Best WordPress Security Guide 2020: Secure your WordPress site

Home - WordPress Security - Best WordPress Security Guide 2020: Secure your WordPress site
wordpress security guide

Best WordPress Security Guide 2020: Secure your WordPress site

Among the most famous CMS (Content Management Systems) available in WordPress for a good reason. It is easier to use, you can build any kind of website with it, and thousands of WordPress themes and plugins are available for use with wordpress security guide. Because of this, then it is no surprise that over 35% of the entire websites in the internet get powered by WordPress.

However, there is a greater cost for this popularity. Most often, hackers target WordPress websites for their malicious activities. As per the findings of Sucuri, in 2018, WordPress had 90% of complete website cleanup requests. This was a 7% increase from 2017. Here we will  discuss about Website Security In this WordPress Security Guide!

From that, then one thing in to do list should be secure your WordPress site, if it is an online store, a business website, or a personal portfolio.

In regards to WordPress security guide, the users can be grouped into two: those who take security with all seriousness and implement safety measures, and those that hope this will hit their websites.

Security issues connected to websites are severe, and you can confirm that by visiting Internet Live Stats page. You will see the number of sites that get hacked every day.

wordpress security guide 2020

How to secure your wordpress website from hackers

Securing your WordPress website is essential. This WordPress Security guide will tell you all the necessary steps which you can take to strengthen your website's security. Here is the detailed list of all the steps which you can take to improve your website's security and protect your website from hackers-

1. Choose a Hosting Provider with Security Features

Investing in a hosting provider that establishes wordpress security best practices feature  is the starting step for secure WordPress website. Examples of security features are firewall, 24/7 security monitoring, and supporting the recent version of Apache, MySQL, and PHP.

In fact, you should try to select a hosting provider that offers daily backups and often malware scans. Also, you can search for hosting providers that use different DDOS prevention measures.

You should remember that your hosting provider is the first barrier that hackers break through to access your website. Thus, investing in a reliable and expensive hosting plan pays in the end. 

2. Create Strong Passwords

First of all we must have to know about how to protect your wordpress site. In this WordPress Security Guide you can learn our website Security tips. Firstly, ensure the passwords for your hosting account and secure your WordPress site .and improve security lowercase and uppercase letters. Besides that, you can utilize a password manager such as LastPass to make and store safe passwords on your behalf. 

3. Avoid the Admin Username

Some time back, WordPress used to create a default username like admin to its users. Unfortunately, most WP users did not change the name. In turn, the first target for hackers when launching a brute force attack is the username.

For this reason, you should avoid using the default admin username on your WordPress site. If you have been using WordPress for long, you may be using the same admin username. However, if your WordPress website installation is recent, then may be you created your own username.

In case you are using the default username, then make a new admin username. To do so, go to Users>> Add New. Choose a strong and unique username and password. Next, assign the role to the Administrator, and finally click the Add New User button.

After that, login to your WP admin dashboard using your new credentials, and then delete your older admin user. Also, ensure you have assigned all your content to your recent admin user prior to deleting the older one.

4. Post on Your Website Using an Editor or Contributor Account

To enhance step 3, you should create either an editor or a contributor account for adding new articles or posts on your website. As a result, it becomes difficult for hackers to run damage on your website because editors and contributors lacks the administrator rights, this improve wordpress security.

wordpress security guide

5. Have a Backup Plugin

Do you have a backup for your website? If not, you should start doing so.  In case something bad happens in your site, a backup system helps you restore your entire site.  Therefore, it is important to have a good backup plugin. Also read the complete list of WordPress security plugins.

Consider using a good plugin, such as UpdraftPlus to make a regular backup plan for your website. Also, remember to keep the backup files offsite to avoid infection of the files.with the help of this backup plugin you can improve wordpress security.

6. Tighten the Admin Area

To tighten the admin area, you should modify the default admin URL as well as limiting the number of failed login trials before one get locked out of your website.

Naturally, the appearance of your admin URL is All hackers know this, and thus try accessing this URL direct to access your website with ease.

However, you can use a plugin such as WPS Hide Login to change this URL.

wordpress security guide

To limit the number of unsuccessful login attempts, use the Login Lockdown Plugin.

7. Update Files

As stated earlier, outdated files are a security risk as they make your website vulnerable to other exploitations. Therefore, you should install updates within a short time after their release.

In addition, ensure you check your installed plugins often. Either deactivate or delete all plugins you no longer use/need.

8. Secure Your Computer

Are you wondering how your computer is connected your site? In case a virus infects your computer and you use it to upload files or access your website, it might be infected. You must:

  • Install an updated anti-virus software in your PC.Avoid accessing your website using public Wi-Fi networks.
  • Avoid accessing your website using public Wi-Fi networks.

9. Change the Prefix of Your Database

Similar to your Admin area, WordPress hackers understand that the prefix of your database is set to WP. Thus, guessing the table prefix is easier for them, as well as the use of automated SQL injections for accessing your website.

The process to change the database prefix is manual. The process involves the editing of your WP-config.php file, and the use of phpMyAdmin to change the table names. However, prior to implementing the change, ensure you have backed up your website. One of the best preventive measures.

