20 Effective WordPress Security Measures for Your Website

Wordpress security
While acknowledging that no platform is entirely immune to cyber threats, WordPress security extends beyond mere surface-level defenses.

Ensuring robust security standards is a critical aspect for every website, regardless of its scale or purpose. Whether it’s a large corporate platform, a small business site, or even a personal blog, hackers show no discrimination in seeking vulnerabilities to exploit.

Powering one-third of all global websites, WordPress, a versatile content management system (CMS), grants webmasters the flexibility to modify various elements. However, this popularity has made it a prime target for cyber attacks, posing a considerable threat.

The repercussions of a successful hack can be catastrophic for businesses. From unauthorized access to confidential customer data and credential theft to website misconfigurations, the impact can be far-reaching. Financial devastation is also a real possibility if payment details are compromised. Beyond the immediate consequences, a security breach can erode brand trust, authority, domain value, and even result in a decline in search rankings. These risks underscore the imperative of prioritizing website security.

While acknowledging that no platform is entirely immune to cyber threats, WordPress security extends beyond mere surface-level defenses. It involves safeguarding the source code itself, a shared responsibility between hosting providers and site owners. In this article, we’ll provide an overview of website security and guide you through steps to fortify your site. Keep reading to empower your website against potential threats!

How to strengthen your WordPress Security

Building a worthy website requires time, effort and energy. But, all these efforts will turn to a fiasco if the security is not taken care of. Certainly, not paying due attention to WordPress security can have lasting aftereffects.  

Yet, protecting your website is much easier than you thought. So, if you diligently followed this list of WordPress security measures for your website, I guarantee that the risks will reduce to a bare minimum.

  1. Keep WordPress updated

Many cyber attacks on WordPress sites strike smaller ones. Next to that, those running older versions of WordPress that haven’t been updated are also vulnerable. Owners of these sites might not expect that their sites might be targets, but they may be even more vulnerable than larger sites. Installing all of the frequent updates released by WordPress is a key step in keeping a website secure. And that also includes updates to themes and plugins installed from WordPress and from third-party developers.

  1. Keep your devices secure

WordPress security won’t help if the devices used to manage the site are compromised. Security experts recommend making sure that all computers and mobile devices used for accessing and managing a WordPress site be regularly monitored and updated with effective firewalls and malware scans. 

  1. Secure passwords and permission

Hackers often attempt to get access to a site by “brute-force attack” — entering usernames and passwords again and again until one works. The default username for a WordPress website is “Admin,” which is an easy one to guess. So, you must change that to something unique as soon as possible.

Restricting permission to access the site and its directories and disabling file editing can also help. This is because WordPress code can easily be edited by anyone who can open it. WordPress has several levels of permission, so only assign the highest permission to the few people who need it. Likewise, you should limit login attempts and set notifications for excessive logins. Excessive failed login attempts is a sign that someone is trying to hack into your website using brute force tactics.

  1. Update your PHP to the latest version

Speaking of updates, there is another update that you need to take care of – the PHP version. PHP is the core programming language of WordPress. Certainly, updating it to its latest stable version will enhance your WordPress security.

Note: PHP version 7.0 and older do not have security support and are susceptible to known and unpatched vulnerabilities. Therefore, you must update to the latest PHP version.

Here is how you can update your PHP:

Log into your cPanel

Navigate to the Software section. Click on PHP configuration

Next, select the latest stable version of the PHP and click on update.

Review the changes in phpmyinfo

  1. Remove defunct Plugins/themes

If you have not used a plugin for the longest time, you must get rid of it to secure your WordPress. This is because even though the plugin is no longer in use or is disabled, the files still exist. Further, these files might contain vulnerabilities unknown to you. Above all, attackers could exploit these vulnerabilities easily. Thus, delete the defunct plugins & themes.

  1. Install WordPress security plugins

There are a lot of plugins for security and site monitoring available from WordPress and from numerous third-party designers and developers worldwide. You can install these plugins on any compatible WordPress website for added security that’s specific to a site’s unique functions. Any security plugins that are installed to protect your site will need to be updated as recommended.

These security plugins can be broadly categorized into two groups: full security suites and single-issue security plugins. Full security suites encompass multiple security needs within a single plugin. Some popular options include:

JetPack for WordPress


Sucuri Monitor

These tools cover everything from bot-driven brute force attacks to manual blocking of malware injection attempts and other hacks. They represent a great choice for beginning WordPress owners who want a solution to cover multiple needs.

  1. Backup your WordPress site

Backing up your WordPress website is always a good idea in case of accidental loss or errors when editing WordPress. It also makes good sense from a security standpoint to back up your website. You should do this at least once, and preferably multiple times. If a site is compromised with malicious code or viruses, a clean backup can be restored at any time, or the site can be moved to a new host if necessary using the backup versions.

To make your backups more functional, you should include the following files and folders in your backup:

1. The WordPress Files

  • The Core Installation
  • WP Plugins
  • WordPress Themes
  • Images and Files
  • JavaScript and PHP scripts, and other code files
  • Additional Files and Static Web Pages

2. The WordPress Database

The WordPress database stores crucial information like details of posts, pages, comments, tags, users, categories, custom fields, etc. Hence, it is extremely important to include this in the backup.

Verifying that the backup is functional is part of the process. In the end, make sure to test if the backup completes its motive and allows quick and full recovery of your working website.

Note – Maintain your backup against a date and time stamp.

a) Backup of the WordPress Database

For the WordPress database backup, use the MySQL command line. Otherwise, administrative interfaces like phpMyAdmin can also be used.

You can take backups manually, through cPanel, cloud, etc. We have covered a few methods here:

a) How to do Manual backup of WordPress

Follow these steps to take a backup manually –

Compress your website files

Download it to your local device

Store it remotely

Build a backup manager with files name, backup date & time as a parameter

Now, backing up manually can prove to be a tedious & time-consuming task. You have to monitor the download of each & every file carefully. Further, the management of backups is again a lot of work.

The one free alternative offering full backup capabilities that stand out of the list is BackWPup. You can skip all this, and use a WordPress plugin instead. Plugins like Updraftplus, Backupbuddy, etc automate the whole process of backing up and is super easy to use.

b) WordPress backup through cPanel 

Another option is to backup through Cpanel. Here is how you can do this:

Log into your cPanel control panel.

Click on the “Backup” icon.

Select “Generate / Download a Full Backup”.

Select “Home Directory” in “Backup Destination” and enter your email address, before clicking the “Generate Backup” button.

You’ll receive an email when the backup is ready.

c) Cloud Backup of your WordPress

Backing up on the cloud is the most convenient way for backing up a WordPress website. Various cloud services like Amazon S3, Dropbox, stash, etc simplifies the backup procedure.

  1. Host your WordPress website on a secured server

The hosting server plays an important role in the security of your WordPress website. Choosing a host wisely can be a game-changer in WordPress security. While selecting a server you must consider the following:

  • Authority
  • Reviews and ratings
  • Support
  • Customization
  • Loading time
  1. Customize the login page to increase security against Brute-Force attacks

Protecting your login and admin pages is another way to secure your WordPress. Attackers can break into your website through brute-forcing if it is left unsecured. Now, brute-force attacks use the hit and trial method to guess the combination of username and password of your website at a freakingly high speed.

Set strong and unique usernames & passwords for each of these pages. Avoid using an obvious username like ‘admin’, your website’s name, your own name, a proper word that could be found in the dictionary. Same goes with the passwords, refrain from using ‘Password’, your own name, your website’s name, etc as your password.

  1. Protect wp-config File

 wp-config.php contains the configuration details of your WordPress website. Any absurd compromisation in this file can break your website completely. Hence, the wp-config file should be handled with extra care and must be secured with utmost urgency. Further, it also stores sensitive information about WordPress database credentials.

Some ways to secure the wp-config file are:

Moving it outside the root folder

Blocking internal access and code modifications to your wp-config.php

Modifying the default wp-config.php File

Setting 400 permission in the wp-config.php file. This means that the user and groups have permission to only read and others have no access at all.

  1. Restrict Access To wp-admin

The wp-admin is the administrator area of your website. It can be said that it is the controller of your website. Hackers constantly try to brute-force it to hijack the whole website. This makes it vital to secure the wp-admin area to tighten your WordPress security. You can secure your wp-admin area as follows:

Restricting access and allowing only selected IP addresses to your admin page is one way to secure it. This way, any unknown IP automatically gets blocked. In your wp-admin folder, create a .htaccess file and paste the following code there:

  1. Stay on top of spam

New WordPress sites and those that aren’t regularly maintained are prime targets for spam comments. Such spam can easily infect a site with malware. Hence, you should set tight spam filters and keep them updated with the latest version. Next to that, it’s essential to monitor comments carefully and block questionable comments from your site’s Admin WordPress dashboard.

