The Ultimate WordPress Security Guide


There’s a legitimate reason to be concerned about the safety of your website. According to reports, over 90,000 hacking attempts are made every minute on WordPress websites.

Many website owners believe their site is too small to attract the attention of a hacker. The reality is that small websites tend to be lax about security, so hackers find them easier to break into.

Any WordPress website, no matter how big or small, must implement security measures.

Fortunately, there are a slew of things you can do to keep your website safe from bots and hackers. We’ll show you exactly what steps you need to take to make sure your website is safe in this post.

Importance of Website Security

WordPress is the most popular website-building platform on the planet. There are 75 million WordPress websites on the internet right now, with hundreds of thousands more being created every day. This level of popularity comes at a cost.

The more people who use it, the more appealing it becomes as a hacking target. Microsoft’s operating system is a bigger target than Apple’s; Chrome is a bigger target than Firefox. Popularity attracts attention, which can be good or bad.

As we previously said, small website owners believe their websites are immune and do not take the requisite precautions, making them a perfect target.

When hackers break into your website, they use it to carry out malicious operations. They may use your site to launch larger attacks on other websites, send spam emails, store pirated software, inject spam links (such as Japanese SEO spam), sell illegal goods and create affiliate links, among other things.

And that is not the end of it. Things can quickly escalate: search engines can show misleading site warnings to your visitors and blacklist your site. According to reports, Google blacklists 50,000 websites every week for phishing activities and about 20,000 websites for malware.

Apart from that, your account could be suspended by your hosting company. This means your website will be unavailable for several days, affecting your revenue collection. If you wait too long to repair your website, it will have irreversible consequences for your business.

We should all accept that preventing a compromised WordPress website is preferable to repairing one.

We’ll show you how to keep your WordPress site secure, but first, we’d like to answer a query that many of our readers have.

But Isn’t WordPress Secure?

WordPress’s core is secure. WordPress has a dedicated team of developers who work around the clock to keep the WordPress core secure. They are constantly developing technology and issuing patches and fixes to correct any bugs or errors.

For a long time, there hasn’t been a major flaw in the WordPress core.

Despite this, every minute of the day, over 90,000 hack attempts are made on WordPress websites. There are two primary explanations for this.

To begin with, WordPress is a very popular platform. WordPress powers 75 million websites on the internet, attracting the attention of hacking groups from all over the world.

The other reason is the existence of vulnerable and obsolete themes and plugins. According to research, outdated themes and plugins are a leading cause of WordPress security breaches.

So, while WordPress itself is a secure platform, other factors can lead to a website being hacked. Implementing the following WordPress security steps will help keep your websites safe.

How to Secure a WordPress Website?

There are 15 different security measures you can implement to safeguard your WordPress website. These are the ones:

1. Install a WordPress Security Plugin

A security plugin or service’s main functions are to search, clean, and secure. Although there are several security plugins for WordPress to choose from, not all of them are reliable. Some may have a lot of features, but they only make a lot of noise. A skilled hacker can get around such security plugins and gain access to your website.

MalCare is one of the most effective WordPress security scanners available. This is why:

i. MalCare’s Malware Scanner

To run a scan, a WordPress malware scanner needs resources. Many scanners depend on the resources of your web server, which may cause your website to load slowly.

MalCare overcomes this problem by scanning the website with its own server tools. It copies your website’s files to its own server, where the scan is performed. This approach guarantees that your site will not be harmed during the scanning process.

Many scanners only search for known malware, which means they can miss new threats. MalCare is a malware detection tool that can detect all forms of malware, including new ones.

ii. MalCare’s Malware Removal

MalCare provides the quickest malware removal service available. Most WordPress security services offer ticket-based cleaning: if your website is hacked, you must first submit a ticket, pay the malware removal charge, and then wait for security personnel to respond and clean your site. This is a time-consuming procedure that also means granting a third party access to your website.

MalCare’s cleaner works differently. Time is of the essence after a hack: the longer it takes, the more likely your website will be blacklisted by Google or suspended by your web host. To clean a hacked website, MalCare provides an instant WordPress malware removal service. All you have to do is press a button and wait for the plugin to clean your site in a matter of minutes.

iii. MalCare’s WordPress Protection Measures

All of the precautions covered in this guide – from using a firewall to country blocking to hardening your website – are safeguards that MalCare makes possible with a single click of a button.

How to Use MalCare?

  • You must first download and install the MalCare plugin on your website before using it.
  • Then go to the MalCare dashboard and add your site. The plugin will instantly begin searching your website. It will alert you if it discovers any malicious files on your website.
  • Using MalCare’s Auto-Clean button, you can clean your site right away.

2. Back Up Your Data Regularly

Backups are a safety net for you. If something goes wrong with your website, you can restore it to its previous state if you have a backup.

There are numerous backup plugins available. With so many options, it’s easy to end up with a service that falls short of expectations. You’ll need to know how to pick a backup plugin before you can choose the correct backup service.

Furthermore, checking backup plugins would be time-consuming and costly. Fortunately, we conducted a comparison of the most common WordPress backup plugins on the market. Take a look at the best backup plugins for WordPress.

3. Use a Good Hosting Company

Shared hosting and managed hosting are the two most common hosting options.

Shared hosting is very common because it is less costly. It has allowed millions of people all over the world to start their own website without spending a lot of money. However, with shared hosting you share a server with other, unrelated websites. When one website on the server is hacked, it is common for the others to be hacked as well. So, despite their popularity, shared hosting providers are ill-equipped to deal with such situations.

Always use a dedicated server if you can afford it. It is more effective at keeping a WordPress site safe. You can see how web hosting affects the protection of a website.

We compared the best WordPress hosting providers because there are so many to choose from. Hopefully, it will assist you in deciding which web host provider to use.

4. Keep WordPress Website Up-to-Date

Plugins, themes, and even the WordPress core develop vulnerabilities over time, just like any other program.

When developers become aware of the flaws, they issue a fix in the form of an update. Vulnerabilities persist when website owners fail to update their sites.

After releasing a patch, developers explain why it was released, which means the vulnerability becomes public knowledge. Hackers thereby learn about the security bug and the versions it affects. They know that not every website owner can upgrade right away, so they start searching for sites that are still running the vulnerable version. Because of this window between patch release and update, they have a fair chance of successfully hacking a large number of sites.

For example, according to statistics, over 80% of websites were hacked because they were not updated!

Your WordPress installation must be updated on a regular basis. Learn how to update your WordPress platform in a secure manner.

You may have noticed that some plugins and themes haven’t been updated in a long time. Such software has usually been abandoned by its developers. It’s best to uninstall the plugin or theme from your website and replace it with something else.

5. Use an SSL Certificate

Take a quick look at this website’s URL.

Have you noticed the lock? This lock indicates that the site is secured with an SSL certificate. SSL stands for Secure Sockets Layer; it encrypts data as it travels between the browser and the website.

Why does this matter? Information (such as credit card numbers) sent from a visitor’s browser to your website can be intercepted and stolen. If the data is encrypted, a hacker who intercepts it cannot read it.

6. Protect Your WordPress Login Page

One of the most frequently targeted areas of a WordPress platform is the login page. Hackers attempt to guess the login credentials in order to gain access to the WordPress admin section, where they would have full control over the website. As a result, it’s critical to set up the proper security on your WordPress login page. Let’s take a look at the various methods for securing your login page and increasing WordPress login protection.

i. Use Unique Username

If a hacker can guess your username, he or she only needs to find out your password. That makes a hacker’s job a lot simpler, with one less thing to work out.

The username ‘admin’ is one of the most common WordPress usernames. Until a few years ago, WordPress suggested “admin” as the default username. Although ‘admin’ is no longer auto-suggested by WordPress, it is still commonly used. As a result, you must take steps to ensure that your administrators do not use “admin”, or other widely used usernames, as their username.

Using this list any time a new user account is generated will help to keep your WordPress safe. Furthermore, if any of your current users have common usernames, tell them to update them. Here’s a tutorial on How to Change WordPress Username that they’ll find useful.

ii. Change Your Display Name

Hackers skim through your website looking for display names in order to infiltrate it. They then try to log in using variations of those names. Hackers are well aware that using the same username and display name is not unusual. If Sophia Lawrence is a display name, they might try to log in with the username sophialawrence, sophia.lawrence, or sophia.

You can change your display name to protect your site from this.

Select ‘Edit My Profile’ from the drop-down menu. Then change your ‘Nickname’ and save the change. Next, open the ‘Display Name Publicly As’ drop-down menu; the new nickname appears in the list. Select it and save your changes.

iii. Prevent Username Discovery

Aside from the display name, another way to obtain usernames from your website is the WordPress REST API. This is a major WordPress security weakness. This core WordPress feature, introduced in 2016, lets anyone retrieve details about the users on your blog simply by requesting the users endpoint URL in a browser.

To prevent this, add the following code snippet to your theme’s functions.php file. It hides the user list and returns a 500 error if the URL is requested again.

[php]
add_filter( 'rest_endpoints', function( $endpoints ) {
    // Remove the collection endpoint that lists all users.
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    }
    // Remove the single-user endpoint (/wp/v2/users/<id>).
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );
[/php]

The username is one of the two components of a login credential. Let’s look at the second component – the password – and figure out how to secure it from hackers.

iv. Enforce Strong Passwords

Isn’t any password good enough to secure my website? The answer is no, because hackers are actively attempting to guess WordPress site passwords in order to gain access.

They use a technique known as a brute force attack, in which they program bots to make millions of login attempts in under a minute in order to guess your password.

If you use a simple password like Passw0rd123$, a bot will guess it and crack it in a few seconds. This is why it’s important to use a password that’s both unique and complex.

While WordPress encourages users to use strong passwords that are generated automatically, you can still build an account with a weak password. As a result, the responsibility for creating secure passwords falls on your shoulders.

– Create Long Passwords

Passwords of more than 8-10 characters are generally considered strong and difficult to crack. Each character you add to your password strengthens it. However, password cracking technology has improved considerably in recent years. As a result, several WordPress security experts advise using passwords that are at least 15 characters long.

Long password: pd&&)xG56ZhLNrjl4jjNJ4#h (hard to remember)
Long passphrase: Its wolf was white as you know nothing Snow, John (easy to remember)

– Use a Combination of Uppercase, Lowercase, & Special Characters

In a brute force attack, bots are programmed to run through password-cracking procedures. For example, they will attempt to guess the correct password using combinations of lowercase letters (‘a’, ‘b’, ‘c’, etc.). If the password is a simple lowercase word like “testpass”, they will crack it after just a few attempts.

Hence, if you use a mix of lowercase and uppercase characters, it will take them much longer to find the password. On the other hand, a well-programmed bot can try a few million passwords per second. So a combination of special characters, numbers, and lower- and uppercase letters is what makes the password unpredictable and difficult to crack.

  • Add caps – TestPass
  • Add numeral and symbol – TestPass123$

– Avoid Using Common Words and Publicly Known Details

Words like ‘test’, ‘admin’, and ‘login’ are often used by WordPress users as passwords. Since these are among the passwords that bots try first, don’t use them. According to an infographic by Splashdata, the top 25 most widely used passwords fall into categories such as:

  • Common sports and interests like ‘baseball’, ‘football’, ‘Star Wars’, ‘Princess’, ‘Solo’, etc.
  • Numbers in Order like ‘87654321’, ‘0123456’, etc.
  • Letters in Order like ‘abc123’, etc.

Hackers who are targeting your website can take information from it and test it out. If your website is based on your favourite TV show, Game of Thrones, bots will try variations of the name to break into your account, such as ‘GoThrones123’ or ‘gameofthrones123’. To prevent this, create a password that contains no references to the website.

Password protection reduces the risk of a security breach. Strong passwords, on the other hand, can be difficult to recall unless you have a few tricks up your sleeve.
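The rules above (length, a mix of character classes unless the password is a multi-word passphrase, no common words or sequential runs, nothing tied to the site itself) can be turned into a simple policy check. The following Python is an added, stand-alone illustration, not code from the original post, from WordPress or from MalCare. The common-word list is a constructed sample, the 15-character minimum is taken from the text, and the rule that a passphrase of four or more words may skip the character-class mix is an assumption made for this example. In a WordPress deployment the same logic would sit behind profile-update validation rather than run on its own.

```python
import re

# Rules distilled from the guide. Word lists are constructed samples for the example.
MIN_LENGTH = 15                     # minimum length recommended in the guide
MIN_PASSPHRASE_WORDS = 4            # assumption: this many words counts as a passphrase
COMMON_WORDS = {"test", "admin", "login", "password", "baseball", "football",
                "starwars", "princess", "solo", "qwerty", "letmein"}
SEQUENCES = ("0123456789", "9876543210", "abcdefghijklmnopqrstuvwxyz")


def _normalise(text):
    """Lowercase and strip everything except letters and digits, so 'Star Wars' == 'starwars'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _contains_sequence(password, min_run=4):
    """True if the password contains a run of min_run sequential digits or letters."""
    n = _normalise(password)
    for seq in SEQUENCES:
        for i in range(len(seq) - min_run + 1):
            if seq[i:i + min_run] in n:
                return True
    return False


def _char_classes(password):
    """Count how many of lowercase / uppercase / digit / symbol appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(bool(re.search(p, password)) for p in patterns)


def check_password(password, site_terms=()):
    """Return a list of policy violations; an empty list means the password passes.

    site_terms are words tied to the site (its name, topic, brand) that must not appear.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    normalised = _normalise(password)
    for word in sorted(COMMON_WORDS):
        if word in normalised:
            problems.append(f"contains common word '{word}'")
    for term in site_terms:
        t = _normalise(term)
        if len(t) >= 4 and t in normalised:
            problems.append(f"contains site-related term '{term}'")
    if _contains_sequence(password):
        problems.append("contains a run of sequential characters")

    # A long multi-word passphrase gets its strength from length, so the
    # character-class mix is only required for short, single-token passwords.
    if len(password.split()) < MIN_PASSPHRASE_WORDS and _char_classes(password) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digits, symbols")
    return problems


if __name__ == "__main__":
    for candidate in ("TestPass123$",
                      "pd&&)xG56ZhLNrjl4jjNJ4#h",
                      "Its wolf was white as you know nothing Snow, John",
                      "gameofthrones123"):
        print(repr(candidate), check_password(candidate, site_terms=("Game of Thrones",)) or "OK")
```

The two examples from the text pass: the random 24-character string and the long passphrase both return no violations, while `TestPass123$` fails on length and on the embedded word ‘test’, and `gameofthrones123` fails because it names the site and lacks a character mix.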

v. CAPTCHA-based Protection

Using CAPTCHAs, in addition to using unique usernames and secure passwords, is an excellent way to avoid brute force attacks on your WordPress website.

A CAPTCHA is presented after a certain number of failed login attempts to determine whether the user is a human or a bot. CAPTCHAs are designed so that bots can’t read them. This thwarts brute force attacks, because the bot cannot get past the login page until it solves the CAPTCHA.

MalCare and other WordPress security plugins create image-based CAPTCHAs that can only be solved by a real person.

vi. Implement Two-Factor Authentication

Have you ever noticed how common services like Facebook and Gmail need users to verify their identity when they attempt to log in? A code is sent to the phone number associated with your account, which aids in the verification of the user. Two-factor authentication is what it’s called.

Two-factor authentication is not built into WordPress. You can use this guide on How to Add WordPress Two-Factor Authentication to enable it on your WordPress site.

7. Set Up a Firewall

Some of the hundreds of visitors that come to your website are malicious. Visitors like these come to your site with the aim of discovering flaws that they can manipulate to take control of it.

A WordPress firewall checks every request a visitor makes to your website. Any device a visitor uses – desktop, smartphone, tablet or laptop – has an IP address associated with it. If the request comes from a questionable IP address, the visitor is blocked; otherwise, they can access the site. A good firewall is your first line of defence against malicious traffic.

A WordPress firewall plugin such as MalCare’s includes an advanced firewall that improves security. It monitors and records the traffic requests made to your site, and it keeps a record of every new bad IP address it encounters. If that bad IP tries to reach your site again, it is blocked immediately.

8. Harden Your Website

According to our findings, hackers exploit certain common areas of a WordPress website. For example, they may abuse your security keys to gain access to your website, or install malicious plugins or themes. You must take action to harden your website in order to protect it from hackers.

9. Employ Least Privileged Principles

Administrator, Editor, Author, Contributor, Subscriber, and Super Admin are the six default WordPress user roles. These roles must be assigned with caution, because each role comes with its own set of capabilities. Let’s take a look at what they can do:

The Administrator is at the very top of the organisational chart. He has complete control over the website and is able to perform the following tasks:

  • Create, edit, and delete content.
  • Edit the code of plugins and themes.
  • Manage all plugins and themes.
  • Create, modify, and delete user accounts.

As you move down the hierarchy, the rights diminish. The Editor can’t make major changes to the site, but can manage categories and links, moderate comments, and write, edit, publish and delete posts and pages. The Author, Contributor, and Subscriber roles have progressively fewer permissions.

The Administrator role carries the highest level of responsibility, so its powers should be given only to people you trust not to misuse their authority.

If the wrong people get admin access, they might try to take advantage of it. They may, among other things, install rogue plugins and themes, steal your data and sell it for a profit, and store illegal files and directories.

10. Blocking Suspicious IP Addresses

Examine the log of IP addresses that have attempted to log in unsuccessfully if you have a WordPress security plugin like MalCare installed on your website.

Notice how some of them use popular usernames like “adm2016” (which we discussed in the “Use Unique Username” section). This image shows a history of unsuccessful login attempts on one of our websites.

11. Implement Country Blocking

Hackers have access to websites all over the world thanks to the internet. They may be based in Russia and targeting a New York-based website.

China, the United States, Turkey, Brazil, and Russia are the top five countries where hacking attempts originate, according to statistics.

If you have MalCare enabled, it’s simple to review the users who try to log into your website, including where they came from.

If you already have users in the United States, then login attempts from other countries are almost certainly malicious.

Login attempts were made from four separate nations, as seen in the picture above: the United States, the United Kingdom, Russia, and China.

If you only serve particular countries, such as the United States, you don’t need login traffic from elsewhere, so you can block the United Kingdom, Russia, and China.
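Sections 10 and 11 both come down to reading the login log: counting failures per IP address, noticing probes against well-known usernames like ‘admin’ or ‘adm2016’, and comparing the source countries against the countries you actually serve. The Python below is an added example, not code from the original post, from MalCare or from WordPress. The log lines, their `<timestamp> <ip> <username> <result>` format, and the IP-to-country table are all constructed for the example; a real deployment would read its security plugin’s log and use a GeoIP database instead of the table.

```python
from collections import Counter, defaultdict

# Constructed sample login records ("<timestamp> <ip> <username> <result>").
# The addresses come from documentation ranges; this is not real traffic.
SAMPLE_LOG = """\
2021-03-01T10:00:01 203.0.113.5 admin FAIL
2021-03-01T10:00:02 203.0.113.5 adm2016 FAIL
2021-03-01T10:00:02 203.0.113.5 administrator FAIL
2021-03-01T10:00:03 203.0.113.5 test FAIL
2021-03-01T10:00:03 203.0.113.5 sophia.lawrence FAIL
2021-03-01T10:00:04 203.0.113.5 sophia FAIL
2021-03-01T10:05:00 198.51.100.7 editor_jane OK
2021-03-01T10:06:10 192.0.2.44 admin FAIL
2021-03-01T10:06:11 192.0.2.44 root FAIL
2021-03-01T10:07:00 198.51.100.9 editor_jane FAIL
2021-03-01T10:07:05 198.51.100.9 editor_jane OK
"""

# Constructed IP -> country table standing in for a GeoIP database (assumption).
GEO = {"203.0.113.5": "RU", "192.0.2.44": "CN",
       "198.51.100.7": "US", "198.51.100.9": "US"}

# Usernames that brute-force bots try first; a constructed list for the example.
COMMON_USERNAMES = {"admin", "administrator", "adm2016", "test", "root", "user", "login"}


def parse_log(text):
    """Turn the raw log text into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        records.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return records


def failures_per_ip(records):
    """Count failed logins for each source IP."""
    return Counter(r["ip"] for r in records if not r["ok"])


def suspicious_ips(records, threshold=5):
    """IPs with at least `threshold` failures and no successful login: block candidates.

    An IP that eventually succeeded is left out, since that is usually a real user mistyping.
    """
    fails = failures_per_ip(records)
    succeeded = {r["ip"] for r in records if r["ok"]}
    return sorted(ip for ip, n in fails.items() if n >= threshold and ip not in succeeded)


def common_username_probes(records):
    """Failed attempts against well-known usernames, grouped by IP (a brute-force signature)."""
    probes = defaultdict(list)
    for r in records:
        if not r["ok"] and r["user"].lower() in COMMON_USERNAMES:
            probes[r["ip"]].append(r["user"])
    return dict(probes)


def outside_allowed_countries(records, allowed, geo=GEO):
    """(country, ip) pairs for attempts from countries you do not serve: country-blocking candidates."""
    pairs = {(geo.get(r["ip"], "??"), r["ip"]) for r in records
             if geo.get(r["ip"], "??") not in allowed}
    return sorted(pairs)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failures per IP:", dict(failures_per_ip(recs)))
    print("block candidates:", suspicious_ips(recs))
    print("common-username probes:", common_username_probes(recs))
    print("outside allowed countries:", outside_allowed_countries(recs, {"US"}))
```

On the sample data, 203.0.113.5 racks up six failures against a mix of common usernames and display-name variants (the ‘sophia’ guesses from section 6) and never succeeds, so it is the one block candidate at the default threshold; lowering the threshold to two also catches 192.0.2.44, while the US editor who mistyped once and then logged in is left alone. The country check lists the same two addresses as coming from outside the allowed set.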

12. Hide WordPress Version

A hacker can also look up the WordPress version you’re running and check it against known WordPress vulnerabilities. Website operators often overlook new WordPress updates, leaving their sites vulnerable.

Hackers can take advantage of any flaw in the previous version of the core WordPress installation. As a result, hiding the WordPress version you’re using might be beneficial.

To do so, add a few lines of code to your theme’s functions.php file.

Step 1: Log in to your hosting account. Open cPanel > File Manager > public_html.

Step 2: In the public_html folder, go to wp-content > themes and open your active theme’s folder.

For example, if you’re using the Twenty Nineteen default WordPress theme, choose the “twentynineteen” folder.

Note that we are currently using the ‘personalblogily’ theme on our websites; you might be using a different theme.

Step 3: Right-click the functions.php file and select Edit. Add the following code there.

[php]
function wpbeginner_remove_version() {
    // Return an empty string so the generator tag carries no version number.
    return '';
}
add_filter( 'the_generator', 'wpbeginner_remove_version' );
[/php]

Save the file. This stops the WordPress version number from being displayed anywhere on your site.

13. Check Activity Log

Keeping a close eye on everything that happens on your WordPress website helps you spot suspicious activity early. This lets you stop potential malicious hack attempts before they damage your WordPress website.

One way to do this is to install a plugin that records everything that happens on your WordPress website in an activity log. There are a number of such plugins to choose from; one of them is WP Security Audit Log.

14. Login with just your email address

You can log in to WordPress using either your username or your email address. Disabling username logins on your website therefore removes one avenue for brute force attacks.

No Login by Email Address is a plugin that prevents users from using usernames to log into your website.

15. Use HTTP Authentication

HTTP authentication adds another layer of security in front of the WordPress login page and is a valuable step toward WordPress security. Users must enter the HTTP credentials before they can even reach your site’s login page.

HTTP Auth, for example, is a plugin that helps you set up this protective layer over your login page. Remember to give your users the HTTP authentication credentials; otherwise, they will be locked out and unable to access your website.

Common But Obsolete WordPress Security Measures

Site owners receive a lot of advice in the world of WordPress security. However, some of this guidance is ineffective. We’ll go through some of the most popular security advice that has significant drawbacks. These safeguards don’t really protect the website, because hackers have figured out how to get around them.

  • Hide the login page for WordPress
  • Passwords should be set to expire after a certain amount of time, and auto-logout should be activated when there is no activity.

1. Hide WordPress Login Page

Individual websites are seldom targeted by hackers directly; instead, automated bots are programmed to target WordPress login pages. As anyone who has used WordPress for a while knows, WordPress websites come with a default login page URL that looks like this: ‘’.

This makes the automated bots’ job even simpler. As a result, changing your website’s login page to something like “” can help deflect an assault.

There are several plugins that can help you hide your WordPress login page, such as WPS Hide Login, Hide WP-Admin, and so on.

Drawback: While this can deter automated hacking attempts, it does not ensure that your website is safe. Plugins such as WPS Hide Login have a default login URL of their own, so hundreds of thousands of websites that use the tool share the same login page URL. Hackers can easily work out the URL format and direct their attacks at it.

Furthermore, if the login page is hidden without properly informing all users, it can be very inconvenient. It might even cost you a day’s worth of work.

2. Set Passwords to Expire

You may have noticed that certain e-banking services require you to change your password after a certain amount of time has passed. This security feature ensures that if your account is compromised, the hacker has only a short window of opportunity to exploit it. Applying the same safeguard to your WordPress sites mitigates the risk.

You may set user passwords to expire after a certain number of days with the Expire Passwords plugin. Users are required to change their passwords.

Drawback: While this measure provides some protection, hackers still find a way to get around it. When they hack your site, they can, for example, build new user accounts or add secret backdoors. So, even though you change your password often, they’ve already set up other access points.

3. Auto-Logout When There’s No Activity

Abuse of user rights is more likely on websites with many users. The risk is also higher for people who work from home. A user may need to leave their desk to attend to urgent business and forget to log out.

What if the website were abused during this time? To reduce the risk of misuse, you can set up your WordPress website to automatically log out users who have been inactive for a while.

The Inactive Logout plugin provides an idle session logout. It lets you specify a period of inactivity, such as 10 or 20 minutes, after which the user is automatically logged out.

Drawback: If anyone tries to snoop around on your site, they’ll probably do so right after the user leaves the desk. In that situation, signing out inactive users would not prevent the misuse.

Last Thoughts

We understand that was a lengthy and somewhat daunting read. But, before you go off and take a nap, consider the following:

  • Make a note of this article.
  • Share it with your colleagues, neighbours, and anyone else you think will benefit from our advice.
  • From our WordPress blog, you can find more guides like Secure Your WordPress Site With wp-config.php.

We sincerely hope you found this article beneficial. Finally, since implementing all of these security measures can be daunting, we recommend conducting regular WordPress security audits and using a premium WordPress security plugin like MalCare to manage security for you.

You’ll have access to useful security features like a firewall, routine malware scans, WordPress hardening, and much more with MalCare. You will relax knowing that the protection of your website is taken care of.