When it comes to WordPress security, we immediately think of whether WordPress is safe or not. According to statistics, WordPress is one of the most attacked infrastructures in 2020. That’s why you should strengthen your site with WordPress security plugins.

In this article, I will try to explain how you can secure your WordPress site based on all my experience and experience so far.

This article will interest you if you have a website built with WordPress content management. Let’s explain how we can make our site more secure without wasting time.

Is WordPress Safe or Not?

WordPress offers a secure infrastructure; security vulnerabilities must be closed. As with any infrastructure, it can be attacked in WordPress. There are many steps you can take to minimize these attacks. Especially the themes and plugins used are the areas with the most security vulnerabilities. Most of my WordPress support clients complain about the security of their sites.

The situation is quite simple. Because WordPress has an open-source code structure, it is vulnerable to any attack. Since this system is so weak, let’s examine together what should be done to prevent it. If your website has a security-related problem, we help our customers with the best WordPress support service.

WordPress Security Precautions

In the rest of the content, I will try to explain all the steps you need to do for your WordPress site. If you want a secure site, the steps you need to take can be listed as follows:

  • Work with an excellent hosting company
  • Install SSL on your site (security certificate)
  • Turn off access to files and folders with htaccess
  • Turn off file editing with wp-config.php
  • Manage permissions of files and folders
  • Always keep your themes, plugins, and WordPress up to date
  • Make sure to delete unused themes and plugins
  • NEVER use unlicensed plugins or themes
  • Use a security plugin
  • Use a unique username and password (avoid the admin username)
  • Restrict entries
  • Hide WordPress admin panel and login link (wp-admin and wp-login.php)
  • Use Google Captcha
  • Close your site to new registrations
  • Use Akismet or turn off your site in the comments

1. Work with a good hosting company

One of the most critical aspects of hacked websites is randomly selected web hosting companies. It would help if you worked with quality web hosting companies that offer honest service and not much advertising. Most users introduced to WordPress are generally unhappy with their first hosting experience. So be sure to read the reviews and customer reviews of web hosting companies you meet with plugins Google.

I have to say that many web hosting companies blame the software used and, therefore, the software developer when sites are attacked. At the top of the features that a good hosting company should have are solid DDOS protection and antispam service. The perception that “the more money you pay, the more secure you will have a site” is entirely wrong. Also, be sure to read customer reviews before purchasing a hosting package.

2. Install SSL on your site (security certificate)

Make sure you use SSL on your WordPress site. SSL (Secure Sockets Layer) certificates are the most crucial part of website security. They are encryption systems that keep an internet connection secure and protect sensitive data sent between two systems.

Many hosting companies offer free SSL services in their hosting packages. You must purchase if your hosting web package does not offer free SSL support. The average SSL price is between $20 — $90 per year. If there is no SSL on your website, there will be the phrase “Unsafe Connection” in the address bar, and this will cause your visitors to panic.

3. Turn off access to files and folders with htaccess

Sometimes, files and folders in your web hosting area become visible when the browser enters. This problem can cause your site to be attacked. Even if your files and folders are not visible, you must add the following code to a suitable place in your htaccess file.

Connect to the leading directory, where your site’s files are located via FTP or CPANEL, to access the .htaccess file. Then select the option to edit the .htaccess file with a post editor. Add the following code to this file and restore it. If you do not know how to do this, be sure to get support from an expert or your web hosting company.

Important: In many hosting companies, access can be hidden, so you should use the show hidden files option.

Options All -Indexes

4. Turn off file editing with wp-config.php

If a hacker has reached your site’s administration panel, they can edit your WordPress files and add malicious code to your site. Block file and folder editing with the wp.config.php file to prevent this. Add the following code at the bottom of the wp-config.php file. In this way, your WordPress files will be closed for editing. It is essential as the previous step.

define('DISALLOW_FILE_EDIT', true);

5. Manage permissions of files and folders

You can make your site inaccessible by editing your WordPress file and folder permissions. All your file permissions should be 644, and all folder permissions should be 755.

The video shows us changing the permissions of the folders. After this process, you need to edit your file permissions to 644. As an alternative to the above process, select all folders and files and make 644 instead of 755. Then start the process by selecting “Apply to files only” instead of “apply to folders only.”

This process is hazardous and if you do not know what you are doing, be sure to get support from an expert or your hosting provider.

6. Always Keep your themes, plugins, and WordPress up to date

WordPress updates automatically most of the time. If it is not updated, you have to do this manually. You can see all updates in the Administration Panel → Start → Updates tab.

Always keep the themes and plugins you use on your site updated. Always remember to back up before updating. Most of the time, updates will work without any problems, but in some cases, design distortions or errors may occur on your site. In this case, restoring the backup you have taken will be easy. In such cases, the hosting company does not accept responsibility. So, if your budget is available, check the packages that support daily / weekly backups when purchasing hosting.

7. Make sure to delete unused themes and plugins

Deleting unused themes and plugins is one of the most critical issues affecting the site’s security and speed.

Most of the time, plugins are disabled and forgotten in the “plugins” tab. The biggest problem with these updated plugins is that they create security problems. Remove all unused plugins and themes from your site to avoid this situation.

8. NEVER use unlicensed plugins or themes

One important consideration is to use illegally distributed themes and plugins. Based on my experience, I have to say that unlicensed themes and plugins cause all security problems.

Malicious people especially add infected files into these illegally distributed themes and plugins. These infected files infect other files of your site at certain times, giving advertisements to sexually explicit sites. You can both be ashamed of your users and be deleted entirely from Google. It is a precarious situation, and please make sure that the web designers you work with do not use illegal products.

9. Use a WordPress Security plugin

Another way to keep your WordPress site safe is by using a security plugin. If you do not have an expert, you can get support; you can use some plugins to detect problems on your site. My recommendation to you is the Wordfence Security plugin. The most prominent features of this plugin can be listed as follows:

  • Web Application Firewall identifies and blocks malicious traffic. A large team created it focused on WordPress security, which continues to improve.
  • [Paid] Real-time firewall rule and malware signature updates via the Threat Defense Feed (free version is delayed for 30 days).
  • [Paid] Real-Time IP Blacklist prevents all requests from the most malicious IPs and protects your site while reducing the load.
  • It protects your site and provides deep integration with WordPress. Unlike cloud alternatives, it does not break encryption, and it cannot be bypassed or leak data.
  • The integrated malware scanner blocks requests that contain malicious code or content.
  • Protection against brute force attacks by limiting login attempts.

This plugin is the most significant help in detecting viruses on my customers’ websites. I see the locations of the virus infected on the site using the “SCAN” feature. In addition, you can directly delete or quarantine detected viruses with this plugin. Look at the table below for an example:


10. Use a unique username and password (avoid the admin username)

The most popular hacking method for WordPress sites is the “Brute-Force” application. Hackers detect users’ usernames on your site and try to access your site’s administration panel with the password combinations they have with Brute-Force.

This is the easiest username to identify since WordPress is installed with the default username “admin.” If you are building your site from scratch, do not use the “admin” username. Instead, choose an email or a unique username.

In addition, according to statistics, the passwords used by users worldwide are generally similar. It should not be challenging for malicious people to detect your date of birth today, which is quite common on social media. So do not create your password from repeated numbers or simple, predictable passwords such as your date of birth.

11. Restrict entries

Another effective method is the “WP Limit Login Attempts” plugin. This plugin is the most important solution to prevent Brute-Force hacking attempts. You can limit login attempts to your WordPress dashboard with this plugin. For example, a user can make a maximum of 4 shots, after which you can put a 20-minute restriction on that user’s IP address.

If too many login attempts continue, you can prevent the hacking attempt by automatically redirecting login attempts to the home page.

12. Hide the WordPress admin panel and login link (wp-admin and wp-login.php)

You can take high-security measures for your website with the “Titan Anti-spam & Security” plugin, which is free. The most prominent feature of this plugin is that you can change the names of the links that can access your site’s administration panel, such as wp-admin and wp-login.php.

The most important thing to be aware of here is that you do not forget this name after changing the administration panel address. Because if you ignore this name, you may not be able to access your site’s administration panel. Take a look at the image below for example usage:

You can also benefit from the anti-spam firewall feature of this extension. I recommend you to visit the “Site Checker” tab to detect infected files on the site equivalent to the Wordfence plug-in.

13. Use Google Captcha

Another essential plugin is the “Simple Google reCAPTCHA” plugin. With this plugin, you can add the Google reCAPTCHA feature to all forms on your website. In this way, you can easily prevent possible hacking attempts. As with other parts of Google, this plugin is 0 free, and you can use it in commercial and personal projects.

14. Close your site to new registrations

If you have a corporate website or a personal blog and no other author is recruiting from you, you can close your site for new registrations. This will usually fix the problem radically. One of the most effective methods I have applied in all my work is to close my site to new registrations.

Please note: This is not for you if you own an e-commerce site.

Uncheck the “anyone can register” tab in the WordPress Admin Panel → Settings → General → Membership Area.

15. Use Akismet or turn off your site in the comments

Another hacking attempt is made with spam comments left on your site. If you only sell services and do not expect comments on your site, closing your site for complete statements would be an effective method. If you want to comment on your site, you can install the Akismet plugin, the most significant friend of WordPress users. To completely close your site to comments, follow the steps below:

WordPress dashboard → Settings → Discussion → Default post settings → Allow people to comment on new posts

If you uncheck the allow people to comment on new posts button, the comments will be closed on your site. Also, if you want, you can turn off this setting on the text and page you wish to and comment on the relevant page.

Akismet detects nasty comments on pages and blog posts on your site and automatically moves them to the spam folder. Then Akismet regularly cleans these comments from spam and prevents thousands of spam comments from coming to your site without your knowledge. Akismet is the official WordPress spam comment blocking plugin.

You need a WordPress.com account to use Akismet. After logging into the Akismet page with an account, you can get the API code for free and integrate it into your site.


In this post, I tried to discuss how you can fix WordPress security issues in 15 steps. You can apply all the steps above to your site or take the steps you need. WordPress security is a very complex task. Your site will be essentially free of malicious people if you know what you are doing and how.

If you found this helpful article for WordPress security, I would like you to support me in your social media accounts. Also, if there is something I am missing, or if you have anything to add, please join me in the comments field.

Leave a Reply

Your email address will not be published. Required fields are marked *