Find Content

16 ways to secure your WordPress site

16 ways to secure your WordPress site


WordPress is by far the most popular CMS.This is because its easy to use, thousands of themes and plugins are available for it and its secure.Yes i said its secure-it only pays the price of its popularity(Its often targeted by hackers). When it comes to WordPress security, users usually fall into two categories: the ones who take security and precautionary measures seriously and those who believe or hope it will never happen to them because their site is not important enough..really? Take a look at the number of Websites hacked today. In this post, i will be showing you 25 ways to add an extra layer of security to you WordPress site.

1. Use HTTPS and SSL

+An SSL Certificate is so important, not just for a WordPress site but for every other site. HTTPS stands for Hypertext Transfer Protocol Secure while SSL stands for Secure Socket Layers. In short, HTTPS allows visitor’s browser to establish a secure connection with your hosting server (and therefore, your site). The HTTPS protocol is secured via SSL. Together, HTTPS and SSL ensure that all the information between a visitors’ browser and your site is encrypted. SSL certificates also help you with SEO.

2. Choose a Host company with Security Features

The first and most important step towards securing your WP site is by choosing a good web hosting company (Like Zimwebtech) which implements proper security features like supporting the latest version of PHP, MySQL and Apache etc.

3. Use strong passwords

You obviously know that already but what makes a strong password? A strong password contains Uppercase and Lowercase letters,symbols and numbers.Its not easy to remember these kind of passwords-Make use of password managers/write it down somewhere.

4. Don’t use the ‘Admin’ username

I have been using the Wordfence plugin to secure some of my WP sites for some time now. 70% of the login attempts have ‘Admin’ as the username.If you use the Admin username, you just made it easy for hackers-all they have to do guess your password.

5. Never use nulled themes

Before you use a nulled theme, think about this: Who is making them and why? Nulled themes come bundled up with malicious code which will provide them access to hijack your account/add themselves as admins/serve ads on your site/simply lock you out.Mostly these hackers would love it if your site remains fully functional for as long as possible, their changes cannot but reflflect badly on you, and if they are not detected fast enough, destroy your site in the end.

6. Disable Plugin and Theme editing through your admin dashboard.

Having the option to edit your theme and plugin files right within your

WordPress dashboard is handy when you need to quickly add a line of code. But it also means that anyone who logs into your site can access those files and edit them. To disable this, simply add the following line in your WP-confifig.php fifile.


// Disallow file edit

define( ‘DISALLOW_FILE_EDIT’, true );

7. Logout idle users


Idle users can pose a security risk to your site. All you have to do is use a plugin like inactive logout which automatically terminate inactive sessions.

8. Disable XML-RPC

XML-RPC allows your site to establish a connection with WordPress mobile apps and plugins like Jetpack. Unfortunately, it’s also a favorite of WordPress hackers because they can abuse this protocol to execute several commands at once and gain access to your site.You can use a plugin like WP Hide to disable XML-RPC.

9. Use 2FA (Two-Factor Authentication)

Using 2FA means that in addition to entering your password, you will also have to enter a code generated by a mobile app to log in to your site.Its a very good idea to set it up. You can make use of plugins like Wordfence or Google Authenticator.


10. Secure the admin area.


This includes changing the admin url and limiting the number of failed login attempts.By default, the admin url of WP sites looks like this: A lot of people know this and they attempt to login once they find the admin login area.To change the admin url, simply use a plugin like WP Hide or WPS Hide Login.To limit login attempts, you can use a plugin like Wordfence or Security Malware Firewall.


11. Move WP-confifig.php fifile to a non www directory

Your WP-confifig.php fifile is the most important fifile in your WordPress

installation. It contains your DB username and password among other

important information hence, you need to protect it by moving it to a non www accessible directory. All you have to do is:

1.Cut the contents of your original WP-confifig.php

2.Create a new WP-confifig.php in a non www accessible directory

3.Paste the content you have cut on 1

4.Go back to your old WP-confifig.php and add the following line of code



The path might vary depending on where you created the new WP-confifig.php.


  1. Change your WP security keys

Security keys are responsible for encrypting the information stored in the user’s cookies. They are located in the WP-confifig.php fifile and look like this:

define(‘AUTH_KEY’, ‘put your unique phrase here’);

define(‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);

define(‘LOGGED_IN_KEY’, ‘put your unique phrase here’);

define(‘NONCE_KEY’, ‘put your unique phrase here’);

define(‘AUTH_SALT’, ‘put your unique phrase here’);

define(‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);

define(‘LOGGED_IN_SALT’, ‘put your unique phrase here’);

define(‘NONCE_SALT’, ‘put your unique phrase here’);

13. Disable error reporting

Error reporting is essential when debugging or trying to determine which plugin is causing an error on your WP site. However, once the system reports an error, it will display your server path as well. Needless to say, this is a perfect opportunity for hackers to discover how and where they can take advantage of vulnerabilities in your site. Add the following code to your wp-config.php fifile to disable error reporting:



@ini_set(‘display_errors’, 0);

14. Change your Database prefix 

Hackers know that WordPress Database prefix is set to wp by default hence they try to exploit this by guessing the table prefix and use automated SQL injections to gain access to your site. Before changing your WP Database prefix, be sure to backup your site in case something goes wrong. First of all, open your WP-confifig.php and find the table prefix line which looks like this: $table_prefix followed by a = sign and the table prefix itself. Replace the default string with your own prefix using a combination of numbers, underscores, and letters like so:


$table_prefix = ‘hfjs_4452_’;


Once you are done, access your phpMyAdmin so that you can change table names.There are 11 tables that you need to edit in total. To make this easier, you can input an SQL by going to SQL and then input something like this(According to the table prefix you have set in WP-confifig.php. In this case its hfjs_4452_):


RENAME table `wp_commentmeta` TO `hfjs_4452_commentmeta`;

RENAME table `wp_comments` TO `hfjs_4452_comments`;

RENAME table `wp_links` TO `hfjs_4452_links`;

RENAME table `wp_options` TO `hfjs_4452_options`;

RENAME table `wp_postmeta` TO `hfjs_4452_postmeta`;

RENAME table `wp_posts` TO `hfjs_4452_posts`;

RENAME table `wp_terms` TO `hfjs_4452_terms`;

RENAME table `wp_termmeta` TO `hfjs_4452_termmeta`;

RENAME table `wp_term_relationships` TO `hfjs_4452_term_relationships`;

RENAME table `wp_term_taxonomy` TO `hfjs_4452_term_taxonomy`;

RENAME table `wp_usermeta` TO `hfjs_4452_usermeta`;

RENAME table `wp_users` TO `hfjs_4452_users`;


While the above query should change your database prefix everywhere, it’s a good idea to run another query to make sure any other files using the old database prefix get updated:


SELECT * FROM `hfjs_4452_options` WHERE `option_name` LIKE ‘%wp_%’

15. Don’t display WordPress version number

Anyone who inspects your WordPress site can tell which version of WordPress you are using.Since each WordPress version has public change-logs that details the list of bugs and security patches, they can easily determine which security holes they can take advantage of.To fix this, simply put the following code in your theme’s functions.php


//Remove WordPress version number

remove_action(‘wp_head’, ‘wp_generator’);

16. Keep your WordPress files up-to-date

Outdated WordPress files refer to the WordPress version, theme and plugin files. They pose a security risk because they leave your site exposed to other vulnerabilities such as backdoor exploits,pharma and wp-vcd hacks.


Leave a Reply

Your email address will not be published. Required fields are marked *