Secure your WordPress website in 7 steps

WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.

If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.

1. Integrate Google’s V3 Captcha on login & forms

First & the foremost important thing to do is integrate Google’s Captcha feature on your website forms & login areas. I personally prefer V3 captcha. You can integrate this security tool easily without any coding skills by a plugin called Advanced noCaptcha & invisible Captcha.

2. Customize your default WordPress Login URL

Next step to secure your WordPress website is by changing your default login URL or so called End Point to something else. You can do this by installing & configuring a security plugin called WPS Hide Login. Again no programming knowledge is required for this setup. It is more of a plug and play thing.

3. Activate Loginizer Alerts & Limit Login Attempts

Loginizer is a security plugin that sends regular alerts after every 3 failed login attempts along with the users IP address. It also prevents the attackers IP from logging in for about 15 minutes. This way you can find the hackers IP and simply block it from cPanel or any other hosting management panel.

4. Change your default login credentials to complex

No plugin is required for this step. Simple go to settings>users>select your profile and change the default username from “admin” to something else & password to at least 8 digit including special characters with alphanumeric pattern.

5. Add SSL to your WordPress website

SSL is a security protocol that adds security from man in the middle attacks by advanced hackers. It is a must have thing for any website. SSL is paid and even it is Free. You can start experimenting by getting it free from Let’s Encrypt.

6. Disable File Editing & PHP Execution

For this step you will need to access wpconfig.php file from your hosting file manager & add the following line:

define( ‘DISALLOW_FILE_EDIT’, true );

This code disables the built in code editor in WordPress admin panel. Also you will need to disable the PHP execution in uploads folder by adding following lines into your .htaccess file inside /wp-content/uploads/ folder

<Files *.php>

deny from all


If the file does not exists, create it from your file manager in hosting management panel.

7. Disable XML-RPC in WordPress

Hackers use this technique to since WordPress 3.5. As it is enabled by default to connect your website with mobile apps & deliver data over APIs. In this case attackers are not blocked by Loginizer & they can use system.multicall function to try thousands of password with just 30 to 40 simultaneous requests. All you have to do is paste the following code in the .htaccess file.

<Files xmlrpc.php>

order deny,allow

deny from all

allow from


Share this post: