Inkbot Design
Published in

Inkbot Design

27 Ultimate Steps to a Secure WordPress Site

Ensuring your WordPress site security should be the key priority for all website owners.

Why? Around 23% of all the sites in the world are powered by WordPress.

Hackers are continuously trying to break the security barrier of the world’s most popular CMS.

Cyber-attacks are always painful whether you have a business site, portfolio, or an e-commerce site.

Unfortunately, there is not a single way to protect WordPress websites, as hackers are knocking almost every backdoor that can lead to the control of your admin panel.

So here is the list of the top 27 tips that can help you to secure your WordPress site effectively.

1 — Activate two-factor authentication for WordPress

Activation of two-factor authentication is one of the best ways to minimise brute-force attacks.

In the two-step or two-factor authentication mode, apart from the password, WordPress will also ask for an OTP (one-time password), which can be sent to your personal phone number.

2 — Run scheduled malware scans

Scheduled malware scans help you to stay ahead from malware infections.

You can use different plugins to run scheduled malware scans.

But, stay alerted while downloading plugins, the unauthorised source of plugins can itself cause security issues.

3 — Activate WordPress Brute Force Protection

Activating brute force protection is another way to protect your website from potential brute force attacks.

We suggest you use protection service that can cover both local and network brute force.

4 — Update WordPress on Regular Basis

WordPress releases updates on a regular basis that often includes security patches in the code.

So, try not to miss the updates.

Updating WordPress regularly can solve various security issues automatically.

5 — Use Strong Passwords

Stolen passwords are one of the most common ways used to hack WordPress.

Related Article: Should you Hire a Design Agency or a Freelancer?

You need to select strong passwords for the database, FTP accounts, professional email addresses, and WordPress hosting accounts.

You can use a password manager to manage complex WordPress passwords.

6 — Upgrade to Secure WordPress Hosting

Your web hosting service plays a crucial role in the security maintenance of WordPress.

A good shared hosting provider takes extra care of the service users, while a poor shared hosting provider takes the users’ security issues reluctantly.

So, choose your secure WordPress hosting service wisely.

7 — Use a WordPress Backup Solution

It does not matter how much protection you have set up; your website still has a chance to be hacked.

So, it is smart to keep regular backups.

You can use many paid as well as free WordPress backup plugins to keep your backups in order.

You can even use cloud services (remote locations), such as Dropbox and Amazon to save automatic backups on a regular basis.

8 — Use WordPress Security Plugins

Using WordPress security plugins is common, but a vital step.

With the implementation of the WordPress security plugins, you can easily avoid major security threats and malware.

The use of Sucuri scanner (WordPress plugin) has also gained popularity.

9 — Download Plugins from Reliable Sources

We firmly recommend downloading plugins only from reliable and trusted sources.

You can download plugins as well as themes from

If you feel that is not enough, you can download plugins from other websites, but be careful about site legitimacy.

10 — Keep plugins up-to-date

It is required to up-to-date your plugins regularly, just as you do for the WordPress Core.

Each of the plugins added to your WordPress website is like the possible attachment of a backdoor into the admin’s panel.

In other words, many hackers use plugins as backdoors to enter into the admin’s area.

So, if you are not updating plugins regularly, you may be compromising your WordPress security.

11 — Hide Your Plugins

As we have mentioned, each of the plugins can be a backdoor for hackers.

How great would it be if we could hide our plugins?

Yes, it is doable.

Adding a blank index file in the WP-content/folder/plugins can make all of the plugins invisible.

This is an extra layer of security on a WordPress site.

12 — Activation of Web Application Firewall (WAF)

Enabling Web Application Firewall (WAF) is beneficial.

The activated WAF blocks malicious and suspicious traffic before they even reach the website.

In this case, we also ask you to select the best quality security providers like Sucuri.

13 — Change the default Username

To maintain security, it is smart to change the default username “admin.”

WordPress will let you alter the username by default.

So, you can directly modify the username or use a particular plugin to do so.

Related Article: The Benefits of Live Chat

Since, admin is a default username, not changing the username makes it easier for brute-force attacks.

14 — Disable file editing

WordPress has a built-in code editor helps the user to edit plugins and themes directly from the admin area.

If your site is compromised, then this feature could prove fatal.

We recommend you to add the following code in the wp-config.php file to disable file editing:

// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );

15 — Disable PHP File extension

Disabling PHP extensions is also a good idea.

To do so, paste the following code in a notepad and save it as .htaccess.

Then upload it to /wp-content/uploads/ folders.

<Files *.php>
deny from all

16 — Change File Permissions

We strongly advise you not to configure directories with 777 permissions.

According to, it is better to opt for 750 or 755 instead of 777.

When you are working on the site, you can set files to 644 or 640.

17 — Use HTTPS

An SSL certificate cannot secure you from hackers itself.

An SSL certificate is only meaningful when your site has a payment system or deals with personal information of the users.

It is easy to shift from HTTP to HTTPS, and there are tonnes of guidelines available on online.

However, we ask you take help or consult with the technical support before and during the shifting of the site from HTTP to HTTPS.

18 — Put Limit on Login Attempts

WordPress offers countless attempts to try to log in, which makes it vulnerable to Brute Force attacks.

Using WAF can solve this issue automatically.

But, if you are not using WAF, then you can use plugins like Login LockDown.

19 — Change WordPress Database Prefix

The WordPress users by default carry the “wp_” WordPress database prefix.

Using this default prefix can reveal your table name to hackers.

We strongly suggest you change the WordPress Database Prefix.

20 — Disable Directory Indexing and Browsing

Hackers can use directory browsing to identify any file kept by the admin that has known vulnerabilities.

This particular file with vulnerabilities could be utilised by hackers to access the website.

In order to disable Directory indexing, you have to add following texts to the .htaccess file.

Options -Indexes

21 — Use Password Protect WP-Admin and Login

Hackers can access wp-admin folder and login page without much difficulty.

Using password protected WP-Admin and Login can block these requests.

22 — Automatically log out Idle Users

The Idle User Logout plugin is a user that you can use to logout when the user is inactive, and not working.

With this plugin, you can set an ideal time, after which the user is automatically logged out.

23 — Use CDN Service

CDN is a Content Delivery Network that offers you alternative server nodes.

Related Article: How To Trademark A Logo

These alternative server nodes are perfect for improving the response time and download speed of the users globally.

On the other hand, the CDN network requires meeting specific security regulations to protect the users’ data and others who are using cloud systems.

Many WordPress users compromise speed to ensure security.

With CDN services, you can have both speed and security.

CloudFlare CDN and MaxCDN are two of the best CDN service providers currently.

24 — Hide the Admin Page

The first and foremost step taken by a hacker is to find your login page.

Hiding the login page URL could be a shrewd move from your end.

For this, you just have to modify your login page URL.

Alternatively, you can use WPS Hide Login Plugin and Protect WP-Admin Plugin to change the login page URL.

25 — Disable XML-RPC in WordPress

The XML-RPC is a popular plugin used to connect a WordPress site with the web and mobile apps.

On the other hand, XML-RPC can also allow for brute-force attacks.

While XML-RPC is active, the hackers can use hundreds of passwords by using the system.multi-call function.

Therefore, we strongly recommend disabling this feature.

26 — Fixing a Hacked WordPress Site

When or if your website is hacked, hackers can install a backdoor.

If the WP maintenance provider failed to fix this backdoor, there is a chance of another hacking incident.

So, while securing your WordPress website, be careful.

27 — Add Security Questions to WordPress Login

This is a simple but efficient method to make it harder for the hackers to control your website.

You can set a security question with the help of the WP Security Questions plugin.

It is recommended that you should not ask any question which has an obvious answer and the hacker can easily find it.

Offer personal and odd questions to perplex the hackers.


All of the 27 steps discussed in this article are capable of cutting the leads that could lead to the WordPress security breaching.

However, it is unwise to claim that the methods discussed here can make your WordPress site 100% secure.

Hackers are getting more creative with time.

So, try to follow all of these steps to secure your WordPress site as far as you can and ask for help as soon as you encounter any security breaches.

If you wish to discuss how we can develop your brand or provide graphic design for your product or business, email us at:

Inkbot Design is a Creative Branding Agency that is passionate about effective Graphic Design, Brand Identity, Logos and Web Design.

T: @inkbotdesign F: /inkbotdesign



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Inkbot Design

Inkbot Design


Inkbot Design is a Branding Agency & Graphic Design Studio. We Help Businesses Grow with Professional Logo Design, Brand Identity, Web Development & Marketing.