An Updated Step by Step Guide to Ultimate WordPress Security

Step by Step WordPress security guide

A Step by Step Guide to WordPress Site Security: Do you ever wonder how to secure a WordPress site from hackers? Well, this is a question that troubles most webmasters.

We must, however, acknowledge that there’s no site that is 100% secure from online attacks. Attack methods are modified each second with the rates of attacks increasing each day.

A recent study showed that online attacks are launched after every 39 seconds. On a separate report, since 2013, over 3.8 billion records are lost daily due to data breaches.

Shockingly, still, the large-scale Distributed Denial of Service (DDoS) attacks steadily increases by 500 percent. This 2018 report showed that the median distributed DDoS attacks increased to over 26GPs, reflecting a 500 percent increase.

Is WordPress Site Security So Important?

Most small business owners fail to secure their WordPress websites due to the belief that they’re too small to be targeted. Most people also falter here due to a lack of awareness of the importance of web security.

Now, your site acts as your ambassador; your brand image. In most cases, your clients will first interact with the site before even contacting you.

Therefore, when your site is not safe, you risk losing critical business deals. Also, note that cyber-attacks come in different forms.

From infecting sites with malware then spreading it to your users or stealing critical visitors’ information like credit card details, emails, and addresses, or hijacking and crashing the site, there are a lot of risks that come with poor site security.

Moreover, Google also blacklists insecure sites. It blacklists over 50, 000 websites each week due to phishing threats and over 20, 000 sites due to malware threats.

This means that there’s no shortcut. You must harden your WordPress website security to ensure business continuity and protect your brand.

How Can I Secure My WordPress Site?

If you’re keen to secure your WordPress website, here is one fact and myth you should know about.

Fact: WordPress is an open-source script. This makes it vulnerable to most online attacks including man-in-the-middle attacks etc.

Myth: WordPress lacks built-in web security. This is not the case as WP is way more secure than most web builders out there.

Nevertheless, you still must make it secure to avoid cyber-attacks like brute force attacks, phishing attacks, man-in-the-middle attacks, and hacking, etc. After reading this piece, you will know;

  1. How to update your WordPress website.
  2. How to modify user permissions and passwords.
  3. How to migrate your site to SSL/HTTPs socket layer.

How Do I Keep My WordPress Site Updated?

It’s essential to keep your WordPress website updated to prevent malware attacks etc. Most WordPress updates come up with new features, which will also help you fix bugs on the site to increase the site’s security.

WordPress releases major updates around three times every year though there are also minor updates that occur by default. You must install the major updates manually. Before updating the site, be sure to back up your database and the website. Here’s how to update the site in two easy steps:

Step 1: Log in to your site’s dashboard.

On top of your admin dashboard, you’ll see a notification of the latest update for the site. You will also see your site’s current version.

If you log in via the ‘admin‘ dashboard, you’ll see an ‘updates’ tab. Under this tab, you’ll find a list of all the latest updates required for the site.

Step 2: Click ‘Updates‘.

When you click here, it’s prudent that you select the option for ‘running single updates at a time and the site’s frontend. This is important because it will be easy for you to diagnose faults in case one of the plugins causes a problem.

Either way, you can also use a few plug-ins to update your site automatically. Most webmasters prefer it because it offers real-time site updates and backups.

How to Modify WordPress User Permissions, Passwords and Actions

It’s important to note that hackers rely on stolen credentials to hack WordPress websites. Your best bet against hacking attempts is to use strong passwords and usernames which are hard to guess.

You should apply this to your admin area, WordPress hosting accounts, PTP accounts, and databases, etc. If you have lots of contributors and authors, you’ll need to define their roles and capabilities.

Here’s a breakdown of permissions and actions you can manage on the site.

Disabling WordPress File Editing

Perpetrators can maliciously edit the built-in code editor for your plugins, themes, and files. You must turn it off to lock out the perpetrators. Here’s how to do it.

  • Open your .htaccess files then add this line of code wp-config.php. Save the changes.

How to Disable PHP File Execution

You should disable the PHP file executions in areas where it isn’t important. It will help you mitigate attacks due to file injections via programming languages like PHP and JavaScript.

Here’s how to do it:

Step 1: Add four lines of code for disabling PHP file execution to your web server’s .htaccess files. It will look like this;

<Files *.php>

Order allow, deny

Deny from all


How to Limit Your Site’s Login Attempts

Limiting the site’s login attempts will help you avoid brute force attacks when hackers attempt to crack passwords to gain unauthorized access to your site.

Here’s a quick way to limit the WordPress site’s login attempts.

Step 1: Download and install then activate the Login LockDown plugin.

Step 2: Set it up via the ‘Settings‘ section.

Turning Off the Site’s Directory Indexing

Disabling your site’s directory indexing will make it difficult for hackers to find vulnerable files on your website. This is how to disable a site’s directory indexing.

Step 1: Connect to your site via the cPanel file manager or FTP.

Step 2: Locate your site’s .htaccess file in its root directory.

Step 3: Add this file; Options -Indexes in your .htaccess file options.

Step 4: Save and upload the .htaccess file to your site.

How to Switch Your Site to HTTPs/SSL Socket Layer

To harden your WordPress website security, it’s recommendable that you switch it to HTTPs instead of the traditional HTTP. The HTTPs protocol works by encrypting communication on the site and securing your primary webserver to the visitors.

The Transport Layer Security (TLS) secures the information shared via the HTTPS protocol to give your site three layers of security, i.e.;

  1. Data encryption. This ensures the data shared on the website are safe from the prying eyes of hackers.
  2. Data Integrity. Data integrity helps ensure that the data shared on your site cannot be modified without notification.
  3. Authentication. This helps ensure the communication on your website cannot be interrupted to avoid man-in-the-middle attacks, something which is crucial in helping you build reputation and brand dominance.

This is how to switch to https from HTTP:

  1. You should first have to buy SSL certificate. Most hosting companies offer free SSL certificates, but you may need to purchase a dedicated one to up your security game. Once you buy an SSL certificate, you need to configure it then you will have a certificate in the zip file that you should install on both your www versions and non-www versions. This will help you maintain your Google rank.
  2. Then update the site URL via Settings >> General there you can update the site URL address field.
  3. In case if the website is existing then set up SSL by redirecting it to HTTPS from HTTP. You need to add the below code in the .htaccess file:
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
    RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  4. You have now set up SSL and HTTPS on your WordPress site.
Disable Comments on WP blog

Bottom Line

Website security isn’t a one-time task. The golden rule is observing the basics, using dedicated, and relevant SSL certificates, and regularly updating the site.

This post was last modified on December 28, 2021 7:36 AM

Yogesh Patel: Yogesh Khetani is a famous Tech Blogger who loves to be surrounded by tech gadgets. So obviously, we can see his contribution here in that field. He also contributes to Now I am Updated website.