Open In App
Related Articles

Making your WordPress Website More Secure

Improve Article
Save Article
Like Article

Why security is Needed? 

Blogging now a days has become a hobby of so many people and WordPress is the most opted platform for the same.By default, wordpress blogs employ a minimal level of security and also its files and/or plug-ins may often be outdated. These files are traceable and vulnerable to be hacked easily. Internet is not a secure  place to work and one must be aware enough about how to be secure.

This article deals with some of the simple tips & techniques which can be implemented by the beginners in order to ensure security of their blogs and the information stored on WordPress.

Tip #1  Use a Unique, Secure Username and Password

  • Avoid using the default admin
  • The user can also create a new user with admin rights and remove the old ‘admin’ username.
  • A WordPress Plugin such as Username Changer can also be used to change a username to something more secure. Try avoiding using common usernames like your name or ‘administrator’ which can be guessed easily.
  • Choose a complex password comprised of letters, numbers and characters. Don’t choose a password that’s similar to the username, website name or a simple word with a few changes.
  • Preferably use of a random string of characters is recommended.

 Tip #2  Enabling Two-Step Authentication

  1. The user needs to have a WordPress Account which can be created by clicking here. If the user already has a WordPress account skip this step.
  2. Click here to enable the two step verification. User is redirected to following page.


  1. After clicking Get Started following screen appears2
  2. Choose Verify via SMS option.
  3. The WordPress shall send a verification code via SMS which the user is required to enter for verifying the number.
  4. Enter the code sent to your mobile correctly. Then a bunch of backup codes shall be provided which can be used as an alternative way to access the site if the mobile gets stolen or lost or situation in which phone can’t be accessed to get the code. Save these codes in a text file.
  5. You have now enabled two step verification.3

 Tip #2  Using a Plugin

To protect from Brute Force attack, there are two great plug-ins

  • The All in One WP Security & Firewall plugin has an option that simply changes the default URL (/wp-admin/) for that login form. This plugin also helps in limiting the number of attempts to login from a certain IP address.
  • Another one is BruteProtect. That plugin has recently been acquired by Automattic, the creators of WordPress. The plugin  automatically takes care of protecting the users login form from IP addresses that tends to make many login attempts

Tip #3  Move wp-config up one directory and lock it down

  • Users can move thewp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.
  • This is how the wp-config looks like:4

If the server being used comes with .htaccess, add this piece of code to the top of the file that shall deny access to anyone surfing for it:

<files wp-config.php>

order allow,deny

deny from all


Tip #4 Keep  WordPress Updated

Assuming that the user has Wamp server installed:

  1. Start the wamp server
  2. Open the WordPress site using localhost
  3. Under the dashboard section click on Updates5
  4. In my case I have already updated my WordPress. So for me it is showing that ‘You already have the latest version’.6
  5. For those who do have the latest version , there will be an option to update. Click on it. Done!!

Tip #5 Changing file permissions

Users that have shell access to the server, file permissions can be changed recursively with the following command: For Directories: find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \; For Files: find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Tip #6 Schedule Regular Data backups

  • Back up data regularly, including your MySQL
  • Data integrity is very important for trusted backups.
  • A good backup plan could involve keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location.

Tip # 7. Delete the readme and any unnecessary files.

  • WordPress has a default readme.html, and many plugins and themes that comes along with it.
  • They should be deleted as they can be used for fingerprinting or general snooping and often contain version info.
  • Remove any junk files from the folder.

Tip #8 Enabling SSL Login

·        If the site has an SSL certificate, SSL login can be enabled. ·        To enable SSL your site must be reachable by using https.

  • Add the following piece of code to the wp-config file
  define(‘FORCE_SSL_LOGIN’, true);// For login only
define(‘FORCE_SSL_ADMIN’, true);//For whole admin

 Tip  #9: Ask Apache Password Protect

  • This plugin provides users more control over their blog in terms of security
  • Users can protect your site with 401 authorization in easy steps.

The plugin can be downloaded from  here. References:–wp-22446 Article By Mudit Maheshwari: A 3rd year B.Tech IT student from VIT University, Vellore having keen interest in coding , learmuditning about new technology and developing softwares . Besides being passionate about coding, he also loves playing guitar and singing. Currently staying in Chennai. You can reach him at If you also wish to showcase your blog here,please see GBlog for guest blog writing on GeeksforGeeks.  

Last Updated : 19 Jan, 2023
Like Article
Save Article
Similar Reads
Related Tutorials