Improve Security WordPress Site

How to Improve the Security of a WordPress site is an issue that every WordPress user needs to pay attention to. Every day google blacklist thousands of websites for security reasons.

Google Safe browsing report
Source: Safe Browsing: malware and phishing

As you can see on February 23, 2020, Google count more than 47000 websites as a phishing website. And every day, around 1000 website lists as malware websites.

Website security involves mostly the hosting server and the WordPress source code. Today We will discuss how to increase the Security of your WordPress Site.

Why is Website Security Important?

In the Internet era, it is difficult for companies to conduct business without the Internet, and keeping a website safe should be a top priority.

By improving network security, you can reduce opportunities for privacy violations, identity, or information theft. Piracy is a significant concern for companies and suffers from it.

As hacking tools become more and more complex, high IQ is not required to hack someone’s computer or server. Of course, some people have developed complex skills and know-how to infringe on the privacy of users in many ways, but this type of person is not as common as it used to be.

How to Increase The Security Of WordPress Site?

1. Choose a safe and reliable host

Choose a safe and secure host carefully; do not use free hosts and low-quality hosts. Free hosting is only suitable for learning at the beginner. You can use free hosting only for learning purposes. But We don’t recommend using free hosting to host officially launched websites. Of course, it’s best not to use the services of those host companies that are particularly cheap and have little management experience.

It is better to use VPS hosting because it will give you some extra features that will save you money and improve security.

There are some excellent quality hosting companies that are recommended by WordPress. Such as Bluehost, Namecheap, Godaddy, and so on.

2. Update the latest version of WordPress

In statics have seen that most of the hacked website was an older WordPress version. So Only download the source code from the official WordPress site. Do not download from third-party websites. Upgrade to the latest version of WordPress whenever possible, and patch bugs in time, including WordPress core source code, WordPress themes, and WordPress plugins.

3. Use official WordPress themes and plugins

The official ones mentioned here are the official WordPress themes or plugins. Official themes and plugins are reliable and malware. You can use them without any hesitation. Also, you can use premium themes and plugins from the authorized websites. Try to avoid using “cracked” versions of themes and plugins. Crack versions have tended to input malware on your website that can be insecure on your website.

4. Modify the database default prefix wp_

Many bloggers who first installed WordPress used the default table prefix wp_ of the database directly when installing WordPress. It is said that this default prefix will have security risks, so it is generally recommended to modify the database directly when installing WordPress The default table prefix wp_, such as abc_, etc.

For new WordPress users, to reduce database damage caused by misoperation, it is recommended to directly install the Change Table Prefix plugin to modify the default table prefix. The method is straightforward, you can directly enter in the background> Plugins> Add New> search “Change Table Prefix” to find and click “install now.”

As the Change Table Prefix plugin is successfully installed and enabled, directly in the background> Settings> Change Table Prefix> check “Would you like to your custom prefix.”. And then fill in the table we want to modify below Prefix (such as abc_), and finally click the “Click To Change Table Prefix” button to successfully edit the table prefix, as follows:

5. Modify the default username admin

WordPress 3.0 and above already support custom login username during installation. If you use the default admin, we suggest you modify it according to the following methods: Three ways to change your WordPress Username

It is also recommended to adjust the nickname in “My Profile” and set other ways to “publicly show as” a non-username:

6. Use advanced passwords, change passwords often

It is recommended to use complex passwords with uppercase letters, lowercase letters, numbers, and other symbols, such as nuH4j & * aHG%dMz, and avoid using birthdays, mobile phone numbers, Whatsapp numbers, etc.

Tasty Passwords by Mozilla

Mozilla Firefox has counted this sweet password. But cute passwords won’t protect you from hackers. Try to use a variety of passwords. You can use an auto-generated password also.

7. Hide WordPress version information

By default, the WordPress version information is output in the header. You can add this inside the function.php file.

// Hide version number  
function remove_version_info() { return ''; } add_filter('the_generator', 'remove_version_info');

Also, you can use Sucuri to remove the WordPress version.

Improve security WordPress Site by hardening

8. Modify the access permissions of the wp-admin directory

You can protect it by restricting the IP address to the WordPress admin folder, and all other IP addresses return a forbidden message. Also, you need to put a new .htaccess file in the wp-admin directory to prevent the .htaccess file in the root directory from being replaced.

9. Regularly backup website data

Backup is an important thing to secure your website. Remember, nothing is 100% secure in this world. Everything has a back door.

If NASA, Google, or popular site can hack, so why not yours. It’s best practice to backup data regularly. So that you can recover your site if anything happens.

You can use the WordPress backup plugin for automatic or manual backups. There are some free plugins that you can use, but it has a limit. Such they can reserve up to 1000 MB or like this.

There are so many hosting companies that provide free and automatic backup every day. We suggest using Namecheap or other best hosting services.

Here is the backup plugins that you can use.



These are the most reliable backup plugins. Also, you can find others on the WordPress plugins site.

10: Disable plugins and Theme Edit

In default, anyone can edit WordPress themes and plugins from the admin area. But this is a security risk for your website. We recommend to disable edit option. Because sometimes hackers can try to edit your themes or plugins to input malware.

You can use Sucuri to disable your file editor. Install Sucuri and activate it then go to Sucuri>Settings>Hardening. And apply hardening to disable plugin and theme editor. This is a great option that you should not miss.

There is another way to disable it to input some code into the wp-config.php file

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

11: Set Two-factor authentication to Improve Security

Two-factor or Multi-factor authentication is an authentication method where the user should pass some security checks. It adds some extra steps to your necessary login procedure. Without this security check, no user can log in the website.

An excellent example of two-factor authentication is your ATM card. If you want to withdraw money, then you have to input the password that only you know. And after withdraw, you will get a message to your phone. But in this case, you will be given a secret pin to log in to your WordPress website. That only you know.

Famous Search Engine Google first introduced Two-factor authentication.

This is a very effective way to improve the security of your WordPress site. Whenever someone tries to log in, he has to provide a pin code that will be sent on his mobile phone.

You can search Two Factor Authentication on WordPress plugins library for this plugin. This is a high-security plugin that you can try to improve your WordPress website security.

However, there are also some disadvantages to using two-factor authentication. So you should be carefully thinking.

12: Set Security Question On login Page

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

You can add security questions by installing the WP Security Questions plugin. After activating, you need to visit the Settings » Security Questions page to configure the plugin settings.

13: Use Login Attempt

You can try to login as many times as you want. This is the default WordPress settings. We think it helps hackers to try again and again. They can try as many times as they wish.

You can solve this very quickly by using a plugin. We suggest using the Login Lockdown plugin to limit the login attempt. Install and activate it, then do the settings as you want.

14: Change Salts Keys Regularly

WordPress Salts keys or authentication keys can enhance the security of your site by adding an extra layer of protection to your login credentials.

You can add Salts keys manually. But we suggest using the plugin. Sucuri can help you to update your Security keys daily or weekly or anytime. You can use Salts Shaker also.

Change wordpress salts keys

For activating salts or secret keys, go to Sucuri>Post-Hack then set your interval. Even, if you feel anything is happening to your website, then change salts keys quickly from here. Whenever it changes secret keys, all computers automatically will be Log Out.

16: Change File Permission

WordPress file read and write permissions and ownership play an indispensable role in the overall security of the WordPress website, so we need to ensure reasonable settings as much as possible.

WordPress file permissions determine who can access files on the WordPress website. File permissions are mostly a way to organize and manage files and folders. If it is not set up correctly, it may expose your website and website visitors to significant risks.

Generally, normal users should use only index.php file. And other data should be hide because of security reasons. So go your Cpanel and protect the password another folder that you don’t want to show.

Using the right security measures to protect your WordPress site is crucial. By setting the correct file permissions, you can ensure that your website will not be attacked by unauthorized file editing. Similarly, users will not accidentally cause problems by making simple mistakes.

It should be noted that the file permission setting needs to be flexible. For example, for some files that will not be updated for a long time, set more strict permissions; after being tampered with by the hacker, after processing the data, it is necessary to establish more strict file permissions. However, these settings may cause the WordPress core, theme, or plugin not to be updated online regularly, so at this time, we may need to release the permissions temporarily. Otherwise, we can only do it through a manual update.

Recommend file to hide

These files are recommended to hide or protected to increase the WordPress Website security

17: Scan Virus Frequently

Many hosting companies provide a virus scan facility. It can help you to remove your website malware or other viruses. In case if you face any malware attack, then quickly can scan and extract.

Virus Scanner to improve security WordPress Website

Namecheap provides us Virus Scanner to scan the virus. It is very helpful to scan the all folder.

18: Install Security Plugin

These security plugins are recommended to use to improve your website security.


Jetpack is a must need a security plugin. It is recommended to use this plugin. This plugin is maintenance by


We have already discussed about this plugin. So download and install this plugin to secure your website.

Wordfence Security – Firewall & Malware Scan

This is one of the best security plugins. It has more than 3 million active installations. And Wordfence provides some most effective security features.

WordPress Firewall 2

This plugin can help you identify/block some active attacks, such as directory scanning, SQL injection, WP file scanning, PHP EXE scanning, etc. And can direct it to 404 or homepage. If there is a problem, you can also notify you by e-mail to handle it, and you can block the access of some IPs.

iThemes Security (formerly Better WP Security)

Since most WP websites have plugin vulnerabilities, weak passwords, and outdated plugins/programs, hiding these vulnerabilities can better protect the website, such as protecting login and management areas.

Login Lockdown

This plug-in can record the IP address and time of a failed login attempt. If the failed login from a specified IP address exceeds a particular condition, the system will prohibit this IP address from continuing to try to log in.

Limit Login Attempts

Limit Login Attempts to limit the number of login attempts to prevent brute force attacks and enhances the security of WordPress.

WP Security Scan

The plugin will automatically perform a security scan of WordPress according to the above security suggestions to find any problems.

Security is the most critical factor for any WordPress website. And it is better to take a step before happening anything. Otherwise, you can lose time and money to get back your website from hackers. We hope this article will help you to improve the security of your WordPress Site.

Leave a Reply