🏆 Award Winning Web Hosting by People’s Choice – Fully Managed hosting platform with Free Backups and Free Migrations

Blog / WordPress Beginners Guide / How to secure WordPress website

How to secure WordPress website

Table of Contents

If you are web developer or just starting up your own business and working on your site, it is important for you to know how to secure WordPress website. For instance, if you are maintaining multiple websites, there will be times when your clients start emailing or calling you if their website has slowed down or even crashed.

Is WordPress Secure?

This is one of the many questions that people are asking me. For the most part yes. However, WordPress gets bad rap for having security issues, vulnerabilities, and not being a safe platform to use. But, more often those issues are happening when users are following industry-proven security worst-practices on their websites.

Due to outdated WordPress version, using nulled plugins and themes, poor website administration, and lack of web and security knowledge, a lot of users websites gets hacked. Even professionals sometimes don’t use best practices to secure their WordPress websites.

Let’s go over some of the well known vulnerabilities that most of the users experiencing and learn how to secure WordPress website:

WordPress Vulnerabilities

  • Website Backdoor
  • Brute-force Login Attempts
  • Denial of Service (DoS)
  • Phishing
  • Malware
  • Cross-Site Scripting (XSS)
  • Outdated Themes and Plugins

Website Backdoor

A backdoor is a way for a hacker to take a full control over a website by bypassing normal authentication without being detected by the website owner. Often they leave a backdoor to regain access to the website if it was already removed by the owner.

Hackers can use backdoor to upload files or create files in your WordPress site, add themselves as a admin, execute PHP code, collect personal information or send spam emails.

Brute-force Login Attempts

Brute-force login attempts are scripts to exploit weak usernames and passwords, so hackers can gain access to the site. Using two-factor authentication, limiting admin login attempts, monitoring unauthorized logins are part of the WordPress security to keep your website secure.

Denial of Service

Denial of Service (DoS) attack aims to block all website administrators and all visitors from accessing the website. This is done by sending so much web traffic to the targeted domain or hosting server that it crashes completely. In order to gain access to your website and bring it back online you must have a really good hosting provider that can take care of it immediately, or work with your hosting provider.


Phishing gets its name from actual fishing and is an attempt by cyber criminals posing as legitimate links in comments, sending via email, hoping that someone will click on those links for them to obtain sensitive information from targeted individuals.

How to prevent phishing?

WordPress comments are used on blog websites and Woocommerce websites where owners collect reviews. If you are using comments section on your website, make sure that they are not posted automatically. Instead, you can have comments held for moderation where you as a website owner can manually approve only legit comments.

Don’t forget to protect your contact forms on your website. You can do this by installing Google reCAPTCHA. reCaptcha by BestWebSoft plugin is the most popular option, with over 200,000 active installations.


The attack often happens due to outdated plugins and themes that are installed on your website or security holes in their code. Malware attacks are targeting the actual WordPress installation code where hackers are injecting their own code. Average user wouldn’t even notice this at the beginning. By the time you notice any changes on your WordPress code, it might be too late.

How to secure WordPress website and prevent malware attack?

The first thing to do is keeping your WordPress themes and plugins updated, have a strong admin username and passwords. And of course there are malware removal plugins, but not all of them do 100% of the job. The most popular and best malware removal plugin is Wordfence Premium version.

Cross-Site Scripting (XSS)

Cross-site scripting is vulnerability that allows JavaScript code to be installed on a website. Attackers are using cross-site scripting to gain access to the users information, such as billing information, username, passwords. When a user enters their information into a form on your website, that same information is sent to the attacker. This can be difficult for website owners to catch because attacks in a different ways. It’s even harder to catch it if you are running very large website with a lot of plugins installed.

Outdated Themes and Plugins

If you have outdated plugins or theme, or install an outdated plugin or theme, you open yourself up to security risks. As a website owner you should not have any outdated theme or plugin on your website. Most of the vulnerabilities mentioned above, are due to outdated plugins and themes.

