How to secure your WordPress Websites

WordPress is the most popular blogging and CMS system, which makes it a favorite target for Hackers. Having a WordPress site means that you have to make some extra effort in order to protect you and your visitor’s data and their privacy.

As I am a Freelance WordPress developer, I should remember the security measure to protect the client’s websites. So, if you decide to make or host your website on the WordPress platform, you first follow below some procedure to securely develop your WordPress websites.

Ethical Hacking Training in India

As I do follow these steps:

Keep your WordPress site and Plugins up-to-date always

It is really important to keep your core WordPress files and all of your plugins updated to their latest versions. Most of the new WordPress and plugin versions contain security patches. Even if those vulnerabilities cannot be easily exploited most of the times, it is important to have them fixed.

For more information on that matter, check our tutorials on how to update WordPress and how to use WordPress auto updates.

Protect your WordPress Admin Area

It is important to restrict the access to your WordPress admin area only to people that actually need access to it. If your site does not support registration or front-end content creation, your visitors should not be able to access your /wp-admin/ folder or the wp-login.php file. The best you can do is to get your home IP address (you can use a site like for that) and add these lines to the .htaccess file in your WordPress admin folder replacing with your IP address:




<Files wp-login.php>

order deny, allow

Deny from all

Allow from


In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another Allow from statement on a new line.

If you want to be able to access your admin area from any IP address (for example, if you often rely on free Wi-Fi networks) restricting your admin area to a single IP address or too few IPs can be inconvenient. In such cases, we recommend that you limit the number of incorrect login attempt to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password. For such purposes, you can use a plugin called WP Limit login attempts.

Don’t use the “admin” or “site name” as a username

Most of the attackers will assume that your admin username is “admin”. You can easily block a lot of brute-force and other attacks simply by using a different admin username. If you’re installing a new WordPress site, you will be asked for the admin username during the WordPress installation process. If you already have a WordPress site, you can follow the instructions in our tutorial on how to change your WordPress username.


Secure your WordPress website by protecting the login page and preventing Brute Force Attacks

All know the standard WordPress Login page URL. The backend of the website is accessed from there, and that is the reason why try to brute force their way in. Just add /wp-login.pph or /wp-admin/, even some tools also available to automate the stuff and find the Admin Login Page, at the end of your domain name.

What I recommend is to customize the Login page URL and even the page’s interaction. That’s the first thing I do when I start securing my Client’s websites.

Some Suggestion is below:

1.Use 2-factor authenticator


Introducing a 2-factor authentication (2FA) module on the login page is another good security measure. In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters, or more popular, the Google Authenticator app, which sends a secret code to your phone. This way, only the person with your phone (you) can log in to your site.

I prefer using a secret code while deploying 2FA on any of my websites. The Google Authenticator plugin helps me with that in just a few clicks.

Cyber Security Company in delhi




2.Use your Email to login exclude your username


By default, you have to input your username to log into WordPress. Using an email ID instead of username is a more secure approach. The reasons are quite obvious. Usernames are easy to predict, while email IDs are not. Also, any WordPress user account is created with a unique email address, making it a valid identifier for logging in.

Several security plugins allow you to set up login pages so that all users must use their email addresses to log in.

3.Rename the Login URL to secure Website links


Changing the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via wp-login.php or wp-admin added to the site’s main URL.

When hackers know the direct URL of your login page, they can try to brute force their way in. They attempt to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword … with millions of such combinations).

At this point, we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.

This little trick restricts an unauthorized entity from accessing the login page. Only someone with the exact URL can do it. Again, the iThemes Security plugin can help you change your login URLs. Like so:

  • Change wp-login.php to something unique; e.g. my_new_login
  • Change /wp-admin/ to something unique; e.g. my_new_admin
  • Change /wp-login.php?action=register to something unique; e.g. my_new_registeration


4.Automate the log idle users out of your site

Users leaving your WordPress site open on their screens can pose a serious security threat. Any passerby can change information on your website, alter a person’s user account, or even break your site altogether. You can avoid this by ensuring that your site logs people out after they have been idle for a certain period of time.

5.Setup a website lockdown feature and ban users


A lockdown feature for failed login attempts can solve the huge problem of continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.

I found out that the iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect. Along with over 30 other awesome security measures, you can specify a certain number of failed login attempts before the plugin bans the attacker’s IP address.

Now, secure your WordPress website through the Admin Dashboard


6.Protect your wp-admin directory


The wp-admin directory is the heart of any WordPress website. Therefore, if this part of your site gets breached, then the entire site can get damaged.

One possible way to prevent this is to password-protect the wp-admin directory. With such a security measure, the website owner may access the dashboard by submitting two passwords. One protects the login page, and the other secures the WordPress admin area. If the website users are required to get access to some particular parts of the wp-admin, you may unblock those parts while locking the rest.

7. Use always SSL to encrypt the Data

Remember always, SSL is used to encrypt the channel through which the data is travel to your websites. Implementing an SSL certificate (Secure socket layer) is one smart move to secure the admin panel. SSL ensures data transfer between user browsers and the server, making it difficult for hackers to breach the connections.

Getting an SSL certificate for your WordPress is simple. You can purchase it from where you are Hosting your Website or some vendors are available which give the best SSL certificates.

It also helps in Google ranking for your websites and makes a trust between users and websites.

8. Monitor Your files

Best Company in IT Security

If you want some added security, monitor the changes to your website’s files via plugins like Wordfence, or iThemes Security is available.

9. Set the strongest passwords for your Database


A very strong password for the main database user is a must, since this password is the one WordPress uses to access the database. I must recommend using a combination of Alphanumeric and Symbols combination passwords. Also use Uppercase and Lowercase too.

A free and quick tool for making a strong password is the Secure Password Generator.


10. Monitor your audit Logs

when you’re running WordPress multisite or handling a multi-author website, it’s essential to understand what type of user activity is going on. Your writers and contributors might be changing passwords, but there are other things you might not want to happen. For instance, theme and widget changes are obviously only reserved for the admins. When you check the audit log you’re able to make sure that your admins and contributors are not trying to change something on your site without approval.


The WP Security Audit Log plugin provides a full list for this activity, along with email notifications and reports. At its simplest, the audit log could help you see that a writer is having trouble logging in. But the plugin might also reveal malicious activity from one of your users.

11.Disallow file editing


If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes.

If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.

To make this work, add the following to the wp-config.php file (at the very end):

define(‘DISALLOW_FILE_EDIT’, true);

12.Always disable listing with .htaccess


If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.

For example, if you create a directory called “data”, you can see everything in that directory simply by typing in your browser. No password or anything is needed.

You can prevent this by adding the following line of code to your .htaccess file:

Options All –Indexes

13.Protect your website against DDoS attacks


A DDoS attack is a common type of strike against your server bandwidth, where the attacker uses multiple programs and systems to overload your server. Although an attack like this does not jeopardize your site files, it’s meant to crash your site for a long period of time if not resolved. Usually, you only hear about DDoS attacks when it happens to large companies like GitHub or Target. They’re conducted by what many refer to as cyber-terrorists, so the motive might simply be to wreak havoc.

That said, you don’t need to be a Fortune 500 company to be at risk.

If this worries you, we recommend signing up for the Sucuri or Cloudflare premium plans. These solutions have web application firewalls to analyze the bandwidth being used and block out DDoS attacks entirely.

14.Remove your WordPress version number


Your current WordPress version number can be found very easily. It’s basically sitting right there in your site’s source view. You can also see it on the bottom of your dashboard (but this doesn’t matter when trying to secure your WordPress website).

Here’s the thing: if hackers know which version of WordPress you use, it’s easier for them to tailor-build the perfect attack.

You can hide your version number with almost every security plugin that I mentioned above.

For a more manual approach (and to also remove the version number from RSS feeds,) consider adding the following function to your functions.php file:

15.Disable PHP execution in Some WordPress Directories


Sometimes hackers break into a WordPress site and install a backdoor. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes or /wp-content/uploads/ folders.

An easier way to improve your WordPress security is by disabling PHP execution for some WordPress directories.

You will need to create a blank .htaccess file on your computer and then paste the following code inside it.

<Files *.php>

deny from all


Save the file and then upload it to your /wp-content/uploads/ and /wp-includes/ directories. For more information check out our tutorial on how to disable PHP execution in certain WordPress directories.

16.Protect Your WordPress configuration wp-config.php file


Probably the most important file in your WordPress website’s root directory is a wp-config.php file. It contains information about your WordPress database and how to connect to it.

To protect your wp-config.php file from unauthorized access, simply add this code to your .htaccess file:





<files wp-config.php>

order allow, deny

deny from all



17.Setting up 301 Redirects through .htaccess file


Using 301 redirects is the most SEO friendly way to tell your users that content has moved to a new location. If you want to properly manage your 301 redirects on posts per post basis, then check out our guide on how to set up redirects in WordPress.

On the other hand, if you want to quickly setup redirects, then all you need to do is paste this code in your .htaccess file.



Redirect 301 /oldurl/

Redirect 301 /category/television/


18.Ban Suspicious IP Addresses


Are you seeing unusually high requests to your website from a specific IP address? You can easily block those requests by blocking the IP address in your .htaccess file.

Add the following code to your .htaccess file:






<Limit GET POST>

order allow,deny

deny from

allow from all


Don’t forget to replace xx with the IP address you want to block.

19.Disable Image Hotlinking in WordPress using .htaccess


Other websites directly hot linking images from your site can make your WordPress site slow and exceed your bandwidth limit. This isn’t a big issue for smaller websites. However, if you run a popular website or a website with lots of photos, then this could become a serious concern.

You can prevent image hotlinking by adding this code to your .htaccess file:







#disable hotlinking of images with forbidden or custom image option

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

This code only allows images to be displayed if the request is originating from or Don’t forget to replace with your own domain name.

For more ways to protect your images see our guide on ways to prevent image theft in WordPress.

20.Blocking Author Scans in WordPress


A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack passwords for those usernames.

You can block such scans by adding the following code to your .htaccess file:







# BEGIN block author scans

RewriteEngine On

RewriteBase /

RewriteCond %{QUERY_STRING} (author=\d+) [NC]

RewriteRule .* – [F]

# END block author scans

For more information, see our article on how to discourage brute force attacks by blocking author scans in WordPress.


I hope this article helped you to learn the most useful tricks to secure your WordPress Security. If you are a beginner then that was a lot to take in. However, everything that I mentioned in this article is a step in the right direction. The more you care about your WordPress site security, the harder it gets for a hacker to break in.


If you have any questions on how to secure your WordPress website, let us know in the comments and we’ll answer them!

About the Author: Cryptus Team

CRYPTUS CYBER SECURITY is an Cyber Security Training and penetration testing Company in New Delhi, India. We have been delivering advance it security training and services with upgraded technology contents to IT Professionals. Our goal is to sustain performance level producing sterling results. We Stands Up to our commitments which are comiitted by Our Team.

Leave a Reply

Your email address will not be published. Required fields are marked *