Uptime Web Solution

Top 15 WordPress Site Security Tips


If your online business depends on a WordPress site, it’s crucial to keep that site secure. After all, you don’t just want people to access your site you want them to be able to buy from it without losing their credit card numbers or seeing the pages crash. With that in mind, here are 15 WordPress security tips that will help you create a secure and stable website for your business:

1. Don’t Use The “Admin” Username

  • Avoid using the default username for your WordPress installation.
  • Make sure you use a strong password and keep it a secret!
  • Use a password manager to generate strong passwords and store them securely.
  • If you ever get locked out of your account, don’t use the “admin” username to recover it!

2. Use Strong Passwords

Passwords are the first line of defense against hackers and should be strong. When creating a password, consider using a combination of upper and lowercase letters, numbers, and special characters. The longer your password is (at least 12 characters), the better it will be at protecting your site from hackers who have stolen database information from other sites and use it to try out millions of combinations to gain access to WordPress sites with weak passwords that match their database information.

It can be difficult for some people to remember complex passwords like these every day especially if they’re using different ones for each site or service! This is why it’s important not just that you have strong passwords on each site but also that you don’t use any single one on multiple sites or services without changing them regularly. If possible, use different variations of one strong password across all accounts so that if someone does manage to crack one account’s security system they won’t find another identical one waiting for them down the road somewhere else too!

3. Use A Security Plugin

The first step is to install a security plugin. You can find hundreds of options to choose from, but it’s best to go with the most popular ones like Word Fence or Sucuri.

Once you’ve installed the plugin, activate it and enable its security features by checking the settings in your WordPress dashboard.

After this, update your plugins regularly to make sure they’re up-to-date and running smoothly. If you’re using a premium version of one of these plugins, know that you may need an upgrade as well (usually for $50-$100/year).

If you don’t think this plugin will work for your site or if there’s something else holding back malware attacks on your website like poor coding practices you should delete this plugin altogether and move on to another option until you figure out what’s causing all those issues in the first place!

4. Keep WordPress Core, Themes, and Plugins Updated

  • WordPress core, themes, and plugins should be updated regularly.
  • WordPress core, themes, and plugins should be updated to the latest version.
  • WordPress core, themes, and plugins should be updated to the latest stable version.
  • WordPress core, themes, and plugins should be updated to the latest minor version.

5. Add Two-Factor Authentication to Your Site

Adding two-factor authentication to your site will give you an extra layer of security. The use of this added security measure can be beneficial to anyone looking to prevent unauthorized access to their WordPress site, as well as protect their data if they are using a shared hosting server.

To add two-factor authentication, click the ‘Tools’ menu in the dashboard and then select ‘Security’. From here scroll down until you see Two Factor Authentication (2FA) settings and click it. You will now be taken to a page where you can enable 2FA for your site. Click Enable 2FA on This Site and follow the instructions provided by WordPress for setting up an authenticator app on your phone for Google Authenticator or another popular app such as Duo Mobile or Authy.

6. Limit Login Attempts

It’s important to limit the number of attempts a user can make to log in. This helps prevent brute-force attacks and keeps your site secure by reducing the amount of time an attacker has access to your server. WordPress, Cpanel, Plesk, Webmin, and Softaculous all allow you to set up a limit on how many times a user can attempt to log into their account. To set up this security feature on WordPress:

  • Log into your website via FTP as an administrator.
  • Navigate to wp-admin/options-general.php and then scroll down until you find the “Require Password Reprompt” option under the Security heading.
  • Set Require Password Reprompt option equal to 1 (i.e., checked).

7. Disable File Editing In WordPress Dashboard

Allowing users to edit files in your WordPress dashboard is a security nightmare. Hackers can hide malicious code in the files that you allow users to edit and then use it to execute their code on your site.

