8 simple security tips to lock down your WordPress website

Having your WordPress site compromised can be a devastating experience. You may not even realize it has happened and, once it has, it can be challenging to undo the damage without rebuilding your site.

Fortunately, there’s a lot you can do to help reduce security vulnerabilities. From keeping files up-to-date to taking advantage of one of the many WordPress security plugins, you have plenty of strategies available to keep your website secure.

In this article, we’ll explain why security is a concern for WordPress websites. Then we’ll share eight simple security tips to lock down your website and keep it safe. Let’s get started!

Why security is a concern for WordPress websites

Since WordPress is an open-source platform, there are a myriad of third-party plugins and themes to expand its functionality. While this is undoubtedly beneficial, these tools can also introduce vulnerabilities. According to the Patchstack Security Whitepaper, over 96 percent of vulnerabilities originate with third-party code rather than in the WordPress core.

You probably have some third-party tools installed on your WordPress site, which can potentially open it to attack. Once a hacker gains access to your site, they can do a lot of irreversible damage.

Spammy links and popups are one tactic hackers may use to redirect visitors from your website to their own. These attackers often take great care to disguise these links so that you won’t realize they’ve been added. 

When a website is hacked, everything on it is at risk of being compromised. For instance, if you collect user information, this data could be collected and sold by bad actors. In this case, it’s likely that your reputation will suffer long after you’ve cleaned your website.

Moreover, if your site is hacked, it may end up being blacklisted by Google. This means that the search engine will flag your content as being unsafe for visitors. While you can remove your site from the blacklist, this takes a lot of time and effort.

8 simple security tips to lock down your WordPress website

While WordPress sites do have some vulnerabilities when it comes to security, you’re certainly not powerless against attackers. Let’s look at some WordPress security tips to help keep your site secure.

1. Perform a security audit

Performing a WordPress security audit is an excellent first step. Start by evaluating any unused plugins or themes you have installed, and deleting them from your site. Each bit of code you remove from your site gives hackers one less opportunity to access it.

If your site is ever hacked, you can save a lot of time by having a recent WordPress backup ready to install. Therefore, you may want to take this opportunity to ensure that whatever backup solution you’re using is performing as expected.

Next, you could have a look at your website’s registered users. You can view the complete list by navigating to Users > All Users from the WordPress dashboard.

Look for any users you don’t recognize, especially if they have the admin user role, and delete them. It’s possible that someone may have gained access to your site and created an admin-level account for themselves. You might also want to weed out any inactive users.

This is also an excellent time to have a look at your website’s analytics, using Google Analytics. If you notice a significant drop in traffic, it could indicate that your site has been blacklisted or your traffic is being redirected elsewhere.

2. Use a WordPress security plugin

You can guard against many WordPress security vulnerabilities by using a plugin. One powerful option is Sucuri.

Sucuri offers a wealth of features to keep your website secure. This includes various security tests, Domain Name System (DNS) monitoring, and malware scans.

If your site is hacked, Sucuri can help you get back on track. It handles the entire process, from cleaning up any malicious code to getting your website removed from blacklists. You’ll also have access to security experts 24/7. 

3. Pay attention to best practices for passwords

If you discovered some weak passwords during your security audit, now is the time to put some best practices in place. It’s important to ensure that you adhere to the following guidelines when creating passwords:

  • Create long, complex passwords that use a mix of characters.
  • Try to refrain from using the same password for every account.
  • Change your passwords frequently.
  • Avoid using personal information that hackers could easily discover, such as your birthday.

You might also want to consider implementing the principle of least privilege when it comes to accessing your site. This simply means not giving users a higher level of access than they need to perform their job. It can be tempting to grant everyone admin status, but it’s best to take the time and select appropriate user roles.

4. Enable a Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a type of firewall that monitors traffic to your website. If malicious traffic is detected, the firewall can block it. 

With a WAF in place, you can potentially thwart Distributed Denial of Service (DDoS) attacks. You could also block spammy content and other cyber attacks.

You may already have a WAF in place through a Content Delivery Network (CDN), your web host, or another service. If not, Sucuri includes one with all of its plans.

5. Disable file editing

By default, you’re able to edit your theme and plugin files from the WordPress dashboard. However, this can be a security risk, as hackers can easily add malicious code to these files. Again, Sucuri can disable this capability, but it’s also simple to do manually.

To disable file editing, you’ll need to access and edit your wp-config.php file. You can find this file by connecting to your website using a File Transfer Protocol (FTP) client such as FileZilla.

Once you’ve connected to your website, look for the wp-config.php file and right-click on it to download it. Now, open it with your preferred text editor.

If you scroll down, you should see a line that reads, “That’s all, stop editing! Happy blogging!”. Paste the following code anywhere above that line:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

That’s all you need to do. When you’re ready, save your file and reupload it using your FTP client.
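To confirm the edit took effect before re-uploading, the following added example (not part of the original article or of WordPress) checks a downloaded wp-config.php for an active DISALLOW_FILE_EDIT define above the "stop editing" marker. It ignores commented-out lines; the sample file contents and the status names are constructed for illustration.

```python
import re

# Marker comment WordPress ships near the end of wp-config.php.
STOP_MARKER = re.compile(r"stop editing", re.IGNORECASE)
# define( 'DISALLOW_FILE_EDIT', <value> ); group 1 captures <value>.
DEFINE = re.compile(
    r"""define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*([^)]*?)\s*\)""",
    re.IGNORECASE,
)
# Group 1: string literals (kept). Group 2: //, # and /* */ comments (dropped).
TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|(/\*.*?\*/|//[^\n]*|#[^\n]*)""",
    re.DOTALL,
)


def strip_comments(php):
    """Remove PHP comments so a commented-out define() is not counted."""
    return TOKEN.sub(lambda m: m.group(1) or "", php)


def file_edit_status(config_text):
    """Return 'ok', 'not-true', 'below-marker' or 'missing'."""
    marker = STOP_MARKER.search(config_text)
    cut = marker.start() if marker else len(config_text)
    above = DEFINE.search(strip_comments(config_text[:cut]))
    if above:
        return "ok" if above.group(1).lower() == "true" else "not-true"
    if DEFINE.search(strip_comments(config_text[cut:])):
        return "below-marker"  # not where the article says to paste it
    return "missing"


# Constructed sample files (not taken from a real site).
GOOD = """<?php
define( 'DB_NAME', 'example_db' );
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
"""
LINE = "define( 'DISALLOW_FILE_EDIT', true );\n"
SAMPLES = {
    "good": GOOD,
    "commented": GOOD.replace(LINE, "// " + LINE),
    "false": GOOD.replace("true", "false"),
    "below": GOOD.replace(LINE, "") + LINE,
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", file_edit_status(text))
```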

6. Limit login attempts

In a brute force attack, a hacker tries to gain access to your website by rapidly guessing your login details. One way to make this attempt more difficult is to limit login attempts on your WordPress website. 

There are a few plugins that can help you do this, including Limit Login Attempts Reloaded.

Once you have the plugin installed, there are a few settings you may want to tweak. You can find these by navigating to Limit Login Attempts and clicking on the Settings tab.

First, if you don’t have a GDPR compliance message in place, you can use this plugin to add one to your login page. The other setting you may want to change is Notify on lockout. By default, the admin is informed when a user is locked out three times, but you may want to increase or decrease this number.
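To see what a login limit is reacting to, this added example (not from the article or from the plugin) scans web server access-log lines for repeated failed login POSTs from one IP address inside a sliding time window. The log lines, the threshold, the window and the default path /wp-login.php are assumptions; pass a different login_path if you have changed your login URL.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined/common log format: ip, timestamp, method, path, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def flag_bruteforce(lines, max_attempts=4, window=timedelta(minutes=5),
                    login_path="/wp-login.php"):
    """Map each offending IP to the time it first exceeded max_attempts
    failed login POSTs inside the sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed POSTs
    flagged = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, stamp, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != login_path:
            continue
        # Assumption: a successful login answers with a 302 redirect, so
        # any other status on a login POST is counted as a failed attempt.
        if status == "302":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:
            attempts.popleft()
        if len(attempts) > max_attempts:
            flagged.setdefault(ip, when)
    return flagged


# Constructed access-log lines using documentation-only IP ranges.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Mar/2024:10:00:{s:02d} +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 4321'
    for s in range(0, 60, 10)
] + [
    '198.51.100.20 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.5 - - [10/Mar/2024:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4321',
]

if __name__ == "__main__":
    for ip, when in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
```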

7. Change your login URL

One reason brute force attacks tend to be an issue for WordPress sites is that almost all of them have very similar login URLs. Typically you’ll see or 

Fortunately, you can change your login URL using the WPS Hide Login plugin.

Once you’ve installed the plugin, navigate to Settings > General and scroll down to the WPS Hide Login section.

Here, you can customize your login link in the Login url field. Once you click on the Save Changes button, this will become your new login URL.

By default, the Redirection url field will show a 404 error to anyone trying to access your original login URL. You can leave this alone or redirect them to another page if you wish.

8. Keep plugins and themes updated

Developers frequently release updates for the WordPress core, plugins, and themes in order to patch vulnerabilities. If you have an outdated version of any of these files, you’re leaving yourself open to attack. Checking for updates on a regular basis can help you avoid becoming a target.

You can access updates by navigating to Dashboard > Updates. Here, you’ll find information on when your site was last checked for updates. You’ll also see any plugins or themes with outstanding updates, and you can install them right from this screen.

If you prefer, you can set your themes and plugins to update automatically. This keeps the code up-to-date, but new releases sometimes have issues. Therefore, you’ll also want to ensure that you’re backing up your site regularly.


Nobody wants to have to deal with a compromised website, and if you take proper precautions, you may never have to. By remaining vigilant and putting a few measures in place, you can make your website a less attractive target.

If you’re looking for a quick solution, you might want to start by taking advantage of the features Sucuri has to offer. Running regular website security tests can help you ensure that everything is working as it should be. This will also help you keep track of plugins or themes that may need to be updated.

Do you have any questions about mitigating WordPress security vulnerabilities? Reach out to the WordPress security experts.
