WordPress Security Guide - Step by Step (2021 Updated)

WordPress Security Guide - Step by Step (2021 Updated)
WordPress Security Guide - Step by Step (2021 Updated)

Security is an extremely important topic for every WordPress website owner, and Google blacklists about 10,000 websites a day for malware and about 50,000 websites a week for phishing.

Although the WordPress kernel is very secure and is regularly reviewed by hundreds of developers, there is still a lot you can do. Security isn't just about eliminating risk, it's also about reducing risk, and there are a variety of viable steps you can take as a website owner to ensure your website is protected from security breaches.

A compromised website can seriously damage your business revenue and brand reputation. Hackers can steal user information, steal financial data, plant back-end code, or even distribute malware to your users. Worse, you may have to pay extortion fees to hackers just to regain access to your website.

In March 2016, Google reported that more than 50 million users have been warned that the websites they visit may contain malware or steal information. Similar to protecting a brick-and-mortar store is the responsibility of the business owner, as an online website owner, it is your responsibility to maintain the security of your website.

Keep WordPress updated

WordPress is an open source software that is regularly maintained and updated, with minor updates installed automatically by default, but for major versions you need to do it manually. In addition, you have access to thousands of themes and plugins that are maintained by third-party developers that also release updates regularly.

With so many updates critical to the security and stability of your WordPress site, you need to make sure that all cores, plugins and themes are up to date.

Strong passwords and user permissions

Password theft is a favorite attack method used by hackers, and you can solve this dilemma by using strong passwords unique to your website, not only for WordPress dashboards, but also for FTP accounts, databases, web hosting, and email addresses for your own domain.

Many beginners don't like to use strong passwords because they are hard to remember. The good news is that you don't actually have to remember these complicated passwords at all, a password manager can help you with that.

Another way to reduce risk, don't grant anyone access to your WordPress administrator account unless absolutely necessary. If you have a large team or guest authors, then make sure you understand all the role features in WordPress before adding an account for them.

The role of web hosting

Your web host (or VPS) plays the most important role in WordPress website security, and premium hosting providers like BlueHost, SiteGround, Kinsta and others take extra measures to protect their servers from common threats, and here are the main ways they protect websites and data in the background.

  1. Constant monitoring of suspicious activity in the network.
  2. Providing appropriate tools to prevent large-scale DDOS (distributed denial of service attacks).
  3. Keeping server software and hardware up to date to prevent hackers from exploiting known vulnerabilities in older versions.
  4. Deploy disaster recovery and incident plans so you can protect your data in the event of a major failure.
  5. In shared hosting plans, you share server resources with many other customers, which brings the risk of cross-site contamination and hackers can use neighboring sites to attack your website. Using a dedicated WordPress hosting service can provide a more secure platform for your website. They take care of tasks such as automatic updates, automatic backups, and security configurations to protect your site in all aspects, and we recommend using Kinsta or WP Engine as your preferred hosting provider.

Easy WordPress Security

Improving WordPress security can be a scary thought for beginners -- you're not alone, we've helped thousands of newbies strengthen their site security. Next, we'll show you how to do this at the click of a button, without any coding experience.

  1. install backup solution

Backups are the first line of defense against any cyber attack, and remember that nothing can be guaranteed to be 100% secure. If government and bank websites can be hacked, so can yours. Backups allow you to quickly restore your WordPress site just in case.

You can use many WordPress backup plugins to ensure data security. One thing to note about backups: regularly save site-wide data to a remote location (not a hosting account), Amazon S3, One Drive, Dropbox and other cloud services are good choices.

Depending on how often your website is updated, the ideal setup is to back up once a day or in real time, and you can do this easily with plugins like UpdraftPlus, VaultPress, etc. They are safe, secure and simple to use.

  1. The best WordPress backup plugins recommended
  2. the best security plug-in

After backing up, the next thing to do is to set up a review and monitoring system that will allow you to keep track of everything that happens on your website. This includes file integrity monitoring, failed login attempts, malware scans, etc. Fortunately, the best free security plugin, Sucuri Security, can take care of all of these issues.

After installing and activating the plugin, you will need to go to the Sucuri menu in your WordPress dashboard and first generate a free API key in order to enable logging review, integrity checks, email alerts and other important features.

Next, click on the Hardening tab from the Settings menu, traverse through all the options, and then click on the All Apply Hardening button on the right.

With the help of these options, you will be able to lock down the critical areas used by hackers in their attacks. The only hardening feature of the paid upgrade is the application firewall (Website Firewall Protection), which we will explain in the next step, so we will skip it here for now. After the hardening section is set up, the default plug-in is sufficient for most websites and there is basically no need to make any other changes.

  1. The best WordPress security plugins recommended
  2. Enable the web application firewall

The easiest way to protect your website and feel confident about WordPress security is to use an application firewall (WAF), which will block all malicious traffic before it reaches the site.

  1. DNS-grade web firewalls: routing your web traffic through their cloud servers, sending only truly valid traffic to your web hosting servers.
  2. Application level firewall: checks traffic after it reaches your server and before loading most WordPress scripts. Compared to DNS firewalls, application firewalls are not effective enough in reducing server load.
  3. We used Sucuri and selected it as the best firewall for WordPress applications, you can read the detailed review here.
  4. The best thing about Sucuri is that it comes with a malware removal and blacklist removal guarantee, basically, if you get hacked under their monitoring, they guarantee (no matter how many pages you have) to fix your site. This is a very strong promise because fixing a hacked website is very expensive and security experts usually charge $250 per hour while you are able to get the entire Sucuri security stack for $199 per year.
  5. Migrate your website to SSL/HTTPS

SSL (Secure Sockets Layer) is a protocol that encrypts the transmission of data between a website and the user's browser. This encryption makes it difficult for third parties to sniff and steal information. When SSL is enabled, your website will use HTTPS instead of HTTP and a logo will also be displayed next to the address bar of your browser.

SSL certificates are usually issued by professional digital certificate authorities and range in price from $80/year to $10,000/year. Due to the added cost, many website owners choose to continue using the insecure HTTP protocol. To solve this problem, a non-profit organization called Let's Encrypt decided to offer free SSL certificates and their project was soon supported by Google, Facebook, Mozilla and other companies.

Today it is easier than ever to use SSL on your WordPress website, and many web hosting companies offer free SSL certificates.

  1. How to install a free SSL certificate in WordPress

Further enhance WordPress security

So far, if all the above things have been done, then your site is in good shape. However, as always, there are additional steps you can take to further enhance WordPress security, some of which may require coding knowledge.

  1. change the default admin username

The default WordPress administrator username is admin, and since the username makes up half of the login credentials, it is much easier for hackers to brute force. Fortunately, many web hosting providers have changed this to allow you to customize your username when installing WordPress.

However, some one-click installers still set the default administrator username to admin. Since WordPress does not allow username changes, you can curve the adjustment using three methods.

  1. Create a new administrator user and delete the old
  2. Using the username change plugin
  3. Change username via phpMyAdmin
  4. Disable file editing

WordPress comes with a built-in code editor that allows you to edit theme and plugin files directly in your dashboard, but this feature can pose a security risk if used improperly, and we recommend you turn it off.

You can do this by adding the following code to the wp-config.php file.

// Disable file editing

define( 'DISALLOW_FILE_EDIT', true );

Alternatively, you can use the Hardening function in the free Sucuri plugin mentioned above to do this with just one click.

  1. Disable PHP file execution in some WordPress directories

Another way to strengthen WordPress security is to disable PHP file execution in unneeded directories (e.g. /wp-content/uploads/). You can do this by opening a text editor (e.g. Notepad) and pasting the following code.

deny from all

Next, save the file as .htaccess and upload it to the website's /wp-content/uploads/ directory using an FTP client. Alternatively, Sucuri also allows you to do this operation with one click.

  1. Restrict login attempts

By default, WordPress allows users to make multiple login attempts, which makes your site vulnerable to brute-force attacks. To avoid this problem, you need to limit the number of attempts a user can fail. If you use Sucuri's built-in application firewall, you will not need to do anything and the plugin will handle it automatically.

However, if you do not have a firewall, please install and activate the Login LockDown plugin, and then visit the Settings → Login LockDown menu to set up.

  1. Add dual authentication

Dual authentication authentication technology requires users to sign in using a two-step verification method, the first step is a username and password, and the second step requires you to authenticate using a separate device or app. Most top online sites such as Google, Facebook, and Twitter can enable this feature for your account, and your WordPress site can do the same.

First, install and activate the Two Factor Authentication plugin, then click on the Two Factor Auth menu in the WordPress dashboard at

Next, you need to install and open the authentication application on your smartphone, of which there are several available options, such as Google AuthenticatoriOSAndroid, AuthyiOSAndroid or LastPass AuthenticatoriOS.

In this article, we use Google Authenticator as an example by opening the application on your phone and clicking on the button in the bottom right corner.

The system will ask you if you want to scan the barcode or enter the secret key. Select the scan barcode option and then point your phone's camera at the QR code displayed on the plugin's settings page. After successful scanning, an item will be added to your authentication APP, and the next time you log in to the website, you will need to first enter your password, and then enter the verification code on your mobile app at

  1. Change the WordPress database prefix

By default, WordPress uses wp_ as the prefix for all tables in the database. If your WordPress site uses the default table prefix, hackers will easily guess all table names. To improve security, you can change the table prefix of your database using MySQL client.

Note: If the operation is done incorrectly, your site may not open. You should only perform this operation if you are comfortable with your coding skills.

  1. Disable directory indexing and browsing

Hackers can use directory browsing to discover if you have files with known vulnerabilities and then use those files to gain access. Others can also use directory browsing to view static files, copies of images, directory structures, and other information, so we strongly recommend that you disable the ability to index and browse directories.

Use FTP or cPanel's file manager to connect to your website, find the .htaccess file in the root directory, and add the following line at the end of the file.

Options -Indexes

  1. Disable XML-RPC

Since WordPress 3.5, XML-RPC is enabled by default because it helps connect WordPress sites to web and mobile applications, but because of its power, it is an easy target for brute force hacking. For example, traditionally, if a hacker wanted to try 500 different passwords on your site, they would have to make 500 separate login attempts, but with XML-RPC, a hacker can try all the password combinations in just one request.

There are 3 ways to disable XML-RPC.

Paste the following code into the .htaccess file

  1. order deny,allow
  2. deny from all
  3. Paste the following php code into the global settings
  4. add_filter('xmlrpc_enabled', '__return_false');
    1. Install Clearfy or Disable XML-RPC plugin
  5. Automatic logout of logged-in idle users

Sometimes, logged-in users may leave from in front of the screen, which poses a security risk that others can hijack their session, change their password or reset their account. For this reason, many banking and financial sites automatically log out inactive users, and you can implement a similar feature on your WordPress site.

Simply install and activate the Inactive Logout plugin, then go to Settings → Inactive Logout to configure the plugin settings:.

  1. Add security questions to the login page

Adding security questions to the login page will make it more difficult for others to gain unauthorized access, and you can install the WP Security Question plugin to do this.

Affiliate Marketing FAQ

Fastest Shared Web Hostingers

But if you no with the use of free CDN, Advance cashing now a days we no need to worry about service provider uptime

Fastest Dedicated Server Hosting

But if you no with the use of free CDN, Advance cashing now a days we no need to worry about service provider uptime

Fastest VPS Hosting

But if you no with the use of free CDN, Advance cashing now a days we no need to worry about service provider uptime

High-speed hosting for small busines

But if you no with the use of free CDN, Advance cashing now a days we no need to worry about service provider uptime

How to improve website loading speed

But if you no with the use of free CDN, Advance cashing now a days we no need to worry about service provider uptime

How to Speed Up WordPress Website

But if you no with the use of free CDN, Advance cashing now a days we no need to worry about service provider uptime

How to Score a Perfect 100% on Google PageSpeed Insights

But if you no with the use of free CDN, Advance cashing now a days we no need to worry about service provider uptime

Best CMS Content Management Systems to Make Your Website Load Faster

But if you no with the use of free CDN, Advance cashing now a days we no need to worry about service provider uptime


The only question is, which side are you going to pick?

Let me know in the comments.