucial?

Cybersecurity Ventures predicts that cybercrime will cost the world $10.5 trillion annually by 2025. That’s equivalent to the current market capitalization of the world’s most valuable companies, including Apple, Microsoft, Amazon, and Alphabet combined. While that’s a number on a global scale, the impact of damage from security breaches on individual businesses and websites is equally catastrophic. Here’s a list of things on how negligence in security can impact your business.

Business reputation and customer trust

A security breach can severely damage your business reputation and erode customer trust. According to SurveyMonkey’s polling, 55% of people are less likely to continue doing business with brands that are breached by cyber attacks.

Financial loss

In the aftermath of a security breach, the business has to incur several unnecessary costs, such as the cost of recovering lost data, conducting forensic investigations, and implementing enhanced security. Additionally, the downtime resulting from a security incident can lead to lost sales, missed opportunities, and decreased productivity.

Legal consequences

Various industries and locations have specific security and data protection regulations that you must comply with. Failing to meet these requirements can result in legal consequences, financial penalties, and potential business shutdowns.

Misuse of compromised data

Personal and sensitive data such as names, email addresses, passwords, and even financial information can fall into the wrong hands. Such incidents not only violate user privacy but can also result in legal consequences and hefty fines, especially if you fail to comply with data protection regulations.

How to secure a website: Practical tips and best practices

WordPress security is of utmost importance to protect your website from potential vulnerabilities and attacks. Here are some detailed WordPress security tips and best practices.

1. Keep WordPress and plugins updated

Regularly updating your WordPress website’s themes, plugins, and core files is crucial for enhancing its security. By keeping these components up to date, you ensure that you have the latest security patches and bug fixes installed. This is important because hackers often target outdated software versions to exploit vulnerabilities and gain unauthorized access.

(Frequently check the themes, plugins, and files for updates. )

Updating your website provides several key benefits. First, it patches security vulnerabilities that may exist in older versions, reducing the risk of exploitation. Second, it protects against known exploits that target outdated themes, plugins, and WordPress core files. Third, updates ensure compatibility with the latest web standards and technologies, reducing the risk of compatibility issues or conflicts. Finally, updates often introduce new features and improvements that indirectly contribute to better security.

To effectively manage updates, you can also consider enabling automatic updates or regularly checking for updates in your WordPress dashboard. It’s also crucial to back up your website before performing any updates. By prioritizing regular updates, you actively strengthen your website’s security, protect your data, and maintain a safe online presence.


2. Use strong and unique credentials

Using strong passwords and unique usernames is essential to keeping your WordPress site secure. For maximum security, use a combination of uppercase and lowercase letters, numbers, and symbols when creating your password and username. Avoid common words like ‘admin’ or ‘password123’ as they are easy for hackers to guess. Instead, choose something more vague and unrelated to you or the content of your website.

(Dos and don’ts for creating a strong password)

You can also consider using a reputable password management tool, which can generate long, random characters that are impossible for an attacker to decipher using brute force methods. By taking these precautions with your login credentials, you greatly reduce the risk of unauthorized access to your account.


3. Enable two-factor authentication (2FA) for an extra layer of security

Enabling two-factor authentication (2FA) provides an additional layer of security to your WordPress site. With 2FA, users are required to provide a second form of verification in addition to their password when logging in. This extra step adds an extra level of protection, even if passwords are compromised. Common 2FA methods include receiving a unique code via SMS, using a mobile app like Google Authenticator, or utilizing hardware tokens.

(How two-factor authentication works)


Codes are only available through text messages or third-party identification. To use 2FA on your WordPress site, you need to install a login security plugin such as Wordfence login security. You should also install a third-party authentication app such as Google Authenticator on your mobile device. After installing the plugins and the authentication app follow these steps to enable two-factor authentication:

Go to the login page in your WordPress admin. If you are using Wordfence login security, go to the login security menu on the left panel.

  1. Open the two-factor authentication tab.
  2. Use your phone to scan the QR code or enter the unlock code
  3. Enter the code generated by the phone app in the recovery code section
  4. Press the Activate button to complete the setup

You can also, download the recovery code if you do not have access to the device with the authentication app


4. Regularly backup your WordPress website and store backups securely

(Reasons you should regularly backup your WordPress website)

Creating a regular backup of your WordPress site is an important migration measure as it will help you recover your site after an incident of cyber attack. The backup file should contain the entire WordPress installation, including the database file and WordPress core files. You can use plugins like All-in-One WP Migration to back up your site with WordPress.

