WordPress Security: 14 Steps to Secure Blog From Hackers

Do WordPress Security matters to you?

WordPress users are always on a threat of website or blog being hacked.

The reason being, WordPress is open-source software and hosted on third-party hosting services. Brute Force attacks are quite common and well known among WordPress users.

Strengthen your WordPress Blog Security hosting on powerful and secure oriented Host like SiteGround.

But, thinking of it, will you stop using WordPress?

I am sure you said no. As WordPress has immense robust features that simplify your blogging process and beautify it. So, no one can resist it. Agreed?

Every product or tool has its pros and cons, so do WordPress. There are plenty of ways how you could secure your WordPress blog from hackers.

Now, if you are not taking care of the security measures at all, sorry to say it would be your fault if the blog is being hacked.

How to secure WordPress website from hackers

Intentionally or unintentionally, maybe after creating a blog you forget to apply some security to it, resulting blog hacked.

Instead, cursing on your self later, it’s better to prevent WordPress hack now.

Makes sense?

If it does let jump into and see some awesome WordPress security tips and create a shield out there around your blog.

HEADSUP – If you think these are too many steps to secure your WordPress website or don’t wanna manage your website manually, simply Get Astra Security.

It is a complete and Full Proof solid security system which keeps away from all the DDos attacks, malware injections, in fact any kind of security threats and hacks.

1. Create a Site backup

First things first, it is always advisable before making any changes to your website always make sure that you are taking a backup of your WordPress backup.

Backup WordPress

For doing the same there is plenty of WordPress backup plugin out there you can make use of.

Both free ones and paid are available, few of the recommended ones are,

I assume you have installed one of the backup WordPress plugins and performed a backup. Now you are good to go with the next steps.

I recommend one should schedule their backups after every post published. Or even after making any changes to the posts or to the blog database.

2. Change Your WordPress Username

While creating a blog, you will be having an option called username, which is used to login to your blog or website.

Generally, most of the people keep it as default “admin” and forget to change later on.

Just assume how easy it could be to guess that for even by a mediocre hacker. haha! I had a smile on your face.

You have to make it a unique one, which could not be guessed at all. If you don’t know how to do that, here I have created a guide to change the WordPress username with ease.

3. Change the WordPress login URL

Again by default, WordPress creates a URL for your website to make a login. I hope you have already observed it. It starts some like yourdomainname/wp-admin

This goes common for any of the websites, and easily guessed by hackers too. So rename it sooner as possible and get rid of the sword hanging on your head all the time. Here is the guide to change the WordPress login URL.

4. Don’t Ignore Lockdown feature

Saying Lockdown means, you should set up a lockdown feature for your WordPress blog.


WordPress hacks can be done manually and through bots as well. So, in this case, you should minimize the failed attempts.

That states if someone guessed the wrong username or password, their IP will be locked down for further attempts. And that makes complete sense. Isn’t it?

You will have the full control to assign the failed attempts with the security plugin.

How many attempts should you assign? – It’s completely up to you, generally, it’s wise to keep 3 failure attempts. 2 can also make sense, but don’t make it to 1, as sometimes even you can mistype your username or password. In that scenario, you would be locked down too. haha!

Wordfence and similar many plugins have lockdown feature. And if your security plugin doesn’t have such a feature, then you can always make use of the popular plugin Login Lockdown.

5. WordPress Regular updates

WordPress comes up with regular updates, by adding many bug fixes. A WordPress user should upgrade it frequently, whenever it notifies.

Many frequently updated security features can secure your WordPress website.

These updates can only strengthen the WordPress security process to a further level.

6. Remove WP version

As we have already talked about the WordPress updates. Now it also makes sense, that you should hide your WordPress version to the hackers.

Wondering how they can see the WordPress version which you are using as you have the login credentials?

It’s easy for the hackers to check the WordPress version by the source page. They just need to

right-click( on the webpage) – View Page source –  CTRL F(Search for Version). It will look something like the below tag.

<meta name=”generator” content=”WordPress 4.8.2″ />

7. Two-factor authentication(2FA)

Have you ever use two-factor authentication for your gmails. If you are familiar with that, you might have already guessed what I am talking about.

Two Factor Authentication

Two-factor authentication security is a way to protect the WordPress site from hackers with ease.

If you connect your blog to your mobile phone for two-factor authentication, you will receive an OTP while login. Putting that number in you would be able to log in.

This extends the security to a further level and adds one more layer to it. Here is a quick tutorial on WordPress Two-factor Authentication.

8. Start using an SSL

An SSL Certificate encrypts the data and does the job difficult for hackers. In fact, SSL is useful in many ways.

