25 Best Tips to Secure Your WordPress Website in 2018

By: Sunil Kumar |  In: WordPress  |  Last Updated: 2017/12/27

Security is a main concern when running a website. As a website owner, it’s your responsibility to secure your site. WordPress or your hosting provider is not always responsible when your site gets hacked, because it’s your baby and you have the responsibility to secure it from threats.
You can blame WordPress or the server, but in the end it was your content. You worked day and night to grow this baby, and when it gets hacked, you are the only person responsible.

NOTE: Since we do not know your site, we cannot be sure how it will respond to these tips. We strongly suggest backing up your site before trying any of the methods here.

1. Customize Your Login URL

The default WordPress login URL is www.yoursite.com/wp-login.php. The biggest mistake people make is not changing this default URL, which makes it easier for a hacker to get into your site.
Change your default login URL to something that is not easy to guess, and never mention this URL anywhere on your website.
To change the login URL you can use the “Rename wp-login.php” plugin. When you install this plugin, an option is added under Settings › Permalinks › Rename wp-login.php where you can change your login URL.

2. Protect the wp-config.php file

The “wp-config.php” file holds key configuration information for your WordPress site, including your database name, table prefix and security keys, so it’s important to protect it from intruders as much as possible.
The default location of wp-config.php is your root directory. By default, WordPress allows you to move this file one level up from your root directory. Sometimes you don’t notice that the heart of your website is accessible via /wp-config.php.
If you move this file somewhere else, it is not as easy to access.

3. Disable PHP Error Reporting

Sometimes you enable error reporting to debug an issue and forget to disable it. If everything works well, that’s fine, but a single error on your website will expose your directory structure to thousands of people.
When a hacker knows the directory structure, it becomes easier to get into your website.
To disable error reporting, add this code to your wp-config.php file:

@ini_set('display_errors', 0);

4. Use Strong Passwords

The password is vital to your WordPress security. That’s why you need to start using a strong password. A strong password is one that

  • does not contain your site name
  • does not contain your name
  • does not contain a common dictionary word
  • is not easy to remember
  • has a combination of letters, numbers and special characters
  • is at least 15 characters long.

If you don’t know how to come up with a strong password, just use a service like LastPass that will do the work for you.

5. Protect the wp-admin directory

You might be thinking that the wp-admin directory is already password protected, since you need to log in to your WordPress site to access it.
That’s right.
But what I am talking about is an extra layer of password protection for the wp-admin directory only. If you have no idea how to password protect a directory, you can follow this guide.

6. Remove WordPress References from Your Theme

Hackers can only tell whether you are using WordPress from your site itself: either you have mentioned it somewhere, or the URL structure gives it away, like /wp-content/style.css.
If they know you are using WordPress, they are going to attack your website, because they know how WordPress websites work and what the directory structure is. Knowing your platform makes their job easier.
Remove every sign that shows you are using WordPress so they don’t get to know about your platform.

7. Remove Your WordPress version number

Here’s the thing: if hackers know which version of WordPress you use, it’s easier for them to tailor-build the perfect attack.
If for some reason you are unable to upgrade to the latest version of WordPress, do not let hackers know your current version. As the bugs of all previous versions are known to everyone through wordpress.org, it will be easier for them to attack your website.
You can find the version number in the following places:

  • Scripts and styles with query strings: subscriptions.css?ver=4.0
  • The RSS feeds’ generator tag: <generator>http://wordpress.org/?v=4.0</generator>
  • The header’s generator tag: <meta name="generator" content="WordPress 4.0" />

To hide the version number, add this line to your theme’s functions.php file:

<?php remove_action('wp_head', 'wp_generator'); ?>
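The line above removes only the header generator tag. The following added example (not code from the original post) covers all three places listed above; the function name acme_strip_core_version is hypothetical, and the snippet assumes it is placed in the theme’s functions.php.

```php
<?php
// Added example for a theme's functions.php; not from the original post.
// The acme_ prefix is a made-up name used only for illustration.

// 1. Header generator tag: <meta name="generator" content="WordPress x.y" />
remove_action('wp_head', 'wp_generator');

// 2. Feed generator tags (RSS, Atom, ...) pass through the 'the_generator'
//    filter; returning an empty string suppresses them in every feed type.
add_filter('the_generator', '__return_empty_string');

// 3. Script and style URLs: drop ?ver= only when it equals the core version,
//    so plugin and theme version strings keep working as cache busters.
function acme_strip_core_version($src) {
    if (!is_string($src) || strpos($src, 'ver=') === false) {
        return $src;
    }
    $query = wp_parse_url($src, PHP_URL_QUERY);
    parse_str((string) $query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'acme_strip_core_version', 9999);
add_filter('script_loader_src', 'acme_strip_core_version', 9999);
```

After adding it, view the page source and a feed URL of your own site and search for the version string to confirm nothing is left.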

8. Implement Two-Factor Authentication

Even if you are not using “admin” as your username and are using a very strong, randomly generated password, brute force can still be a problem. To address this problem you should use something like two-factor authentication.
The essence of two-factor authentication for WordPress security is exactly as implied in the name: two forms of authentication. It’s the standard today for enhanced security at your access points.
There is a plugin called Google Authenticator which you can use to enable two-factor authentication for your WordPress website.

9. Back up your site regularly

Backups are your website insurance. There are a lot of reasons to back up your WordPress website, and security is one of them.
Suppose you are hacked and you don’t have a recent backup of your website. What are you going to do now? It’s not easy to sit down and create all the content once again. It’s years of hard work, and it will take the same time again to recreate it. But if you have a backup, you just restore it and you are done.
So please make sure your website is insured by taking backups on a regular basis. This is not something you have to do manually. There are a lot of awesome backup plugins available which you can use to schedule regular backups of your website.

10. Set up website lockdown and ban users

A lockdown feature for failed login attempts can solve a huge problem, i.e. no more continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.
I found out that the iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect. You can specify a certain number of failed login attempts after which the plugin bans the attacker’s IP address.

11. Block Brute Force Attacks

In a brute force attack, someone tries to guess your username and password by trial and error with a script. So you should use a strong password and a good method to block the user after a number of unsuccessful login attempts.
You can also use HTTP authentication to block brute force attacks.
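To show how the lockout described in tips 10 and 11 works, here is an added sketch (not from the original post and not the code of any plugin mentioned here) built on WordPress login hooks and transients. The acme_ names, the limit of 5 failures and the 15-minute window are assumptions.

```php
<?php
// Added illustration; not from the original post or from any plugin.
// The acme_ names and both limits below are assumptions.
const ACME_MAX_FAILURES    = 5;   // failed attempts allowed per window
const ACME_LOCKOUT_SECONDS = 900; // 15-minute counting window and lockout

function acme_lockout_key() {
    // Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address,
    // so the real client address must come from your proxy configuration.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'acme_fail_' . md5($ip);
}

// Count every failed login for the client address.
add_action('wp_login_failed', function () {
    $key      = acme_lockout_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, ACME_LOCKOUT_SECONDS);

    // Notify the site admin once, at the moment the limit is reached.
    if ($failures === ACME_MAX_FAILURES) {
        wp_mail(
            get_option('admin_email'),
            'Login lockout triggered',
            'An address was locked out after repeated failed logins.'
        );
    }
});

// Refuse authentication while the address is over the limit. Priority 30
// runs after core's password check (priority 20), so even a correct
// password is rejected during the lockout.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(acme_lockout_key()) >= ACME_MAX_FAILURES) {
        return new WP_Error(
            'acme_locked_out',
            'Too many failed login attempts. Try again later.'
        );
    }
    return $user;
}, 30);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(acme_lockout_key());
});
```

Attempts made during the lockout also fire wp_login_failed, so the window keeps extending for as long as the guessing continues.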

12. Change the WordPress database table prefix

If you have ever installed WordPress then you are familiar with the wp_ table prefix that is used by the WordPress database. I recommend you change it to something unique.
Using the default prefix makes your site database prone to SQL injection attacks. Such attacks can be prevented by changing wp_ to some other term.
If you have already installed your WordPress website with the default prefix, then you can use a few plugins to change it. Plugins like WP-DBManager or iThemes Security can help you do the job with just a click of a button. (Make sure you back up your site before doing anything to the database.)

13. Change the “admin” username

This is perhaps the easiest step you can take to protect your site from hackers. Most people, especially beginners, forget to change the WordPress default username (admin) to something else. Using admin as your username solves 50% of the hacker’s problem: they only have to run the brute force on the password.
By removing the default username you make it harder for hackers to break into your website.
Simply create a new user in WordPress at Users > New User and make that a user with Administrator rights. After that, delete the admin user. Don’t worry about the posts or pages the admin user has already created. WordPress will nicely ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to a new user, like the one you have just created.

14. Change Your Password Regularly

The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. A key to this is making it complex, long, and unique.
You can add some extra security by changing your password regularly. By doing so you make sure you don’t give a brute force script enough time to guess the password. When changing the password, make sure you force WordPress to log you out everywhere you are logged in, so that any session you left open somewhere else is ended automatically.

15. Be selective with XML-RPC

XML-RPC is an application program interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful of how they implement this specific hardening tip.
Disabling it works, but it can come with a cost, which is why we don’t recommend disabling it for everything but rather being more selective about how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here.
There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.

16. Configure Automatic Core Updates

As I mentioned earlier, it is easy for a hacker to break in if they know you are using an older version of WordPress. Everyone knows the loopholes in older versions of WordPress through wordpress.org. Even if they don’t know the version you are using, they will surely try to break in using the loopholes in older versions.
So make sure you keep your WordPress on the latest available version. Site maintenance should be one of your habits. Try to automate these updates.
The same applies to themes and plugins.

17. Never Use Premium Plugin for Free

I understand that budget is one of the most important assets of a website, especially when you are a beginner and not earning anything from the website. But it is not as important as your website security.
What is the point of saving some money at the cost of your website security?
If you need a premium plugin, go buy it. Don’t download it illegally. Sometimes hackers themselves buy a premium plugin, modify it, and make it available for free.

18. Prevent users from browsing your WordPress directories

Enabling directory browsing is like always keeping your door open. You are giving hackers the chance to look at your valuables and inviting them to steal them.
A simple trick is to upload an empty index.html or index.php file to each directory and subdirectory except the root directory.
Or create a .htaccess file in your WordPress root directory and add the following line at the top of the file:

Options -Indexes

It will prevent the outside world from seeing a listing of files available in your directories in case the default index.html or index.php files are absent from those directories.

19. Add user accounts with care

If you are not the only user who has access to your site, be careful when setting up new user accounts. You should keep everything under control. Try to grant each user the minimum required permissions. A user should have access only to the functionality that is essential to do their job.

20. Password Protect the Admin Dashboard

It is always a good idea to password protect the wp-admin directory of your website. None of the files inside wp-admin are intended for your visitors or contributors.
Once it is protected, even admins have to provide the password to access the admin dashboard.

21. Plugins are your biggest risks

As the largest CMS around, WordPress gets a lot of attention from third-party developers who create and distribute WordPress plugins. Plugins are the greatest thing in WordPress, but sometimes they can be problematic.
To deal with this problem, make a list of the requirements for which you need a plugin. Then list 2-3 plugins that suit each requirement and find the best one by doing a little research. Check ratings, reviews, update logs and the support they provide, and choose the best one. To be more sure, you can test them on your staging environment or on a testing website.
Using this approach you will end up with only the plugins you require, and they will actually be good plugins.

22. Use best security plugins

Most WordPress users try to find free plugins instead of the best plugins. In my opinion, you should use premium plugins at least for security purposes.
There are plugins which are developed only because the developer wants to learn how to create a plugin or finds it fun to create one. If a developer is maintaining a plugin just because it is fun, chances are he or she did not take the time to do proper security checks.
But this is not true for premium plugins. Each plugin is checked for security before release, and the developers spend a good amount of time researching the latest security features, which makes the plugin less vulnerable.

23. Get Better Hosting

You can trick out your site all you want with all the latest security hacks, but if you don’t have a good hosting provider, your efforts aren’t going to matter all that much. In fact, security experts WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the host itself. That’s edging on half, which means you need to do something about your hosting plan, ASAP.
If you want to use shared hosting, make sure your plan includes account isolation. This will prevent someone else’s site on the server from affecting yours in any way. However, I think it’s a much better idea to use a service that caters directly to WordPress. A managed hosting provider that specializes in WordPress is more likely to include a WP firewall, up-to-date PHP and MySQL, regular malware scanning, a server that’s designed for running WordPress, and a customer service team that knows WordPress inside and out.

24. Stop PHP Execution in wp-content

One of the measures that you can take to improve your WordPress security is disabling PHP execution in certain WordPress directories.
Create a .htaccess file in your /wp-content folder and paste the following code into it:

<Files *.php>
deny from all
</Files>

This code checks for any PHP file and denies access to it.

25. Disable File Editing

By default, WordPress allows administrative users to edit PHP files of plugins and themes inside of the WordPress admin interface.
This is often the first thing an attacker would look for if they manage to gain access to an administrative account since this functionality allows code execution on the server.
Entering the following constant in wp-config.php disables editing from within the administrative interface.

define('DISALLOW_FILE_EDIT', true);


Whether you are a WordPress beginner or a webmaster, make sure that you use the best security practices to protect your site from hackers. Most of these are tiny things which can be done easily and will have a great impact on your website security.
WordPress always tries to implement new security features, but don’t rely only on WordPress or your hosting provider for security. Do a little work yourself and stay secure.
Now it’s your turn. Mention in the comments which tips you are already using and which you are not.


  • Very great post. I simply stumbled upon your weblog and wanted to mention that I’ve really enjoyed surfing around your
    blog posts. After all I will be subscribing for
    your feed and I hope you write once more soon!
