11 Proven Ways to Secure WordPress Website



The WordPress platform is one of the leading, most user-friendly Content Management Systems (CMS) available to website owners. It has been deployed in large and small organizations. Because of its popularity, it has become a frequent target for hackers and spammers.

According to WP White Security, more than 70% of WordPress installations are vulnerable to attacks. Each year thousands of WordPress websites get hacked; in 2013, for example, approximately 90,000 WordPress websites were hacked, and these numbers increase every year. Most of the time the purpose of these attacks is not to steal your data or delete crucial files. The crackers mainly want to take over the server so they can use it for malicious purposes such as sending spam mail or making it part of a botnet.

How do WordPress websites get hacked?

There are many ways hackers can compromise WordPress websites. The most common are:

  • Security vulnerabilities on the hosting platform. A vulnerability in the hosting platform can allow crackers to attack with many techniques, such as using a URL parameter to route an SQL injection.

  • Coding issues in a theme or plugin that the website owner is using. If your plugins or themes are not updated, attackers can use available exploits to hack you, or they can create a backdoor on your website.

  • A default admin page name combined with a weak password. If you are using a weak password, attackers can brute force it to gain access.

The following security measures can be implemented on any host and will greatly increase the security of your WordPress installations.

  1. Always run the latest version of the WordPress software, because the latest version comes with new features and the latest bug fixes and security fixes.

  2. Never forget to update plugins and WordPress themes, because most WordPress attacks are possible only because of outdated plugins. One of the safest ways to keep your WordPress site safe is to make sure your files are always updated to the latest release. So whether you are using Akismet, WooCommerce, All in One SEO Pack or any other plugin, always update it. It doesn’t matter whether a plugin is popular or comes from a big company; it can still be compromised, so always check and use the latest version of every plugin and theme you use. Also remove unused plugins.


  3. Change defaults such as the "wp_" prefix and the “wp-admin” login path. If you use a weak password and the default “wp-admin” login page, crackers can simply go to your login page at “www.example.com/wp-admin” and use brute force to crack your password. So always change default settings and page prefixes. You can use the “iThemes Security” plugin to change your default login URL. Example: here we changed “wp-admin” to “cesnevorp”. Now it is difficult for hackers to find the login page.

  4. Pick a strong password and change the default username. A strong and safe password will protect you from any kind of password attack. For starters, it should consist of more than 12 characters with a combination of numbers and letters in lower and upper case. Here is a very good article on how to generate a strong password: https://pentestmag.com/modern-passphrase-security/ Then change the default username. A typical installation of WordPress comes with a default user named "admin". If you are using the default username, you are already making a hacker’s life 50% easier. A safer approach to logging into your admin dashboard is to create a new user account with administrator privileges and remove the "admin" user. Here’s how you do it:

    - Login to WordPress admin panel 
    - Go to Users -> Add New 
    - Add a new user with Administrator permission; and use a strong password.
    - Log out of WordPress, and then re-login with your new admin user 
    - Go to Users and remove the "admin" user
    - If "admin" has posted, remember to attribute all posts and links back to the new user.

  5. One of the big security weaknesses is having your directories exposed and easily reachable by the public. Directory listing occurs when the web server does not find an index file (index.php or index.html) in a directory. You can check your website by entering the following URL in a browser: http://www.domain.com/wp-includes/ If your directory is protected, you will get an error or be redirected to your homepage; otherwise you will see the contents of the directory. To prevent browsing of all directories, place this code inside your .htaccess file.

    # Prevent folder browsing
    # (only -Indexes is given: Apache 2.4 rejects mixing bare options such as "All" with +/- options)
    Options -Indexes

  6. Protect communication with the server by creating and using SSL/TLS certificates. TLS, or SSL as it is often called, provides websites and web applications with encryption of the information being transmitted and authentication to verify the identity of a host. HTTPS is typically associated with shopping carts and online banking; however, it should be used whenever a user passes sensitive data to the web server and vice versa. WordPress provides an easy way to enforce TLS/SSL on sensitive pages like the wp-login and wp-admin pages, but first generate and configure the TLS/SSL certificate on the server, then set the following constants to true in the wp-config.php file. To make sure that login credentials and sensitive data like session cookies are encrypted when you interact with the web server or admin panel, add the following code to the wp-config.php file:

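    // Deprecated since WordPress 4.0, where FORCE_SSL_ADMIN also covers the login page; kept for older installs
    define('FORCE_SSL_LOGIN', true);
    // Force HTTPS for the login page and the whole admin area
    define('FORCE_SSL_ADMIN', true);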

  7. Often, a good place to start when it comes to website security is your hosting environment. Today there are a number of options available to you, and while hosts offer security to a certain level, it’s important to understand where their responsibility ends and yours begins. Here is a good article explaining the complicated dynamic between web hosts and the security of your website. A secure server protects the privacy, integrity, and availability of the resources under the server administrator’s control. Qualities of a trusted web host might include:

     - Readily discusses your security concerns and which security features and processes they offer with their hosting.

     - Provides the most recent stable versions of all server software.

     - Provides reliable methods for backup and recovery.

     - Decide which security you need on your server by determining the software and data that need to be secured.

  8. Use complex security keys. WordPress makes use of a set of long, random and complex Security Keys. These keys consist of a number of encryption keys as well as cryptographic salts. Security Keys ensure better encryption of the information stored in users’ cookies. There are eight security keys in total that WordPress uses: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, and NONCE_SALT. A Security Key functions similarly to a very strong password or passphrase and should contain elements that make it harder to generate enough options to crack. WordPress Security Keys also make use of cryptographic salts to further strengthen the security of the generated result. You can either create your own random keys, or you can use WordPress’ online key generator to do this for you. Simply copy and paste the keys generated by the generator into your wp-config.php file.
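
To check an existing wp-config.php against item 8 and produce replacement values locally, here is an added example (not from the original article or from WordPress itself): it flags any of the eight keys that is missing, still set to the sample file's placeholder text, short, or reused, and generates fresh define() lines from the operating system's CSPRNG. The 64-character minimum, the character set and the function names are assumptions made for this illustration.

```python
import re
import secrets
import string

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # default text in wp-config-sample.php
MIN_LEN = 64  # assumption: anything shorter than 64 characters is treated as weak
# Printable characters without quotes or backslash, so a value is safe inside '...'
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~ "
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;""")

def audit_keys(config_text):
    """Return {key_name: problem} for every security key that needs replacing."""
    found = {name: value for name, value in DEFINE_RE.findall(config_text)
             if name in KEY_NAMES}
    problems = {}
    for name in KEY_NAMES:
        value = found.get(name)
        if value is None:
            problems[name] = "missing"
        elif value == PLACEHOLDER:
            problems[name] = "placeholder"
        elif len(value) < MIN_LEN:
            problems[name] = "too short"
        elif list(found.values()).count(value) > 1:
            problems[name] = "reused"
    return problems

def generate_defines():
    """Build eight define() lines with values drawn from the OS CSPRNG."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(64))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)

# Constructed sample: one placeholder, one short value, six keys absent.
SAMPLE = """
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'hunter2');
"""

if __name__ == "__main__":
    print(audit_keys(SAMPLE))
    print(generate_defines())
```

Replacing the keys invalidates existing login cookies, so all users have to log in again afterwards.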

  9. Disable XML-RPC in WordPress. Since WordPress 3.5, XML-RPC has been enabled by default. The feature allows you to connect remotely via clients. It’s also used for trackbacks and pingbacks. Unfortunately, hackers are known to use the file for DDoS attacks. You can use a plugin like Disable XML-RPC Pingback and Disable XML-RPC to reduce the chance of your website being attacked.

  10. The main thing in protecting WordPress from hacking is to prevent WordPress username and WordPress version enumeration. In many WordPress blogs, it’s possible to enumerate WordPress users via an author’s archive page. This works if WordPress permalinks are enabled and if the user has published one or more posts. You can read about WordPress username enumeration in greater detail in the article WordPress Username Enumeration using HTTP Fuzzer. To stop WordPress username enumeration, you can add the following rule to your WordPress site’s .htaccess file, which is located in your WordPress root directory.

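    # Redirect any request whose query string contains author=<digit> to the homepage
    RewriteEngine On
    RewriteCond %{QUERY_STRING} author=\d
    RewriteRule ^ /? [L,R=301]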

    By default, WordPress places a meta tag in your site's code that states the version of WordPress you are using:

    <meta name="generator" content="WordPress 3.9.1">

    Unfortunately, this information is useful to hackers, particularly if you are using an older version of WordPress that has a security hole. There is a helpful code snippet that lets you remove the WordPress version number from your website. You can do this by adding the following code to the top of your theme's functions.php file:

    remove_action('wp_head', 'wp_generator');

    Alternatively, you can remove the WordPress version number by installing the plugin Remove Version.
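
A defender-side check for the username enumeration described in item 10, as an added example (not part of the original article): it scans web server access log lines for clients that request several different `?author=N` values, and shows that the condition pattern `author=\d` matches such requests while a pattern missing the backslash does not. The log lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Combined log format: client IP ... "METHOD URL PROTOCOL" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" \d{3}')
THRESHOLD = 3  # assumption: distinct author IDs from one client before flagging

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2016:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/Aug/2016:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0',
    '203.0.113.7 - - [10/Aug/2016:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0',
    '198.51.100.20 - - [10/Aug/2016:10:05:00 +0000] "GET /?author=1 HTTP/1.1" 301 0',
    '198.51.100.20 - - [10/Aug/2016:10:05:09 +0000] "GET /?s=author HTTP/1.1" 200 512',
]

def author_id(url):
    """Return the numeric ID if the request asks for ?author=N, else None."""
    values = parse_qs(urlsplit(url).query).get("author", [])
    if values and re.fullmatch(r"[0-9]+", values[0]):
        return int(values[0])
    return None

def find_enumeration(log_lines, threshold=THRESHOLD):
    """Map client IP -> sorted author IDs for clients at or above the threshold."""
    seen = defaultdict(set)
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ident = author_id(match.group(2))
        if ident is not None:
            seen[match.group(1)].add(ident)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}

def rule_matches(pattern, url):
    """Would RewriteCond %{QUERY_STRING} <pattern> match this request?"""
    return re.search(pattern, urlsplit(url).query) is not None

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
    print(rule_matches(r"author=\d", "/?author=2"), rule_matches("author=d", "/?author=2"))
```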

  11. Finally, we recommend that you continuously monitor and scan your website and server for malware and vulnerabilities. Without monitoring and scanning, you will never know when your website has been compromised and hackers are using your server for malicious purposes such as sending spam emails. One of the most effective ways of discovering malicious files and vulnerabilities is to scan your whole WordPress website regularly. To make your work easier, there are a few effective plugins and services available, such as:

     - iThemes Security

     - All In One WP Security & Firewall

     - Sucuri Security

     - Provensec CloudproX:

We want to recommend the latest CloudproX online vulnerability and malware scanning service by Provensec LLC because Cloudpro-X is basically a cloud based security testing suite. Cloudpro-X goes beyond the traditional vulnerability scanning techniques by using its exploit intelligence engine to prove that a system is actually exploitable.


  • Online Intelligent Vulnerability Scanning

  • 24X7 Uptime monitoring for your website.

  • Website Malware Scanning

  • And if you want deeper security testing for your website, we provide an on-demand penetration testing service too.


Author:  Provensec is a leading cyber security services provider like penetration testing services, online website scanner etc catering to midsized businesses. Provensec LLC is amongst top 10 contributors on Packet Storm for responsible disclosures and security research. You can contact Provensec at [email protected].


August 10, 2016


Hakin9 TEAM
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.