WordPress Security: How to keep your site safe?


how to keep Wordpress site safe
Home » Articles » Wordpress » WordPress Security: How to keep your site safe?

If you are managing a business WordPress website, it would be a disaster if one day it gets hacked. Your website is essentially your shopfront, and without one then you may lose customers. The security of a website is of utmost importance. If you are a marketing manager or a business owner, this article will offer some tips of how to keep WordPress site safe.

How to keep your WordPress site safe

Updating WordPress version 

Some people hesitate to update their site out of fear that it might cause issues. However, updating the site does not just help fix bugs or give you access to new features – it also helps address core vulnerabilities. Vulnerabilities are essentially errors within the code that can have unintended consequences from a security perspective, they aren’t placed intentionally, they just occur naturally as part of the software development process. When developers are working on software like WordPress they likely have the best intentions, but when adding new features it can be very easy to open up the code in a way that can be exploited by hackers. Luckily people dedicate their time to investigating and identifying these risks, and they try to do so before hackers take their chance. When an issue is identified the “patching”process can take just a few days or hours, but if you haven’t updated your site then you might still be vulnerable.

Therefore it’s important to keep an eye on WordPress releases and keep your site up to date.

Automatic minor updates

Luckily WordPress normally applies minor security updates automatically. So you won’t have to lift a finger, but it’s always a good idea to check if this is working on your website, as your site may have been configured previously so skip minor updates.

How to check if minor updates are enabled and working in WordPress

There are two options that you can try. First check the current settings in the WordPress admin panel. Go to the Dashboard and look for the Updates section.You will see if there is an option to enable automatic updates for minor core releases.

Another way is check wp-config.php. You need to access your site’s files via FTP or file manager in your hosting account. Then, look for the `wp-config.php` file in the root directory. Check if there is a line of code mentioning automatic updates. It should look something like this:

define( 'WP_AUTO_UPDATE_CORE', true );
How to enable minor updates if it is disabled

If your automatic update is disabled, you should  access your site’s files via FTP or file manager in your hosting account. Next, go find the `wp-config.php` file in the root directory. Copy and paste the above code to enable minor updates:

If you’re unsure about how to update WordPress, follow the methods below. Please ensure that you have a backup of your website before proceeding.

Manually updating via the dashboard

Updating WordPress to the latest version is crucial to ensure the security and stability of your website. You can either set up automatic updates or manually update WordPress. These updates patch security vulnerabilities, introduce new features, and improve performance. We would recommend enabling automatic updates for minor versions.

how to update wordpress version

Secure your WordPress login

Step 1, visit: yourwebsite.com/wp-login.php

Step 2, enter username “admin” and your password”.

Sound familiar?

Hackers know that your WordPress website will be: example.com/wp-login.php so they target their attacks there. They can also guess that your username might be “admin”. Don’t make it easy for them, change the login url and change your username to something more complicated.

How to make a custom login URL

Jump to the plugin method.


Kahunas advises against making such changes as it requires experience and knowledge of coding. Altering the WP path will involve adjustments on your website, including in the .htaccess file and several other core WP files. It’s crucial to highlight that if you lack expertise or coding skills, it’s advisable to seek guidance from web development experts regarding this matter.

Moreover, the drawback of manually changing the login URL is that the process may get overridden during a WordPress update. The only method to prevent this is by crafting a new login page and utilising a child theme.

However, if you are adamant about making these changes, here is what you should do.

If you wish to change the /wp-admin path to /custom-login-url, you will need to modify three files: wp-config.php, functions.php, and the .htaccess file.

1. Edit wp-config.php file:

   – Access cPanel > File Manager > Navigate to /public_html directory > Open wp-config.php file.

   – Right-click and select Edit > Find the line define(‘WP_DEBUG’, false).

   – Add the following code above it:

define('ADMIN_COOKIE_PATH', '/custom-login-url');

2. Edit functions.php file:

   – Navigate to /wp-content/themes/your-theme-name/functions.php.

