26 WordPress Security tips for 2019

WordPress Security tips 2019

It is concluded that WordPress powers more than 28% of the websites on the internet. This figure alone makes WordPress such a popular target for hackers. And also so many e-commerce websites are also running through WordPress which makes it more appealing for hackers.

Considering the fact it is overly popular, Maintaining WordPress security is a major concern. And it should be updated to prevent hackers from destroying all your hard work, especially for the beginners on WordPress.

WordPress consists more than 56000 plugins with each one having the potential to open up additional vulnerabilities. These statistics might give you the impressions that WordPress is an unsecured platform.

But that would be incorrect. The team at WordPress consider this very sincerely. They have a precise process for controlling potential susceptibility.

you actually think you can handle all the WordPress security without getting bothered???

So I'll be sharing some WordPress security tips for beginners to keep your site from being compromised.

"At the end of the day, the goals are simple: Safety and Security."

1. Install a Security plugin

Most of the new users or beginners usually look for nice themes & other fascinating plugins like social media buttons etc. which only focuses on the appearance of the website. And forgets about security loopholes until they notice someone is trying to access their login page. WordPress offers a quality of option when it comes to security plugins & any beginner can easily install that.

If you haven't installed any security plugins yet, you should get a comprehensive plugin like Wordfence or All-in-one Wp Security. Which protects your site from malware, malicious login attempts at multiple access points.
If any of the plugins need to be updated or if it founds any security issue on your WordPress site, it will notify you. The security plugins are generally available in both free & paid options. But if you can afford premium version, you should consider upgrading to the premium option.

Some of the popular WordPress security plugins that I would recommend are :

  • Ithemes security pro plugin (takes the guesswork out of the WordPress security)
  • Wordfence Security (Firewall & Malware scan)
  • User activity log pro (Monitor your user activities)

These are some WordPress security plugins for WordPress website. You can always search for more; there are many. Such plugins will help you monitor every suspicious activity & protect your website by looking at any vulnerable areas.

2. Choose secure Hosting company for your website

You need to choose the right Web hosting company/provider and consider this very sincerely while looking for it. Because even if you take every precaution to secure your website from your end, there is a slender chance that a refined hacker or program (as in spam/virus) could access through your site and hack it.

This is how an unsecured hosting provider treats your visitors

A good web hosting will save you a lot of suffering. A user is entirely reliant on web hosting to keep their website online 24/7. So avoid using crooked hosting providers that promise you the realm. Now I will be sharing one of the best Hosting providers concerning security, money, support & performance value.
                (If you don't know how to set up a web hosting)

Bluehost - Bluehost is WordPress official best-recommended Hosting providers with many great and reliable services. It provides features like

  • Free custom E-mail
  • Auto updates
  • Free domain
  • Money back guarantee
  • 24/7 Support
  • Free SSL certificate (Know how to have an SSL certificate )


Strong uptime & load time with free site transfer. Also, it provides free domain name and also recommended by WordPress.org itself.


No options to pay monthly, Costly than most of the other hosting providers.

Wp-engine WP-engine claims to be a WordPress specialist, and most of the part is true. Their staff or support system know the platform very well and is also available most of the time. They can answer your queries at any time, especially during business hours.


Unlimited monthly data transfer, Daily backups, Malware scanning, and removal with every plan, custom plans


Slight expensive, limited customer support and services.

 3. Set Up Two-Factor Authentication

Use two-factor authentication to steadily login with two different components. It prevents the brute force attacks which are the most common hack attempts in WordPress.
In simple words, if a hacker tries to access your site through many different username & password combinations.
And if some smart hacker somehow manages to access/hacked your website, it might be possible that you won't be able to restore your website's functionality using a backup. This may sound absurd, but it happens.

To enhance your WordPress security more, you should use two-factor authentication. That using 'Admin' as the username, as it makes it easier to access & it used very frequently. Beginners tend to have this problem more often as in the dawn they mostly think about appearance rather than the security loopholes.

Strong username and password are also not enough. You should use WordPress security plugins like Itheme plugin or Google Authenticator app. So that each time you try to log in you will receive a unique authentication code that you will need to input after you insert the correct username and password.

IThemes is also a free security plugin that provides users with over 30 unique ways of protecting their websites and increasing their online security. Itheme plugin pro secures your website after limited incorrect login attempts & ban user even to try again and comes with more additional features.

4. Get plugins from Recognized resources only

One of the great edge of using the WordPress that it has the colossal retail of plugins. WordPress has 56,016 plugins in its storehouse, which is massive. But can you actually purchase things from all these marketplaces? NO, because that would be an unfortunate decision. Because on the one hand, you get these overriding themes from trusted as well as certified developers. And on the other side, there are some who just try to make easy money. When you try to buy any plugins from these websites, it might be possible that you are getting something useful or nothing or maybe even worse.

Always remember to trust only known or reliable marketplace to purchase or even it is for free, it is always necessary to check support, comment & the developers. Because the plugin may come as a trojan for your website & discard the functionality of your website.

 5. Keep Your WordPress Website Updated

Keep your WordPress updated. These updates are crucial for the security and stability of your WordPress site. If you are managing your own website/blog, there are specific tasks need to be done regarding WordPress security.

WordPress comes with constant updates, as soon as it finds a security bug or wants to modify/add features. If you are using an outdated version of WordPress, plugin or themes, there is a chance that your website might not be safe.
But before updating keep in mind to Run your backup first, this is important because it allows you to restore your WordPress site if the update might not be compatible or need to be fixed.

You might have installed themes and plugins too on your website, these plugins are released by third-party developers and comes with regular updates as well.
Unless the version details specifically say Security update, you should wait one full week before updating the plugin. In this time, all errors usually get caught, reported, and fixed.

I know these update notifications might be irritating sometimes but consider them seriously & update it. Setting automatic updates is quite easy, but compatibility issues can give you problems. Hence we suggest you to keep updating your WordPress website manually.

6. WordPress Malware

In March 2016, Google reported that over 50 million website users have been receiving warnings that websites visited were either trying to steal data or install malicious software. Google currently blacklists/close ~20000 websites a week for malware and ~50000 a week for phishing.

Malware is an umbrella term used to refer to a variety of forms of hostile or intrusive software, including computer viruses, worms, Trojan horses, spyware, adware, and other malicious programs.

Malware is often disguised as, or embedded in non-malicious files.

The top reasons for hacking to take the site down are to use the site as spam, SEO spam, and malicious redirects. Some basic rules to avoid this are:

  • Review who is an admin on your site
  • Always upgrade WordPress to latest non-beta version-You can see the current version on the desktop, and you also get notifies to upgrade to a newer version
  • Delete or move any old themes (these can be hacked too)
  • Closely monitor comments or turn it off
  • Use a 3rd party forms application that is hosted off-site.
  • Use malware toolbox.

You can always use plugins to help you out:

  • Wordfence Security- Firewall and Malware Scan
  • Sucuri –Website Security, CDN, DDoS Protection
  • Anti-Malware Security and Brute Force Firewall.

7. Set up SSL and HTTPS

SSL (Secure Sockets Layer) encryption will keep sensitive information from being captured. SSL is the protocol used to secure and encrypt communications between computers.

It basically encrypts whatever communication happens between your website visitor and your website.

SSL certificate is majorly required if you are going to receive or take any kind of payments for anything you sell directly on your website. This will help you securely run your website as well as, SEO benefits that Google has said if you are running your site on an SSL Secure Connection.

Google made it clear to mark SSL lacking websites as insecure officially. It could decrease the time consumers spend on the site, the bounce rate and click rate on the SERPs. All of these aspects would contribute to reduced Search engine rankings.

You can contact your web host and basically say I need to add an SSL certificate on my website, most of them provide this for free but some web host like to ask for money, but I’m sure it is worth every penny.(it should be free if your host has something called let’s encrypt)

Why you need SSL??

  • You are accepting transmitting information, such as credit card details and need to keep them safe
  • If you want to show your visitors secure logins and signups on your website
  • Want your users to trust your website
  • You have an e-commerce website and need to make it secure for your customer to trust and buy.

How do I install an SSL Certificate??

