WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.
If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.
While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to keep your site secure.
At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security (even if you’re not tech savvy).
We have a number of actionable steps that you can take to protect your website against security vulnerabilities.
To make it easy, we have created a table of content to help you easily navigate through our ultimate WordPress security guide.
Table of Contents
Basics of WordPress Security
- Why WordPress Security is Important?
- Keeping WordPress Updated
- Passwords and User Permissions
- The Role of Web Hosting
WordPress Security in Easy Steps (No Coding)
- Install a WordPress Backup Solution
- Best WordPress Security Plugin
- Enable Web Application Firewall (WAF)
- Move WordPress Site to SSL/HTTPS
WordPress Security for DIY Users
- Change the Default “admin” username
- Disable File Editing
- Disable PHP File Execution
- Limit Login Attempts
- Add Two Factor Authentication
- Change WordPress Database Prefix
- Password Protect WP-Admin and Login
- Disable Directory Indexing and Browsing
- Disable XML-RPC in WordPress
- Automatically log out Idle Users
- Add Security Questions to WordPress Login
- Scanning WordPress for Malware and Vulnerabilies
- Fixing a Hacked WordPress Site
Ready? Let’s get started.
Why Website Security is Important?
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.
Worst, you may find yourself paying ransomware to hackers just to regain access to your website.
In March 2016, Google reported that more than 50 million website users have been warned about a website they’re visiting may contain malware or steal information.
Furthermore, Google blacklists around 20,000 websites for malware and around 50,000 for phishing each week.
If your website is a business, then you need to pay extra attention to your WordPress security.
Similar to how it’s the business owners responsibility to protect their physical store building, as an online business owner it is your responsibility to protect your business website.
Keeping WordPress Updated
WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers which regularly release updates as well.
These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.
Strong Passwords and User Permissions
The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your custom email addresses which use your site’s domain name.
Many beginners don’t like using strong passwords because they’re hard to remember. The good thing is that you don’t need to remember passwords anymore. You can use a password manager. See our guide on how to manage WordPress passwords.
Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.
The Role of WordPress Hosting
Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like Hostinger, Bluehost or Siteground take the extra measures to protect their servers against common threats.
Here is how a good web hosting company works in the background to protect your websites and data.
- They continuously monitor their network for suspicious activity.
- All good hosting companies have tools in place to prevent large scale DDOS attacks
- They keep their server software, php versions, and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version.
- They have ready to deploy disaster recovery and accidents plans which allows them to protect your data in case of major accident.
On a shared hosting plan, you share the server resources with many other customers. This opens the risk of cross-site contamination where a hacker can use a neighboring site to attack your website.
Using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website
We recommend WPEngine as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry. (See our special WPEngine coupon).
WordPress Security in Easy Steps (No Coding)
We know that improving WordPress security can be a terrifying thought for beginners. Especially if you’re not techy. Guess what – you’re not alone.
We have helped thousands of WordPress users in hardening their WordPress security.
We will show you how you can improve your WordPress security with just a few clicks (no coding required).
If you can point-and-click, you can do this!
Install a WordPress Backup Solution
Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.
Backups allow you to quickly restore your WordPress site in case something bad was to happen.
There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).
We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.
Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.
Thankfully this can be easily done by using plugins like Duplicator, UpdraftPlus or BlogVault. They are both reliable and most importantly easy to use (no coding needed).
Best WordPress Security Plugin
After backups, the next thing we need to do is setup an auditing and monitoring system that keeps track of everything that happens on your website.
This includes file integrity monitoring, failed login attempts, malware scanning, etc.
Thankfully, this can be all taken care by the best free WordPress security plugin, Sucuri Scanner.
You need to install and activate the free Sucuri Security plugin. For more details, please see our step by step guide on how to install a WordPress plugin.
Upon activation, you need to go to the Sucuri menu in your WordPress admin. The first thing you will be asked to do is Generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.
The next thing, you need to do is click on the ‘Hardening’ tab from the settings menu. Go through every option and click on the “Apply Hardening” button.
These options help you lock down the key areas that hackers often use in their attacks. The only hardening option that’s a paid upgrade is the Web Application Firewall which we will explain in the next step, so skip it for now.
We have also covered a lot of these “Hardening” options later in this article for those who want to do it without using a plugin or the ones that require additional steps such as “Database Prefix change” or “Changing the Admin Username”.
