10 ways to help secure your WordPress site.

Jon Haines

Jon Haines

Web developer, helping small to medium businesses stand out online

With around 35% of the internet being powered by WordPress, its easy to see why this CMS (Content Management System) is a prime target for hackers.  Whilst WordPress is always being updated with fixes for the latest vulnerabilities, there are things that site owners can do to further secure their sites.

Here are 10 things you can do today to further secure your site.

Change login url

Changing the login url is a simple way to restrict hackers from trying to access your website.  The default login for WordPress is http://your-domain/wp-admin.  Changing this is a simple little trick to stop any unauthorised users from accessing your login page.  Only users with the exact url will be able to access the page. If hackers don’t even know the login page, they can’t try to brute force their way in.

Change admin username

Although any good host will not do this, sometimes when WordPress is initially installed, the default Administrator user is setup with the username “admin”.  This is a bad idea as this is the first username any hacker will use when trying to access your site.  If they know the username, the only other thing they need to guess is your password.  Setting your username to a random set of characters is a far better option. 

If you find you have an Administrator login with username admin, you could change this in the database, but an easier option would be to create another Admin user in your site and delete the user with username “admin”

Keep themes, plugins and Wordpess updated

WordPress is an extremely flexible Content Management System (CMS) that can be customised with different theme and plugins.  With WordPress itself, the Themes allow you to drastically change the look/feel of your site.  Plugins can help add additional features and functionality.

Keeping all this up to date is important, as with every WordPress update, most good theme/plugin developers with apply the fixes or patches to the latest vulnerabilities.  Not updating to the latest versions allows any hacker to take advantages of this and potentially use this to gain access to your site or inject malicious code into your site.

Use a firewall and security plugin

Security plugins are an essential way to secure your site.  Most premium plugins will come with a Firewall, will scan your site for malware, protect against brute forced attacks, blocks users and much more.  Wordfence is good example of a good security plugin and can also be setup to automatically block users who try to login with the admin username that I mentioned earlier.

These plugins can be configured in great detail, but often the default setup is fine for most sites.

Stop directory listing

If you have directory on your website that doesn’t contain a index.html file, anyone can see everything that is in that directory.  For example if you create a folder called “webdata”, anyone can see a full list of that folders content by typing http://your-domain/webdata

This may not sound that bad, but any hacker can use this simple trick to see the all files in that folder and potentially target them to gain access to your site or inject malicious code.

You can prevent this, simply by adding the below line to your .htaccess file:

Options All -Indexes

Secure your wp-config file

Your wp-config.php file has crucial information about your WordPress site, so securing this is important.  You can do this by changing the read/write permissions of the file to something like 600, or even move the file itself to one folder above your root directory.  Moving the file prevents it from being accessible to potential hackers.

Change table prefix

By default the WordPress database tables have a prefix of wp-.  Leaving this default prefix in place, can mean your database is prone to SQL injection attacks.  A simple measure to protect against these attacks is to rename your table prefix to a unique name, for example newwp-

Ideally this should be done during the installation process, but it can be done after installation with a WordPress plugin or by some security plugins.


SSL (Secure Socket Layer) provides secure data transfer between your browser and the server.  This makes it difficult for hackers to hijack your connection and potentially spoof your information
Adding an SSL is simple and can be done using the free Let’s Encrypt open source SSL certificate.

Using an SSL certificate is not only good practice for site security, but it is also a must for your sites SEO as not using one will affect your Google search ranking.  Google Chrome now highlights if a site isn’t using an SSL in its browser.

Remove WordPress version number

The version of WordPress your site is running can be seen by viewing the source of the webpage.  While you may not think this is a problem, if a hacker can view this, they can use this info to construct a tailored attack on your site.  This is even more of an issue if you are running an outdated version of WordPress, as you won’t have the up-to-date security fixes in place.

Hiding your WordPress version is simple and can be done in most good security plugins, like Wordence for example.  It can also be done manually by adding the below function to your sites functions.php

function wpnumber_remove_version() {

return ”;}

add_filter(‘the_generator’, ‘wpnumber_remove_version’);

Important: Be sure to back-up your site before making any changes to this file.

Putting in place some, or all of the above, is a good step forward in helping to secure your WordPress site.  That said, using strong passwords is obviously a must for any online activity.  Also performing regular backups can ensure you can get your site back up and running in no time, should the worst happen.

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on email
Share on whatsapp