Best Security Tips to Secure Your WordPress Website

With a 65.2% share in the CMS market, WordPress is the most popular open-source platform there is. That fact, plus its ease of accessibility, makes it an attractive target for bad actors. When it comes to WordPress security, there are a lot of actions you can take to keep your WordPress site safe from attacks and vulnerabilities. 

Is WordPress secure? The simple answer is, yes. However, a large audience of WordPress users are non-techie, and might not be aware of industry-proven security practices. In this article, I’m going to share tips, strategies and techniques that will help you secure your site from malware attacks.

WordPress Security – At a Glance

WordPress security is important because any cyber attack on your website can damage your business revenue and harm your users’ data. Not only that, but the attackers can install malicious software that could damage your brand’s reputation. You may even have to pay a ransom to hackers to regain access to your website. 

Just as a business owner ensures the safety of their physical store, so digital business owners need to secure their website. This article is intended to help WordPress users work on best security techniques that will help them secure WordPress sites and reduce the risk.

Best WordPress Security Tips 

Some business owners might assume their website does not need security because their web store is not big enough to be hacked. But hackers don’t care how big or small your web store is. They steal your data and make money from it. You do not know when and how your website may be attacked, so it is important to protect your website in the ways described below.

Choose a Good Hosting Company

WordPress hosting service plays an important role in WordPress security. A managed WordPress hosting server has multiple security layers of hardware and software to defend it against physical and virtual threats. A good hosting company continuously monitors its network for suspicious activity. They have the firewall protection to block unwanted incoming traffic and unrecognized sources.

Here at Cloudways, all the hosted servers are protected by OS-level firewalls to protect the application from malicious traffic. The platform is fully protected with end-to-end encryption, ensuring that the data transition is protected and encrypted with HTTPS protocols. 

So, good hosting is very important for WordPress security, and managed WordPress hosting offers many advanced features that are important for your website security.

Update Your WordPress Version Regularly, Plus Your PHP Version, Plugins and Themes 

With each WordPress update comes improvements to security. Whenever WordPress encounters a bug or security threat, the team fixes it and introduces an updated version. If you do not use the updated WordPress version for your site, you will be at risk.

To update WordPress, simply click on the announcement of the latest version that you’ll find on the WordPress dashboard. You can use the update section for all the updates. 

Unfortunately, many websites are running on older versions of WordPress and PHP, or using outdated plugins and themes. And they don’t update the version out of fear of breaking their website. In fact, websites with old versions usually break and face security threats, because it is not recommended by the experts and developers to use outdated plugins, themes, or PHP. 

Did you know that plugin vulnerabilities provide 55.95% entry points to hackers? A Wordfence report shows that plugins are the biggest risk for website security. Make sure all your plugins, themes, PHP versions, and WordPress versions are always up to date. Backing up the website before the update is a good practice that we will discuss further ahead.

Use Strong Usernames and Passwords

Use a strong username and password. Avoid passwords that are easy to break, guess, or steal like ‘12345’, ‘password’, or ‘qwerty’. It is recommended to use an alpha-numeric password with special characters.

Cloudways always generates complex passwords on a new WordPress install – you have to log in to your WordPress site with this complex password for the first time. After that, you can change your password. You should never use the default “admin” username. Create a unique WordPress username for the administrator account.

Install the SSL Certificate – Configure HTTPS for Encrypted Connections

One of the most important ways to harden WordPress security is to install the SSL certificate on your site. The Secure Sockets Layer (SSL) encrypts communication between servers and browsers, allowing websites to be accessed over a secure HTTPS.  

A common misconception is that only ecommerce websites require an SSL certificate. But these are essential for every website as they add security to the site, strengthen communication and prevent hackers from accessing your website. It’s also an SEO ranking factor for Google.

An SSL certificate lets you also gain the trust of your site visitors, who recognize this as an indicator of security. Cloudways offer free SSL certificates with Let’s Encrypt.

Add Two Factor Authentication

Two-factor authentication is an excellent way to protect your website from brute force attacks. It involves two-step verification, with the best method being hardware-based (online + mobile app). Here you need to install a third-party authenticator application on your phone, which generates a time-based one-time password (TOTP) on your mobile app. I recommend Google Authenticator or Authy 2-Factor Authentication.

When you login to your application, you will enter the password and open the authenticator app to see the time-based one-time password (TOTP). It is 100% effective because it is impossible for the hacker to have your password and mobile phone at the same time. Cloudways offers Two-Factor Authentication as you can see here.