To create a backup file using this plugin, follow these steps:

  1. Install and activate the All-in-One WP Migration plugin from the WordPress Plugin Directory
  2. Once activated, you will see a new menu item labeled All-in-One WP Migration in the left-hand sidebar of your WordPress admin panel
  3. Click on the All-in-One WP Migration menu item to expand its options
  4. From the expanded menu, select Backups
  5. On the Backups page, click on the option to Create Backup
  6. The plugin will start creating a backup of your entire WordPress installation, including the database and files.
  7. Once the backup creation process is complete, the backup will appear on the Backups page, where you can manage and download it

To download the backup and save it for storage, follow these steps:

  1. Still, on the Backups page, locate the backup you want to download from the list.
  2. Click on the Download button next to the backup.
  3. A file will be generated, and your browser will prompt you to save it to your desired location on your computer.
  4. Choose a secure storage location for the backup file, preferably external to your website’s server

5. Use a reputable web hosting provider with robust security measures

The effectiveness of the multiple WordPress security measures can be compromised if your hosting environment is vulnerable to cyberattacks. Therefore it is crucial to select a hosting provider that ensures a secure place for your website data and files on their server.

(Choosing a reputable and secure hosting provider is a key factor for your WordPress website’s security.)

If you believe your current web hosting company lacks adequate security, it may be time to migrate your WordPress website to a more secure hosting platform. When searching for a secure web host consider the following factors.

  • Type of web hosting: Shared hosting and WordPress hosting pose a higher vulnerability to cyber attacks due to resource sharing. To enhance security, consider VPS or dedicated hosting to ensure resource isolation.
  • Security: Ensure your hosting provider actively monitors networks for suspicious activity and regularly updates server software and hardware. Always choose a reputable hosting provider to prioritize security.
  • Features: Regardless of hosting type, safeguard your WordPress site by implementing automatic backups and utilizing security tools to prevent malware. These measures can be crucial in the case of an infected website.
  • Support: Opt for a hosting company that offers 24/7 support and possesses extensive knowledge in addressing security and safety concerns. This ensures prompt assistance and protects your data effectively.

6. Limit login attempts and implement a login lockdown to prevent brute force attacks

Legitimate users typically require only a few login attempts, making any excessive attempts a clear indication of a potential attack. It is crucial to implement a limit on login attempts as a standard practice to enhance the security of your WordPress website.

(Limiting login attempts protects your website from password-cracking techniques such as brute force and dictionary attacks.)

By limiting the number of login attempts through measures like IP blocking or account lockouts, you can significantly reduce the risk of successful login attacks. Implementing security plugins that offer features like restricting login access or adding CAPTCHA verification can further enhance the security of the login process. These measures effectively thwart automated login attempts and provide an additional layer of protection for your WordPress site, safeguarding it against unauthorized access and potential security breaches.


7. Secure the WordPress admin area with password protection or IP restriction

If a hacker gets into your control panel, they can steal your confidential customer information, install malware, lock you out of your account, or deface your website. To protect your login, data, and content, it’s important to take steps to secure your WordPress admin area. Consider the following points.

1. Never use the default admin username

By default, the first user account for every new WordPress installation is assigned the alias “admin”. Hackers are already aware of it and they just need to crack or guess your password. If you are currently using admin as your username, it is recommended to change it.

2. Password protect wp-admin folder

Any third party can claim the wp-admin folder and login page without any verification. The wp-admin folder contains important administrative files, so you should protect it with a username and password.

3. Create a custom login URL

You can access any WordPress website URL by adding /wp-login.php to the login screen. For example, if your domain is www.example.com, your login page would be www.example.com/wp-login.php. This makes it easier for the hackers to access your login page. However, by creating a custom URL, you add an extra layer of security making the login page less predictable.

4. Restrict access to specific IP addresses

If only a few users need access to your WordPress admin area, you can edit your site’s .htaccess file to restrict access to specific IP addresses. This allows you to block users from unknown IP addresses.


