Secure WordPress – How to Ensure the Security of Your Website

Gone are the days when the best websites were simply the ones with the best-looking designs. The narrative is changing, and site owners now treat security as one of the most important parameters when setting up a website.

Waking up to find that your website has been broken into is not a pleasant experience for anyone. It is worse still for an ecommerce site: you can lose customers, halt operations for a while and lose a good deal of money in the process, which amounts to an undeserved victory for the attackers. No reasonable and responsible site owner wants that to happen.

This is a serious subject for anyone who owns a website, because if you neglect website security, you will have only yourself to blame when disaster eventually strikes.

Security checklist – What to do to make your WordPress website secure?

How Secured Is WordPress?

Knowing whether WordPress is a secure platform for building websites is a good place to begin. Many people have the impression that it is not. The reason that impression is so widespread is simple: many site owners have not adopted basic security practices; others keep running old, long-unsupported versions of WordPress; some treat nulled (pirated, and frequently backdoored) plugins as the only tools available for equipping their sites; and another group has no idea what web security is about and administers their systems poorly. Let's face it, each of these is enough on its own to get a website compromised.

The straightforward answer to the question above is that WordPress is a secure platform for building websites.

There is another group we need to address: people who are sceptical about using WordPress for anything because they feel it is not 100% secure. No website platform is 100% secure. If you are committed to finding software that is 100% secure, you have dedicated your life to chasing shadows.

However, WordPress does have solid security features and controls that help you minimise and mitigate the risk of falling prey to attackers.

More than 34% of the world's websites are powered by WordPress, which is reason enough for attackers to target it. This is why you cannot afford to leave any security loophole open; if you do, you do so to your own detriment.

Most of the WordPress breaches you have heard of trace back to a small number of weaknesses, usually on sites whose owners did not know what measures to take. The attacks involved include backdoors left behind after an initial compromise, malicious redirects, pharma hacks (spam content injected into a site's pages and search listings), denial of service (DoS), cross-site scripting (XSS) and brute-force login guessing. Note that these are attack techniques rather than vulnerabilities in themselves; each one exploits a weak password, an outdated component or a misconfiguration. The good news is that there are measures you can adopt to protect yourself against all of them.

Developers are producing thousands of plugins and themes to serve WordPress users' various goals, and some of these tools have inadvertently introduced vulnerabilities. That is not something to lose sleep over, because a dedicated WordPress security team works to ensure such lapses are fixed within the shortest possible time. Some of these professionals are paid to do this work, so you can imagine how far they are prepared to go to stay on top of every security situation. The caveat is that a fix only protects you once you have installed it.

According to a survey conducted by a research group that reviews website security, more than 100,000 sites are attacked every day. There are a great many things you can do to build a secure WordPress website that withstands such attacks and avoids the financial losses they cause. Here are some of the steps you can take:

A Secured WordPress Hosting Company Is Better

Never make the mistake of thinking that securing your WordPress website is entirely up to you. Your hosting company has its own responsibilities, and if it does not live up to them, your site can be hacked regardless of what you do. Only trust your business to web hosting companies that have proven their worth. Once the host's own systems are compromised, there is very little you can do, and you never want to find yourself in that position.

The best hosting companies use server hardening to provide a safe environment for WordPress websites. They use several layers of hardware and software controls to make sure their infrastructure can withstand security threats, however sophisticated.

They also keep their servers patched with a current operating system and run regular scans and tests to find malware and other problems.

Running a hosting service without firewalls and intrusion detection systems is a disaster waiting to happen. These things have to be in place before any WordPress installation goes on the server. Good hosts also take care not to degrade your website's performance by installing security tools that do not work well with the platform.

Use Smart Login Credentials

You can make your WordPress website far harder to break into simply by using strong passwords and non-obvious usernames. Some site admins still prefer weak passwords for logging into their sites, and the consequence is easy to guess. According to a survey published by a tech journal a couple of years ago, the most commonly used admin password was 1234567, followed by a host of other easily guessable passwords. That is how bad it is.

This is why serious websites enforce a password strength meter on every new password. If you want a well-protected WordPress site, begin by adopting long, unique passwords that cannot be guessed or quickly brute-forced.

Fortunately, there are plenty of tools that can help: a password manager will generate and store a random password for each site, which beats any manual scheme. A quick search will turn up well-regarded options.

A WordPress installation offers a default username, admin; never use that account. Create your own uniquely named user, assign it the Administrator role, and then delete the default admin account (WordPress will ask you to reassign its posts to the new user). Another way of achieving this is to rename the account in phpMyAdmin with the command below, after backing up your tables (wp_ is the default table prefix; substitute your own if you changed it). Note that this only changes the login name: the user_nicename column, which appears in /author/ URLs and in the REST API's user listing, still reads admin until you change it as well, so the login name can still be discovered.

UPDATE wp_users SET user_login = 'customadminuser' WHERE user_login = 'admin';

There Is Nothing Like The Latest Version Of PHP

WordPress, as we know, relies heavily on PHP. It is therefore a no-brainer that your host's server should be running a current, supported version of PHP for your website to stay safe.

Each PHP release receives two years of active support, followed by a period in which only security fixes are issued; after that, anyone still running it does so at their own peril. Unfortunately, as many as 56% of users were still on PHP 5.6 or lower, long after those versions had reached end of life.

This is inadequate and will only lead to more problems for website owners. You do not have to be in this category if you want to avoid the heartache of managing a compromised WordPress site.

Besides exposing your data to known, unpatched bugs in the interpreter, running an old version of PHP also hurts your WordPress site's performance, and that is not something anyone wants to joke with these days.

Find out which PHP version your WordPress host is serving you. There are several ways: WordPress itself reports it under Tools > Site Health > Info (Server), and a tool such as Pingdom will show it if the server sends an X-Powered-By header (well-configured servers suppress that header, so its absence is not a bug). If it is below the current supported version, switch it from your hosting control panel, for example cPanel's MultiPHP Manager, and test the site afterwards, since old themes and plugins can break on newer PHP.

Have Your WordPress Admin Locked Down

Locking down the WordPress admin section is a good way to secure your website, because the login form is where most automated attacks begin. You can do this in two ways. First, you can reduce the noise by changing the URL of your WordPress login page.

The default WordPress login URL is yoursite.com/wp-login.php (and yoursite.com/wp-admin/, which redirects there). Everyone, good and bad, knows this default, so bots try their luck against it. Changing it cuts down on automated attempts, but treat it as obscurity rather than a real control: a determined attacker can still find the new address, so the measures below still apply.

To change this URL there are a couple of free plugins you can use, such as WPS Hide Login.

The second way is to limit the number of times someone can try to log in. This method has proven highly effective at keeping password-guessing bots at bay. Explore the tools that are out there; they let you define the lockout duration, the number of permitted attempts, and IP allowlists and denylists. Bear in mind that attackers rotate through many IP addresses, so a per-IP limit slows them down rather than stopping them, which is why strong passwords and a second factor still matter.
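To make concrete what those lockout tools do, here is an example written for this article (not code from any of the plugins mentioned) of a per-IP failed-login limiter with a lockout window and allow/deny lists. The class and function names, the thresholds and the IP addresses in the simulation are all constructed for the demo.

```python
"""Per-IP failed-login limiter with lockout window and allow/deny lists (added example)."""
import ipaddress
import time
from collections import defaultdict


class LoginLimiter:
    """Decide whether a login attempt from an IP should reach password checking.

    max_attempts failed logins inside lockout_seconds lock the IP out for
    lockout_seconds. Denylisted IPs are always refused; allowlisted IPs are
    never locked. The defaults are assumptions that mirror typical plugin settings.
    """

    def __init__(self, max_attempts=5, lockout_seconds=900,
                 allowlist=(), denylist=(), clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.allow = [ipaddress.ip_network(n) for n in allowlist]
        self.deny = [ipaddress.ip_network(n) for n in denylist]
        self.clock = clock                  # injectable so a demo can fake time
        self.failures = defaultdict(list)   # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> clock value when lockout ends

    @staticmethod
    def _listed(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def allowed(self, ip):
        """True if the attempt may proceed; False if the IP is denied or locked out."""
        if self._listed(ip, self.deny):
            return False
        if self._listed(ip, self.allow):
            return True
        deadline = self.locked_until.get(ip)
        if deadline is not None:
            if self.clock() < deadline:
                return False
            # Lockout has expired: clear the record so counting starts afresh.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
        return True

    def record_failure(self, ip):
        """Register a wrong password. Returns True if this attempt triggered a lockout."""
        if self._listed(ip, self.allow):
            return False
        now = self.clock()
        # Keep only failures inside the current window, then add this one.
        recent = [t for t in self.failures[ip] if t >= now - self.lockout_seconds]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        """A correct password resets the failure counter for that IP."""
        self.failures.pop(ip, None)


def simulate():
    """Replay a constructed attempt sequence with a fake clock; returns the decisions."""
    fake_now = [0.0]
    limiter = LoginLimiter(max_attempts=3, lockout_seconds=60,
                           allowlist=["10.0.0.0/8"], denylist=["203.0.113.0/24"],
                           clock=lambda: fake_now[0])
    attacker, office, banned = "198.51.100.7", "10.1.2.3", "203.0.113.9"
    decisions = []
    for _ in range(3):
        decisions.append(limiter.allowed(attacker))
        limiter.record_failure(attacker)
    decisions.append(limiter.allowed(attacker))   # third failure locked the IP
    fake_now[0] = 61.0                            # lockout window has passed
    decisions.append(limiter.allowed(attacker))
    for _ in range(5):
        limiter.record_failure(office)
    decisions.append(limiter.allowed(office))     # allowlisted: never locked
    decisions.append(limiter.allowed(banned))     # denylisted: always refused
    return decisions


if __name__ == "__main__":
    print(simulate())  # [True, True, True, False, True, True, False]
```

In a plugin the same decisions would hang off the authenticate and wp_login_failed hooks, and the counters would live in a transient or a dedicated table rather than in memory so they survive across requests; the point here is the decision logic itself.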

Everything You Are Using Should Be The Latest Version

In line with what we said earlier, too many WordPress users are building with outdated components. They rarely realise that one of the simplest steps towards a secure WordPress website is making sure everything you use is the latest version: the WordPress core, your theme and every plugin. Updates usually carry security fixes as well as bug fixes, and once a fix is published, the vulnerability it closes is public knowledge.

Leave the bandwagon of businesses that feel they have no need to update what they are using. That is a strategy that only leads to trouble later on. You are likely to hit bugs, or even end up with a broken site, simply because you are running an outdated plugin.

Secure WordPress settings

Another telling statistic for website owners is that over 50% of the WordPress vulnerabilities exploited by attackers stem from outdated plugins. Save yourself the heartache by using one of the best WordPress security plugins available. Experts also recommend that you do not pick up just any plugin on the web and start using it. Prefer plugins that are trusted: get them from the official WordPress.org plugin directory (or the developer's own site for commercial plugins), never from sites offering nulled copies, and scan anything you download before installing it.


Updating WordPress Core

Most hosting companies offer a one-click option for updating the WordPress core, and WordPress itself applies minor (security) releases automatically by default. This is the easier option, since the update is taken care of for you.

To do it by hand, go to the WordPress dashboard, open Updates and click 'Update Now'.

You can also update by downloading the latest WordPress package manually. The catch with this method is that you must be careful not to overwrite the wrong directories (wp-content holds your themes, plugins and uploads and must not be replaced). Back up first, and consult a developer if you are unsure.

Observe These Steps When Upgrading To The Latest Version:

Updating WordPress plugins

You can also update WordPress plugins automatically or manually. The automatic process is almost the same as above.

Navigate to your WordPress dashboard, click 'Updates', select the plugins you want to update and click 'Update plugins'. It is as simple as that.

For a manual update, download the plugin from the developer's site or the WordPress.org repository and upload it via SFTP (not plain FTP, which sends your credentials in cleartext), overwriting the old copy in /wp-content/plugins/.

HTTPS Is Better For Encrypted Connections

One widespread misconception among site owners is that SSL/TLS is only for websites that handle credit card payments and the like. HTTPS (Hyper Text Transfer Protocol Secure) is simply HTTP carried over an encrypted TLS connection, which ensures the browser is talking to your site and not an impostor, and that nobody on the path can read or alter the traffic.

So if you want to stay safe online, make sure all connections to your site use HTTPS, including the login and admin pages, and redirect plain HTTP to HTTPS. There are many obvious reasons why HTTPS is recommended for everyone, even if you are not running an ecommerce site: it encrypts the content, including the passwords and session cookies that would otherwise travel in the clear; it improves your standing with search engines; it reassures visitors that you can be trusted; browsers will not mark the site as 'not secure'; and it enables HTTP/2, which improves performance.

Adopt Two-Stage Authentication

You cannot always rely on password verification alone to protect your WordPress site. You can never be entirely sure of your password's strength, and a password can also be phished or leaked from another site where you reused it; once an attacker has it, you do not want to tell the rest of the story.

Two-stage (two-factor) authentication has become a priority because it requires a second proof in addition to your password before approving a login. The additional method is often a phone call, a text message, or a one-time password (OTP) generated by an authenticator app. Of these, app-generated codes or a hardware security key are preferable, since SMS and phone calls can be intercepted or redirected by SIM swapping.

Brute-force attacks are mostly unsuccessful against sites that use two-stage authentication, because guessing the password is no longer enough. Two-stage authentication is one WordPress security feature you do not want to take for granted.

WordPress Version Should Be Hidden

Keeping your WordPress version out of sight makes life a little harder for intruders. Nothing makes an attacker happier than learning that you are running an out-of-date WordPress, because they can go straight to the known exploits for that version. The more they know about your configuration, the better their chances.

Normally, WordPress writes its version into the page's HTML head, in a generator meta tag. If you keep WordPress current, this disclosure tells attackers nothing useful, and keeping it current is the measure that matters; hiding the version is a minor extra.

That said, if you cannot update immediately, you can remove the version by adding the following code to your theme's functions.php file (put it in a child theme so a theme update does not wipe it out):

function wp_version_remove_version() {
    // Return an empty string so WordPress emits no <meta name="generator"> tag.
    return '';
}
add_filter('the_generator', 'wp_version_remove_version');

Or, preferably, use a one-click solution such as Perfmatters. Note that the version also appears in the ?ver= query string appended to core scripts and stylesheets, and in readme.html at the site root, so removing the meta tag alone is not enough.
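The following scanner, added for this article rather than taken from Perfmatters or WordPress, shows how to check whether the version really is gone: it looks at the generator meta tag and at the ?ver= query strings on assets served from /wp-includes/, the two places a default front page reveals the core version. The two sample pages it runs on are constructed.

```python
"""Find where a WordPress page discloses its core version (added example)."""
import re
from collections import Counter
from html.parser import HTMLParser

_VER = re.compile(r"[?&]ver=([0-9][0-9.]*)")


class _VersionSniffer(HTMLParser):
    """Collects (where, version) pairs from the generator tag and core asset URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.search(r"WordPress\s+([0-9][0-9.]*)", a.get("content") or "")
            if m:
                self.findings.append(("meta generator", m.group(1)))
            return
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        # Core assets live under /wp-includes/; their ?ver= defaults to the core
        # version, although a few (the bundled jQuery, for example) carry their own.
        if url and "/wp-includes/" in url:
            m = _VER.search(url)
            if m:
                filename = url.split("?")[0].rsplit("/", 1)[-1]
                self.findings.append((f"{tag} {filename}", m.group(1)))


def find_version_leaks(html: str):
    """Every place the page states a version, as (source, version) pairs."""
    sniffer = _VersionSniffer()
    sniffer.feed(html)
    return sniffer.findings


def leaked_core_version(html: str):
    """Best guess at the core version: the value reported most often, or None."""
    counts = Counter(v for _, v in find_version_leaks(html))
    return counts.most_common(1)[0][0] if counts else None


# Constructed sample of a default front page; the 'hidden' variant mimics a site
# that removed the generator tag and stripped ?ver= from its asset URLs.
DEFAULT_PAGE = """<!doctype html><html><head>
<meta name="generator" content="WordPress 5.4.2" />
<link rel="stylesheet" href="https://example.org/wp-includes/css/dist/block-library/style.min.css?ver=5.4.2" />
<script src="https://example.org/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp"></script>
<script src="https://example.org/wp-includes/js/wp-embed.min.js?ver=5.4.2"></script>
<link rel="stylesheet" href="https://example.org/wp-content/themes/twentytwenty/style.css?ver=1.3" />
</head><body></body></html>"""

HIDDEN_PAGE = """<!doctype html><html><head>
<link rel="stylesheet" href="https://example.org/wp-includes/css/dist/block-library/style.min.css" />
<script src="https://example.org/wp-includes/js/wp-embed.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for source, version in find_version_leaks(DEFAULT_PAGE):
        print(f"{source}: {version}")
    print("core version:", leaked_core_version(DEFAULT_PAGE))
    print("core version after hiding:", leaked_core_version(HIDDEN_PAGE))
```

Fetch your own front page (for example with curl) and pass the HTML to leaked_core_version; if it still returns a value after you have applied the tweak above, the ?ver= strings are the remaining leak.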


Enhance wp-config.php

A key file in any WordPress install is wp-config.php. It contains highly sensitive information, such as your database credentials and the authentication keys and salts used to sign login cookies. One of the most useful ways to fortify it is to move it out of the web root, so that a misconfigured server can never serve it as plain text. WordPress automatically looks for wp-config.php one directory above the install, so in most cases you simply move the file up one level. If you want it somewhere else, leave a stub wp-config.php in the install that contains only an include of the real file:


<?php
/* Stub wp-config.php left in the web root; the real file lives outside it.
   The path below is an example: yours depends on your web host and setup. */
include('/home/your_unique_name/wp-config.php');

You don’t need XML-RPC

Records show that XML-RPC has become popular with attackers for brute-forcing WordPress logins. As one web expert notes, a shortcoming of XML-RPC is that it lets a client make many calls in a single request via its system.multicall method. That is useful when used for the right reasons; the problem is that the wrong people can use it to pack hundreds of password guesses into one HTTP request, which sidesteps per-request rate limits and login lockouts that count requests.

That is why you most likely do not need XML-RPC; it is more of a security liability than an asset. Contrary to what you might hope, it has been enabled by default on every WordPress site since version 3.5, so assume yours has it on until you have checked. A quick check is to request yoursite.com/xmlrpc.php in a browser: an enabled endpoint answers with 'XML-RPC server accepts POST requests only.' If it is enabled and nothing you use relies on it, disable it before going live. WordPress offers the xmlrpc_enabled filter, which turns off the methods that require authentication, most security plugins provide a switch, and you can also block requests to xmlrpc.php at the web server. The exception is a site that depends on a tool which still talks to WordPress over XML-RPC, such as the Jetpack plugin; leave it on there and rely on rate limiting instead.

Adopt Security Plugins For WordPress

If you thought security plugins for WordPress were just for fun, you can be forgiven. WordPress security plugins remain a vital part of keeping your WordPress site secure.

From generating strong passwords when users create their profiles, to malware scanning, to keeping track of DNS changes, the uses of these security plugins are numerous and too important to dismiss. Notable plugins in WordPress security include Wordfence Security, SecuPress, iThemes Security and WP fail2ban. The best of them check your site periodically to ensure the core files have not been tampered with, by comparing them against the official copies.

Use The Most Recent HTTP Security Headers

A convenient way of improving your WordPress site's security is to leverage HTTP security headers. They are normally configured at the web server level and instruct the browser how to treat your site's content. Many headers exist; this article lists the most important: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options and X-Content-Type-Options. Two that were once on this list are now obsolete: Public-Key-Pins (HPKP) is deprecated and ignored by current browsers, and X-XSS-Protection controlled a browser filter that has since been removed, so it is best set to 0 or omitted.

If you are unsure which headers your site currently sends, open Chrome's developer tools, go to the Network tab, reload the page and look at the response headers of the first request, which is the main HTML document.

Again, if you are not comfortable handling this yourself, consult a developer.
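Here is an added example (not from the article) that runs the check just described on a dictionary of response headers copied from the Network tab: it reports which of the recommended headers are missing or weak and flags the two obsolete ones. The baseline values and the sample headers are assumptions made for the demo.

```python
"""Audit the security headers of a site's main document response (added example)."""
import re

# Headers recommended above, with a value to start from (assumed baselines; a real
# Content-Security-Policy has to be written for the site's own assets).
RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}

# Headers current browsers no longer honour; presence (or a non-zero value) is a finding.
OBSOLETE = {
    "public-key-pins": "HPKP is deprecated and ignored; remove it",
    "x-xss-protection": "the XSS auditor was removed; send 0 or drop the header",
}

MIN_HSTS_AGE = 31536000  # one year, the usual minimum (and the preload requirement)


def _normalise(headers):
    """Lower-case header names; merge duplicates the way browsers do (comma-joined)."""
    out = {}
    for name, value in headers.items():
        key = name.strip().lower()
        out[key] = f"{out[key]}, {value.strip()}" if key in out else value.strip()
    return out


def audit_headers(headers: dict) -> dict:
    """Return {'missing': {...}, 'weak': {...}, 'obsolete': {...}} for one response."""
    h = _normalise(headers)
    report = {"missing": {}, "weak": {}, "obsolete": {}}
    for name, suggested in RECOMMENDED.items():
        if name not in h:
            report["missing"][name] = suggested
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            report["weak"]["strict-transport-security"] = f"max-age={age} is below {MIN_HSTS_AGE}"
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        report["weak"]["x-frame-options"] = f"unrecognised value {xfo!r}; use DENY or SAMEORIGIN"
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        report["weak"]["x-content-type-options"] = f"value {xcto!r}; use nosniff"
    for name, advice in OBSOLETE.items():
        if name in h and not (name == "x-xss-protection" and h[name].strip() == "0"):
            report["obsolete"][name] = advice
    return report


# Constructed headers, as copied from the Network tab of a typical unhardened site.
SAMPLE_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",
    "X-XSS-Protection": "1; mode=block",
    "Public-Key-Pins": 'pin-sha256="base64+primary=="; max-age=5184000',
    "X-Frame-Options": "ALLOWALL",
}

if __name__ == "__main__":
    for section, items in audit_headers(SAMPLE_HEADERS).items():
        for name, note in items.items():
            print(f"{section:8} {name}: {note}")
```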

Examine File As Well As Server Permissions

During installation and when configuring the web server, it is important that you understand file permissions. If your permissions are not tight enough, you could be giving away far more than you realise, for instance letting a compromised plugin rewrite wp-config.php or every other plugin on the server.

You need to know how to assign the right file and directory permissions to the right users. For files: read lets a user read the file, write lets a user change its contents, and execute lets a user run it as a program or script.

For directories: read lets a user list the directory's contents; write lets a user add or delete files in it; execute lets a user enter (traverse) the directory and reach the entries inside it.

Try not to mix these up by giving the wrong user the wrong permission. Each of the three permissions is set separately for the file's owner, its group and everyone else, which is what the three-digit octal modes you see in guides encode. As a rule, nothing on the site should be writable by everyone, and the web server account should be able to write only where it must.
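The audit below is an added example, not part of the article; it walks an install and reports every entry with permission bits beyond a baseline. The baseline (755 for directories, 644 for files, and no wider than 640 for wp-config.php) follows the usual WordPress hardening advice and is an assumption of this example, as is the miniature install it creates in a temporary directory for the demonstration.

```python
"""Flag files and directories in a WordPress install whose modes exceed a baseline (added example)."""
import os
import stat
import tempfile

# Baselines (assumptions following common WordPress hardening advice).
DIR_MAX = 0o755
FILE_MAX = 0o644
FILE_MAX_BY_NAME = {"wp-config.php": 0o640}


def excess_bits(mode: int, allowed: int) -> int:
    """Permission bits present in mode that the allowed mask does not grant."""
    return (mode & 0o777) & ~allowed


def _rel(path: str, root: str) -> str:
    return os.path.relpath(path, root).replace(os.sep, "/")


def audit_tree(root: str):
    """Walk root and return (relative path, octal mode, reason) for every violation."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode) and excess_bits(mode, DIR_MAX):
                findings.append((_rel(path, root), oct(mode & 0o777),
                                 f"directory wider than {oct(DIR_MAX)}"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and specials are out of scope here
            allowed = FILE_MAX_BY_NAME.get(name, FILE_MAX)
            if excess_bits(st.st_mode, allowed):
                reason = f"file wider than {oct(allowed)}"
                if st.st_mode & stat.S_IWOTH:
                    reason += " (world-writable)"
                findings.append((_rel(path, root), oct(st.st_mode & 0o777), reason))
    return findings


def build_sample_site(root: str):
    """Constructed miniature install with deliberately mixed modes for the demo."""
    layout = {
        "index.php": 0o644,                       # fine
        "wp-config.php": 0o644,                   # too wide: readable by everyone
        "wp-content": 0o755,                      # fine
        "wp-content/uploads": 0o777,              # too wide, the classic mistake
        "wp-content/plugins": 0o755,
        "wp-content/plugins/foo": 0o755,
        "wp-content/plugins/foo/foo.php": 0o666,  # world-writable plugin code
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        if rel.endswith(".php"):
            open(path, "w").close()
        else:
            os.mkdir(path)
        os.chmod(path, mode)                      # explicit, so the umask does not interfere


def demo():
    """Build the sample site in a temporary directory, audit it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for rel, mode, reason in demo():
        print(f"{mode} {rel}: {reason}")
```

Run audit_tree on the real document root as the user that owns the files and fix findings with chmod. Remember that the web server process (often www-data, an assumption that varies by distribution) needs write access only to wp-content/uploads and, if you use in-dashboard updates, to the plugin and theme directories.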

Always Ensure Backups

The sermon on backups never ends, but alarmingly, users still do not back up enough. It is absolutely true that you can fight off attackers by deploying the most advanced security measures at your disposal.

However, in the world of computers anything can happen, so the only way to be sure of your content is to back it up regularly. Fortunately, many hosting companies now offer backup services in various forms; some are as easy as clicking a button. Whatever you use, keep at least one copy off the server (an attacker who controls the server can delete backups stored on it) and test restoring from it occasionally.

If your hosting company lacks such a feature, you are not alone. There are several plugins that automate backups and make the process convenient. They let you download a copy over FTP or send it to external storage such as Google Drive, Dropbox or Amazon S3. Examples include WP Time Capsule, UpdraftPlus, BackWPup and Duplicator.

Note: most experts recommend incremental backup solutions, which copy only what has changed since the last run. Such plugins need fewer resources and do not hurt performance.

Alternatively, you can subscribe to a backup service. These services store your content in the cloud for a small monthly fee; they include CodeGuard, VaultPress and BlogVault.

DDoS Protection

If you think getting hacked is bad, wait until you meet a DDoS (distributed denial of service) attack. In a DDoS, many compromised systems flood a single website with traffic at once. The motive? Often simply to take your site down for a period of time.

There are services that can help you fight off this kind of attack on your WordPress site. One is Cloudflare, whose DDoS protection is relied upon by anyone serious about keeping these attackers away. It works as a reverse proxy: visitors reach Cloudflare's network, which absorbs and filters the flood and passes only legitimate traffic to your server, whose IP address stays hidden. For that hiding to mean anything, configure your server's firewall to accept web traffic only from the proxy's IP ranges; otherwise an attacker who learns the origin address (from DNS history or a forgotten subdomain) can simply bypass the proxy.

Secure Hosting

A secure hosting company is a good way to avoid all these troubles. If you lack the expertise to implement the options recommended above, a good host will be glad to help, since helping clients succeed is part of its business. So save yourself the energy and find one today.


Do not run your WordPress site without the necessary security measures just because that is how everyone else does it. With what you have learnt in this post, you can no longer excuse a successful attack by saying you did not know what to do. Take the bold step: write a WordPress security checklist from the points above and use it to ensure every measure is in place before you do anything else. The pleasant surprise is that many of these measures cost far less than people fear. You can deploy strong security without burning a hole in your pocket, and all of the above is cheap compared with the downtime and clean-up you face when your WordPress site is breached. So stay safe by acting on the advice in this post; it is the surest way to keep your business running without interruption.