WordPress Security: 10 steps to secure your website

If you have your website on WordPress, you are among the 38% (of almost 1.7 billion) total websites on the internet today. Using one of the best content management systems for your website does ensure better functionality and management for your website. However, it also throws you under the radar of hackers and malicious actors. So, if you have a WordPress website today, there are reasons for you to worry. Capturing the largest share of websites on the web, WordPress websites remain the most sought after prey for cyberattacks. Any minor vulnerability and loophole in your WordPress website’s core, or in the plugins & themes you use, your passwords, and configurations can compromise your WordPress security just like that. Therefore, it is extremely important that you employ the right WordPress security measures to harden your website’s security. We discuss them in this article. Continue reading on.

A breakdown of WordPress vulnerabilities into different types; Image source: Astra Security

10 Steps to secure your WordPress website

1. Update your WordPress regularly

According to a report by WPbeginner, around 86% of the attacks on WordPress happen due to outdated versions of CMS, plugins and other extensions. Almost all software versions sprout vulnerabilities in them over time due to obsolete security practices, or introduction of flaws and bugs, so it becomes necessary to update them. Your outdated software is of great use for a hacker, he/she can use this information to manipulate the vulnerabilities in your website and thousands other websites that employ the same software version.

Source: wpbeginner

When a new update is released, it comes with patched vulnerabilities. So if you are still using the old version, now is the time to update it. An update usually includes improved security measures, features and performance enhancements. To upgrade your WordPress regularly, log in to the admin area, and go to Dashboard>>Updates. You can see whether a new version is available or not. All you have to do now is to select the ‘Update Now’ button to start the update.

Source: wpbeginner

2. Use a web application firewall 

Using a web application firewall to monitor and filter out attacks at the very entry of your website ensures maximum security of your website. One of the leading WordPress firewalls you can deploy on your website for 24*7 protection of your WordPress instance is Astra Security’s end-point firewall. This firewall installs as a plugin on your website and operates on your own server, so absolutely no DNS change is required to use it. Astra’s intelligent firewall blocks all attacks such as — XSS, CSRF, SQLi, Spam, Bad Bots, RCE, RFI, LFI, and several more. This firewall remains active round the clock giving you a peaceful sleep in the night.

How Astra’s end-point firewall works?; Source: Astra Security

3. Regularly backup your website

The best way to strengthen WordPress Security is by backing up your website on a regular basis. So, when a hacker attacks your website, you can start your website by reinstalling the backup instead of starting from scratch.

You can use a backup plugin for this purpose. There are numerous backup plugins available in the market. For example, UpdraftPlus has some updated security features, at an affordable price.

4. Use secure admin login credentials

The default admin username provided by WordPress is ‘admin’, and it has often been seen that users tend to use the default usernames. This error can become fatal if left unchecked because a hacker can brute-force your account. You can use the below-mentioned steps to change the username for your existing WordPress website:

  • In the WordPress dashboard, go to Users>>Add New.
  • There, create a new user and then assign the role of admin to that user. Click the Add new user button once you are done.

Source: hostinger

  • Log in with the newly registered username.
  • From the Users section, delete the old admin account.

5. Limit login attempts

Limiting login attempts is one of the best ways to complete WordPress security. Several hackers use a brute-force attack to hack a website. If the login attempt to your account is unlimited, it is so much easier for a hacker to brute-force their way into your website. You can prevent this by assigning a limit to the allowed login attempts at one go.

You can use a plugin for this purpose as well. There are several plugins available in the market. These two are some of the popular limit login attempts:

Source: themeisle

6. Use strong passwords

Make sure that the password for your website is unique. SplashData’s 2018 list of passwords shows that the most commonly used password throughout the year (in order of popularity) was 123456. Using a password this simple can put your website at a security risk. To strengthen the password, try to incorporate a mixup of uppercase and lowercase letters with numbers and special characters. You may also use the default auto-generated password.

7. Install the WP Hardening Plugin

The WP Hardening plugin makes it easier to tweak WordPress security changes with just a click. You can change your default admin URL, hide your WP version number, disable XMLRPC, WP API JSON, directory listing and many more security changes with a toggle of a button. This multi-purpose security tool saves you time and effort and at the same solidifies your website security.

8. Protect the wp-config.php file

The wp-config.php is an important file, it contains crucial information about the WordPress website’s configuration including the credential details. To protect this file, change the location of this file by simply moving it one step ahead of your WordPress root directory. This change won’t affect your website, but it will make it difficult for hackers to find it. Also, set secure file permissions to restrict access to the file.

9. Protect the .htaccess file

To secure the .htaccess file of your WordPress website, simply copy these codes to your .htaccess file.

Source: websitesetup

These codes will help you strengthen the security of the .htaccess file as well as that of the wp-config.php file. Also, add this snippet to stop the PHP file execution:

Source: websitesetup

10. Scan your website regularly

Even though you have best security practices in place, checking up on your website’s well-being should be on your list. We suggest scanning your website regularly for malware and other discrepancies. You can use an automated malware scanner to scan your complete website on regular intervals. Astra’s Security Suite comes pre-packaged with a firewall, malware scanner, country and IP blocker and several other security tools. Available at a very reasonable price (starting at $19), you can use Astra’s automated malware scanner to not only scan but also review changes in your website’s files. This on-demand scanner is available to you 24*7 and can be used for one-click malware removal (you can remove any malicious files) also.

Malware flagged by the Astra Malware Scanner; Source: Astra Security


With this, we are nearly at the end of our discussion on WordPress security. I hope that through this article all your queries have been resolved. But if you have further questions, drop by some comments and we will help you through it.