13 Tips to Use WordPress Security to Keep Out Hackers
  • By Brent Younger
  • October 31, 2017

Our Blog

It seems like everyday there's a new case of hackers breaking into a large company's database. We've all heard about how Target was hacked and WannaCry, the global ransomware attack. With over 1/4 of the top websites on the Web using WordPress, this volume makes WordPress websites a prime target for hackers.

But, WordPress security has made advances to fend off people who want to break into your website. This blog post covers ways to use authentication, permissions, and other security features to secure your website. While no security method is fool-proof, you'll understand website security best practices. Let's dive into security!

WordPress Security Logo

Credit @ The Theme Foundry


13 Ways to Use WordPress Security to Protect Your Website

1. Authenticate your website with WP security keys and salts

WordPress Security Keys Image

Authentication on WP uses keys and salts to encrypt your data. WP security keys are generated as a new set of random variables every time that one of your website pages is refreshed. These keys help encrypt your cookies and passwords as they travel between the browser and web server.

This way, a hacker cannot intercept or listen to data in transit. If you want to learn more authentication on WP, check out this article by Syed Balkhi about WordPress security keys. Another tool to use WP security keys is the Sucuri plugin.


2. Use a secure hosting environment


Choosing a hosting environment goes beyond affordability. After all, what's the point in choosing the cheapest hosting company if your website is constantly hacked? Hosting companies with the lowest rates often leave out support services for your website in the event that is hacked. 

Look for a hosting company that offers services such as backups, firewalls, malware screening, DDoS protection, and automatic WP updates. Also, create two accounts in your hosting environment. The first is a production environment for your live websites and the second is a staging environment to put your work in progress.


3. Keep your wp-config.php file hidden

wp-config file in a directory

This step is a bit technical but bear with me. There is a file in your website repository called wp-config.php. Your website's default configuration relies on this file. We want to make sure hackers can't access your wp-config.php file. Let's add a couple lines to another file in your website repository to ensure this denial of access.

Locate your .htaccess file. In this file, add the following lines of code:

<files wp-config.php>

order allow,deny

deny from all


Easy right? Adding these few lines of code will keep your wp-config.php file hidden from malicious users.


4. Check your file permissions for correctness

User Permissions on a Computer

Pay close attention when you set up your file permissions. An incorrect file permission can create a backdoor for a hacker to access and manipulate your files. Follow these best practices from WordPress to label your files:

  • directories: 750 or 755
  • files: 640 or 644
  • wp-config.php: 600

For more information on changing file permissions, check out this guide on Changing File Permissions from WordPress.


5. Conceal your WP version

WordPress Version 3.5.1

Revealing information about your WP version can tip a hacker to security flaws in your WP website. This is even more important if you don't automatically update your website. So, we want to keep your WP version hidden.

WP Engine has an in-depth article about how to harden the security of your WP website. The article goes over how to conceal your WP version number. The author discusses how your WP version number should be hidden in your generator meta tag, query strings on scripts and styles, and generator tag in RSS feeds. 


6. Secure your data with SSL


SSL, or Secure Sockets Layer, is a certification of security for a given website. A website that is SSL certified will create a secure tunnel that encrypts all data sent to and from your website. This way, hackers are blocked from seeing sensitive user data on your website. 

To find out whether or not a website is SSL certified, simply look at its URL. A website that starts with an HTTPS is SSL certified, while a website that starts with HTTP is not SSL certified. Keep in mind that SSL certificates are a guarantee that you are accessing a secure website that is linked to the appropriate domain or website.


7. Watch out for incoming attacks

Sucuri Security

You have to stay vigilant on your website's security. Attacks can happen at any time and it's important to monitor and respond to potential intrusions quickly. Tools like Sucuri Security and WP Security Audit Log record security attacks on your WP website.

Malware monitoring is crucial to logging incoming attacks. By using tools to scan your website for malware, you strengthen your website security. Also, you'll be quicker to respond to security issues in real-time instead of hours or days after an attack.


