For writers, freelancers, and small business owners, WordPress is a godsend. Software production and maintenance may not have to cost thousands of dollars. Anyone can easily learn WordPress using online tutorials and begin promoting their business, products, or services. But what about the protection of WordPress? Sucuri claims that WordPress sites account for 90% (or 9 out of 10) of their overall clean-up requests.

Anyone can build a plugin or theme for WordPress since it is an open-source platform. These plugins and themes may be infected with malware or have a poor security structure. claims to have a total of 21,785 vulnerabilities in their database, with WordPress accounting for 80% of the vulnerabilities, plugins for 17.8%, and themes for 2%.

The irony is that most startups prefer WordPress because they are on a tight budget, don’t know how to code, or want an easy-to-use website. If you’re one of them, you’re probably thinking, “Do I need to hire a techie and spend thousands of dollars to protect my website?” “No,” is the answer.

10 Proven Tricks to Make Yours a Secure WordPress Site

We’ve compiled a list of the best freemium and low-cost security plugins and software that are simple to use and won’t break the bank. These tips can be applied to safe WordPress sites by anyone, even if they aren’t tech savvy.

WordPress Security Tip 1: Block Malicious and Spam Comments

To detect and delete spammy and malicious comments, use plugins like Akismet, CleanTalk, or Antispam Bee.

Why: If you have a forum or discussion section where people can leave comments, you need to be cautious about malicious comments. In order to hack the website or gain access to the WordPress database, hackers leave scripts and codes in the comments. They also have backlinks to their website and unsolicited product/service advertising. To date, Akismet, a WordPress security plugin for removing malicious comments, has blocked over 503 billion spam comments (as of Sept. 24, 2020).

WordPress Security Tip 2: Limit Login Attempts

Install login lockout plugins including Limit Login Attempts, Loginizer, or WPS Limit Login to protect your WordPress account.

Why? By default, all WordPress sites allow for an infinite number of login attempts. That means users can try their user IDs and passwords in the login field as many times as they want before they find the correct credentials. This lack of control appeals to hackers, who can use brute force attacks to take advantage of it.

In this form of cyberattack, hackers use a script or bot to automatically add a database of pre-guessed user IDs and passwords to website login fields before one of the attempts succeeds. A botnet is often used, in which a large number of infected devices launch a brute force attack on a particular login sector.

Limiting the number of login attempts a user can make in a given time is the best way to avoid brute force attacks. The device temporarily blocks the user/IP address after a certain number of failed login attempts (usually 3 to 5).

WordPress Security Tip 3: Regularly Scan Your Website

To detect and uninstall threats, instal WordPress security scanners and firewalls. cWatch, for example, checks the website and produces comprehensive reports on threats and vulnerabilities such as ransomware, brute force attacks, and DDoS attacks. Sectigo’s HackerProof Confidence Mark conducts regular scans of your website to detect vulnerabilities and provide actionable mitigation advice.

Why: Cybersecurity is a continuous process that often includes the identification and removal of malware. A malware scanner and firewall that monitors your website for cyber attacks and malware-related threats 24 hours a day, seven days a week is needed. It must be capable of removing malware, blocking suspicious IP addresses, and preventing a cyber attack in the early stages only to avoid further damage.

WordPress Security Tip 4: Encrypt Website Data Exchanges

Installing an SSL/TLS certificate on your website is the first step. It’s always better to go with a commercial TLS certificate than a free one because free ones don’t come with any kind of service or guarantee if anything goes wrong. Paid commercial certificates are also inexpensive, with many costing less than $10 a year! To make the installation process easier, use the Very Simple SSL plugin.

Why: If you don’t instal an SSL/TLS certificate, all browsers will show a “Not safe” message in the address bar next to your domain name. This message suggests a serious security vulnerability, indicating that data exchanged between your users’ browsers and your server is not encrypted. As a result, if a hacker manages to break into the internet network and gain access to the data, they will be able to read, interpret, alter, and steal it. Man-in-the-middle (MitM) attacks will make your website vulnerable.

The data will be encrypted using public key infrastructure (PKI) processes and technologies by the SSL/TLS certificate. PKI is a mechanism for public-key encryption (asymmetric encryption), a powerful mathematical algorithm that ensures data protection when in transit. It will display a green or grey padlock symbol in front of your domain name instead of the “not safe” alert (depending on your browser).

Note: Once you’ve installed your certificate, you’ll need to keep track of it on a regular basis. If it is revoked or expires, all users will show an error page to your website visitors that says “your link is not private” or “security risk ahead.” Free SSL certificates must be renewed every three months (90 days), and commercial SSL certificates must be renewed every two years (more specifically, 398 days). Free certificates have also had a poor track record of being withdrawn. So, select your SSL/TLS certificate carefully.

WordPress Security Tip 5: Enable 2FA as a Minimum

Two-factor authentication (2FA) tools such as Two-Factor, WordPress 2-Step Verification, Unloq Two Factor Authentication, and others are available. There’s also Google Authenticator, which is both free and easy to use.

Install the Google Authenticator plugin on your WordPress site and the Google Authenticator app on your computer. You must enter a unique code created on your phone using the Google Authenticator app every time you log in to your WordPress dashboard. It may also be used by several site managers, staff, or co-authors.

Note: The terms two-factor authentication and multi-factor authentication are often used interchangeably (MFA). MFA refers to any authentication that involves two or more authentication methods. So, while all two-factor authentication is a type of multi-factor authentication, not all MFA is two-factor authentication. Is that clear?

Why? Because two-factor authentication is more reliable than just using a password. Passwords, after all, can be stolen, leaked, or guessed. According to Verizon’s 2020 DBIR, brute force or the use of missing or compromised passwords account for 80 percent of hacking breaches.

Hackers also use brute-force attacks to find the right user ID-password combinations, as we described earlier. When you allow two-factor authentication, however, no one can break into your WordPress admin dashboard because the unique code, one-time password (OTP), or hidden PINs are only accessible by the person who has the cell phone.

WordPress Security Tip 6: Scan Your Backups Before Storing Them

How: We suggest CodeGuard because it generates an automated backup of your site, checks it for malware, removes anything suspicious it detects, and then stores the clean copy on a third-party website.

Why: We all know that having a current backup is vital to your online business’s health and security. If a ransomware attack has encrypted your website’s files, directories, and databases, you can quickly recover it using your safe backups. However, if an attacker instals malicious code into your website and you take a backup without scanning it first, the malware will be saved in your backups as well. As a result, the backup copy will be useless, and you’ll have to start over!

In other words, all of your backups will fail you when you really need them! As a result, scanning backups before saving them is the safest WordPress security technique. CodeGuard is one of the most effective backup tools, scanning the entire website and databases automatically before taking a backup.

WordPress Security Tip 7: Change Default Settings

Since WordPress has a default layout for URLs, file names, and storage locations, attackers can easily locate and hack important pages and files. These paths and file names should be changed manually to something special so that only you know where they are.

Using plugins like iThemes Protection or WP-DBManager, you can perform the tricks listed below.

1. Change your file and web page names. 

WordPress has default admin page URLs,

  •, or

Change the URL of your admin page to something special, such as or, for example.

Why: If you use the default admin page URL, anyone can easily access the admin login page and launch a brute force attack using bots. However, if your admin URL is special, only the person who knows the exact URL can log in.

2. Don’t use the default admin user ID of “admin.”

Instead of using “admin,” use an email address or some other specific term as your admin user Name. You can also do it from your hosting account.

Why: When you instal WordPress on your hosting site, you will be given the option to set the user ID to “admin.” Hackers are well aware of this. The user ID and password should fit in a brute force attack. When your user ID is admin, the hacker’s task is made 50% simpler. They just need to try various passwords for the user ID “admin” now.