   – Right-click > Edit > Paste the following code:

function custom_login_page() {
    global $pagenow;
    if ($pagenow === 'wp-login.php' && $_SERVER['REQUEST_METHOD'] === 'GET') {

add_action('init', 'custom_login_page');

3. Edit .htaccess file:

   – Access cPanel > File Manager > Navigate to /public_html directory > Open .htaccess file.

   – Change it to

RewriteRule ^custom-login-url/(.*) wp-admin/$1?%{QUERY_STRING} [L].

After making these adjustments, you can access the login page using the link: yourdomain/custom-login-url.

At times, a custom login URL may cease functioning if you manually alter the address. Editing the WordPress login address typically includes the following steps:

1. Creating a new login page to substitute wp-login.php.

2. Editing your active theme’s functions.php file to acknowledge the new login page.

WordPress might remove the new login page you inserted into the root directory. Alternatively, if you fail to employ a child theme and update the active theme, any modifications made to its functions.php file will be overridden.

WordPress Security Plugins

If you lack expertise in programming or WordPress, simply install the plugin, and you can swiftly modify the wp-admin path.

You don’t need to fret about dealing with code or support files; you can install, activate, and configure the suitable plugin for changing the wp-admin path.

There are both free and paid WordPress security plugins accessible, depending on your budget that you can choose from.

Here are some plugins you should contemplate installing to alter your WordPress admin path:

  1. AIOSEC – WP Security
  2. SolidWP
  3. WPS Hide Login.

Changing your admin username

To secure this, here is what you should do:

If you’re using the “admin” username, then follow these steps to update it. Unfortunately you cannot change WordPress usernames retrospectively (at least not easily). So you’ll need to create a new user – and then delete your old one (remember to assign any content to another user when you delete your old one, or you may lose content like posts and pages attributed to the old user account).


1. Access your WordPress Dashboard.

2. Navigate to Users and click on Add New.

3. Create a new user and grant it Administrator privileges.

4. Log back into WordPress using the new credentials.

5. Remove the old admin account.

Use a secure password

A complex password also significantly contributes to WordPress security. It’s challenging for brute-force attacks to succeed if your password includes lowercase and uppercase letters, numbers, and special characters. Tools like PassGen can help generate complex passwords. Additionally, if you need to log into your WordPress admin area using an insecure network (like at a café, library, airport, etc.), remember to secure your login with a VPN to protect your login information.

Check and remove strange admin account

You should review user accounts in WordPress by accessing the Users > All Users page. Look for any suspicious user accounts that shouldn’t be there. As soon as you notice any suspicious user accounts, you should delete them.

Additionally, if your website doesn’t require users to create accounts, you should go to Settings > General and make sure that the checkbox next to the “Anyone can register” option is unchecked.

how to manage user in wordpress
Consider F2A Authentication

There are several ways of adding F2A Authentication to your site. One way you can try is WordPress Secure Sign On. 

First step, you need to active WordPress.com Secure Sign On by following these step: 

1. Install and activate the Jetpack plugin on your site.

2. Locate the WordPress.com Secure Sign On feature within Jetpack and follow the on-screen instructions to enable it.

3. Register or log in to your self-hosted WordPress.org site securely using your WordPress.com credentials.

Next, you need to set up Two-Factor Authentication (2FA) with Jetpack:

1. Visit the WordPress.com Two-Step Authentication page.

2. Choose to verify your identity via SMS or an authenticator app like Duo, Authy, or Google Authenticator.

3. If verifying via SMS:

   – Enter your phone number to receive a seven-digit code.

   – Input the code in the login form and click Enable.

4. If verifying via an authenticator app:

   – Scan the QR code displayed on-screen with your authenticator app.

   – Use the six-digit code generated by the app to enable 2FA.

5. Save a copy of your backup codes provided after enabling 2FA. These codes can be used in case of app malfunction or lost device.

6. You have successfully set up 2FA on your WordPress account for added security.

Secure your web hosting 

When hosting your WordPress site, it is essential to consider that some business owners may prioritize cost-efficiency, opting for free, unlimited, or cheap hosting options. However, it is crucial to understand that there is no foolproof hosting solution that is immune to hacking. You might spend ages securing your WordPress website but then hackers gain access via your web host instead, due to a simple password, or social engineering. When choosing a web hosting service, ensure it meets the following checklist:

– SSL Certificates

– Firewall Protection

– Regular Backups

– DDoS Protection

– Server Monitoring

– Secure Data Centers

– Regular Updates

– Two-Factor Authentication (2FA)

– Strong Password Policies

Protect your site from brute force login

Brute force login – when a hacker repeatedly tries your login form. They keep trying until they find the correct password. To protect against this, use a complex and lengthy password that would be difficult to guess. Additionally, prevent the same IP address from attempting to log in multiple times. For instance, employ a plugin that bans access to the website for 30 minutes after 3 failed login attempts. This will significantly impede hacking attempts.

Use WordPress themes or plugins the right way

The correct approach involves what we say is the “right way,” including.

Don’t use free, nulled ones 

There are thousands of nulled plugins and themes floating around the internet. However, most of these contain malicious code, some even embedded within seemingly secure WordPress security plugins. Worse yet, some may contain SEO links from black hat hackers that can prevent your website from ranking well. Installing these on your hosting means your WordPress website is entirely insecure, exposing it to vulnerabilities created by hackers from within.

Ceasing the use of nulled plugins and themes today is one of the best ways to secure your WordPress website. Not only does it violate copyrights, but it also significantly impacts WordPress security. You might end up paying more to programmers to clean up your website than you would by purchasing necessary themes or plugins.

Monitoring themes and plugins regularly 

Outdated plugins account for 92% of vulnerability reports in WordPress. Cleaning up your WordPress site and removing unused plugins or themes is also a good way to enhance security. Hackers can scan outdated themes and plugins (including official WordPress plugins) to access the Dashboard and upload malware to your server. By deleting plugins and themes you haven’t used (or updated) for a while, you reduce the risk of being attacked and help make your WordPress site more secure.

Turn off file editing in WordPress

To disable file editing in WordPress, you can add the following code snippet to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

By incorporating this line of code into the wp-config.php file, you prevent users from editing themes and plugins directly from the WordPress admin dashboard, thereby enhancing security and reducing the risk of unauthorized file modifications by potential hackers. This measure helps safeguard your WordPress site by limiting access to critical files within the admin area.

Configure .htaccess for enhanced security

The .htaccess file is used to configure how WordPress links function. Without the correct directives in .htaccess, you may encounter numerous 404 errors.

Many people are unaware that .htaccess can bolster WordPress website security. For instance, with .htaccess, you can restrict access or disable PHP execution in a specified directory. Below are ways to leverage .htaccess to enhance WordPress security.

Note: Before you begin editing the .htaccess file, we recommend backing up your old .htaccess file.

Block access to the WordPress admin page

The code snippet below helps you block access to the WordPress Administrator and only allows certain IP addresses specified in the allow section:

<Files wp-login.php>
    order deny,allow
    Deny from all
    # Enter your IP address below
    allow from xxx.xxx.xxx.xxx

Note: Replace XX.XX.XX.XXX with your IP address. You can check your current IP at http://whatismyip.com/. If you wish to use multiple connections to manage your WordPress site, ensure all admin IPs are added (you can add as many lines as needed). It’s not recommended to use this script if you have a dynamic IP address.