Reasons why most of the time plugins and themes are outdated:

  • Website owners don’t have any type of support or plan implemented.
  • Plugin or themes are without renewed license keys.
  • Plugins or themes are abandoned by the developers.

I know that not everyone have a technical knowledge or have a time to secure WordPress website, but if you don’t know how or don’t have a time to update themes or plugins on your website, you may consider hiring someone to maintain your website just to keep it secure at least.

WordPress Security Guide 2022

Believe it or not, about 30,000 new websites are hacked every day. That’s why is so important to take some time and go through the following recommendations below on how to secure WordPress website.

  1. Secured WordPress Hosting
  2. Use the latest PHP version
  3. Stronger usernames and passwords
  4. Lock down WordPress admin page
  5. Two-Factor Authentication
  6. HTTPS – SSL Certificates
  7. Disable XML-RPC
  8. Hide WordPress version
  9. Rename theme and plugins
  10. Change WordPress admin URL
  11. Always take website backups
  12. DDoS Protection
  13. Do NOT install File Manager plugin
  14. Delete Unnecessary WordPress Files
  15. Disable file editing in the WordPress dashboard

Secured WordPress Hosting

When it comes down to WordPress security and how to secure WordPress website, there is much more than just locking your website. There is also web hosting security for which your web hosting provider is responsible for it. Here at Brickellhost we are taking security risks very seriously and making sure to provide secure and stable web hosting for our customers.

It’s very important to choose web hosting provider that you can trust with your business and help you when you need a help. If you are hosting your website on a VPS server, then you need technical knowledge to secure your own VPS server. If you are using Managed VPS you will avoid these headaches and learning how to secure your own server, since the hosting provider will take care of that part for you.

Here at Brickellhost we use premium network for all of our customers to provide fast, secure and stable hosting environment. Our shared hosting packages are already hosted on secure servers where we are using two layers of firewall, including Free DDoS for all of our customers and on top of that we partnered up with Imunify360 which is is a comprehensive security suite for web hosting servers that provides Antivirus, Firewall, WAF, and PHP Security for WordPress websites.

Use the latest PHP version

PHP is the backbone of your WordPress website and using the latest version on your hosting it is very important. Every major release of PHP is supported for about two years and during that period there are so many issues fixed and patches applied on a regular basis. As of right now PHP 8.0 and 8.1 are the most secure versions. PHP 7.4 will be supported until November of 2022. So, if  you are still using PHP 7.4 maybe it’s time to switch to 8.0 or 8.1

Here at Brickellhost we already have released PHP 8.0 and 8.1 for all of our customers on shared, reseller and VPS hosting and we recommend everyone should be using the latest version, it’s more stable and secure.

Supported PHP version

Stronger usernames and passwords

If you really would like to learn how to secure WordPress website and have your website on lock down, maybe you should start first from your admin username and password.

I’ve seen some people using administrator usernames such as, admin, demo, administrator, and passwords like password123, 123456, or even using their first and last names. That is not secure at all! It’s easy for hackers to guess your usernames and passwords if they already know your first and last names, of course we are all on social media now days, so shouldn’t be hard right?

Make sure to use strong and clever usernames and passwords to protect your websites. For instance, Nordpass have a free tool where you can generate random usernames for your websites. Lastpass provides free tool to generate passwords with random characters. In my opinion, these two tools should be used by every average WordPress user who want’s to have a secure WordPress website.

Lock down WordPress admin page

Locking down your WordPress admin page, protects your website from Brute-force attacks. Brute-force attacks is the simplest method for a hacker to gain access to your website. They are going to attempt multiple logins with usernames and passwords, over and over until they get in. That’s it’s very important to have a strong usernames and passwords like mentioned previously, but besides that you can limit administrator login attempts. You can install WP Limit Login Attempts plugin so you can limit the number of times a user can attempt to login into your WordPress website. It will slow down brute-force and eventually will keep redirecting them to the homepage.

