WordPress is a popular content management system (CMS) used by 64% of all websites. Even though WordPress is open-source, it has great security as its developers regularly release updates to add new features or fix major and minor security issues.

That being said, implementing proper WordPress security practices is still crucial for WordPress website owners. Lacking security measures can cause the WordPress site to be vulnerable to cyberattacks.

Therefore, this article will cover ten best practices for keeping your WordPress website secure. Let’s get started.

1. Implement Two-Factor Authentication

Two-factor authentication (2FA), also known as two-step verification, adds an extra security layer or method to the login step. Users have to verify their identity via another device, so unauthorised users can’t easily gain access to your accounts.

2FA is important for WordPress security as it helps reduce the success rate of cyberattacks like brute force attacks. You can add 2FA to your WordPress account by installing a plugin like WP 2FA via the WordPress dashboard.

Once installed and activated, follow the steps below to enable 2FA:

  1. From the WordPress dashboard’s sidebar, navigate to Users -> Profile.
  2. Scroll down until you find the two-factor authentication settings, and click Configure 2FA.
  3. There will be a pop-up window to pick the 2FA method. Choose whether you want to use an authenticator app or email to generate the authentication code. Then, click Next Step.
  4. Configure the 2FA method of your choice by clicking I’m Ready.
  5. Enter the authentication code from an authenticator app or email, and click Validate & Save Configuration.

2. Invest In Secure WordPress Hosting

Every website owner needs a web hosting service to host their site and store its files. At the same time, many web hosting companies offer various security features to ensure that websites are protected. Therefore, choosing a reliable web hosting provider is crucial for securing your WordPress site.

Most web hosting companies, like Hostinger, offer different types of hosting services, such as shared hosting, Virtual Private Server (VPS) hosting, and WordPress hosting. Each web hosting service has its benefits, including various levels of security features.

For example, Hostinger’s WordPress hosting provides Cloudflare protected nameservers to secure your DNS from Distributed Denial-of-Service (DDoS) attacks. It also enables SSH access to secure your communication with the remote server. Additionally, the WordPress Multisite feature makes it easier for site owners to secure multiple websites using the same WordPress installation.

3. Update Your WordPress Version Regularly

According to WordPress, around 46% of websites are running on older WordPress versions. Meanwhile, 54% of websites have already installed the latest version – WordPress 5.9.

Updating the WordPress version is crucial to keep your website secure. By default, WordPress enables automatic background updates on the WordPress core file, plugins, themes, and translation file. Even though you can disable the automatic update, we don’t recommend it for security reasons.

You can check the current WordPress version from your WordPress admin area. Navigate to Dashboard -> Updates on the left sidebar. The WordPress Updates screen shows you the latest information about the WordPress version, plugins, and themes.

4. Modify the WordPress Login Page URL

All WordPress sites have the default login page URL – the domain name followed by /wp-admin. For instance, yourdomain.com/wp-admin.

This default login URL can be an easy target for hackers to gain access through brute force attacks. Therefore, we recommend changing it to a custom login URL using a plugin like Change wp-admin login or WPS Hide Login.

Install one of these plugins from the WordPress dashboard. If you’re using the WPS Hide Login plugin, navigate to Settings -> WPS Hide Login. Create a new login URL and click Save Changes. Then, test the custom login URL by typing it into the browser’s address bar to see if it works successfully.

5. Perform Regular Site Backups

Regularly backing up your WordPress website has various benefits. For instance, it helps your site recover quickly if you experience incidents like cyberattacks, data loss, or server failure.

You don’t need to back up the installation files individually, as WordPress site backups already include the website database and the WordPress core files.

Performing WordPress website backups can be done using the All-in-One WP Migration plugin. Here are the steps for making a backup file using this plugin:

  1. Install and activate the plugin via the WordPress dashboard.
  2. Navigate to All-in-One Migration -> Backups. Then, click Create Backup.
  3. There will be a pop-up window showing the progress of the backup process. Wait until it is complete.
  4. Once finished, you will see a download button for the backup file. Click it to save the file on your local computer.

6. Install an SSL Certificate

Having a secure sockets layer (SSL) certificate installed on your WordPress site enables a secure connection with visitors’ browsers. So, instead of using the default HTTP, your website’s URL will use HTTPS.

SSL encrypts the transferred data between the web server and users’ browsers, making it difficult to track or hack. Installing an SSL certificate also benefits your search engine optimisation (SEO) effort, as both search engines and customers will more likely trust your site, leading to more traffic and an overall better ranking on search engine results pages (SERPs).

Many web hosting providers include a free SSL certificate as a security feature. If it’s not enabled by default, you will need to do it manually. First, log in to your web hosting control panel and navigate to the Advanced section. Then, select SSL. After that, install the SSL certificate on your domain name by clicking Install SSL.

7. Update Your WordPress Plugins and Themes Regularly

Using an outdated WordPress plugin can make your site vulnerable to cyberattacks, as many cybercriminals attempt their attacks through plugin vulnerabilities. For example, Wordfence found cross-site scripting vulnerabilities in the Elementor plugin 2021.

WordPress will frequently inform you of any available updates for your existing plugins. If you decide to add new plugins, we recommend checking the plugin’s last update first before installing it.

For instance, avoid installing plugins that haven’t received any updates in the last three months. It is also important to uninstall unused plugins since they might weigh down your site load speed and lead to WordPress security risks if you forget to update them.

8. Use Strong WordPress Admin Login Credentials

Passwords are a standard security tool to prevent unauthorised users from accessing accounts. Therefore, in addition to modifying the WordPress admin page’s login URL, creating robust passwords is a crucial step to prevent hacking.

A quick tip to create secure passwords is to avoid using common patterns like qwerty or 123456. Other useful tips for creating strong passwords include:

  • Using a combination of symbols, numbers, and lowercase and uppercase letters.
  • Ensuring that the passwords have at least eight characters.
  • Utilising a password generator, such as LastPass or 1Password.

We also recommend changing your passwords regularly and utilising a password manager to store and manage all your passwords.

9. Limit Login Attempts

WordPress allows you to make unlimited login attempts by default, which might make your site vulnerable to brute force attacks. Limiting login attempts is therefore an excellent way to address this and monitor suspicious login activities on your website.

Limit Login Attempts Reloaded, Loginiser, or Limit Attempts by BestWebSoft, are several popular WordPress security plugins you can use.

For example, here’s how to configure the Limit Login Attempts Reloaded plugin:

  1. Go to Limit Login Attempts on the left control panel of the WordPress dashboard.
  2. Navigate to the Settings tab and scroll down to App Settings.
  3. From here, set the authorised number of retries and lockout time.
  4. Click Save Changes.

10. Disable File Editing

WordPress has a built-in file editor for editing PHP files. Although it’s a useful feature for site owners, it can cause serious problems if hackers gain access to your WordPress account. With this in mind, we recommend turning off file editing for security reasons.

To do that, you need to access the wp-config.php file via a file transfer protocol (FTP) client, such as Filezilla, or your web hosting’s file manager.

Open the wp-config.php file using a text editor, scroll down to the bottom line, and add the following code to disable the file editing feature:

define( ‘DISALLOW_FILE_EDIT’, true );

Save the changes on the wp-config.php file. Then, go to the WordPress dashboard to check whether the file editor is successfully disabled.


In conclusion, implementing the proper security measures is crucial for every WordPress site. It helps prevent cyberattacks while keeping WordPress websites secure.

In this article, we have gone over ten WordPress security tips to keep your website safe. Here’s a quick recap:

  1. Implement two-factor authentication.
  2. Invest in a secure WordPress hosting service.
  3. Update to the latest WordPress version.
  4. Modify the WordPress login URL.
  5. Perform regular site backups.
  6. Install an SSL certificate.
  7. Update your WordPress plugins regularly.
  8. Use strong admin login credentials.
  9. Limit login attempts.
  10. Disable file editing.

We hope you can build a secure WordPress site environment by following these WordPress security tips. Good luck!