How to Secure a WordPress Site in 20 Easy Steps (2021)

Published on September 16th, 2016

Last Updated on May 5th, 2021


Want to know how to secure a WordPress site easily?

With attackers devising ever more ingenious ways to trick employees and individuals into handing over valuable company information, businesses must exercise due diligence to stay one step ahead of cybercriminals.

As technology advances, attackers step up their game as well, so defences that worked a few years ago may no longer be enough. That is why the steps for securing a WordPress site need to be revisited regularly.

You are probably wondering what the right method for securing a WordPress site is. A long list of security measures can be intimidating, and we are aware of that. To make putting them in place as simple as possible, we have organized this list so it can be worked through one step at a time. We recommend bookmarking this page and returning to it as you progress.

We want to help companies, employees, and users prevent these attacks from succeeding. Without further ado, here are the steps on how to secure a WordPress site.

1. Select a Good Web Host 

Website protection is easy to miss, and we typically just consider it when it’s too late. However, just as you would purchase home security systems or insurance in the event of an accident, you can invest in adequate security measures before anything bad happens.

There is no one-size-fits-all solution for keeping your website secure. There are, however, measures you may take to create a barrier around your website, such as using firewalls, security extensions, and keeping your site software up to date, among other things.

All of this will be for naught if your host does not prioritize protection. It’s like installing the best security system in the world for your house but leaving the front and back doors wide open.

A high-quality host will have daily database backups, firewalls, and other measures in place to secure not just your web server but the data center as a whole.

As you can see, investing in hosting is more important than you would expect. Spend some time exploring all of the web hosting options you have available, rather than jumping at the cheapest offer or the first host you come across.

You can always upgrade to a different host later on, but it’s always better to get it right the first time. Instead of having to switch hosts and move your entire site every time your site expands, it’s easier to find a host that can scale with you over time.

Recommended good hosting for WordPress:

SiteGround

Cloudways

Kinsta

2. Take a Regular Backup

One of the best things you can do for your website's protection is to take regular WordPress backups, ideally daily. Backups give you peace of mind and will save you from disasters such as being hacked or inadvertently locking yourself out of your site. Keep at least one copy somewhere other than the web server itself, since an attacker who wipes the site can also wipe backups stored next to it, and test a restore from time to time: a backup that has never been restored is only a hope.

There are a variety of free and paid WordPress backup plugins available, with the majority of them being fairly simple to use.

Manual Backup

  1. Sign in to your web hosting account.
  2. Look for a backup tool among the available resources. If your host provides one, use it to download the most recent backup file.
  3. If there is none, export the database yourself. Look for phpMyAdmin or a similar MySQL tool (the name usually contains "PHP" or "SQL"), open your WordPress database, and export all of its tables to a file on your computer.
  4. Copy the site files with an FTP client such as FileZilla, which is a popular option.
  5. You will need your site's FTP credentials, which can be found in the hosting control panel. Prefer SFTP or FTPS where your host offers it; plain FTP sends your password unencrypted.
  6. Once connected, download the entire web root (the directory that contains wp-config.php and wp-content) to your computer. Copy, do not move: make certain nothing is deleted on the server.

Plugins

If you are going to use a plugin, go to Plugins > Add New in WordPress. This opens the plugin directory, where you can search for a backup plugin and install it. Since much of the procedure is automated, it is fast and simple. After you have installed the plugin, activate it and follow the developer's instructions. Usually it is as simple as pressing the backup button in the plugin's interface.

Hosting Site Automatic Backup

Many hosts back up your website automatically. As with a manual backup, log in to your hosting account and look for the host's automatic backup tool. Opening it should give you an option to download the backup files. If you have any questions, reach out to your host for assistance.

3. Install a WordPress Security Plugin

If you’re wondering if WordPress security plugins are required, the answer is yes. This fact is important to remember: the average website is attacked 44 times a day.

If any one of these attacks succeeds, it could be disastrous for your online business. More importantly, your WordPress hosting provider alone cannot protect your WordPress site from every threat.

Just as you run anti-virus software to keep your computer secure, it makes sense to add a layer of protection to your web project, and that is what WordPress security plugins provide. If an intrusion goes undetected, or is detected too late, your traffic can drop sharply: search engines such as Google flag infected websites and show visitors a warning that steers them away.

After regular backups, the next step is an auditing and monitoring system that keeps track of everything that happens on your website.

4. Don’t Use Nulled Themes

Nulled WordPress themes and plugins are unethically distributed pirated versions of paid WordPress themes and plugins.

People who resell nulled products argue that since WordPress and its derivative works (such as plugins and themes) are licensed under the GPL, it is perfectly legal to copy and distribute them.

Although that is true, it frequently comes at a high price. It deprives legitimate WordPress developers of revenue, and it jeopardizes the security and reputation of the sites that use nulled themes and plugins: the distributors often add their own malicious code, such as backdoors or spam links, to the copies, which is why nulled themes and plugins are a frequent cause of hacked sites.

5. Use a Strong Password

Passwords are often the weakest link in the protection of your online accounts. If anyone gets hold of your credentials, your content and other vital information are at risk.

While most websites today have additional security protection, someone who recovers or guesses your password can often circumvent the site's other security measures.

Two things determine the strength of a password: its length and its complexity. Use at least ten characters, and avoid personal information, such as names, birthdays or your pet's name, as these are the first things an attacker tries.

Long, complex passwords are hard to crack. Use a mix of lower and uppercase letters, digits and symbols to construct passwords that are complex yet memorable, and never reuse the same password on more than one site, so that a breach elsewhere does not hand over your WordPress login.

6. Use Password Manager

Now you’re probably wondering how you’re going to remember all of these different passwords for business email accounts, web hosting, domain registrars, social media accounts, and the WordPress admin section, among other things.

A password management software can help with this.

A password manager is a program that stores all of your passwords and allows you to control them with a single master password. It also assists you in creating solid passwords and storing them in the cloud while creating new accounts.

The best feature of password managers is that they have auto-fill capabilities.

This eliminates the need to recall or enter information for places where you already have an account.

Here are three widely used password managers.

LastPass

LastPass manages your password vault with a master password, which is also the key to all of your online accounts, so that master password must be long and unique.

1Password

1Password lets you share passwords with friends, family, and coworkers. You may also invite guests to share a small amount of information with you.

Dashlane

As you fill out online forms, Dashlane generates powerful passwords for you. It encrypts and saves your passwords, as well as auto-filling them for you.

You can also exchange passwords with friends and colleagues using Dashlane.

7. Install an SSL/TLS Certificate

SSL (Secure Sockets Layer), today implemented by its successor TLS (Transport Layer Security), is the globally recognized protocol that encrypts the traffic between a visitor's web browser and your web server.

When you install a certificate on your web server and serve the site over HTTPS, browsers show the padlock, and the communication between browser and server can no longer be read or altered in transit. Most hosts can issue a certificate from the control panel; once it is in place, a plugin can switch WordPress over to HTTPS:

  • From the Plugins page of your WordPress admin dashboard, search for an SSL/HTTPS plugin and install it.
  • Activate the plugin.
  • Then go to the plugin's settings page to complete the switch to HTTPS.

8. Verify WordPress HTTPS success on the frontend

To check that the switch to HTTPS succeeded on the front end, go to the public parts of your site and verify two things:

  1. If you enter your URL as http://yourdomain.com, it automatically redirects you to https://yourdomain.com.
  2. Every page of your site shows the padlock in the address bar. If a page shows a warning instead, some resource on it (an image, script or stylesheet) is still loaded over plain HTTP; this mixed content has to be fixed before the page counts as secure.
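A scripted version of the two checks above, plus a check for the Strict-Transport-Security header that tells browsers to use HTTPS on every later visit, as an added Python example that is not part of the article. The `fetch` function issues real requests; `check_https` takes it as a parameter so the logic can also be run offline against canned responses. `yourdomain.com` is a placeholder, and the minimum HSTS lifetime of six months is an assumption, not a rule from the page.

```python
"""Verify the HTTP -> HTTPS redirect and the HSTS header of a site (added example)."""
from __future__ import annotations

import urllib.error
import urllib.request
from urllib.parse import urlsplit


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand back 3xx responses instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url: str, timeout: float = 10.0):
    """HEAD request without following redirects. Returns (status, lower-cased headers)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx responses arrive here
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def check_https(domain: str, fetch=fetch) -> list:
    """Return the problems found; an empty list means the site passes."""
    problems = []

    # 1. http:// must redirect permanently (301/308) to the https:// site itself.
    status, headers = fetch(f"http://{domain}/")
    location = headers.get("location", "")
    if status not in (301, 308):
        problems.append(f"http://{domain}/ answered {status}, expected a permanent redirect (301/308)")
    target = urlsplit(location)
    if target.scheme != "https" or target.hostname not in (domain, f"www.{domain}"):
        problems.append(f"redirect target {location!r} is not the https:// version of {domain}")

    # 2. https:// must serve the site and set HSTS so browsers never try http:// again.
    status, headers = fetch(f"https://{domain}/")
    if status != 200:
        problems.append(f"https://{domain}/ answered {status}")
    hsts = headers.get("strict-transport-security", "")
    max_age = 0
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    if max_age < 15552000:  # assumed minimum: six months; a tiny value gives little protection
        problems.append(f"Strict-Transport-Security max-age is {max_age}, want at least 15552000")
    return problems


if __name__ == "__main__":
    import sys

    site = sys.argv[1] if len(sys.argv) > 1 else "yourdomain.com"  # placeholder domain
    for line in check_https(site) or ["all checks passed"]:
        print(line)
```

Run it as `python check_https.py yourdomain.com`. A 302 redirect is flagged deliberately: it works in the browser, but only a permanent redirect lets browsers and search engines cache the fact that the site lives on HTTPS.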

9. Disable File Editing

The WordPress admin area comes equipped with two file editors by default: one for theme files (Appearance > Theme Editor) and another for plugin files (Plugins > Plugin Editor). The Plugin Editor, for example, has an alert near the “Update” button that reads “Warning: Making changes to active plugins is not recommended.”

These alerts are a good start, but disabling file editing on a WordPress site is always a good idea for security reasons. If an attacker gains access to an Administrator account and the file editors are enabled, inserting malicious code into a plugin or theme is a piece of cake, and that code then runs on every request to your site.

A Step-by-Step Guide on Disabling File Editing in the WordPress Dashboard

  1. You need a text editor and access to your site's wp-config.php file (via SFTP or your host's file manager).
  2. Open wp-config.php in the text editor.
  3. Above the comment that reads /* That's all, stop editing! Happy publishing. */ add the following line: define( 'DISALLOW_FILE_EDIT', true );
  4. Save the file.
  5. Check your WordPress dashboard: the Appearance > Theme Editor and Plugins > Plugin Editor links should no longer be visible (even for Administrator accounts).

Note that DISALLOW_FILE_EDIT only removes the built-in editors. An attacker holding an administrator account can still upload a new plugin or theme; the related constant DISALLOW_FILE_MODS also blocks plugin and theme installs and updates from the dashboard, at the cost of having to deploy updates another way.

10. Change your WP-login

Moving the WordPress login page to a fresh, specific URL is a quick and easy way to cut down automated attacks. Bots hammer /wp-login.php and /wp-admin/ on every WordPress site they find, so changing the URL from which you and your users log in removes your site from the bulk of those random brute-force attempts. Keep in mind that this is obscurity, not authentication: a determined attacker can still find the new URL, and credentials can still be tried through other entry points such as xmlrpc.php, so combine this step with login limiting (step 11) and 2FA (step 15).

Using a free plugin like WPS Hide Login, which has over 800k active users, is the most popular and possibly easiest way to change your WordPress login URL.

Once installed and activated, all you need to do is:

  1. From the Settings menu in the admin sidebar, choose WPS Hide Login.
  2. In the Login URL field, type the new path for your login page.
  3. In the Redirection URL field, type the page to redirect to. Anyone who tries to open the regular wp-login.php page or the wp-admin directory while not logged in will be sent there instead.
  4. Press the Save Changes button.

11. Limit Login Attempts

A user is only allowed a certain number of login attempts. You may, for example, grant three attempts: after three failed attempts, the account (and usually the IP address the attempts came from) is temporarily locked out, which makes brute-force guessing impractically slow.

To demonstrate how to restrict login attempts on your site, we have chosen the MalCare security plugin. Besides restricting login attempts, it also protects the website at all times.

Let's get started:

  1. Install MalCare on your website first. Activate the plugin and open it from your WordPress dashboard.
  2. Enter your email address and pick Secure Site Now.
  3. MalCare will take you to its own dashboard, where it runs an automated scan of your website.
  4. Login attempts on your site are now restricted automatically.
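What "limit login attempts" does under the hood, as an added Python example that is not MalCare's code: a sliding-window failure counter per client IP (three failures within 15 minutes locks the IP for 30 minutes, the rule described above) and a looser counter per username, so that guessing spread across many IP addresses against one account is also slowed down without letting a single attacker lock a legitimate user out. The thresholds, addresses and usernames are made up for the example; the clock is injectable so the behaviour can be exercised without waiting.

```python
"""Failed-login limiting with per-IP and per-username lockouts (added example)."""
import time
from collections import defaultdict, deque


class FailureTracker:
    """Count failures per key inside a sliding window; lock a key that exceeds the limit."""

    def __init__(self, max_attempts: int, window: int, lockout: int, clock=time.time):
        self.max_attempts = max_attempts
        self.window = window        # seconds over which failures are counted
        self.lockout = lockout      # seconds a locked key stays locked
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time at which the lock expires

    def is_locked(self, key) -> bool:
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: forget it
            del self.locked_until[key]
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, key) -> bool:
        """Record one failure; return True if this failure triggered a lock."""
        now = self.clock()
        recent = self.failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop failures that fell out of the window
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            recent.clear()
            return True
        return False

    def reset(self, key) -> None:
        self.failures.pop(key, None)


class LoginLimiter:
    """Decide whether a login attempt may proceed. Results: 'ok', 'rejected', 'locked'."""

    def __init__(self, clock=time.time):
        # Assumed policy: 3 failures from one IP in 15 min lock that IP for 30 min;
        # 20 failures against one username from any IPs in an hour lock the account for 30 min.
        self.by_ip = FailureTracker(max_attempts=3, window=900, lockout=1800, clock=clock)
        self.by_user = FailureTracker(max_attempts=20, window=3600, lockout=1800, clock=clock)

    def attempt(self, ip: str, username: str, password_ok: bool) -> str:
        user = username.strip().lower()
        # Check locks before looking at the password, so a locked attacker learns
        # nothing about whether the guess happened to be right.
        if self.by_ip.is_locked(ip) or self.by_user.is_locked(user):
            return "locked"
        if password_ok:
            self.by_ip.reset(ip)
            self.by_user.reset(user)
            return "ok"
        ip_locked = self.by_ip.record_failure(ip)
        user_locked = self.by_user.record_failure(user)
        return "locked" if (ip_locked or user_locked) else "rejected"
```

The two counters matter for different attacks: the per-IP lock stops one host from cycling through a password list, while the per-username lock catches the same list being tried from a botnet one guess per address. The higher username threshold is the trade-off against an attacker deliberately locking out a real user.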

12. Update Your WordPress

Consider what happens if you do not update your phone or computer for a while: it slows down, you run into bugs, and its security suffers because known flaws stay unpatched, and you miss out on the latest features. A WordPress site behaves the same way, and unpatched vulnerabilities in outdated software are one of the most common ways sites get compromised. This is why it is important to update WordPress.

There are two simple ways to get your WordPress account up to date. The first is automatic, while the second is manual. Allowing WordPress to update itself is arguably the simplest method of doing so.

  1. Look for the notification in your WordPress dashboard when a newer version is available; the update is also flagged in a couple of other places, such as Dashboard » Updates.
  2. Take a backup first (step 2), then click the Update Now button. The latest version of WordPress is downloaded from wordpress.org and installed in the background.

13. Update Theme and Plugin

Like WordPress itself, installed themes and plugins also need updating; this is just as important for keeping your site safe.

  1. Go to Plugins » Installed Plugins in the WordPress admin area. The list of installed plugins appears, with an 'Enable auto-updates' link next to each one.
  2. Click 'Enable auto-updates' for each plugin you want updated automatically. Themes have the same option under Appearance » Themes.

14. Choose a Good Theme and Plugin

A stable and safe WordPress theme or plugin is one that has no (known) security flaws, is updated regularly, follows proper coding standards, and is compatible with your current WordPress version.

For themes

Use the Theme Check plugin

  1. Install and activate the plugin before running a scan.
  2. A new Theme Check entry appears under Appearance in your dashboard. There, choose the theme you want to test and press the button to let the plugin do the rest.
  3. Once Theme Check completes, it tells you whether the theme passed or failed. It tests against the WordPress.org coding and review guidelines, not for vulnerabilities, so a pass is necessary but not sufficient. If your choice fails, consider a different theme, particularly if it also falls short on the other criteria mentioned earlier (regular updates and strong user reviews).

For Plugins

  1. Look up the plugin name on a site like the WPScan Vulnerability Database to see whether it has known vulnerabilities. The service lists plugins together with the vulnerabilities reported against them.
  2. You can search the database for a specific plugin or browse all of the vulnerabilities.

15. Implement 2 FA

2FA (two-factor authentication) verifies a WordPress user's identity with a second factor in addition to the password: a one-time code generated by, or sent to, a physical device such as the user's smartphone, which must be entered before they can log in.

Even if attackers guess or acquire a valid WordPress password, they still need that second factor.

To learn how to use 2FA on your WordPress website, follow the steps in this guide.

Before anything else, install the WP 2FA plugin and activate it.

After you have installed and enabled WP 2FA, a setup wizard launches automatically.

  1. Click on the "Let's get started!" button.
  2. Choose how one-time codes are generated: an authenticator app (recommended) or email. Click Next after you have chosen.
  3. On your mobile device, install an authenticator app such as LastPass Authenticator.
  4. Scan the QR code on your computer screen with the app. Alternatively, type the setup key shown by the wizard into the app.
  5. Inside the WP 2FA setup wizard, click I'm Ready.
  6. Select Continue & customize the settings if your website has many admin users and roles. This lets you set plugin-wide rules for these users.
  7. Tick the box to choose the authentication method for other users and press Continue Setup.
  8. Apply 2FA to all users or limit it to specific users. Select Continue Setup to proceed.
  9. If all users must use 2FA, you can make exceptions by excluding specific users and roles. Continue with the setup.
  10. Decide whether other users must configure 2FA right away or get a grace period. Choose Continue Setup.
  11. Tick the box to notify your WordPress users by email about the introduction of 2FA, then select Everything done.
  12. If you lose or lock your phone you will not be able to log in. To avoid being locked out, click Generate backup codes to create ten static, single-use backup codes.
  13. Download or print the codes and keep them somewhere safe, separate from your password.

16. Use an Activity Log

Install and activate the WP Activity Log plugin on your WordPress site to get started.

  1. Once it is activated, a new WP Activity Log menu item appears in the left sidebar of your admin panel. To start using the plugin, enter your license key and press the 'Agree & Enable License' button.
  2. New options then appear under the WP Activity Log menu. To see what is going on with your website, go to WP Activity Log » Log Viewer.
  3. The plugin also shows the most recent events in the admin toolbar at the top of the screen; clicking them takes you to the Log Viewer. The log lists every recorded event on your website with its date, the user involved, the user's IP address, and the event message.

Keep in mind that a log stored in the same database as the site can be wiped by an intruder who gains administrator access; where the plugin offers it, mirror the log to an external destination so the record of the break-in survives.

17. Automatically Log Out Idle Users

If you run a multi-author WordPress site, you can have WordPress log out inactive users automatically.

An idle session is a risk: if a user walks away from a logged-in session, anyone with access to that browser can act as them, and the longer a session cookie stays valid, the longer a stolen cookie can be used in a session-hijacking attack. This is why most banking and financial websites log out inactive users automatically.

It is easy to configure WordPress to do the same. Download, install, and activate the Idle User Logout plugin on your site.

  1. To configure the plugin, go to Settings » Idle User Logout after it has been activated.
  2. The Auto Logout time is set to 30 seconds by default, but you can change it to whatever you want. After that period of inactivity, the user is signed out automatically.

18. Monitor Your Files

It is good WordPress security practice to keep an eye on your site's files. If your website is compromised, you will be glad you took the precaution, because the first question is always which files changed. You can install Sucuri to monitor the files on your site.

Sucuri is one of the most effective security plugins available. It not only tells you whether your site has been compromised, it also shows you file changes and other server activity.

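The mechanism behind file monitoring, as an added Python example that is not Sucuri's code: record a baseline of SHA-256 hashes for every file in the install while you know it is clean, store that baseline off the server, and compare later snapshots against it. The comparison reports added, removed and modified files and singles out PHP files that appear under wp-content/uploads, a favourite place to drop a web shell because WordPress only stores media there. `demo()` builds a small constructed site tree in a temporary directory and simulates a compromise so the report can be seen end to end; the paths and file contents in it are made up.

```python
"""File-integrity monitoring for a WordPress install (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories whose contents change constantly and hold no code of their own.
EXCLUDED_DIRS = ("wp-content/cache/",)
UPLOADS = "wp-content/uploads/"


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel.startswith(EXCLUDED_DIRS):
            continue
        hashes[rel] = sha256_file(path)
    return hashes


def save_baseline(hashes: dict, dest: Path) -> None:
    """Write the baseline as JSON. Keep this file off the web server."""
    dest.write_text(json.dumps(hashes, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Report what changed between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    # A new or changed .php file under uploads is a strong web-shell signal.
    suspicious = sorted(p for p in added + modified
                        if p.startswith(UPLOADS) and p.lower().endswith(".php"))
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def _write(root: Path, rel: str, body: str) -> None:
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(body)


def demo() -> dict:
    """Constructed walk-through: clean baseline, simulated compromise, report."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(site), Path(store) / "baseline.json"
        # A tiny made-up install; a real run points `root` at the web root.
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'wordpress');\n")
        _write(root, "wp-includes/functions.php", "<?php // core functions\n")
        _write(root, "wp-content/plugins/akismet/akismet.php", "<?php // plugin\n")
        _write(root, "wp-content/cache/page.html", "<html>cached</html>\n")
        save_baseline(snapshot(root), baseline_file)

        # Simulated compromise: core file tampered, web shell dropped in uploads,
        # a plugin removed, plus harmless cache churn that must not be reported.
        _write(root, "wp-includes/functions.php", "<?php // core functions\neval($_POST['c']);\n")
        _write(root, "wp-content/uploads/2021/shell.php", "<?php system($_GET['cmd']);\n")
        (root / "wp-content/plugins/akismet/akismet.php").unlink()
        _write(root, "wp-content/cache/page.html", "<html>regenerated</html>\n")

        return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Re-take the baseline right after every legitimate update (steps 12 and 13), otherwise the next comparison drowns the real changes in expected ones; a baseline kept on the server itself can be rewritten by the same intruder who changed the files.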
19. Change the WordPress Database Table Prefix

A plugin may be used to change the database prefix. Be clear about what this does and does not buy you: every WordPress install uses the prefix wp_ by default, and changing it only stops automated attacks that hard-code table names such as wp_users; an attacker who can already run SQL can read the real names from information_schema. Take a full database backup before changing the prefix, because the change renames every table and must also update the prefixed rows in the options and usermeta tables (the plugin takes care of this). To change the database prefix in WordPress, follow these steps.

  1. Go to the WordPress dashboard.
  2. Click on the 'Plugins' tab and then on 'Add New'.
  3. Search the WordPress plugin repository for Brozzme DB Prefix & Tools Add-ons.
  4. Click Install Now to install it on your site, then activate it.
  5. Select DB Prefix from the Tools menu. Check your database's existing prefix and enter the new one.
  6. Click the 'Change DB Prefix' button and you are done.

20. Change the Admin Username

This method is simple, and anyone can use it to get a less guessable admin username right away. The idea is to create a new user with the Administrator role, then delete the default admin account and attribute all of its content to the new one.

  1. Create a new user. Log in to your Dashboard, hover over Users in the left-hand menu and select Add New.
  2. Fill in all of the required fields. Give it a username that is hard to guess (that is the goal) and a strong password. Choose Administrator from the Role drop-down to give the new user administrative rights, then press the Add New User button.
  3. Log out of the old admin account from the menu at the top right of the page.
  4. Log in to your Dashboard again with the new user account.
  5. Delete the default admin. In the Users section, select All Users, hover over the default administrator and select Delete.
  6. Confirm the deletion. Tick 'Attribute all content to' so the content previously created with the old admin account is kept, and select the new admin username from the drop-down menu.

Keep in mind that WordPress still reveals usernames elsewhere, for example through author archive URLs (?author=1) and the REST API users endpoint, so this step mainly defeats scripts that assume the username is 'admin'; a strong password and 2FA remain the real protection.

Over to you!

If you’ve ever had your website hacked, you know how frustrating it can be.

Hackers may damage the reputation of your IP address and domain, steal your confidential information, delete or alter your data, inject malware into your SQL database, and insert backdoors into your scripts to allow future access. Furthermore, once a site has been hacked it is often attacked again.

Without a doubt, this makes cleaning and restoring hacked websites incredibly difficult.

The easiest way to avoid being a hacker’s target is to avoid them in the first place. Taking a few precautions now will save you a lot of time and aggravation later.

This article has covered a lot about how to protect your website from hackers. Your website is extremely valuable.

We are not just talking about its value to you and your visitors. Perhaps you run a small online store or a hobby blog that a select group of people read regularly.

The point is that even if there is little direct financial gain in hacking your website, a clean, trusted site is still worth taking over: it can be used to host spam or phishing pages or to sell illicit or grey-market goods, which makes the hack worthwhile for the attacker.

As a result, running a small website is no defense against malicious intent.

Second, it is incumbent upon us all to safeguard our users’ data and identities. By visiting a site at all, they are putting a certain amount of confidence in it, and we should be aware of this when considering website protection.

Being diligent and taking a cautious approach to security will help you stop a hacker. It’s critical to understand that safeguarding your website from hackers and malicious attacks is a continuous operation. There are several measures you can take just once, but the most important thing is to stay informed about changes in the threat landscape.

We hope that this article gives you everything you need to know on how to secure a WordPress site! Let us know how you get on!

A team of WordPress experts that love to test out new WordPress related software, WordPress plugins and WordPress themes.