
How To Secure WordPress Website

WordPress is open-source software, and its code, default paths and plugin ecosystem are known to everyone, attackers included, so you need to take proper security measures for your website and its data. A compromised site can leak user information and passwords, have backdoors or other malicious software installed, and serve malware to your own visitors. Below are the security measures you can take from your end:

  • Keeping WordPress up to date:- The most common cause of a hacked WordPress website is an outdated component. Outdated plugins, themes and core carry publicly known vulnerabilities that are exploited at scale within days of disclosure. Minor (security) releases of core are installed automatically by default; to also receive major core releases automatically, add the following to wp-config.php:

For WordPress core, use:

define( 'WP_AUTO_UPDATE_CORE', true );

Plugin and theme auto-updates are enabled with filters. These cannot go into wp-config.php, which is loaded before the hook system exists (add_filter would be undefined and the site would fatal); put them in a must-use plugin under wp-content/mu-plugins/ or in your theme's functions.php.

For plugins, use:

add_filter( 'auto_update_plugin', '__return_true' );

For themes, use:

add_filter( 'auto_update_theme', '__return_true' );

Automatic updates only help if they actually run: check Dashboard > Updates after enabling them, and keep a backup so a broken update can be rolled back.
  • Secure The WP-Config File:- wp-config.php holds your website's base configuration, including the database credentials and the authentication salts. PHP normally executes it rather than serving it, but a misconfiguration (PHP handler disabled, or a leftover copy such as wp-config.php.bak that the PHP handler ignores) would expose it in plain text. To deny direct web access, add the following to the .htaccess file in the WordPress root:
<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order allow,deny
Deny from all
</Files>
Backup copies like wp-config.php.bak are not covered by this rule; delete them rather than leaving them in the web root. Note also that .htaccess is only honoured by Apache, and only where AllowOverride permits it; on nginx the equivalent rule goes into the server block.
  • Restrict WP-login:- Allow wp-login.php only from specific IP addresses, so that password brute-forcing from anywhere else is refused by the web server before WordPress even runs. Add the following to the .htaccess file in public_html:
<Files wp-login.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require ip X.X.X.X" instead
Order deny,allow
Deny from all
Allow from X.X.X.X
</Files>
In place of X.X.X.X, put your static public IP (several addresses or CIDR ranges can be listed on the same Allow line).

NOTE: Apply this only when you have a static IP, otherwise you will lock yourself out. If the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the client's, so the restriction must be applied at the proxy (or via mod_remoteip) instead. Logins via xmlrpc.php are not affected by this rule; see the next item.

  • Block xmlrpc.php:- The XML-RPC endpoint accepts logins (and its system.multicall method lets a single request try hundreds of passwords, sidestepping per-request login limits), and its pingback.ping method can be abused to make your server send requests to third-party sites, i.e. to use it as a DDoS reflector. If you do not use the WordPress mobile app, Jetpack or another remote-publishing client, block it with:
<Files xmlrpc.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
Order deny,allow
Deny from all
</Files>
Verify by requesting https://<your-site>/xmlrpc.php: it should now return 403 instead of the usual "XML-RPC server accepts POST requests only." response.
  • Restrictions in the upload folder:- wp-content/uploads must be writable by WordPress, so a vulnerable plugin or a stolen Author account can drop a PHP web shell there. The rule below, placed in a .htaccess file inside the uploads folder, refuses to serve anything except the listed static file types, so an uploaded script is never executed even if it does get written:
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</FilesMatch>
Extend the list with the types your site really serves (webp, pdf, mp4 and so on) but never add php, and leave svg out unless you sanitise it, since SVG files can carry scripts. The dot must be escaped (\.) so the pattern matches a file extension; the unescaped form matches any character. FilesMatch replaces the older "<Files ~>" spelling of the same directive.
  • Hide WordPress Version:- If you cannot update immediately, consider hiding your WordPress version: it tells an attacker exactly which publicly known vulnerabilities to try against your site. This is fingerprint reduction, not a fix (the version can still be inferred from readme.html, asset contents or behaviour), so it never replaces updating. There are three places where the version number is exposed:

The generator meta tag in the header:

<meta name="generator" content="WordPress 4.0" />

Query strings on scripts and styles:

subscriptions.css?ver=4.0

The generator tag in RSS feeds:

http://wordpress.org/?v=4.0

To remove the version number from all three places, add this code to your theme's functions.php (or to a must-use plugin, so that it survives a theme switch):

/**
 * Hide the WordPress version from script and style query strings.
 * Only a ver= value equal to the core version is stripped; plugin and
 * theme asset versions are left alone so cache busting keeps working.
 *
 * @filter script_loader_src
 * @filter style_loader_src
 * @param  string $src Asset URL.
 * @return string
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    // parse_url() returns null when there is no query string; cast it, since PHP 8.1+ rejects null in parse_str().
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );

    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/**
 * Return an empty generator string. The the_generator filter feeds both the
 * <meta name="generator"> tag in the header and the <generator> element in feeds.
 */
function wpmudev_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpmudev_remove_version' );

NOTE: Also remove readme.html (and license.txt) from the install root, as readme.html states your version number outright. Core updates put readme.html back, so re-check after every update or deny access to it in .htaccess in the same way as wp-config.php.

  • Avoid Installing Untrusted WordPress Plugins and Themes:- To judge whether a theme or plugin can be trusted, first read its ratings and reviews. There you will find clues to past security breaches or problems, such as buggy updates.

Also check when the plugin or theme was last updated and which WordPress versions it is tested with. If it has not received an update in a long time (say years), that inactivity is a sign you should look elsewhere: a vulnerability reported against it will never be fixed.

  • Don't Forget to Remove Unused Plugins and Themes:- A deactivated plugin or theme is still code on disk that can be reached directly and can still contain exploitable vulnerabilities. Deleting what you do not use makes the site faster and removes that attack surface.

If you use WordPress multisite, try a plugin like Plugin Activation Status to perform a plugin audit and detect unused plugins across all sites in the network. For more, refer to the link below:

  • Install  WordPress security plugins like:-
  • Regular backup of your WordPress site:- Even with all the measures above in place, you should always keep backups of both the files and the database, stored somewhere other than the web server itself, and test that a restore actually works before you need it.

NOTE:  Please follow

  • Enforce Strong Username and password:- Long, unique passwords (a password manager makes this practical) are what actually defeats brute-force and credential-stuffing attacks; lockouts and IP rules only slow an attacker down. Apply this to every account with Author rights or higher, not just to administrators.
  • Use 2FA for adding an extra layer of security to your login credentials, so that a guessed or stolen password on its own is not enough to log in.
  • Change or omit the "ADMIN" username: – "admin" is the first username every brute-force tool tries. WordPress does not allow a username to be changed from the dashboard, so follow these steps:
a) Go to the "Users" section of the WordPress admin panel and create a new administrator account with a non-obvious username
b) Log in as the new user, delete the "admin" account, and when prompted attribute its posts to the new user
Keep in mind that author archives (for example /?author=1) and the REST API can still reveal usernames, so this step reduces noise rather than replacing a strong password and 2FA.
  • Limit Login Attempts:- Out of the box, WordPress puts no limit on how many times someone can guess a password, so a determined attacker can simply keep trying.

To resolve this, limit login attempts per source address (and count failures through xmlrpc.php as well as wp-login.php). Here are some plugins built for this:

  1. Login Lockdown >> https://wordpress.org/plugins/login-lockdown/
  2. Limit Login Attempts >> https://wordpress.org/plugins/limit-login-attempts/
  3. Jetpack Protect >> https://jetpack.com/support/security-features/
  • Monitor Incoming Attacks:- You cannot respond to what you do not see. Tools that scan for malware, watch core files for unexpected changes and log login activity include:

Sucuri Security >> https://wordpress.org/plugins/sucuri-scanner/

  • Use SSL:- Serving the site over HTTPS is the next crucial step. TLS (the successor of SSL, though the certificates are still called "SSL certificates") encrypts all traffic between your visitors and your site, so that the credentials and private data they send cannot be read or altered on the way. Redirect all HTTP requests to HTTPS, set the site and home URLs to https://, and set FORCE_SSL_ADMIN to true in wp-config.php so that logins and the dashboard can never fall back to plaintext.
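Two of the items above are left to plugins or to the web server: "Block xmlrpc.php" relies on .htaccess, which nginx and many managed hosts ignore, and "Limit Login Attempts" notes that WordPress itself imposes no limit. Both gaps can be closed from inside WordPress with a small must-use plugin. The following is an added example written for this article; it is not code from the page, from WordPress core or from any of the plugins listed above. It assumes WordPress 5.4 or later (wp_login_failed passes the error as its second argument), that REMOTE_ADDR is the real client address (fix that at the proxy with mod_remoteip or real_ip if it is not), and the thresholds, file name and lh_ prefix are choices made here for illustration.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 *
 * Added example for this article, not code from the page or from any plugin it names.
 * Saved as wp-content/mu-plugins/login-hardening.php it loads on every request as a
 * must-use plugin. Assumes WordPress 5.4+ and that REMOTE_ADDR is the true client IP.
 */

defined( 'ABSPATH' ) || exit;

// Thresholds are assumptions for this example; tune them to your traffic.
define( 'LH_MAX_FAILURES', 5 );                      // failures allowed per window
define( 'LH_WINDOW',       15 * MINUTE_IN_SECONDS ); // window in which failures are counted
define( 'LH_LOCKOUT',      30 * MINUTE_IN_SECONDS ); // how long an address stays locked out

/** REMOTE_ADDR is the only client address the client itself cannot forge. */
function lh_client_ip() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

/** Transient name for this address; hashed so IPv6 addresses fit the name-length limit. */
function lh_key( $what ) {
	return 'lh_' . $what . '_' . md5( lh_client_ip() );
}

/** Runs on every failed login (wp-login.php and xmlrpc.php alike): count it, lock the address at the threshold. */
function lh_record_failure( $username, $error = null ) {
	// Attempts refused because of an existing lockout must not keep extending it.
	if ( $error instanceof WP_Error && 'lh_locked' === $error->get_error_code() ) {
		return;
	}
	$failures = (int) get_transient( lh_key( 'fail' ) ) + 1;
	set_transient( lh_key( 'fail' ), $failures, LH_WINDOW );

	if ( $failures >= LH_MAX_FAILURES ) {
		set_transient( lh_key( 'lock' ), time() + LH_LOCKOUT, LH_LOCKOUT );
		delete_transient( lh_key( 'fail' ) );
		// Written to the PHP error log; forward it to your SIEM to spot distributed attempts.
		error_log( sprintf( 'login-hardening: locked out %s for %d s after %d failures (last username: %s)',
			lh_client_ip(), LH_LOCKOUT, $failures, sanitize_user( $username ) ) );
	}
}
add_action( 'wp_login_failed', 'lh_record_failure', 10, 2 );

/**
 * Refuse logins from a locked-out address. Priority 30 runs after core's username/password
 * check (priority 20), so even a WP_User produced by a correct guess is replaced by the error.
 */
function lh_enforce_lockout( $user, $username, $password ) {
	$until = (int) get_transient( lh_key( 'lock' ) );
	if ( $until > time() ) {
		$minutes = (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS );
		return new WP_Error( 'lh_locked',
			sprintf( 'Too many failed logins from your address. Try again in %d minute(s).', $minutes ) );
	}
	return $user;
}
add_filter( 'authenticate', 'lh_enforce_lockout', 30, 3 );

/** A successful login clears the failure counter for that address. */
function lh_clear_failures( $user_login, $user ) {
	delete_transient( lh_key( 'fail' ) );
}
add_action( 'wp_login', 'lh_clear_failures', 10, 2 );

/*
 * XML-RPC: the WordPress-side equivalent of the .htaccess block, for hosts that ignore
 * .htaccess. xmlrpc_enabled only disables methods that require a login, so the pingback
 * methods (the DDoS reflection vector) are removed separately and the endpoint is no longer advertised.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
```

To check it, submit five wrong passwords from one address: the sixth attempt, even with the correct password, gets the lockout message, and a line appears in the PHP error log. For XML-RPC, POST a system.listMethods call to xmlrpc.php; pingback.ping should no longer appear in the list. The counter is per source address, so an attack spread over many addresses (or one that guesses the password within the first few tries) is not stopped by it; that is why it complements, rather than replaces, the strong-password and 2FA items above.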

For more, refer to the Wordfence checklist: https://www.wordfence.com/learn/wordpress-security-checklist/

NOTE: Code-level changes (functions.php, mu-plugins, .htaccess) should be made together with your website developer and tested on a staging copy of the site before they go live.

Krishnapriya Neema

Krishnapriya is a Server Engineer at RackBank Datacenters Pvt. Ltd.



© Copyright 2013-2021 RackBank© Datacenters Pvt. Ltd.