3. In your WordPress database, you can change the table name.

A table’s prefix is set to wp-table by default. Replace it with a special name such as summerwp-, coolwp-, somethingnewwp-, and so on. To replace the prefix with a unique name, follow this guide: In WordPress, here’s how to modify the table prefix.

Why? Because these tables store all of your login credentials, user information, transaction details, audit logs, and so on. As a result, it’s very common among hackers. They search and break into this database with bots.

4. Copy the wp-config.php file from the root directory to a new location.

A hacker can access your wp-config.php file since it is located in the root directory by default. Remove the wp-config.php file from the root directory and place it in any folder above it. Follow the steps below: Change the wp-config file’s place.

Why is the Wp-config.php file essential? It contains details about your website’s important settings, configurations, WordPress authentication keys, and databases. When you store files in well-known locations (such as the root directory), attackers will use URL access vulnerabilities to compel you to browse. As a result, the wp.config.php file must be transferred to a protected location.

WordPress Security Tip 8: Require Strong Passwords

To ensure that all of your users generate strong passwords, use plugins like Password Policy Manager or Force Strong Passwords.

Why: WordPress does not require users to create a strong password by default (one uppercase, one lowercase, one digit, and one special character). Not all of your co-authors, employees, or consumers will take password security as seriously as you do.

The average user has 70-80 passwords, according to NordPass. Since remembering 80 different passwords is difficult, people frequently use weak passwords or reuse their passwords throughout several accounts. According to Avast, 83% of Americans have poor passwords, and 53% of them use the same password to secure several accounts. That is why, when users register or build an account on your website, you must use plugins that compel them to create strong passwords.

WordPress Security Tip 9: Block Image Hotlinks

How: To protect your WordPress site from image hotlinking, we suggest using one of three methods. You have the option of selecting one of them.

1. Use a Firewall

Image hotlinks can be blocked by certain well-known firewall plugins (such as All in One WP Security and Firewall). Simply go to your firewall’s settings, look for the image hotlinks section, and turn it on.

2. Enable Hotlink Protection via cPanel

Go to the security section of cPanel, find Hotlink Safety, and click it. Select Allow on the next tab.
An image of a mobile phone Automatically generated description

3. Insert Code Into Your .htaccess File:

Go to cPanel> File Manager> public html>.htaccess in your cPanel.
Select View/Edit from the context menu by right-clicking.

Copy the following codes and insert them at the bottom of the page:

In the position of, type the URL of your website.

The third line, where “” is written, shows that Google is authorised to use your images. If you want other websites, such as LinkedIn, Facebook, and Twitter, to access your website’s images, use the same code line.

For instance: Why: Image hotlinks are when third-party websites connect to your photos’ URLs directly from their own. People hotlink images because it is fast and convenient, and it removes the need for them to host the images on their server, which can take up a lot of room. Hotlinks consume bandwidth on your website, slowing down the pace and output of your sites. They also put unnecessary pressure on your server while offering little or no benefit to you.

WordPress Security Tip 10: Keep All WP Components Updated

How to: As soon as new versions of WordPress apps, themes, and plugins become available, instal them. Updates can never be delayed or overlooked because they are important for WordPress protection.

Why: Updates aren’t just about improving the software’s appearance and features. In general, older versions have security flaws that attackers can use to hack your WordPress site or inject malware into it. The publishers fix the old versions’ security bugs and release the patched edition. As a result, make sure that all of your WordPress components are up to date.

Last Words on WordPress Security

Because of its ease of use and free elements, WordPress is truly a technological revolution. However, as a technological platform becomes well-known by millions of people, it draws cybercriminals’ attention.

Needless to say, the demand for WordPress protection will continue to rise. This is why it’s important to make sure your WordPress site is secure (as much as possible, at least).

Between August 14 and September 14, 2020, Wordfence, a leading WordPress protection company, blocked a total of 3,818,725,238 cyber attacks and blacklisted 202,650 malicious IPs. These statistics suggest that it is past time for WordPress security to be taken seriously. You can improve the security posture of your WordPress site by following the ten tips mentioned above.

Categorized in: