Are you looking to secure your WordPress site from potential security risks? You’re not alone. Many small business owners, web agencies, and developers are turning to WordPress for their website needs, but they often overlook the importance of securing it properly.
Fortunately, there are a few steps you can take that will protect your website from many of the vulnerabilities associated with WordPress. In this guide, we’ll cover why WordPress security matters, the common threats posed by hackers and other malicious actors, how to secure your site without technical knowledge, and when updates should be applied to keep things running smoothly. If you want peace of mind that your website is safe, read on.
There is a lot that can be done to secure a WordPress website and keep hackers and known vulnerabilities from affecting your online presence, so let’s start with why it matters.
WordPress is one of the most popular platforms for self-hosted blogs and websites and powers over 43.2% of all websites. Even WhiteHouse.gov runs on WordPress! That popularity also makes it a favourite target: an attacker who finds one exploitable bug in a widely installed plugin can aim it at millions of sites at once.
With the various themes and plugins out there, it is unsurprising that vulnerabilities exist and continually affect websites.
The last thing you want to happen is to find out one day that your website got hacked. To help you prevent this from happening, we will be sharing multiple tips and techniques you can use to secure your WordPress website and stay protected.
Table of Contents
- Why is WordPress security important?
- What are some common security risks for WordPress sites?
- How can I secure my WordPress site?
- Invest in Rock-solid WordPress Hosting
- Install & Use a (Good) SSL Certificate
- Always Keep Your WordPress Version + Plugins Up To Date
- Use Smart Usernames and Smarter Passwords
- Use Two-Factor Authentication
- Disable The Plugin Editor
- Lock Down Your WordPress Login URL
- Harden Your wp-config.php File
- Disable directory listing
- Disable PHP Execution in WordPress Directories
- Prevent Hotlinking
- Perform regular backups
- Hide Your WordPress Version
- Can I secure my WordPress site without technical knowledge?
- WordPress Security FAQs
- Conclusion
Why is WordPress security important?
WordPress security is an essential consideration for any website owner: you need to protect your site from hackers, malicious code, and other threats that could compromise your data or expose confidential information. Brute-force login attacks, malware injection, and phishing pages planted on hacked sites are all real dangers to WordPress websites.
Staying secure means keeping up with the basics. Updating WordPress core, plugins, and themes promptly closes known vulnerabilities before they are exploited; giving every user a unique username and a strong password adds another layer of defence against unauthorised access to accounts and the admin area; and a security plugin such as Wordfence can add real-time monitoring so you know what is happening on your site.
Let’s examine the risks that most commonly threaten WordPress sites.
What are some common security risks for WordPress sites?
Weak passwords are one of the most common security risks for WordPress sites. A short or guessable password lets an attacker walk straight into your site, often with enough privileges to cause irreparable damage. Use long, random passwords that are unique to each site; length and randomness matter far more than a sprinkling of special characters. A password manager such as 1Password or Dashlane will generate and store them for you.
Another risk is outdated software: the WordPress core files or the plugins and themes installed on your site. Keeping every component on its latest version denies attackers the publicly known vulnerabilities in older releases. Back up your website regularly as well, so you can restore quickly if something goes wrong during an update.
Other common risks include malicious code injection, brute-force login attacks, and insecure hosting environments.
No single measure can guarantee safety, but understanding these risks is the first step to safeguarding your WordPress site properly.
How can I secure my WordPress site?
It’s important to remember that WordPress is open-source software. Anyone can examine the code that makes WordPress work. Yes, attackers study that code looking for exploitable bugs, but so do the WordPress security team, volunteer developers, ethical white hats, and the many contributors who work on WordPress for the opposite reason: to keep it secure and watch out for the community at large.
Additionally, most security breaches aren’t caused by a vulnerability in WordPress core. They happen because people don’t keep their WordPress site and its installed plugins and themes up to date, or because they use weak credentials.
If you follow good security practices, your site is far less likely to be compromised.
Invest in Rock-solid WordPress Hosting
Every web host should take security seriously, which is why you must choose one you can rely on for your business. The research you do before choosing a web host should include questions about how they handle security events.
You should look for a host with the following essential services:
- Up-to-date server software stacks. Whether they use LiteSpeed, NGINX, Apache, or IIS, they should run current, patched versions.
- A supported PHP version. If they’re still offering PHP 5, look elsewhere. The oldest version they should offer is one that still receives security fixes, which at the time of writing means PHP 8. The same goes for other software, like MySQL, MariaDB, cPanel, Plesk, and the server operating system.
- Firewalls and other security defences. There are hundreds of ways a hosting provider can keep its servers secure. If they own their servers and co-locate them, strict controls on who can physically access those servers is one example. They should also use firewalls and other defence mechanisms, like intrusion detection, to keep unauthorised users out.
- Malware monitoring and/or removal. Select a host that tries to detect and prevent malware infections and, ideally, offers malware scanning and removal. When doing your research, ask what the policy is when the host spots an account infected with malware, whether they offer cleanup services, and if so, what they cost.
ChemiCloud uses cloud infrastructure for all of our managed WordPress Hosting customers to keep their data safe. By distributing data across redundant servers, the information hosted in the cloud is protected against hardware failure.
In addition, our servers run CloudLinux OS, which gives each account its own virtualised file system and isolates it completely from the others. The significant advantage is that if one user account is compromised, the malware infection cannot spread to the other accounts on the same server. We have also partnered with Imunify360, whose multi-layered defence detects and removes malware and viruses.
Through these services, we add additional layers of protection to your website.
Install & Use a (Good) SSL Certificate
An SSL certificate (strictly a TLS certificate; Secure Sockets Layer is the name of the protocol that TLS replaced) lets the browser encrypt the data transmitted between the user and your website and verify that it is talking to your domain rather than an impostor. This is CRUCIAL on any site where users log in or submit payment details, but every site benefits: without it, the password for your own wp-admin travels in clear text.
A free Let’s Encrypt certificate provides exactly the same encryption as a paid one. What differs between certificate types is how thoroughly the certificate authority verifies who you are, not the strength of the encryption. A domain-validated (DV) certificate such as Let’s Encrypt is fine for a blog and for most shops as well, since in most setups card data is handled by the payment processor rather than your server. With a certificate installed, your site loads over https:// and visitors no longer see a “Not secure” warning in the address bar; make sure HTTP requests are redirected to HTTPS and that the WordPress Address and Site Address settings use https://.
Extended Validation (EV) certificates, once famous for the green address bar, show that the company behind the site has been verified and authenticated by the certificate authority. Note that modern browsers no longer display the green bar or the company name, so the visible difference to visitors has largely disappeared.
If you are on a WordPress host that uses cPanel, you can easily install a Let’s Encrypt certificate.
Always Keep Your WordPress Version + Plugins Up To Date
A dashboard showing 10 pending updates, including a WordPress core update, is scary. That is a site nobody is looking after.
An outdated WordPress install, plugin, or theme is a potential wide-open gateway to your website. Let’s review some recent figures from website-cleanup reports.
- 62% of websites had an SEO spam infection during cleanups. Database spam was the most dominant form of infection. Remediation teams often found database infections without backdoors, which may be related to SQL injection.
- 47% of all infected websites contained one or more backdoors, allowing attackers to maintain access to compromised environments after the initial infection.
- In 2022, over 30% of all WordPress applications were out of date at the point of infection.
Fortunately, since WordPress 5.5 you can turn on automatic updates for plugins and themes from the dashboard, and minor core releases (the ones that carry security fixes) install themselves by default. Previously you needed to be somewhat savvy and edit your wp-config.php file by hand to add some lines of code for these things.
How to Enable Auto-Updates for Plugins
Enabling automatic updates for plugins couldn’t be easier!
Step 1: Log in to wp-admin. By default, wp-admin can be accessed by entering https://www.yourdomain.tld/wp-admin into your browser, replacing “yourdomain.tld” with your own domain name.
Step 2: Locate the Plugins option on the left.
Step 3: In the far right column, click “Enable Automatic Updates” for each plugin you want to be able to update itself automatically.
That’s all you have to do! Now, your plugins will update themselves automatically when the developer publishes a new version.
How to Enable Auto-Updates for Themes
Step 1: Click Appearance in the menu on the left side of your WordPress Admin Dashboard.
Step 2: Select Enable auto-updates for your theme.
Note: You will need to do this for each of your themes. Also, as of this writing, not all WordPress themes have been updated to support this feature, and as such, you may not see the option to enable auto-updates for your theme until the developer provides an update.
If you’re more hands-on and don’t trust automation, no worries; this release hasn’t forgotten about you! Feel free to turn off those automatic updates, and when you’re ready to update a theme or plugin, upload it as a ZIP file, and voila! It’s updated! 👍 Either way, keep a recent backup (see the backups section below) so an update that misbehaves can be rolled back.
Use Smart Usernames and Smarter Passwords
Regarding user security, sensible habits are the key to keeping your login credentials safe. Never use “admin” as a username, and always choose a long, random password.
Instead of admin for the WordPress administrator, pick a username that is neither published on the site nor easy to guess. Here’s a list of usernames you should definitely avoid.
- Admin – This used to be the default username for WordPress and is, therefore, one that will definitely be tried in a brute force attack.
- Your real name or nickname – This is public information and as easy to guess as “admin”. Keep in mind that author archive URLs and the REST API user endpoint can expose the login name of anyone who has published posts, so it makes sense to create a separate profile without administrator rights for publishing content. That way, the username of the main login never appears on the website. Don’t use variations of your name either. If your name is John Jacob Jingleheimer Schmidt, don’t use jjjschmidt as the username.
- Any personal information – Including birthdays, etc. Treat anything someone could learn from your social media as public.
- The title of your site, or something obviously related to it – “Kittens” for a cat adoption agency, etc…
Make sure to choose a strong password. Google has some great tips on how to choose a secure password, but the simplest answer is a password manager, like 1Password or Bitwarden, which will generate a long random password for you.
If you manage multiple WordPress sites, use a different password for each one; a password manager makes that painless.
If you prefer to store your passwords locally on your computer rather than in a cloud service, a free tool such as KeePass does the job.
Use Two-Factor Authentication
Take advantage of two-factor authentication (2FA) to harden your WordPress login. 2FA adds a second step to the login process: a code delivered by text message (SMS) or, preferably, generated by a time-based one-time password (TOTP) app is required in addition to the password. With 2FA in place, a guessed or leaked password alone no longer gets an attacker in, which defeats brute-force and credential-stuffing attacks on your admin panel. It does not stop the attempts themselves from hitting your server, so pair it with login rate limiting, and prefer TOTP over SMS, which can be intercepted through SIM swapping.
We prefer the free Google Authenticator plugin, as you can use it for an unlimited number of users. Install the plugin and open a user’s profile. You can then set up two-factor authentication by creating a new secret key or simply by scanning the QR code with your authenticator app. Then make sure to mark it “Active.”
With two-step verification enabled, you will be asked for a six-digit code on the login page after you provide your username and password. Without that code you cannot log in, even with the correct username and password.
Disable The Plugin Editor
WordPress ships with plugin and theme editors that are very easy to reach from wp-admin. They are handy if you want to edit your theme or plugins in the same place you do everything else, but they give direct write access to your site’s PHP code. If someone compromises a user account with sufficient privileges, they can use the editor to drop a backdoor into a theme file with a few clicks.
Most WordPress users will never need to touch the plugin and theme editors. If you like to tinker and do some custom coding, re-enabling them is just as easy as disabling them.
It’s one line of code in your wp-config.php:
define('DISALLOW_FILE_EDIT', true);
This alone won’t stop a determined attacker who already holds an administrator account, since they can still upload a plugin ZIP through the dashboard; the stricter DISALLOW_FILE_MODS constant closes that route too, at the cost of managing plugin and theme updates outside wp-admin. But it removes the easiest path, slows less experienced attackers down, and buys you time to notice that something has gone wrong.
Lock Down Your WordPress Login URL
Attackers find most WordPress sites through automated scans rather than by choosing you personally, so making your login less discoverable takes you out of a lot of the background noise. Locking down your WordPress admin URL and login is a sensible part of login security, as long as you treat it as a supplement to strong passwords, two-factor authentication, and rate limiting, not a replacement for them.
The default WordPress login URL is domain.com/wp-login.php, with domain.com/wp-admin redirecting to it. The problem is that every bad bot, attacker, and script out there knows this too. By changing the URL of your admin panel, you make yourself less of a target for the generic brute-force scripts that hit wp-login.php on every site they find.
Out of the box, anyone can reach your login page simply by visiting https://yoursite.com/wp-admin. You can use a plugin to change that, such as the free WPS Hide Login plugin, which lets you rename the login path to anything you want, like /login, or even /mywordpressadminloginpageishere if you wanted to.
Sarcasm aside, you should use a path that isn’t obvious. I use this plugin on my own site, and while I won’t tell you what the path is, it’s something you wouldn’t guess but is still easy to remember.
You should also install a plugin that limits the number of login attempts before a client is blocked. The aptly named Limit Login Attempts plugin (also free) allows several attempts before locking the client out and can detect and redirect bots away from your login page. Keep in mind that wp-login.php is not the only way to try passwords: xmlrpc.php accepts authenticated requests as well, and its system.multicall method lets a single request carry hundreds of attempts, so either disable XML-RPC if nothing uses it or make sure your rate limiting covers it.
If you want to go the extra mile, Cloudflare Rate Limiting lets you define a threshold of requests to your login URL per client and block or challenge anyone who exceeds it at the network edge, before the traffic ever reaches your server.
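Before adding a rate limit you usually want to know what is already hitting the login endpoints. The shell function below is an added example, not from the article or from the plugins it names: it reads an Apache/LiteSpeed combined-format access log on stdin and reports clients POSTing to wp-login.php or xmlrpc.php above a threshold. The thresholds are assumptions to tune for your own traffic, and the sample log is constructed for the example.

```shell
#!/usr/bin/env bash
# Report clients hammering the WordPress login endpoints, from an
# Apache/LiteSpeed combined-format access log on stdin.
# Added example, not from the article or the plugins it names.
# Usage: login_bruteforce_report [LOGIN_LIMIT] [XMLRPC_LIMIT] < access.log
login_bruteforce_report() {
    # Assumed thresholds: 20 login POSTs is well beyond a forgetful human;
    # xmlrpc.php gets a far lower bar because one system.multicall request
    # can carry hundreds of password guesses.
    local login_limit="${1:-20}" xmlrpc_limit="${2:-3}"
    awk -v llim="$login_limit" -v xlim="$xmlrpc_limit" '
        # Combined log fields: $1 client IP, $6 "METHOD, $7 request path.
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)                      # drop the query string
            if (path == "/wp-login.php" || path == "/xmlrpc.php")
                hits[$1 " " path]++
        }
        END {
            for (key in hits) {
                split(key, part, " ")
                limit = (part[2] == "/xmlrpc.php") ? xlim : llim
                if (hits[key] >= limit)
                    printf "%s %s %d\n", part[1], part[2], hits[key]
            }
        }' | sort
}

# Constructed sample log (not real traffic): one client brute-forcing the
# login form, one ordinary visitor, and one XML-RPC probe.
sample_access_log() {
    awk 'BEGIN {
        for (i = 0; i < 25; i++)
            printf "203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] \"POST /wp-login.php HTTP/1.1\" 200 4187 \"-\" \"python-requests/2.31\"\n", i
        print "198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] \"GET /wp-login.php HTTP/1.1\" 200 4187 \"-\" \"Mozilla/5.0\""
        print "198.51.100.2 - - [10/Oct/2023:13:56:09 +0000] \"POST /wp-login.php?loggedout=true HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\""
        for (i = 0; i < 3; i++)
            printf "203.0.113.9 - - [10/Oct/2023:14:01:%02d +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 1893 \"-\" \"Mozilla/5.0\"\n", i
    }'
}
```

Run it as `sample_access_log | login_bruteforce_report 20 3` (or feed your real log instead of the sample). The single human visitor with one failed and one successful POST stays under the bar; the scripted client and the XML-RPC probe are reported with their counts, which are the numbers you would turn into a rate-limit rule or a firewall block.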
How to Change Your WordPress Login URL
We recommend using a free plugin called WPS Hide Login to change your WordPress login URL.
This plugin lets you quickly and safely change the URL of the login page to anything you want. It does not rename or change core files, nor does it add rewrite rules; it simply intercepts page requests, so it works on any WordPress website. Once active, the wp-admin directory and the wp-login.php page become inaccessible at their old addresses.
Once installed, go to Settings > General in your WordPress dashboard and set your new login URL.
Deactivating this plugin returns your site precisely to the state it was in before.
Harden Your wp-config.php File
The wp-config.php file stores your database name, username, and password, plus the authentication keys and salts that sign login cookies, so it contains everything an intruder needs to reach your database or forge sessions. It is one of the most critical files in your entire WordPress install.
Deny Access to the wp-config.php File
Normally the web server hands wp-config.php to PHP, so its contents are never shown, but a broken PHP handler or a stray backup copy (wp-config.php.bak, wp-config.php~) can change that. You can prevent the file from being served at all by adding the following to your .htaccess file:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Those two directives are the Apache 2.2 syntax, which Apache 2.4 still accepts through mod_access_compat; the native 2.4 equivalent is Require all denied. Anyone who tries to fetch your site’s wp-config.php will receive a 403 Forbidden error. Neat trick, eh? Note that .htaccess files only work on Apache and LiteSpeed; on NGINX the equivalent is a location block in the server configuration. Backup copies with other names are not covered by this rule, so delete them rather than leaving them in the web root.
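A quick way to audit the constants this section and the Disable The Plugin Editor section recommend: the shell function below is an added example, not ChemiCloud’s or WordPress’s own tooling. It checks a wp-config.php for DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, a production-safe WP_DEBUG, a WP_AUTO_UPDATE_CORE that has not been switched off, the placeholder keys from wp-config-sample.php, and world-readable permissions. The set of checks is this example’s own choice, and the weak sample config is constructed.

```shell
#!/usr/bin/env bash
# Audit a wp-config.php for the hardening settings discussed in this article.
# Added example, not ChemiCloud's or WordPress's own tooling.
# Usage: wp_config_check /path/to/wp-config.php
# Prints one line per finding and returns the number of findings.

# True if FILE ($1) contains define('NAME', VALUE) for $2/$3, either quote style.
wp_defined_as() {
    grep -Eq "define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)" "$1"
}

wp_config_check() {
    local file="$1" findings=0 const perms

    # 1. Constants that should be defined as true.
    #    DISALLOW_FILE_EDIT removes the theme/plugin editor from wp-admin.
    #    FORCE_SSL_ADMIN keeps wp-admin and the login form on HTTPS only.
    for const in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        if ! wp_defined_as "$file" "$const" true; then
            echo "MISSING: define('$const', true);"
            findings=$((findings + 1))
        fi
    done

    # Stricter still: DISALLOW_FILE_MODS also blocks plugin/theme installs
    # from wp-admin. Reported for information, not counted as a finding.
    wp_defined_as "$file" DISALLOW_FILE_MODS true \
        || echo "INFO: DISALLOW_FILE_MODS not set (uploads via wp-admin still allowed)"

    # 2. WP_DEBUG prints PHP errors, with file paths, to every visitor.
    if wp_defined_as "$file" WP_DEBUG true; then
        echo "RISK: WP_DEBUG is true on what should be a production site"
        findings=$((findings + 1))
    fi

    # 3. WP_AUTO_UPDATE_CORE set to false switches off even the automatic
    #    minor (security) releases that WordPress applies by default.
    if wp_defined_as "$file" WP_AUTO_UPDATE_CORE false; then
        echo "RISK: WP_AUTO_UPDATE_CORE is false (no automatic security releases)"
        findings=$((findings + 1))
    fi

    # 4. The AUTH_KEY .. NONCE_SALT constants sign login cookies; the
    #    placeholder text from wp-config-sample.php means a known key.
    if grep -q 'put your unique phrase here' "$file"; then
        echo "RISK: placeholder keys/salts from wp-config-sample.php still in use"
        findings=$((findings + 1))
    fi

    # 5. The file holds the database password, so "other" must have no read bit.
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$perms" in
        *[4567])
            echo "RISK: $file is world-readable (mode $perms)"
            findings=$((findings + 1)) ;;
    esac

    echo "$findings finding(s) in $file"
    return "$findings"
}

# Constructed sample (not a real config) containing the mistakes the checks look for.
sample_weak_wp_config() {
    cat <<'EOF'
<?php
define('DB_NAME', 'wp');
define('DB_PASSWORD', 'hunter2');
define('AUTH_KEY', 'put your unique phrase here');
define('WP_DEBUG', true);
EOF
}
```

Run `wp_config_check /path/to/wp-config.php`; the exit status is the number of findings, so it drops straight into a cron job or a deployment check. Try it on the constructed sample first (`sample_weak_wp_config > /tmp/wp-config.php; chmod 644 /tmp/wp-config.php; wp_config_check /tmp/wp-config.php`) to see all five findings reported.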
Disable directory listing
By default, when your web server does not find an index file (index.php or index.html) in a directory, it generates a listing of the files and folders in that directory.
That listing hands an attacker useful reconnaissance: the exact plugins and themes you run (and therefore their versions), and any stray backup, log, or configuration copies that should never have been reachable, making it easier to pick a known vulnerability to try against your site.
How to disable directory browsing in WordPress
Add the following line to the .htaccess file in the root directory of your website:
Options -Indexes
On NGINX, which ignores .htaccess, the equivalent is autoindex off in the server configuration. If you are a ChemiCloud customer, we have you covered: directory listing is disabled on our servers by default.
Disable PHP Execution in WordPress Directories
Hacked WordPress sites usually contain backdoor files. These are often disguised as core WordPress files and placed in /wp-includes/ or /wp-content/uploads/, because those directories exist on every site and the uploads folder must be writable by the web server.
An easy way to improve your WordPress security is to disable PHP execution in directories that should only ever hold static files.
Create a blank .htaccess file and paste this code inside it:
<Files *.php>
deny from all
</Files>
Then upload this file to the /wp-content/uploads/ and /wp-includes/ directories. As above, deny from all is Apache 2.2 syntax; on Apache 2.4 use Require all denied, and on NGINX add a location rule for those paths in the server configuration instead. Two caveats: the rule only matches the .php extension, so check that your host does not also execute .phtml or .php7 files, and on legacy multisite installs wp-includes/ms-files.php must remain reachable, so test the site after uploading. This stops a planted backdoor from being executed even when an upload filter has been bypassed; it does not stop the upload itself, so keep scanning for such files.
Prevent Hotlinking
Hotlink protection prevents other websites from embedding files hosted on your server. A typical example is another site using an <img> tag to display an image straight from your domain, which makes your server pay the bandwidth for their page.
How to Prevent Hotlinking
To prevent hotlinking, insert the following into your .htaccess file, replacing domain.com with your own domain:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
The first condition lets requests with an empty Referer through, so visitors who type an image URL directly, and clients that strip the header, still get the file; the second allows your own domain. Everything else receives a 403 for the listed image types. Hotlink protection saves bandwidth rather than securing anything, and it may block legitimate third-party embeds (feed readers, image search previews) that send a Referer, so weigh that trade-off for your site.
Perform regular backups
Backing up your site means creating a copy of all the site’s files and its database and storing it somewhere safe, so you can restore from that copy if anything goes wrong. A backup that lives on the same server as the site disappears with it, so keep copies off-site, and restore one into a test environment now and then to prove that the backups actually work.
Most hosting providers now provide backups. ChemiCloud’s managed WordPress Hosting includes free automated backups, stored off-site, that can be restored quickly so you can rest easy knowing your data is safe!
WordPress Backup Plugins
If your host doesn’t provide backups, there are several popular WordPress backup services and plugins you can use to automate the task.
- Duplicator
- WP Time Capsule
- BackupBuddy
- UpdraftPlus
- BackUpWordPress
- BackWPup
- WP BackItUp
Hide Your WordPress Version
Another good practice is to hide the WordPress version you are running. Anyone who checks the source of your site can quickly read it from the generator meta tag, and if you aren’t good at staying up to date, a known-vulnerable version number is a welcome sign for intruders.
Simply add the following code to your theme’s functions.php file (or, better, to a small must-use plugin, so a theme update doesn’t wipe it out):
function wpversion_remove_version() {
    return '';
}
add_filter('the_generator', 'wpversion_remove_version');
This empties the generator tag in the HTML head and in the RSS feeds. It is a courtesy rather than a defence: the version still leaks through the ?ver= query string on core stylesheets and scripts and through /readme.html, and attackers’ scanners simply fire their exploit regardless of what version you advertise. The only real fix is staying updated.
Please note that a mistake in functions.php can take your whole site down with a PHP error. If you feel uncomfortable doing this, please check with your web developer first.
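To see what a page still gives away after the filter above, here is an added example (not the article’s code) that reads a page’s HTML from stdin and lists every version hint it finds: the generator tag the filter removes, and the ?ver= values on core assets that it does not touch. The hint labels are this example’s own, and the sample page head is constructed.

```shell
#!/usr/bin/env bash
# List the WordPress version hints left in a page's HTML.
# Added example, not the article's code. Reads HTML on stdin, prints one
# line per hint; the labels (generator-tag, asset-ver) are this script's own.
wp_version_hints() {
    local html
    html=$(cat)

    # 1. The generator meta tag, which the the_generator filter blanks.
    printf '%s\n' "$html" \
        | grep -oE '<meta name="generator" content="WordPress [0-9]+(\.[0-9]+)+"' \
        | grep -oE '[0-9]+(\.[0-9]+)+' \
        | sed 's/^/generator-tag: /'

    # 2. ?ver= on core assets under wp-includes/ or wp-admin/. WordPress
    #    appends its own version to core scripts and styles unless a bundled
    #    library (jQuery here) registered a version of its own, so not every
    #    value is the WordPress version, but one of them is.
    printf '%s\n' "$html" \
        | grep -oE 'wp-(includes|admin)/[^"?]+\?ver=[0-9]+(\.[0-9]+)+' \
        | sed -E 's/.*[?]ver=/asset-ver: /'
}

# Constructed sample page head (not a real site): the generator tag plus two
# core assets; jQuery carries its own version, the block-library stylesheet
# carries the WordPress version.
sample_page_html() {
    cat <<'EOF'
<head>
<meta name="generator" content="WordPress 6.4.3" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3" />
</head>
EOF
}
```

Run it against a saved copy of your own front page (`curl -s https://yoursite.com/ | wp_version_hints`). With the filter installed the generator-tag line disappears, but the asset-ver line carrying 6.4.3 remains, which is the point: hiding the tag changes what a casual reader sees, not what a scanner learns.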
Can I secure my WordPress site without technical knowledge?
Securing your WordPress site without technical knowledge is possible. In today’s digital world, protecting yourself and your website from security risks is essential, and fortunately various tools and services can safeguard a WordPress site with minimal effort on your part.
A common approach is a security plugin. Security plugins offer features such as two-factor authentication, malware scanning, password strength enforcement, and more, and they give non-technical users an easy way to monitor their website’s security status and act when necessary. Popular choices include Wordfence Security, iThemes Security Pro, Sucuri Security – Auditing & Malware Scanner, All in One WP Security & Firewall, and BulletProof Security.
Another route is a managed WordPress hosting service with built-in security features such as malware scans and automated backups. Many hosts provide these as part of their packages, so you don’t have to configure extra software or plugins yourself.
In short, protecting a WordPress website no longer requires deep technical expertise. Between specialised security plugins, third-party services, and managed hosting that bundles security features, bloggers, online entrepreneurs, and small business owners without those skills still have plenty of ways to keep their sites safe from common threats.
WordPress Security FAQs
Does WordPress have security issues?
Yes, like any software, WordPress has had security issues. Its popularity and its enormous third-party plugin and theme ecosystem, where most vulnerabilities are found, make it a constant target, even though core itself is well maintained and patched quickly. To reduce the risk, update core, plugins, and themes promptly, use strong passwords and two-factor authentication, and remove plugins you no longer use.
Does WordPress have good security?
Yes, WordPress core has a good security record. The core team ships security releases promptly and minor updates install automatically, its authentication and permission system is mature, and the plugin ecosystem adds features like two-factor authentication. It can be hardened further with a web application firewall and, of course, HTTPS via a TLS certificate. Overall, a well-maintained WordPress install is a secure platform for a website; a neglected one is not.
Conclusion
Learning about potential risks, implementing best practices for securing your WordPress site, and regularly updating plugins can help protect you from many vulnerabilities. With some knowledge and effort, you can ensure that your WordPress site remains secure against threats so it continues to serve as an effective platform for years.
Take the steps necessary to secure your WordPress website today and ensure it reaches its highest potential. With our comprehensive web hosting tutorials, helpful tips & resources, you can be confident in the security of your site.
If you know any other WordPress security tips that may help, please let us know in the comments area.
5 thoughts on “12 Steps to Boost Your WordPress Site Security”
Just a quick question. If I am using your WordPress hosting, is it necessary to add a security plugin, such as iThemes Security or Sucuri? I ask this because your article does not mention this.
Also, you wouldn’t happen to have a list of essential, lightweight plugins that won’t affect speed or security, do you? I have been wading through so much and so far have come up with a shortlist including RankMath, MonsterInsights, Anti-spam Bee, MailerLite, WP Mail SMTP, Optimole/Imagify and others. I am a little stuck on which form to use (I prefer a free one).
I don’t want to use a page builder tbh and prefer to keep it simple. I have got the Generatepress theme.
I know this is a bit off topic (sort of), but if you have got any articles about this.. Boy would I be grateful :). Tough going when you have to learn it all from scratch and figure out what is good and what is bad. And thank you for this really helpful post.
Hey Maria, this is a great question and we have some new content in the works that will really help answer your question. We really recommend WP Hide Login as a great starter plugin to secure your WordPress installation. If you have any other questions, feel free to stop by our live chat!
Hi there, This is very cool! Thank you for sharing!
Hi there!
What a great read this is. I learned quite a lot by reading this information masterpiece on WordPress security. The 2-FA is by far one of the must-take measures to ensure one’s website is safe. I will be definitely implementing some of the measures you have mentioned.