- Published: Jun 13, 2021
- Last Updated: Sep 18, 2023
Sarah Berry, Web Marketing Consultant
- Sarah Berry is a Google Analytics-certified Web Marketing Consultant at WebFX. She’s written over 400 articles on digital marketing, covering topics like SEO, CRO, and Amazon. When she isn’t polishing her Time Magazine Person of the Year Award, she’s spending time with her flock of ducks.
WordPress powers 35% of all websites, which makes WordPress sites a go-to target for hackers. If you’re like most WordPress site owners, you’re probably asking the same questions: Is my WordPress site secure? How do I secure my WordPress site?
While you can’t guarantee site security, you can take several steps to improve and maximize your WordPress security. Keep reading to learn how to make your WordPress site secure! If you need professional help with your website’s security, contact WebFX.
1. Move your WordPress site from HTTP to HTTPS
For users, as well as search engines and web browsers, an HTTP website looks (and is) insecure. You want to secure your site for users, search engines, and web browsers by moving from HTTP to HTTPS. This process involves acquiring an SSL (Secure Sockets Layer) certificate, which can be free or cost up to $1,500 per year.
Your hosting company may provide you with an SSL certificate for free. Either way, when you get an SSL certificate, you will need to chat with your hosting company. Your hosting company will need to install your SSL certificate and associate it with your domain name.
Once you complete this step, you can secure your WordPress site with one of the following options:
- Use a plugin: A WordPress plugin like Really Simple SSL makes activating your SSL certificate, as well as updating your site to HTTPS, fast and simple. Just download the plugin and follow the instructions.
- Use a developer: A manual approach to moving a WordPress site from HTTP to HTTPS involves the help of a developer. Your developer will need to update your site address and WordPress address (via the General Settings menu) and set up redirects.
If you don’t have any background in web development, use a plugin to secure your WordPress site. Trying to add an SSL certificate yourself can result in duplicate content, which can hurt your site’s visibility in search results on Google. Duplicate content happens because search engines see both versions of your website — the HTTP and the HTTPS version.
A redirect sends all your HTTP pages to their HTTPS version. Creating redirects prevents duplicate content, plus sends users to a secure page. A plugin like Really Simple SSL takes care of this process for you, making your site safe for everyone.
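As an added example (not part of the original article), here is a Python check a developer could run over recorded responses to confirm that each HTTP URL answers with a permanent redirect to its own HTTPS counterpart, which is what prevents the duplicate-content problem described above. The sample responses are constructed, and example.com and the names `classify` and `audit_redirects` are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample: (requested URL, status code, Location header or None).
SAMPLE_RESPONSES = [
    ("http://www.example.com/", 301, "https://www.example.com/"),
    ("http://www.example.com/blog/", 302, "https://www.example.com/blog/"),
    ("http://www.example.com/contact/", 200, None),
    ("http://www.example.com/shop/", 301, "https://www.example.com/"),
    ("http://www.example.com/about/", 301, "http://www.example.com/about-us/"),
]

REDIRECT_CODES = {301, 302, 303, 307, 308}
PERMANENT_CODES = {301, 308}


def classify(url, status, location):
    """Return a finding for one response to a plain-HTTP request."""
    if status not in REDIRECT_CODES or not location:
        return "served-over-http"        # page exists on both HTTP and HTTPS
    src, dst = urlsplit(url), urlsplit(location)
    if dst.scheme != "https":
        return "redirect-stays-on-http"  # visitor never reaches a secure page
    if (dst.path or "/", dst.query) != (src.path or "/", src.query):
        return "redirect-drops-path"     # deep link lands on a different page
    if status not in PERMANENT_CODES:
        return "temporary-redirect"      # does not signal a permanent move
    return "ok"


def audit_redirects(responses):
    """Map each failing URL to its finding; URLs that pass are omitted."""
    findings = {}
    for url, status, location in responses:
        result = classify(url, status, location)
        if result != "ok":
            findings[url] = result
    return findings


if __name__ == "__main__":
    for url, finding in audit_redirects(SAMPLE_RESPONSES).items():
        print(f"{finding:24} {url}")
```

Any URL reported as `served-over-http` is a page that search engines can still reach in both versions.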
2. Customize your login page URL
Did you know that every WordPress site has the same login URL? The default login URL is wp-login.php or wp-admin, like www.example.com/wp-login.php or www.example.com/wp-admin. This feature (which you can change) provides hackers a convenient starting point for hacking into your website.
That’s why you should customize the URL of your login page. By changing your login page URL, you make your website more secure and more challenging for hackers to crack. A developer or a plugin like Rename wp-login.php or iThemes Security can change your default login URL for you.
With either approach, you want to create a unique URL for logging in to your WordPress site. For example, you may choose “site-access” as your new login URL or “lets-login.”
3. Update your “admin” username
When creating a WordPress site, many users choose the default “admin” as their account username. This decision is a significant concern when it comes to WordPress security because it provides hackers with another piece of information for accessing your account, like your login URL. In this all-too-common scenario, hackers know your login URL and your login username — all they need is your password.
If your account username is “admin,” you can change it a few ways:
- Use a plugin: A plugin like Username Changer makes updating your username fast. Install it and then go to the “Users” menu and select “Username Changer.” You can then select the user with the admin account and update their account username.
- Create a new user: Companies can also create a new user in WordPress that occupies the administrator role. Once you make the new user and set their permissions, you can delete the old user with the “admin” username.
- Modify phpMyAdmin: Via cPanel, a web hosting control panel, you can change account usernames. This fix involves a developer logging into your cPanel, choosing your user table, and adjusting the user login value.
In most cases, your company will want to either use a plugin or create a new user to secure your site.
4. Install WordPress updates
WordPress routinely releases updates, which include new features, fixes, and security patches, that protect your site. If you host your site with WordPress.com, WordPress will apply the latest update for you. Companies self-hosting (via WordPress.org) will need to update manually.
Updating your WordPress site with the most up-to-date release will help keep your website secure. You can stay in the loop about WordPress updates by signing up for email notifications. In addition, you can visit the WordPress.org website to read and download the latest patch.
Your WordPress dashboard will also alert you to updates. While you can handle WordPress patches yourself, it’s helpful to have a developer do it. Most WordPress sites feature plugins, which can cause problems when updating to the latest version of WordPress.
For example, an out-of-date plugin can break site features, open vulnerabilities, and even make your website inaccessible. A developer can help you avoid these headaches. Besides updating your WordPress site, you should also update your plugins to patch any vulnerabilities.
Find the latest release for your plugins by following these steps:
- Log in to your WordPress account
- Click “Plugins” from the left-hand sidebar
- Select the “Update Available” filter
You can then review the available updates. Before upgrading your plugin, check for any reported bugs. New releases can often come with issues that the plugin developer will then patch.
Waiting a week or two after the update’s release can help you avoid these bugs while also keeping your site secure.
5. Hide your WordPress version number
Your WordPress version number is another helpful piece of information for hackers. When a hacker knows which version of WordPress your website uses, they can tailor their attack to it. Anyone can view your WordPress version number by viewing your site’s source code.
Depending on the version, they can even take advantage of specific vulnerabilities. For example, if you’re running an older version of WordPress, a hacker may target a vulnerability that a later version fixed. Hide your site’s version number by using a WordPress security plugin, like Sucuri Security or iThemes Security.
You can also approach the problem manually, having a developer modify your functions.php file to stop your WordPress version number from appearing in places like an RSS feed.
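As an added example (not part of the original article), this Python check scans a saved copy of your page source or RSS feed for the places a default install discloses its version, so you can confirm a plugin or functions.php change actually removed them. The sample documents and the version 6.2.2 are constructed, and the name `find_version_leaks` is an assumption.

```python
import re

# Constructed samples of default output; version 6.2.2 is illustrative only.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.2.2" />
<script src="/wp-content/plugins/shop/cart.js?ver=1.4.0"></script>
</head><body>Hello</body></html>"""

SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel>
<title>Example</title>
<generator>https://wordpress.org/?v=6.2.2</generator>
</channel></rss>"""

HARDENED_HTML = "<html><head><title>Example</title></head><body>Hello</body></html>"

VERSION = r"(\d+\.\d+(?:\.\d+)?)"
PATTERNS = {
    # Generator meta tag in the page <head>.
    "meta-generator": re.compile(
        r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress ' + VERSION,
        re.I),
    # Generator element in the RSS feed.
    "feed-generator": re.compile(
        r"<generator>https?://wordpress\.org/\?v=" + VERSION + r"</generator>",
        re.I),
    # Heuristic: core assets under /wp-includes/ default to the core version
    # in their ?ver= query string; plugin assets carry their own versions.
    "core-asset-ver": re.compile(r"/wp-includes/[^\"'\s>]+\?ver=" + VERSION),
}


def find_version_leaks(document):
    """Return sorted (location, version) pairs disclosed in a page or feed."""
    leaks = set()
    for location, pattern in PATTERNS.items():
        for match in pattern.finditer(document):
            leaks.add((location, match.group(1)))
    return sorted(leaks)


if __name__ == "__main__":
    for name, doc in [("page", SAMPLE_HTML), ("feed", SAMPLE_FEED),
                      ("hardened page", HARDENED_HTML)]:
        print(name, find_version_leaks(doc) or "no version disclosed")
```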
6. Create your password with a password generator
You can also improve your WordPress security with a password generator. Easy-to-remember passwords, like your dog’s name or your child’s birthday, are often weak and easy for hackers to crack. If you want to maximize your WordPress security, then you need to adopt a password generator.
A password generator, like from LastPass, helps you create original, hard-to-crack passwords. It also saves you from the hassle of meeting password requirements, like capitalized letters, numbers, or symbols. You can tell LastPass to include (or exclude) any of these features.
Go ahead and update all your user passwords, especially if you created them without a password generator. If you’re worried about forgetting your passwords, you can use LastPass (for free) to store your login information safely.
7. Lock down your wp-admin directory with a password
While aggressive, password-protecting your wp-admin directory is an effective way to secure your WordPress site. When you password-protect your wp-admin directory, you make users enter two passwords: one to log in to the WordPress dashboard and a second to access the WordPress admin area. Hackers who gain access to your wp-admin directory can make any change they want to your website.
That’s because the wp-admin directory contains all the files that power administrative functions on your WordPress site. If you decide to secure your wp-admin directory, you will need to work with your developer. Your developer will have to log in to your cPanel and update the password protection settings for that directory.
Don’t try to modify your wp-admin directory if you’re not familiar or comfortable using cPanel. Incorrect changes to your wp-admin directory could result in a broken site, lost settings, and more.
8. Use two-factor authentication (2FA)
Two-factor authentication (2FA) is becoming a popular WordPress security solution. With 2FA, users must enter or provide two pieces of information to log in to your WordPress site. For example, they may supply their username and password, and then answer a security question or approve their login on a second device, like their smartphone.
Requiring two forms of authentication works extremely well for WordPress security. Even if a hacker gains access to a team member’s username and password, 2FA prevents them from logging into your site because the hacker cannot provide that second form of authentication, like answering a security question via that team member’s smartphone. Without 2FA, however, that hacker could log into your website in an instant.
If you want to try two-factor authentication, you can use the Google Authenticator plugin.
9. Boot idle users to keep your WordPress site secure
Leaving yourself logged into your WordPress account while away from your computer or laptop can cause security issues fast. If you’re traveling, for example, and leave your laptop unattended (or forget it), someone can easily access and change your WordPress site. That’s why you want to boot idle users.
For instance, maybe after 15 or 30 minutes of inactivity, you log users out. Whatever duration you set, you can use this feature to improve your WordPress security and protect your site. Plugins like Inactive Logout can help you set up and use this security measure.
10. Change your wp_ table prefix to prevent SQL attacks
Like login page URLs, WordPress uses a default database prefix: wp_. A default database prefix can cause problems because it makes your site vulnerable to SQL (Structured Query Language) injection attacks. Hackers know that every website (unless changed) will use this database prefix. That’s why you want to change yours.
A few examples of alternatives include:
Updating your database prefix will either require a plugin, like iThemes Security, or a developer.
11. Move your wp-config.php file
Your wp-config.php file offers a quick way to make your WordPress site secure. A wp-config.php file contains vital WordPress installation information. When it comes to your website’s root directory (or / ), it’s the most critical file, so you want to protect it from hackers, especially in the event of a security breach.
Protecting your wp-config.php is a quick fix — move it. Move your wp-config.php file to a level higher than your root directory, which will make your wp-config.php file almost impossible for hackers to access. Relocating the file will require a developer’s help.
While WordPress will have easy access to your wp-config.php file, hackers won’t.
12. Invest in protection against DDoS attacks
Distributed Denial of Service (DDoS) attacks happen to anyone. While you usually hear about DDoS attacks happening and taking down big brand websites, like Target or Sony, they happen to smaller businesses, too. A group of hackers, for example, could launch a series of attacks on WordPress.
That’s why it’s worth considering DDoS protection. Go-to DDoS protection providers include Sucuri and Cloudflare. These companies will help you spot and block DDoS attacks, which will prevent your site from going offline.
If you decide to invest in DDoS protection, you will have to pay for the service.
13. Back up your WordPress site regularly
A good answer to, “Is my WordPress site secure?” is “Never.” While you can take proactive steps to protect your website, you will never achieve 100% in WordPress security. Hackers will continue to uncover vulnerabilities and develop ways to break a site’s security. That’s why website backups are a must.
A backup of your WordPress site provides you with the latest secure version of your website. In the event of a security breach, you can use that backup to restore your site. You’d have the most up-to-date version of your website and skip the process of re-doing all your past work.
It’s a small win during a stressful time. You can back up your WordPress site with plugins or manually. Plugins, like VaultPress, allow you to back up your website automatically on a routine basis.
For example, you could have a plugin back up your site every month, day, or week. In most cases, these plugins will require a paid plan.
Is your WordPress site vulnerable? WebFX can help!
Website security is a critical issue for any site owner.
If you operate a business, it’s essential to provide users with a safe website. Even if you don’t accept and process online payments, you want a secure, SEO-friendly WordPress site to make users comfortable when browsing your website — and to improve your rankings in search results on Google. WebFX can help make your WordPress site secure.
With our web design and website maintenance services, as well as our in-house team of developers, we offer the services and know-how to maximize your WordPress security. Learn why more than 90% of our clients stick with us by contacting us online or calling us at 888-601-5359!