How to Increase Security on your WordPress Website


You built your website yourself – how can you be sure it is secure?

You are not alone in your quest to keep hackers and malware off your website. But knowing just what you can do to be more secure is not always an easy process for the new website builder or business owner.

Maybe you just got a website designed by someone and you have no idea what they set up – you need to be sure you are protected.

Maybe you built your website and you learned how to do it on YouTube – you need to be sure you are protected.

Maybe your website has been plugging along for years and now you’ve been blacklisted because of malware – you need to get your site back and up and KEEP it protected.

I’ve seen so many instances where people think it is safe and they just don’t know what they don’t know about website design and the WordPress platform.

So today, let’s help you find out 10 things you can do to increase your WordPress website security.


1. Keep Your Website & Plugins Up To Date

Do you have themes you installed years ago but never really used hanging around on your website? Do you install a plugin only to decide you weren’t really going to use it? But then you never removed it? Now is the time to clean up your website. Get rid of files that aren’t being used and only keep current themes and plugins.

AND keep those you do have up to date. A good rule of thumb is to update at least monthly. Put it in your calendar if you forget things like this so it always stays up to date and current.

Just don’t forget step #10 before and after you update to be sure you have a copy at all times of your website in its most current form.

2. Install a Security Plugin and Optimize It

Our favorite is Wordfence but there are a few others out there like Sucuri or Loginizer that work well for others – we’ve used the free version of Loginizer but again prefer the added layers Wordfence offers clients. We just like the control and alerts Wordfence offers. Even with their free version, if you optimize the installation you will be far and away better off than having no security alerts on your website.

What we love about Wordfence is:

  • It can help you set up 2 Factor authentication very easily
  • Blocks IPs that aren’t playing nice on your website
  • Blocks visitors who use usernames such as admin, your website, etc. that are common for hackers to attempt (because a lot of users don’t think to make strong usernames – see our next point)
  • Get notifications when users are locked out or using brute force to attempt to get on your site
  • Get reminders about plugin and file updates when they are available
  • Monitors your site for malware
  • And so much more but those are our favorites.

No matter which one you choose – again, be sure to optimize it. You can’t just install and activate the plugin, you have to set it up to work properly for you.

3. Use Common Sense When Setting Up Your Username & Passwords

Still using admin or administrator for your login name??


Using a strong password people can’t guess will go a LONG way in securing your website. We won’t make you raise your hand if you did this but we know from experience with clients this happens ALL THE TIME, so go fix that right now – seriously if you have a username like this stop reading and go set up a new one and delete the old one!!

And same thing goes for your password. If you are using the same simple password on all your logins or even using Password1 for your password because you were too lazy to come up with something original and then never fixed it – change that! Get creative with your passwords and use a variety of symbols, numbers, and letters both upper and lower case. Make it your goal to have a 100% strong password.

Have a hard time remembering passwords? Use LastPass or something like it to save and protect yourself. You’ll never be left wondering what your password was again.

4. Hide Your Login Page

Can you guess the login page for a friend’s website?

Most likely too many of you are using the standard login page – this is another area you need to go change today!

A great plugin to do this quickly and easily is – WPS Hide Login

Make the last bit anything you wish – but don’t forget what you changed it to so you can get back on your website! Bookmark it – set it up in LastPass, just don’t lose it! (Seriously, write it down, put it into a document, something – you will thank me later!)

Hackers will have a hard time finding a login page if you do this and will instead get a 404 error page when they attempt going to the standard WP login page. #BusinessOwnersWinning

5. Hide Your Dashboard From Non-Admins

Unfortunately this isn’t something that is automatic in WordPress – maybe in the future but as of right now, if someone had contributor status and logged into your website they would see the navigation of your dashboard just like you do. The problem with that is they then could figure out what plugins you use, certain aspects about your security and much more. While they can’t navigate to those areas 1) it looks unprofessional for them to see it and 2) you want to keep as much data about your website as you can private.

Use the plugin – Hide Admin Bar from Non-Admins – it does just what it implies (you have to set it up of course but it is easy to do).

6. Disable Directory Browsing

Add the following line at the end of the .htaccess file (In Your CPanel):

Options -Indexes

This blocks visitors from viewing your file directory. Trust me it’s a good thing! You want to put as many barriers as possible between your website files and hackers.

7. Run a Malware Scanner

One of the sad parts of malware is it can spread so quickly. And sometimes website owners getting on their website are spreading the infection unknowingly. Use Malwarebytes or another malware scanner to check your own computer and see if you have any issues with malware that could be part of the problem.

Using plugins like Wordfence and having it scan your website for malware (that’s one of the settings that you need to be sure you do set up) will alert you early on that there is a problem before you get blacklisted.

8. Turn off File Editing from the Dashboard

Once you have dealt with malware it is your goal to never deal with it again! Often PHP files are where they attack so we want to be sure to turn off standard editing in as many places as possible!

From your CPanel – Add this code to the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

Doing this ensures that someone who got on your admin account couldn’t make changes from the file editor within the WordPress Dashboard.

9. Be Sure to Change your display name from your username

If you don’t set a Nickname or change the display name from the default (your username) when you do a blog post you will be sharing your username with the world! Don’t do that! Go in and make this easy change now!

Go to Users –> Pick your user account, then be sure there is a display name listed other than your username.

We recommend you take this even one step further and change your “Nice-Name” to something completely different from your username from within your “phpMyAdmin” area on your hosting platform.

10. Be Sure You Are Backing Up!

When you first start your site, make a backup.

Whenever you make major changes, Backup!

If your site isn’t new but doesn’t have malware – backup!

Backup Monthly.

Backup – Backup – Backup!!

Having clean backup files means you can restore instead of starting over if you do get malware.


A bonus change we’ve found helpful is changing file permissions in your cPanel.

Make sure that your wp-config.php file and .htaccess files are not writable. Permissions should be 444.

And lastly – Disabling Xmlrpc.php Manually or with a plugin

If you don’t want to utilize a plugin and prefer to do it manually, then follow this approach. It will stop all incoming xmlrpc.php requests before they get passed on to WordPress.

Open up your .htaccess file. You may have to turn on the ‘show hidden files’ within file manager or your FTP client to locate this file.

Inside your .htaccess file, paste the following code:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# To exempt a trusted address, add a line here: allow from <address>
</Files>
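A read-only audit of the settings from steps 6 and 8 and the two bonus items, added here as an example (it is not code from the original post). The function and check names are hypothetical, and it assumes an Apache host with .htaccess and wp-config.php in the WordPress root directory.

```python
import os
import re
import stat

def _active(text, prefixes):
    """Drop blank and comment lines so commented-out settings do not count."""
    return "\n".join(ln for ln in text.splitlines()
                     if ln.strip() and not ln.lstrip().startswith(prefixes))

def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""

def _read_only(path):
    """True when the file exists and no write bit is set (for example mode 444)."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode) & 0o222 == 0
    except OSError:
        return False

def audit(wp_root):
    """Return {check name: bool} for a WordPress root directory."""
    htaccess_path = os.path.join(wp_root, ".htaccess")
    config_path = os.path.join(wp_root, "wp-config.php")
    htaccess = _active(_read(htaccess_path), ("#",))
    config = _active(_read(config_path), ("//", "#", "*", "/*"))
    # A <Files xmlrpc.php> block only counts if it is closed and denies access.
    block = re.search(r'<Files\s+"?xmlrpc\.php"?\s*>(.*?)</Files>', htaccess, re.I | re.S)
    return {
        "directory_listing_off": bool(
            re.search(r"^\s*Options\b.*-Indexes\b", htaccess, re.I | re.M)),
        # Straight quotes only: typographic quotes pasted from a web page
        # do not define the constant, so they must not pass this check.
        "file_edit_disabled": bool(re.search(
            r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", config, re.I)),
        "xmlrpc_blocked": bool(block and re.search(
            r"deny\s+from\s+all|require\s+all\s+denied", block.group(1), re.I)),
        "wp_config_read_only": _read_only(config_path),
        "htaccess_read_only": _read_only(htaccess_path),
    }

if __name__ == "__main__":
    import sys
    for name, ok in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it with the path to the WordPress root as the only argument; any FAIL line points back to the matching step above.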


How Do I Know If My Website Has Been Attacked?

If you are using a reputable hosting company they will notify you when you have malware or your security scanner will.

If you have been hacked – you can clean it yourself or hire others to do it for you. We recommend working with a professional if you have never dealt with it before.


How to Remove Malware & Clean a Hacked WordPress Site

Having problems with WordPress security on your website? Contact us and let’s see if you’ve got as many safeguards in place as possible.
