The Ultimate WordPress Security Guide 2022 [18 Security Hacks]

This ultimate WordPress security guide is intended to help you secure your WordPress blog from hackers and other online threats. Here, I will show you how to secure your blog from the most common online threats. This guide is for both new and experienced users of WordPress.

If you are a newbie, then this post will help you prevent common mistakes that can lead to a hacked website. Even if you are an experienced user, there are a few things that can help improve the security of your blog.

You should also take some time to learn about these things so that you don’t forget them later on. This will help you avoid making mistakes in the future which may cost you dearly.

Note: If your site has a malware or vulnerability issue, I will not be responsible for resolving it. The purpose of this post is to share guidelines on how to keep WordPress sites secure. There is no guarantee that every method will work on your site, since several factors are involved.

However, follow this guide to protect your site from viruses and malicious or suspicious activity, and to help prevent hacking.

Why Are WordPress Sites Hacked?

The first thing you need to know is why WordPress sites are hacked. Not all websites are hacked for the same reasons. Therefore, if you uncover these reasons or the weak points of a site, you will be able to prevent a hacking attempt.

Hackers attack a website for specific reasons. However, especially for WordPress sites, the hacking process is more straightforward.

The majority of the hacking process is automated. Hackers use specific vulnerabilities in WordPress to spread viruses or malicious code. For this reason, attacks are almost automatic.

Hackers attack many sites using the automated process, significantly increasing their chances of success. WordPress security is all about being proactive. Proper security measures can prevent a site from being hacked.

Basics of WordPress Security

Previously, I have discussed many cases of WordPress websites being hacked. Below are the main weaknesses that hackers exploit.

(1) WordPress Admin Password

Your WordPress site may be hacked if the admin password is weak. Hackers attempt to discover the admin password to complete the hacking process. If they find your password, they will be able to access the admin area and carry out unusual activities. As a result, your website data will be lost. A stolen admin password is effectively a transfer of site ownership.

How to fix: Do not use a weak password. Instead, use a 10-15 character password that combines numbers with uppercase and lowercase letters. You can create strong passwords using the Strong Password Generator.

(2) WordPress Custom Admin Login URL

This is another primary step in the hacking process. Hackers can quickly inject malware if you do not secure your site with a custom admin login URL. The default WordPress login slug is /wp-admin, which is already known to hackers. They attempt to inject malware or viruses using this slug.

How to fix: Keep your site safe from brute-force or manual attacks against the admin panel URL by changing it. You can do this with a plugin: either the free WPS Hide Login plugin or the custom login URL setting in the iThemes Security plugin.

(3) Keeping WordPress Updated

WordPress is a content management system that is regularly updated and maintained by a team of WordPress experts. WordPress automatically updates minor versions, but you will need to update it manually when a major version is released.

The platform is open-source, which means there are numerous plugins and themes available from third parties. Plugins and themes should be updated regularly to fix bugs or malicious code. Thus, if you do not update to the latest WordPress version, third-party plugins or themes can harm your website. The site may even display fatal errors when it loads.

How to fix: Keep your WordPress version up to date. Check for updates regularly and install them as soon as they are available. You can also enable automatic updates for your plugins and themes.

(4) Default “Admin” Username

If you do not change your username during the first time installation, your username will be ‘admin,’ which is the default username of WordPress. Unfortunately, the default username can be harmful to WordPress sites.

How to fix: Change the default administrator username as soon as possible. You usually cannot modify it if you do not set a custom username during the initial installation. To change the username, you can use a WordPress plugin.

You can read how to modify the default admin username from cPanel.

(5) Web Hosting

According to WP White Security, 41% of WordPress websites have been hacked because of the security vulnerability of the hosting environment.

In general, a good WordPress hosting service provides adequate security for WordPress websites. In addition, several hosting providers, including Bluehost, Nexcess hosting, and WPX, offer extra security layer protection to help protect a site from common threats.

Hosting is one of the essential elements of WordPress security. Carefully select a web host that has a high level of protection:

  • Latest versions of PHP and MySQL
  • Optimized for running WordPress
  • WordPress-optimized firewall
  • Malware scanning and intrusive file detection
  • An expert support team that always tries to improve security

An excellent website hosting provider protects sites in the background. They take care of all your data.

  • They continually monitor their networks for suspicious activity.
  • An excellent hosting company will have several virus removal tools at its disposal. They will also protect your website from DDoS attacks.
  • They keep their servers up to date, effectively preventing sites from suspicious activities.
  • They protect your data from malware or other suspicious activity. They keep a daily backup of data to prevent unwanted disk damage.

A shared hosting plan cannot fully protect sites from hackers and other suspicious activities. The main reason for this is that many users share the same server. This allows a hacker to access your site by exploiting another site hosted on the same server. Therefore, you should avoid shared hosting.

For its high level of security and daily backup capabilities, I recommend Bluehost WordPress-managed hosting. It is the most popular managed hosting provider among bloggers worldwide and is recommended by WordPress.

(6) Limit Login Attempts

To hack a WordPress site, hackers always use brute force methods. Usually, they use random usernames and passwords. Therefore, enabling limited login attempts is the most effective way to prevent brute force attacks on WordPress sites.

How to fix: To stop repeated login attempts by hackers, you can install Limit Login Attempts Reloaded. This plugin blocks users or hackers coming from specific IP addresses.
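
To see the kind of traffic such a plugin is meant to block, the following added example (not part of the original guide or of any plugin) counts failed logins per IP address in a web server access log. It assumes the combined log format and that a failed WordPress login answers the POST to /wp-login.php with status 200 while a successful one redirects with 302; the log lines and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [10/Mar/2022:10:00:{s:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 4512' for s in range(0, 40, 5)]
    + ['198.51.100.4 - - [10/Mar/2022:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4512',
       '198.51.100.4 - - [10/Mar/2022:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
       '192.0.2.9 - - [10/Mar/2022:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4512'])

# Only login submissions (POST) are of interest; GET just renders the form.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /wp-login\.php[^"]*" (\d{3}) ')

def find_bruteforce(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: failures} for IPs exceeding max_failures in any sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp, status = m.groups()
        if status != "200":  # assumption: 302 means the login succeeded
            continue
        failures[ip].append(datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = worst = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1  # drop attempts that fell out of the window
            worst = max(worst, end - start + 1)
        if worst > max_failures:
            flagged[ip] = worst
    return flagged

if __name__ == "__main__":
    for ip, count in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 5 minutes")
```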

(7) Remove the WordPress Version Number

This is another essential factor for hackers when breaking into a website. Hackers always pay attention to which WordPress version you are using. By default, WordPress displays its version in your site’s code:

<meta name="generator" content="WordPress 3.9.1">

Sadly, this information is beneficial for hackers, as they will quickly determine which version you are using. For example, if you use an earlier version of WordPress with a security hole, hackers can quickly determine the vulnerabilities of your current version.

How to fix: To resolve this problem, you should remove the WordPress version from your active WordPress site. You can remove the WordPress version in several ways. First, the following code can be placed at the top of the theme’s functions.php file to disable the WordPress version.

remove_action('wp_head', 'wp_generator');

On the other hand, if you don’t want to add the code, you can remove the WordPress version number by installing the plugin Version Info Remover.

(8) Disable File Editing

When a hacker or spammer hacks your site, they can damage or change files. So to keep your WordPress secure, you should disable file editing.

How to fix: If you want to protect your WordPress files from being hacked or edited by an unknown person, you may add the following code to wp-config.php.

define('DISALLOW_FILE_EDIT', true);

You can also use a security plugin. I highly recommend iThemes Security Pro.

(9) Consider Two-Factor Authentication

Two-factor authentication is a high-level security measure for WordPress sites. Adding two-factor authentication will enhance your site’s security.

You will need to enter a verification number for each login if you enable this service. So a hacker cannot hack a website if it is enabled.

How to fix: Use a 2-step verification plugin. Wordfence is the top choice for website security and 2-step verification.

(10) Change WordPress Salts & Keys Regularly

Cookies and browser cache are used to verify the identity of logged-in users and commenters. WordPress stores these cookies to enhance the security of the login information.

WordPress includes secret authentication keys and salts in the wp-config.php file and uses them when it generates these cookies. These secret authentication keys and salts act as a type of strong password that is more complex and random.

Some plugins allow you to change the WordPress salts and keys. One of the best plugins for changing WP salts and keys is iThemes Security.
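
Before changing anything, it helps to know what state wp-config.php is in. The following added example (not part of the original guide or of any plugin) audits a config for the DISALLOW_FILE_EDIT setting from step 8 and for the eight key and salt constants discussed here. The sample config is constructed, and the 32-character minimum length is an assumption of this example.

```python
import re

SALT_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

# Matches active define('NAME', value); lines; commented-out lines do not match.
DEFINE_RE = re.compile(
    r"""^\s*define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*\)\s*;""",
    re.M)

def parse_defines(php_text):
    """Map constant name -> string value (bare words such as true are lowercased)."""
    return {name: bare.lower() if bare else (sq or dq)
            for name, sq, dq, bare in DEFINE_RE.findall(php_text)}

def audit_wp_config(php_text, min_len=32):
    """Return a list of findings; min_len is an assumed floor, not a WordPress rule."""
    defs = parse_defines(php_text)
    findings = []
    if defs.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    seen = {}
    for name in SALT_NAMES:
        value = defs.get(name)
        if value is None:
            findings.append(f"{name} is missing")
        elif value == PLACEHOLDER:
            findings.append(f"{name} still has the sample placeholder")
        elif len(value) < min_len:
            findings.append(f"{name} is shorter than {min_len} characters")
        elif value in seen:
            findings.append(f"{name} reuses the value of {seen[value]}")
        else:
            seen[value] = name
    return findings

# Constructed sample config (the values are filler, not real secrets).
_values = {n: str(i) * 64 for i, n in enumerate(SALT_NAMES)}
_values["NONCE_KEY"] = PLACEHOLDER              # never replaced after install
_values["NONCE_SALT"] = _values["AUTH_SALT"]    # copy-pasted duplicate
del _values["LOGGED_IN_SALT"]                   # deleted by accident
SAMPLE_CONFIG = "<?php\n// define('DISALLOW_FILE_EDIT', true);\n" + "".join(
    f"define( '{n}', '{v}' );\n" for n, v in _values.items())

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print(finding)
```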

(11) Use Secure File Permissions

Suppose someone gains access to your server directory file and writes to it. How will you prevent this from occurring? Directory rewriting is another method of hacking WordPress sites.

For example, insecure permissions for directories and files are:

  • Directory – 777
  • File – 666

How to fix: How can you prevent files from being changed because of loose directory permissions? You can change the permissions through your host control panel (cPanel) or an FTP client.

You can change those permissions from 777 to 400 or 666 to 444, but it is hard to lock down WordPress directory permissions manually. Thus, you can use the iThemes Security plugin, which allows you to lock down all types of directory permissions with a single click.
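
To find out which directories and files currently carry permissions like 777 or 666, the following added example (not part of the original guide or of any plugin) walks a site directory and reports every entry that any user on the server can write to. The demo tree and its file names are constructed; point `find_world_writable` at your own WordPress root instead.

```python
import os
import stat
import tempfile

def find_world_writable(root):
    """Return sorted (relative_path, octal_mode) pairs that any user can write to."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; skip it
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:  # the "others may write" bit (e.g. 777, 666)
                hits.append((os.path.relpath(path, root), oct(mode)[2:]))
    return sorted(hits)

def build_demo_tree():
    """Create a constructed, throwaway tree that mimics a WordPress layout."""
    root = tempfile.mkdtemp(prefix="wp-perms-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel, mode in [("wp-config.php", 0o666), ("index.php", 0o644),
                      ("wp-content/uploads/logo.png", 0o644)]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)  # explicit chmod, so the result ignores the umask
    os.chmod(uploads, 0o777)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    return root

if __name__ == "__main__":
    for rel_path, mode in find_world_writable(build_demo_tree()):
        print(f"{mode}  {rel_path}")
```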

(12) Use sFTP Whenever Possible

Use sFTP rather than FTP when editing files on a website. Hackers can be clever about attacking a website through the network. Let me clarify.

Both SFTP and FTP are methods of transferring data between two remote hosts. Plain FTP, however, transfers data in plain text only.

When a user launches a regular FTP session, the entire transmission between the host and the user is unencrypted. The result is that anyone with a basic understanding of networking can read all of the data, including the password information.

SFTP provides greater security than FTP. sFTP delivers a higher level of protection to your data by using the SSH2 protocol to transfer data privately.

If you use the SFTP protocol instead of FTP, all data related to the session is encrypted in transit. Thus, your password information will be more secure and difficult for unauthorized users to discover.

Download sFTP & FTP Software for Windows

(13) Use SSL on Your WordPress Site

What does SSL stand for? SSL stands for Secure Sockets Layer. When you visit a website and see a padlock icon (green or black) to the left of the https or www in the address bar, the site has an SSL certificate.

SSL encrypts the connection between your web server and your visitors’ web browsers. If you don’t use SSL on your site, then you won’t be able to secure your connections, which can compromise your site’s security.

Note: Nowadays, SSL is the most important Google ranking factor.

How to fix: You can use an SSL certificate for your WordPress site. Secure Sockets Layer establishes a secure connection between your server and the browser of your web visitors that helps prevent sites from being hacked.

I recommend Namecheap SSL service which is more secure and reliable.

(14) Use an Automatic Logout System

Sometimes logged-in users are away from the computer screen. During this period, someone can change their password, hijack their session and change their account.

Therefore, it is very harmful to the security of WordPress sites. To prevent such an occurrence, you should implement an automatic logout system.

How to fix: You will need to install the Inactive Logout plugin. After activation, go to WordPress Settings > Inactive Logout and set your idle timeout. You are now done.

You can also activate the ‘Popup Background’ option to hide after logout. Activating this option will remove the transparency.

(15) Add Security Questions To Login Screen

You can use security questions on the WordPress login screen. This is one form of two-factor authentication. Adding a security question to the login screen makes WordPress more secure.

How to fix: To add security questions to the login box, first install the WP Security Question plugin. Next, go to WP Security Question > plugin settings, then enter the security question. Finally, you can remove questions by clicking the Remove text button.

WordPress Security Without Coding

(16) WordPress Backup Solution

I have previously discussed many reasons why a website might be hacked. When your site is hacked, what can you do about it? First, you should restore the site as soon as possible by using a WordPress backup plugin. Without this, there is no way to restore the site.

Several backup plugins are available, but I recommend UpdraftPlus, a free backup plugin for WordPress users. Keep backups of your files manually on your computer drive or in remote locations such as Dropbox, Amazon S3, etc.

Also, I recommend backing up your website files on a daily basis rather than on a weekly or monthly basis. Set a backup schedule daily or for a predetermined time.

The plugin is simple to use and does not require any coding skills. An alternative is available. Click here for more information about the best WordPress backup plugin.

(17) Best WordPress Security Plugin

After successfully backing up your files, plugins are still necessary, since not all of us know how to code or design. In addition, you should install or set up a monitoring system to keep track of unwanted activities from different sources.

A good monitoring system continuously handles file integrity monitoring, failed login attempts, malware scanning, etc.

In terms of security, why are you not using a security plugin? A good security plugin can help prevent sites from being hacked and reduce the time required to analyze security levels or threats.

I recommend iThemes Security and Sucuri, which are premium WP security plugins. Both offer free versions that cannot fully protect your site from hackers and suspicious activities. However, you can use the free version for some security benefits.

(18) Enable Web Application Firewall

The easiest way to secure WordPress sites is to use a good web application firewall that will take care of your WordPress security needs. The best web application firewall will block all malicious traffic before reaching your website.

My recommendation is Sucuri web firewall, the best-rated web firewall on the market. Your site will be protected from a variety of angles, including DNS-level website firewalls, application-level firewalls, network firewalls, and more.

In addition, it will provide you with real-time data monitoring directly to your e-mail account. So before something terrible happens, you can be aware.

Sucuri guarantees malware cleanup and blocklist removal. Moreover, they ensure that if your site is hacked under their supervision, they will fix your hacked website free of charge.

Usually, fixing a hacked website costs $250-300 per hour. Professional developers generally charge this amount. Alternatively, you can use the Sucuri web application for only $199 per year, which is quite affordable.

Improve your Advanced WordPress Security with the Sucuri Firewall »

Last Advice

Finally, I hope this WordPress security guide will assist you in improving the security of your WordPress websites. Please use the plugins I recommend and follow the instructions I have tested.

If you have any questions regarding WordPress security, please comment below. Also, if you find this guide helpful, please share it with your friends & colleagues.

  • Palash Talukder

    Palash Talukdar is a digital marketer & the founder of WP Basic Pro. He has been building and managing WordPress websites for 5+ years. He loves to write about WordPress, SEO, marketing, productivity, and web performance.

    https://bd.linkedin.com/in/palashpro