We hope you enjoy reading this post.

If you would like our team to work for you, click here.

How Can I Keep My WordPress Site Safe & Secure?

WordPress is the most widely used Content Management System (CMS), powering over 30% of all websites. However, as it continues to rise in popularity, hackers have taken notice and are beginning to target WordPress sites explicitly. Your website is likely not an exception, regardless of the type of content you publish on your WordPress site. You might be at risk of being hacked if you do not take necessary safeguards. You should check the security of your website, as you do with anything technology-related.

In this post, we’ll go through our top eleven tips for keeping your WordPress site safe and secure.

1. Update your WordPress core files

It is a good practice to maintain your WordPress up to date in order to keep your website secure. Developers make changes with each version, and security features are frequently updated. By keeping your software up to date, you may help protect yourself from becoming a target for pre-identified gaps and exploits that hackers can use to get access to your website.

It’s also crucial to keep your plugins and themes up to date for the same reasons.

WordPress downloads minor updates automatically by default. Major adjustments, on the other hand, must be made directly from your WordPress admin dashboard.

2. Choose a strong password

Passwords are a critical component of website security that is all too frequently disregarded. If you’re using a simple password like “123456, abc123, password,” you should change it right away. While these simple generic passwords might be simple to remember, they are also really simple to guess for potential hackers. Nefarious users will be able to easily crack your password and gain access to your account without too much difficulty.

It’s critical to choose a difficult password, or better yet, one that’s generated automatically using a mix of numbers, upper and lower case letters, illogical letter combinations, and special characters like @ or #.

3. Use a WordPress security plugin

Regularly checking your website security for malware is time-consuming, and unless you keep your understanding of coding techniques up to date, you may not even realise you’re looking at malware written into the code. Other people, thankfully, have recognised that not everyone is a developer and have created WordPress security plugins to assist. A security plugin looks after your site’s security, scans for malware, and keeps an eye on it 24 hours a day, seven days a week to see what’s going on.

Wordfence is our favourite WordPress security plugin

Wordfence offers a built-from-the-ground-up endpoint firewall and malware scanner to secure WordPress. Wordfence gets the latest firewall rules, malware signatures, and malicious IP addresses from our Threat Defense Feed, so it can keep your website safe. Wordfence is the most comprehensive security solution available, with a range of additional features. And best of all, there’s a FREE version that you can use to give you some form of security for your website.

4. Use a reputable hosting company

Choosing a reliable hosting service that has numerous levels of security is something you should consider to keep your site safe.

It may sound appealing to choose a budget hosting provider; after all, saving money on website hosting allows you to spend it elsewhere in your company. This path, however, should not be taken. It can, and frequently does, lead to major headaches in the future. Your stored files could be wiped from your hosting server, and your url could start referring visitors to a different location.

When you pay a little more for a good hosting company, you get extra levels of security automatically applied to your website. Additionally, another advantage is that you may substantially speed up your WordPress site by choosing reliable WordPress hosting.

The internet is saturated with numerous hosting companies to choose from, WPEngine is one of our favourites. They offer a variety of security features, including regular virus scans and access to assistance 24 hours a day, 7 days a week, 365 days a year. Ionos (formally 1&1) is also another favourite of ours, offering SSL Certificates, DDoS protection, Auto backups and malware protection as options.

5. Stay away from nulled themes

Premium WordPress themes are way more professional looking and offer a truck load more customisation options than free themes. However, it may be argued that you get what you pay for. These premium WordPress themes are built by expert developers and are tested vigorously to pass many WordPress checks right out of the box. Customising your theme is completely unrestricted, and you’ll get full support if something goes wrong with your WordPress site. Most importantly, you’ll receive regular updates to your theme.

There are, however, a few websites that offer nulled or cracked themes. A nulled or cracked theme is a paid theme that has been hacked and made available through illicit means. They are also quite hazardous to your website. Those themes often contain hidden harmful code that could cause your website and database to crash or can even log your admin credentials.

While you might be tempted to save a few quid for your business by using nulled themes in the short term, you’ll most certainly pay the price down the road.

6. SSL certificate installation

SSL, or Secure Sockets Layer certificates, are now widely used for all types of websites. Initially, SSL was required to make a website safe for specific processes, such as payment processing. Today, however, Google has realised its significance and gives SSL-enabled websites a higher ranking in its search results.

SSL certificates are required for any site that handles sensitive data, such as passwords or credit card numbers. All data between the user’s web browser and your web server is transferred in plain text if you don’t have an SSL certificate. Hackers may be able to read this. Using an SSL encrypts important information before it is sent between their browser and your server, making it more difficult to read and increasing the security of your site.

The average SSL certificate pricing for websites that accept sensitive information is roughly £50-£150 per year.

7. Disable file editing function

While you are setting up your WordPress website, you will find a code editor option in your WordPress dashboard which allows you to edit your theme and plugins. It’s located in the dashboard menu under Appearance>Editor. You can also locate the code editor in Plugins>Editor.

We recommend that you turn off this function once your site is live. If hackers obtain access to your WordPress admin panel, they can infiltrate your theme and plugin with subtle, malicious code.

Often, the code is so subtle that you won’t realise anything is wrong until it’s too late.

Simply copy and paste the following code into your wp-config.php file to prevent plugin and theme editing.

Copy to Clipboard

8. Change your login URL

The address for logging into WordPress is “yoursite.com/wp-admin” by default. If you leave it as is, you risk being the victim of a brute force attack aimed at cracking your username/password combination. You may receive a large number of spam registrations if you allow users to register for subscription accounts. Change the admin login URL or add a security question to the register and login page to prevent this.

Changing your WordPress login URL does not require any financial investment. Using a reputable WordPress plugin can accomplish it for free.

You can also make the adjustment manually if you don’t like utilising plugins.

However, you should not do so.

You can screw up your site’s login page and potentially lose access to your WordPress dashboard unless you’re an experienced coder or WordPress expert who understands the risks of fiddling with code.

Using a trusted WordPress plugin to change your WordPress login URL is a less dangerous option. WPS Hide Login is a simple plugin that allows you to change the url of the login form page to whatever you want, quickly and safely. It doesn’t update or rename files in core, and it doesn’t add rewrite rules. It works on any WordPress website by intercepting page requests.

9. Limit the number of login attempts

WordPress allows users to try to log in as many times as they like by default. While this may if users have forgotten their password for your WordPress website, it also exposes you to brute force attacks.

By restricting the number of login attempts each user can try until they are temporarily blocked. You are also ensuring that any person attempting a brute force attack on your website is locked out before they can execute it.

A simple resolution to this issue is to use a plugin which restricts the number of login attempts per user. We recommend the free Limit Login Attempts Reloaded plugin. Limit Login Attempts Reloaded limits the number of times you can attempt to log in. By limiting the amount of login attempts that are available through the standard login, as well as XMLRPC, Woocommerce, and custom login pages, this plugin prevents brute-force assaults and improves site performance.

10. Hide your .htaccess and wp-config.php files

While hiding your site’s .htaccess and wp-config.php files to prevent hackers from accessing them can be a more technical task in regards to boosting your site’s security, it’s a smart practice if you’re serious about keeping your WordPress site secure.

It’s definitely worth asking experienced website developers to take care of this for you, as it’s critical to take a backup of your site first and proceed with caution. Any error could render your website inaccessible.

After you’ve made a backup, there are two things you need to perform to hide the files:

To begin, copy and paste the following code to your .htaccess file:

Copy to Clipboard

Secondly, to hide access to your wp-config file, copy and paste the following in to your wp-config.php file:

Copy to Clipboard

Although the process is straightforward, you should make sure you have a backup plan in place before you begin in case something goes wrong.

11. Enforce the use of ftp

For sites that install plugins frequently, preventing users from installing and upgrading plugins and themes might be restrictive and even impracticable. Furthermore, updating themes and plugins is critical for a site’s security. Forcing users to submit ‘FTP’ data is an alternate method of ensuring that the plugins are being installed by an authorised user. Hackers can’t install a rogue plugin without your FTP credentials, even if your Admin Panel is hacked.

To enforce the use of ftp for the installation and upgrade of themes and plugins, take the following steps.

Include the following line in your wp-config.php file:

Copy to Clipboard

Add the following line to the wp-config.php file if your web host or server supports FTPS:

Copy to Clipboard

Add the following line if your web host or server supports ‘SFTP’:

Copy to Clipboard


One of the most important aspects of a website is its security.

Hackers can easily attack your site if you don’t keep your WordPress security up to date. Maintaining the security of your website is simple and may be done for free. Some of these solutions listed are intended for experienced users, but if you have any questions, get in touch with the team here at eWebz.

Looking for WordPress security?

Share This Article, Choose Your Platform!

We hope you enjoyed reading this post.

If you would like our team to work for you, click here.

Leave A Comment

WP Rocket - WordPress Caching Plugin

Get 20% Off


Call Today
Call Today

Get 20% Off