WordPress Security: 26 Steps To Protect Your Website (2021)

by Nikita Shevchenko

WordPress security plays a HUGE role in your website performance.

As you finished website optimization, it gets more popular and automatically attracts attention from hackers.

You will be attacked! Sooner or later.

The real question is: Are you prepared?

This guide outlines ALL the necessary steps you need to make in order to maximize your blog’s safety.

This guide was made specifically for non-techie guys(like me).

Let’s get started!

WordPress Security: Basics

Pure statistics:

Cybercrime damages will cost the world $6 trillion annually by 2021. (Source)

Website security was, is, and will be one of the main concerns all webmasters have to encounter.

The threat is huge and inevitable. You’d better prepare. And you’d better do it right now!

Below are some of the finest techniques that will help you protect your web property and keep it away from “dirty hands”.

Let’s start with the most essential steps EVERYONE should follow.

1. Secure Your Computer

It all starts from the very beginning. Do yourself a great favor from right on and get a decent antivirus and malware scanner.

These tools will make sure that your computer operates correctly without any security issues.

Do the entire computer scanning upon installation and repeat the process regularly.

Tools to consider:

  • 360 Total Security
  • Norton
  • Kaspersky
  • Bitdefender

2. Password Protect Your Laptop

Thousands of laptops are getting stolen each year in the U.S. Information is getting leaked too easily.

Create a difficult password no one but you know. Use it in the laptop activation window.

You never know who wants to check your computer (especially if you have it in the office).

3. Use Password Manager

Here is the thing; you MUST use tons of different, unique, and complex passwords when working with your website.

Yet, it may seem troublesome to remember all of them.

There are two ways to consider:

  1. Write them all down on the piece of paper and NEVER show it to ANYONE.
  2. Use a reliable password manager and thrive!

I personally recommend using LastPass as an all-in-one tool.

It’s one of the most secure and cheapest (24$/year) solutions for password management.

wordpress security password manager

4. Access Your Site From A Secure Location

Wi-fi network through which you access your website matters too. Public internet spots are easily hacked.

It’s been suggested that you use only trustworthy wi-fi spots, ideally, only your owns.

5. Reputable Hosting Provider

As you finished working on your PC security and organized an extensive unique password system, it’s time to indulge your blog with a reputable hack-proof hosting provider that will also make your website speed-optimized.

Among all of the options on the market I would suggest you use the ones below:

Siteground is probably the BEST option for beginner bloggers and websites of 1-5 years of age.

WP Engine would be a great choice for websites with high traffic and a high amount of potential attacks.

I host my blogs on SiteGround and recommend it to all of my readers without any hesitation.

Some of the reasons why millions of bloggers and I choose it:

  1. SiteGround achieved the incredible 98% Client
    Satisfaction rate!
  2. It optimizes the performance of WordPress sites so much that you can see speed gains between 20% and 500% depending on the type of site you run!
  3. SiteGround was extremely successful in keeping clients’ sites well secured.

Sign up to SiteGround right now and forget about the insecure and poor-performing website!

siteground wordpress hosting get started 1 wordpress security

In order to help you out with the registration, I have described the whole process step-by-step.

Check out: How to Start a Blog 

6. Get Your Website Encrypted

Here is the sad truth, any computer in between you and the server can monitor your credit card information, usernames and even passwords(!), unless the pathway is encrypted with an SSL certificate.

It is also one of the most important Google ranking signals!

Cloudflare SSL will encrypt the web traffic to prevent data theft and another tampering.

The best part is that it’s absolutely free of charge.

Note: It will change your site’s URL from http://www.example.com to https:// www. example.com. Make sure you implement an SSL encryption BEFORE adjusting WordPress security settings and downloading any security plugins. It will save you a lot of time, as you will have to use the new URL address quite often.

cloudflare cde wordpress website encryption

7. Change Your Admin Area URL

Normally, your Admin area URL would look like this:

– example.com/wp-login/
– example.com/wp-admin/

Why would you change it?

Because it gives you yet an extra layer of defense against Brute Force Attacks!

It also helps you hide the fact, that you are actually using WordPress, so the potential attackers would have to figure out other ways.

And finally, it makes your login screen more appealing.

Now, how to change the Admin Area URL?

There are a couple of nice plugins on the market that will help you with this task. You may try WPS Hide Login or Custom Login URL.

website protection by changing admin url

They are both easy to use, all you need to do is type in the new URL and remember it, or bookmark in your browser.

Note: These two plugins were tested on hundreds of websites and work just fine. Yet I strongly recommend doing a website back-up using the reliable WP back-up plugins, prior to the URL change.

8. Create An “Admin” User Name

You should NEVER have a default user name “admin” in your WordPress website.

This is the first user that attackers would try to get access to.

How to create a new admin user name in WordPress?

Step 1: Head over to the Dashboard and click Users-All users:

Dashboard and click Users All users wordpress security
Dashboard user all users click add new wordpress security

Step 2: Click on Add new:

Step 3: Create your own unique name and make yourself an administrator and click on Add New User

wordpress new administrator creation wordpress security

Step 4: Make the “admin” user a simple subscriber with no rights to change the website content and settings.

changing an admin into subscriber wordpress security

9. Come Up With A Strong Password

This step might sound too obvious, yet many new bloggers tend to omit it.

You MUST create a super-duper password that will add a solid layer of security to your website.

WordPress allows you two great options:

– It generates a strong password by itself:

wordress generates strong password wordpress security

– It allows you to create your own

Pro Tip: You may allow WP to generate a unique password for you AND add up some extra digits, signs, or letters to make it even more secure!

You can even use an online tool called Strong Password Generator, it will create a very hard to hack combination.

strong password generator wordpress security

10. Disable Pingbacks And Trackbacks

These rather useless features of WordPress are not helping your website becoming more secure by any means.

The only prominent thing they do is increasing the workload.

You may turn them off in less than 1 min.

Simply go to Admin Panel-Settings-Discussions and uncheck “Allow link notification from other blogs(pingbacks and trackbacks) on new articles”.

disable link notification from other blogs wordpress security

11. Themes And Plugins

When your blog starts attracting new readers you should think about purchasing a premium WordPress theme.

Unreliable WP themes and plugins may cause HUGE problems for bloggers.

They are poorly coded and possess tons of flaws.

Those flaws are the doorways that can give access to potential threats. Some of the torrent FREE themes and plugins are already infected with malware.

One of the best things you can do for your website safety is to get the themes and plugins from dependable resources such as GeneratePress.

Their products are beautiful, fast, and SECURE!

generatepress themes wordpress security

12. Keep Your Website Updated

Having themes and plugins from trustworthy sources is one thing, updating them regularly is another!

New versions of WP products will always help you maintain website security.

Things you should constantly update:

  • WP version
  • WP theme
  • WP plugins

More Updates = More Security!

Note: Though it has little to do with WordPress security. You should never forget updating your old blog posts. Finest copywriting techniques can help a lot.

13. Enable Web Application Firewall (WAF)

WAF will place itself between your site and the rest of the internet.

Every request from now on will go through its system before it reaches your site.

Web Application Firewall companies can perform two amazing tricks:

  1. They can detect bad traffic.
  2. They can reject bad traffic, so it never reaches your server.

All decent WAFs are paid.

Which WAF plugin should you choose?

Later in this guide, I am gonna introduce you a MASSIVE security plugin called Sucuri.

Almost all of its features are absolutely free. One of the paid ones is WAF!

It is powerful, dependable and legit!

Sucuri’s WAF is constantly updated to notice common and emerging attacks.

sucuri website firewall protection wordpress security

This degree of protection makes it super complicated to harm your site.

14. Uncheck Membership Option

Membership option for Anyone can register should be unchecked in General Settings.

You do it for the single purpose of controlling WHO can register on your website.

In case it is checked, you open a doorway for spammers.

Here is how to disallow anyone to register on your website:

Dashboard- General- Settings-Membership(uncheck)

Uncheck Membership Option wordpress security

15. Scan The Site Regularly

Even if everything may seem safe and sound, you totally should do website checkups.

