10 Little-Known Tips to Secure WordPress Sites

Getting a blog hacked and losing years of blogging work overnight is a sad reality that many people have actually gone through. In fact, research shows that 37,000 websites are hacked every day, and with WordPress powering approximately 25.4% of all websites, you can be sure that a good number of WordPress blogs are among them.

WordPress security is an entirely different ballgame: once you own a WordPress blog, tips like choosing a hard-to-guess username and a rock-solid password are no longer sufficient. A single buggy theme, the wrong plugin, or an incorrectly protected file can get your blog hacked overnight.

Whether you’re new to WordPress or have been using the platform since it was released, this article has 10 practical and super effective ways to secure your WordPress blog that anybody can implement. You won’t find most of these tips in popular "how to secure your blog" articles, but they could very well save your blog one day!


1. Disable the WordPress Theme & Plugin Editor

WordPress has a handy feature that gives site owners more flexibility by letting them edit their themes and plugins right from the WordPress dashboard, but this feature has been the undoing of most blogs.

With this feature, a slight error can crash your site and lock you out of your own website. Worse, a hacker who gains control of an account with enough privileges to use the theme and plugin editor can insert malicious code into your theme to give themselves backdoor access to your site, or even take over your site completely.

You can protect yourself by disabling the plugin and theme editor, which makes it impossible to modify your themes and plugins from the dashboard; changes then require FTP (or other file-system) access.

Do this by adding the following code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );


2. Enable Two-Factor Authentication

Two-factor authentication is quickly becoming one of the most reliable ways to protect your online accounts, and most reputable websites now insist that their users enable it.

While WordPress does not have two-factor authentication built in, you can enable it on your blog by installing one of the following plugins:

3. Limit Logins Based on Number of Failed Attempts

There are many ways hackers try to gain access to your blog, and one of the most common is a brute-force attack: the attacker tries combination after combination of usernames and passwords until one of them works.


By default, WordPress does nothing to stop this attack. By installing a plugin that blocks logins after a certain number of failed attempts from a particular IP address, you make it much more difficult for an attacker to get in.

The Jetpack Protect module can also protect you from brute-force attacks.
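As an added example (not from the original article, and not code from any plugin named here), the following POSIX shell function shows the same idea from the detection side: it reads Apache combined-format access-log lines and lists the IP addresses that POSTed to wp-login.php and got a 200 response at least N times. A failed WordPress login re-renders the form with a 200, while a successful one redirects with a 302, so repeated 200s from one address are the signature to watch. The log lines are constructed samples.

```shell
#!/bin/sh
# Added example: spot repeated failed logins per IP in an Apache access log.
# A failed wp-login.php POST gets a 200 (the form is shown again); a
# successful one gets a 302 redirect to the dashboard.

# Constructed sample log lines (combined log format), not real traffic.
SAMPLE_LOG='203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3215 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 7120 "-" "Mozilla/5.0"'

# flag_bruteforce LIMIT: read log lines on stdin and print "IP COUNT" for
# each address with at least LIMIT failed login POSTs, sorted by IP.
# Fields in the combined format: $1 client IP, $6 "METHOD, $7 path, $9 status.
flag_bruteforce() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { failed[$1]++ }
    END { for (ip in failed) if (failed[ip] >= limit) print ip, failed[ip] }
  ' | sort
}

# demo LIMIT: run the check over the constructed sample above.
demo() {
  printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce "$1"
}

# Real use, e.g.: flag_bruteforce 10 < /var/log/apache2/access.log
```

The addresses this prints are candidates for the per-IP lockout the plugins above apply automatically; a single failed attempt followed by a 302 (as for 198.51.100.9 in the sample) is a normal user mistyping a password and is not flagged.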

4. Regularly Scan Your Blog

Theme files, plugins, links, and other seemingly harmless elements can be used to gain access to your blog. Don’t wait until your website is fully infected before you take action. Instead, install a security scanning plugin that regularly scans your website and notifies you when your files change.

A good example of a security scanning plugin is Wordfence. Besides letting you scan your WordPress blog manually or on a schedule, it also notifies you immediately when suspicious activity is going on on your blog.

It also reports potentially malicious comments, and it compares your theme and plugin files with the copies in the WordPress repository to tell you whether your version of a plugin or theme has been modified and could be serving as a backdoor into your site.

Other security plugins that can help you scan your blog for malware and exploits are:


5. Change Your Host

While this sounds like simplistic advice, it actually carries a lot of weight. Research shows that 41% of hacked WordPress websites were hacked through a security vulnerability on their hosting platform. That is far more than any other cause, including weak passwords.

Your host can play a major role in whether you will be hacked or not; make sure you only go for reliable web hosts that have stood the test of time and that comply with industry best practices.


6. Hide Your WordPress Version Number

By default, WordPress publishes your WordPress version number in your pages; this makes it easy for WordPress to keep track of how many WordPress blogs are active worldwide. However, it is also a huge source of problems: hackers and bots can scan the web for blogs running a WordPress version with a known vulnerability, making you an easy target.

You can easily solve this problem by hiding your WordPress version number. To do so, simply add the following code to your theme’s functions.php file:

add_filter( 'the_generator', '__return_null' );


7. Disable PHP Error Reports

When a plugin or theme isn’t working well on your WordPress blog, PHP error reports can help by showing you a message that reveals the cause of the error. However, this advantage comes with a disadvantage: a reported PHP error includes the full server path of the file that caused it, revealing information that hackers can use against you.

You can protect yourself by disabling the display of PHP errors. Simply add the following code to your wp-config.php file:

 @ini_set('display_errors', 0);

8. Work on Your WordPress File Permissions

When it comes to protecting your WordPress site from security exploits, it is essential to have the right file permissions. This makes it difficult for a hacker to manipulate plugins, themes, or other files on your server to take over your website.

Make sure that WordPress directory permissions are set to 755 or 750, file permissions are set to 644 or 640, and wp-config.php is set to 600.
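As an added example (not from the original article), the following POSIX shell functions apply exactly those modes to a WordPress tree and then audit it for anything that deviates, so the check can be repeated from cron. The path /var/www/html in the usage comment is an assumed install location.

```shell
#!/bin/sh
# Added example: apply the recommended WordPress permissions and audit a tree
# for anything that deviates from them. Run as the file owner (or root).

# harden_wp_perms ROOT: directories 755, files 644, wp-config.php 600.
harden_wp_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then
    chmod 600 "$1/wp-config.php"
  fi
}

# audit_wp_perms ROOT: print every path whose mode is outside the recommended
# set (dirs 755/750, files 644/640, wp-config.php 600). Returns 1 if any path
# was printed and 0 if the tree is clean, so it can drive a cron alert.
audit_wp_perms() {
  bad=$( {
    find "$1" -type d ! -perm 755 ! -perm 750
    find "$1" -type f ! -name wp-config.php ! -perm 644 ! -perm 640
    find "$1" -type f -name wp-config.php ! -perm 600
  } )
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad"
  return 1
}

# Caveat: wp-content/uploads must stay writable by the web-server user. If PHP
# runs as a different user than the file owner, that directory needs 775/664
# (or a matching group) rather than the tighter modes applied here.
# Usage (assumed path): harden_wp_perms /var/www/html && audit_wp_perms /var/www/html
```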


9. Ensure Regular Backups

Even big websites with a team of security experts and consultants get hacked, and while following best practices can make your website stronger than 99.9% of websites, things can still break.


The best protection you have against a WordPress hack is a good backup; make sure you’re backing up your site on a regular basis – daily, if possible. This way, if your website is hacked you have a copy of your files and can restore things immediately.

Here are some of the best WordPress backup plugins:


10. Limit Access to Your Login Page

When push comes to shove, you just might have to take some drastic action. A very reliable way to protect your blog from hack attempts is to block access to your wp-admin directory and wp-login.php page entirely for everyone except your own IP addresses.

This is only recommended if you use a single IP address that doesn’t change (you don’t want to lock yourself out of your blog!). You can still use this option if you use more than one IP address, but keep track of those addresses.

To limit access to your login page, add the following code to your .htaccess file:

 <IfModule mod_rewrite.c>
 RewriteEngine on
 # Match the login page and anything under wp-admin. Note that this also
 # covers wp-admin/admin-ajax.php, which some plugins call from public pages.
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
 # One line per allowed address; escape the dots, e.g. !^203\.0\.113\.7$
 RewriteCond %{REMOTE_ADDR} !^Your IP address 1$
 RewriteCond %{REMOTE_ADDR} !^Your IP address 2$
 RewriteCond %{REMOTE_ADDR} !^Your IP address 3$
 RewriteCond %{REMOTE_ADDR} !^Your IP address 4$
 RewriteCond %{REMOTE_ADDR} !^Your IP address 5$
 # Everyone else gets a 403 Forbidden
 RewriteRule ^(.*)$ - [R=403,L]
 </IfModule>

Be sure to replace Your IP address 1 through Your IP address 5 with the IP addresses you want to give access to; simply add or remove a RewriteCond line to allow or block more IPs.


Of course, you shouldn’t ignore basic security tips like not using a predictable username, having a strong password, updating your WordPress installation regularly, etc. However, the above are some little-known, often-ignored security tips that can make your WordPress blog just a bit more secure.