To do so, login to your hosting account>> cPanel/ control panel>> File Manager>>WP-config.php file in your WordPress directory.

Here, look for the table prefix line that appears as $table_prefix= prefix table. Use your prefix (letters, underscores, and numbers) to substitute the default string.

For example $table_prefix= ‘hgwp_3456_’,

Next, exit the File Manager after editing the WP-config.php file, and then access your phpMyAdmin to change the table names. Since you need to edit 11 tables, doing so manually is tedious. Therefore, you can avoid the manual process by going to the SQL tab and input an SQL query.

After that, input this:

RENAME table 'wp_commentmeta' TO 'hgwp_3456_commentmeta';
RENAME table 'wp_comments' TO 'hgwp_3456_comments';
RENAME table 'wp_links' TO 'hgwp_3456_links';
RENAME table 'wp_options' TO 'hgwp_3456_options';
RENAME table 'wp_postmeta' TO 'hgwp_3456_postmeta';
RENAME table 'wp_posts' TO 'hgwp_3456_posts';
RENAME table 'wp_terms' TO 'hgwp_3456_terms';
RENAME table 'wp_termmeta' TO 'wp_a123456_termmeta';
RENAME table 'wp_term_relationships' TO 'hgwp_3456_term_relationships';
RENAME table 'wp_term_taxonomy' TO 'hgwp_3456_term_taxonomy';
RENAME table 'wp_usermeta' TO 'hgwp_3456_usermeta';
RENAME table 'wp_users' TO 'hgwp_3456_users';

The above query is supposed to change your entire database prefix. However, it is advisable you run another query to ensure any other file that uses old database prefix is up to date.

SELEC T * FROM ' hqwp_3456_options '  Where  'option_name ' LIKE  ' %wp_% '

In addition, you should look for the username and substitute any leftover prefixes using the new one:

SELEC T * FROM ' hqwp_3456_usermeta '  Where  'meta_key ' LIKE  ' %wp_% '

10. Tig​​​​hten Your .htaccess and wp-config.php Files

The most essential files in your WordPress installation are wp-config.php and .htaccess. Thus, you should ensure they are safe and protected.

To do so, add the following codes to your .htaccess file, out the #BEGIN WordPress and # END WordPress tags. This ensures your changes are not overwrites with every new update.

<files wp-config.php>
order allow , deny
deny from all

<Files .htaccess>
order allow , deny
deny from all

<Files wp-login.php>

order deny , allow
Deny from all

#allow access from my ip address
allow from


Furthermore, the snippets above protects your wp-config and .htacess, and limit user access to your wp-login.php screen.

To block PHP file execution, add the following snippet:

<Files * .php>

deny from all


11. Examine and Change the File Permissions

After securing your wp-config.php and .htaccess file, go ahead and examine the file permissions of files and folders of your WordPress site.

WordPress codex says that the permissions settings should be:

  • WP-config.php be 600.
  • All files be 640 or 644.
  • Directories be 750 or 755.

In case your settings are different, then hackers will find it easier to read and modify the content in your files and folders. As a result, your website and other websites using the same server can be hacked.

12. Apply the Two-Factor Authentication

You should set up a two-factor authentication for your WordPress website using an ideal plugin like Google Authenticator. Thus, apart from entering your password, you must enter a specific code generated by a mobile app for you to log in your website.

Besides that, this may stop brute-force attacks.

13. Disable XML-RPC

XML-RPC enables your website to start a connection with WordPress plugins like Jetpack and mobile apps.

By bad luck, it is a darling to WordPress hackers as they are able to abuse this protocol to implement various commands at once to access your website. To deactivate this feature, consider using a plugin such as Disable XML-RPC plugin.

14. Apply SSL And HTTPS

The benefits of HTTPS protocol and addition of SSL security certificates on your website is all over the internet in articles and blog posts.

HTTPS is abbreviation for Hypertext Transfer Protocol Secure. On the other hand, SSL is an abbreviation for Secure Socket Layers. HTTPS enables the browser of a visitor to start a safe connection with your server and website. In addition, the HTTPS protocol protection is through SSL. They both ensure there is encryption of information between your website and the browser of a visitor.

wordpress security guide

Therefore, the use of both HTTPS and SSL on your website enhances the security of your site, as well as your search engine ranking.  In addition, they create trust to your visitors, leading to increased conversion rate.

15. Use Your WordPress Dashboard to Disable Theme and Plugin Editing

​​​​​​​​The option of editing your theme and plugin files in your WordPress dashboard is important when you want to add a line of code within a short time. However, it means anyone person who logs in your website will access those files.

Thus, you must disable this feature through addition of this code to your WP-config.php file:

// Disallow file edit

define( 'DISALLOW_FILE_EDIT', true );

16. Migrate the WP-config.php file to a non-www directory

As started earlier, among the most essential files in your WordPress installation is the wp-config.php file. Therefore, our WordPress Security Guide advises make its access much harder by moving it to a non-www accessible directory.

For beginners, copy the contents of your wp-config.php file in a new file and then save it as wp-config.php.

