10 Security Tips to Secure Your WordPress Site


Security should be a main concern for bloggers and webmasters who want to keep their website from becoming a hacker’s playground. Especially when your website has a revenue stream, you should invest some time in managing security. This article features a few key security tips for WordPress-powered sites.

WordPress is the most popular open source blogging platform available, but it is also a target of notorious hackers. It is very important for all webmasters to keep their WordPress blog secure.

Being open source software, WordPress has many protective plugins, functions and techniques available to protect you. These tools can defend your site from various attacks, spam and other threats.

Here are the 10 security tips to secure your WordPress site:

1. Always Stay Updated

Ensure that your WordPress theme, all plugins and WordPress itself are updated regularly. The updates include the latest security patches and fix vulnerabilities. Most of the time, notorious hackers gain access to websites running old versions of WordPress very easily because of the security vulnerabilities present in them.


2. Hide Your Login Username

Unfortunately, it’s possible to find out a WordPress user’s login by viewing the author archive page permalink, because by default WordPress shows the account username there.

Ex : 

However, a simple solution to fix this is to use the WP Author Slug plugin.

3. Hide Your WordPress Version

The installed version of WordPress can easily be checked by viewing the page source header. The WordPress version number is included in the metadata of the WordPress theme. Notorious hackers can easily find the installed version of WordPress and exploit it. As the vulnerabilities of previous release versions are known to everyone through

To hide your WordPress version number, add the following code to your 'functions.php' file:

// Return an empty string so WordPress prints no generator (version) tag.
function wpbeginner_remove_version() {
    return '';
}

add_filter('the_generator', 'wpbeginner_remove_version');
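To confirm the filter took effect, check both a rendered page and the RSS feed, since WordPress prints generator output in each. The script below is an added example, not code from the original article; the sample responses and the version 6.4.3 are constructed, and in practice you would pass in the bodies fetched from your own site.

```python
import re
from html.parser import HTMLParser

# Constructed responses; the version 6.4.3 and the markup are sample values.
HTML_BEFORE = '<html><head><meta name="generator" content="WordPress 6.4.3" /></head></html>'
FEED_BEFORE = ('<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel>'
               '<generator>https://wordpress.org/?v=6.4.3</generator></channel></rss>')
HTML_AFTER = '<html><head><title>Blog</title></head></html>'
FEED_AFTER = '<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel></channel></rss>'


class GeneratorFinder(HTMLParser):
    """Collects <meta name="generator"> contents and <generator> element text."""

    def __init__(self):
        super().__init__()
        self.values = []
        self._in_generator = False

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "meta" and (attributes.get("name") or "").lower() == "generator":
            self.values.append(attributes.get("content") or "")
        self._in_generator = tag == "generator"

    def handle_endtag(self, tag):
        self._in_generator = False

    def handle_data(self, data):
        if self._in_generator and data.strip():
            self.values.append(data.strip())


def leaked_versions(body):
    """Return the version numbers exposed by generator output in a page or feed."""
    finder = GeneratorFinder()
    finder.feed(body)
    finder.close()
    found = []
    for value in finder.values:
        match = re.search(r"(?:WordPress\s+|[?&]v=)(\d+(?:\.\d+)+)", value)
        if match:
            found.append(match.group(1))
    return found


if __name__ == "__main__":
    for name, body in [("page", HTML_BEFORE), ("feed", FEED_BEFORE),
                       ("page, filtered", HTML_AFTER), ("feed, filtered", FEED_AFTER)]:
        print(name, leaked_versions(body) or "no version exposed")
```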

4. Don’t Use Default Username

WordPress assigns the administrative account the username “admin” by default. That’s why it’s used on thousands of WordPress-powered websites and blogs.


But from version 3.0 onwards you’re no longer limited to the default username ‘admin’. In 2013, hackers launched a series of brute-force attacks at millions of WordPress-powered websites, attempting to sign in by pairing the username “admin” with common passwords.

There are two ways you can fix this:

Create New Account – The best and simplest way to change the default username is to create a new user account, give it admin access, and then delete the old account. WordPress will give you an option to associate all the existing posts with the new account.

Change through phpMyAdmin – Log in to cPanel and click on phpMyAdmin, then select the database where your WordPress site is hosted, and navigate to the “wp_users” table. There you can see all the usernames on your site. You can simply change the “user_login” value for the account.

5. Enable Secure SSL Login Pages

Logging in to your WordPress site through an encrypted channel provides another layer of security. Check with your hosting provider to see if you have an SSL certificate, or Shared SSL. Then add this line of code to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

You can also use a WordPress plugin that allows SSL control of your site: WordPress HTTPS (SSL)

6. Strong Password & Regular Change

About 8% of WordPress-powered sites are hacked due to a weak password. Passwords consisting of names and correctly spelt words are extremely vulnerable to brute-force attacks.

A password should be strong and impossible to guess. For a strong password, always use at least 7 characters containing upper-case and lower-case letters, special characters and numbers. Alternatively, you can use a password generator.

7. Limit Login Attempts

It’s possible to block a suspicious IP trying to hack your WordPress website by limiting login attempts. This can be done with the help of plugins, like the Limit Login Attempts plugin. This plugin automatically blocks a suspicious IP after it exceeds the login limit, and allows admins to specify how long that IP address remains blocked.
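The lockout behaviour described above can be replayed over a web server access log to see which addresses a limiter would have blocked and for how long. This is an added illustration, not the plugin's code; the thresholds, the log lines and the reading of status 200 as a failed login (302 as a success) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy: 3 failures inside 5 minutes lock the IP out for 20 minutes.
MAX_FAILS, WINDOW, LOCKOUT = 3, timedelta(minutes=5), timedelta(minutes=20)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def _line(ip, clock, status):
    # Builds one constructed access-log line (combined log format).
    return f'{ip} - - [10/Mar/2024:{clock} +0000] "POST /wp-login.php HTTP/1.1" {status} 3120'


SAMPLE_LOG = "\n".join(_line(*row) for row in [
    ("203.0.113.7", "10:00:01", 200),
    ("203.0.113.7", "10:00:05", 200),
    ("198.51.100.4", "10:00:07", 200),
    ("203.0.113.7", "10:00:09", 200),   # third failure: lockout starts
    ("203.0.113.7", "10:00:12", 200),   # arrives during the lockout
    ("198.51.100.4", "10:00:40", 302),  # successful login
    ("203.0.113.7", "10:21:00", 200),   # lockout has expired
])


def simulate_lockouts(log_text):
    """Return ({ip: locked_until}, [(ip, time) of requests a limiter would reject])."""
    failures, locked_until, rejected = defaultdict(deque), {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], TS_FORMAT)
        if ip in locked_until and ts < locked_until[ip]:
            rejected.append((ip, ts))
            continue
        if m["status"] != "200":  # assumption: 200 = form re-shown (failure), 302 = success
            failures[ip].clear()
            continue
        recent = failures[ip]
        recent.append(ts)
        while ts - recent[0] > WINDOW:
            recent.popleft()
        if len(recent) >= MAX_FAILS:
            locked_until[ip] = ts + LOCKOUT
            recent.clear()
    return locked_until, rejected
```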

8. Disable Directory Browsing

Directory browsing (if enabled) on your WordPress site is very dangerous, comparable to keeping your door always open and inviting a thief to see and steal the wealth inside your house.

A simple way to disable directory browsing in your site is to upload a blank index.html file in all directories and subdirectories except the root.
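Doing this by hand makes it easy to miss a directory, so the step can be scripted. The following is an added example, not part of the original article: it lists every subdirectory that has no index file and drops an empty index.html into each; the directory tree is constructed, and the set of index file names is an assumption about the web server's configuration.

```python
import os
import tempfile

# Assumption: the web server treats these names as the directory index.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}


def dirs_without_index(root):
    """List sub-directories of root (root itself excluded) that have no index file."""
    missing = []
    for current, subdirs, files in os.walk(root):
        subdirs.sort()  # deterministic traversal order
        if current != root and not INDEX_NAMES & set(files):
            missing.append(os.path.relpath(current, root))
    return missing


def add_blank_indexes(root):
    """Create an empty index.html wherever one is missing; return the directories touched."""
    touched = dirs_without_index(root)
    for rel in touched:
        # Mode "x" refuses to overwrite a file that already exists.
        with open(os.path.join(root, rel, "index.html"), "x"):
            pass
    return touched


def demo():
    """Run the audit on a constructed tree that mimics a WordPress layout."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("wp-content/uploads/2024", "wp-content/plugins/example-plugin", "wp-includes"):
            os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, "wp-content", "index.php"), "w"):
            pass
        before = dirs_without_index(root)
        add_blank_indexes(root)
        return before, dirs_without_index(root)
```

Directories created later (new upload folders, newly installed plugins) are not covered until the script runs again. On Apache, `Options -Indexes` in the site's `.htaccess` turns listings off for every directory at once, where the host allows that override.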

9. Delete Unused Plugins & Themes

Remove plugins & themes which are no longer in use. There’s no sense in keeping them on the server, as they take up space on the server and increase load.

10. Create Regular Backups

This is one of the most important tasks, but it is often neglected. Even if you have taken all the appropriate security measures, taking regular backups is very important. You can use a WordPress plugin that automates taking backups: BackUpWordPress.
