
Website Security: Making Your WordPress Site More Secure

By: Nick Harrison
Last Updated: June 6, 2019

Website security is not something to take lightly. Having your WordPress site hacked can be devastating and end up costing you and your company a lot of time and money to fix.

Attackers keep getting better at breaking into websites, and WordPress, as the number 1 CMS (content management system) on the planet, receives the most attempts by far. You may think nobody would want to hack your site, but most attempts are not aimed at you at all: they come from bots, programs that scan the Internet for any site with a known weakness so it can be defaced, loaded with malware or used to send spam. An attempt on your site is usually one of three things.

  1. DDoS: A distributed denial of service attack floods your website with so many requests, from many machines at once, that your network and server can't keep up and legitimate users can't reach the site.
  2. Malware: Malicious code injected into your website's files and/or database. It is used for various purposes, from taking your site down, to attacking your visitors, to changing your content. The scary thing about these parasites is that your site might be infected and you don't even know it. Malware hurts your search ranking and, even worse, gets your site listed by browser safe-browsing lists, security plugins and antivirus software as a site not to trust. That is not fixed overnight: after you clean up, each of those services has to re-evaluate your site, which can take a very long time.
  3. Spam: Not the delicious salty meatish product that's consumed like water in Hawaii. Bots spend their days and evenings trying to inject their content into your forms and comments. If one of your comments carries a link to a site that is deemed malicious, the same thing as above can happen: you are effectively blacklisted until the link is removed and your site has been re-scanned by everyone.

WordPress, like all CMSs, is subject to these attacks. Because a CMS like WordPress runs server-side code against a database to build every page and to make the site interactive for you and your users, it has a much larger attack surface than a site of static HTML pages: every form field, query parameter, plugin and theme is code that can be attacked.

While no website is 100% secure, the security tips below will make your WordPress website substantially more secure and make it much harder for a hacker or bot to break in.

Creative Usernames

To log in to the admin area of a WordPress site, you need a username (or email address) and a password. If you use a username like admin, or a plain first name like Nick, bots will guess it first, because it's common. A username like Nharr5283 is better, but treat it as a small gain rather than a real control: WordPress exposes usernames through author archive pages (/?author=1 redirects to /author/<username>/) and the REST API (/wp-json/wp/v2/users), and your email address also works as the login. The password, login limits and two-factor authentication covered below are what actually keep the account safe.

Change Database Prefix Names

By default WordPress uses table names like wp_options, and a lot of canned attack scripts hard-code that prefix, so changing it (to something like 295839w_options) is cheap and knocks out some automated attacks. Don't mistake it for a strong control, though: any SQL injection that reaches the database can list the table names from information_schema, so the real defence against injection is fixing the vulnerable code (parameterised queries, and keeping plugins updated), not hiding the names. If you do change the prefix, remember that it is also embedded in the usermeta keys (wp_capabilities, wp_user_level) and the wp_user_roles option; those rows must be renamed too or your administrators lose their access. Here is an article by WP Beginner on how to do it.
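To make the caveat concrete, here is an added example (not code from the original post or from WordPress) that shows a deliberately injectable lookup beside its parameterised version. It builds a throw-away SQLite database with a randomised prefix the "attacker" never sees and shows that one injection payload lists every table name anyway. The prefix, tables, rows and payload are all constructed for this example; SQLite's schema catalogue is sqlite_master, on MySQL the same payload would read information_schema.tables, but the technique is identical.

```python
"""Why a random table prefix does not stop SQL injection.

Added example, not from the original post. It builds a throw-away SQLite
database with a randomised prefix, runs a deliberately injectable query
(string-built, the way a buggy plugin might) and shows that one payload
lists every table name without knowing the prefix; the parameterised
version of the same query treats the payload as plain data. Prefix,
tables, rows and payload are all constructed here.
"""
import secrets
import sqlite3


def build_db(prefix):
    """A two-table stand-in for a WordPress database (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute(f"CREATE TABLE {prefix}options (option_name TEXT, option_value TEXT)")
    con.execute(f"CREATE TABLE {prefix}users (user_login TEXT, user_pass TEXT)")
    con.execute(f"INSERT INTO {prefix}options VALUES ('blogname', 'Example Site')")
    con.execute(f"INSERT INTO {prefix}users VALUES ('nharr5283', 'constructed-hash')")
    return con


def vulnerable_lookup(con, prefix, option_name):
    """String concatenation: whatever is in option_name becomes part of the SQL."""
    sql = f"SELECT option_value FROM {prefix}options WHERE option_name = '{option_name}'"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(con, prefix, option_name):
    """Bound parameter: the same payload is compared literally and matches nothing."""
    sql = f"SELECT option_value FROM {prefix}options WHERE option_name = ?"
    return [row[0] for row in con.execute(sql, (option_name,))]


# Closes the quoted string, appends a UNION that reads the schema catalogue,
# then comments out the trailing quote the query would have added.
PAYLOAD = "x' UNION SELECT name FROM sqlite_master WHERE type = 'table' -- "


def demo():
    """Return (prefix, table names leaked by the vulnerable query, result of the safe one)."""
    prefix = f"wp{secrets.token_hex(3)}_"     # e.g. wp3f9a1c_, unknown to the attacker
    con = build_db(prefix)
    leaked = sorted(vulnerable_lookup(con, prefix, PAYLOAD))
    safe = safe_lookup(con, prefix, PAYLOAD)
    return prefix, leaked, safe


if __name__ == "__main__":
    prefix, leaked, safe = demo()
    print(f"prefix: {prefix}")
    print(f"vulnerable query leaked: {leaked}")
    print(f"parameterised query returned: {safe}")
```

Run it a few times: the prefix changes every run and the vulnerable query still hands back the full table list, while the parameterised query returns nothing because the payload is just a string that no option_name equals.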

Database Name and Access

The name of the database that hosts your WordPress site, as well as the username and password used to access it, should be hard to guess and use letters, numbers and special characters. You will find these credentials in the wp-config.php file in the root of your WordPress installation, stored in plain text, which is why protecting that file (see below) matters as much as the password itself. Also give the database user only what WordPress needs: access to that one database, and only from the web server itself (localhost), so a leaked password can't be used from elsewhere or against other databases on the host. The username and password can usually be changed in cPanel if your hosting company gives you access.

Security Plugins

These are very helpful with securing your website. Most security plugins will block suspicious bots or people probing your website and will blacklist the IP addresses they use. They also run scans to detect malware and known security flaws. Remember that a security plugin is itself code running on your site, so keep it updated like everything else. The one we use is Wordfence.

Cloudflare

I've mentioned Cloudflare in previous articles. It's a CDN (content delivery network) that helps increase the speed of your website. What makes Cloudflare more than an average CDN is that your website traffic travels through their servers: you point your DNS at Cloudflare and it acts as a reverse proxy in front of your host. Traffic passes through their very capable firewalls, which absorb most DDoS attacks before they reach your server. For this to work your server's real IP address must not be reachable directly, otherwise an attacker simply bypasses Cloudflare. The best part is it's free. They have more advanced premium options as well.

File Editing

First of all, you should never, ever edit your WordPress theme or plugin files via the admin section. Ever! By default, WordPress gives admin users a built-in editor for theme and plugin files. Why is this bad? If someone or something gains access to an admin account, that editor lets them write arbitrary PHP to your server, at which point they can do pretty much whatever they want with your site and your database.

This is really easy to stop. Just add `define( 'DISALLOW_FILE_EDIT', true );` to your wp-config.php file, above the "That's all, stop editing!" comment.

Change your login page location

The default login page is /wp-login.php, and /wp-admin redirects to it. That makes it easy for hackers and bots to find the login form, since they already know where it is. Moving it cuts down the noise from bots that only try the default path; it does not replace the login limits and two-factor authentication below, and a determined attacker can still find the new location. I wouldn't suggest doing this manually, this plugin makes it easy to do.

Limit login attempts

Hackers and bots get into the admin area by brute force: trying thousands or millions of username and password combinations, often lists of passwords leaked from other sites, until one works. If you lock the account or the source IP after 3 or 4 failed attempts, that attack becomes impractical. The plugin above also includes a free extension to limit login attempts.
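A login limiter does this inside WordPress, but you can see the same thing in your web server log. The following is an added example, not code from the original post or from any plugin: a small detector that reads combined-format access log lines, counts failed login POSTs per source IP inside a sliding window, and returns the IPs that exceed the limit. It goes a little beyond the text by also watching xmlrpc.php, which accepts a username and password too and is hammered by the same bots. The log lines, the five-minute window and the threshold of 4 are constructed for this example; the status-code rule assumes the standard WordPress behaviour that a successful form login answers 302 and a failed one re-renders the form with 200.

```python
"""Spotting login brute force in the web server log.

Added example (not code from the original post): reads combined-format
access log lines, counts failed login POSTs per source IP in a sliding
window, and returns the offenders. Log lines, window and threshold are
constructed for this example; tune them to your own traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Endpoints that accept a username and password.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need, or None for lines that are not requests."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """A credential attempt that did not succeed.

    A successful wp-login.php POST answers with a 302 redirect to the
    dashboard; a failed one re-renders the form with 200. xmlrpc.php
    answers 200 either way, so every POST to it is counted as an attempt.
    """
    if rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
        return False
    if rec["path"] == "/wp-login.php" and rec["status"] == 302:
        return False
    return True


def find_bruteforcers(lines, max_attempts=4, window=timedelta(minutes=5)):
    """Return {ip: attempts} for IPs with more than max_attempts failed logins
    inside any `window`. Lines are assumed to be in time order."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # forget attempts outside the window
            q.popleft()
        if len(q) > max_attempts:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample: one bot cycling passwords, one real user who logs in
# on the second try, and a second bot probing xmlrpc.php three times.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Jun/2019:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.21"',
    '203.0.113.7 - - [06/Jun/2019:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.21"',
    '198.51.100.2 - - [06/Jun/2019:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2870 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2019:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.21"',
    '203.0.113.7 - - [06/Jun/2019:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.21"',
    '198.51.100.2 - - [06/Jun/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/Jun/2019:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.21"',
    '198.51.100.2 - - [06/Jun/2019:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [06/Jun/2019:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"',
    '192.0.2.9 - - [06/Jun/2019:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"',
    '192.0.2.9 - - [06/Jun/2019:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "-"',
]

if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"block {ip}: {n} failed logins within 5 minutes")
```

On the sample, only 203.0.113.7 crosses the limit; the real user's single failure and the three xmlrpc.php probes stay under it. Feeding the flagged IPs to your firewall or security plugin's blocklist is the natural next step.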

Two-factor login

As an extra layer of security, consider using two-factor login. Two-factor authentication means a stolen or guessed password alone is not enough to get in; the attacker also needs the code from your authenticator app or your hardware key. There are plenty of free plugins available that do this.

Htaccess and wp-config

The two most sensitive files in a WordPress install are wp-config.php, which holds your database credentials and security keys, and .htaccess, which controls how the web server handles the site. Anyone who can read or change them owns the site. Deny HTTP access to both in your web server configuration, and keep their file permissions tight so that only the web server user can read wp-config.php.

Update WordPress and WordPress plugins

WordPress is constantly patching holes and upgrading its core security features, and most well-maintained plugins do the same. The large majority of hacked WordPress sites got in through an outdated plugin or theme, so it's vital to keep the CMS, your plugins and your themes up to date, and to delete the ones you aren't using: a deactivated plugin is still code sitting on your server.

Update MySQL and PHP

Your ability to do this will depend on your hosting company. Just like updating your computer software or WordPress itself, running a supported version of PHP and MySQL means you still receive security patches; versions past their end of life don't get them.

Have a competent web developer

That old saying, “you get what you pay for.” Yes….

WordPress security keys

The security keys and salts live in your wp-config.php file. They are not used to encrypt passwords (passwords are never put in cookies); they are the secret that WordPress uses to sign the login cookie stored in your user's browser, and the nonces that protect admin forms. Without the key nobody can forge a valid cookie, and changing the keys invalidates every existing login cookie, which is a quick way to log everyone out after a suspected compromise. Get your unique set from the WordPress.org generator at https://api.wordpress.org/secret-key/1.1/salt/ and paste it in.
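To show what "signing the login cookie" buys you, here is an added example, not WordPress's own code: a simplified model of the signed cookie. WordPress builds its auth cookie from the username, an expiry and an HMAC keyed with the secret keys and salts; this toy keeps that shape (user|expiry|mac) so you can see that a cookie forged without the key is rejected, that editing the user or the expiry is detected, and that rotating the key invalidates every cookie issued under the old one. The key values, username and timestamps are constructed for the example.

```python
"""What the wp-config.php keys and salts actually do.

Added example, not WordPress's own code: a simplified model of the signed
login cookie (user|expiry|mac). Key values, usernames and timestamps are
constructed for the example.
"""
import hashlib
import hmac


def make_cookie(user, expiry, key):
    """Return 'user|expiry|mac', mac = HMAC-SHA256(key, 'user|expiry')."""
    payload = f"{user}|{expiry}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_cookie(cookie, key, now):
    """Return the username if the cookie is authentic and unexpired, else None."""
    try:
        user, expiry_s, mac = cookie.split("|")
        expiry = int(expiry_s)
    except ValueError:
        return None
    expected = hmac.new(key, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    # Constant-time compare so response timing does not leak how much of a
    # guessed MAC was right.
    if not hmac.compare_digest(mac, expected):
        return None
    if now > expiry:
        return None
    return user


def demo():
    """Run the scenarios and return {scenario: result}."""
    old_key = b"constructed-old-secret-from-wp-config"
    new_key = b"constructed-new-secret-after-rotation"
    now = 1_559_822_400                                   # 2019-06-06T12:00:00Z
    good = make_cookie("nharr5283", now + 3600, old_key)
    user, expiry_s, mac = good.split("|")

    forged_mac = f"{user}|{expiry_s}|{'0' * len(mac)}"    # attacker guesses a MAC
    longer_expiry = f"{user}|{now + 10**6}|{mac}"         # edited expiry, old MAC
    other_user = f"admin|{expiry_s}|{mac}"                # edited user, old MAC

    return {
        "valid": verify_cookie(good, old_key, now),
        "forged_mac": verify_cookie(forged_mac, old_key, now),
        "tampered_expiry": verify_cookie(longer_expiry, old_key, now),
        "tampered_user": verify_cookie(other_user, old_key, now),
        "expired": verify_cookie(good, old_key, now + 7200),
        "after_key_rotation": verify_cookie(good, new_key, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

Only the first scenario returns a username; every tampered, forged or expired cookie, and the perfectly good cookie checked against the rotated key, comes back as None. That last case is exactly why swapping the keys in wp-config.php logs every user out.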

Do they need to be an admin?

You will make admin users for several reasons. Check your users and make sure nobody has access to your site who isn't currently involved with it. Often I will look at the admin area of a website and see that past employees are still admin users. Give each person the lowest role that lets them do their job (Editor, Author or Contributor rather than Administrator); an admin account that nobody uses is just a standing target for the brute-force bots described above.

Website Security Conclusion

Making your site secure should be a priority for every website owner. It's not that difficult to lock down your site and make it incredibly hard to break into. I've dealt with websites that have been hacked before and it can be an absolute nightmare. There is never a guarantee that your site won't be hacked. Even companies who spend millions of dollars on website security experts get hacked. Following these tips will improve the safety of your website substantially, and they are all easy to do.