Isn’t WordPress CMS Secured enough?

The answer is YES, but if you do not maintain your WordPress security, you may lose your website forever.

WordPress security is a subject of great attention for every website organizer. Every day, Google blacklists thousands of websites for malware and phishing. If you seriously want to protect your WordPress website, then you may need to pay close attention to this WordPress Security Guide.

In this article, we will help you defend your website against hackers and malware by keeping best security.

wordpress security ultimate guide 2017

While WordPress CMS is secure enough, and updated regularly by a team of dedicated developers, but there is a lot that need to be done to improve your WordPress website security.

We write this step by step guide to help you improve your WordPress security. There is a lot that you can do to improve your WordPress security even if you are not a technical IT person.

We divide WordPress security in to 3 levels to help you navigate easily through our step by step WordPress security guide.


Basic tips on how to secure WordPress website from hackers

WordPress Security step by step for beginners

WordPress Security Advance Level

Why WordPress Security is Necessary?

Using best security measures you can reduce chances of being hacked, as there is no such thing like full proof security.

It also possible, that your competitor hire someone to hack your website, and bring your business down.

Last but not least, you may find yourself paying ransom to hackers just to recover your website.

wordpress security

Adding Malware to website to steal the data or interrupt the competitors business is not a new method. From 1988 till date there are overall 1.7 billion malwares created by different hackers.

Every week, Google blacklists approx. 20,000 malware infected websites and block around 50,000 for phishing.

If you are doing business and getting leads from your website as well, then you may need to pay more concentration to your website security.

Keep WordPress Version Updated

WordPress Version Updates

WordPress is open source CMS which is frequently managed and updated by team of dedicated WordPress Developers. It installs minor updates by default. For new releases and version updates, you need to do it manually.

There are thousands of free plugins and themes that you can install on your WordPress website. These free and paid plugins and themes are maintained by their authors and release updated versions.

These updates are important for the security of your WordPress website. So, always keep your WordPress CMS and Plugins up to date.

Strong Passwords and User Permissions

strong wordpress password

Using common username and password is the simplest method to hack WordPress. So always use unique username and strong passwords. Not just for WordPress Dashboard, but for all of your online accounts.

Keeping so many unique passwords for each account is serious trouble and it is difficult to remember all of them, that is why many people don’t like to keep strong and unique passwords. So keep these passwords somewhere safe in your computer in a text file.

Do not give your WordPress admin panel control with full access to any one unless you absolutely trust them. Also, try to learn and understand user roles and permission in WordPress user tab before adding new users.

Use Secure Web Hosting

Your web hosting service performs the vital role in the security of your WordPress website. A great hosting provider such as Hostgator or BlueHost provides extraordinary security measures to protect their users.

Benefits of Using SSL

SSL or “secure sockets layer” provides a secure connection between web browser and server and encrypts data so no one can steal your credit card or any other type of confidential information over the internet. Some of the main advantages of using SSL are:

  • Encrypts Information
  • Best Security against phishing attacks
  • Better Search Engine Ranking
  • Customer Trust

WordPress Security step by step for beginners

We know that improving WordPress security can be a horrible thought for beginners. But, keep in mind that each hour 30,000 WordPress websites are being attacked. So, follow this guide for beter WordPress security and to avoid being victim of brute force attack.

This guide will help you keep your WordPress website secure with simple and practical methods that anyone can implement without writing a single line of code.

Install WordPress Backup Plugin

wordpress backup

One of the best tips to defend against any WordPress attack is to keep backups of your WordPress website. Remember, nothing is 100% secure. If highly confidential websites can be hacked, so does yours.

Taking backup of your WordPress website is important, because if something bad happens to your website you can quickly restore it using backup.

You can use any type of free or paid WordPress plugin for taking backup. But most importantly your backup files should not be kept on the same server where your website is hosted. It should be stored on a remote and reliable place such as Dropbox.

Our recommended wordpress backup plugins are:

They all are stable, safe and generally easy to use plugins for any WordPress website.

Best WordPress Security Plugins

Nowadays, with rising number of hacking attacks, it is compulsory to have some extra security in your WordPress website. For users who don’t know how to code, using WordPress security plugins are the easiest way to protect their website. Some of them are free, reliable and easily accessible.

WordPress security plugins keep tracking your website and help to reduce the possibility of your website being attacked or hacked.

At Digital Pixels, we recommend some of the best WordPress security plugins that can be used to keep your website secured and fast:


Wordfence security plugin is used in millions of website with rating of 4.8 out of 5. It is one of the best security plugin used by WordPress. Wordfence is used for login authentication, security scanning and suspicious IP blocking. This plugin is also best for previously infected site, you can use it remove malwares and infected files.

If you want use some of the advance features provided by Wordfence you can use the premium version.

Sucuri Security

Sucuri is also a free plugin that is available for WordPress security with users rating of 4.5 out of 5 stars. You can use Sucuri for Security Activity Audit Logging, Security File Integrity Monitoring, Remote Malware Scanning, Security Blacklist Monitoring, Post-Hack Security Actions and Security Notifications.

All In One WP Security & Firewall

All In One WP Security & Firewall plugin is easy to use, reliable and most authentic security plugin for WordPress. This plugin will take your website security to whole new level by protecting your site against “Brute Force Login Attack”.

By activating extra security options, you can increase your security of you website.

BulletProof Security

It is not possible to write down complete list of features provided by BulletProof security plugin, but some of them are:

  • One Click Setup
  • Login Security
  • Database Security and Backups
  • Security Alerts via Email
  • Hidden Plugin Folders

For extra security you can also buy a premium version of this plugin which will provide outstanding security for your website.

WordPress Security Advance Level

If you apply everything to your WordPress site that we have specified above, then your website is secure enough.

But there is always room for improvement.

Some of these advance level steps need WordPress Core Files and Coding knowledge.

Change default WordPress Username

Up till WordPress version 3.0, “admin” was the default username used for WordPress Admin Panel. This default username make it simpler for hackers to perform “brute force attacks”.

But now WordPress add new options and requires you to select a unique and custom username at the time of WordPress installation.

WordPress do not allow you to change usernames once you select, but still you can username by following methods:

  • Add new user with unique username and delete the previous one.
  • Use Username Changer for changing username.
  • Update username in Database using phpMyAdmin

Note: Soon I write detailed articles on how to change your default WordPress username.

Disable WordPress File Editor

WordPress file editor is a great tool specifically for small changes in CSS file, but if you or one of your authors is not code expert might create a big trouble for you. By default WordPress users can mess with theme and plugins files, which is a big security risk that is why we suggest you turn it off.

But that’s not only the case, WordPress file editor is a gateway for hackers. Let suppose, your website is hacked and now hackers have full access to your WordPress website. Where would they go achieve their target? Obviously… the WordPress file editor. The WordPress file editor will permit them to run malicious scripts, upload harmful files, steal your users or client’s emails, access your database etc.

Disable WordPress File Editor

You can disable WordPress file editor by simply adding the following code in your wp-config.php file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Disable PHP File Execution in Specific WordPress Directories

Sometimes the reason behind hacked WordPress websites is usually the backdoor files. A simple method to improve and upgrade your WordPress website security is by disabling PHP files execution.
Create “.htaccess” file and paste this piece of code in it:

<Files *.php>
deny from all

Now upload this file using FTP on following directories:

Disable Directory Browsing in WordPress

By default every web server has directory browsing enabled. This means that everyone can check directory structure of your website. Hackers can also find potential information easily.
You can disable directory browsing in WordPress by opening a text editor like Notepad and paste this code:
Options -Indexes
Next, name this file as “.htaccess” and click save, after saving upload it to following directories on your website using FTP.

Restrict and Limit Login Attempts

By default, there is no restriction on login attempts in WordPress site, users can try as many time as they want. Limiting failed login attempts not only stops brute force attacks on your website but it also helps you identify IPs that needs to be blocked.
However, to protect your login page from brute force attacks and failed login attempts you just need to install and activate Limit Login Attempts
After installing and activating this plugin, go to Settings » Limit Login Attempts to adjust settings.

limit login attempts settings
Note: check above image and apply this setting.

Disable Unauthorized External Access to .htaccess File

.htaccess file is used for reshaping website functionality and performance. Protecting .htaccess files is most important to protect and maintain your website. Luckily, disabling access to your .htaccess files is very easy, simply add following code to your .htaccess file:

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Secure wp-config.php (WordPress Configuration) File

Protecting wp-config.php file in WordPress root directory is most important for your website security. This file contains very confidential information of your website, such as the WordPress database and how to connect to it and WordPress security keys. To disable unathorized access to your wp-config.php file, simply put this code in your root directory .htaccess file:

<files wp-config.php>
order allow,deny
deny from all

Protect Your WordPress Login Screen from Unauthorized IP

If you check WordPress core file, you will come to know that there is only 3 main directories names as:


we already disable directory browsing on wp-content and wp-includes, to secure your WordPress login screen simply limit access to selected IP addresses only. Copy this code into your .htaccess file:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Panel"
AuthType Basic

order deny,allow
deny from all
# whitelist Alex IP address
allow from **.**.**.***
# whitelist David's IP address
allow from **.**.**.***
# whitelist John's IP address
allow from **.**.**.***
# whitelist Office IP address
allow from **.**.**.***

Remember, replace **.**.**.** with your personal IP addresses. You can use more than one IP address as well.
Write “What is my IP” on google search screen, to check your IP.
Note: make sure your internet IP is static, and do not keep changing every day.

Password Protect WP Admin Directory

password protected admin

First you need to create a .htpasswds file. You can easily create one by using this online generator.
Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be:
Now you need to create a new .htaccess file and add this code:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any

Important: Don’t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username.
Upload this .htaccess file to your wp-admin folder. That’s all, your WordPress admin folder is now password protected and only you or the users you allow will be able to access it

Disable XML-RPC in WordPress

XML-RPC is easy and simple method to make remote connection over HTTP. It can be used with PHP and other programming languages. After WordPress 3.5 XML-RPC is enabled by default because it helps your WordPress to build remote connection with web and mobile apps.
The most powerful feature of XML-RPC is that you can access the system.multicall method to pass multiple commands inside a single HTTP request.
Normally if a hacker wants to hack your website he have to pass out the above challenges you applied for him in your website, first of all he will be blocked to reach WordPress login page. But with XML-RPC enabled hacker can use the system.multicall method to try thousands of different passwords in a single HTTP request.
This is why we recommend you disable XML-RPC if you are not using it on your website.
In order to disable XML-RPC in WordPress, please follow our step by step instructions on how to disable XML-RPC in WordPress.
Add this code at the bottom of .htaccess file.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from


Securing and maintaining WordPress website is a time consuming and tough job. We advise you to hire a specialist. They will improve website security for any future attacks.
If you enjoy this article, please share it as well. Also, please subscribe to our newsletter for future updates. You can also connect yourself with us on Facebook and Twitter.