That is a good habit that all thoughtful bloggers have mastered a long time ago.

Now the question is:

How to do WordPress security checkup?

There are some services on the market that offer you scheduled website checking.

The only problem is that they may be quite pricey!

So if you are short on a budget one of the best ways would be using WordPress security plugins.

Let’s check them out!

WordPress Security: Plugins

In the previous section, you’ve learned how to create a custom Admin Area URL and create an “admin” username.

Why not put some more extra layers of security to this vital part?

Let me introduce some of the best plugins out there, that will make your admin area bullet-proof.

16. Login LockDown Plugin

Login LockDown plugin wordpress security

Sometimes it happens that hackers try to get in your site by guessing your admin password.

One of the weakest spots WordPress has is that it allows entering passwords as many times as the user wants.

Hackers may use special scripts that automatically enter different combinations until the site is cracked.

The best solution would be using a special plugin. The one that is blocking users with too many failed login attempts (5 or more).

In the Login LockDown plugin you may choose:

  • Number of failed attempts
  • Retry time period
  • Lockout length
  • Lockout invalid usernames

17. WP Security Question Plugin

WP Security Questions plugin wordpress security

This plugin will provide an extra level of security for your admin login page.

The principle is simple.

You create pick up a question from the list or create your own one:

security question setting up wordpress security

Next, you scroll down the settings page and check the “Ask security question on login screen” option.

ask question on login screen 1 wordpress security

Then you head over to Users-All users, click on your username and scroll down to the bottom of the page.

There you will find the field for the answer typing:

security question answer field wordpress security

Every time someone will try to access your site through the login page, they will have to find an answer to the question as well.

security qustion on login screen wordpress security

18. Google Authenticator Plugin

Google Authenticator plugin wordpress security

This quite powerful plugin for WordPress gives you two-factor authentication using the Google Authenticator app for iPhone, Android, and Blackberry.

You will receive a new password on your phone.

The plugin will require typing in the unique digital code in your admin login area each time you want to access the website.

Google Authenticator login screen wordpress security

19. WP Fail2ban Plugin

WP fail2ban plugin wordpress security

This strong, yet simple plugin is one of the most effective security measures you can implement to fight with brute-force password-guessing attacks.

The biggest difference of this plugin from Login LockDown is that you can let implement the immediate banning if the program will spot the brute-force attack.

20. Updraft Plus WordPress Backup Plugin

Updraft Plus WordPress Backup plugin wordpress security

Installing a dependable back-up plugin on your WordPress site is probably one of the best single decisions you can make in order to maintain its security and performance.

Anytime you are doing some changes in the WordPress settings or activate new plugins that you never worked with, I strongly recommend you do backups.

This way you will easily be able to restore the whole information and get your website back to work

Pro Tip: Schedule the regular backups, every day/week/month.

21. Theme Authenticity Checker (TAC) Plugin

Theme Authenticity Checker TAC plugin wordpress security

TAC will assure that the theme you are using on your blog is safe and not infected with a potential thread.

Normally, there is no need in this plugin, if you got your theme from a reputable source.

On the other hand, if you are not ready to invest in a good premium theme and found a nice free one “somewhere”, you need to do a proper check.

If the plugin finds an encrypted code, you may consider contact the theme author or switch to a safer one.

22. Inactive Logout Plugin

Inactive Logout plugin wordpress security

This helpful plugin will make your account secure from snoopers and “friends” to protect your data by assuring auto log out a system within a certain time.

If any users use the same machine as you to access your account it will automatically log you(and them) out.

Lot’s of reputable banks and online businesses use this method to prevent unnecessary users from wandering around.

23. Sucuri Security Plugin

Sucuri Security plugin 1 wordpress security

An AMAZING and super powerful plugin for your WordPress security. It is especially helpful for non-technical guys like me.

The interface is simple, and all settings are done in a couple of clicks!

Download the plugin and activate it. After it’s activated, you need to go to the Sucuri menu – Dashboard.

You will see the request to Generate a free API key.

generate api key sucuri wordpress security

Fill in the required fields, then click on 1, 2, and 3.

sucuri security api registration process wordpress security

When the key is generated, go to the Hardening tab in Sucuri Settings.

hardening option wordpress security

The plugin will offer you a Hardening feature for all weak spots of your website.

Click on the “Apply Hardening” button for all of the options

apply hardening buttons wordpress security
  • Remove WordPress Version
  • Block PHP Files in Uploads Directory
  • Block PHP Files in WP-CONTENT Directory
  • Block PHP Files in WP-INCLUDES Directory
  • Information Leakage
  • Default Admin Account
  • Plugin and Theme Editor

The Scanner feature will allow you to scan your website for potential threads.

All of these options if applied will help to keep your blog much more secure.

Note: You can revert hardening options anytime you want.

In this section, I’ve shown you some of the finest security plugins on the market.

The next section will get you even further on the way of your WordPress security optimization.

WordPress Security: Bonus Tools

In this section, I am gonna reveal some of the most efficient online tools that will help you check your website security issues and maintain its safety.

Even if you have implemented all the strategies above, you may still want to do an extra scanning that will help you find out the blog’s vulnerabilities (if there are any).

Let’s check some of the finest online security scanners:


wpscans online wordpress security scan wordpress security

This scanner is one of the most comprehensive WordPress vulnerability scanners online.

Some of the main features are:

– Deep scan technology
– Instant scans
– Automatic scans
– All-in-one dashboard
– Push notifications
– Advanced reports

Simply put your website URL into the tab, click on the “START SCAN” button, and get your scan results!

25. Sucuri SiteCheck

Sucuri Online Scanner free website malware scanner wordpress security

Apart from an awesome security plugin, Sucuri offers the clients a free online website malware and security scanner.

The one thing you need to do is to enter your website’s URL and click on the Scan Website button.

Sucuri SiteCheck will scan the website for website errors, blacklisting status, known malware, and out-of-date software.

26. Virus Total

Virus total free online virus malware and URL scanner wordpress security

A handy online tool that allows you to analyze suspicious URLs and files then facilitates the quick detection of worms, viruses, trojans, and all sorts of malware.

Type in your website’s URL, click on Scan it, and get an instant result:

virus total nikitashevchenko.com website result wordpress security

How to Fix a Hacked Website?

If you happened to be one of those people who start praying only when they hear the storm thunder, then basically you have two options:

  1. Fix the broken site yourself(Requires big knowledge and high skills)
  2. Let the professionals do the job.

The first option would be suitable for those who feel comfortable with WordPress Security issues and code.

The second one would be a great choice for those who would rather allow masters to do their job and make sure there are no backdoors left in your site.

Recovering the website may cost you thousands of dollars if you hire a solo professional.

Sucuri(which I’ve already mentioned a couple of times) guarantee they will clean the whole website and make sure you are safe and sound for FREE!*

*You should be one of their paid customers.

Don’t forget that it’s better to be proactive than reactive!

Use this link to sign up.

How long do you think it will take you to follow all the steps above?

Leave your thoughts and questions in the comment section below.

Also, add me on LinkedIn or follow me on Quora, I share some useful info there 😉

What to do next?

Do you want to receive Exclusive SEO Tips that will help your website rank high on Google?

It’s free. No spam ever. Interested?

Just enter your email address below and click “I am in!”

2 thoughts on “WordPress Security: 26 Steps To Protect Your Website (2021)”

  1. Nice article indeed. I am already aware of most of the steps you mentioned but a couple of them were some new knowledge to take. I’ve already executed them on my website. You did a great thing putting it all together!

    The question is, are you positive that it is required a certain skill set to fix a hacked site?
    I mean I’ve seen the DIY guides for beginners on how to perform it and the process doesn’t seem to be that hard.
    What’s your take about it?

    • Hello Tracy! Glad you found some time to compose an insightful comment. The guides you are talking about are time savers and possess certain value. My personal point is that you never know the level of damage those mean people caused to your website(backdoors and stuff). These guides may help or may not. You never know. So I would still recommend you contact a competent specialist and ask to audit the website. Alternatively, you can use services like Sucuri. Cheers!


Leave a Comment