8. Use a Secure File Transfer Protocol (SFTP) for File Upload and download

Secure File Transfer Protocol (SFTP) is a secure and encrypted method for transferring files between systems over a network. It has the security features of Secure Shell (SSH) with the file transfer capabilities of FTP, making it a reliable way to upload, download, and manage files remotely.

By utilizing SFTP, you ensure that files exchanged between your local system and the WordPress server are encrypted, making it difficult for unauthorized individuals to intercept or tamper with the transferred data. This helps safeguard sensitive information, such as login credentials, personal data, or any other confidential files.

To use SFTP for file transfer with your WordPress website, you will typically need an SFTP client software or a dedicated FTP client that supports SFTP. When connecting to your website’s server, ensure you specify the SFTP protocol and provide the appropriate login credentials. Using SFTP is especially important when handling sensitive files, such as plugin or theme updates, backups, or configuration files. It adds an additional layer of security to the file transfer process, reducing the risk of unauthorized access or data interception.


9. Disable file editing through the WordPress dashboard

Disabling file editing through the WordPress dashboard is a crucial security measure for your WordPress website. By default, WordPress grants administrator-level users the ability to directly modify theme and plugin files within the dashboard. This feature provides convenience but also increases the chances of security risks. In the case of a security breach or even unauthorized access, malicious individuals can manipulate core files, resulting in a compromised website.

To enhance security, it is advisable to disable file editing through the dashboard. By doing so, even if an administrator-level account is compromised, attackers won’t have direct access to core files. This provides an added layer of protection and preserves the integrity of your website. Implementing this measure involves a simple modification to the wp-config.php file, limiting file editing to secure methods like FTP or SSH. While authorized users can still access files safely through these methods, unauthorized individuals are barred from exploiting this vulnerability.


10. Implement a web application firewall (WAF) for additional protection

A web application firewall (WAF) protects websites from common web attacks. They work by filtering and monitoring HTTP traffic between your website and the Internet, filtering out malicious traffic before it can reach the website. WAFs are highly effective in preventing major types of attacks, such as cross-site scripting (XSS), SQL injection, and file injection, which makes them an important part of a layered security approach.

(Implementing WAFs provides an additional layer of security)

WAFs operate on rules. These rules are designed to identify malicious traffic and block it. You can update these rules as per the needs, which makes them a valuable tool for responding to new attack vectors. For example, if a new DDoS attack is detected, WAF rules can be updated to block the attack. This can help to protect web applications from being taken offline by a DDoS attack.


11. Remove or disable unused themes and plugins to minimize potential vulnerabilities

Placing unused plugins and themes on your website can cause problems, especially if the plugins and themes are not updated. These unused assets may have the vulnerability and being outdated they may haven’t been fixed. This could work as possible vulnerabilities that the hacker can exploit to gain access to your website. You can follow these steps to make remove the unused plugins:

  1. Go to Plugins → Install Plugins.
  2. You will see a list of all installed plugins. Click Delete on the plugin name to remove it, or click Deactivate to disable it.

To remove unused themes:

  1. Go to Appearance → Themes.
  2. Click Delete on the theme name to remove it.

You can also use a popular plugin manager to identify and delete unused plugins.


12. Set proper file permissions to restrict unauthorized access

Setting up access permissions is a great way to improve the security of your WordPress website. By defining which users can read, write, or edit with your WordPress files or folders, you can prevent unauthorized users from accessing sensitive files or making changes to your website.

Here’s how you can set access permissions in WordPress:

  1. Go to Settings > Permissions
  2. In the User Roles section, you will see a list of all the user roles on your website
  3. For each user role, you can set the following permissions:
  • Read allows users to view the website’s content.
  • Edit allows users to edit the website’s content.
  • Publish allows users to publish new content on the website.
  • Manage other users allows users to manage other users on the website.

Once you have set the permissions for each user role, click Save.


13. Use prepared statements or parameterized queries to protect against SQL injections

SQL injection is a type of cyber attack in which malicious actors insert harmful SQL code into input fields on a website to manipulate the site’s database and compromise its security. One effective approach to defend against SQL injection is to use prepared statements or parameterized queries. These techniques help prevent malicious SQL code from being injected into your queries by treating user input as data rather than executable code. The following are the steps to implement prepared statements or parameterized queries to protect against SQL injections:

  1. Choose a supported programming language and database combination.
  2. Rewrite queries using placeholders or parameters.
  3. Prepare the query template with placeholders for pre-compilation.
  4. Bind user-supplied values to the placeholders.
  5. Execute the prepared statement or parameterized query.
  6. Avoid dynamically generating queries with user input.
  7. Implement server-side input validation and sanitization.

By following these steps and implementing prepared statements or parameterized queries, you can significantly reduce the risk of SQL injection attacks and ensure the security of your website database.


14. Regularly scan your website for malware and suspicious activity

There are over 450,000 new malware and potentially unwanted programs (PUAs) registered every day. Certain types of malware have polymorphic abilities, allowing them to evade security detention by changing their structure. Therefore, it is important to regularly scan your WordPress site for malware because attackers are always creating new threats.

But the good thing is there are numerous scanner plugins available for WordPress that can help you identify and deduct such malware. These plugins offer a variety of security features such as real-time scanning and alerts, database backup, recovery tools, and other advanced features. Some of these popular plugins that you can consider include Wordfence and Sucuri Security.


15. Use SSL/ TLS for data protection

Secure Socket Layer or SSL is a security protocol that encrypts the data exchanged between websites and visitors, making it difficult for attackers to steal sensitive information. Most of the reputed hosting providers offer SSL certificates in their hosting plans. Additionally, many web security platforms and content delivery networks (CDNs) also provide free SSL certificates. You should check if your hosting provider or other web services comes with an SSL certificate. If not, you can always opt to buy it.

Once you have an SSL certificate installed on your website, you’ll be able to update the WordPress address and site address from “HTTP” protocol to the “HTTPS” protocol. The “HTTPS” protocol indicates that the connection between the web server and the browser is secured using SSL/TLS encryption. The “s” in “HTTPS” stands for “secured,” indicating the added security provided by the SSL certificate.


16. Disable directory indexing to prevent unauthorized browsing of directories

Disabling directory indexing is an essential measure to prevent unauthorized browsing of directories on your WordPress website. By default, web servers may display a list of files and folders when an index file is not found, potentially exposing sensitive information and vulnerabilities in plugins, content, or server configurations.

Hackers can exploit directory indexing to gather information about your website’s files and folders, which could be used to target vulnerabilities, gain unauthorized access, or steal data.

To disable directory browsing, you can add the directive Options -Indexes to your website’s .htaccess file. This file can be accessed through an FTP client or your web hosting control panel. Here’re the steps:

  1. Access your website’s .htaccess file, using an FTP client, such as FileZilla, or through your web hosting control panel.
  2. Locate the .htaccess file. It’s usually located in the root directory of your WordPress installation. If you cannot find it, ensure that you have enabled the option to display hidden files.
  3. Download a backup copy of the .htaccess file: Before making any changes, we recommend creating a backup of the original file and downloading it to your local computer.
  4. Open the .htaccess file in a text editor such as Notepad or TextEdit.
  5. At the bottom of the .htaccess file, add the directive Options -Indexes
  6. After adding the code, save the modified .htaccess file.
  7. Use your FTP client to upload the modified .htaccess file back to the root directory of your WordPress site, replacing the original file.
  8. Visit your website and try accessing directories without an index file. You should now see a “403 Forbidden” error or a similar message, indicating that directory indexing is disabled.

Alternatively, you can also use some security plugins that offer an option to disable directory indexing.


Wrapping up

To wrap up, securing your WordPress website is of utmost importance in the face of ever-evolving cyber threats. By implementing strong passwords, regular updates, and choosing a secure hosting provider, you can fortify your site against potential attacks. Remember, WordPress security is an ongoing process that requires vigilance. We hope this comprehensive guide has provided you with valuable insights to enhance your WordPress security. Safeguard your website and ensure a safer online presence for both your visitors and business. Stay secure and stay informed.

Shreyasi Choudhury: Shreyasi Choudhury, a content writer at Techuz, a premier web and mobile app development firm, I specialize in simplifying intricate technical ideas into compelling content. Proficient in SEO strategies and abreast of industry trends, I deliver captivating tutorials, documentation, and content to enrich user experience and foster success.