  • Host with dedicated IP. To implement the best security, The SSL certificate requires your website to have its own dedicated IP address.
  • Buy a certificate
  • Activate the certificate
  • Install the certificate
  • Update your site to use HTTPS

8. Assign Appropriate roles for Users

If you want to take your WordPress to the next level, for example, you want to add authors, contributors, members, editor, and contributors to add or submit content.

But you also want to give them a limited amount of permissions that will facilitate them to do their respective job only. And avoiding the possibility of them, doing any type of harm to your website.

Just go to the Dashboard<Users<Add New User, Now a form will appear to add the user.

If you scroll through, you will see a role button will appear where you can assign a specific role to the user (for ex-subscriber, participant, Moderator, author, contributor etc.)

You can also create custom User roles on your WordPress site

Make sure to take advantage of the user roles and give a thought about how you can get many users involved in your site to keep your site up.

9. Remove\Delete Inactive Plugins and themes

This is a little-noted WordPress security tweak that all WordPress user should be doing, it is very easy to use & it protects your site from potential hackers.

Some people might not know, but even if your old plugin/theme are deactivated and if they have security vulnerabilities, a hacker may still get access to them and eventually access to your website.

So you want to make sure to delete inactive themes and plugin.

To do this, Go to Dashboard<appearance<themes on the next page you can see various themes where you can also see deactivated themes.

To delete a theme, just click on theme details, and you will then see a small delete link in the bottom right to delete. There is no mark and delete option you have to go through each one.

To delete a plugin you can have to do almost the same. Go to Dashboard<plugins<installed plugins.

There you can see all the updates available for your plugins and also the Inactive once (Upper brackets).

Click the checkbox, and select bulk actions menu choose to delete and apply, on the next page list the plugins you are removing and choose Yes, delete these files and data options and update the other plugins as well.

Just delete the inactive ones because they potentially have security vulnerabilities sooner or later.

10. back-up often

Let’s say

you keep modifying your site, and one day suddenly it stops working.

What do you do in the situation?

How do you recover your site?

If you have a back-up and you restored it again, your site will be working exactly as it was when making the backup.

So I highly recommend you to back up your website. “So that you never lose your work.”

You can also use auto-backup so that you don’t have to backup manually. You can also choose many options to choose where to store your site’s backup (Dropbox, Google Drive etc.)

“Backups are your website insurance”

Back-up can be expressed as saving a copy of your website on a particular date. To back up your site, you need to:

  • Install and activate a backup plugin (know how to configure Updraft plus)
  • Under the plugin options, click settings<backup now(default way to use most plugins). Make sure all the options in the dialogue box are selected and click backup. (after that you have taken a backup)
  • Go to the existing backup options in the backup plugin settings to see your backup and restore it.

What if ​​​​my site is crashed?

  • Remove the old WordPress installation
  • Install fresh WordPress on the same domain
  • Restore the files using drive (or wherever you stored your site’s backup)

11. hide or remove wordpress version number

Having this particular information publicly available makes it easy for attackers to misuse any known vulnerabilities in a specific version.
To remove the WordPress version number add the following function to your theme functions.php file or Use the Code Snippets plugin and add the code as a snippet.

function wpversion_remove_version() {
return '';
add_filter('the_generator', 'wpversion_remove_version');

12. Limit login attempts

The easiest way to stop a hacker attempting to guess your username and password is to use a plugin that limits the number of login attempts.

Also, we recommend changing your administrator username to something other than Admin.

You need to install and activate the plugin for login lockdown (Wp Limit Login Attempts).

After that, you need to visit Settings<Login Lockdown (plugin installed) Page to configure the plugin settings.

You can then define how many login attempts can be made. You can also lockout Specific IP address and more.

By default settings, WordPress lets the user know whether they entered an invalid user id or password, you can also hide this by clicking yes under mask login errors option.

Remember to check the update settings button to store your changes.

13. Only give access to the people you trust

This is a fundamental thing to know about, but don’t let any intruder burst into your admin account with full access.

I know we trust a lot of people, but a lot of damage can be done in a short period.

Remember to delete support user account, whom you have given access to your site that is no longer needed.

Assign limited user access and create a new username and password for them.

Remember providing too much user access is also risky.

