How Can You Improve WordPress Security?

WordPress (WP) is a popular open source content management system that is why it seems ripe fruits for attackers as they always in search of bugs and vulnerabilities. Security of WordPress is an essential aspect of your organization IT department. Whether it is plug-in, themes or blog, you will have strong security for all of them. And for that you should consider security measures listed in this article that will help to boost WordPress security.

WordPress Security

Image Credti: Pixabay

Now, let’s know about WordPress hacking facts:

Facts about WordPress Hacking:

However, it is essential to know how the facts about WordPress site. Below is an infographic that easily give an idea about it.

  • Nearly 8% websites are hacked because of weak passwords.
  • There are 41% websites become vulnerable due to outdated web host servers.
  • 22% websites are hacked because of outdated and unwanted plug-ins.
  • Around 29% websites are exploited due to outdated themes.
  • Every five seconds, one WP website is hacked.


Proactive Measures for WordPress Security:

From the above facts, we can ascertain that there should be proactive security measures every enterprise and individuals should take to avoid further threat and vulnerabilities. Few of WP security measures are as under:

1.   Change username and password

You should have to change default Admin account of WP website and create a new user with admin rights. Because default Admin user account can be easily exploited by hackers. Allocate all blogs and pages to the new admin user and delete old account from WordPress. Then it would be not easy for hackers to guess your username and password. While keeping password for new admin, consider strong password including symbols, numbers and minimum 15 characters. Most users keep “12345”, “qwerty” password, which hackers easily know and break. You can take help of password generator that will generate strong and long passwords.

2.   Report WordPress bugs and security issues

WordPress is a popular content management system that is installed on number of PC across the world. Hence, it may possible that frequent issues or bugs emerge on WordPress. If you come across a bug or issue, you should report it among such large community of WordPress so other can benefit of it.

3.   Close old comments

It is wise to remove old comments earlier than 30/60 days as sometime hackers can inject spam comments. Thus, it will reduce ratio of spam comments. Besides, there are many tools available to filter spam comments and one of them is Akismet. This plug-in also highlights hidden links in comments. Moderators can see the approved comments for each user.

4.   Lock file permissions

For a better WP security, lock your file permissions and write access. You can lock down file permission either by changing cPanel setting of web host or by specific plug-in. In case, if you are not sure about the process, it is better to deal with your web host provider to get proper help.

5.   Remove login link

If the WordPress login screen has login link, attacker can easily click to access the login page. By removing such link, you can reduce chance of entering attacker on WordPress site. It is not a complete solution, but is a small but important step towards protecting your site.

6.   Avoid third party plug-ins

Use WordPress repository for downloading plug-ins, as there are more than 40K plug-ins available. However, many users prefer other source for downloading plug-ins like Code Canyon, Mojo Code etc. . Further, remove unused plug-ins from your website as they may be not in use and not updated since long time. You should consider user reviews, comments, free support or paid support before downloading plug-in.

7.   Update WordPress

When a new version of WP version is available, it generally pops up on screen. Keep your website updated along with all files, which is also an ideal way to enhance security. Update plug-in, themes, or core files via dashboard or FTP. WordPress team always issue patches to fix security hole of earlier version on regular base therefore, it is wise to update WP to its latest version. It is sensible to have backup of your WordPress files and database before applying any update.

8.   Use two-factor authentication

Two-factor authentication is an ideal solution for login security and there are few plug-ins named “Rublon” and “Clef” that can be used for two-factor authentication. Such strong authentication saves your website against botnets. For example, Rublon two-factor authentication saves your website against botnets as botnets once entered, it can infect visitors with malware as a result, and many search engines would delist your website. Instead of simple passwords, two-factor authentication provides more reliability. 

9.   Evaluate backup

Regular backup of your WP site should be kept offsite instead of keeping it on the same server. Because in the event of hacking, the files kept on the same server will also be infected. If you have no backup then you may lose data and files so it is important to have daily or weekly backup of your website. You can find take regular backup manually using cPanel > Backups tools where you can make full cPanel backup.

10.  Avoid directory browsing

A web server sometime fails to find index.php/index.html file and thus, it shows content of such directory. This information contains data related plug-ins, themes and other important data. For security purpose, it is sensible to disable directory-browsing feature as hackers can capture the data. To disable directory browsing, you can create new folder including plain text file and browse directory via browser. If the browser displays a text file link, then directory is enabled but if the browser shows “Page Not Found” page then it means the directory is disabled.

11.  Enable SSL

SSL is a protocol that secures travelling information between the server and the browser. To enable SSL on WordPress site, you have to add below commands into wp-config.php file:

define( 'FORCE_SSL_LOGIN', true );

define( 'FORCE_SSL_ADMIN', true );

It will forcefully redirect all URLs to HTTPS instead of HTTP and will give you optimum security to your website. SSL makes it tough for intruders to eavesdrop on the communication. In case, if you run ecommerce website or payment related website, SSL will help a lot in securing ongoing information.

12.  Remove WordPress version

Remove WordPress generator data as it reveals the current version of WordPress. Hackers can get idea of WP version and find loopholes of the version to exploit the website. To remove WP version, you can delete the readme.html file from WordPress installation directory. This will not show WP current version to the public.

13.  Check host speed, stability

It is believed that hosting provider is counted for around 40% of security issues therefore; it is wise to check features like speed, stability, uptime, security standards that a web host provider assures you about them.

Tips For Computer And Network:

Keep your computer and network clean from malware, spyware and virus. It can infect WP sites easily if the computer is infected.

  • Many people use free Wi-Fi available at coffee shop, public place and send sensitive information over unsecured Wi-Fi. Such Wi-Fi hotspot can be dangerous as hackers can target your device or PC.
  • Use strong and long password for WordPress, emails and other login forms. Use mixture of capital and small characters and symbols.
  • Take help of content distribution network firewall to prevent hackers. Such firewall also reduces the website loading time and provides additional protection layer.
  • Use security plug-ins like iThemes security, Bulletproof security, Sucuri scanner for protection of your WordPress site. It is sensible to choose a single security plug-in as there may be compatibility issues.


WordPress security is always been a neglected task for many users. Hence, keeping your website secure should be the most essential aspect on your list and it is an ongoing process. The above tips will keep your WordPress website secure against vulnerabilities and considerably drop chances of being hacked.