WordPress is one of the most popular content management systems out there and with good reason. It’s simple to use, there are thousands of themes and plugins available for it, and you can create any type of website with it. It’s no wonder then that WordPress powers 35.6% of all websites on the internet.

But, its popularity comes with a cost. WordPress is often targeted by hackers. According to Sucuri, in 2019, 94% of all website cleanup requests belonged to WordPress, a 4% increase from 2018.

CMS infections comparison

As such, securing your WordPress website should be at the top of your list, whether you have a personal portfolio, a business website or an online store.

When it comes to WordPress security, users usually fall into two camps: the ones who take security seriously and take precautionary measures and those who believe or hope it will never happen to them because their site is not important enough.

To get a sense of the scale of the problem, visit the Internet Live Stats page from time to time. It shows the number of websites hacked each day and lets you watch the count rise in real time.

Website hacked in real time

22 Steps to Secure Your WordPress Website

To prevent your site from ending up as one of the sites on the Internet Live Stats, follow the tips below and secure your WordPress website.

1. Opt For A Hosting Company With Security Features

The first step towards securing your WordPress website is to invest in a hosting company that implements proper security features. This includes support for the latest version of PHP, MySQL, and Apache as well as a firewall and 24/7 security monitoring.

If possible, choose a hosting company that performs daily backups and regular malware scans (like SiteGround for example). You can even find hosting companies that employ various DDOS prevention measures.

Your hosting company is usually the first wall hackers have to break through to get access to your site so investing more upfront and purchasing a more expensive hosting plan will definitely pay off. We recommend choosing a managed WordPress hosting provider.

2. Use Strong Passwords

Make sure that the passwords for your WordPress website as well as your hosting account area are both secure. Use a mix of uppercase and lowercase letters, numbers, and symbols to come up with a strong password. You can also use a password manager like LastPass to generate and store secure passwords for you.

3. Rename the “Admin” Username

WordPress used to set the default username as admin and most users never bothered to change it. As a result, admin is usually the first username hackers will try when they launch a brute force attack.

As such, you should never use the admin username for your WordPress website. If you’ve recently installed WordPress, chances are you had to set your own username. But if you’re a long-time WordPress user, you might still be using the admin username.

If that’s the case, create a new administrator account for your site by going to Users > Add New and choosing a strong username and password. Set the role to Administrator and then click the Add New User button.

Creating an administrator account

You’ll then log in with those new credentials and delete your old admin user. Remember to attribute all of the old user’s content to your new admin user when deleting the old one.

4. Use a Contributor or Editor Account to Post On Your Site

If you want to take the above tip a step further, create a contributor or editor account and use it for day-to-day publishing. A compromised contributor or editor account does far less damage because those roles don’t have administrator privileges.

5. Use a Backup Plugin

If you’re not backing up your website yet, you need to start right away. A backup system will help you restore your site if the worst happens and your site ends up being hacked.

Use a plugin like UpdraftPlus to create a regular backup schedule for your website and don’t forget to store the backup files offsite to ensure those files don’t end up infected as well.

6. Harden The Admin Area

When it comes to hardening the admin area, you’ll need to change the default admin URL and limit the number of failed login attempts before a user is locked out of your site.

By default, the admin URL for your website will look like this: yourdomain.com/wp-admin. Hackers know this and will attempt to access this URL directly so they can gain access to your site.

You can change this URL with a plugin like WPS Hide Login.

WPS Hide Login

To limit the number of failed login attempts, you can use the Login LockDown plugin.

Login LockDown

7. Keep Files Up to Date

Outdated core files, themes and plugins pose a security risk because they leave your site open to publicly known exploits. That’s why you need to install updates as soon as they are released.

While you’re at it, make sure to regularly go through your installed plugins and deactivate and delete the plugins you’re not using anymore.

8. Protect Your Computer

You might be wondering what your computer has to do with your website. If your computer is infected with a virus and you access your site or upload files to it, those infected files can infect your website as well. In short, make sure to:

  • Avoid using public Wi-Fi networks to access your site
  • Install anti-virus software and make sure it’s up to date

9. Change Your Database Prefix

Another fact well known to WordPress attackers is that the default database table prefix is wp_. Knowing the table names in advance makes it easier for automated SQL injection tools to target your site.

Changing your database prefix is a manual process that involves editing your wp-config.php file and changing the table names using phpMyAdmin. Before making the change, be sure to backup your site as a preventative measure.

Editing wp-config

You’ll need to log in to your hosting account and access your cPanel or whichever control panel your host is using. Then, open the File Manager and locate your wp-config.php file in the WordPress directory.

Find the table prefix line, which looks like this: $table_prefix followed by an = sign and the prefix itself. Replace the default string with your own prefix using a combination of numbers, underscores, and letters, like so:

$table_prefix = 'hgwp_3456_';

Once you’re done editing the wp-config.php file, exit the File Manager and open phpMyAdmin so you can change all the table names. Doing this manually can be tedious as there are 11 tables in total that you need to edit. Instead, you can run an SQL query by going to the SQL tab.

running an SQL query

Then input this:

RENAME TABLE `wp_commentmeta` TO `hgwp_3456_commentmeta`;
RENAME TABLE `wp_comments` TO `hgwp_3456_comments`;
RENAME TABLE `wp_links` TO `hgwp_3456_links`;
RENAME TABLE `wp_options` TO `hgwp_3456_options`;
RENAME TABLE `wp_postmeta` TO `hgwp_3456_postmeta`;
RENAME TABLE `wp_posts` TO `hgwp_3456_posts`;
RENAME TABLE `wp_terms` TO `hgwp_3456_terms`;
RENAME TABLE `wp_termmeta` TO `hgwp_3456_termmeta`;
RENAME TABLE `wp_term_relationships` TO `hgwp_3456_term_relationships`;
RENAME TABLE `wp_term_taxonomy` TO `hgwp_3456_term_taxonomy`;
RENAME TABLE `wp_usermeta` TO `hgwp_3456_usermeta`;
RENAME TABLE `wp_users` TO `hgwp_3456_users`;

The statements above rename the tables, but some rows inside them still carry the old prefix in their keys (the wp_user_roles option, for example), and WordPress will not recognise them until they are renamed too. Run the query below to find option names that still reference the old prefix (the underscore is escaped because it is a single-character wildcard in LIKE):

SELECT * FROM `hgwp_3456_options` WHERE `option_name` LIKE '%wp\_%'

You’ll also want to search the usermeta table and rename any leftover keys to the new prefix:

SELECT * FROM `hgwp_3456_usermeta` WHERE `meta_key` LIKE '%wp\_%'
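Typing twelve RENAME statements by hand is error-prone (a single mistyped target name leaves a table behind), and the follow-up SELECTs only find the leftover rows rather than fixing them. The script below is an added example, not code from the article: it generates the full migration for the core tables from one list and also emits the UPDATE statements that rewrite the option_name and meta_key values still carrying the old prefix. The table list and the prefixes are the ones used in the article; the whitelist check on the prefix is an assumption added so that the value can never break out of the quoted identifier.

```python
"""Generate the SQL for moving WordPress core tables to a new prefix.

Added example (not from the original article or from WordPress): builds the
RENAME TABLE statements for all core tables from one list, plus the UPDATE
statements that rename option_name / meta_key rows (such as wp_user_roles,
wp_capabilities and wp_user_level) that still start with the old prefix.
"""
from __future__ import annotations

import re

# WordPress core tables (constructed list, matching the article's RENAME list).
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "termmeta", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]

# Only letters, digits and underscores, ending in an underscore.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+_$")


def validate_prefix(prefix: str) -> str:
    """Reject anything that could escape the backtick-quoted identifier."""
    if not PREFIX_RE.match(prefix):
        raise ValueError(f"invalid table prefix: {prefix!r}")
    return prefix


def rename_statements(old: str, new: str) -> list[str]:
    """One RENAME TABLE per core table, old prefix -> new prefix."""
    validate_prefix(old)
    validate_prefix(new)
    return [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in CORE_TABLES]


def fixup_statements(old: str, new: str) -> list[str]:
    """Rewrite option/meta keys that begin with the old prefix.

    '_' is a single-character wildcard in LIKE, so it is escaped; SUBSTRING
    strips the old prefix and CONCAT prepends the new one.
    """
    validate_prefix(old)
    validate_prefix(new)
    like = old.replace("_", r"\_")
    start = len(old) + 1  # SQL SUBSTRING positions are 1-based
    return [
        f"UPDATE `{new}options` SET `option_name` = "
        f"CONCAT('{new}', SUBSTRING(`option_name`, {start})) "
        f"WHERE `option_name` LIKE '{like}%';",
        f"UPDATE `{new}usermeta` SET `meta_key` = "
        f"CONCAT('{new}', SUBSTRING(`meta_key`, {start})) "
        f"WHERE `meta_key` LIKE '{like}%';",
    ]


def migration_script(old: str = "wp_", new: str = "hgwp_3456_") -> str:
    """Full script: renames first, then the key fix-ups on the renamed tables."""
    return "\n".join(rename_statements(old, new) + fixup_statements(old, new))


if __name__ == "__main__":
    # Paste the output into the phpMyAdmin SQL tab after taking a backup.
    print(migration_script())
```

Run the UPDATE statements only after the RENAMEs have succeeded, and still take the backup the article recommends first: the script does not touch plugin-created tables, which you will need to add to CORE_TABLES if your site has any.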

10. Harden Your .htaccess and wp-config.php Files

.htaccess and wp-config.php are the most important files in your WordPress installation. As such, you need to make sure they are secure and protected.

Add the snippets below to your .htaccess file, outside the # BEGIN WordPress and # END WordPress markers so that WordPress doesn’t overwrite them when it rewrites that section. They use the Apache 2.2 access-control syntax; on Apache 2.4 they only work while the mod_access_compat module is loaded, otherwise use the equivalent Require directives.

<Files wp-config.php>
order allow,deny
deny from all
</Files>

<Files .htaccess>
order allow,deny
deny from all
</Files>

<Files wp-login.php>
order deny,allow
deny from all
# allow access from my IP address (replace 203.0.113.10 with your own)
allow from 203.0.113.10
</Files>

The snippets above stop wp-config.php and .htaccess from being served to visitors, and restrict the wp-login.php screen to the listed IP address. If your address changes you will lock yourself out of the dashboard, so keep control-panel or FTP access handy to edit the file.

Lastly, to prevent PHP files in your uploads directory from being executed, create a separate .htaccess file inside wp-content/uploads containing the snippet below. Don’t add it to the root .htaccess, where it would block every PHP file including WordPress itself:

<Files *.php>
deny from all
</Files>

11. Check and Change the File Permissions

When you’re done securing your .htaccess and wp-config.php file, stay a little longer in your cPanel and check the file permissions for the files and folders in your WordPress website.

File Permissions

According to the WordPress codex, the permissions should be set as follows:

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600

If your settings are more permissive than this, attackers may be able to read or change the contents of those files and folders, which can lead to your site being compromised and, on shared hosting, to other sites on the same server being affected as well.
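Checking permissions by eye in a file manager does not scale beyond a handful of folders. The script below is an added example, not code from the article or from WordPress: it walks an installation directory and reports every entry whose mode falls outside the codex recommendations listed above (directories 755 or 750, files 644 or 640, wp-config.php 600). The sample tree it builds in a temporary directory is constructed for demonstration, with a few deliberate mistakes; point audit_permissions at your real document root to audit a live site.

```python
"""Audit file and directory modes under a WordPress root.

Added example (not from the article): walks a directory tree and reports
every entry whose mode differs from the WordPress codex recommendations.
It only reports; fixing is left to an explicit chmod so nothing changes
by surprise.
"""
from __future__ import annotations

import os
import stat
import tempfile

ALLOWED_DIR_MODES = {0o755, 0o750}
ALLOWED_FILE_MODES = {0o644, 0o640}
WP_CONFIG_MODE = 0o600


def expected_ok(path: str, mode: int, is_dir: bool) -> bool:
    """Apply the codex policy to one entry."""
    if is_dir:
        return mode in ALLOWED_DIR_MODES
    if os.path.basename(path) == "wp-config.php":
        return mode == WP_CONFIG_MODE
    return mode in ALLOWED_FILE_MODES


def audit_permissions(root: str) -> list[tuple[str, str]]:
    """Return (path relative to root, octal mode) for each entry outside the policy."""
    findings: list[tuple[str, str]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # the mode of a symlink itself is not meaningful
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if not expected_ok(full, mode, is_dir):
                findings.append((os.path.relpath(full, root), f"{mode:o}"))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample install with deliberate mistakes for demonstration."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    content = os.path.join(root, "wp-content")
    os.mkdir(content)
    os.chmod(content, 0o755)             # correct
    uploads = os.path.join(content, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)             # too open
    samples = [
        ("index.php", 0o644),                                   # correct
        ("wp-config.php", 0o644),                               # should be 600
        (os.path.join("wp-content", "uploads", "a.jpg"), 0o666),  # too open
    ]
    for name, mode in samples:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel_path, mode in audit_permissions(build_sample_tree()):
        print(f"{mode}\t{rel_path}")
```

The audit deliberately treats 777 on wp-content/uploads as a finding even though some hosts set it so the web server can write uploads; on such a host the fix is to make the server user own the directory, not to open it to everyone.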

12. Use Two-Factor Authentication

Consider using a plugin like Google Authenticator to set up two-factor authentication for your site. This means that in addition to entering your password, you will also have to enter a code generated by a mobile app to log in to your site. This can stop brute-force attacks so it’s a good idea to set it up now.

Google Authenticator

13. Disable XML-RPC

XML-RPC lets your site talk to the WordPress mobile apps and to plugins like Jetpack. Unfortunately, it’s also a favorite of attackers, because the protocol lets a single request bundle many method calls at once (system.multicall), which makes password guessing against your site far cheaper. If you don’t rely on it, use a plugin like Disable XML-RPC to turn the feature off.

Disable XML-RPC

14. Use HTTPS and SSL

The Internet has been buzzing with blog posts and articles about the importance of HTTPS protocol and adding SSL security certificates to your site for quite some time now.

HTTPS stands for Hypertext Transfer Protocol Secure, while SSL stands for Secure Sockets Layer (its modern successor is TLS). In a nutshell, HTTPS lets a visitor’s browser establish an encrypted connection with your hosting server (and therefore your site); the HTTPS protocol is secured via SSL/TLS. Together, they ensure that all the information exchanged between a visitor’s browser and your site is encrypted in transit.

Using both on your site will not only increase your site’s security, but it will also benefit your search engine rank, establish trust in your visitors, and improve your conversion rate.

Talk to your hosting provider about obtaining an SSL certificate, or ask them to point you to a reputable company where you can buy one.

15. Disable Theme and Plugin Editing Through Your WordPress Dashboard

Having the option to edit your theme and plugin files right within your WordPress dashboard is handy when you need to quickly add a line of code. But it also means that anyone who logs into your site can access those files.

Disable this feature by adding the following code to your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

16. Move The wp-config.php File To A Non-WWW Directory

As mentioned earlier, the wp-config.php file is one of the most important files in your WordPress installation. Make it harder to access by moving it from the root directory to a non-www accessible directory.

  1. For starters, copy the contents of your wp-config.php file into a new file and save it as wp-config.php.
  2. Go back to your old wp-config.php file and add the line of code below:

  3. Upload and save the new wp-config.php file to a different folder.

17. Change Your WordPress Security Keys

WordPress security keys and salts are used to sign and hash the information stored in users’ authentication cookies, so that cookies can’t be forged or tampered with. They are located in the wp-config.php file and look like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Use the WordPress Salts Key Generator to replace the placeholder phrases with long random strings and make your site more secure. Changing the keys later also invalidates every existing login cookie, which is exactly what you want right after a suspected compromise.
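If you would rather not fetch secrets from a web page, the script below generates the same eight define() lines locally. It is an added example, not code from the article or from WordPress: it draws each value from the operating system’s cryptographically secure random source via Python’s secrets module and restricts the alphabet so the output can be pasted into a single-quoted PHP string without escaping. The 64-character length is an assumption chosen to match the length the official generator produces.

```python
"""Generate the eight WordPress security keys and salts locally.

Added example, not from the article or from WordPress: a stand-in for the
online Salts Key Generator that uses the OS CSPRNG so the secrets never
leave your machine. Paste the output over the existing define() lines in
wp-config.php; doing so logs every user out.
"""
from __future__ import annotations

import secrets

KEY_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]

# Printable ASCII minus quotes and backslash, so a value can sit inside a
# single-quoted PHP string ('...') without any escaping.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")
KEY_LENGTH = 64  # assumption: matches the length of the official generator's output


def random_key(length: int = KEY_LENGTH) -> str:
    """One key: `length` characters chosen with secrets.choice (CSPRNG-backed)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_salts() -> dict[str, str]:
    """A fresh, independent value for each of the eight constants."""
    return {name: random_key() for name in KEY_NAMES}


def php_defines(salts: dict[str, str]) -> str:
    """Render as the define() lines wp-config.php expects, in the usual order."""
    return "\n".join(f"define('{name}', '{value}');" for name, value in salts.items())


if __name__ == "__main__":
    print(php_defines(generate_salts()))
```

Generate the values on the machine you edit wp-config.php from, paste them in, and do not keep a copy elsewhere; if you ever need to rotate them, simply run the script again.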

18. Disable Error Reporting

Error reporting is useful for troubleshooting and determining which specific plugin or theme is causing an error on your WordPress website. However, when an error is displayed to visitors it includes your server path as well. Needless to say, this hands attackers information about your server layout and which components to probe for vulnerabilities.

You can disable this by adding the line below to your wp-config.php file (and make sure WP_DEBUG is not left enabled on a production site):

@ini_set('display_errors', 0);

19. Remove the WordPress Version Number

Anyone who takes a peek at the source code of your website can tell which version of WordPress you’re using. Since each WordPress release has a public changelog listing the bugs and security fixes it contains, an attacker can easily work out which known holes an outdated site still has.

WordPress version

Luckily, there’s an easy fix. You can remove the WordPress version number from the page header by editing your theme’s functions.php file and adding the following (this only hides the generator tag; keeping WordPress up to date is what actually closes those holes):

remove_action('wp_head', 'wp_generator');

20. Use Security Headers

Another way to secure your WordPress website is to implement security headers. Typically they are set at the server level to reduce the impact of common attacks and cut down the number of exploitable weaknesses. You can also add them yourself from your theme’s functions.php file; because PHP’s header() function must run before any output is sent, hook the calls to an early WordPress action such as send_headers.

Security Headers

Cross-site scripting attacks

Add the following code to restrict where content, scripts, styles and other resources may be loaded from:

header('Content-Security-Policy: default-src https:');

This policy allows resources only over HTTPS and blocks inline scripts and styles, so test it against your theme and plugins before deploying it; a tighter policy lists the specific origins your site actually uses instead of any HTTPS origin.

Iframe clickjacking

Add the line below to instruct the browser not to render your pages inside a frame on another site:

header('X-Frame-Options: SAMEORIGIN');

X-XSS-Protection and X-Content-Type-Options

Add the following lines to enable the built-in XSS filter of older browsers and to tell browsers not to sniff MIME types. Modern browsers have removed the XSS filter and ignore X-XSS-Protection, so the second header is the one that still matters:

header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');

Enforce HTTPS

Add the code below to instruct the browser to only use HTTPS for your site for the next year. The preload directive asks for your domain to be included in browsers’ built-in HSTS lists, which is hard to undo, so add it only once every subdomain is permanently served over HTTPS:

header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');

Cookies with the HttpOnly and Secure flags in WordPress

Mark cookies HttpOnly (not readable by JavaScript, which blunts cookie theft via XSS) and Secure (only sent over HTTPS) by adding the following. Note that these ini settings apply to PHP session cookies; WordPress’s own login cookies are already HttpOnly and become Secure when the site is served over HTTPS:

@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

If you don’t want to add these headers manually, consider using a plugin like Security Headers. Regardless of which method you choose to implement the security headers, be sure to test them using Security Headers website and entering your site’s URL.
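Before relying on an external scanner, it helps to check the response headers yourself against the list above. The script below is an added example, not code from the article or from the Security Headers plugin or website: it parses a raw HTTP response header block and reports which of the headers from this step are missing or weaker than recommended, including the HttpOnly and Secure flags on any Set-Cookie lines. The embedded response is a constructed sample of a partially hardened site; to audit a live site, feed it the header block captured with a tool such as curl -I.

```python
"""Check a site's HTTP response headers against the hardening list above.

Added example, not from the article: parses a raw response header block
(a constructed sample is embedded below) and reports which recommended
headers are missing or weakly configured.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # the max-age the article recommends for HSTS

# Constructed sample: what a partially hardened WordPress site might return.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=300
Set-Cookie: wordpress_logged_in_abc=token; path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Lower-case header names (they are case-insensitive); keep repeats (Set-Cookie)."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit_headers(raw: str) -> list[str]:
    """One finding per problem; an empty list means every check passed."""
    h = parse_headers(raw)
    findings: list[str] = []
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if h.get("x-frame-options", [""])[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    if hsts_max_age(h.get("strict-transport-security", [""])[0]) < ONE_YEAR:
        findings.append("Strict-Transport-Security missing or max-age below one year")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs or "secure" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly and/or Secure")
    return findings


if __name__ == "__main__":
    problems = audit_headers(SAMPLE_RESPONSE)
    for finding in problems:
        print("FAIL:", finding)
    if not problems:
        print("all header checks passed")
```

The X-XSS-Protection header is deliberately not checked, since current browsers ignore it; if you still send it for legacy clients, nothing here will complain.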

21. Prevent Hotlinking

Hotlinking is not a security breach per se, but since it means another website linking directly to an image or other media file on your server, it is considered theft. As such, hotlinking can lead to unexpected costs, not only because you may have to deal with legal ramifications but also because your hosting bill can go through the roof if the site that took your image receives a lot of traffic.

Add the code below to your .htaccess file if you’re using the Apache server and replace the dummy domain with your actual domain name. The first condition lets requests with no Referer header through (direct visits and many privacy-conscious browsers send none), so that you don’t block your own visitors:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Alternatively, if you’re using an NGINX server, add the following to your server block (the none and blocked keywords allow requests without a usable Referer, and the search engines are listed so image search previews keep working):

location ~ \.(gif|png|jpe?g)$ {
    valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}

22. Log Out Idle Users

The last tip in this guide for increasing your site’s security is to log out idle users after a period of inactivity. You can use a plugin like Inactive Logout to automatically terminate inactive sessions.

Inactive Logout

This is necessary because if you log into your website to add a new blog post and get distracted by another task, your session can be hijacked and hackers can abuse the situation to infect your site. It’s even more important to terminate inactive sessions if you have multiple users on your site.

Wrapping Up

WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. But because it’s so popular, it’s also a favorite target for hackers. Luckily, there are a number of steps you can take to protect your WordPress site and if you follow the tips in this article, you’ll be well on your way to having a secure WordPress website.