Forbes reported a staggering 30,000 website hacks in the world every day in 2013. And as the number of websites has grown, we imagine this figure has continued to skyrocket since then, placing cybersecurity center stage for businesses worldwide. With this in mind, we'll share 10 ways to secure a WordPress site from hackers.
WordPress is the most popular content management system (CMS for brevity) globally with a market share of 40.5%, according to data from W3Techs. It’s an open-source CMS that’s user-friendly, SEO-friendly, and highly customizable. WordPress predicts that its growth will continue considering that millions of websites are created on the platform every single day and the platform supports 120 languages.
WordPress is the go-to platform for many big names across most industries. For example, heavyweights’ websites such as TED, NBC, CNN, UPS, Tech Crunch, and Best Buy call it home.
When millions of websites are hosted on the platform, security becomes a concern. Although WordPress has tough security features built into its platform, the websites hosted on WordPress are often hacked due to the lack of sufficient security measures, human error, and persistent trials by the bad guys.
If you own or operate a WordPress website, then there are certain steps you can take to prevent any attack on your site. Contrary to popular belief, you don’t have to be a tech-savvy person to know how to secure your WordPress site from hackers.
In this article, we’ll share 10 ways you can secure your WordPress site. We’ll then also talk about the types of impacts someone hacking your website can have on your business.
10 Ways to Make Your Website a Secure WordPress Site
Cybint Solutions reports that 95% of cybersecurity breaches are due to human error. But this startling number has a silver lining: it means that we, as humans on the victim side of cyberattacks, play an important role in data breaches. We can either:
- Contribute to preventing breaches — We can do this by following security protocols, becoming more cyber-aware through training (which teaches us how to deal with situations with precautionary measures), and by implementing processes, policies, and technologies that improve our WordPress website security.
- Contribute to the problem by enabling breaches to occur — We can do this by:
- neglecting to follow industry best practices,
- not educating ourselves about how to recognize and respond to attacks, and
- ignoring or not following the website security processes, policies, and tools that help to prevent attacks.
Of course, the first option is the one everyone should aim for. Unfortunately, though, many people unintentionally fall within category #2. Here are some of the ways you can improve WordPress website security.
#1. Invest In Your WordPress Website Security
A good investment in the security of your website will lead to a strong security backbone for the future. There are many possible areas from which an attacker can penetrate your site’s security defenses. This includes the servers of various service providers for your website.
Choose a Secure WordPress Hosting Service
Choosing a secure hosting service for your WordPress site is the first — and perhaps the most crucial — decision you can make. If someone breaches your web host’s servers, you’re going to be in trouble. Hence, before deciding on the web host, you should learn what security measures and processes they have in place to secure your data.
Some hosting providers will offer you services at a discounted price, but they can cost you in the end through poor website security. Well-known web hosts generally provide better security, and some also offer backup and restore facilities for the unlikely event of a breach.
Invest in a Website Security Certificate (SSL/TLS Certificate)
The next thing to invest in is an SSL/TLS certificate for your WordPress website. An SSL certificate (or, more accurately, a TLS certificate) lets your server prove its identity to visitors and encrypts the traffic between server and client with the TLS protocol. Only the two endpoints can read the data while it is in transit; anyone who intercepts it sees ciphertext, because they do not hold the session keys.
By installing the certificate you can move your website from HTTP to HTTPS. Browsers verify the certificate before establishing the connection, so visitors' web clients can trust that they are talking to your server and not to someone in the middle. Once the certificate is in place, set both site URLs under Settings > General to https:// and define FORCE_SSL_ADMIN as true in wp-config.php so that logins and the dashboard are never sent over plain HTTP.
Because the https:// prefix and the padlock are visible to everyone, every visitor can tell at a glance that the connection is encrypted. Keep in mind what that does and does not mean: HTTPS protects data in transit, but it says nothing about whether the server behind it has been compromised. Every remaining tip on this list is about that server.
Invest in a Secure Wi-Fi Provider
The third investment is a secure Wi-Fi setup. A compromised router puts every device behind it within the attacker's reach, including the workstations you administer the site from. Use the strongest encryption your equipment supports (WPA3, or WPA2 with a long passphrase), change the router's default administrator password, and keep its firmware up to date. Discourage your employees from using open networks; the so-called free Wi-Fi can carry a heavy price. Where staff must work from public networks, a VPN back to the office limits the exposure.
#2. Close the Back Door to Your WordPress Website
You already know how to enter your website through the front door (i.e., your dashboard) by logging in with your username and password. But did you know that there are back doors to your website that can help a hacker break in?
Don’t Use Common File Paths for Critical Pages (Such as Your Website Login Page)
The default login URLs, /wp-login.php and /wp-admin, tell every scanner exactly where to find your login form, which an attacker can then hammer with brute-force attempts. Changing the login URL (there are WordPress plugins that do it in seconds) takes your site off the radar of the automated scripts that hardcode those paths. Treat it as obscurity rather than protection: the new path leaks as soon as any protected page redirects an unauthenticated visitor to it, and xmlrpc.php accepts a username and password too, so brute-force tools simply move there. Disable XML-RPC if nothing you use needs it (the xmlrpc_enabled filter turns it off), and pair the renamed login page with the attempt limits and multi-factor authentication described next.
Set the Maximum Number of WordPress Login Attempts
A login-limiting plugin counts failed attempts per source IP address (and usually per username as well). Once a threshold is crossed, it refuses further attempts from that address for a cooling-off period and notifies you, so a brute-force attack announces itself instead of running unnoticed for days. Pick the thresholds with care: lock out too eagerly and you will lock out your own staff after a few typos, and if your site sits behind a CDN or reverse proxy the plugin must read the real client address from the proxy's header, or a single attacker will get the proxy's address locked out for everyone.
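As an added example (not code from the original article or from WordPress core), here is what such a limit looks like when implemented directly against WordPress's own hooks, as a must-use plugin. The ho_ function names, the thresholds and the notification text are assumptions, and the code assumes PHP sees the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Added example, not code from the original article or from WordPress core.
 * Save as wp-content/mu-plugins/login-limiter.php; must-use plugins load
 * without activation. The ho_ names and thresholds are hypothetical.
 */

// Lock an address for 15 minutes once it has produced 5 failures in that window.
define( 'HO_MAX_FAILURES', 5 );
define( 'HO_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for the client address. REMOTE_ADDR cannot be forged by the
 * client; behind a CDN or reverse proxy it is the proxy's address, so there you
 * must take the real address from the header the proxy sets (and nowhere else),
 * otherwise one attacker locks out every visitor.
 */
function ho_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'ho_login_fail_' . md5( $ip );
}

/** Count a failed login; notify the admin the moment the threshold is reached. */
function ho_record_failure( $username ) {
    $key      = ho_login_key();
    $failures = (int) get_transient( $key ) + 1;
    // Re-setting the transient also refreshes its expiry, so the lockout is
    // extended for as long as the attacker keeps trying.
    set_transient( $key, $failures, HO_LOCKOUT_SECONDS );

    if ( HO_MAX_FAILURES === $failures ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . home_url(),
            sprintf(
                "%d failed logins for user '%s' from %s; address locked for %d minutes.",
                $failures,
                sanitize_user( $username ),
                $_SERVER['REMOTE_ADDR'],
                HO_LOCKOUT_SECONDS / MINUTE_IN_SECONDS
            )
        );
    }
}
add_action( 'wp_login_failed', 'ho_record_failure' );

/** While the address is locked, turn every login into an error. */
function ho_block_locked_ip( $user, $username, $password ) {
    if ( (int) get_transient( ho_login_key() ) >= HO_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}
// Priority 30 runs after core's username/password checks (priority 20) and
// overrides their result, so even a correct guess does not log in during a lockout.
add_filter( 'authenticate', 'ho_block_locked_ip', 30, 3 );

/** A successful login clears the counter so a legitimate user is not penalised later. */
function ho_clear_failures( $user_login, $user ) {
    delete_transient( ho_login_key() );
}
add_action( 'wp_login', 'ho_clear_failures', 10, 2 );
```

Because XML-RPC logins also pass through wp_authenticate(), the same counter covers xmlrpc.php. Transients live in the options table unless you run an object cache; on a multi-server setup the cache must be shared, or each node counts failures on its own.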
Implement Strong Password Security Best Practices
Security plugins add a useful layer between your site and the outside world. Having said that, the most crucial defense against hackers is still a strong password. If your password is 123456, password or 1asdasdasd, you cannot expect your website to be safe from attackers: these are among the most commonly used passwords in the world, according to this HuffPost article, and they sit at the top of every brute-force wordlist.
Your password should be long and strong. Some people use password generators that produce random characters, which results in passwords that are strong but hard to remember. This is why the FBI says that passphrases are more effective than traditional passwords: a passphrase is a string of several unrelated words totaling 15 or more characters, which is easy to remember and, because of its length, far harder to guess or crack.
Consider that Nordpass reports the average user has between 70 and 80 passwords. I know what you are thinking: “How can I remember so many different passwords?” Well, frankly, you can’t. So, one solution is to use a password manager to store all your passwords in one place. A password manager is like a vault for all your passwords — and all you have to remember is a master password to access and use it.
Oh, and another quick note: never use the same password for multiple accounts. If one account is hacked, it will be easier for someone to use the same password to access your other accounts.
Create Unique Usernames for Admin Accounts
Generic usernames like "admin" or "webmaster" should be avoided because they are the first things an attacker tries, which halves the work of a brute-force attack. Give every administrator account a unique, non-obvious username. Keep in mind that WordPress still reveals usernames through author archive URLs and the REST API's users endpoint, so treat the username as a minor hurdle rather than a secret; the password and the second factor do the real work.
You should always use multi-factor authentication or PKI certificate-based authentication to log in, because both are far more secure than a password alone. An attacker then needs your password and your phone or hardware key (and, for password resets, your email account) at the same time, which is improbable. It raises the bar substantially, though it is not absolute: a phishing page that relays the one-time code in real time can still get through, which is why hardware security keys are the stronger choice for administrator accounts.
#3. Protect Your Database File
Change the WordPress database table prefix. Every table WordPress creates is named with a prefix, wp_ by default (wp_users, wp_posts, wp_options and so on), and attack scripts and exploit payloads routinely hardcode those names. Set $table_prefix in wp-config.php to something unpredictable before installation, such as 312_goodjob_ (only letters, digits and underscores are allowed). On an existing site the prefix can be changed too, but every table has to be renamed and the wp_user_roles option and the wp_capabilities and wp_user_level user meta keys renamed to match; most security plugins do this for you, so take a backup first.
Be clear about what this buys you. It is not a defense against SQL injection: an attacker who can inject SQL simply queries information_schema.tables to learn the real prefix and carries on. It only breaks the lazy automated attacks that assume wp_. The real protection against SQL injection is never to concatenate untrusted input into a query; in WordPress code that means $wpdb->prepare() with placeholders.
An SQL injection is a website security vulnerability in which an attacker modifies the queries made by an application to the database. Bad guys can capitalize on this to view or make unauthorized changes to your database info. They also can use SQL injection attacks to alter the content and the behavior of the application. And by escalating the SQL injection, they can launch a DoS (denial of service) attack if they so desire.
For a more in-depth look at what SQL injections are, check out this great video from PortSwigger:
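To make the prefix point concrete, here is an added example (not code from the original article or from WordPress core) of the same lookup written the vulnerable way and the safe way with $wpdb->prepare(). The custom coupons table, its columns and the ho_ function names are assumptions made for the illustration.

```php
<?php
// Added example, not code from the original article. It assumes a hypothetical
// custom table "{$wpdb->prefix}coupons" with columns code and discount; the
// ho_ function names are hypothetical too.

/**
 * VULNERABLE: user input is pasted straight into the SQL string.
 * A $code of   x' UNION SELECT user_pass FROM wp_users -- 
 * returns a password hash instead of a discount. Changing the table prefix
 * only forces the attacker to read the real table name first, e.g. with
 *   x' UNION SELECT table_name FROM information_schema.tables WHERE table_name LIKE '%users' -- 
 */
function ho_get_discount_unsafe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'coupons';
    return $wpdb->get_var( "SELECT discount FROM {$table} WHERE code = '{$code}'" );
}

/**
 * HARDENED: $wpdb->prepare() escapes and quotes every %s/%d placeholder, so the
 * input can only ever be compared as a string, never parsed as SQL.
 */
function ho_get_discount_safe( $code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'coupons';
    $sql   = $wpdb->prepare( "SELECT discount FROM {$table} WHERE code = %s", $code );
    return $wpdb->get_var( $sql );
}

/** Example caller, e.g. for a shortcode or REST route; the input is untrusted. */
function ho_apply_coupon_from_request() {
    // WordPress adds slashes to request data; wp_unslash() removes them.
    $code = isset( $_GET['coupon'] ) ? wp_unslash( $_GET['coupon'] ) : '';
    // Validate the shape first: coupon codes are short alphanumerics. Rejecting
    // anything else is defence in depth on top of prepare(), not a substitute.
    if ( ! preg_match( '/^[A-Za-z0-9-]{1,32}$/', $code ) ) {
        return null;
    }
    return ho_get_discount_safe( $code );
}
```

Note that the table name itself is built from $wpdb->prefix, never from user input; prepare() placeholders are for values only, not for identifiers.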
#4. Update Your .htaccess File
Directory listings are another leak. If Apache's Indexes option is on and a directory has no index file, anyone can browse that directory's contents, and the uploads and plugin folders reveal exactly which plugins and versions you run. Dropping an empty index.html into a directory hides that one directory; the reliable fix is to turn listings off for the whole site by adding the following line to the .htaccess file in your web root:
Options All -Indexes
Attackers who gain write access to your site commonly plant malicious redirects in .htaccess, so after any incident check its contents and modification time, and keep a known-good copy in your backups. The same file can also lock the login page and dashboard down to your own IP addresses with a Require ip directive on wp-login.php and the wp-admin directory. That stops brute forcing outright, but it only suits sites whose administrators connect from fixed addresses, and it must not be applied to wp-admin/admin-ajax.php, which plugins call from the public front end on behalf of ordinary visitors.
#5. Protect Your WordPress Configuration File
The WordPress configuration file (wp-config.php) is one of the most sensitive files on your site. It sits in your root directory and holds the database name, user and password plus the authentication keys and salts, so anyone who can read it can connect to your database and, with the keys, forge login cookies. Altering where and how it is stored protects it from attackers.
One option is to move it out of the document root. WordPress automatically looks for wp-config.php one directory above its own root (only one level up, and only if that parent directory does not itself contain a wp-settings.php), so the move needs no other changes. A file outside the document root can never be served by the web server, however badly PHP handling is misconfigured, and cybercriminals will have to dig deeper to find the gold.
Alternatively, leave a stub wp-config.php in place that does nothing but require_once a file stored outside the document root; the real settings then live where no web request can fetch them, and the stub contains no secrets. Both tricks guard against the file being served raw. They do nothing against code that already runs on your server, such as a compromised plugin, which can read the file wherever it is.
You can also tighten the file's permissions. Most files in the WordPress root are 644: the owner can read and write, and everyone else on the server can read. Setting wp-config.php to 400 (owner read only) or 440 (owner and group read only) keeps other accounts on a shared server from reading your credentials. The catch is that PHP must still be able to read it: 400 works only when PHP runs as the file's owner (common with PHP-FPM pools or suPHP), and 440 requires the web server's user to be in the file's group. Get it wrong and the site throws an error until you fix it. You can make the change with your FTP/SFTP client or with chmod over SSH.
#6. Block Hotlinking
When you upload an image on your website, it creates an opportunity for other blogs or websites to display your image on their pages. They do this by “hotlinking” and linking the URL of the image. Since the image is hosted on your server, you’ll carry the burden of having extra traffic accessing that image. This can result in a slower website for your domain and potentially higher hosting costs, too. Yikes.
The following image shows what happens when content from your site is hotlinked: the image is embedded in a page on "thieving.com" but served from "original.com", so every visitor to the thief's page downloads it from your server.
Image showing the process of hotlinking.
Thankfully, there’s something you can do to stop this from happening:
Use a CDN to Block Hotlinking
Many CDN providers including Cloudflare, Amazon S3, and KeyCDN have hotlinking protection built into their platforms. This method is easy as you do not have to alter your WordPress site in any way.
Use WordPress Plugins for Hotlinking Protection
Some WordPress plugins provide broad-spectrum security, which includes protection against hotlinking.
Disable Right-Click on Your WordPress Site
Sounds quirky? It makes casual copying slightly more awkward, but it is not a fool-proof way to protect your files, and it does nothing against hotlinking: the image URL is still in your page source and your server still serves it to anyone who asks. Weigh that small benefit against the annoyance it causes legitimate visitors.
Enable Hotlink Protection on NGINX
According to Ubiq, if you use NGINX, you can make the following changes to your server’s config file to turn on hotlink protection for your domain. In this example, original.com represents your domain:
location ~* \.(gif|png|jpe?g)$ {
    # "none" accepts requests with no Referer (direct visits, strict referrer
    # policies); "blocked" accepts a Referer that a proxy or firewall stripped.
    valid_referers none blocked original.com *.original.com;
    if ($invalid_referer) {
        return 403;
    }
}
Forbid Hotlinking in Apache
While running your WordPress site on Apache, you have several options to deal with hotlinking, according to the official Apache website:
Example 1 Deny the request. In this situation, if an image link request comes through that didn’t originate on your domain, you can set your server to deny the request outright. In this example, original.com again represents your domain:
RewriteEngine On
RewriteCond "%{HTTP_REFERER}" "!^$"
RewriteCond "%{HTTP_REFERER}" "!^https?://(www\.)?original\.com/" [NC]
RewriteRule "\.(gif|jpe?g|png)$" "-" [F,NC]
Example 2 Display something other than the requested image. Rather than failing or denying the request, an alternative action is to cause your server to display another unrelated image instead. (Maybe one with a message like “Stop Hotlinking My Stuff!” to really drive home your point to the hotlinker.)
RewriteCond "%{HTTP_REFERER}" "!^$"
RewriteCond "%{HTTP_REFERER}" "!^https?://(www\.)?original\.com/" [NC]
# Exclude the replacement image itself; the browser keeps the same Referer
# after the redirect, so without this line the rule matches again and loops.
RewriteCond "%{REQUEST_URI}" "!^/images/no-no-bad-dog\.jpg$"
RewriteRule "\.(gif|jpe?g|png)$" "/images/no-no-bad-dog.jpg" [R,NC]
Example 3 Redirect the request.
The third option is to redirect the image request to another site’s image. Now, this can be kind of mean to the owner of the site you’re directing the hotlinker to. However, it’s a good way to stop people from hotlinking your content.
RewriteCond "%{HTTP_REFERER}" "!^$"
RewriteCond "%{HTTP_REFERER}" "!^https?://(www\.)?original\.com/" [NC]
RewriteRule "\.(gif|jpe?g|png)$" "http://adifferentwebsite.com/image.png" [R,NC]
Of these techniques, the last two tend to be the most effective at getting people to stop hotlinking your images, because they simply will not see the image they expected. All three rely on the Referer header, which the client controls: a browser with a strict referrer policy sends none (which the "!^$" condition deliberately allows, so that direct visits keep working), and a determined scraper can forge one. Treat hotlink protection as bandwidth hygiene, not as a security boundary.
#7. Prevent DDoS Attacks
Do you remember this headline from a June 18, 2020, BBC article?, “Amazon ‘thwarts largest-ever DDoS cyber-attack.” I remember it distinctly as I was shocked at the sheer scale of the numbers. The article shared that Amazon fended off a 2.3 Tbps attack in February of that year. To give you a little context, that means it was 44% larger than any DDoS attack Amazon had ever seen before. The previous record was a 2018 attack of 1.7 Tbps.
Well, that said, what is a DDoS attack? A distributed denial of service, or DDoS for short, is an attack where one or more attackers use a network of connected devices to flood traffic to a particular website. The goal is to overwhelm it to the point that it crashes and goes offline. An attacker may want to disrupt your website for many reasons, but DDoS attacks are often financially motivated. DDoS attacks frequently target the websites and services of popular and well-known sites and companies. There are many types of DDoS attacks:
Application Layer Attacks
These attacks, which include HTTP GET and POST floods and low-and-slow attacks such as Slowloris, aim at the web application and the server software behind it (Apache, IIS, PHP, the database) rather than at raw bandwidth.
They consist of large numbers of seemingly legitimate requests, each cheap for the attacker but expensive for the server, which exhaust worker processes, database connections or CPU until the site stops responding. Their magnitude is measured in requests per second (RPS).
Protocol Attacks
This type of DDoS attack sends floods of malformed or half-open protocol traffic, such as SYN floods and fragmented-packet attacks, so that the target spends its resources tracking connections that never complete.
These attacks are nerve-wracking mainly because they consume actual server resources, or the state tables of intermediate equipment like firewalls and load balancers, rather than bandwidth. Their magnitude is measured in packets per second (PPS).
Volume-Based Attacks
The goal of this type of attack is to saturate the target's bandwidth with sheer volume. Volume-based attacks, measured in bits per second (bps), include spoofed-packet floods such as ICMP and UDP floods and amplification attacks that bounce small requests off third-party servers to produce much larger replies aimed at the victim.
You cannot absorb a multi-gigabit flood on a single web server, so the practical defense is to put a third-party mitigation service such as Sucuri or Cloudflare in front of the site. Many hosting providers also include DDoS protection in their plans.
#8. Keep Your WordPress Patched and Up-To-Date
Like most website platforms, WordPress is constantly evolving and has vulnerabilities that cybercriminals can exploit. Any vulnerabilities or glitches that WordPress discovers (or that users and security researchers report) are fixed through patches and other updates, and the updated versions are freely available online. At the time of writing, the latest WordPress release is 5.4.2, with the known bugs fixed and vulnerabilities patched.
If you're worried that these updates will take forever to install, don't be: a WordPress update typically takes minutes. Minor and security releases install themselves automatically in the background (WordPress has done this since version 3.7) and the site administrator gets an email afterwards. Major releases are offered in the dashboard for you to apply, so you can plan for a short maintenance window and warn your customers in advance.
Having said that, many users do not update their software regularly, leaving their sites and data vulnerable to glitches and attacks. During this time, the attackers will have a field day and will attack such users.
Our study of 60,140 small businesses’ websites concluded that 76% of WordPress sites use older versions of WordPress.
A figure showing the distribution of WordPress users according to the version they use.
In addition to the WordPress version, you should also update the WordPress plugins and the themes you use for better security. The third-party plugins and themes are also updated regularly to free them from all known bugs and glitches. This will fix known bugs and related issues.
#9. Don’t Display What Version of WordPress Your Site Uses
You can never be certain when a hacker will attack you or how. However, you can be sure of one thing: hackers will utilize every bit of information they can find to launch attacks against your site. This essential information includes which WordPress version you use. Therefore, it’s a good idea to hide the version of WordPress you’re currently using.
On the public site the version appears in the generator meta tag in every page's head and in the RSS feeds, is appended as a ?ver= query string to the core scripts and styles, and is spelled out in readme.html in the web root; inside the dashboard it sits in the bottom right-hand corner of every admin page. Older WordPress versions have known vulnerabilities that bad guys can exploit, so regularly updating and patching is the real fix; hiding the number only denies attackers a shortcut. Waiting to update your WordPress site leaves a window of opportunity that bad guys can take advantage of.
There are WordPress plugins that hide the version number. Alternatively, you can do it manually: the following code, from WPBeginner, blanks the generator string that WordPress prints in the page head and in the RSS feeds. Put it in your theme's functions.php file, or better in a small must-use plugin so that it survives a theme change:
// Blank the generator string used by the <meta name="generator"> tag and by the feeds.
function wp_version_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wp_version_remove_version' );
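The generator filter covers the meta tag and the feeds, but core also stamps its version onto every script and stylesheet enqueued without an explicit version, as a ?ver= query string. The following added example (not code from the original article or from WordPress core; the ho_ function name is an assumption) replaces that value with a salted token, so the URL still changes on every core update and caches are still busted, but the version is no longer readable.

```php
<?php
/**
 * Plugin Name: Core version scrubber (added example)
 *
 * Added example, not code from the original article or from WordPress core;
 * the ho_ function name is hypothetical. Save as wp-content/mu-plugins/.
 */

/**
 * Core appends ?ver=<WordPress version> to assets enqueued without their own
 * version, e.g. /wp-includes/js/jquery/jquery.min.js?ver=5.4.2. Swap that value
 * for an HMAC of the version keyed with the site's secret keys, so the URL
 * still changes after an update but no longer reveals which version runs.
 */
function ho_obscure_core_asset_version( $src ) {
    $core_version = get_bloginfo( 'version' );
    $query        = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    // Plugin and theme assets carry their own versions; leave those alone.
    if ( ! isset( $args['ver'] ) || $args['ver'] !== $core_version ) {
        return $src;
    }
    // wp_hash() is an HMAC keyed with the AUTH_KEY/AUTH_SALT values from wp-config.php,
    // so the token cannot be mapped back to a version without those secrets.
    $token = substr( wp_hash( $core_version ), 0, 8 );
    return add_query_arg( 'ver', $token, $src );
}
add_filter( 'script_loader_src', 'ho_obscure_core_asset_version' );
add_filter( 'style_loader_src', 'ho_obscure_core_asset_version' );
```

Two caveats. readme.html in the web root states the version as plain text and is not touched by PHP filters, so delete it or deny it at the web server. And a scanner can still fingerprint the version by hashing core files such as wp-includes/js/wp-embed.min.js, so this is obscurity on top of patching, never instead of it.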
#10. Create and Maintain Multiple Website Backups
Let’s face it: no matter how many precautions you take and the safety measures you implement, it’s still possible for someone to hack your website. This is why you need to have a backup plan — and in this case, I mean have literal backups of your website and data.
A good rule of thumb is to maintain multiple current backups of your website, so you are not hung out to dry in the unfortunate event of being hacked. WordPress has a backup service that stores your backups in the cloud for a fee, and there are plugins that store backups in your own cloud space. Whatever you use, keep the copies somewhere other than the web server itself (a backup sitting in wp-content is deleted or tampered with along with the site), and restore one to a test site now and then, because a backup you have never restored is a hope, not a plan. Backups should include (but not be limited to):
- Site content (such as copy, images, videos, etc.),
- Database content,
- Plugins,
- Themes, and
- Other files.
The US Computer Emergency Readiness Team recommends something known as the 3-2-1 backup rule. And don’t worry, it’s not complicated. Basically, this rule states that you should:
- Keep 3 copies of all your important files,
- Store them in 2 different storage media (to guard them against mishaps), and
- Maintain 1 copy off-site for additional protection.
What Consequences Will You Face If Your WordPress Website Gets Hacked?
The consequences you will face if your website is hacked are multi-faceted but often can be categorized in a few key ways. Of course, some losses and damages are more difficult than others to determine and calculate. Some of the obvious impacts of you being a victim of hacking are as follows:
Data Theft and Loss
In today's world, data is the new currency. IBM reports that the average cost of a lost or stolen record is $150.
Verizon reported that hacking was involved in 45% of the data breaches they analyzed in 2020. The FBI IC3’s 2020 Internet Crime Report confirms that the total losses stemming from personal data breaches and corporate data breaches amounted to $323.39 million in 2020. These stomach-lurching figures aren’t for the faint of heart, can we agree? Realistically, these figures show how much you stand to lose if your website gets hacked.
Your web servers are home to many types of data that hackers love to steal. If they get their hands on it, some hackers will publish sensitive information online just because they can. Others use the data to access bank accounts or to obtain other information they can use for equally bad deeds.
Hackers might also use the data for identity theft of your customers and yourself. They can sell the data in the market for money, and then someone else will use your data for their benefit.
Financial Impacts
Did you know how much you stand to lose if your website gets hacked and your data is breached? It’s not just the direct financial costs but also the indirect costs that can hit you the hardest. Following are just some of the ramifications you might face if your WordPress website gets hacked:
- Direct fines and fees: The Payment Card Industry Data Security Standard (PCI DSS) must be followed by every company and organization that stores, processes or transmits payment card data. If you lose customers' card data in a breach, the card brands can impose fines on you directly, and privacy regulators can add penalties of their own.
- Investigation of the breach: The forensic investigation to know the causes of the data breach needs to be carried out after the breach. The cost of this investigation is substantial and has to be borne by the website owner.
- Future security costs: Once your data is compromised, you will have to incur remediation costs and take steps to prevent future breaches or hacks from occurring. This means you’ll have to spend more than you are currently spending on the security of your website.
Let’s paint a not-so-pleasant image of what also happens (and other financial impacts that can result) when your site gets hacked:
- Your website might go down completely, showing an error message to the visitors, or it might be extremely slow if it has been hacked. This will result in the loss of business until you’re able to bring it back online.
- Your SEO rankings will plummet drastically, causing further losses.
- The traffic on your website will fall. And some customers may never return to your website to buy anything resulting in a fall in the customer base.
- You might also have to spend money to restore your website to normal. And even after that, your share prices might not recover to normal for a long time.
Oh, and this doesn’t even count in the costs associated with lost or stolen data. Considering that the IBM report we referenced earlier indicates that the average cost of a data breach in the US is $8.64 million, it’s easy to see why website hacking is such a big (and costly) deal.
Reputational Damage and Loss of Trust
An "Error 500" message means your website has hit an unexpected server-side error, which can have many causes. One of them is that your site has been hacked and the attacker's code is crashing or crippling it. Hackers might use your website to store or distribute illegal files like pirated movies or music from your server. Your IP address might be used to send out thousands of spam emails. As a result, your hosting provider might suspend your account until you have cleaned it up.
Hackers might also redirect your website’s traffic to a malicious site they control so they can steal your customers’ data. As you can imagine, this will do significant damage to your reputation and the trust people have in your website.
There can also be legal repercussions of data theft if customers decide to sue you. The financial and goodwill loss may be too great for you to handle.
Final Thoughts On WordPress Website Security
Can you tell me what Adobe, Dubsmash, eBay, LinkedIn, Marriott International, MySpace, and Yahoo have in common? All of them were hacked and had their data breached. Each breach cost millions of dollars, not to mention the loss of countless records. If these huge corporations with seemingly endless resources can become victims of a data breach, small and medium-sized companies managed by people like us are an easy target.
Website security is a perpetual responsibility for all website owners and admins. Website security should be treated on an equal footing as tax requirements or as any other crucial part of your job. Web security is much more than investing in high-tech equipment. Your WordPress site is an asset and should be treated as such. Protect your website as you would protect your office space. Remember, your WordPress site security rests in your hands.