Two-Factor Authentication

Maybe you did not know that you can use Two-Factor Authentication on your WordPress admin page? Yes you can and Two-Factor Authentication plays a big role when you are trying to secure WordPress website. Duo Two-Factor Authentication it’s a reputable company that provides Two-Factor Authentication almost for all online applications.

Just sign up for Duo’s service and install the plugin. Then you can set which user roles you want to enable Two-Factor Authentication for—admins, editors, authors, contributors, and/or subscribers. They have their own app that you can install on your smartphone where you can choose an authentication method, such as Duo Push, call, or passcode. Easy to use plus it’s free!

HTTPS – SSL Certificates

Still wondering how to secure WordPress website even better? SSL is one of the most overlooked ways to secure WordPress website and run your site over HTTPS (Hyper Text Transfer Protocol Secure) where your browser securely connects with a website.

SSL isn’t important only for ecommerce websites, SSL it’s important for all websites now days. Plus, Google has officially said that HTTPS is a ranking factor.

Here at Brickellhost we offer unlimited and Free SSL certificates for all of our customers, included in all hosting packages. Once you sign up for a hosting, it will be automatically applied on your domain name. When it’s time to expire, it will be renewed automatically.

Disable XML-RPC

XML-RPC enables communication between WordPress and other systems using HTTPS and XML as the encoding mechanism. For instance, XML-RPC was used for the mobile application. In early versions this was disabled by default, but since version 3.5 XML-RPC is enabled. Recently XML-RPC become a target for Brute-force attacks, like attackers trying to gain admin access.

Since version 3.5 there is no option in WordPress to be disabled, instead stays enabled by default. However, there are plugins that allows Enable/Disable option on XML-RPC, so you can prevent Brute-force attacks. If you wish to disable XML-RPC on your WordPress website, you can use Disable XML-RPC plugin.

Hide WordPress version

Disabling your current WordPress version is another extra security layer. The less people know about your WordPress configuration the better. Having outdated WordPress version it’s like a welcome sign to attackers. By default WordPress version it’s visible in the header. E.g. If you right click on your browser and then click on “View page source” you can see your current WordPress version. So, let’s remove that from your website. There are two methods to do this, by using plugin or manually.

Method #1
This method requires you to add code in your website. Adding a custom code in header or footer in WordPress can be easily done with WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager free plugin.

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />


Method #2
This method is easier and recommended for all users plus doesn’t require code editing or adding extra code to your website. I recommend using Sucuri Security plugin because automatically hides WordPress version information and offers other more advanced security features.

Rename theme and plugins

By hiding the theme name, you actually increase the security of WordPress. Because no one can find out that you are using this CMS for the website and it decreases the chance of hackers to hack the website as well.

If you right click on your browser and click on “View page source”, on the top of the header you can see that there is visible your theme and plugins names. They are located in wp-content/themes and wp-content/plugins folders. There is a way to rename them all so attackers won’t be able to find out what plugins are installed.

You can rename them all with WP Hide & Security Enhancer which offers a ton of features and options. By using the WP Hide & Security Enhancer you can hide core files, file path, and most importantly the theme name from the public eye.

Change WordPress admin URL

As we all know by default WordPress is using /wp-admin/ slug in the URL. Attackers are always trying to target this page first when they want to gain access to your website. There is a way to change this slug to something else for example to /administrator-login/ and set error 404 page on /wp-admin/ and login.php slug.

To change your admin URL, you can do it with WP Hide & Security Enhancer the same plugin that is used to rename WordPress core folders, theme and plugin names. We can achieve this with WPS Hide Login plugin as well. If you install WPS Hide Login plugin, navigate to Settings > General and on the bottom you have two fields that needs to filled with the new URL:

Change WordPress admin url

Always take website backups

Everyone knows that they have to take a website backups at least once in a day, but a lot of users are skipping this part. Websites are not a 100% safe and secure and never will be. Having a backup of your website it’s a lifesaver, trust me. There are multiple ways to setup website backups on your WrodPress website as a additional security step.