14. pre-login CAPTCHA

Captchas aim to block spam and attacks, protect sensitive information and restrain access to vital features of your website.

captcha isn’t very much of full security, but it helps to enhance your site’s safety and user experience.

  • To add Captcha, you need to install and activate All-in-One WP security & Firewall plugin. (many other options are available as well)
  • Under the Wp Security menu select Brute Force.
  • Select Login captcha from the top menu
  • Put a checkmark next to the option where it says Enable Captcha on the Login page
  • Click the Save settings button.

And you’re done here, log out and log in again to test the feature.

Many other plugin options are available as well to install captcha on your website.

15. lockout specific IP address

There are many reasons you might want to do this, but typically it is to keep away those who want to access or harm your site.

WordPress saves the IP addresses of users that leave a comment on your website. You can easily see their IP address in the comments section under the Dashboard menu.

To completely block a specific IP address from even accessing your website from hacking attempts and DDOS attacks.

Just log in to the cPanel dashboard of your hosting account. Then scroll down the security section and click on the IP Deny manager. 

Now an IP address denies manager toolbox will appear here you can add the IP address you want to block.

You can add a single IP address or an IP range then click on the add button.

To block/unblock an IP address anytime you can come back to the same page.

16. hide the login page uRL

Why should you hide your login page?

Well, if your site allows basic user login, malicious login attempts and brute force attacks are certain. Hackers basically try to guess your username and password over and over.

To hide the login page, go to the Dashboard<plugin<add new, and search for WPS hide login. Install and activate it.

Once activated go to Dashboard<settings<general. Scroll down where WPS hide login option is available.

Under the login, URL tab changes the login page as of how you want it and go to save changes and you are done.

Logout and login again with new URL to check.

17. Disable info in wordpress login error message

Here you can see, login error clearly displays that the username is correct, so the only problem left is to guess the password. Which makes it for hackers.

The login error message should be like:

You can do that using login_errors filter hook.


function login_error_message($error){   
//check if that's the error you are looking for   
$pos =  strpos($error, 'incorrect');   
 if (is_int($pos)) {  
  //its the right error so you can overwrite it      
  $error = "Wrong information";
   return $error;

Just paste this code in my themes' functions.php file without changing anything with the .po file.

There are also some plugins available to simplify this task.

18. Add security keys and salts

WordPress keys and salts introduced in ver. 2.6. These play an essential role in securing site cookies and preventing hackers from accessing your site.

Security keys are made up of four authentication keys(i.e., AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY) and four hashing salts(AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT).

You can add and configure them in the wp-config.php file

By default WordPress automatically generates these like:

The advantage of these keys is that by deleting or resetting them, WordPress admin can force all logged in users

You can configure the keys like this or as you like it to be.

19. Use latest PHP Version

This is often something WordPress users should know if they want to speed up their website or to make sure that their website is not running on a really old version of PHP.

You need a cPanel (the majority of  hosting platform use this)

All you need to do is log in to cPanel for your hosting plan and then scroll down to the PHP version manager and click on it. And then click into the domain that you want to edit the PHP version on.

Now you can see a list of PHP versions. Just check mark the version you want to upgrade to and click on save button.

Keep in mind before updating your PHP version, make sure that your website is compatible with the new version of PHP. You either duplicate your website on a domain that’s not public and then upgrade the PHP version and see if anything breaks (switch back to the old ver) or if it works okay you can improve the PHP version on your main website.

Whatever you do regarding upgrade remember to make a full-backup your website.

20. Disable Directory Browsing

If you type your websites address/WP-includes. Do you see a bunch of files that look like this

If yes that means directory browsing is enabled on your website it also means that hackers can easily take benefit of those files to look around the structure of your website.

On a security standpoint, no one wants that.

To disable this, you need to go to cPanel<filemanager<.htaccess click on edit, then a new file will open. Go ahead and copy everything and save it elsewhere so if you may need it later you can revert it.

Go back to cPanel, go all the way to the end of the file and on a new line type Options All –Indexes save the file from the upper right corner.

Now if you search again (websites address/WP-includes), you will see an error message as No result found.

21. disable theme and plugin editor

Malicious hackers usually start a brute force attack against a WordPress website, and if they guessed your password of the WordPress admin account.