After that, get back to your old wp-config.php file, and then add this line of code:



Finally, upload and save your new wp-config.php file in a different folder.

17. Change the Security Keys of your WordPress

To improve wordpress security keys,do the encryption of information kept in the user’s cookies. These keys are in the wp-config.php file, and they appear as below:

define ( 'AUTH_KEY' , 'put your unique phrase here' );

define ( 'SECURE_AUTH_KEY' ,  'put your unique phrase here' );

define ( 'LOGGED_IN_KEY' , 'put your unique phrase here' );

define ( 'NONCE_KEY' , 'put your unique phrase here' );

define ( 'AUTH_SALT' , 'put your unique phrase here' );

define ( 'SECURE_AUTH_SALT' , 'put your unique phrase here' );

define ( 'LOGGED_IN_SALT' , 'put your unique phrase here' );

define ( 'NONCE_SALT' , 'put your unique phrase here' );

To change these keys and make your website more secure, consider using the WordPress Salts Key Generator.

18. Deactivate Error Reporting

Error reporting is vital for troubleshooting and deciding the particular theme or plugin that is causing an error on your WP site. Nevertheless, after the system reports an error, it shows even your server path. Unfortunately, this is an ideal chance for hackers to know how and where to utilize the vulnerabilities in your website.

To avoid such, disable error reporting by adding this code on your wp-config.php file:

error_reporting (0);

@ini_set ( ‘display_errors’, );

19. Delete your WordPress Version Number

Anyone who views the code source of your site is capable of telling your WordPress version. Every WordPress version has public changelogs that detail all security patches and bugs. Thus, hackers can decide the security holes to utilize with ease.

<meta name= "generator" content = "WordPress 5.3" />

However, this has an easy fix. All you need to do is deleting your WordPress version number through editing of the functions.php file of your theme, followed by addition of this:

remove_action ( ' wp_head ' , ' wp_generator ' ) ;

20. Apply Security Headers

Another step in WordPress Security Guide is Implementation of security headers is also vital in protecting your WordPress website. The security headers get set at the server level to block hacking attacks. Moreover, to minimize the number of exploitations through security vulnerabilities.

In fact, you add the security headers by changing the functions.php file of your theme.

Here is how to do it:

  • Cookie with HTTP only and secure in WordPress

You can inform the browser to trust just the cookie set by the server, which is available over SSL channels. You need to add this:

@ini_set ( 'session.cookie_httponly' , true );

@ini_set ( 'session.cookie_secure' , true );

@ini_set ( 'session.use_only_cookies' , true );

  • Enforce HTTPS

To command the browser to use only HTTTPS, add this code:

header ( 'Strict-Transport-Security:max-age=31536000 ; includeSubdomains; preload' );

  • X-XSS-Protection And X-Content-Kind-Choices

To avoid XSS attacks and command Internet Explorer to avoid sniffing mime kinds, add these lines:

header ( 'X-XSS-Protection: 1; mode=block' );
header ( 'X-Content-Type-Options: nosniff' );

  • Iframe Clickjacking

To tell the browser not to provide a page in a frame, add this line: header (‘X-Frame-Options: SAMEORIGIN’);

  • Cross-Scripting Attacks

To whitelist-authorized styles, script, content, and other content sources, add this code:

header ( 'X-XSS-Protection: 1; mode=block' );
header ( 'Content-Security-Policy: default-src https:' );

This code prevents the browser from loading harmful files.

21. Avoid Hotlinking

Hotlinking involves another site using the URL of your site to directly point to a media file or image. Although not considered as a security breach, it is termed as theft.

For this reason, hotlinking may lead to unplanned costs, as you must deal with legal ramifications. Furthermore, your hosting bill can increase if the website that stole your image gets high traffic.

For those using Apache server, you can prevent hotlinking by add this code to your .htaccess file. After that, use you real domain name to substitute the dummy domain.

RewriteEngine on

RewriteCond  %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Alternatively, if you’re using NGINX servers, you’ll want to modify your config file with the following:

location ~ . (gif|png|jpe?g)$  {

valid_referers none blocked *;
if ($invalid_referer) {

return 403;

22. Log Out all Idle Users

This is one of the essential step in WordPress Security Guide. As means of enhancing the security of your site, you should log out all idle users after a duration of inactivity. You can automatically terminate all inactive sessions using a plugin such as Inactive Logout

This step is vital for all site owners. What can happen if you want to add a new blog post, then another task disrupts you? A hacker who then uses the chance to infect you website might hijack your session. In fact, you should terminate all inactive sessions if you many users on your website.


WordPress is both a popular and powerful CMS, which is easier for everyone to use in making a website. However, due to its popularity, it is a major target for hackers. By good luck, you can use the above tips to secure your WordPress website from attacks. This WordPress security guide will be helpful to secure your website.

In this WordPress Security Guide you can learn how to secure your WordPress Website from hackers!

Are you facing any WordPress security issues? Consult best WordPress Security Services by WordPress Support Agency.

If you have any comment, suggestion, or question, use our comments section.


Leave A Comment


Stay Connected: