WordPress website security
Simple guide to WordPress website security. Image: David Randulfe.

WordPress is one of the most widely used platforms for hosting and site building in the world. Developers of the WordPress team do their best in rolling out monthly updates to keep sites secure, but admins can always tune their settings and install additional plugins to bolster security.

With cyber-attacks on the rise, it is always advisable to use every security measure at our disposal that can make us safer. Regular maintenance, of course, should also be kept in mind and automated where possible.

Below we list some general and advanced security tips, as well as some useful plugins you can install if you want to protect your site from threats.

WordPress Security: General tips

It should go without saying, but most of the things some people consider standard security measures remain largely unknown to many admins and users. The first thing you should do, and one that many take for granted, is to keep WordPress, themes, and plugins updated at all times.

Also a bit of common sense, but anything you download should be trusted by WordPress. Plugins, themes, and other add-ons that are not in the official libraries, or that lack ratings validating their authenticity and security, should not be installed.

It is suggested that admins change their default ‘admin’ name on the platform since this is considered dangerous. Many people use the standard admin moniker and it is a source of vulnerabilities, almost as potentially harmful as a weak password.

People who want to stay safe online using WordPress should also consider a top-down approach and choose a hosting provider that meets their security needs. Performing regular backups of the site’s data is also a good preemptive measure in case the worst should happen.

Advanced tips to keep everything in order

For those with an IT support team or a little bit more programming smarts, there are a couple of things you can do to tighten the security of your site. Inserting a single line of code into the wp-config.php file can save you the hassle of manually updating WordPress core, themes, and plugins.
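The setting this paragraph refers to, shown as an added example that is not from the original article: the `WP_AUTO_UPDATE_CORE` constant in wp-config.php covers WordPress core only, so plugin and theme auto-updates are switched on here with the `auto_update_plugin` and `auto_update_theme` filters in a must-use plugin. The file name, the `EXAMPLE_HOLD_BACK` list and its slug are assumptions.

```php
<?php
/**
 * Added example. Save as wp-content/mu-plugins/auto-updates.php
 * (the file name is an assumption).
 *
 * The wp-config.php line goes above the "That's all, stop editing!" comment:
 *
 *     define( 'WP_AUTO_UPDATE_CORE', true ); // true = major and minor releases, 'minor' = minor only
 */

// Hypothetical hold-back list: plugin slugs you want to test by hand before updating.
const EXAMPLE_HOLD_BACK = array( 'example-shop-plugin' );

// Plugins: auto-update everything except the hold-back list.
add_filter(
	'auto_update_plugin',
	function ( $update, $item ) {
		if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_HOLD_BACK, true ) ) {
			return false;
		}
		return true;
	},
	10,
	2
);

// Themes: auto-update every installed theme.
add_filter( 'auto_update_theme', '__return_true' );
```

Automatic updates run from WordPress's scheduled tasks, so take backups before enabling them and review the update notification e-mails afterwards.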

Other areas of interest to admins are those that display the WordPress version in which the site is running. If, by any chance, you have not updated yet, this could be a source of critical vulnerabilities, particularly with the periodical discoveries that make old versions of the platform prone to cyber threats.

To safeguard these areas and leave no traces for hackers to find, a longer stream of code needs to be added to the functions.php file. This hides version numbers in the header, the RSS feeds, area, and other parts.

Of course, adding more features like two-factor authentication, attack monitoring, renaming and removing login pages, and additional scanning and backup capabilities is also advised. This can all be done by installing free plugins.

Useful plugins you have to consider for your website

Wordfence is a household name at this point, and with good reason. The plugin uses the Falcon caching engine to routinely scan your site for vulnerabilities, as well as to optimize booting times to make it “50 times” as fast and secure, according to the developers.

This add-on brings two-factor authentication via SMS with it, but you can also use Google’s own Google Authenticator, Duo Two-Factor Authentication, Clef, Authy, or other built-in features in all-in-one plugins that you install.

Such other plugins may include Sucuri Security, which offers file integrity monitoring and activity auditing. It also scans your site for malware threats and blacklists users and traffic in collaboration with Google, McAfee, Norton, and Sucuri itself.

Developers claim Sucuri Security can protect you against zero-day vulnerabilities and DDoS attacks. It can also keep your security logs safe in the company’s cloud should hackers breach your walls and manage to get access.

Other similar suites include Bulletproof Security, iThemes Security, and All in One WP Security and Firewall. All offer a standard set of security options with varying additions like easy-to-use setup, stronger encryption, and customizable protection.

You can also limit login attempts, the usual vector for brute-force attacks, by installing plugins like Login Lockdown and Jetpack Protect. Move Login and the previously mentioned iThemes Security also allow you to relocate the login page from its default URL.

Finally, as a general rule of thumb, themes and plugins that go unused but remain installed should be removed, since they could be a source of vulnerabilities. The Plugin Activation Status add-on does a good job of detecting and uninstalling everything that is outdated but still stored on your site.


  1. Well, I would prefer that whenever WordPress notifies you to update your plugins, you should update them. And do not use a common password to access your wp-admin. Also, do not access your WP-admin from unknown places like a cyber cafe or a friend’s home.