security cameras

10 WordPress Security Tips to Defend Your Site from Hackers

Security is always one of the most important parts of a website that is more often than not being neglected, until such time that these websites become victims of hacking. Before that happens, here are 10 WordPress security tips that you can act on today, to ensure that your website will not be an easy target for malicious hackers.

1. Use Unique Usernames and Passwords

Choose a unique username and password to access your WordPress website. If you are running on an older installation, it is important to know that WordPress used the username admin as the default username for the primary administrator account. This makes it easy for hackers to get into your website using a Brute Force attack, since they only need to work out the password for the administrator account.

If you happened to set your name to admin, you can change it by using a WordPress Plugin such as Username Changer or you can create a new user and give that user Administrator rights. For the password, it is important that it is complex and long enough, comprised of alphanumeric characters and symbols, or you just create one using a password generator.

2. Limit Log-in Attempts

Brute force attacks are one of the many ways hackers use to gain access to your WordPress admin area. Aside from using a unique username and password, you can also strengthen your log-in form by installing plug-ins such as Login LockDown to limit the number of login attempts from a given IP range. The All in One WP Security & Firewall plugin also has an option that will simply change the default URL (/wp-admin/) for the login form.

3. Use Two-Factor Authentication

WordPress, by default, does not yet have two-factor authentication built into it. Installing authentication plugins such as Google Authenticator will make it more difficult for hackers to gain access to your website through brute force attack. This method is the recognised standard today for enhanced security at your access points.

4. Choose a Reliable Hosting Company

Research conducted by WP White Security reported that 41% of websites were hacked through a security vulnerability on their hosting platform. Having said that, choosing a reliable hosting company to host your website is one of key factors to keep those hackers at bay. According to wpmudev, a good hosting company gives emphasis on security and has:

  • Support for the latest versions of PHP and MySQL.
  • Is optimised for running WordPress.
  • Includes a WordPress optimised firewall.
  • Malware scanning and intrusive file detection.
  • Trains their staff on important WordPress security options.

5. Hide Your Log-in Page

You can login to a default installation of WordPress at yourwebsite/wp-admin and yourwebsite/wp-login.php. Make it harder for hackers to perform brute force attacks to your website by moving the location of your login files. You can do this by installing plugins which will allow you to conceal and change the name of your login page, admin area, logout page and forgotten password page. Some of the plugin solutions available are: Rename wp-login.php, Hide Login+, and Lockdown WP admin.

6. Disable File Editing

The WordPress plugin and theme editor allows authorised users to modify your theme and your installed plugins. This feature itself is one that hackers use to crash your website by simply injecting malicious code into your theme to give them access to your site. Luckily, you can disable this feature by adding this line of code to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Doing this will make it impossible to modify your themes and plugins without FTP access.

7. Hide Your WordPress Version

Some versions of WordPress are known to possess more vulnerabilities than others. Having said that, WordPress by default also places a meta tag within your source code that displays your WordPress version number. This bit of information is useful to hackers, especially if your version number states that you are not keeping up with the latest updates. To solve this, you can add the following code to the top of your themes functions.php file:

remove_action('wp_head', 'wp_generator');

In addition to this, you also need to delete the readme.html file located in the root of your WordPress Install because this also contains the version number of your WordPress installation.

8. Use Security Plug-ins

If you are not that knowledgeable on how to tweak the code within WordPress, you can strengthen your website using plugins that offer all-in-one security solutions. Some of the great all-in-one WordPress security plugins are:

  • Sucuri– Scans your website and detects PHP mailers, injections, malicious redirects, phishing attempts, and also includes one-click hardening options such as protecting your uploads directory, removing the WordPress version number, disabling theme and plugin editors, and restricting access to wp-content and wp-include directories
  • iThemes – Monitors core files for any changes, hiding both the login and admin pages, two factor identification, limits login failed attempts, forces use of secure passwords for specific roles and file permissions
  • Wordfence– Scanning for file changes, Blocking IP addresses, two factor authentication, country blocking redirects, and custom alerts

9. Use Correct File Permissions

On computer filesystems, different files and directories have permissions that specify who and what can read, write, modify and access them. Ensuring that you are using the right file permissions and ownerships will not only allow you to keep your WordPress website updated, it also prevents hackers from exploiting poor file security and taking control of your website. Make sure that your WordPress folder permissions are set to 755 or 775; file permissions are set to 664; and the wp-config.php permission is set to 600 or 664. You can check out the Changing File Permissions guide on for more information on how to change file permissions.

10. Stay up to Date

According to a study, 56% of WordPress installations were running out of date core versions. In addition to this, the same study shows that a very large percentage of the website hacks came from out-of-date versions of plugins. Having said that, always make sure to keep your WordPress core up to date as well as your plugins. You can always download the latest version of WordPress from An updated version will lessen your website’s vulnerability to hackers.

As you can see, there are many ways to harden your website’s WordPress security. Take your website’s security seriously and follow the aforementioned tips to make sure it’s secure from intruders and hackers.

Exclusive 7 Day Course

Defend your site from hackers, improve your website speed, get free uptime monitoring and learn tactics used by WordPress experts

Many thanks for subscribing.

Something's not right.

About Steven Watts

Steven WattsSteven is the founder of Newt Labs. He's a WordPress specialist with an interest in building the most effective websites possible. Since 2010, he's been helping businesses with their online goals.

Exclusive 7 Day Course

Defend your site from hackers, improve your website speed, get free uptime monitoring and learn tactics used by WordPress experts

Many thanks for subscribing.

Something's not right.