20+ WordPress Security Tips & Tricks For Beginners


WordPress security is a major issue, but it can be managed if you follow the tips below. Most developers simply install WordPress security plugins, but plugins alone are not enough to secure a site. If you want to know more about WordPress security, read our new article on WordPress security tips.

If you own a company, you protect it while you are there, but as soon as you leave for the day you start worrying about its security.

The same goes for your WordPress security. I am a WordPress developer and have been working on WordPress security, and I have met the hackers. After a long investigation I found a few more security tips. I have applied them on almost every website and got better results, so I decided to share my tips with you.

First, you need to know how your site gets hacked. There are many ways to get hacked; some of them are:

  1. Shared hosting platform
  2. WordPress themes
  3. WordPress plugins
  4. Weak login information

We will look at each of these aspects, the possibilities and the solutions in detail.

WordPress Security Tips

1. Use Secure WordPress Hosting

You must use a hosting provider that specialises in secure WordPress hosting.

Most successful attacks have come through the hosting platform. If you are on shared hosting, move to dedicated WordPress hosting straight away.


You can use these popular WordPress hosts. I will cover them in detail in the next article.



2. Use Secure Links [HTTPS]

It is a good idea to use secure links (HTTPS). It protects your data, but not 100%, in my experience. A few of our sites were hacked even though they used HTTPS. Later I found they were on shared hosting, so perhaps that is why SSL did not protect them 100%.

3. Use a Different Name When Creating the Database

A few developers have a bad habit when creating a database: they use the same name as the website or domain name. Hackers can guess it easily and use it to attack your website. With a guessable database name it is easy to locate the database and insert malicious code.

So do not choose a database name that is easy to guess, and avoid using the domain name or website name. Make it difficult for hackers to guess and identify in order to keep them out.



4. Change the Table Prefix During Setup

Never use the default WordPress table prefix.

WordPress ships with the default wp_ prefix in wp-config.php; avoid using it.

With the default prefix, hackers already know your table names and can insert malicious code more easily.

e.g. if you use the default prefix wp_, and we know that WordPress has a default users table, then hackers immediately know your table is called wp_users and can target it with malicious scripts.

5. Change the Default Salts in wp-config.php


To protect your passwords and authentication cookies, WordPress uses a set of keys known as SALT keys.

You will find the default salt keys in wp-config.php, and you can generate new ones from the WordPress.org secret-key page.

Do not use the default Authentication Unique Keys and Salts.

6. Stay Up-to-date

Running the latest version plays an important role in security, so your WordPress core, themes and plugins should all be kept up to date.

Update whenever a new version is released, or enable automatic updates. You can use the Easy Updates Manager plugin for this.

A few developers have a bad habit of customizing plugins and parent themes directly. Please don't do this: when WordPress, the theme or the plugin is updated, the customized code is lost.

You can use the code below in your functions.php file.

// Let WordPress install core updates automatically (WordPress documents this
// constant for wp-config.php; it must be defined before the updater runs)
define('WP_AUTO_UPDATE_CORE', true);
// Also auto-update every installed plugin and theme
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );


7. Don’t Use Admin as a Username

admin is a common username. Most developers use admin as the username, which is easily guessable. Attackers know that the first user's ID is 1, and if that user is called admin they can break into your admin panel more easily.

So do not use admin as a username. Make sure your administrator account's username is not something easily guessable like admin, yoursitename or yourname. If you already did this, or you installed a WordPress version older than 3.0, you need to change it.

You can remove the user with ID 1 or change its ID. You can change your username with the Username Changer plugin.

8. Hide Your Username from links

Hide your username from the author archive URL. By default, WordPress shows your username in the URL of your author archive page.

e.g. if your username is joebloggs, your author archive page would be something like http://yoursite.com/author/joebloggs, which hands your login name to anyone who looks.

9. Limit Login Attempts

Login attacks are the easiest attacks on WordPress and are usually carried out by brute force: hackers simply try username and password combinations, helped by the information from the points above.

When a hacker or a bot attempts a brute-force attack to crack your password, it is useful to limit the number of failed login attempts from a single IP address.

Limit Login Attempts does just that, allowing you to specify how many retries are allowed and how long an IP is locked out after too many failed login attempts.

The WP Limit Login Attempts plugin will take care of this.
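To see what a limit-login rule does, here is an added example (not part of the article or of the plugin) that applies the same rule, N failed logins from one IP inside a time window, to web server access logs after the fact. The log lines are constructed, and the filter assumes the usual WordPress behaviour of answering a failed POST to wp-login.php with 200 (form re-rendered) and a successful one with a 302 to wp-admin.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (TEST-NET addresses): 203.0.113.9 hammers the
# login form, 198.51.100.4 fails once and then succeeds (302).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
198.51.100.4 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:55:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def is_failed_login(method, path, status):
    return method == "POST" and path.split("?")[0].endswith("/wp-login.php") and status == 200

def detect_bruteforce(log_text, max_failures=4, window_s=600):
    """Map ip -> {"failures": n, "lockouts": [ts, ...]}; a lockout is recorded each
    time an IP reaches max_failures failed logins within window_s seconds."""
    window, recent, report = timedelta(seconds=window_s), defaultdict(deque), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_failed_login(*rec[2:]):
            continue
        ip, ts = rec[0], rec[1]
        entry = report.setdefault(ip, {"failures": 0, "lockouts": []})
        entry["failures"] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # forget failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            entry["lockouts"].append(ts)
            q.clear()                      # count afresh after the lockout
    return report
```

Running detect_bruteforce over real logs with the same retry count and window you configured in the plugin shows which addresses it would have locked out.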

10. Disable file editing via the dashboard

In WordPress you can edit theme and plugin files from the admin area using the theme editor or the plugin editor.

You can navigate to Appearance > Editor and edit any of your theme files. The trouble is, if a hacker manages to gain access to your admin panel, they can also edit your files that way and insert malicious scripts easily.

So it is a good idea to disable this method of file editing by adding the following to your wp-config.php file.

define( 'DISALLOW_FILE_EDIT', true );
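An added example (not from the article) that audits a wp-config.php for tips 3, 4, 5 and 10 in one pass: a database name derived from the site name, the default wp_ prefix, placeholder, short or duplicate salts, and the file editor left enabled. The wp-config.php fragment and the site name are constructed for the demonstration.

```python
import re

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # the stock value WordPress ships with

# Constructed wp-config.php fragment showing every weakness the tips warn about:
# DB name taken from the domain, default prefix, placeholder salts, editor left on.
SAMPLE_WP_CONFIG = ("<?php\ndefine( 'DB_NAME', 'example-site' );\n"
                    "$table_prefix = 'wp_';\n" +
                    "".join(f"define( '{k}', '{PLACEHOLDER}' );\n" for k in SALT_KEYS))

# Matches define( 'NAME', 'quoted value' ) and define( 'NAME', true ). Salts from
# the WordPress generator never contain a single quote, so [^']* is safe for them.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'([^']*)'|([^)\s]+))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")

def parse_config(text):
    """Return (dict of define()d constants, $table_prefix or None)."""
    defines = {n: (q if b == "" else b) for n, q, b in DEFINE_RE.findall(text)}
    m = PREFIX_RE.search(text)
    return defines, (m.group(1) if m else None)

def audit_wp_config(text, site_name):
    """Return a list of findings for tips 3, 4, 5 and 10; an empty list is clean."""
    defines, prefix = parse_config(text)
    findings = []
    if prefix in (None, "wp_"):                                  # tip 4
        findings.append("table_prefix is the default 'wp_'")
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    db, site = squash(defines.get("DB_NAME", "")), squash(site_name.split(".")[0])
    if db and site and site in db:                               # tip 3
        findings.append(f"DB_NAME '{defines['DB_NAME']}' is derived from the site name")
    seen = set()
    for key in SALT_KEYS:                                        # tip 5
        val = defines.get(key)
        if val is None or val == PLACEHOLDER or len(val) < 32:
            findings.append(f"{key} is missing, the placeholder, or too short")
        elif val in seen:
            findings.append(f"{key} repeats another salt")
        seen.add(val)
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":  # tip 10
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    return findings

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG, "example-site.com"):
        print("WEAK:", finding)
```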

11. Enable Captcha Anywhere

Every contact form, login form, comment form, registration form, etc. should have a captcha.

Contact Form 7 has built-in captcha support under its Integration settings; you can enable it from there.

Through forms, hackers can easily submit malicious scripts, and fake bots also generate and submit scripts through forms. To avoid this we need to apply a captcha on every form.

12. Always use and recommend Strong Password

Every site must use strong passwords, and they should contain special characters.

A weak password can be guessed easily, so use a strong password, and on the registration page force users to create strong passwords too.

13. Two-factor Authentication

Two-factor authentication is an extra step at login. Here the user has to prove that they are human and not a fake bot.

Here are some plugins that let you implement two-factor authentication:

14. Use the Best and Most Trusted Plugins and Themes

WordPress plugins and themes are free and easily available from wordpress.org, but many themes and plugins get hacked even though they come from WordPress.org.

Before downloading, check the rating, total downloads and reviews. That will help you determine whether the theme is popular or not.

Try to use premium themes from ThemeForest, as they are more secure than free themes and you get support with them.



15. Always use Child Theme

Always use a child theme.

Most premium themes come with a child theme; if you are not using one, you can create a child theme with a plugin or with PHP code.

 WordPress Plugins:

16. Deny access to your Plugins and other directories

For security, most bloggers deny access to the plugin and theme directories, because they know that if someone gets the file names they can attack the site more easily.

What I mean by this is that if you open www.your-domain.com/wp-content/plugins/ in a browser, it lists all the plugins the blogger/developer is using.

Many WordPress plugins have vulnerabilities that an attacker can use to harm your blog or website, so it is a good idea to block access to these directories.

On the other hand, a lot of bloggers still allow access to their WordPress plugin, theme and other directories.

You can use a .htaccess file, or just upload a blank index.html file to the directory, to block directory listing (download a blank index.html), or create a .htaccess file in the folder and add this line:

# Turn off directory listing for this folder
Options -Indexes

17. Prevent PHP files from executing

WordPress sites allow content, images and folders to be uploaded from the admin area. For this the WordPress upload directory needs to be writable, so your wp-content/uploads directory should be considered a potential malware entry point.

The biggest potential threat is the upload of PHP files. WordPress won't allow users to upload PHP files through its administrative console; however, a plugin or theme may allow file uploads without using the designated WordPress APIs.

This could result in a malicious PHP file being uploaded and consequently executed on the server.

The best approach to mitigate this risk is to stop the web server from serving any PHP files in the wp-content/uploads directory, using the following rule.

# Server/vhost configuration: <Directory> is not allowed inside .htaccess; in a
# .htaccess placed in wp-content/uploads, keep only the <Files> section.
# Order/Deny is Apache 2.2 syntax; on Apache 2.4 use "Require all denied".
<Directory "/var/www/wp-content/uploads/">
    <Files "*.php">
        Order Deny,Allow
        Deny from All
    </Files>
</Directory>


18. Remove WordPress Version

If you look at your page source, you will see that WordPress appends its version number to script and CSS URLs.

Hide your WordPress version number so that others cannot tell which version you are using.

Add this code in your Child Theme’s functions.php file.

// remove version from RSS feeds
add_filter('the_generator', '__return_empty_string');

// remove version from <head>
remove_action('wp_head', 'wp_generator');

// remove the ?ver= query argument from script and style URLs
function UnityBlogger_remove_version_scripts_styles($src) {
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'UnityBlogger_remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'UnityBlogger_remove_version_scripts_styles', 9999);

19. Change Login Page Link

Everyone knows that the default WordPress login URL is wp-login.php. If you change it, you will cut down on fake login attempts.

20. Use Best of Best Security Plugins

After doing all this, you need to add security plugins. There are free and premium security plugins; which you use is up to you.

In our last article we wrote about the best security plugins, so read about them there.

21. Keep Your Computer/Laptop and FTP Secure

We use FileZilla to upload files from our computer. If your computer is not secure, malware code can be pushed into your files through FileZilla.

Add antivirus software like Norton, Kaspersky, Avast etc. to secure your Computer/Laptop.

22. Disable Outside Script Injections

To block these injection attempts, add the code below to your .htaccess file. The rules return a 403 Forbidden response for any request whose query string contains a <script> tag (plain or URL-encoded) or tries to set the GLOBALS or _REQUEST variables.

Options +FollowSymLinks
RewriteEngine On
# <script ... > in the query string, plain or %3C/%3E encoded, case-insensitive
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# attempts to inject into PHP's GLOBALS or _REQUEST arrays via the query string
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# F = respond 403 Forbidden, L = stop processing further rules
RewriteRule ^(.*)$ index.php [F,L]
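The three conditions above, ported to Python as an added example (not from the article) so you can see which query strings they actually catch before deploying them. The query strings are constructed; the last one shows a legitimate parameter name that the _REQUEST condition blocks as well, which is the kind of false positive to test for on your own site.

```python
import re

# The three RewriteCond patterns from the .htaccess snippet above, ported to
# Python. mod_rewrite uses PCRE and tests the raw (still URL-encoded) query
# string, so %3C/%3E survive as literal text; [NC] becomes re.IGNORECASE.
CONDITIONS = {
    "script-tag": re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),
    "GLOBALS":    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    "_REQUEST":   re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
}

def matched_condition(query_string):
    """Name of the first condition that fires (the request gets a 403), or None."""
    for name, pattern in CONDITIONS.items():
        if pattern.search(query_string):
            return name
    return None

# Constructed query strings: two the rule set is meant to stop, a benign search
# that passes, and a benign parameter name that is caught as a false positive.
SAMPLES = {
    "s=%3Cscript%3E%3C%2Fscript%3E": "script-tag",
    "GLOBALS[allow]=1":              "GLOBALS",
    "s=javascript+tutorial":         None,
    "sort_REQUEST=date":             "_REQUEST",  # legitimate, still 403
}

def check_samples():
    """Map each sample query string to the condition it triggers."""
    return {q: matched_condition(q) for q in SAMPLES}
```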

23. Allow Admin Access to Specific IP Address

If you are the admin and don't want the login page exposed to everyone, use the code below to allow access to wp-login.php only from a specific IP address.

ErrorDocument 401 default
ErrorDocument 403 default
# Order/Deny/Allow is Apache 2.2 syntax; on Apache 2.4 use "Require ip xxx.xxx.xxx.xx"
<Files wp-login.php>
    Order deny,allow
    Deny from all
    # replace xxx.xxx.xxx.xx with your own static IP address
    Allow from xxx.xxx.xxx.xx
</Files>


24. Always Take Backups

Backups are essential for any website. If your site is hacked today, you can restore a backup from a previous day.

Your hosting provider also offers daily backups, depending on your plan.

Here is the list of Backup Plugins.

  1. VaultPress (with Jetpack)
  2. Akeeba Backup
  3. All-in-One WP Migration
  4. BackupBuddy

What Else?

If you still get hacked, install the Anti-Malware Security and Brute-Force Firewall plugin and scan the whole public_html folder.

I hope you found these WordPress security tips useful. Please let me know whether you have secured your website or are facing security issues.