And these days its quite easy to get one at a very reasonable cost from well know brands.

Start using SSL

It also increases the trust of the visitors to buy a product from your website by making an online transfer. As their data would be safe with an SSL, which keeps the information safe.

SSL makes sure that the transfers between the browsers and the servers are absolutely safe and secure. And there is no leak in between.

It’s wise to go with it, even if you don’t sell anything on your WordPress website as well.


As Google has already mentioned SSL as a ranking factor on their official blog along with their many other factors.

Furthermore, not having SSL also affects user experience. Popular security tools such as browser VPN extensions and HTTPS Everywhere software discourage their users from using unsecured websites. The two factors combined can significantly impact your traffic.

9. Choose the best Security plugin

Apart from adding many layers of security, it’s good to go with an awesome security plugin.

Security Plugin

There are plenty of good security plugins in the WordPress repository, though I can list a few of the best ones.

These plugins are available for free, with quite decent security features. Though, you can upgrade to their pro version for more extended features.

A security plugin does a lot of blocking jobs in the backend.

It keeps the spam away and blocks the IP’s throttled for accessing your WordPress blog quite frequently. Scan your website for any malicious threats.

Set a decent firewall against the brute force attacks and DDO’s attacks and much more. So, don’t avoid installing a security plugin and protect the WordPress site from hackers.

10. Create Strong Passwords

Strong Password

You might do a lot of stuff to secure your WordPress website, but seldom folks avoid to keep the basics right. 🙂

As you do it for other social profiles and email accounts as well, creating strong passwords.

Similarly, it’s important to follow the same for your WordPress site, as WordPress sites get hacked like anything. Now it doesn’t matter what the blog size is. Hackers find interest in all. LOL!

Saying a strong password meant, don’t use anything which is related to you. Avoid almost everything, Name, Birthdate, Employee ID, girlfriend name, haha anything which could be guessable.

generate secure password

Having trouble coming up with great ideas for your passwords? You can always take the help of some online password generators tools, I use LastPass Password Generator to create a secure password.

Alternatively, you can also use the below tools,

There are plenty of ways to change the WordPress login passwords. Like from your WP Dashboard or from WordPress database PhpMyAdmin as well in case no access to WordPress dashboard.

Simple way – Quickly hop into WordPress DashboardUsersYour Profile and scroll a bit down to see the New Password button in the Account Management Section.

Hitting the button will give you a unique strong password and finally hit the Update profile button to save the changes.

Your WP login password has been changed, hoping you have copied that new password with you or else we need to reset the password from the database.

11. Change Database Table Prefix

While installing WordPress on your servers, you might have already observed a dialog box asking for a certain prefix to start something like wp_. That means. This is basically for your WordPress database. The folder starts with wp_.

wp table prefix

No wonder, whatever is common, can be guessed by the so-called hackers. So it’s also advisable to change the prefix of something of your own. You can add anything mywpsite_, friendswp_ and so on.

I can easily be done by getting into your website database. But, if you are not that familiar with all the techie stuff, plugins are always there.

Quickly install WP-DB Manager, to get this job done.

12. Don’t use Null themes and Plugins

WordPress theme hack is quite known. Say a big no to themes, this is one thing which doesn’t need any effort to hack by the third person. You are doing it you’re self if used null themes or plugins.

There are many blogs offering some free themes and plugins saying as a giveaway. Installing those could be dangerous from the perspective of WordPress security.


The codes might be already injected into those to extract the data from your website.

I am not saying all the website does such things. But, it’s always wise to give a try to those plugins or themes on your demo site. Makes sense?

Try it for a while to check how legit those products are. Never install those on your WordPress website which is already live.

So be wise while installing Plugins or themes. WordPress repository offers all the checked themes and plugins. But, if you are buying it from third-party websites, do check up once.

13. Protect WP-config.php file

WP-config is an important part of your WordPress website. All the sensitive data gets stored over there. It can be located in the root directory public_html, where all your WordPress files are.

This is the file if accessed can expose your complete website. I am sure none of the WordPress users want that.

Trust me, if you hide this file in some other directory, it could be really head-scratching for the hacker to step into.

Note: Don’t worry even if you change the location of it, the site won’t break, check out the below steps, how you could Change Wp-Config location.

How to protect WP-config.php file

There are few ways to do so via .hta access and through your file manager as well.

The most easier way would be through the file manager, assessing the root directory public_html.

Find your WP-config file there and move it to the up level. That’s it. Now, it won’t be accessible at all. Your WP-Config file is secure now.

14. Disable Directory browsing via .htaccess

This is another, step in which a webmaster looks into. Which is not well known when it comes to securing the website.

Disable directory browsing

But if the browsing of your root directory is not disabled. A reader, visitor or hackers make access to the files like the themes, plugin, image and much more.

Here is the step by step how you can disable directory browsing in WordPress via .htaccess.

Final Words on Securing your WordPress Blog

An approach towards Securing your WordPress blog might take some time, but once and all.

And it’s worth it. Before spreading the news on social media “my website got hacked.” It’s wise to take care of some security measures, as your hard work on your blog matters.

And make sure you have given a great shed for your blog to live.

As per experience, I found SiteGround host to be one of the best in terms of powerful and optimized performance and security.

You Turn, Are you ready to prevent website hacking?

Consider sharing, if this helps. Thanks!

Affilaite Disclaimer - The post you are reading might contain few affiliate links, that states if you buy any product clicking on those links I may receive a small commission out of it, no additional cost to you at all. This way you are helping me running this site effectively. I share unbiased view-point from my personal experience. Full Disclaimer

Man Behind the Blog - Navin Rao

Blogger | WordPress Savvy

Navin Author
A WordPress Savvy, Content Strategist and creator of this blog. At QuestionCage we talk about Technology, SEO, WordPress to make your blogging venture much successful and eventually let the passive money to flow in.

Along with QC, I maintain my personal blog NavinRao.com as well, where I share my experiences and tips only on WordPress.

22 thoughts on “WordPress Security: 14 Steps to Secure Blog From Hackers”

  1. Hi Navin

    You have shared an amazing guide on WordPress security.

    We get so many tips through your article


  2. Hi Navin

    You have shared an amazing guide on WordPress security.

    Is there any tool to check the website for malicious code with ease?


  3. Hey,
    Been following your website for quite some time. Wondering how it’s efficient when you are with managed hosting. However, I use All In One Security plugin and looks like it is working great.


  4. This is so amazing. I am considering applying this to sites I handle (personal and employer’s client’s). But it’s a long list will take time to practice them all. Great article.

  5. Hello Navin Bro,

    Thank you for this wonderful article on WordPress security. Many of us just think it is not important and neglect them. We realize the importance only when something happens to the site.

    One of my clients’ website was hacked recently, forcing us to pay nearly $70 to get it recovered from a Fiverr guy.

    I will definitely share this useful guide with my client.

    • Thank You, Gururaj. Securing the WordPress website should always be a priority, most of the times only a hacked web owner realized this.

      As he/she had worked hard on their blogs quite hard and someone just snatched it over. Sorry to know about your client’s site.

  6. Hello Navin,

    Wonderful and very informative post. In this technology driven world, we cannot ignore the security. Hackers and fraudsters are always try to sneak into your website and steal your data. These are some of the proven ways to secure your WordPress blog.

    Vishwajeet Kumar

  7. A well-written article, Navin. I think backup is the topmost priority so that we can at least make sure whatever happened, we can at least get back the website. 🙂

    • Absolutely taking regular backup of your website is the basic and important thing to do. Although other security aspects shouldn’t be ignored at all, investing little time in it is completely worth it, instead of cursing ourselves later on.

  8. Hi Navin,
    This is really great post i say, This is very useful for who are using WordPress. The tips which you have written in the article is really useful. I am new to blogging, i have learned a lot form your articles. Thanks Navin. Impressive post.

  9. I am really impress with your blog so 3 words for your website, unique information, good selection of topic and quality. Great tips to secure the wordpress site.

  10. Ita really super and awesome article man. Really a fantastic job Navin. I have become a super fan of your posts. Those are informative and supportive. I will definitely collaborate with you in near future for my upcoming projects. Keep up the good work man. Really appreciate your quality of work.

  11. Hello Navin,

    Awesome post bro. WordPress is very popular CMS among bloggers and the fact is that it is vulnerable to hacking and spamming. I am using All in one WP Security plugin on my blog and it works great for me and secure my site. These are some of the practical and effective ways to secure your WordPress blog. Thanks for sharing these great tips here.

    Have a Great Day 🙂

    • Hi Viswajeet, Go to see you again at QuestionCage. Yes, all in one WP security is a great plugin, to keep the momentum of the security carried on.
      Thanks for your kind feedback. Do subscribe to the blog with more updates.

      Have a great day ahead!


Leave a Comment

QuestionCage Logo Main

Better Security for your WordPress Blog

Get rid of all the Malware injections and stay away from vulnerabilities. Spend a few minutes and sleep tight. Enter your email and get acess to the article.

You have Successfully Subscribed!