The Ultimate WordPress Security - Step by Step Guide (2021)

Do you want to improve your WordPress security? Read the ultimate WordPress Security guide which contains the top tips and tricks to make your website secured. Learn about the WordPress security best practices, tips and WordPress security plugins that you need to know. How to secure WordPress website from hackers?
For the many pros that come with WordPress websites, one significant con is how easy they can be to hack. If you do not ensure that you have a high level of WordPress website security in place for your site or blog, then you are at risk.

There are ways to make your site significantly more difficult to hack, however.

If a hacker is able to access your site they will likely insert bad-links, steal data, or other various activities that you will want to avoid having to deal with.

To help, we have put together some WordPress security tricks in the following step by step guide which will help you avoid any unwanted guests in your site.
The Ultimate WordPress Security - Step by Step Guide (2019)

Attacks That Pose A Threat 

There is a range of attack styles that your WordPress website security will need to defend, all of which come with a different level of severity. These can include: 
  • Bruteforce logins: This is a widespread technique that simply tries to log in to your site to take possession of your data and admin 
  • SPAM: This attack features bots that leave large amounts of comments which you will not be able to remove due to their sheer numbers 
  • Old plugins: Older versions of WordPress are the most vulnerable 
  • SQL injection: Not as common but by far the most severe, this attack gives access to sensitive information which the attacker can modify 
The good news is, all of these attacks can be prevented. There is also additional protection available from hosting providers which are tailored to a specific CMS. 
Step by step WordPress security tricks 

Let's look at some things you can implement to ensure that your WordPress website security is up to scratch, all of which can provide some necessary extra layers of protection. 

1. Choose a Difficult Password 

We'll get the most obvious one out the way first. It seems simple enough, but you would be surprised how many people do not set a very difficult password. A difficult password is one of the best ways to create trouble for a hacker looking to get into your site. 

If a hacker does guess your password the will immediately change it and start loading the malware, so make your password as complicated as possible. Include: 
  • Uppercase letters 
  • Lower case letters 
  • Random numbers 

2. Updates 

As we mentioned earlier, one of the most significant risks can be outdated plugins, as well as WordPress versions. Running the most up-to-date version is the most secure way to prevent malicious attacks as outdated versions of WordPress are far more vulnerable. 

wordpress update

Hackers and viruses are constantly evolving and adapting, and version and plugin updates work to combat this. Most security updates are automatic, but significant releases often require a manual update, so keep on top of this and perform the updates when they become available. 

3. Logins 

Another great hacker prevention trick is limiting login attempts as this makes the task of infiltrating your site much more difficult for spammers with automated software. It would also help if you set your default membership role to Contributor which means people can submit a blog post for review but are unable to publish.

Limit Login Attempts plugin

For your logins, however, you can use the Limit Login Attempts plugin which performs the function its name suggests. If you have someone attempt to log in to your account with an "admin," they will be blocked for a certain amount of time after a particular amount of logins that you dictate. 

You can also block IP's and run a report to see who is attempting a login that shouldn't be so you can block them. 

4. Usernames 

The default "admin" username should be changed straight away, if not you have already done half the work for the hackers. 

To do this, run the following query in Mysql: 

update wp-users set user_login=’newuser’ where user_login=’admin’; 

You can also create a new account with admin privileges then delete the original admin account, once you have logged in and tested the new one. 

Take note that if you follow this point the "admin" username as mentioned in the last point will also need to change in your login attempt plugin. 

5. SSL Certificates 

A Secure Socket Layer (SSL) certificate gives you a HTTPS link which means your connection is encrypted and therefore, much safer. This also provides a level of comfort for visitors to your site, especially if you are asking for their information, as it shows you run a secure site. 

Secure Socket Layer (SSL) certificate

There is a range of SSL plugins available that can help you with this. 

6. WordPress Themes 

As you may already have realised, there is no shortage of themes and plugins for your WordPress site, but you may not realise that not all of them are safe. Some themes can contain malicious code or security loopholes which is why you need to be careful when making your selections an only choose trusted themes.

WordPress Themes

A good way to ensure the theme is safe is by reading the reviews before downloading and only use trusted theme directory sites like MyThemeShop or Elegant Themes

To really play it safe, only search for themes through the WordPress Free Themes Directory and check the developer’s site. After installing the theme, run a WordPress Exploit Scanner plugin which will ensure there is no suspicious code. 

7. Access Settings 

You should limit access to the important linking pages of your site. 

Use the encrypted passwords of Secure FTP (SFTP) or Secure Shell access (SSH) as opposed to Simple FTP when adding files as this will make things significantly harder for hackers. 

Delete your FTP account altogether if you are not using an FTP connection for sharing files, and if you are running your site on Linux, you have the ability to choose who can access which data. Keep your settings relatively locked down, especially for important folders. 

Further to this, the folders which contain valuable data should be given a strict privacy setting and unique password. You can do this via the control panel under Security > Password protect directories. This will show you all of your folders, and you can select the ones you deem the most important. 

Set a username and password then under security settings check the box “Password Protect this directory.” 

8. Site Backup 

It is vital that you always have your website backed up. This is handy not only in the case where it may get hacked but also if you are making changes in the software or updating things. Having an original copy website can prove invaluable. 

By having all the database and files, you can regenerate your site and recover all the data in the case of hacking which requires you to delete and start fresh. Always ensure that you regularly update the copy of the backup as you make changes to your WordPress site. 

Backup your site in the cloud or on your OS but be aware if using email or cloud that getting hacked means they may also get access to these places as well. 

9. Using Two Factor Plugins 

You can add another layer of security to your WordPress plugins with a range of plugins that will prevent logged in users from making any changes until they have verified via a second factor of authentication. 

This involves the user, once having logged in, being emailed a code, different every time, which is validated with a cookie added to the user’s session which removes itself once they have logged out. 

10. Database Maintenance 

There are some simple changes you can make in your WordPress database to make things more difficult for hackers. For example, the default name of every table will start with wp_, but this can be changed. By making this simple change, you are taking a certain level of information away from the hacker and placing an infinite number of new possibilities in front of them to make it harder for them to gain access. 

The name of your database will also have a default ending which can also be changed so decoding it is made tougher. The more unique wording you use in these areas, the harder the shell will be to crack, it's as simple as that. 

If You Are Hacked 

All of the above advice is preventative, but what happens if the unfortunate occurs and you are hacked? The first thing you should do straight away is an attempt to reset your admin password, and scan your website for malicious content. You can also contact your host for assistance. There are various online services that can help you remove malware and repair any damage. 

Any layer of security that you can add to your WordPress site is worthwhile. Your hosting provider has a level of responsibility in the configuration of the server to ensure the necessary security measures are in place, but you also must be diligent and ensure you keep everything up-to-date. 

The extra effort you spend securing your website today can save you significant headaches tomorrow! 
James Silverwood
He is the digital marketing manager for Perpetual Strategic Services which is the fastest growing Website Design Company in Jeddah . He helps clients grow their web visibility through all aspects of digital marketing.

You may like these posts


  1. Great Post. I use different username, strong password, update regularly. protecting folders is new information for me. Thanks.
  2. Is therer any way to stop it after few seconds?
  3. i've applied this tricks ,but warning message not removing from last two days , what should i do now ?
  4. 30 hash tags Para - found hastags spelling mistakes. Good info. Thanks
  5. Thanks for the info. I have updated the content with correct spelling.
  6. We are very glade to hear that. Thanks for your valuable feedback. Keep in touch.
  7. Hi Ashutosh Dubey
    Just check your blog with below URL

    replace with your blog URL

    just type this code in your browser and if you can see your AdSense publication ID then it is working.

