How to Secure Your WordPress Website

Millions of websites get hacked every year and many people consider WordPress as a vulnerable CMS(Content Management System). This creates the need by many people to secure your WordPress website.

It’s obvious to feel scared because no one wants to lose his/her years of hard work. If you use LinkedIn, you may easily find people asking for help related to website security.

It’s because most of the WordPress users are non-techie. If you’re also a non-technical person, you may resonate with the fear of losing your website.

One of the biggest mistakes is to blindly trust your web hosting company. It happens every day that people complain of getting their website hacked because the web hosting companies promised to handle everything.

Just to clarify, a web hosting company does the best but it can’t apply the security levels you should. The company does its job and you should do yours.

Only you can secure your WordPress website. Does this ring a bell to you? It should.

Now you may be wondering how a person without any coding skills can handle a website and secure it. I have an answer for that.

Go through the checklist and tell me later.

The Important Things You Should do to Improve Your Website’s Security

You’re going to read the basics as well as the advanced level of security levels. Stay connected and read carefully.

#1. Don’t use the default username

I deal with a lot of clients and most of them keep the default “admin” username. When you install WordPress, the CMS gives you the freedom to choose your username but most of the people ignore it.

They keep the default username which can be hacked. Everyone knows that “admin” is the default username.

Nowadays, the web hosting companies have started offering an option to add the username while using the one-click WordPress installation.

#2. Change the default database tables prefix

Not everyone knows that the default prefix for all the database tables is “wp_” but hackers know it. It’s always recommended to change it.

If you’re building a new WordPress website, you can see an option to choose the custom database prefix while installing WordPress. But if you already have a website, you can change it either using a plugin or manually.

For the non-techie people, the manual method isn’t feasible. They can use a plugin for this. Most of the security plugins allows you accomplish this.

#3. Disable WordPress directory browsing

If you add /wp-includes/ at the end of your website’s URL and you see a few files, it means your website is insecure. Anyone can see the whole file structure and easily inject a code.

For example, you open

And you see these.

  • Parent directory
  • Admin directory
  • Text

This simply means that when you click on these folders, the data of your website will get revealed. To block this, you need to add a code to the .htaccess file of your website.

Options -Indexes

After adding this, when you open the same URL, you will see a 403 Forbidden Error. It means no one has the authority to access those directories.

#4. Password protect your admin directory

WP-ADMIN is the folder which is really important for your WordPress website. If your admin directory is vulnerable, hackers can easily break into your website and take control.

The common word when someone someone breaks into your website through the login page is brute force attack. It’s recommended to password protect this directory.

Before even opening the WordPress login page, an extra layer will be added which will require a password. There are two ways to accomplish this.

  • Using a plugin
  • Manually using the cPanel

#5. Limit Login Attempts

To secure your WordPress website, you should save it from brute force attacks. Many hackers use different usernames and password combinations to log into a website.

If you limit the login attempts, the IP will get blocked after the limited number of attempts. Let’s say you limit it to 3 attempts and someone keeps using the wrong login credentials, that particular IP will get blocked.

Now you may be wondering how to accomplish this. Most of the special plugins to limit login attempts are outdated so you can use a security plugin.

#6. Disable PHP Execution

As you know, WordPress code, its plugins, and themes have the PHP code and that hackers inject this similar code to a website.

But if you disable the PHP execution, no extra code will get added to any of the WordPress files. Many people complain about their WordPress theme getting hacked, it’s because of the PHP files.

You can stop it by adding a small code to the .htaccess file of your WordPress website. You have to use the FTP or the cPanel to do so

This file is hidden, so make sure you enable to see the hidden files in the file manager.

<Files * .php>

deny from all


Open the file, add this code, and save.

#7. Using a Custom Login Page URL

You can open the login page of your WordPress website by adding /wp-login.php/ at the end of the main URL. Rather, you can use /wp-admin/.

Have you ever thought of using a custom login page URL of your own choice? You may use something only you can remember.

For example:


It’s your choice. This can be done using a security plugin.

#8. Don’t forget to update WordPress, its plugins, and themes

When you use the older version of WordPress, any plugin or the theme, the vulnerability increases. It’s because the hackers may have already found a way to hack into the old versions.

#9. Use a security plugin

To secure your WordPress website, it’s really important to have a security plugin installed. If you have noticed, in almost every point mentioned above, you read the use of a security plugin.

It’s because not everyone is a technical person to accomplish adding the security layers manually. So choose a security plugin which allows you to do those from your WordPress admin dashboard.

Choose any of these top security plugins.

  • All In One Security and Firewall
  • Wordfence
  • iThemes Security
  • Sucuri

I prefer the first plugin because it’s lightweight and has all the options I mentioned above.

#10. Using strong passwords

This is not something you should be told every time you read about security but it’s a must-have thing to keep in your mind.

It’s so lame that people use their name, surname, their dog’s name, lover’s name as the password. The password should be a combination of capital letter, small letter, numbers, and special characters.

Try to mix everything up and generate the strongest password you have ever used.

Let me show you some examples.

  • G*ob%^v0s@?NQ)@2
  • (#)Tn72^#*C2Xo%y8

You may be wondering as if how you can remember such password. It’s simple, make a pattern of your own and use the different keys to transform your simple password to the strongest password.

Do You Think You Can Secure Your WordPress Website

After applying all the above security layers, your website will be secured. But it doesn’t mean it can’t be hacked. It’s really important to have a reliable web hosting company because all the data of your website is on their server.

If the server gets hacked, your all the security layers will do nothing. And of course, it’s very important to keep the backup of your website and its database.

Now you may say that your web hosting does that for you. Well, if the server gets hacked, it means the backup is also hacked.

So, it’s necessary to keep the multiple copies of the backup. You can use Dropbox, Google Drive, your hard drive to store the backup.

If you can’t do it every day, at least do it once in a week.

I hope these tips will help you secure your WordPress website. If you still have any questions, feel free to drop a comment.


Check out the top 3 WordPress hosting services:

$2.49 /mo
Starting price
Visit HostArmada
Rating based on expert review
  • User Friendly
  • Support
  • Features
  • Reliability
  • Pricing
$4.00 /mo
Starting price
Visit Kamatera
Rating based on expert review
  • User Friendly
  • Support
  • Features
  • Reliability
  • Pricing
$2.00 /mo
Starting price
Visit Hostens
Rating based on expert review
  • User Friendly
  • Support
  • Features
  • Reliability
  • Pricing

How to Install Google re-CAPTCHA on Your Wordpress Site

In this guide, we will show you how to install re-CAPTCHA on your WordPress site
3 min read
Avi Ilinsky
Avi Ilinsky
Hosting Expert

How To Edit Your WordPress Website's .htaccess file Using cPanel

There are many files and folders present in the WordPress direc
4 min read
Michael Levanduski
Michael Levanduski
Expert Hosting Writer & Tester

How To Password Protect the wp-admin Directory Using cPanel

One of the biggest fears is to lose the website you have devote
4 min read
Avi Ilinsky
Avi Ilinsky
Hosting Expert

How to Disable Directory Listing in cPanel

In this article, we will show you how to disable directory indexing or browsing
1 min read
Idan Cohen
Idan Cohen
Marketing Expert provides professional web hosting reviews fully independent of any other entity. Our reviews are unbiased, honest, and apply the same evaluation standards to all those reviewed. While monetary compensation is received from a few of the companies listed on this site, compensation of services and products have no influence on the direction or conclusions of our reviews. Nor does the compensation influence our rankings for certain host companies. This compensation covers account purchasing costs, testing costs and royalties paid to reviewers.