This post may contain affiliate links, please read our affiliate disclosure to learn more.
Secure WordPress

How to Secure WordPress (11 Suggestions)

 By Charles Joseph | Cybersecurity Researcher
 Published on November 19th, 2022
This post was updated on November 25th, 2023

WordPress is a content management system (CMS) based on PHP and MySQL for websites and blogs. It’s so ubiquitous that it powers over 35% of all the websites on the internet, making it an attractive target for hackers.

To secure your WordPress website and protect it from potential threats, follow these best practices.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.
We respect your privacy and you can unsubscribe anytime.

11 Ways to Secure Your WordPress Site

1. Keep WordPress, Themes, and Plugins Up-to-Date

Regularly update your WordPress core, themes, and plugins to ensure you have the latest security patches and bug fixes.

2. Use Strong, Unique Passwords

Create complex and unique passwords for your WordPress admin account, database, and FTP access. Use a combination of uppercase and lowercase letters, numbers, and special characters.

3. Enable Two-Factor Authentication (2FA)

Implement 2FA for your WordPress admin account to add an extra layer of security. You can use plugins like Google Authenticator, Duo Two-Factor Authentication, or Wordfence Security for this purpose.

4. Limit Login Attempts

To prevent brute-force attacks, limit the number of login attempts for your WordPress admin account. You can use plugins like Login LockDown, Limit Login Attempts Reloaded, or Wordfence Security.

5. Change the Default Admin Username

Change the default “admin” username to a unique and less predictable name to make it more difficult for attackers to guess your login credentials.

6. Install a Security Plugin

Use a reputable WordPress security plugin like Wordfence Security, iThemes Security, or Sucuri Security to help protect your website from common threats, detect malware, and monitor your site for suspicious activity.

7. Implement Proper File and Folder Permissions

Ensure that your WordPress files and folders have the correct permissions to prevent unauthorized access. Typically, folders should have 755 permissions, and files should have 644 permissions.

8. Use an SSL Certificate

Install an SSL certificate on your website to enable HTTPS and encrypt data transmitted between your visitors and your server. This helps protect sensitive information, like login credentials or personal data, from being intercepted.

9. Regularly Back Up Your Website

Create regular backups of your WordPress site, including your database and files, to ensure that you can quickly recover your site in case of a security breach or data loss. You can use plugins like UpdraftPlus, BackupBuddy, or Duplicator for this purpose.

10. Disable XML-RPC

XML-RPC can be exploited to perform brute-force attacks on your WordPress site. If you don’t need this feature, consider disabling it by adding the following code to your .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Replace “” with your IP address if you need to allow access to specific IPs.

11. Hide Your WordPress Version

Remove the WordPress version number from your site’s header and RSS feeds to make it more difficult for attackers to target known vulnerabilities. You can add the following code to your functions.php file:

// Remove WordPress version number
function remove_wp_version() {
    return '';
add_filter('the_generator', 'remove_wp_version');


By following these best practices and maintaining a proactive approach to your WordPress site’s security, you can significantly reduce the risk of cyber threats and protect your website from potential attacks.

How to Secure Your Website From Hackers (Video)

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional
Scroll to Top