Disable PHP execution in a specified directory

Attackers often upload malicious scripts to WordPress directories. By default, these directories are used to store media files, so they should not contain PHP files. You can easily disable PHP execution by creating a .htaccess file in the /wp-content/uploads/ directory with the following commands:

<Files "*.php">
    deny from all

Protect the WordPress wp-config.php file

The wp-config.php file contains core WordPress settings and detailed MySQL database information. Therefore, it’s one of the most critical WordPress files and a primary target for hackers attempting to attack WordPress. However, you can easily protect this file with the following command in .htaccess:

<files wp-config.php>
order allow,deny
deny from all

If connecting to your server, don’t use plain old FTP. Use FTP over SSL/TLS or SFTP/SSH instead

When using plain old FTP to connect to a WordPress site, the password is transmitted to the server without encryption, making it susceptible to interception. Instead you should use a method which encrypts your credentials such as FTP over SSL/TLS or alternatively the SFTP/SSH protocol.

Most clients support this out of the box but you might need to get new credentials to access via this method or configure some settings via Cpanel or another server management platform provided by your web host. If you are uncertain about the differences between these protocols, refer to the table below.

Security Aspect FTP SFTP/SSH FTP by SSL/TLS
Authentication Credentials sent in plain text Credentials encrypted Credentials encrypted
Data Encryption Data transferred in plain text Data encrypted Data encrypted via SSL/TLS
Secure Connection No secure connection Secure connection via SSH Secure connection via SSL/TLS
Vulnerability to Attacks Prone to eavesdropping and hacking Less vulnerable to attacks Less vulnerable to attacks
Protection from breaches Higher risk of unauthorized access Lower risk of unauthorized access Lower risk of unauthorized access
Mitigation of Risks Limited protection against attacks Strong protection against attacks Strong protection against attacks

Setting your file permissions correctly 

Incorrect file permissions in WordPress can lead to unauthorized access, malware injection, data loss, and other security vulnerabilities that can compromise your website’s integrity and expose sensitive information.

To set file permissions correctly on WordPress, follow these steps:

1. Access your WordPress file director: 

Connect to your website using an FTP client or a file manager in your web hosting control panel.

2. Locate the WordPress root directory: 

This is typically the folder where your WordPress files are installed. Commonly named `public_html`, `www`, or `htdocs`.

3. Set correct permissions:

   – Folders: Set permissions to 755. This allows the owner to read, write, and execute while others can only read and execute.

chmod 755 /path/to/folder

   – Files: Set permissions to 644. This allows the owner to read and write while others can only read.

chmod 644 /path/to/file

4. Update wp-config.php: Set permissions to 600 to protect sensitive information.

chmod 600 wp-config.php

5. Secure wp-content/uploads folder: Set permissions to 755 for the `uploads` folder to allow WordPress to upload files. Create a `.htaccess` file in this folder with the following content:

# Deny direct access to files
Options -Indexes
Deny from all

6. Check your WordPress site: Ensure that everything works as expected after setting the permissions.

When should you perform a WordPress security check?

You should conduct a WordPress security check at least once a quarter. This helps you stay on top of the situation and address any security vulnerabilities before they become a problem.

However, if you notice anything suspicious during the operation of your website, such as the following, immediately perform a WordPress Security Audit to ensure the safety of your site:

  • Your website suddenly becomes slow and unresponsive.
  • The traffic to your website decreases.
  • There are suspicious new accounts, password reset requests, or attempts to log in to your website.
  • Suspicious links appear on your website.


The advice listed above can help assist in how to keep WordPress site safe. Unfortunately no technical solution can be guaranteed as 100% secure, because of the complex web of dependencies that each website relies upon – it’s impossible to truly vet everything that makes the web work line by line, or at the very least it’s a life’s work. We have to rely on the contributions and vigilance of the web community in order to strengthen the code that underpins our websites, and on top of this we need to take practical steps to protect ourselves from simple mistakes like using simple passwords or installing and activating code from sources we don’t fully trust. Our general advice is don’t make yourself an easy target, take steps today to protect your WordPress website, and call in the experts when you need them.

Ready to improve your website?

Add Kahunam to your team. We'll help you build a new website that helps you crush your goals. Or we'll take your existing website and help you take it to the next level — leaving your competitors in the dust.