After the hardening part, the default plugin settings are good enough for most websites and don’t need any changes. The only thing we recommend customizing is ‘Email Alerts’.
The default alert settings can clutter your inbox with emails. We recommend receiving alerts for key actions like changes in plugins, new user registration, etc. You can configure the alerts by going to Sucuri Settings » Alerts.
This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as Malware scanning, Audit logs, Failed Login Attempt tracking, etc.
Enable Web Application Firewall (WAF)
The easiest way to protect your site and be confident about your WordPress security is by using a web application firewall (WAF).
A website firewall blocks all malicious traffic before it even reaches your website.
DNS Level Website Firewall – These firewall route your website traffic through their cloud proxy servers. This allows them to only send genuine traffic to your web server.
Application Level Firewall – These firewall plugins examine the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as the DNS level firewall in reducing the server load.
To learn more, see our list of the best WordPress firewall plugins.
We use and recommend Sucuri as the best web-application firewall for WordPress. You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.
The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. Basically if you were to be hacked under their watch, they guarantee that they will fix your website (no matter how many pages you have).
This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge $250 per hour. Whereas you can get the entire Sucuri security stack for $199 per year.
Improve your WordPress Security with the Sucuri Firewall »
Sucuri is not the only DNS level firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs Cloudflare (Pros and Cons).
Move Your WordPress Site to SSL/HTTPS
SSL (Secure Sockets Layer) is a protocol which encrypts data transfer between your website and users browser. This encryption makes it harder for someone to sniff around and steal information.
Once you enable SSL, your website will use HTTPS instead of HTTP, you will also see a padlock sign next to your website address in the browser.
SSL certificates were typically issued by certificate authorities, and their prices start from $80 to hundreds of dollars each year. Due to added cost, most website owners opted to keep using the insecure protocol.
To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.
Now, it is easier than ever to start using SSL for all your WordPress websites. Many hosting companies are now offering a free SSL certificate for your WordPress website.
If your hosting company does not offer one, then you can purchase one from Domain.com. They have the best and most reliable SSL deal in the market. It comes with a $10,000 security warranty and a TrustLogo security seal.
WordPress Security for DIY Users
If you do everything that we have mentioned thus far, then you’re in a pretty good shape.
But as always, there’s more that you can do to harden your WordPress security.
Some of these steps may require coding knowledge.
Change the Default “admin” username
In the old days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it easier for hackers to do brute-force attacks.
Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.
However, some 1-click WordPress installers, still set the default admin username to “admin”. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.
Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.
- Create a new admin username and delete the old one.
- Use the Username Changer plugin
- Update username from phpMyAdmin
We have covered all three of these in our detailed guide on how to properly change your WordPress username (step by step).
Note: We’re talking about the username called “admin”, not the administrator role.
Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
You can easily do this by adding the following code in your wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.
Disable PHP File Execution in Certain WordPress Directories
Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed such as /wp-content/uploads/.
You can do this by opening a text editor like Notepad and paste this code:
<Files *.php>
deny from all
</Files>
Next, you need to save this file as .htaccess and upload it to /wp-content/uploads/ folders on your website using an FTP client.
For more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories
Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.
Limit Login Attempts
By default, WordPress allows users to try to login as many time as they want. This leaves your WordPress site vulnerable to brute force attacks. Hackers try to crack passwords by trying to login with different combinations.
This can be easily fixed by limiting the failed login attempts a user can make. If you’re using the web application firewall mentioned earlier, then this is automatically taken care of.
However, if you don’t have the firewall setup, then proceed with the steps below.
First, you need to install and activate the Login LockDown plugin. For more details, see our step by step guide on how to install a WordPress plugin.
Upon activation, visit Settings » Login LockDown page to setup the plugin.
For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.
Add Two Factor Authentication
Two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.
Most top online websites like Google, Facebook, Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.
First, you need to install and activate the Two Factor Authentication plugin. Upon activation, you need to click on the ‘Two Factor Auth’ link in WordPress admin sidebar.
Next, you need to install and open an authenticator app on your phone. There are several of them available like Google Authenticator, Authy, and LastPass Authenticator.
We recommend using LastPass Authenticator or Authy because they both allow you to back up your accounts to the cloud. This is very useful in case your phone is lost, reset, or you buy a new phone. All your account logins will be easily restored.
We will be using the LastPass Authenticator for the tutorial. However, instructions are similar for all auth apps. Open your authenticator app, and then click on the Add button.
You will be asked if you’d like to scan a site manually or scan the bar code. Select the scan bar code option and then point your phone’s camera on the QRcode shown on the plugin’s settings page.
That’s all, your authentication app will now save it. Next time you log in to your website, you will be asked for the two-factor auth code after you enter your password.
Simply open the authenticator app on your phone and enter the code you see on it.
Change WordPress Database Prefix
By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.
You can change your database prefix by following our step by step tutorial on how to change WordPress database prefix to improve security.
Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills.
Password Protect WordPress Admin and Login Page
Normally, hackers can request your wp-admin folder and login page without any restriction. This allows them to try their hacking tricks or run DDoS attacks.
You can add additional password protection on a server-side level, which will effectively block those requests.
Follow our step-by-step instructions on how to password protect your WordPress admin (wp-admin) directory.
Disable Directory Indexing and Browsing
Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.
Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.
You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see .htaccess file in WordPress.
After that, you need to add the following line at the end of the .htaccess file:
Options -Indexes
Don’t forget to save and upload .htaccess file back to your site. For more on this topic, see our article on how to disable directory browsing in WordPress.
Disable XML-RPC in WordPress
XML-RPC was enabled by default in WordPress 3.5 because it helps connecting your WordPress site with web and mobile apps.
Because of its powerful nature, XML-RPC can significantly amplify the brute-force attacks.
For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.
But with XML-RPC, a hacker can use the system.multicall function to try thousands of password with say 20 or 50 requests.
This is why if you’re not using XML-RPC, then we recommend that you disable it.
There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step by step tutorial on how to disable XML-RPC in WordPress.
Tip: The .htaccess method is the best one because it’s the least resource intensive.
If you’re using the web-application firewall mentioned earlier, then this can be taken care of by the firewall.
Automatically log out Idle Users in WordPress
Logged in users can sometimes wander away from screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.
This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.
You will need to install and activate the Inactive Logout plugin. Upon activation, visit Settings » Inactive Logout page to configure plugin settings.
Simply set the time duration and add a logout message. Don’t forget to click on the save changes button to store your settings.
Add Security Questions to WordPress Login Screen
Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.
You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.
For more detailed instructions, see our tutorial on how to add security questions to WordPress login screen.
Scanning WordPress for Malware and Vulnerabilies
If you have a WordPress security plugin installed, then those plugins will routinely check for malware and signs of security breaches.
However, if you see a sudden drop in website traffic or search rankings, then you may want to manually run a scan. You can use your WordPress security plugin, or use one of these malware and security scanners.
Running these online scans is quite straight forward, you just enter your website URLs and their crawlers go through your website to look for known malware and malicious code.
Now keep in mind that most WordPress security scanners can just scan your website. They cannot remove the malware or clean a hacked WordPress site.
This brings us to the next section, cleaning up malware and hacked WordPress sites.
Fixing a Hacked WordPress Site
Many WordPress users don’t realize the importance of backups and website security until their website is hacked.
Cleaning up a WordPress site can be very difficult and time consuming. Our first advice would be to let a professional take care of it.
Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.
Allowing a professional security company like Sucuri to fix your website will ensure that your site is safe to use again. It will also protect you against any future attacks.
For the adventurous and DIY users, we have compiled a step by step guide on fixing a hacked WordPress site.
Bonus Tip: Identity Theft & Network Protection
As small business owners, it’s critical that we protect our digital and financial identity because failure to do so can lead to significant losses. Hackers and criminals can use your identity to steal your website domain name, hack your bank accounts, and even commit crime that you can be liable for.
There were 4.7 million identity theft and credit card fraud incidents reported to the Federal Trade Commission (FTC) in 2020.
This is why we recommend using an identity theft protection service like Aura (we’re using Aura ourselves).
They offer device & wifi network protection through their free VPN (virtual private network) which secures your internet connection with military-grade encryption wherever you are. This is great for when you’re traveling or connecting to your WordPress admin from a public place like Starbucks, so you can work online safely and privately.
Their dark web monitoring service constantly monitors the dark web using artificial intelligence and alert you if your passwords, social security number, and bank accounts have been compromised.
This allows you to act faster and better protect your digital identity.
That’s all, we hope this article helped you learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.
You may also want to see our ultimate WordPress SEO guide to improve your SEO rankings, and our expert tips on how to speed up WordPress.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Syed Balkhi says
Hey WPBeginner readers,
Did you know you can win exciting prizes by commenting on WPBeginner?
Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
You can get more details about the contest from here.
Start sharing your thoughts below to stand a chance to win!
Leanne says
This is one of the best tutorial sites (on any subject matter) I have found. Thank you I will refer wpbeginner to others – awesome site!
WPBeginner Support says
You’re welcome and glad you’ve found our content helpful
Admin
Daniel says
You know there are guys charging more than $50 or $100 dollars to teach you how to do all of this, and you gave it for free! Thanks heaps guys!
WPBeginner Support says
You’re welcome
Admin
Power says
Thanks for the article, its really useful
WPBeginner Support says
You’re welcome
Admin
Mydas says
This was super-useful. I have the coding skills to implement all of it, and now I can take much better care of my and my clients’ WordPress installations. Thank you for the info, it’s so complete that I can’t believe it’s free xD
WPBeginner Support says
You’re welcome, glad our guide was helpful
Admin
Splendor Edesiri says
Please do I need a VPN to access my WordPress site from the backend as part of my WordPress site security.
WPBeginner Support says
No, that is not required
Admin
Kam says
Thank you for this article. It is essential reading!
If you have a host like Bluehost, is it essential to have backup with a plugin such as Updraft plus + remote storage? After all, hosting providers should be providing backup?
WPBeginner Support says
While some hosts offer backups, we still recommend creating your own backups for safety
Admin
Kyle B. says
Changing the database prefix won’t make any difference. Other than that, not a bad article.
WPBeginner Support says
Thanks for sharing your opinion and glad you liked our article
Admin
kalmoa says
just an FYI, with Nginx there is no directory-level configuration file like Apache’s .htaccess. All configuration has to be done at the server level by an administrator, and WordPress cannot modify the configuration, like it can with Apache. So the part about ‘Disable PHP File Execution’, cannot be completed by wordpress installs running on Nginx. That includes myself, who is running my wordpress install on Vultr. Their one-click wordpress install gets deployed on Nginx (ubuntu 18.04)
WPBeginner Support says
Thank you for sharing this for the users who specifically are using Nginx for their site.
Admin
Tom says
What is the best method to update plugins if I have several that need updating? Update one at a time and see if the updated plugin breaks any of the functionality on the website?
WPBeginner Support says
If you are concerned an update would break your site, we would recommend testing the update by following our guide on how to create a staging environment below:
https://www.wpbeginner.com/wp-tutorials/how-to-create-staging-environment-for-a-wordpress-site/
Admin
Kartik Satija says
Amazing article, very well articulated and documented.
Thank you all so much for this.
More power to you guys, keep up the good work.
Cheers,
Kartik.
WPBeginner Support says
Glad you found our guide helpful
Admin
MIMIFTAH says
Very Informative content. Thanks
WPBeginner Support says
You’re welcome
Admin
Liz says
Great article. I have a question about the hardening options. I read that enabling hardening on all options can cause some plugins or the theme to break/not work properly. If this happens, how difficult is it to fix? It seems like there’s more to it than just reverting the hardening option. Any insight you could offer would be greatly appreciated. Thanks!
WPBeginner Support says
It would depend on the specific hardening recommendation, plugin, and error message for the difficulty should an error appear. Otherwise, most plugins shouldn’t have an issue
Admin
Gary Starling says
Very helpful suggestions and well explained from the basic to the complex
Thank you four your explanations
WPBeginner Support says
You’re welcome, glad our article could be helpful
Admin
Andrei says
Hi guys,
After the first user enumeration, brute force a security plugin will block that IP address.
If you password protect the wp-admin directory the plugin can no longer block that IP.
Is that a correct assessment?
WPBeginner Support says
Correct, there would be a similar load to a blocked IP but if you need many new users to access your site then limiting login attempts would be better than password protecting your wp-admin
Admin
Andrei says
Ok, I finally understood how this works and sharing here for everyone. Password protecting wp-admin is done at the server (Apache/Nginx) level. If a user enumeration, brute force is unable to bypass the server level, it would not be able to touch PHP/MySQL. Thus, password protecting wp-admin does not put additional load on the database.
Peter says
Very informative and helpful, I have configured all the hardening procedure you mentioned, Thanks a lot.
WPBeginner Support says
You’re welcome, glad our guide was helpful
Admin
Aqib khan says
i will always follow you.i will always love you and always share such a fresh and cool content to make us smile.Thank You.
WPBeginner Support says
Thank you, glad you’ve enjoyed our content
Admin
mahmoud says
I love this site. you’re offering precious information.