    If you can't see the script then go to your blogger dashboard and from Settings -> Search preferences enable the custom Custom ads.txt

    sometime it automatically disabled the feature, so you must enable it.
  8. I've done all this, u can check it -
    After https applying ,in robots.txt, it's begain,
  9. Hi Abhishek Prajapati,
    Unfortunately there is not any option available to stop the fireworks. But you can control the fireworks speed and color.
  10. Great! It is now working
  11. Working but from last 2 days in adsense dashboard this message is coming.
    Earnings at risk - One or more of your sites does not have an ads.txt file. Fix this now to avoid severe impact to your revenue
  12. Hi
    If your AdSense email different than blog email then it can be happen. But warning message will vanish within 2 days.

    If you are using different email for your adsense then add your blog email into your adsense account as administrator.

    From AdSense account dashboard

    click Settings -> Access and authorization -> User management

    now invite your blog email.

    Another thing you can do-----------

    remove the previous code and Disable the custom ads.txt

    and again add the code and enable the custom ads.txt

    wait for 24 hours and see the outcomes.
  13. Ok ,I will try, but in adsense forum, a lots of people complaining about this issue
  14. You can also add reseller code with direct code. Add same id as pub-ID., pub-xxxxxxxxxxxxxxxx, DIRECT, f08c47fec0942fa0, pub-xxxxxxxxxxxxxxxx, RESELLER, f08c47fec0942fa0
  15. will it not harm adsense account, as same id ?
  16. Not at all. This is just declaration. If you use with AdSense then you can also use below codes with AdSense on custom ads.txt, 8CUC64AF2, DIRECT, 19398, DIRECT, 0bfd66d529a55807, 19398, RESELLER, 0bfd66d529a55807, 157599, DIRECT, 5d62403b186f2ace, 157599, RESELLER, 5d62403b186f2ace, 537100188, RESELLER, 6a698e2ec38604c6, pub-7439041255533808, RESELLER, f08c47fec0942fa0, 100600, DIRECT, 17054, RESELLER, 156181, RESELLER, 211156, RESELLER, 7842df1d2fe2db34, 211156, RESELLER, 7842df1d2fe2db34
  17. May it because of https migration of blog ?
  18. i've applied it ,let's see what happen .
  19. For HTTPS migration your traffic will drop significantly and your AdSense income also.
  20. Sir, earning at risks message has not been disappeared yet, what should i do now ?
  21. I think your theme script resisting to detect the AdSense code. You can follow the below tutorial to speedup your adsense loading speed.

    add the below script above closing in your theme

    first disable and then enable custom ads.txt

    let me know the result.
  22. I am using mag one blogger template from theme forest.
    You can see here
  23. If some one desires expert view concerning running a blog afterward i suggest
    him/her to pay a visit this blog, Keep up the good job.
  24. I think this is among the most important information for me.

    And i am glad reading your article. But should remark
    on some general things, The site style is great, the articles is really nice : D.
    Good job, cheers
  25. Hi. Thanks for this piece.
    I want to ask what happens to those with more than one ads partner. For example I use both Adsense and Mgid on my site, Should I add mgid information too?
    I'm asking because i saw more than google ID on your ads.txt.
    Thanks again.
  26. Please, What's the difference between direct and reseller.
  27. Hi. I have both adsense and mgid on my site. Should I do same process for mgid on the site?

    What is the difference between direct and reseller?

    Thanks so much.
  28. Hi Femi
    Yes you have to add ads.txt code of both ads network. I am using AdSense and so for

    AdSense Code------------, pub-6974692108879141, DIRECT, f08c47fec0942fa0, 8CUC64AF2, DIRECT, 19398, DIRECT, 0bfd66d529a55807, 19398, RESELLER, 0bfd66d529a55807, 157599, DIRECT, 5d62403b186f2ace, 157599, RESELLER, 5d62403b186f2ace, 537100188, RESELLER, 6a698e2ec38604c6, pub-7439041255533808, RESELLER, f08c47fec0942fa0, 100600, DIRECT, 17054, RESELLER, 156181, RESELLER, 211156, RESELLER, 7842df1d2fe2db34, 211156, RESELLER, 7842df1d2fe2db34

    To get the magid ads.txt code you have to follow the tutorial from below URL

    difference between direct and reseller?

