A Beginner’s Guide to Protect Your WordPress Site

WordPress is one of the most popular content management systems.

In fact, this publishing platform is now used by more than 27.5% of the top 10 million sites. Other platforms such as Joomla and Drupal simply pale in comparison. What makes WordPress so widely supported is its ease of use, making it possible to build a fully functional site in a short period of time.

But the fact that WordPress is so widespread also makes it a target for hackers.

Any security vulnerabilities could make your site susceptible to malicious attacks and even compromise user data in the process. This kind of attack can be absolutely devastating for any business.

A compromised site not only reduces trust with your visitors but could also get your pages blacklisted in Google. In fact, one step that Google is already taking towards a more secure web is displaying a warning for Chrome users if they are attempting to visit a potentially unsafe or deceptive site (e.g. phishing or malware).

Anyone visiting your site after it has been compromised could be met with a full-page warning like this before the page even loads.

The importance of website security cannot be stressed enough.

All it takes is a single attack to bring sales to a complete halt and potentially get your site blacklisted in Google. Getting your site removed from that blacklist is certainly possible, but you will need to request a manual review, which can take several days or even weeks to resolve depending on the issue. A much better approach is to take steps to protect your site before anything happens.

Here we take an in-depth look at how you can protect and keep your WordPress site secure.

Keep WordPress Updated

Updates for WordPress are critical.

An assessment of over 11,000 infected sites found that 75% were on WordPress. More surprising though is the fact that over 50% of those websites were out of date. Updating to the latest version not only gives you access to newer features, but also patches known security flaws that attackers could exploit.

In fact, these vulnerabilities are usually disclosed publicly at the moment the update that fixes them is released. Here is an example of the security changelog published with a WordPress update:

This information is openly available as new updates are released. If you don’t update promptly, you leave your site open to attacks against flaws that are now public. Always update to the latest version to keep your site secure against newly discovered vulnerabilities. If there are any updates available, you will see a notification at the top of your dashboard.

Newer versions of WordPress let you update at the click of a button. Bear in mind that your site will be put in maintenance mode for a brief period until the update is complete. Updating only takes a few minutes, and once it’s finished you won’t need to do anything else.

Don’t feel like manually updating your site each time?

Notifications can be rather annoying. But updating WordPress is one of the easiest ways to keep your site secure. If you don’t want to worry about whether your site has the latest version, you can configure automatic updates with a few simple tweaks.

Open the wp-config.php file and add the following line to it:

define('WP_AUTO_UPDATE_CORE', true);

You can also enable automatic plugin updates by adding the following line to the same file:

add_filter( 'auto_update_plugin', '__return_true' );

And add this line to enable updates for themes:

add_filter( 'auto_update_theme', '__return_true' );

Adding these lines will ensure that your site is kept up to date without requiring any other action. If you’re someone who just can’t be bothered with updates or notifications, you’ll definitely want to configure automatic updates to ensure your site is always up to date.
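As an added example (not code from the original article), here is a must-use plugin that applies the two filters above with a per-extension hold list and logs what the background updater did. Note that add_filter() is not yet defined when wp-config.php is read, so filter calls belong in a file under wp-content/mu-plugins/ (as here) or in the theme’s functions.php, while the WP_AUTO_UPDATE_CORE constant stays in wp-config.php. The hold-list entries and file name are hypothetical.

```php
<?php
/**
 * Plugin Name: Auto-update policy (example)
 * Description: Turns on plugin and theme auto-updates, holding back a short
 *              list of extensions that must be tested by hand first.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins load
 * before regular plugins and cannot be deactivated from the dashboard.
 */

// Hypothetical hold list: plugin basenames (folder/file.php) and theme
// stylesheet folder names that should not update on their own.
const AUTO_UPDATE_HOLD_PLUGINS = array( 'example-custom-plugin/example-custom-plugin.php' );
const AUTO_UPDATE_HOLD_THEMES  = array( 'example-child-theme' );

// $item is the update object WordPress passes to the filter; for plugins its
// ->plugin property is the basename, for themes ->theme is the stylesheet slug.
function policy_auto_update_plugin( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, AUTO_UPDATE_HOLD_PLUGINS, true ) ) {
        return false; // keep this one manual
    }
    return true;      // everything else updates automatically
}
add_filter( 'auto_update_plugin', 'policy_auto_update_plugin', 10, 2 );

function policy_auto_update_theme( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, AUTO_UPDATE_HOLD_THEMES, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 'policy_auto_update_theme', 10, 2 );

// After each background run WordPress passes an array of type => results, each
// result carrying ->name and ->result (WP_Error or false on failure). Write a
// line per item to the PHP error log so a failed update does not go unnoticed.
function policy_log_automatic_updates( $results ) {
    foreach ( $results as $type => $items ) {
        foreach ( $items as $entry ) {
            $failed = is_wp_error( $entry->result ) || empty( $entry->result );
            error_log( sprintf( '[auto-update] %s "%s": %s', $type, $entry->name,
                $failed ? 'FAILED' : 'updated' ) );
        }
    }
}
add_action( 'automatic_updates_complete', 'policy_log_automatic_updates' );
```

Anything on the hold list still appears as an available update in the dashboard and can be applied manually after testing.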

Protect the Admin Area

No matter how secure a system is, an attacker with the right tools can gain access if its owners are negligent. With WordPress, the admin area is a prime target for hackers.

Follow these steps to keep this page secure:

Use a Strong Password

If you use a weak password (e.g. “12345”, “password”, etc.), you put your site at greater risk, as attackers can use automated scripts to brute force their way in. This means repeatedly trying passwords until one finally works. But a long, random password that mixes letters, numbers and symbols makes it impractical for even the most sophisticated programs to crack.

Use a tool such as Strong Password Generator to create a strong and secure password for your WordPress site.

Brute forcing a password like this would take a computer program years or even decades to crack. The downside though is that a strong password is difficult to remember. But the tradeoff is definitely worth it if it means preventing attackers from gaining access to your site. Fortunately, there are a number of password managers available you can use to store your password.

Change Your Username

When you first install WordPress, you’ll be asked to enter a username.

Attackers won’t be able to access your dashboard unless they have both your username and password. Choosing a less predictable username makes brute force attempts harder, because the attacker then has to guess the username as well as the password. So don’t use “admin” when choosing a username.

Limit Login Attempts


As previously mentioned, attackers can use programs to brute force their way into your site. However, there are plugins available, such as Login LockDown, that let you limit login attempts from a specific IP address. If more than a few attempts from that address are unsuccessful, it is locked out for a period of time.
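The same lockout logic as an added example written from scratch for this section (it is not the Login LockDown plugin’s code): a must-use plugin counts failed logins per client address in a transient, and once the limit is reached the authenticate filter refuses the login for the rest of the window, even when the password is right. The attempt limit, window length and file name are assumed values.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (example)
 * Description: Locks a client address out of the login form after too many
 *              failed attempts. Save as wp-content/mu-plugins/login-limit.php.
 */

const LOGIN_LIMIT_ATTEMPTS = 5;       // failures allowed per window (assumed value)
const LOGIN_LIMIT_WINDOW   = 15 * 60; // seconds a failure counts, and the lockout length

// One transient per client address. REMOTE_ADDR is trustworthy only when the web
// server sets it; behind a reverse proxy, have the server restore the real
// client address rather than reading X-Forwarded-For here.
function login_limit_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'login_fail_' . md5( $ip );
}

function login_limit_locked_out() {
    return (int) get_transient( login_limit_key() ) >= LOGIN_LIMIT_ATTEMPTS;
}

// Fired by wp_authenticate() on every failed attempt (wrong password, unknown
// user, or our own refusal below), so attempts during a lockout extend it.
function login_limit_record_failure( $username ) {
    $key   = login_limit_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LOGIN_LIMIT_WINDOW );
    if ( $count === LOGIN_LIMIT_ATTEMPTS ) {
        error_log( sprintf( '[login-limit] lockout after %d failures, last user "%s"', $count, $username ) );
    }
}
add_action( 'wp_login_failed', 'login_limit_record_failure' );

// Priority 40 runs after the built-in username/password checks (priority 20),
// so a correct password is refused as well while the address is locked out.
// wp_authenticate() is also used for XML-RPC logins, so those are covered too.
function login_limit_authenticate( $user, $username, $password ) {
    if ( login_limit_locked_out() ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'login_limit_authenticate', 40, 3 );

// A successful login clears the counter for that address.
function login_limit_reset() {
    delete_transient( login_limit_key() );
}
add_action( 'wp_login', 'login_limit_reset' );
```

Transients are stored in the options table (or the object cache if one is configured), so the counter survives across requests and PHP workers without any extra setup.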

Rename Your Login Page

Finally, another way to protect the admin area is to move the login page altogether. The dashboard is typically accessed from www.yoursite.com/wp-admin. One glaring problem is that hackers know that simply appending “/wp-admin” to a WordPress site’s address will take them straight to its login page.

Protect WP-Admin solves this problem by allowing webmasters to customize the admin panel URL. Bear in mind that this only hides the page from automated scanners that look for the default path; it is a complement to strong passwords and login limits, not a substitute for them.

Protecting the admin area by following these steps can greatly reduce automated attacks on your site.

Enable two-factor authentication

Two-factor authentication adds an additional layer of security by making it even more difficult for attackers to gain access to your account. Logging in not only requires a username and password, but also a one-time authorization code, typically generated by an app on your phone or sent via SMS to a mobile device.

Even if an attacker somehow obtains your username and password, they would be unable to log in to your account without the authorization code. Download and install the Google Authenticator plugin to easily set up two-factor authentication on your site.

In addition to being able to use the Google Authenticator app for verification, the plugin also offers other two-factor options such as email and phone call verification. Two-factor authentication can also be enabled for every account if your site has multiple users.

Use .htaccess to Limit Access to Crucial Files

You can further harden the security on your WordPress site with the .htaccess file. This file is mostly used in WordPress for website optimization such as rewriting URLs to be more user and search engine friendly. But it can also be used to improve your site’s security.

The .htaccess file is typically found in the root folder and can be accessed either through an FTP client or cPanel. There are also several plugins available, including Yoast SEO, which allow you to edit it directly from the dashboard.

Here are several ways to protect your site using the .htaccess file:

Hide wp-config.php

The wp-config.php file is standard with every installation, but it also contains sensitive information such as your site’s security keys and database connection details. These are details that you certainly don’t want in the wrong hands. The best solution then is to block all direct web requests to this file.

Hide the wp-config.php file by adding the following to your .htaccess file. The Order and Deny directives are Apache 2.2 syntax; on Apache 2.4 put Require all denied inside the same <Files> block instead.

<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

Prevent directory browsing

If directory listings are enabled on your web server, visitors can see a list of your site’s folders and files simply by navigating to a folder such as yoursite.com/wp-content/uploads. So you’ll want to prevent directory browsing, as attackers could use this information for nefarious purposes.

Add the following line to your .htaccess file:

Options All -Indexes

PHP files inside your plugin and theme folders are also worth protecting: if an attacker manages to plant or find an exploitable script there, they can run it simply by requesting its URL. Add the following to your .htaccess file to answer direct requests for those PHP files with a 404. Place it outside the # BEGIN WordPress / # END WordPress markers, since WordPress rewrites that block. Some plugins legitimately need a few of their PHP files to be requested directly, so replace the placeholder exclude paths with those files or folders and test the site afterwards:

RewriteEngine On
# Plugins: direct requests for .php files return 404, except the excluded paths
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
# Themes: the same rule for theme files
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Adding these changes to your .htaccess file will improve your WordPress site’s security and make it even harder for attackers to gain access. That said, there is no such thing as a completely secure site, as new vulnerabilities are constantly being discovered and exploited.

Which is why you need to have a backup plan in the event that things take a turn for the worse.

Regularly Back Up Your Site

No matter how many safety measures you take, your site could still be vulnerable.

Even though WordPress has been around for well over a decade, the development team is constantly identifying and fixing security issues. Not to mention that any new themes or plugins you install could also have vulnerabilities that have not yet been fixed.

Which is why it’s a good idea to back up your site regularly. That way you can quickly restore it and minimize any losses if your site is taken down by an attack.

You’ll want to make sure that your site is backed up on a regular schedule and that the backups are stored off-site, for example in the cloud. If your own computer is compromised, you’ll still be able to reach that backup and restore from another device. We recommend using an automated solution such as BackupBuddy.


Most backup solutions require a paid subscription. But if you rely on your website for your business, paying is well worth it for peace of mind alone. In the event that your site is taken down due to an attack, you can work with your hosting provider and easily revert your site to a previous version with a backup.

Conclusion

While WordPress itself is relatively secure, adding themes, plugins, and custom code increases the likelihood of a security vulnerability which hackers can (and do) exploit. Unless you take certain security measures right now, your site could be a potential target.

It’s important to note that no system is completely secure. But there are precautions you can take that will greatly reduce the chances of being affected by a malicious attack.

Follow the steps as outlined here to harden your WordPress site’s security.