Limit Login Attempts

Hackers attempt to use multiple password combinations to access your website because, by default, WordPress allows users to log in as many times as they want. By limiting the login attempts, you’ll be able to prevent your site from vulnerable brute force attacks. 

You can use the ‘Login LockDown‘ plugin to limit failed login attempts. It records the IP address and timestamp of every failed login attempt. When it detects a certain number of attempts within a certain period of time from the same IP range, the login function is disabled for all requests from that range.

Go to the Plugin > Add New, search for the Login LockDown plugin, then install and activate the plugin. Visit Settings > Login LockDown page to setup the plugin.

Change Your WP-login URL

By default the WordPress site’s login URL is The problem is that all the bots and hackers also know this. WP-login URL change is not a fixed solution but a small trick that can definitely help you to prevent attacks.

I recommend the ‘WPS Hide Login’ plugin that lets you easily and safely change the URL. The plugin has a simple input field where you can change the login URL by entering the new unique login URL name.

Hide Your WordPress Version

If your site is running on an outdated WordPress installation, it could invite intruders. The WordPress version is visible in the header of your site’s source code. That’s why it is recommended to always use the updated version. 

You can use the Sucuri plugin to hide your WordPress version. Simply install and activate the Sucuri plugin, and it will automatically hide WordPress version information. Go to Sucuri Security > Settings, and click on the Hardening tab. Here you’ll see the removed WordPress version.

Change WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all the database tables. If you site using the default prefix, then it will be easy for the hackers to guess the table names. That is why it is recommended to change the WordPress database prefix for better security.

Here is a complete guide on How to Change Database Table Prefix in WordPress, but this requires coding skills, because it breaks your site if it is not done properly.

Use WordPress Security Plugins

Certain plugins are designed to secure sites from hackers. The following security plugins are free and easy to use, and don’t require any development skills for configuration. 

The following list includes security plug-ins:

Here are some useful features of these security plugins:

  • Anti-brute force login
  • IP whitelisting
  • IP blacklisting
  • Security alerts
  • Malware scan
  • Block country by geolocation
  • Protection of security keys
  • Block visits from bad bots
  • Vulnerable plugins & themes detection
  • Post-hack security actions
  • File integrity monitoring
  • Two-Factor Authentication (2FA) 
  • reCAPTCHA 

Check File and Server Permissions

File permissions are high-priority for WordPress security, on both your installation and web server. These are basically a set of rules that determine ‘who’ can access ‘what’ on your WordPress site. Loose permission could be an invitation to the hackers to access the files, and strict permission could be a reason to break the functionality on your site. So it is important to set the correct permission.

There are three levels of permissions you can grant to users:

Read (R) – To view a file

Write (W) – To Edit the file

Execute (X) – To run scripts and programs

The recommended permissions that you can set for your WordPress site are given below:

File Permission
wp-admin 755
wp-content 755
wp-content/themes 755
All other files644

See the WordPress codex article on Changing File Permissions for more explanation.

Backup Your WordPress Website

While most people know how important backups are for WordPress security, too many fail to prioritize it. If your website is malfunctioning or attacked, it is important to have a backup so that you can restore your old website. No matter how secure your website is, it’s still not 100% secure, so you should have a backup for the worst situation.

Most managed WordPress hosting providers offer automated backups. Cloudways also offers hourly backup options & time-specific restore points, so you can also schedule your backups and restore them with a single click.

See the Cloudways article on creating backups of WordPress websites for an in-depth explanation and understanding. Here is a list of 10 best WordPress backup plugins, check out the plugins that offer a simple backup solution.

DDoS Protection

DDoS (Distributed Denial of Service) attacks involve the use of multiple systems to target a single system by sending out loads of requests. This makes the target system too busy to respond to any other requests, your site will be down for a few hours or days.

Protection against DDoS Attacks

You can use software-equipped intelligent routers and network hardware to identify bogus IPs and block them. You don’t need to invest in the hardware if you are using managed WordPress web hosting, because their reputable data centers are equipped with high-end networking hardware that provides security against DDoS attacks.

Cloudways have partnered up with DigitalOcean, Linode, Amazon, Vultr, Google because their data centers are capable of DDoS prevention. These data centers are fully maintained and equipped with intelligent hardware.

I would recommend using the Cloudflare and Sucuri premium services for your online business. If you’re hosted on Cloudways, you don’t need to worry about setting up DDoS protection by yourself.

Wrapping Up!

I have explained the best security tips to secure your WordPress website, most of which are free to use and don’t require much technical knowledge. According to a Forbes survey, an average of 30,000 new websites are hacked every day. Make sure to secure your sites from the attacks, so you’re not among them.


TBN Editor

Time Business News Editor Team