how to secure wordpress website

The Ultimate WordPress Security Guide – Step by Step (2020)

0 comment

Google blacklist around 10000+ websites every day for malware, fishing, virus, etc. Website Security is an important topic for every website owner. One should need to pay attention to WordPress security best practices. In this guide, I will show you tips to secure WordPress sites that help you protect your website against hackers and malware.

A hacked site can cause serious damage to your business and reputation. The hackers can steal any confidential information from the hacked site. They can install malicious scripts, malware, virus, etc.

WordPress security is about risk elimination, not risk end. Since there will consistently be danger of attacks, making sure about your WordPress site will stay a constant cycle, requiring successive appraisal of these assault vectors.

How To Secure a WordPress Site

To secure WordPress sites you don’t need to be a techy guy. There are a number of actionable steps that you can take to protect your website against security vulnerabilities.

1. Basics Of WordPress Security

Add SSL Certificate

SSL  (Secure Sockets Layer) encrypts the data which is transferred to the user as well as it encrypts the connection of site to the user. It authenticates the identity of the website. SSL allows to switch the connection from HTTP to HTTPS.

There are 6 types of SSL Certificates

  • Extended Validation Certificates (EV SSL)
  • Organization Validated Certificates (OV SSL)
  • Domain Validated Certificates (DV SSL)
  • Wildcard SSL Certificate
  • Multi-Domain SSL Certificate (MDC)
  • Unified Communications Certificate (UCC)

SSL which have lowest encryption is DV. Mostly all DV Certificates are free. Hosting panels like cPanel, Cyber panel, etc provides Lets Encrypt SSL Certificates for free. If you are running Ecommerce websites then you must not use this SSL for security reasons you need to go with paid and high encrypted SSL like OV and EV.

Regularly Update Themes and Plugins

As cyber attacks is increasing day by day, hackers find their way to exploit themes and plugins. So, themes and plugins owners releases new version by adding patch to the vulnerability and also by adding new functionality to it. Therefore, it is necessary to keep your WordPress Versions, Themes and Plugins updated. One can also turn on/off auto updates of plugins from the Installed Plugins page.

Remove Unused WordPress Plugins & Themes.

When it comes to unused plugins, less is more. Keeping unwanted plugins in your WordPress installation increases the chance of a compromise, even if they are disabled and not actively being used in your installation. Removing unused plugins and themes helps improve security and protects sites from being compromised.

Keep WordPress Updated

Whenever a new WordPress update is available, you’ll be notified in the WordPress Dashboard. You should always apply updates as soon as possible to keep your WordPress site safe & secure. Logging into your site on a frequent basis will ensure that you’re aware of updates as they are released.

To set up automatic updates in WordPress:

  1. Log into your server via SFTP or FTP (If you are using Hosting Panel you can also open File Manager).
  2. Locate the wp-config.php file, normally located in the public_html folder.
  3. Add the following code to the file: define( ‘WP_AUTO_UPDATE_CORE’, true );
  4. Save and Exit.

To manually apply updates in WordPress:

  1. Log into WordPress as an admin (you may see a prompt to update the WordPress Version).
  2. Click on Update WordPress.
  3. Once the database has updated, navigate to Dashboard > Updates.
  4. Apply any missing updates.

Now, moving towards Advance Security of site.

2. Limit Access To WordPress Sites

Install Wordfence Security Plugin

Security plugins plays crucial role in improving site stability and health. Wordfence is the best plugin to monitor your site thoroughly. It consist of function like limit login attack, auto block brute forcer’s ip address, Virus and Malware Scanner and Removal tool, restricting access to website files, Crawler block, etc. You must scan your website regularly, by doing this, it will help you to monitor and find out new vulnerabilities to your website and make it secure via one click repair button.

limit login attempts

WordPress permits users to attempt a login limitless times, but this leaves your site helpless against brute force attacks as hackers attempt to try different username and password combinations.

You can add an additional layer of security by restricting the quantity of login in Brute Force Protection Section of Wordfence plugin.

Use Strong Username and Password

Hackers try to bruteforce your site by using default credentials like username: admin and password: 1234567 this type of easy login credentials makes your site more vulnerable and easy to hack in just few seconds. Therefore, it is necessary to use different username and strong passwords with combination of special characters, numbers and alphabets. You can also block attackers on using wrong username for login.

Enable 2FA for user logins

2 Factor Authorization also adds extra security to the user logins. It is same as login to Facebook and it requests otp which arrives in our email. by enabling this hackers will not be able to login even if our user credentials gets compromised.

3. Hardening your website

Following steps will allow your website to mitigate ddos and file access attacks.

Add a CDN

Content Delivery Network is designed to optimize the security, performance, and reliability of the Web Server.  CDN is easy to setup. When visitors request some websites which are using CDN then the request will go to the nearest CDN server and that server will respond to the visitor (see below figure).

CDN is also used to protect websites from attacks like Distributed Denial of Service (DDoS). CDN blocks all unnecessary and bad requests generated by attackers.

We Personally recommend using Cloudflare CDN, Fastest Global Content Delivery Network.

.htaccess Rules

Certain rules should be added in .htaccess file present in your wordpress installation directory (public_html folder) to obtain secure connection of your website.

In .htaccess file add following rules.

Http to Https Redirection

RewriteEngine On
RewriteCond %{HTTPS}  !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

Prevent Directory Browsing

# Prevent directory browsing
Options All -Indexes

Protect wp-config.php

# Protect wp-config Apache 2.2
<files wp-config.php>
order allow,deny
deny from all
#Protect wp-config Apache 2.4
<Files "wp-config.php">
Require all denied
Require ip

WordPress Rules

# BEGIN WordPress
# Rewrite rule
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

4. Backup Your WordPress Site Regularly

Backups are the one thing everyone knows they need but don’t always take. Most of the recommendations above are security measures you can take to better protect yourself. But no matter how secure your site is, it will never be 100% safe. So you want backups in case the worst happens. Mostly hosting panels like cPanel, Cyber Panel, etc have backup services where you can also set daily auto backups cronjob.

Most hosting providers now provide backups. provides free backup services which will help you to gain your old website back if lost or hacked.


WordPress site can be successfully secured by using Using clever passwords, keeping core and plugins up to date, applying Content Delivery Network (CDN), Web Application Firewall (Wordfence), SSL,  etc. For many of you, your WordPress site is your both your business and income, so it’s important to take some time and implement some of the security best practices mentioned above, sooner rather than later.

There are also other steps in Server Side Security where you can protect your server side attacks by applying Firewall Rules, Intrusion detection and prevention tools. This all can be done via hiring Cyber professionals. We recommand you to visit evilcybersecurity (our parent company) for more security solutions.

Related Posts

Leave a Comment