To prevent this, you should disable file editing in four different places:

  • File editing in WordPress dashboard (wp-admin) to disable file editing, go to Settings > Writing and make sure that “Display error messages from other plugins” is unchecked. If it’s checked, make sure that there aren’t any errors or warnings being shown as this may be an indication of a security exploit present elsewhere on your website. If these options don’t exist for you, then update the version of WordPress that runs on your site or install a plugin like Disable Edit Files or Disable File Editing.
  • File editing within wp-includes/js/TinyMCE directory – To prevent hackers from adding malicious JavaScript scripts into the wp-includes/js/TinyMCE directory via PHP exploits (which they could do by uploading them as image files), we recommend disabling image uploads altogether by disabling attachments under Settings > Media > Attachment Display and set “Enable multi-file upload” option to No Multipart Uploads Only’.

8. Use A CDN and Server-Side Caching

CDNs (Content Delivery Networks) are a way to speed up the loading of web content, especially images and other media files. With server-side caching, you can store some files on your server so they don’t have to be re-downloaded each time they are viewed. For example, if someone visits your website for the first time and downloads an image file, it will be stored locally for later use. When that same visitor returns to your site, he won’t need to download that image again it will already be in his browser cache! This speeds up page load times significantly because it reduces how often your web host has to send files across their network connection (and thus lowers bandwidth costs).

9. Monitor Your Site

  • Monitor Your Site For Hacks And Restore The Backup Immediately If You Find One.

If you are looking for hacked sites, Google has a tool that can find them. Just enter your domain name and you will see all the places where search engines show your URL as spam links or pages with malicious code on them.

That is why it is important to monitor your site for hacks and restore the backup immediately if you find one. The sooner you restore it, the more likely it is that Google won’t take too much notice of the hack because there isn’t much time between when it happened and when you restored it.

10. Restrict Access to WP-Admin

The wp-admin folder is where you’ll find all your WordPress files. It’s important to make sure that only people who should be able to access it, do so. There are two methods for doing this:

  • Use the .htaccess file or a plugin.
  • Use a security plugin

11. Scan for Malicious Files

Scan your site using antivirus software. As stated above, it’s a good idea to scan your site for malicious files on at least a weekly basis. You can do this by installing an antivirus plugin onto your WordPress website and running a scan from there. Of course, the downside of this is that some antivirus software will slow down your hosting speeds so much that it becomes unusable (I know because I had this problem when I first started). If you want an alternative solution that doesn’t involve slowing down hosting speeds, try scanning with Sucuri Security instead! They offer both an antivirus plugin as well as a service to manage any issues that might arise with security on your WordPress website.

12. Use the Latest Version of PHP

If you’re using PHP, make sure you have the latest version. The current release is PHP 5.6 or 7.0, but we recommend using 5.6 since it was released in 2014 and has a more stable code base than 7.0, which was released just last year.

13. Delete Unused WordPress Themes and Plugins

Delete Unused WordPress Themes and Plugins from Server Regularly

It is always a good idea to delete unused themes. Since WordPress is open-source software, there are a lot of free themes available on the web. Some website owners install these free themes just to try them out, but they never use them again. In this case, you should remove these unused themes from your server regularly.

If you have installed many plugins on your website or if you have added lots of widgets in your sidebar widget area using the default settings, then it may be possible that some of these plugins or widgets are not getting used by anyone at all including yourself! In such cases also it makes sense to remove those unused plugins/widgets from your site because they will consume valuable resources like memory space as well as CPU cycles without offering any additional benefits like increased traffic etc, which can reduce its performance considerably.

14. Notify Hosting Provider about Known Vulnerabilities on Server

If you are on shared hosting, notify your hosting provider about known vulnerabilities on the server so that they can apply necessary fixes fast.

15.These Simple Steps can Help you Protect your WordPress site from Hackers and Spammers
  • Create a strong password.
  • Install a WordPress security plugin such as Wordfence or Sucuri (both free).
  • Update your core themes and plugins regularly.
  • Use two-factor authentication to your site (if possible).
  • Limit login attempts on your WordPress site so that hackers can’t brute force their way in overtime by guessing passwords.
  • If you need to allow users to edit files via FTP, make sure you have disabled file editing in the WordPress dashboard first.


Implementing these 15 WordPress security tips is a great start to securing your website. However, it’s not uncommon for some websites to require extra security. For example, membership sites will need to securely manage user details and password hashes. It’s always best practice to keep up to date with the latest security patches and make sure your site is updated regularly.