WebCitz Blog

20 WordPress Security Tips to Keep Your Site Safe

WordPress has become one of the most popular content management systems for websites because it’s so easy to use. The downside, however, is that WordPress sites are also extremely vulnerable to attacks.

With this in mind, it’s important you take a few simple steps to increase security before your site goes live. In this article, we will outline 20 tips that will help keep your website secure and safe from hackers!

1. Update WordPress Regularly

It’s important that you keep your WordPress installation up to date so it has the latest security fixes. This will help protect against many forms of attack, including SQL injection and brute force attacks.

2. Don’t Install Plugins or Themes From Untrusted Sources

It’s always a good idea to use only plugins and themes from the official WordPress directory, as they are more trustworthy than those found elsewhere on the Web. If possible, install them directly from within your admin panel rather than uploading files you downloaded from a third-party site.

3. Create Strong Passwords for Everything

Your accounts should all have different passwords made of complex combinations of letters, numbers, and symbols. Although these passwords can be hard to remember, they make it a lot harder for others to crack! Avoid reusing the same password in multiple places; otherwise a single compromise can result in massive losses.

4. Protect Sensitive Data with a Plugin

There are many plugins available that can help you protect sensitive data, such as credit card numbers and passwords. These security plugins will help protect your site against hacks, malware, brute force attacks, SQL injection, and more.

5. Train Staff in Information Security Basics

It’s a good idea to provide some basic training for your employees so they know how best to keep their data safe when using company computers or accessing websites like yours!

6. Back Up Regularly

One of the best ways to protect against data loss is to back up everything regularly. You can either do this manually or with a plugin, though make sure you store your backups in an encrypted location!

7. Install a Firewall on Your Computer – or Use a Browser Extension

A firewall is an application that inspects network traffic and looks for malicious activity. This will help protect your computer against viruses and other malware. If you don’t have one already, then consider using a WordPress plugin like WP Firewall Pro, which provides protection and monitoring tools for the site itself.

8. Don’t Share Login Details with Anyone

If you give your password to someone you know, be mindful that this information can leak, which could lead to dangerous people gaining access to all of your information!

9. Encrypt Sensitive Files like .htaccess & wp-config.php

If you have any sensitive files that are used to secure your site, then consider encrypting them. This will help prevent people from accessing and modifying their content!

10. Change Your Login URL

Most WordPress sites use the default login path under /wp-admin, which means hackers can easily identify your login URL and then try to break into it. To avoid this issue, you can change the URL to include something else, like “MY-SITE.” The iThemes Security plugin has you covered!

11. Disable XML-RPC API Access if Not Needed

If you don’t need the ability for remote publishing, then disable XML-RPC API access in Settings → Writing → Publishing Options so hackers cannot take control of your site.

12. Disable Directory Browsing

It’s advisable to disable the ability for anyone other than yourself to browse your website directories. If you don’t, files may become accessible if someone guesses what they are called and where they are located on your server!

13. Protect Yourself on Public Wi-Fi Networks

Public Wi-Fi is a great way to save money on data, but it’s not always safe, especially when using websites like Facebook or Gmail, whose login details can be exposed if the accounts aren’t protected with two-step verification! Consider creating an encrypted connection over the network by installing VPN (virtual private network) software before logging in anywhere important.

14. Don’t use “admin” as a Username

It’s important to choose an individual username that isn’t so easily guessed. You should also learn how to protect your WordPress site from brute force attacks by adding another layer of security on top of passwords, such as CAPTCHAs and rate limiting.

15. Enable SSL Where Possible

This will make sure user data is encrypted in transit and provides an additional security layer should any session cookies be intercepted by third parties (this may happen when someone is in possession of both your PC and device). This step might require some technical input but shouldn’t take too long!

16. Install Google Authenticator App for Two-Factor Authentication

Google Authenticator sends unique codes via text messages whenever someone tries logging into one of your accounts, meaning only authorized users can get past the login screen to access your site.

17. Scan Your Website Regularly

It’s important that you regularly scan both your files and your database so they don’t contain any malware or security vulnerabilities that could be exploited by hackers. There are lots of plugins available to help with this task, but we recommend using Wordfence as it has all the features required in one package. It also includes live traffic analysis, which is useful if something suspicious happens on your site!

18. Protect Your wp-admin Area

The admin panel is where your content and settings are managed, so it’s important to ensure it is well protected from unauthorized access. There are a number of plugins available that can help do this; we recommend using WP Admin Protector, or restricting access via .htaccess if you have advanced technical knowledge.
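The .htaccess approach mentioned here also covers tips 9, 11 and 12 (protecting wp-config.php and .htaccess, blocking XML-RPC, and turning off directory listings). The following configuration is an added example written for this article, not code from WordPress or from any plugin; it assumes Apache 2.4 (the `Require` syntax), that `AllowOverride` permits these directives, and uses the documentation address 203.0.113.10 as a placeholder for the administrator's fixed IP.

```apache
# ---- /.htaccess (site root) ----

# Tip 12: no directory listings, so a guessed folder name reveals nothing.
Options -Indexes

# Tip 9: wp-config.php and .htaccess must never be served over the web.
# (They still have to be readable by PHP/Apache, so this is access control,
# not encryption.)
<Files "wp-config.php">
    Require all denied
</Files>
<Files ".htaccess">
    Require all denied
</Files>

# Tip 11: if remote publishing is not needed, refuse XML-RPC requests
# before they reach PHP at all.
<Files "xmlrpc.php">
    Require all denied
</Files>

# ---- /wp-admin/.htaccess ----

# Tip 18: only the administrator's IP (placeholder 203.0.113.10) may open
# the admin area. admin-ajax.php is used by front-end features of many
# themes and plugins, so it stays public; <Files> is merged after the
# directory-level rule and therefore wins for that one file.
Require ip 203.0.113.10
<Files "admin-ajax.php">
    Require all granted
</Files>
```

After editing, load the site, the login page and a front-end AJAX feature from a non-allowed address to confirm that only the admin area is blocked and nothing else broke.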

19. Activate Strong Firewall Rules in phpMyAdmin or cPanel (e.g. DENY all IPs)

If you want an extra layer of protection, it’s possible to set up rules that block anyone who tries logging into MySQL with invalid usernames or passwords via phpMyAdmin or cPanel, meaning they won’t be able to do anything else if this happens!

This can also help protect against SQL injection attacks by adding an additional check before rows are inserted into tables, so only authorized users can perform operations.

20. Limit Login Attempts

This is a good idea to defend against brute force attacks. In the “General Settings,” you can set the number of incorrect passwords allowed before an IP address is blocked for a period of time.
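To show what a login limiter like this (and the rate limiting from tip 14) actually does behind the scenes, here is an added example written for this article; it is not code from WordPress or from any plugin. It assumes a must-use plugin file in wp-content/mu-plugins/, a constructed policy of 5 failures per IP in 15 minutes, and that `REMOTE_ADDR` is the real client address (behind a proxy or CDN it must be set correctly or every visitor shares one counter).

```php
<?php
/*
 * Plugin Name: Login Attempt Limiter (example for this article)
 * Place in wp-content/mu-plugins/ so it loads without activation.
 */

// Constructed policy: 5 failed attempts per IP within 15 minutes.
define( 'LAL_MAX_ATTEMPTS', 5 );
define( 'LAL_WINDOW', 15 * MINUTE_IN_SECONDS );

// One counter per client IP, stored as a WordPress transient that expires
// on its own after LAL_WINDOW seconds.
function lal_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lal_fail_' . md5( $ip );
}

// Count every failed login. This hook fires for a wrong username and a
// wrong password alike, so attackers learn nothing about which one was wrong.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lal_transient_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, LAL_WINDOW );
} );

// Refuse logins once the limit is reached. Priority 30 runs after WordPress's
// own credential checks (priority 20), so even a correct password cannot
// override the lockout. The refusal itself also fires wp_login_failed,
// which extends the lockout while attempts continue.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $fails = (int) get_transient( lal_transient_key() );
    if ( $fails >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter on success so legitimate users who mistyped a password
// are not locked out afterwards.
add_action( 'wp_login', function () {
    delete_transient( lal_transient_key() );
} );
```

Because it hooks the `authenticate` filter, the same limit also applies to logins made through XML-RPC, not just the wp-login.php form.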

In conclusion, there are a lot of things you can do to protect your WordPress site from attacks. These include using strong passwords, backing up regularly, and installing plugins like WP Firewall Pro that will help keep hackers away!

Like most other things, nefarious people probably wouldn’t want much to do with a website that both looks bad and doesn’t have many users, even if it isn’t protected very well. Use these 13 website design best practices and couple them with the security tips you just learned to make an ultimate website with impenetrable security!

Disclaimer: WebCitz, LLC does not warrant or make any representations concerning the accuracy, likely results, or reliability of the information found on this page or on any web sites linked to from this page. This blog article was written by Timothy A in his or her personal capacity. The opinion(s) expressed in this article are the author's own and may not reflect the opinion(s) of WebCitz, LLC.