    1. Direct means that the publisher works directly with the AdSense vendor to sell its inventory.

    2. Reseller means tha…
  29. I believe other website proprietors should take this internet site as an model, very
    clean and wonderful user pleasant design.
  30. Its like you read my mind! You appear to know a lot about
    this, like you wrote the book in it or something.
    I think that you can do with a few pics to drive the message home a little bit,
    but other than that, this is fantastic blog. An excellent read.
    I'll definitely be back.
  31. Thanks,
  32. Thanks so much.
    Please can you show me an example of or how mgid ads.txt looks like?
  33. Hi Femi
    Ofcourse you can add ads.txt code from other publisher. This is not only applicable for Google AdSense rather if anyone wants to use any ads network they must declare about the direct seller and reseller.

    If you are using Blogger Platform then you are allowed to add upto 500 ads.txt code.
  34. Ads.txt problem evolve from Google. Ads.txt is not working with Many site's. I have found it in AdSense forum.

    If you can see that your ads are generating income then don't worry about alert.
  35. after following your advice ,ads.txt error has disappeared .thank u very much .
  36. I am very glade to hear that, your problem has been solved.
  37. Hai Rabbi, we have a long time to say, the problem I'm concerned with is that I've added the ads.txt file here for a few days, but I still see the message.

    Today seeing your article under, pub -.............................., DIRECT, f08c47fec0942fa0
    I added, pub -...................., RESELLER, f08c47fec0942fa0
    Did I do it right? what else can happen

  38. Yes vaggelis
    The code is ok. But the problem is occurring from AdSense. It takes longer time than expectation to detect the ads.txt

    Generally it will take 10 to 20 days to detect. So after enabling the ads script don't edit the script.

    If you see that your AdSense is generating income then it is ok. Don't worry. Warning banner will disappear automatically.
  39. Thank you, Rabbi. I'll wait. However, since the message appeared, profits are too low compared to before.
  40. Just check that your ads.txt is working

    if it is working then everything is ok.
  41. Thanks so much.
    You've been helpful.
  42. Hi Rabbi, Unfortunately, I still wait and the message is not gone. But I found something that seems to be the problem. For example, if I type the message is displayed correctly, but if I type then it does not get me the text of ads.txt but I see my website, while he would normally have to redirect at

    Do you have any idea what it can do?

  43. Hi Evaggelos
    on 4th June 2019 I have changed my Ads.txt for removing others ads network's ads.txt code. After that the warning message become visible in my AdSense account.

    Today is 16th June 2019 and the warning message disappeared. So in my case it has taken almost 22 days.

    Just check your script. It it is showing then warning message will disappear soon.

    AdSense earnings varies on blog Niche and keywords. To increase income write long article and tailor with high CPC keywords.

    You can check the blog nice based AdSense's probable income by visiting page.

    Thank you.
  44. I am not real superb with English but I line up this real easygoing to interpret.
  45. It's awesome designed for me to have a web site, which is good in support of my know-how.

    thanks admin
  46. I?m amazed, I must say. Seldom do I come across a blog that?s both equally educative and engaging, and let me tell you, you have hit the nail on the head.

    The issue is an issue that not enough people are speaking intelligently about.

    Now i'm very happy I came across this in my search
    for something relating to this.
  47. Hello.This article was extremely interesting, particularly
    since I was looking for thoughts on this issue last Sunday.
  48. I really prize your work, Great post.
  49. Awsome site! I am loving it!! Will be back later to read
    some more. I am taking your feeds also
  50. What's up, its nice article concerning media print,
    we all know media is a enormous source of facts.
  51. What a information of un-ambiguity and preserveness of valuable knowledge on the topic
    of unpredicted emotions.
  1. To insert a code use <i rel="pre">code_here</i>
  2. To insert a quote use <b rel="quote">your_qoute</b>
  3. To insert a picture use <i rel="image">url_image_here</i>
Go Up