I’m a beginner and this is helpful.
but can I only have a strong password and disable indexing to do the matter?
what about all these plugins I think they will affect the site speed or this not installed on the site?
WPBeginner Support says
For your concern with plugins slowing down your site, you shouldn’t need to worry, we explain our reasoning behind this here: https://www.wpbeginner.com/opinion/how-many-wordpress-plugins-should-you-install-on-your-site/
Admin
Krishna says
Hi WP Beginner Team,
Thanks for such a brief explanation of WordPress security. This article was very useful and let know the value of wp security for the users and website owner.
THANKS AGAIN…
WPBeginner Support says
You’re welcome, glad our article was helpful
Admin
Kushal says
I used all plugin that you mentioned sucuri, itheams, wp serber and jetpack. How many plugin can I use on my website.
WPBeginner Support says
We would recommend sticking with only one plugin for a specific feature but for in general how many plugins to use you would want to take a look at our article here: https://www.wpbeginner.com/opinion/how-many-wordpress-plugins-should-you-install-on-your-site/
Admin
Leighann says
This was SO helpful. Thanks for the information and saving me so much time!
WPBeginner Support says
You’re welcome, glad our guide could be helpful
Admin
Dietrich says
Hi
Is it okay to use Sucuri and Wordfence at the same time? I installed Wordfence since Sucuri’s free version doesn’t have a firewall feature.
WPBeginner Support says
We would not recommend using both, multiple security tools can conflict with each other and cause issues with your site.
Admin
Yiannis Christodoulou says
Very helpful article.
Thank you for sharing.
WPBeginner Support says
You’re welcome, glad our article could help
Admin
Steve Schultz says
Your free Sucuri Security plugin link is broken … 404 error.
WPBeginner Support says
Thanks for letting us know, the link should be fixed
Admin
Monty parihar says
Now my website is secured, after read your post immidiatly we install security plugin. Thank u WP Beginner.
WPBeginner Support says
You’re welcome
Admin
Melvin Adame says
Amazing read! Security should always be the #1 priority for any website owner, for their sake and their visitors.
WPBeginner Support says
Thank you, glad you like our content
Admin
Adil says
Thanks for all this info!
WPBeginner Support says
You’re welcome
Admin
Mark Bunner says
Some good tips here. I have already used a lot of them; but it gives a few other areas to think about.
WPBeginner Support says
Thank you, glad you like our recommendations
Admin
Chukwuemeka Ebuka says
Am very grateful for this article, all thanks to wpbeginner.com.
WPBeginner Support says
You’re welcome, glad our article could be helpful
Admin
Heidi says
Great article, thanks! I think I’ve done most of these things now (except ones requiring coding). I did however have a problem setting a password for the admin folder. While I worked out how to do this in cPanel (under ‘directory privacy’), when I went back to my dashboard I found I was locked out. Then I spent over an hour on chat support with Bluehost only to discover what I suspected – that when you log in to WP from Bluehost it takes you straight to the admin area, so there is no opportunity to login to the admin folder, which means you just get locked out. Guess this is a problem with Bluehost and the only solution they gave me was install a plugin
WPBeginner Support says
If you’re using their link from the hosting dashboard to log into your site that may be true but if you add /wp-admin to your domain then it should take you to the login page which will bring up the additional login requirement
Admin
Heidi says
Ok great thanks, I’ll try that.
Julian Song says
Awesome article on security. Setup WordPress is easy, but to managed it need lots of study & research. Your blog helps the community more than you can imagine. I even share your blog on the recent WordPress meet-up as one of the best guidelines.
WPBeginner Support says
Thank you for your kind words and sharing our articles
Admin
Malith says
Thank you very much!
WPBeginner Support says
You’re welcome, glad our guide could be helpful
Admin
Shiva Prasad says
Thanks for being a good mentor and for guiding me on the right path. I will always be thankful to you.
WPBeginner Support says
Glad our guides could help you
Admin
Majid says
Hi,
I am new to wordpress, I am using bluehost to host my website, when I cliked on the wordpress button, it automatically took me to cPanel, without asking any password, which passwords are we talking about?
P.S at the right top corner I could see Howdy, my name…does that mean is that my username?
I do’t remember installing wordpress on bluehost, neither did I enter any username or password separately for wordpress.
Please help.
WPBeginner Support says
That is BlueHost’s tool to make setting up your WordPress site easier, our article is talking about the password for your WordPress site. You can change your password for your site under Users>Your Profile. The name next to Howdy should be your username.
Admin
Terence Vickers says
You may have a typo in the XML-RPC section which is a bit confusing.
Presently reads: “This is why if you’re not using XML-RPC, then we recommend that you disable it.”
If I’m not using i There would likely be no way to disable it.
WPBeginner Support says
Apologies for any confusion, with that statement we mean if you’re not using it for a specific plugin or other need then we would recommend disabling it rather than meaning if it is disabled to disable it. We’ll look into clarifying that
Admin
Syed Gallani says
I understand keeping wordpress updated is essential for security, but is it really necessary ,from security point of view, to update all the plugins. How outdated plugins can make your website more prone to being hacked?
WPBeginner Support says
It would depend on the plugin for how it could make your site vulnerable but some plugins may have code that could be out of date for a newly discovered issue with a piece of code.
Admin
David Anozie says
A big thank you! Your the boss.
WPBeginner Support says
Thank you for being one of our readers
Admin
Nick says
Would blocking Search Engine Spiders (via robots.txt) from Indexing directories help with security?
WPBeginner Support says
No, it would only mean those search crawlers would not look at your site.
Admin
寒星 says
It’s turely helpful to maintaining WP. I love it and thank you so much.
WPBeginner Support says
You’re welcome, glad our article was helpful
Admin
peg says
i’m learning the hard way! : ) i’m so glad to have found you. i have a hacked 5-year old site hosted on godaddy (can’t get into the admin at all) … they want $300 to fix it, so i’m rebuilding on bluehost and implementing your security suggestions. looking forward to learning much more! thank you so much for this resource.
WPBeginner Support says
You’re welcome, glad our guide can help
Admin
Jeff Moyer says
Great comprehensive list thank you! Limiting the amount of login attempts I find is a big one since it will discourage a lot of hackers right from the get go. It might be frustrating if you lost or forget your passwords but still well worth it.
WPBeginner Support says
You’re welcome, glad you liked our article
Admin
Tanmay Kapse says
An awesomely detailed post!! each and every thing is described perfectly. Keep up the good work
WPBeginner Support says
Thank you, glad you liked our content
Admin
Sunny Chawla says
Much obliged to you for supportive page improve my site
WPBeginner Support says
Glad our guide could be helpful
Admin
Santhosh Naikar says
What are things I need to worry when it is hosted on a internal network[Has access to only systems with in our office network]?
WPBeginner Support says
Your main concern for an intranet would be to ensure each user has the correct privileges for their role, after that it would be protecting yourself from brute force attacks and similar.
Admin
steven suslick says
I find this and many of the posts very helpful. I have a hack related question. Google analytics is reporting strange pages that do not actually existing in my posts. The all seem to have a /?s= for example /?s=dox. I can not seem to locate source any suggestions?
WPBeginner Support says
Those pages are from users using the search on your site, for the second someone searched for the word dox
Admin
Emmanuel Ikechukwu says
This is the best wordpress online tutor i have come across so far.
WPBeginner Support says
Glad our articles are helpful
Admin
Bobbie Camp says
Found this article to be very helpful. I am very new and not “techy” and need all the assistance I can get. Appreciate your easy to read instructions.
WPBeginner Support says
Glad our articles could help
Admin
Jemes says
It is very helpful. Thanks
WPBeginner Support says
You’re welcome
Admin
NICHOLAS AMOL GOMES says
Thank you for helpful page improve my site
WPBeginner Support says
You’re welcome
Admin
Brad Vincent says
Hey guys,
I must agree with your mentions of Sucuri – they have sorted out a couple of hacked sites of mine over the years. Worth every penny!
I am really loving these extended posts with all the info I need. I have been following your website speed post and that has made a big difference to my sites. After I have finished with that I will be following this one for sure.
Awesome work and much appreciated.
WPBeginner Support says
Thank you, glad you find our articles helpful
Admin
Brian says
What are your thoughts on Wordfence and Sucuri on the same WP installation? They seem to have some similar functionality so was wondering how much more I get with both versus just one security tool. Is Wordfence a reasonable alternative?
WPBeginner Support says
We would recommend only one at a time to prevent conflicts between the plugins.
Admin
Mark says
I use Wordfence and Sucuri for different functions. While they may at first appear to be competitors, they are actually complementary. I’ve had no issues running both … so far … but of course there are incompatibilities among plugins in general.