They can log in to the WordPress dashboard from where they can use the theme and plugin editor to access and modify the files of your activated theme or plugin accordingly.

To avoid this open your wp-config.php file and paste the following:

{code type=php}

22. change your wordpress database table prefix

Why change the WordPress table prefix??

This way, if an attacker has access to your site’s database via SQL injection, you can prevent them from accessing your data by renaming your tables to some unique prefix.

Before changing it is highly recommended that you create a full backup of your WordPress database.

Now, open up your wp-config.php file, scroll down till you find table prefix line, i.e. $table_prefix = ‘wp_’; and replace the wp_ with something random like ‘my_.’

Remember you are only allowed to use letters, underscores, and numbers.

Now, Go to the WordPress database through phpmyadmin and rename all of the table prefixes to the one specified in the wp-config.php file. There is a total of 12 default tables. Run SQL command from MySQL manager and use these commands to make changes faster.

To minimize the risk, it is a great idea to rename all your database table that begin with the default prefix to something random

Renaming the Wp_fields in database

Aside from tables, there are two more options (my_options and my_usermeta) by default that has a name that starts with wp_.

Use the following queries; you can change the prefix of those fields containing a wp_ prefix.

UPDATE `my_options` SET `option_name`=REPLACE(`option_name`,'wp_','my_') WHERE `option_name` LIKE '%wp_%';

UPDATE `my_usermeta` SET `meta_key`=REPLACE(`meta_key`,'wp_','my_') WHERE `meta_key` LIKE '%wp_%';

If you don’t want to go through all this stuff, you can always install the plugin for straight features. But more the plugins are, more vulnerabilities your site will face.

23. Disable PHP error reporting

The PHP errors indicate the correct path where they occur. If a hacker finds these errors, then he might be able to get an idea about your directory structure and other useful paths for their own. Error information is always helpful for a hacker, so it is better to disable error reporting from your website.

To turn off or disable PHP errors, open wp-config Scroll down to

  • define('WP_DEBUG', true);

It might be possible, that this line is already set to false. Then you will see the code like this

  • define('WP_DEBUG', false);

In both cases, you need to replace the line with the following code:

  • ini_set('display_errors','Off');
  • ini_set('error_reporting', E_ALL );
  • define('WP_DEBUG', false);
  • define('WP_DEBUG_DISPLAY', false);

24. Prevent hotlinking

Each time someone views a hot-linked image on a different website, it is still loading from your server. This also means that they are consuming your bandwidth without even visiting your site. That makes your site slow.

By entering the text written below in the .htaccessfile, you can prevent hotlinking to your website.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?emysite.com/.*$
RewriteRule \.(gif|jpg)$ http://www.mysite.com/hotlink.gif [R,L]

In the example above, replace ‘mysite.com’ to your website’s URL. This leads to any hotlinked image to fail to load. You can replace the line to point to any image you want to. This image should describe that got linking is disabled on your server.

25. dDoS protection

The DDoS attack is equal to tons of fake customers to gather on a traditional shop at the same time. These types of attacks don’t usually harm your website but will simply take your site down.

To simply prevent this:

  • Update Passwords, plugins and logins
  • Disable PHP error reporting
  • Prevent brute force attacks
  • Change the login error message
  • Use security plugins

26. Disable Script Injection

To prevent script injection simply copy the code below to your .htaccess file

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

27. disable XML-RPC in wordPress

The XML-RPC is used as an intranet notification system for WordPress. It is now usually work in a way to remote post to WordPress from mobile. And also it allows the application to pass multiple commands within one HTTP request.

In short, This kind of attack doesn’t get caught by any limit login attempts filter, as it only uses a single HTTP request.

To disable this simply rename the default XML-RPC.php file to something else.

Overall, it may be said...

It is a complex task to ensure your WordPress security completely with a little or no specialized knowledge. But these tips include impressive and smooth ways to minimize the potential risk of cyber attacks or data breach.

Following these security practices will help you ensure to keep your website up-to-date and increase the overall security of your website.
Getting hacked is disastrous. To keep preventing this from happening, You need to keep reviewing and update your security plugins or other measures periodically.

Leave A Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.