8 Ways to Secure Your WordPress Website

Heads Up! There will be no TL;DR on this article solely because security is something that you shouldn’t skim through.  Security is important,  especially for your website. WordPress has gone through great lengths over the years to make sure their framework is reliable and trustworthy. But it is always a great idea to add a […]
Free Web Page AuditSet up an Appointment


Website Design


Heads Up!

There will be no TL;DR on this article solely because security is something that you shouldn’t skim through. 

Security is important,  especially for your website. WordPress has gone through great lengths over the years to make sure their framework is reliable and trustworthy. But it is always a great idea to add a little bit more security to your WordPress website

Fair warning, some of these will be easy to do while others will require a deeper knowledge of the inner functions of WordPress but these are the steps that are worth taking to protect your sites from hackers and Brute Force Attacks.

First off! Stay up to date!

One of the greatest advantages to WordPress is that developers are looking through the code every day making sure that the platform is secure and stable. And what also makes WordPress better is that independent developers create Themes and Plugins that help users shape the functionality of their website to meet the user’s needs. But this can present a problem when the independent developers stop improving the code within the plugin and theme.

This is why it should be common practice to update your Themes and Plugins. Doing this will help prevent leaving your site vulnerable to Cross-Site Scripting (XSS) attacks as well as when out of date code stops working, parts of your website will start to display code in plain text and that does not look professional.

On a side note, when picking a plugin or theme, it is always a good idea to check to see if it is updated regularly. Normally, we always make sure that Plugins never go more than 6 months without being updated.

Just in case you need a quick walkthrough on where to find the update page in the dashboard, here is a quick look.

When you are at the main Dashboard, click “Updates” in the top-left of the Dash Navigation.
It will take you to the Update page and it will let you know if there are any updates. Very Easy!

Never use “Admin” as a user name

Never use “Admin” as a user name
WordPress no longer uses Admin as a default username, however, it is still used by users who don’t understand the security issue that follows using Admin as a username. Hackers commonly use the username “Admin” when they do a Brute-Force Attack.

A Brute-Force Attack is an event where a hacker will use a bot to submit usernames and passwords into a login menu over and over until the right username and password are found and the scary thing is you will never know this is going on.

Speaking of Brute-Force Attacks, this brings us to the next two points.

Limit Login Attempts and Unique Passwords

Limit Login Attempts

The most annoying part about getting stuck in traffic is the constant stop-go-stop motion.

This is the same with hackers. Limiting your login attempts will stop the Brute-Force bot from entering usernames and passwords because your site will disable the login page after several attempts.

Limiting the login to 3 attempts means that the bot will only enter the username and password 3 times before WordPress temporary locks the hacker out. No hacker would wait around for the login menu to reactivate.

Various plugins that allow you to add this safety feature, for example, Loginizer and Limit Login Attempts Reloaded.

Unique Passwords

This should be a given. Never have the same password. I understand its hard to have a different password, especially when the suggested passwords look like this “lkas-dhjfgo-saijg”.

Some apps can be used to store your passwords if they are ever needed. The one we use is Encryptr, but people have different opinions on what app is the best one to use, we have never had a problem. Just be careful because the app does not have the “Forgot Password” option so when you lose the one password that you have to remember, you are going to be on the phone with SpiderOak for a while. 

Move your configuration file

By default, the wp-config.php file is located in the root of your website. So for this step, you have to be comfortable with logging in via FTP (File Transfer Protocol) or have access to the file manager in your Cpanel.

If using FTP, they are various tools that can be used to do this. On Mac, FileZilla and Cyberduck are the most common. For Windows, Filezilla seems to be the most popular.

But for this example, I will be using my local folder. 

I am using my local environment to show the example, which is why it will look different. But you can typically drag-and-drop the file or relocate it entering the destination(this is typical if you are using the file manager in your Cpanel.)
All you have to do is make sure that you move the file within the same level as your root folder, in this case, the “public” folder.

Now you may be asking yourself 

“Why is this important?” 

If for any reason your server stops functioning, you run the risk of your config page being viewed in plain text. This is a huge problem because your config page holds sensitive information like your username and password of your database and public and private keys.

As mentioned previously, I am using a locally hosted website so none of the information is sensitive but your file will have sensitive information within the red box.

Changing Your Table Prefix

Depending on your hosting, you should be able to change the prefix at the moment of installation. When you have the opportunity to choose the prefix, use the abbreviation of the website, especially if you will be hosting other WordPress websites on your account. Then you will be able to differentiate what database goes to what website.

If you need to change the prefix, here is a great article on how to change the prefix after the WordPress installation.

Customize Content Directory 

Note: Be sure to back up your website before attempting this step!!

WordPress is an open-source platform, which means the code and its structure is open to the public. This is awesome because it allows you to build a theme from scratch or allows you to heavily modify themes and the code from within your site. The cons to this are because it is open-source, anyone can create scripts and run those scripts in an attempt to gain entry into your website.

WordPress has made it a priority to find ways to build defenses against attacks like these but it is always a good idea to improve the security of your site so it makes it a challenge for those bad guys.

Not only can you modify files but you can rename files/folders which is what we are going to show you.

When you via FTP or go into the file manager through the cpanel, find the config.php file. Open the file so you can add the following code at the very top of the config.php file.

/** the your_new_name is the name you create for the wp-content folder **/

define ('WP_CONTENT_DIR',__DIR__ .'/your_new_name');
define( 'UPLOADS', 'your_new_name/uploads' );

Like so…

Save the file. Now find the wp-content folder and rename the folder to the name chosen. save and exit. If you are currently logged in to your WordPress account at the time of changing the folder name, which you should not be, it may log you out in which you just log back in.

This may not be for everyone and we do not use plugins for this but a popular plugin is called Hide My WP Ghost. It has a really good rating on WordPress.

Forcing SSL on Login and Admin

This step will require you to enter the config.php file. This is also assuming that you have SSL and https: set up on your WordPress website.

To force SSL on login and admin, enter the config.php file and enter the following code. 

define('FORCE_SSL_ADMIN', true);

Save, exit, that is all.


There are so many more ways to secure your WordPress website, but this is will defiantly deter hackers and scripts from finding a way to get in. Websites are not.