A Foolproof Guide To WordPress Security

6 min read · Jan 29, 2020


WordPress powers a large share of all websites, and because its code, login paths and file layout are public, attackers can scan for it at scale. Most break-ins do not come from WordPress core itself but from outdated plugins and themes, weak credentials and loose server configuration. So here is a no-confusion guide to WordPress security for developers who are new to the platform. It should help you pay attention to the right things and protect your website against credential attacks and malware. Keep reading!

Prevent Brute Force Attacks and enhance WordPress Security

A brute force attack is nothing more than repeated login attempts with guessed usernames and passwords. It works against WordPress because the login endpoint is in a well-known place: every installation answers at /wp-login.php, and /wp-admin/ redirects there, so an attacker only has to append one of those paths to your domain name and start sending POST requests. The same credentials are also accepted by /xmlrpc.php, whose system.multicall method lets a single HTTP request carry many guesses, so protecting the login page alone is not enough.

The measures below reduce the exposure in two ways: move the login URL off the default path so that mass scanners miss it, and, more importantly, make guessing futile with strong passwords, lockouts or rate limiting, and two-factor authentication.
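Detection is the other half of the picture. The following script, added here as an example and not taken from the original article or from any plugin, scans web-server access logs in the common combined format for the signature of a brute-force run. It relies on a WordPress behaviour you can confirm on any install: a failed POST to /wp-login.php re-renders the form with HTTP 200, while a successful one answers 302 to the dashboard. The log lines are constructed for the demonstration (RFC 5737 documentation addresses); the threshold of five failures per minute is an assumption to tune for your site.

```python
"""Spot brute-force runs against wp-login.php in web-server access logs.

A failed POST to /wp-login.php gets HTTP 200 (form re-rendered with an error),
a successful one gets a 302 redirect to the dashboard, so counting 200-status
POSTs per client IP inside a sliding window is a usable brute-force signal.
Example added for this article; not part of WordPress or of any plugin.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/Nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop ?redirect_to=... and friends
        "status": int(m.group("status")),
        "agent": m.group("agent"),
    }


def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Map client IP -> peak number of failed logins seen inside one window.

    Only IPs reaching `threshold` failures within `window_seconds` are returned.
    Lines are assumed to be chronological, as log files are.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        if rec["status"] != 200:  # 302 = success; 403/429 = already blocked upstream
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(window))
    return flagged


def successful_logins(lines):
    """IPs that completed a login (302 after POST to the login page)."""
    return sorted({rec["ip"] for rec in map(parse_line, lines)
                   if rec and rec["method"] == "POST"
                   and rec["path"] == LOGIN_PATH and rec["status"] == 302})


def compromised_after_bruteforce(lines, threshold=5, window_seconds=60):
    """IPs that were flagged AND later logged in: investigate these accounts first."""
    flagged = find_bruteforce(lines, threshold, window_seconds)
    return sorted(ip for ip in successful_logins(lines) if ip in flagged)


# Constructed sample traffic for the demo (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jan/2020:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2315 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2380 "-" "python-requests/2.22.0"
203.0.113.7 - - [29/Jan/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2380 "-" "python-requests/2.22.0"
203.0.113.7 - - [29/Jan/2020:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2380 "-" "python-requests/2.22.0"
203.0.113.7 - - [29/Jan/2020:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 2380 "-" "python-requests/2.22.0"
203.0.113.7 - - [29/Jan/2020:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2380 "-" "python-requests/2.22.0"
203.0.113.7 - - [29/Jan/2020:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 2380 "-" "python-requests/2.22.0"
203.0.113.7 - - [29/Jan/2020:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.22.0"
198.51.100.4 - - [29/Jan/2020:10:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://www.example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [29/Jan/2020:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2380 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Jan/2020:10:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2380 "-" "Mozilla/5.0"
192.0.2.9 - - [29/Jan/2020:10:06:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force:", find_bruteforce(lines))
    print("logged in after brute force:", compromised_after_bruteforce(lines))
```

In the sample, 203.0.113.7 fails six times in ten seconds and then succeeds, which is the case that matters: a flagged address that subsequently logged in means a password was found, and that account should be reset and its sessions revoked. 192.0.2.9 is an ordinary user who mistyped twice five minutes apart and is not flagged. Run the same logic on the real log after a login-URL move and you will also see which scanners still know the new path.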

Tips to secure WordPress Website

1. Change the WordPress database table prefix

The default table prefix is wp_, so every installation has tables named wp_users, wp_options and so on, and automated SQL injection payloads hard-code those names. Setting a less predictable prefix such as xyz_wp_ or k7q2_ makes such canned payloads fail. The prefix may contain only letters, numbers and underscores (WordPress rejects hyphens), and it is set by the $table_prefix variable in wp-config.php. Choose it at install time if you can, because changing it afterwards means renaming every table and also the prefixed rows in the options table (wp_user_roles) and the usermeta table (wp_capabilities, wp_user_level). Treat this as a small obstacle, not a fix: it does nothing against an injection that reads table names from information_schema, and it has no effect on the login page at all.

2. Rename login URL slug to secure login page

Attackers know that the login page lives at wp-login.php and that /wp-admin/ redirects to it, so they point their tools straight at it and cycle through commonly used usernames and passwords. Moving the login URL to a unique path takes you out of that mass scanning. WordPress has no built-in setting for this, so it is done with a plugin.

3. Set strong, long and complex passwords to secure login page

Choosing a strong password is a no-brainer, but it does more for your site than most other measures. Length matters more than character variety: a long passphrase, or a random password of 16 or more characters from a password manager, unique to this site, is out of reach of online guessing. Mixing uppercase, lowercase, digits and symbols helps only if the result is long and not built from dictionary words or personal details. Change a password when you suspect it has leaked rather than on a fixed schedule; forced rotation mainly produces predictable variations of the old one, and it is no substitute for the lockout and two-factor measures below.

Moving the login off its default path hides the form from scanners that only try the standard URLs; anyone who learns the new path can still attempt logins, so keep the lockout, password and two-factor measures in place. With a login-URL plugin you can typically relocate:

  • the wp-login.php slug to something unique, e.g. my_custom_login
  • the /wp-admin/ slug to something unique, e.g. my_custom_admin
  • the registration URL /wp-login.php?action=register to something unique, e.g. my_custom_registration

Pick paths that are not guessable from the site name, and make sure requests for the old paths return 404 rather than redirecting to the new one, or the redirect gives the secret away.

4. Use two-factor authentication to secure login page

Two-factor authentication is one of the most effective login protections available: a stolen or guessed password is no longer enough on its own. Add a 2FA step to the login page and decide which second factor users must present. A secret question is not a real second factor, since it is just another piece of knowledge that can be guessed or phished; prefer something the user has, such as a code from an authenticator app or a hardware security key. Google Authenticator and compatible apps do not receive a code over the network: at enrolment the site shares a secret with the app (usually as a QR code), and from then on both sides derive the same six-digit code from that secret and the current time, so a valid code proves the phone is in hand.

We prefer the <a href="https://wordpress.org/plugins/miniorange-2-factor-authentication/">Google Authenticator</a> plugin from miniOrange, which adds the two-step verification to the WordPress login.
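To see why an authenticator code proves possession of the phone, here is the TOTP algorithm (RFC 6238, built on RFC 4226 HOTP) that Google Authenticator and compatible plugins implement. This is example code added to this article, not the miniOrange plugin's source. The secret used for the self-check is the published RFC test seed, 12345678901234567890, never a secret to enrol for real; the tolerance of one 30-second step either side and the single-use rule are design choices of this example.

```python
"""Time-based one-time passwords (RFC 6238 TOTP over RFC 4226 HOTP).

This is how Google Authenticator and compatible apps work: nothing is sent to
the phone; both sides derive the code from a shared secret and the clock.
Example added for this article, not taken from the miniOrange plugin.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # the interval Google Authenticator uses
DIGITS = 6

# Published RFC 4226 / RFC 6238 test seed; used only for the self-check.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def new_secret(nbytes=20):
    """Fresh random secret, base32-encoded as apps expect it in the otpauth:// URI."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # low nibble picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None):
    """RFC 6238: HOTP with counter = Unix time // 30 seconds."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at) // STEP_SECONDS)


class TotpVerifier:
    """Server-side check: tolerates +-skew_steps of clock drift and refuses reuse.

    In real code last_used_step must be persisted per user (a database row),
    otherwise a restart re-opens the replay window.
    """

    def __init__(self, secret_b32, skew_steps=1):
        self.secret = secret_b32
        self.skew = skew_steps
        self.last_used_step = -1

    def verify(self, submitted, at=None):
        submitted = submitted.replace(" ", "").strip()
        if len(submitted) != DIGITS or not submitted.isdigit():
            return False
        at = time.time() if at is None else at
        step = int(at) // STEP_SECONDS
        for candidate in range(max(0, step - self.skew), step + self.skew + 1):
            if candidate <= self.last_used_step:
                continue   # already consumed, or older: blocks replay of a sniffed code
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_used_step = candidate
                return True
        return False


if __name__ == "__main__":
    secret = new_secret()
    print("enrol this in the app:", secret)
    print("current code:", totp(secret))
```

Two details matter for the plugin you pick: the comparison must be constant-time (hmac.compare_digest here), and a code must be accepted once only, otherwise an attacker who watches a login over the shoulder has thirty seconds, plus the skew, to reuse it. A skew of one step is the usual compromise between phones with drifting clocks and the window an attacker gets.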

5. Use the email address to log in to secure login page

A WordPress login accepts either the username or the account's email address (since WordPress 4.5), so nothing needs to be installed for that. The reason to rely on the email address is that usernames leak: the author archive (/?author=1 redirects to the author's slug) and the REST API users endpoint both reveal them, whereas an email address used only for login and never published is not exposed. To get the benefit you must also disable login by username, which again takes a plugin, and register accounts with an address that does not appear anywhere on the site.

6. Idle users auto-logged out of your WordPress site

A user who walks away from a machine with the dashboard still open leaves it to anyone with access to that screen. WordPress keeps the login cookie for two days by default (fourteen with "Remember me"), so close that window on idle sessions: log out users who have been inactive for a set period, say 15 minutes.

You can set an idle logout time with the

<a href="https://wordpress.org/plugins/bulletproof-security/" target="_blank" rel="noopener noreferrer">BulletProof Security</a> plugin.

The plugin lets you set a specific time limit for inactive users, after which they are signed out automatically. Combine it with a screen-lock habit; the dashboard session is only as safe as the desktop it sits on.

7. Monitor your files with security plugins

The two plugins below are widely used for WordPress security monitoring:

  • <a href="https://wordpress.org/plugins/wordfence/">Wordfence</a> is free in the WordPress plugin directory.
  • <a href="https://ithemes.com/security/">iThemes Security Pro</a> is a paid product.

Both provide a web application firewall with login lockouts against brute force attacks and filtering of common SQL injection and cross-site scripting (XSS) payloads, plus file-change detection that alerts you when core, theme or plugin files are modified. Keep in mind that a firewall plugin runs inside PHP, after the request has already reached WordPress; it catches known patterns but is not a replacement for keeping the code up to date.

8. Take regular backups

If your site is compromised or lost, a recent backup is what lets you restore it quickly. Take backups regularly, daily or weekly depending on how often the content changes, and include both the database and the files (wp-content in particular). Store copies somewhere the web server cannot overwrite them, keep several generations in case the compromise predates the latest backup, and test a restore now and then; a backup that has never been restored is unproven. This is what gets you out of a malware infection, a defacement or a database wiped through SQL injection.

Have this FREE plugin installed to your WordPress site for security:

<a href=”https://wordpress.org/plugins/updraftplus/">Updraftplus</a>

This backup plugin can run on a schedule and send the archives straight to remote storage: Google Drive, Dropbox, email, Rackspace Cloud, Amazon S3 (or S3-compatible services) and others. The paid version also backs up to Microsoft Azure, Google Cloud Storage, Microsoft OneDrive, Backblaze B2, SFTP, SCP and WebDAV.

9. Protect the wp-admin directory and set directory permissions

The wp-admin directory holds the administration interface, so a foothold there lets an attacker run your site. One hardening step is to put a second credential in front of it: HTTP basic authentication on /wp-admin/ (on Apache, an AuthType Basic block in an .htaccess file in that directory, referencing a .htpasswd file kept outside the web root), so that a visitor must pass the web server's password prompt before even reaching the WordPress login. Leave /wp-admin/admin-ajax.php reachable without it, since themes and plugins call that endpoint from the public front end.

In addition, set sensible file and directory permissions. WordPress recommends 755 for directories and 644 for files: the web server can read everything, only the owning user can write. Use 775 on directories only where the web server runs as a different user in the owner's group and needs to write there (typically wp-content/uploads), and never use 777. Tighten wp-config.php further (600, or 440 if the server reads it through the group), because it holds the database password. Permissions do nothing if the files are owned by the web-server user itself, since then any code running in PHP can write them regardless, so check ownership first.

You can set permissions via FTP or the file manager in your hosting control panel, or from a terminal with the chmod command; see the WordPress guide on <a href="https://wordpress.org/support/article/changing-file-permissions/">changing file permissions</a>.
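As an added example (not from the article and not a WordPress tool), the script below audits a document root against the modes above and repairs them. It treats directories as 0755, ordinary files as 0644 and wp-config.php as 0600, skips symbolic links rather than following them, and never touches the root directory itself. It builds a constructed throw-away install in a temporary directory so it can be run safely anywhere; point audit() and fix() at a real document root only after checking who owns the files, because chmod does not change ownership.

```python
"""Audit and repair file modes under a WordPress document root.

Assumed policy (the article's recommendation, with wp-config.php tightened
because it stores the database credentials):
    directories 0755, files 0644, wp-config.php 0600, nothing world-writable.
Example added for this article; not a WordPress or plugin tool.
"""
import os
import shutil
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
SENSITIVE_FILES = {"wp-config.php": 0o600}   # add 0o775 uploads dirs here if PHP runs as the group


def expected_mode(path):
    """Mode a path should have under the policy above."""
    if os.path.isdir(path):
        return DIR_MODE
    return SENSITIVE_FILES.get(os.path.basename(path), FILE_MODE)


def _entries(root):
    """Yield every path below root, skipping symlinks (chmod would follow them)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path


def audit(root):
    """Return sorted [(relative_path, actual, expected, world_writable)] for every mismatch."""
    findings = []
    for path in _entries(root):
        actual = stat.S_IMODE(os.stat(path).st_mode)
        want = expected_mode(path)
        if actual != want:
            findings.append((os.path.relpath(path, root), oct(actual), oct(want),
                             bool(actual & stat.S_IWOTH)))
    return sorted(findings)


def fix(root):
    """Apply the policy below root; returns the number of paths changed."""
    changed = 0
    for path in _entries(root):
        want = expected_mode(path)
        if stat.S_IMODE(os.stat(path).st_mode) != want:
            os.chmod(path, want)
            changed += 1
    return changed


def build_demo_tree():
    """Constructed sample install with deliberately wrong modes (demo only)."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    files = {
        "index.php": "<?php // front controller\n",
        "wp-config.php": "<?php define('DB_PASSWORD', 'not-a-real-password');\n",
        "wp-content/uploads/photo.jpg": "",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(os.path.join(root, "index.php"), FILE_MODE)         # already correct
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)          # secrets readable by every local user
    os.chmod(uploads, 0o777)                                      # world-writable: a favourite drop zone
    os.chmod(os.path.join(root, "wp-content/uploads/photo.jpg"), 0o666)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for finding in audit(demo):
        print("mismatch:", finding)
    print("fixed", fix(demo), "paths; remaining:", audit(demo))
    shutil.rmtree(demo)
```

The world_writable flag in each finding is the one to act on first: a 777 uploads directory is where dropped web shells and spam pages end up. If your host runs PHP as a separate user in the owner's group, add the writable directories to SENSITIVE_FILES with 0o775 rather than relaxing the whole tree.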

10. SSL (https) cryptography to encrypt data

If your WordPress site is not yet served over HTTPS, fix that today. A TLS certificate (TLS replaced SSL years ago, though "SSL certificate" remains the everyday term) encrypts traffic between browser and server, so that login credentials, session cookies and form data cannot be read or altered in transit, and it lets the browser confirm it is talking to your domain rather than to someone impersonating it. Certificates are free from Let's Encrypt and most hosts can issue one with a click; a paid certificate from a third party is no stronger cryptographically. Once it is installed, redirect all HTTP requests to HTTPS, update the site and home URLs in Settings, and set the FORCE_SSL_ADMIN constant in wp-config.php so that the dashboard and login are never served in the clear.

11. Disallow file editing from the dashboard

Anyone with administrator access to the WordPress dashboard can edit theme and plugin files in the built-in editor, which means a compromised admin account hands an attacker a PHP editor on your server. Turning the editor off removes that shortcut: with it disabled, no one can modify those files from the dashboard, not even an attacker who obtains admin access. It is not a complete block, because an administrator can still upload a plugin ZIP containing arbitrary PHP; the related DISALLOW_FILE_MODS constant also disables plugin and theme installation and updates, at the cost of having to update from the command line or through deployment.

Add this line to wp-config.php to disable file editing: define('DISALLOW_FILE_EDIT', true);

12. Disable directory listing in .htaccess

The .htaccess file lives in the WordPress root directory. If you create a new directory (folder) on your website and do not put an index.html or index.php file in it, Apache may serve a listing of every file in that folder. For example, create a folder called "masterdata", and a visitor who types "http://www.example.com/masterdata/" into a browser sees everything in it, no password required. That is how attackers find backup archives, uploads and stray copies of configuration files.

You can prevent this by adding the following line to your .htaccess file: Options -Indexes (the form Options All -Indexes also works). Check it afterwards by requesting a directory that has no index file; you should get 403 Forbidden. This applies to Apache and other servers that honour .htaccess; Nginx ignores .htaccess entirely, but its autoindex directive is off by default.

Final thoughts — Stay up to date and regularly update your WordPress site for security

Security depends on keeping WordPress core, themes and plugins current, since most compromises exploit a known vulnerability in an outdated component. Minor core releases install automatically; major core, theme and plugin updates are applied from the Updates and Plugins screens in the dashboard, which show a notice and an update link when a new version is available. Review the changelog, keep a backup from before the update, and remove plugins and themes you no longer use rather than leaving them installed and unmaintained.

Signing off for now: these tips work for non-technical website owners too. If you have a question or are unsure how to secure your WordPress website, feel free to drop us a line and share your WordPress security challenges.

Originally published at https://www.zealousweb.com on January 29, 2020.