8. Set a limit on login attempts

Limit Login Attempts in WordPress

It makes sense to limit the number of times that a user can attempt to login to your website. By limiting the number of login attempts, you make it harder for a Brute-Force attack to hack your website. Since these attacks target your login form, you can use WP plugins to limit the number of login attempts from each IP address.

You can choose from a variety of WP plugins to set a limit on login attempts to your website. Find the plugin that works best for your needs. Also, remember that hackers may use multiple IP addresses to attempt to login to your website. Choose a tool that can monitor and report on this suspicious type of behavior.


9. Get rid of the admin username

WordPress Admin

If you're using admin as a username, then a hacker already is halfway to breaking into your WP website. Be smarter and use a different username. You can give this username the same administrator permission as the previous admin user. First, create a new user in WP using Users > New User. Then, delete the admin user.

You'll be prompted by WP to either transfer the content assigned to admin to the new user or delete all content. You can easily transfer the data to the new user, which will complete the process of creating a new admin user with a different name.


10. Apply Two-Factor Authentication (2FA)

Two Factor Authentication

Yes, Two-Factor Authentication is a hassle. But, this added layer of security better protects your website. You already use Two-Factor Authentication in popular software like Gmail, Lyft, and Amazon Web Services. Since these large companies use 2FA, it's not too big of an issue to follow their lead. There are plugins that you can use to implement 2FA. Google Authenticator is a popular WP tool to implement 2FA. 


11. Use passwords that are sophisticated

Password Generator

Chances are that your password is less secure than you think. A strong password has length, uniqueness, and complexity. It uses a combination of letters, numbers, and other symbols to create a password that is hard for a hacker to guess, even using a Brute-force method.

Use Strong Random Password Generator to generate strong passwords. It's better to invest more time in creating a strong password then to create a password that can be hacked. Also, consider changing the password to your WP website on a regular basis. This strategy makes it difficult for someone to break into your website.


12. Keep your WP website regularly backed up


Even with other security precautions, it's smart to backup your website. Backing up your website means that you'll be able to rollback your website in the case of an invasion. Plugins such as BackUpWordPress enable you to easily backup your WP website with no setup. Make sure to schedule regular backups for your website.


13. Set up a WP security plugin


If you want to secure your WP website, installing a WP security plugin is a no-brainer. There are two major factors to consider when choosing the best WP security plugin for your website. These factors are rating and compatibility. Let's go over briefly cover each of these factors. 

Every WP plugin has a star-rating on a scale from 1-5. Target a WP security plugin that has a rating of 4-stars or higher and at least 500 ratings. Also, check if the WP plugin is compatible with your WP website version. Avoid plugins that haven't been updated for several months; these plugins may have glaring security flaws.


This is just the tip of the iceberg when it comes to WP security. Let's take a look at the different pieces of advice that we covered in this post.


What We Learned

In our era of cybersecurity breaches, keeping your website secure with WordPress security is crucial. Through authentication, permissions, plugins, and other technical tips, you can make your website harder for hackers to break into your website. Remember no security plan is fool-proof; the key is to use multiple layers to be secure!

Looking for WP security plugins to patch up your website security gaps? Find out the top WordPress plugins with 1+ million installs that you're missing out on.


Download our B2B Website guide to see how our years of WordPress expertise can help you create a responsive, secure website.

Click to Download Our  B2B Website Redesign Guide

What plugins or other WordPress security advice have you found helpful? Share your insights in the comments section below.




Webbege is a leading San Diego B2B website design and digital marketing agency that provides a suite of marketing automation tools. Our clients range from small businesses to Fortune 500 companies. Let's team up and grow your business.

Brent Younger
Brent Younger
Brent joined in late 2016. He loves to share content to help educate our community about digital marketing. In his free time, Brent is an avid power-walker and writer of stories. He tries (but fails) to teach his old cat new tricks.