You can install and setup WordPress plugins that can take daily backups of  your website. Most of the plugins offers offsite backups where you can use Google Drive, DropBox, FTP setup or keeping them on your hosting account storage. Keeping backups on the same hosting account or server where your website is, it’s not really safe. For instance, if something happens to your website and attackers have access to the root folder of your hosting account, basically they can do whatever they want to.

I personally recommend using UpdraftPlus WordPress Backup Plugin. This plugin have so many features with the free version. You can setup multiple website backups within a 24 hour period, have them stored externally like on a Google Drive or DropBox, plus it’s easy to use.

Here at Brickellhost we offer free daily and weekly backups that are store on offsite servers, and they do not take a part of your hosting account storage. We are taking full cPanel account backups, that can be easily restored by the user with a single click. Do you want to learn more? Let’s get in touch and talk to our team.

DDoS Protection

DDoS attack is a type of attack where multiple systems are attacking single website or server and causing Denial of service (DOS). DDoS attacks are nothing new, they’ve been happening since 2000’s. DDoS attacks does not hack your website or server, instead they are taking it down and is not accessible for couple of hours or even days.

What can you do to protect yourself?

It’s always recommended to look for a hosting provider that offer DDoS attack protection in their packages, even in the basic package. Here are Brickellhost all of our hosting plans and servers are fully covered and protected from DDoS attacks on a server level. Also, you can always use 3rd party CDN such as Cloudflare which is reputable service when it comes to DDoS attack protection. If you are running serious business, make sure to invest in their premium plans because they offer a lot more limits and other features.

Do NOT install File Manager plugin

If you need to learn a little bit more on how to secure WordPress website, this might be helpful too. As some of you may know that there are 3rd party plugins that offers access to your hosting and WordPress installation root files where you can edit, download and upload default WordPress files. This way might be easier for you to access your WordPress files directly from your admin dashboard and not logging to your hosting account, but… if attacker gain access to your WordPress admin then automatically they have open door to your hosted files as well.

Back in 2018/2019 a lot of File Manager plugins had security breaches and a lot of websites were hacked. To prevent this on your website, do not install any File Manager plugin that gives you access directly to your hosted files.

Delete Unnecessary WordPress Files

Additionally to secure WordPress website, you can delete few WordPress files after the installation. They are not required for your functionality, plus they reveal the WordPress version you are using, which could tip hackers off to any security vulnerabilities on your site.

The first of those files is readme.html, which provides basic information about installation, upgrading, system requirements & resources.This file also displays the WordPress version you are using, which can be used by hackers to exploit vulnerabilities. You should delete this file.

The second file is wp-config-sample.php which is found in the root of your WordPress installation.If your hosting provider offers one click installation, you will have both wp-config.php and wp-config-sample.php files. You should delete wp-config-sample.php file, but DO NOT delete wp-config.php because this file contains your database information for your WordPress website.

Disable file editing in the WordPress dashboard

By default WordPress allows you to edit the code of the files directly with code editor in WordPress admin dashboard. This gives attackers easy way to gain access to your files. If some of the installed plugins hasn’t already disabled this feature, you do some light coding and disable it by yourself. Add the code below in wp-config.php via FTP:

// Disallow file editsdefine( 'DISALLOW_FILE_EDIT', true );

Don’t take security for granted

Cyber criminals are constantly trying new ways to gain access to any websites out there and web developers are always developing new methods to stop them. Always keep yours and your clients websites secure and safe, so you have one less thing to worry about. I hope this article helped you understand better how WordPress security works and what are the most important things that you need to do to prevent anything bad happening.

5 2 votes
Article Rating
Notify of
Inline Feedbacks
View all comments

Related posts