≡ Menu

Chapter 21: WordPress Basic Site Security

Basic Site Security Tips for WordPress Site Owners


Owning a WordPress website is empowering. This Content Management System helps greatly when it comes to managing your site or blog without much technical knowledge. However, not paying attention to website security may cause trouble.

Wondering what to do?

Here are a few basic WordPress site security tips you must follow:

1.   Update, Backup, and Clean

You must keep your WordPress version, PHP version, themes, and plugins updated. Updates are often useful for fixing security loopholes and preventing hackers from intruding into your WordPress site.

It is also suggested to back up your WordPress data on a regular basis and clean files that are not needed anymore. Keep cleaning unused plugins, media files, incomplete installations, and unwanted files and also your WordPress database. You can clean the plugins and files manually via wp-admin dashboard or via FTP. But to clean up the database it is suggested you not do manually and with risk to delete any database tables or references. So you might want to use the Advanced Database Cleaner , a free plugin while doing so. But you should turn off any backup plugins once they are done, you may use it like once in three months or so, on per request basis. Having them “always on” is not a good idea.

2.   Mask Default Paths and Essential Details

By default, WordPress Admin Dashboard is accessible by visiting ‘www.example.com/wp_admin.’ Leaving this path as is will allow hackers to visit the login page and attempt exploits. So, you can use the WPS Hide Login WordPress plugin to mask this path/URL.

Similarly, letting external users know the WordPress version of your site is also risky, especially when you are using an old version. Hiding this detail from the public is a way to stay away from various threats.

3.   Adopt Strong Security Measures

It’s a rule that applies to every digital and physical asset when its security is concerned. WordPress is not an exception. You must:

  • Choose a unique username;
  • Strong login passwords;
  • Disable password hints;
  • Limit login attempts;
  • Block IP addresses that appear fishy;
  • Monitor your files and see if there is an unexpected change in them.

4.   Settle Down with a Secure Web Host

Your WordPress hosting service provider should be reliable, secure, and customer-centric rather than just being cost-convenient. So, always select a host after proper research. A few recommended hosts in this row are Bluehost, Inmotionhosting, and SiteGround.

5.   Do Not Forget to Secure Your Devices.

One thing that people often miss out during deploying WordPress security measures in securing their personal devices. As you are the admin of your WordPress blog, website, or eCommerce store, a hacker or malicious actor gaining physical or remote access to your website will do massive harm.

To avoid problems:

  • You must scan and check your devices often.
  • If logging in to your WordPress admin dashboard using public wifi or a public system, make sure to log out and clear your data.
  • Check for unwanted software applications, e.g., keylogger, on your system. If found, you must remove the program immediately and reset your crucial passwords without fail.


go to WordPress Training for non-techies main page