5 WordPress Security Tips You Need to Implement Right Now

You probably already know the obvious security measures to take in protecting your WordPress website.

Possibly you know you have to make your site’s password “strong” (a mix of special characters, uppercase letters, lowercase letters, and numbers). You shouldn’t use “admin” as a username, and you should change passwords often. You probably already use two-factor authentication on your WordPress site and have your site backed up. And you never download premium plugins for free or from unknown sources. So what else is there?

Here we’ll discuss a few more WordPress security tips using little known, but profoundly effective methods that you can, and should, use to protect your WordPress site.

1. Rename or relocate your login page


The default login page for your site is “www.websitename.com/wp-login.php” (or “www.websitename.com/wp-admin”). One of the ways to protect your site is to hide or obscure the login page so hackers cannot find it easily. Controlling your login access by limiting the number of login trials each time and the time span between login trials would also improve security.

If you already have Jetpack installed, you can activate its “Brute Force Protection” module. With this module activated, Jetpack will update the Dashboad with the number of malicious login attempt to your website. You also have the option of whitelisting a number of IP addresses. From Jetpack go to “Settings” and then to “Protect,” followed by “Configure,” and you’ll see what looks like the image below.


Cerber Security and Limit Login Attempt is an alternative plugin to Jetpack. If you’d rather not use Jetpack, Limit login is an option. As of the date of writing, the plugin has been installed over 40,000 times and maintains a nearly pristine reputation as 108 out of 111 users rated it five stars.

Limit Login is fairly easy to use, but configuring its “Hardening” section improves your site’s security. All access to the XML-RPC server, which includes trackbacks and pingbacks, are blocked by default. If for any reason you’d be accessing WordPress’ rest API (for example, your blog’s Android or iOS app needs it), then let WP rest API & XML-RPC be accessible.


2. Host where it’s safe

Since a whopping forty-one percent of WordPress sites’ security breaches originate from the host’s end and not the site itself, it’s commonsense to make sure that your host is secure. In fact, hosting carries the most weight when it comes to security. Only eight percent of hacks happen due to weak passwords, twenty-nine percent due to theme, and twenty-two percent due to plugins. So about half your site’s safety relies on hosting.


Make sure your account includes account isolation if you use shared hosting. Your account will be protected from whatever happens on other people’s websites. However, it’s best that you use a service that’s designed with WordPress users in mind. Such services would include WordPress firewall, zero-day malware attack protection, updated MySQL and PHP, specialized WordPress servers, and a WordPress-savvy customer service. Hosts like WP Engine, Siteground, and Pagely have strong safety track records.


3. Stay up to date and use only updated software

You know that you have to use updated antivirus and other relevant anti-malware protection for your computer. This precaution also goes for plugins and themes. Keep them up to date, and if you have any themes or plugins in your repository that are not in use, remove them. If it’s right for your site, consider setting your plugins and themes to update automatically. To set up automatic updates, put some code into your wp-config.php. The following is the code for plugins:

add_filter( 'auto_update_plugin', '__return_true' );

And for themes, use this code:

add_filter( 'auto_update_theme', '__return_true' );

If you want a hands-off approach to site maintenance, then you may consider automating WordPress updates. Note, however, that setting up an auto-update might break your site, especially if plugins incompatible with the latest WordPress update run on your site. To set up an automatic update for your WordPress site, insert the code below into your wp-config.php file:

# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

4. Remove plugin theme editor and PHP error reporting

Disable your built-in editor for plugins and themes if you don’t routinely tweak and change settings (or run any other maintenance on your plugins and themes). This is for the security of your website.

Authorized WordPress users have access to this editor, making your site vulnerable to a security breach if their accounts get hacked. In fact, hackers can take down your site by modifying the code in that editor. To disable the editor, insert the code below into your wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

Error reporting is good. It helps you with troubleshooting. The only problem (and it’s a big problem) is that error messages also carry with them your server path. Hackers could look at your server path and easily gain a clear understanding of your website’s structure. Although PHP error reporting is good, it’s BEST disabled altogether. Use the code snippet below for your wp-config.php file:

@ini_set(‘display_errors’, 0);

5. Use .htaccess to protect special-purpose files


The .htaccess file is important because it’s the heart of your WordPress website. This file is responsible for your site’s permalinks structure and security. Outside of the #BEGIN WordPress and #END WordPress tags, there is no limit to the number of code snippets that you can add into your .htaccess file to change the visibility of files inside of your website’s directory.

If you haven’t done so already, hide the wp-config.php file of your site. That file is pivotal to your site’s activities and contains your personal information as well as other important details relevant to your site. You may use the code snippet below to hide it.

order allow,deny
deny from all

To restrict admin access, simply create a new .htaccess file and upload it to your “wp-admin” directory. Afterward, insert this code:

order deny,allow
allow from
deny from all

Input your IP address in the right spot. To allow access to your wp-admin from multiple IP addresses, list those IP addresses, each of them on a separate line, as allow from IP Address. You may restrict access to your wp-login.php in just about the same way. Just add this code snippet into your .htaccess:

order deny,allow
Deny from all
# allow access from my IP address
allow from

If you’d rather not block all IP addresses, just specific IP addresses that want to gain access to your wp-admin or wp-login.php, you may block individual IP addresses using this code:

order allow,deny
deny from 456.123.8.9
allow from all

You can also block people from viewing your site directory by making it not able to be browsed. You can use this code snippet to do that:

Options All -Indexes


This has been an actionable guide to help you improve your WordPress website’s security. The most crucial of these options is one that’s quite simple to implement now – find a host with a pristine reputation for security, as half of your site’s security rests on your host.

What security tip was most useful to you and why? Do you have any other security tips that are not listed here? Mention it (or them) in the comments.

Nicholas Godwin
Nicholas Godwin

Nicholas Godwin is a technology researcher who helps businesses tell profitable brand stories that their audiences love. He's worked on projects for Fortune 500 companies, global tech corporations and top consulting firms, from Bloomberg Beta, Accenture, PwC, and Deloitte to HP, Shell, and AT&T. You may follow his work on Twitter or simply say hello. His website is Tech Write Researcher.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox