WordPress Security: Complete Guide 2021 | 22 Easy Steps

Last Updated on December 28, 2022 by Steve

WordPress security is a hot topic. WordPress is one of the most popular content management systems on the internet and there is a good reason for that. WordPress is easy to use. With the thousands of themes, and plugins available, users can make any type of website they choose with it. That’s the main reason why WordPress powers 35.6% of all websites on the internet.

WordPress is often targeted by hackers as a result of its popularity. According to Sucuri, in 2019, 94% of all website cleanup requests belonged to WordPress, a 4% increase from 2018.

cms infection comparison
CMS Infection Comparison

Whether you have a personal blog, eCommerce site, business portal etc. WordPress security should be a top priority.  When it comes to WordPress security, users usually fall into two camps: the ones who take security seriously and take precautionary measures and those who believe or hope it will never happen to them because their site is not important enough.

Internet Live Stats
Internet Live Stats

Visit the Internet Live Stats  to get a better understanding of the severe security issues associated with websites. There, you can see an exact number of websites hacked each day and even watch the number rising in real-time.

WordPress Security Setup: Step By Step

To prevent your WordPress site from ending up a statistic like the many on Internet Live Stats, follow the steps below.

Use A Hosting Company With WordPress Security Features In Place

The first step towards securing your WordPress website is to invest in a hosting company that implements proper WordPress security features. This includes support for the latest version of PHP, MySQL, and Apache as well as a firewall and 24/7 security monitoring.

If possible, choose a hosting company that performs daily backups and regular malware scans. You can even find hosting companies that employ various DDOS prevention measures.

Your hosting company is usually the first wall hackers have to break through to get access to your site so investing more upfront and purchasing a more expensive hosting plan will definitely pay off.

Use Strong Passwords and Change Them Frequently

Make sure that the passwords for your WordPress website as well as your hosting account area are both secure. Use a mix of uppercase and lowercase letters, numbers, and symbols to come up with a strong password. You can also use a password manager like LastPass to generate and store secure passwords for you.

Do Not Use Admin As Your Username

WordPress used to set the default username as admin and most users never bothered to change it. As a result, admin is usually the first username hackers will try when they launch a brute force attack.

As such, you should never use the admin username for your WordPress website. If you’re recently installed your WordPress website, chances are you have had to set your own username. But if you’re a long-time WordPress user, you might still be using the admin username.

If that’s the case, create a new admin username for your site by going to Users > Add new and choosing a strong username and password. Set the role to the Administrator and then click the Add new user button.

You’ll then login with those new credentials and delete your old admin user. Remember to assign all your content to your new admin user before deleting the old one.

Creating An Administrator Account
Creating An administrator Account

Use a Contributor or Editor Account to Post On Your Site Instead of Administrator

If you want to take the above tip a step further, consider creating a contributor or an editor account to add new posts and articles to your site. Doing so will make it harder for hackers to do damage on your site as contributors and editors don’t usually have administrator privileges.

Backup WordPress With a Plugin

f you’re not backing up your website yet, you need to start right away. A backup system will help you restore your site if the worst happens and your site ends up being hacked.

Use a plugin like UpdraftPlus to create a regular backup schedule for your website and don’t forget to store the backup files offsite to ensure those files don’t end up infected as well.

Check out our tutorials on backing up WordPress using UpdraftPlus or back up WordPress using cPanel for more details on how to do this.

Secure WordPress Admin Area

When it comes to hardening the admin area, you’ll need to change the default admin URL and limit the number of failed login attempts before a user is locked out of your site.

By default, the admin URL for your website will look like this: yourdomain.com/wp-admin. Hackers know this and will attempt to access this URL directly so they can gain access to your site.

You can change this URL with a plugin like WPS Hide Login.

WPS Hide Login Plugin
WPS Hide Login Plugin

For  limiting the number of failed login attempts, you can use Loginizer.

Loginizer Plugin
Loginizer Plugin

Keep WordPress Up To Date

Outdated files pose a security risk because they leave your site vulnerable to other exploits. That’s why you need to install updates as soon as they are released.

While you’re at it, make sure to regularly go through your installed plugins and deactivate and delete the plugins/themes you’re not using anymore.

Protect The Computer You Use To Access WordPress

You might be wondering what does your computer have to do with your website. If your computer is infected with a virus and you access your site or upload files to it, those infected files can infect your website as well. In short, you want to make sure to:

  • Avoid using public Wi-Fi networks to access your site
  • Install anti-virus software and make sure it’s up to date

Change WordPress Database Prefix

Another fact that’s well-known by WordPress hackers is that your database prefix is set to wp. This fact makes it easy for them to guess the table prefix and use automated SQL injections to gain access to your site.

Changing your database prefix is a manual process that involves editing your wp-config.php file and changing the table names using phpMyAdmin. Before making the change, be sure to backup your site as a preventative measure.


You’ll need to login to your hosting account and access your cPanel or whichever control panel your host is using. Then, access the File Manager and locate your wp-config.php file in the WordPress directory.

Find the table prefix line which looks like this: $table_prefix followed by a = sign and the table prefix itself. Replace the default string with your own prefix using a combination of numbers, underscores, and letters like so:

$table_prefix = ‘hgwp_3456_’;

Once you’re done editing the wp-config.php file, exit the File Manager and access the phpMyAdmin so you can change all the table names. Doing this manually can be tedious as there are 11 tables in total that you need to edit. Instead, you can input an SQL query by going to SQL tab

Running SQL Query
Running SQL Query

Then input this:

RENAME table `wp_commentmeta` TO `hgwp_3456_commentmeta`;
RENAME table `wp_comments` TO `hgwp_3456_comments`;
RENAME table `wp_links` TO `hgwp_3456_links`;
RENAME table `wp_options` TO `hgwp_3456_options`;
RENAME table `wp_postmeta` TO `hgwp_3456_postmeta`;
RENAME table `wp_posts` TO `hgwp_3456_posts`;
RENAME table `wp_terms` TO `hgwp_3456_terms`;
RENAME table `wp_termmeta` TO `wp_a123456_termmeta`;
RENAME table `wp_term_relationships` TO `hgwp_3456_term_relationships`;
RENAME table `wp_term_taxonomy` TO `hgwp_3456_term_taxonomy`;
RENAME table `wp_usermeta` TO `hgwp_3456_usermeta`;
RENAME table `wp_users` TO `hgwp_3456_users`;

While the above query should change your database prefix everywhere, it’s a good idea to run another query to make sure any other files using the old database prefix get updated:

SELECT * FROM `hgwp_3456_options` WHERE `option_name` LIKE '%wp_%'
You’ll also want to search for theusermeta and replace any leftover old prefixes with the new one:
SELECT * FROM `hgwp_3456_usermeta` WHERE `meta_key` LIKE '%wp_%'

Secure .htaccess and wp-config.php Files

htaccess and wp-config.php are the most important files in your WordPress installation. As such, you need to make sure they are secure and protected.

Simply add the codes below to your .htaccess file, outside the # BEGIN WordPress and # END WordPress tags to ensure the changes aren’t overwritten with each new update.

<files wp-config.php>

order allow,deny

deny from all


<Files .htaccess>

order allow,deny

deny from all


<Files wp-login.php>

order deny,allow

Deny from all

# allow access from my IP address

allow from


The snippets above will protect your wp-config and .htaccess as well as limit access to the wp-login.php screen.

Lastly, add the snippet below to prevent PHP file execution:

<Files *.php>

deny from all


Check File Permissions

When you’re done securing your .htaccess and wp-config.php file, stay a little longer in your cPanel and check the file permissions for the files and folders in your WordPress website.

File Permissions
File Permissions

For users who do not have access to cPanel you can use File Manager plugin to do this.

File Manager Plugin
File Manager Plugin

According to the WordPress codex, the permissions should be set as follows:

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600

If your settings are different, hackers could easily read the contents as well as change the contents of the files and folders which can then lead to your site being hacked as well as other sites on the same server being hacked.

Use Two-Factor Authentication

Consider using a plugin like Google Authenticator to set up two-factor authentication for your site. This means that in addition to entering your password, you will also have to enter a code generated by a mobile app to log in to your site. This can stop brute-force attacks so it’s a good idea to set it up now.

Google Authenticator
Google Authenticator

Disable XML-RPC

XML-RPC allows your site to establish a connection with WordPress mobile apps and plugins like Jetpack. Unfortunately, it’s also a favorite of WordPress hackers because they can abuse this protocol to execute several commands at once and gain access to your site. Use a plugin like Remove & Disable XML-RPC Pingback to disable this feature.

Disable XML RPC
Disable XML RPC


HTTPS stands for Hypertext Transfer Protocol Secure while SSL stands for Secure Socket Layers. In a nutshell, HTTPS allows visitor’s browser to establish a secure connection with your hosting server (and therefore, your site). The HTTPS protocol is secured via SSL. Together, HTTPS and SSL ensure that all the information between a visitors’ browser and your site is encrypted.

Using both on your site will not only increase your site’s security, but it will also benefit your search engine rank, establish trust in your visitors, and improve your conversion rate.

Talk to your hosting provider and ask about the possibility of obtaining an SSL certificate or to point you in the direction of a reputable company where you can buy one.

All Best WordPress Solution Hosting products come with free SSL by Let’s Encrypt.

Real Simple SSL is a free WordPress plugin that can make setting up SSL easier and even more secure.

Really Simple SSL automatically detects your settings and configures your website to run over https.
To keep it lightweight, the options are kept to a minimum. The entire site will move to SSL.

Real Simple SSL Plugin
Real Simple SSL Plugin

Disable Theme and Plugin Editing Through Your WordPress Dashboard

Having the option to edit your theme and plugin files right within your WordPress dashboard is handy when you need to quickly add a line of code. But it also means that anyone who logs into your site can access those files.

Disable this feature by adding the following code to your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Move The wp-config.php File To A Non-WWW Directory

The wp-config.php file is one of the most important files in your WordPress installation. Make it harder to access by moving it from the root directory to a non-www accessible directory.

A. For starters, copy the contents of your wp-config.php file into a new file and save it as wp-config.php.

B. Go back to your old wp-config.php file and add the line of code below:

C. Upload and save the new wp-config.php file to a different folder.

Change Your WordPress Security Keys

WordPress security keys are responsible for encrypting the information stored in the user’s cookies. They are located in the wp-config.php file and look like this:

define('AUTH_KEY', 'put your unique phrase here');

define('SECURE_AUTH_KEY', 'put your unique phrase here');

define('LOGGED_IN_KEY', 'put your unique phrase here');

define('NONCE_KEY', 'put your unique phrase here');

define('AUTH_SALT', 'put your unique phrase here');

define('SECURE_AUTH_SALT', 'put your unique phrase here');

define('LOGGED_IN_SALT', 'put your unique phrase here');

define('NONCE_SALT', 'put your unique phrase here');

Use the WordPress Salts Key Generator to change them and make your site more secure.

Disable Error Reporting

Error reporting is useful for troubleshooting and determining which specific plugin or theme is causing an error on your WordPress website. However, once the system reports an error, it will display your server path as well. Needless to say, this is a perfect opportunity for hackers to discover how and where they can take advantage of vulnerabilities in your site.

You can disable this by adding the code below to your wp-config.php file:

@ini_set(‘display_errors’, 0);

Remove the WordPress Version Number

Anyone who takes a peek at the source code of your website will be able to tell which version of WordPress you’re using. Since each WordPress version has public changelogs that detail the list of bugs and security patches, they can easily determine which security holes they can take advantage of.

WordPress Version
WordPress Version

Luckily, there’s an easy fix. You can remove the WordPress version number by editing your theme’s functions.php file and adding the following:

remove_action('wp_head', 'wp_generator');

Use Security Headers

Another way to secure your WordPress website is to implement security headers. Typically they are set at the server level in order to prevent hacking attacks and reduce the number of security vulnerability exploits. You can add them yourself by modifying your theme’s functions.php file or by using free HTTP Headers Plugin

HTTP Headers Plugin
HTTP Headers Plugin

Cross-scripting attacks

Add the following code to whitelist allowed content, script, styles, and other content sources:

header('Content-Security-Policy: default-src https:');

This will prevent the browser from loading malicious files.

Iframe clickjacking

Add the line below to instruct the browser not to render a page in a frame:

header(‘X-Frame-Options: SAMEORIGIN’);X-XSS-Protection and X-Content-Type-Options

Add the following lines to prevent XSS attacks and tell Internet Explorer not to sniff mime types

header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');

Enforce HTTPS

Add the code below to instruct the browser to only use HTTPS:

header('Strict-Transport-Security:max-age=31536000; includeSubdomains; preload');

Cookie with HTTPOnly and Secure flag in WordPress 

Tell the browser to trust only the cookie set by the server and that the cookie is available over SSL channels by adding the following:

@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);

If you don’t want to add these headers manually, consider using a plugin like Security Headers.

Security Headers Plugin
Security Headers Plugin

This plugin has not been updated for a few versions of WordPress but still works. Regardless of which method you choose to implement the security headers, be sure to test them using Security Headers website and entering your site’s URL.

Secure WordPress Against Hotlinking

Hotlinking is not a security breach per se but considering it refers to another website using your site’s URL to point directly to an image or another media file, it is considered theft. As such, hotlinking can lead to unexpected costs not only because you’ll have to deal with legal ramifications but also because your hosting bill can go through the roof if the site that stole your image receives a lot of traffic.

Add the code below to your .htaccess file if you’re using the Apache server and replace the dummy domain with your actual domain name:

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Alternatively, if you’re using NGINX servers, you’ll want to modify your config file with the following:

location ~ .(gif|png|jpe?g)$ {

valid_referers none blocked ~.google. ~.bing. ~.yahoo yourdomain.com *.yourdomain.com;

if ($invalid_referer) {

return 403;



Log Out Idle Users

Inactive Logout Plugin
Inactive Logout Plugin

The last tip in this guide for increasing your site’s security is to log out idle users after a period of inactivity. You can use a plugin like Inactive Logout to automatically terminate inactive sessions.


WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. But because it’s so popular, it’s also a favorite target for hackers. Luckily, there are a number of steps you can take to protect your WordPress site and if you follow the tips in this article, you’ll be well on your way to having a secure WordPress website. WordPress security should be a number one priority. Don’t let all of the hard work you put into designing and maintaining your site go to waste by allowing a would be hacker access.


  • Steve

    I have been in the information technology field since I left the United States Army over twenty years ago. Skills and experience include a Bachelor's degree in Computer Information Systems with a Specialization in Databases and a Master's in Computer Information Systems Management.

    I fell in love with WordPress over 10 years ago and spend most of my time designing, building and administering WordPress based sites. I am fluent in multiple programming languages including Python, PHP, SQL, Java and C#.

Leave a Comment

%d bloggers like this: