The Ultimate WordPress Security - Step by Step Guide (2022)

Do you want to improve your WordPress security? This guide collects the top tips and tricks for keeping your website secure: WordPress security best practices, settings and the security plugins you need to know about, and how to protect a WordPress site from hackers.
For all the pros that come with WordPress websites, one significant con is how easy they can be to hack. If you do not keep a high level of security in place for your site or blog, you are at risk.

There are ways to make your site significantly more difficult to hack, however.

If a hacker gains access to your site they will likely insert bad links, steal data, or carry out other activities that you will not want to deal with.

To help, we have put together some WordPress security tricks in the following step by step guide, which will help you keep unwanted guests out of your site.

Attacks That Pose A Threat 

There is a range of attack styles that your WordPress website security will need to defend against, each with a different level of severity. These include: 
  • Brute-force logins: A widespread technique that simply tries password after password against your login page to take possession of your data and admin account 
  • Spam: Bots leave large amounts of comments, which you will not be able to remove manually because of their sheer numbers 
  • Old plugins and versions: Outdated plugins and older versions of WordPress are the most vulnerable 
  • SQL injection: Not as common, but by far the most severe; this attack gives access to sensitive information, which the attacker can then modify 
The good news is that all of these attacks can be prevented. Hosting providers also offer additional protection tailored to a specific CMS. 
Step by step WordPress security tricks 

Let's look at some things you can implement to ensure that your WordPress website security is up to scratch, all of which can provide some necessary extra layers of protection. 

1. Choose a Difficult Password 

We'll get the most obvious one out of the way first. It seems simple enough, but you would be surprised how many people do not set a strong password. A strong password is one of the best ways to create trouble for a hacker trying to get into your site. 

If a hacker does guess your password they will immediately change it and start loading malware, so make your password as complex as possible. Include: 
  • Uppercase letters 
  • Lowercase letters 
  • Random numbers 

2. Updates 

As we mentioned earlier, one of the most significant risks is outdated plugins, as well as outdated WordPress versions. Running the most up-to-date version is the most effective way to prevent malicious attacks, as outdated versions of WordPress are far more vulnerable. 

Hackers and viruses are constantly evolving and adapting, and version and plugin updates work to combat this. Most security updates are automatic, but significant releases often require a manual update, so keep on top of this and perform the updates when they become available. 

3. Logins 

Another great hacker prevention trick is limiting login attempts, as this makes infiltrating your site much more difficult for spammers with automated software. It also helps to set your default membership role to Contributor, which means people can submit a blog post for review but are unable to publish it.

For your logins, you can use the Limit Login Attempts plugin, which performs the function its name suggests. If someone attempts to log in with a username such as "admin", they will be blocked for a period you specify after the number of failed attempts you set. 

You can also block IP addresses and run a report to see who is attempting logins that shouldn't be happening, so you can block them. 

4. Usernames 

The default "admin" username should be changed straight away; if you don't, you have already done half of the hackers' work for them. 

To do this, run the following query in MySQL (the table is wp_users when the default wp_ prefix is in use; adjust it to your own prefix): 

UPDATE wp_users SET user_login='newuser' WHERE user_login='admin'; -- the user_nicename and display_name columns of that row may still read 'admin' and are visible in author URLs, so change them too 

You can also create a new account with admin privileges and then delete the original admin account once you have logged in and tested the new one. 

Note that if you follow this step, the "admin" username mentioned in the previous step will also need to be updated in your login attempt plugin. 

5. SSL Certificates 

A Secure Sockets Layer (SSL) certificate gives you an HTTPS link, which means your connection is encrypted and therefore much safer. This also provides a level of comfort for visitors to your site, especially if you are asking for their information, as it shows you run a secure site. 

There is a range of SSL plugins available that can help you with this. 

6. WordPress Themes 

As you may already have realised, there is no shortage of themes and plugins for your WordPress site, but you may not realise that not all of them are safe. Some themes contain malicious code or security loopholes, which is why you need to be careful when making your selections and only choose trusted themes.

A good way to ensure a theme is safe is to read the reviews before downloading and to use only trusted theme directory sites like MyThemeShop or Elegant Themes.

To really play it safe, only search for themes through the WordPress Free Themes Directory and check the developer's site. After installing the theme, run a WordPress exploit scanner plugin, which will check that there is no suspicious code. 

7. Access Settings 

You should limit access to the important linking pages of your site. 

Use Secure FTP (SFTP) or Secure Shell (SSH), which encrypt your credentials and file transfers, instead of plain FTP when uploading files, as this makes things significantly harder for hackers. 

Delete your FTP account altogether if you are not using an FTP connection for sharing files. If you are running your site on Linux, you can also choose who can access which data; keep your permissions relatively locked down, especially for important folders. 

Further to this, the folders which contain valuable data should be given a strict privacy setting and unique password. You can do this via the control panel under Security > Password protect directories. This will show you all of your folders, and you can select the ones you deem the most important. 

Set a username and password then under security settings check the box “Password Protect this directory.” 

8. Site Backup 

It is vital that you always have your website backed up. This is handy not only in the case where it gets hacked but also when you are making changes in the software or updating things. Having an original copy of the website can prove invaluable. 

By having all the database and files, you can regenerate your site and recover all the data in the case of hacking which requires you to delete and start fresh. Always ensure that you regularly update the copy of the backup as you make changes to your WordPress site. 

Back up your site in the cloud or on your local machine, but be aware that if you use email or cloud storage, an attacker who compromises your site may also gain access to those places. Check out the SFTP programs and find out how cloud file transfers stay secure at GoAnywhere.

9. Using Two Factor Plugins 

You can add another layer of security to your WordPress site with a range of plugins that prevent logged-in users from making any changes until they have verified with a second factor of authentication. 

This involves the user, once logged in, being emailed a code that is different every time; the code is validated and a cookie is added to the user's session, which removes itself once they have logged out. 

10. Database Maintenance 

There are some simple changes you can make in your WordPress database to make things more difficult for hackers. For example, the name of every table starts with the default prefix wp_, but this can be changed. By making this simple change, you take a piece of known information away from the hacker and replace it with a large number of new possibilities, making it harder for them to gain access. 

The name of your database also has a default ending, which can likewise be changed so that guessing it is made tougher. The more unique the wording you use in these areas, the harder the shell will be to crack; it's as simple as that. 
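As an added example (not from the original article), this is the full set of MySQL statements needed to move an existing site off the default wp_ prefix. The new prefix xk7q_ is an assumption; pick your own, set `$table_prefix = 'xk7q_';` in wp-config.php first, and take a full backup before running it. The prefix is also stored inside option and usermeta rows, and forgetting those is what locks administrators out.

```sql
-- Assumed new prefix: xk7q_ (constructed for this example). Run against the WordPress database.
-- 1. Rename the twelve core tables. Plugin tables that also use wp_ must be added to this list;
--    find them with: SHOW TABLES LIKE 'wp\_%';
RENAME TABLE
  wp_commentmeta         TO xk7q_commentmeta,
  wp_comments            TO xk7q_comments,
  wp_links               TO xk7q_links,
  wp_options             TO xk7q_options,
  wp_postmeta            TO xk7q_postmeta,
  wp_posts               TO xk7q_posts,
  wp_terms               TO xk7q_terms,
  wp_term_relationships  TO xk7q_term_relationships,
  wp_term_taxonomy       TO xk7q_term_taxonomy,
  wp_termmeta            TO xk7q_termmeta,
  wp_usermeta            TO xk7q_usermeta,
  wp_users               TO xk7q_users;

-- 2. Rows whose keys carry the prefix (wp_user_roles, wp_capabilities, wp_user_level ...).
--    SUBSTRING(..., 4) drops the three characters 'wp_'; the backslash keeps '_' literal in LIKE.
UPDATE xk7q_options
   SET option_name = CONCAT('xk7q_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';

UPDATE xk7q_usermeta
   SET meta_key = CONCAT('xk7q_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 3. Check: nothing should still reference the old prefix, and the renamed keys should be present.
SELECT option_name FROM xk7q_options WHERE option_name LIKE 'wp\_%';      -- expect no rows
SELECT DISTINCT meta_key FROM xk7q_usermeta WHERE meta_key LIKE 'xk7q\_%'; -- expect xk7q_capabilities etc.
```

If the capability rows are missed, every account (including yours) loses its role and the dashboard shows "Sorry, you are not allowed to access this page", which is the first thing to check after a prefix change.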

If You Are Hacked 

All of the above advice is preventative, but what happens if the unfortunate occurs and you are hacked? The first thing you should do is reset your admin password and scan your website for malicious content. You can also contact your host for assistance, and there are various online services that can help you remove malware and repair any damage. 

Any layer of security that you can add to your WordPress site is worthwhile. Your hosting provider has a level of responsibility for configuring the server so that the necessary security measures are in place, but you must also be diligent and keep everything up to date. 

The extra effort you spend securing your website today can save you significant headaches tomorrow! 
James Silverwood
He is the digital marketing manager for Perpetual Strategic Services, which is the fastest growing website design company in Jeddah. He helps clients grow their web visibility through all aspects of digital marketing.