How to Secure Your WordPress Site​

Computer Security

According to known statistics, around the world, more than 100,000 websites are attacked every day. WordPress, being a platform used for about  40 % of sites around the world, is particularly well attacked, leading to the kind of sites infected (83%, according to a 2017 study).

WordPress is thus one of the most frequent targets of hackers who usually target the template, main files, plugins and the login page.

But not only WordPress sites are attacked by hackers! Any website runs the risk of receiving a “visit” from these intruders. And to perpetuate frequent attacks and multiple sites simultaneously, hackers use software that crawls the web, looking for targets. These are called “bots”.

What problems do hackers bring?

Hackers can breach the security of your WordPress site, leading to harmful consequences.

  • They can steal or expose the data of the company and its customers;
  • They may completely erase the content of the website;
  • They can cause the site to infect other visitors, seriously damaging your company’s image.

After all, no one wants to access a company website that has viruses and hackers stealing data, do they?

And what can I do to protect my WordPress site from these intruders?

Always keep your WordPress version up to date

The key is to always have the latest version installed. An outdated version will be an easy target for hackers. Always make a backup copy before applying an update.

Update theme (template) and plugins

Each update will not only bring you more features, but it will also fix bugs and improve security. This will help your website to remain safe from vulnerabilities that intruders could exploit.

It is extremely important to keep all themes (templates) and plugins up to date. I don’t recommend configuring automatic updates in WordPress. Some updates can “break” your website. You should always make a backup copy of your database and files before proceeding with any update. After the update, check the website if everything is working well.

If we have an outdated plugin, the probability of a hacker entering our site is much higher.

We need to pay attention to old plugins, which we no longer use. Unfortunately, some may continue to function even after the user has stopped using them. Hackers often take advantage of these plugins and update them with malware.

Use a firewall

A firewall is a network security device that blocks intruders. The firewall monitors inbound and outbound network traffic and decides to allow or block traffic.

Have secure hosting

Any business must use a VPS. If there are problems that threaten the security of your WordPress site, you will need the support of your hosting (hosting) company so that you can respond quickly and accurately.

Use the latest version of PHP

It is important that you always use the latest version of PHP on your server. Newer versions are better at fighting hackers as obsolete code from older versions may no longer be supported.

Use secure usernames and passwords

To keep your website safe you should always use names and passwords that are smart and difficult to access. The typical passwords “12345”, “password”, “123456789”, “111111” are examples of what not to choose as they are always the first options for hackers when trying to access your site. Many users use this type of password because they are easy to memorize, but this makes the probability of being stolen by intruders much higher.

Regarding the username for your WordPress site you should never leave the default name “admin”. Instead, create a different name, just yours. If you leave the default name half of the hacker’s work is done and just guess the password.

Use Two-Factor Authentication

And even if you think your password is secure, this alternative is always highly recommended. When using two-factor authentication, the probability of the password being stolen is very low. With this method, the user first needs the password to enter, and then a message or confirmation call is sent to their mobile phone. It can also be a password followed by a secret question, a secret code, a set of characters or words, etc. This way it is almost impossible for an intruder to enter your site.

Use email as login

Usually, by default, you enter your username to connect and login. But using email is much safer. This is because usernames are easier to guess while email IDs are more complex.

Change your passwords often

Change your passwords regularly to avoid unwanted entries.

Install an SSL certificate and use HTTPS

This allows your browser to connect to a website securely.

Change permissions

File permissions control how users interact with files on the server. That is, who can read or execute a given file. The permissions on the wp-config.php file should be changed to 440 or 400 to prevent other users from reading it.

Disable XML-RPC

XML-RPC allows communication between WordPress and other systems, with HTTP acting as the transport mechanism and XML as the encoding mechanism. There are no security issues directly with this feature, but rather with the file that is used that can trigger an attack on the website. In recent years XML-RPC has become a major target for brute-force attacks. For this reason, the best thing is to turn it off.

Hide WordPress Version

If someone finds you using an outdated WordPress version, hackers are more likely to notice your site’s vulnerability. Leaving your WordPress version visible, when it’s out of date, is like a flag to warn hackers that your site is unprotected. The best option would be always to update your website so that problems like these do not happen and your website is more protected from hacker attacks.

Have the latest HTTP security headers

HTTP security headers are a way to prevent your website from suffering threats even before they happen. When a user visits your site, the web server will send an HTTP header response back to that user’s browser. This response informs you of error codes.

Improve Database Security

For example, if your site is called “Croissant shop” your database would be called, by default, “wp_croissants shop”. If you change this name to something different it will be much more difficult for hackers to identify your site and access your database.

Use Secure Connections

Always make sure your WordPress hosting (hosting) offers SFTP or SSH. Keeping your connections safe is an important step for your website to be protected from possible attacks. Try accessing your WordPress account with cable connections. Avoid accessing open or public wi-fi. If your connection is via Wi-Fi, use one of the following security protocols: WPA-2, WPA or WEP. Pay attention to file permissions on your installation and on the webserver. If permissions are weak, it will be easier to access your site. Choose to have more restricted permissions.

Prohibit File Editing

WordPress sites often have multiple users and administrators. Unfortunately, many companies also give admin access to contributors so that they can edit the content. This is in no way advised and could even compromise the security of your website. You can also disable the “Appearance Editor” in WordPress.

If you don’t allow file editing, even if a hacker manages to log in as an administrator on your WordPress dashboard, he won’t be able to modify any files.

Disable directory listing with .htaccess

If you create a directory on your site and don’t put an index.html file, your visitors can get a list of the directory and what it contains.

Avoid Hotlinking

Perhaps you’ve never even heard of this term. Hotliking is when you find an image on the net and use its URL on your website. The image is then displayed on your website, but served from the original location. It turns out to be advantageous for you, but not for the site from which you took that image. You are using resources from another site, putting it on yours.

Backup regularly

As much as you think you are doing everything for your site to be protected from attacks, the truth is that there is always that possibility. So you should always make a backup to make sure you don’t miss anything important. By automatically creating a daily backup of your website, any information can be retrieved.

Protect yourself from DDoS attacks

DDos, Distributed Denial of Service, is an action performed by a network of computers or bots that intensively send data or request data from a server (the target site). The high pressure of requests strains the server’s capacity, making it slow. It may not be as dangerous as hacker attacks that can completely destroy your site, but they can also bring your site down for hours or even days.

You must use a security service such as Cloudflare or Sucuri

What are the best plugins to protect your WordPress site?


This is one of the best and most complete plugins for WordPress sites and in addition to its functions as a security guard for your site, JetPack also helps in page optimization.

Allows you to follow the audience, monitor the site, offering even a multitude of other features in a single plugin. For all these reasons, JetPack is well known and chosen by WordPress site users.


This is another famous security plugin for WordPress websites. It monitors hackers’ visits and entry attempts, recording their origin, IP address, time and length of stay on the site.

Wordfence protects against login attempts and immediately alerts us in the event of an occurrence.


Considered by many users to be the best security plugin for WordPress, Sucuri is free. Once installed, Sucuri analyzes the website and detects any vulnerability or something wrong that could facilitate hackers’ entry. Sucuri scans the website for intruders, protects effectively, takes security actions after an attack, and regularly notifies you.

iThemes Security Pro

iThemes Security analyzes the website to detect possible flaws that can be fixed. This plugin also reports file system and database changes that could threaten the security of data on the website. iThemes Security Pro also prevents repeated attacks. For example, if they try to access your site over and over again until they get the combination right and the password is correct, the plugin will block these bots.


A good software to protect your WordPress site is WPScan. It prevents and reports the threats it detects on the website.

WPScan analyzes the vulnerabilities of the website and its theme and plugins. It does a search and lists usernames, checks for weak passwords lists all plugins and simulates attacks.

BulletProof Security

It is a plugin that detects a malware, protects against login attempts, backs up data and notifies us by email when it detects an intrusion attempt by a hacker.

All In One WP Security & Firewall

This plugin checks and filters IPs and blocks hackers and certain locations, blocks successive login attempts, and has a blacklist for suspicious addresses.

Google Authenticator

This is a simple and powerful Google tool that protects your WordPress site. It prevents password theft and protects your page in different ways. In addition, it allows you to recover a password in a completely secure way. Authentication is performed in two steps, preventing fraudulent logins.

Want to learn more about securing your WordPress site?

marketing digital para dentistas

About Luís Horta

He has been a teacher in Portuguese Public Education for over 25 years. So far, he has helped create and develop more than 700 businesses in different areas in his career.

Read More

more articles of interest to you