  1. Update WordPress security keys

Secret security keys ensure the security of cookies in your WordPress website. You must set up security keys to discourage any stealing of cookies and impersonation of users. After you have set the secret security keys, it will nullify all the current sessions and will require the user to re-authenticate. Above all, the administrator must change the security keys if there is any compromisation to them or even suspicion of compromisation.

You can generate secret keys both manually as well as with the help of an online key generator. WordPress also has its official secret key generator. Generate keys from here and paste these keys in the wp-config file and you are good to go.

  1. Hide the WordPress version number to protect WordPress from known vulnerabilities

Known vulnerabilities in different WordPress versions are easily available on the internet. These databases serve as a treasure for hackers. They use bots/botnets to hunt for WordPress websites with these outdated versions. Once a bot reaches your website, the first thing it looks for its version number and the listed vulnerability in it. When they do find one such website, they exploit the vulnerability.

 You can protect your website from these attacks by simply hiding your WordPress version number.


Hide the WordPress version number from Generator meta tag,

Navigate to your root directory

Go to /wp-content/themes/ directory

In the functions.php file, add the following line of code

remove_action(‘wp_head’, ‘wp_generator’);

Hide the WordPress version number from the default RSS feeds as follows:

Navigate to your root directory

Go to /wp-content/themes/ directory

In the functions.php file, add the following lines of code at the bottom

function remove_wp_version_rss() {





There are plugins available which hide the WordPress version number, we recommend using the Meta Generator and Version Info Remover plugin.

  1. Disable PHP execution when not needed

While WordPress automatically runs PHP file execution for all directories of the website, it’s best that you disable it for such directories as /wp-content/uploads/. You’ll be able to do this using FTP access. Here is how:

Access your website with FTP

Navigate to /wp-content/uploads/ directory

Paste the following code and save the document under the .htaccess format.

<Files *.php>

deny from all


  1. Improve hardware protection

It’s only logical to protect the hardware you are accessing your website with. A non-secured PC with security vulnerabilities serves as a way for hackers to enter your website. Ensure that your gadget is well-protected by a firewall and anti-virus software installed. This will not only block WordPress attacks but also any coming online security threats.

Like in the case a website, defunct plugins are a problem, similarly obsolete & defunct applications are an invitation to the threat too. Thus, remove all unnecessary/obsolete applications from your device.

Most applications ask for different permissions right after you install them. As a thumb rule, try giving the least privileges to them.

  1. Disable script injections

Disallow script injections to prevent hackers from injecting malicious code into existing PHP documents. You can disable the script injections by adding the following code:

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]

  1. Download plugins from reputable sources

Not all plugins have dedicated developers behind them. A lot of plugins on WordPress aren’t even maintained that often. So, before opting for any random plugin by a third party you must consider the following points:

  • Reviews and ratings
  • Last update and the frequency of updates


  1. Scan WordPress for malware & backdoors regularly

Monitoring your website is equally important than securing it. Having a proactive malware scanner that scans your website periodically is crucial for WordPress security. Scanning your site every once in a while for viruses and malware lets you be updated with the well-being of your website.

By scanning the website, you’ll be able to detect the risk of security breaches instead of having to deal with actual attacks as they happen.

  1. WordPress Security Audit

You applied every security measure on your site, however, even then it needs regular maintenance. A premium security audit can greatly help you here. Every now and then your website needs to be checked for new vulnerabilities and broken security.

Astra’s Vulnerability Assessment and Penetration testing program has engineers look into your website for possible vulnerabilities. In a security audit like this, your source code, plugins, and themes are thoroughly audited. It also uncovers loopholes and backdoors in your website.


These WordPress security tips will ensure that your website remains protected from online threats.

Cyberattacks may come in different forms, from malware injection to DDoS attacks. WordPress websites, in particular, are common targets for hackers due to the CMS’s popularity. Therefore, WordPress website owners must know how to secure their sites.

However, securing a WordPress site is not a one-time task. You need to continuously reassess it since cyberattacks are ever-evolving. The risk will always be there, but you can apply WordPress security measures to reduce those risks.

Hopefully, this article helped you understand the importance of WordPress security measures and how to implement them.

You must persevere to apply and maintain these on your WordPress site for enhanced security. 


Leave a Comment

Your email address will not be published. Required fields are marked *

Getting Started with Canva
Getting Started with Canva Ebook

Social Media

Most Popular

Get The Latest Updates

Subscribe To Our Weekly Newsletter

No spam, notifications only about new products, updates.


On Key

Related Posts