17 tips to lock down your WordPress website!

To start with Digital Marketing, one of the first steps is to create a website that gathers all the information about your company. But how to have security in WordPress, one of the most used platforms for the development of corporate pages, blogs, and e-commerces? A few simple tips can help you with this task!

17 tips for wordpress security

See what 1400+ marketers had to say about the top marketing trends for 2024.

If you got to this post, you probably already understand the importance of a website for a company’s digital strategy, starting with the choice of an appropriate and secure platform for you to manage it.

WordPress is one of the most used content publishing platforms. But how to make sure that the site is well protected? How to have a good WordPress security?

Hacker attacks are increasingly common and they can be lethal when they harm your website, as it is the main online channel for generating new business. For this reason, here are the 17 tips you should know to make your WordPress site completely safe:

  • 1. Create frequent backups
  • 2. Log in with your email
  • 3. Change your website’s login URL
  • 4. Protect the wp-config.php file further
  • 5. Increase the security of the wp-admin directory
  • 6. Use two-factor authentication
  • 7. Have an SSL certificate
  • 8. Keep themes and plugins up to date
  • 9. Be careful when choosing themes
  • 10. Use strong passwords on the platform
  • 11. Delete unnecessary files
  • 12. Prevent spam
  • 13. Prevent registration of new user accounts
  • 14. Assign the right permissions for files and folders
  • 15. Make sure the debug file is well protected
  • 16. Change the database table prefix
  • 17. Connect the server correctly

Continue reading and check them out!

Download this post by entering your email below

Do not worry, we do not spam.

17 ways to secure your WordPress website!

1. Create frequent backups

Think of the following example: you have a corporate website with a lot of content, ranging from pages describing your products or services to a list of customers who have purchased from you and articles created on your blog. What if, suddenly, everything just disappears? What would you do?

Yes, this is possible, for reasons such as a problem with your server or even an invasion on your site by malware or a competitor. Do not think it will not happen to you.

<!–[if lte IE 8]>
<![endif]–>Download the free infographic to understand how speed impacts your site
hbspt.cta.load(355484, ’47f60a2c-ba01-437b-a5b5-dff3a81a6f58′, {});

For example, did you know that Microsoft’s competitors used to look for information about the company in the trash it dumped? Therefore, make sure to backup your site periodically so that all your information is secure.

2. Log in with your email

When creating a WordPress site, you can choose to login with a username or email. For greater WordPress security, we recommend that you choose the email, and we will explain why.

Usernames are easy to predict, which makes it easier for someone to discover them, especially if it is their first name.

Emails are more difficult, even if they are for corporate use, as only members of your company and people with whom you establish contact will know it. So, if you have another email that few people know about, it’s more appropriate to use it.

3. Change your website’s login URL

All WordPress sites have, by default, the URL http: //yoursiteaddress.com/wp-admin. When hackers try to break into your site, they try to log into that page forcibly, using a GWDb (short for Guess Work Database).

That is a database that contains various combinations of usernames and passwords. When one of them matches, the attacker is able to enter your website.

That is why you need to change the login URL and eliminate the chances of that happening. To do so, use the iThemes Security plugin, which allows you to change /wp-admin/ to any other text string of your choice.

Another thing you need to have in mind is to limit login tries to avoid brute force attacks on your page. This way, attackers can’t keep trying different combinations of login and passwords endlessly.

4. Protect the wp-config.php file further

The wp-config.php file contains information about installing WordPress, being your site’s most important element. Therefore, it must be the most protected from virtual attacks.

Working on securing it further so that the file is inaccessible to attackers is quite simple. You just need to move the wp-config.php file to a higher level within your root directory.

The WordPress architecture allows the server to access the file, even if it is elsewhere above in the system. Invaders won’t see it, but WordPress will.

5. Increase the security of the wp-admin (or wp-login) directory

Speaking of wp-admin, we must remember that it is the main directory of your WordPress site, so it can be completely corrupted if that part is breached. Therefore, try to protect your wp-login.php with a password so that only the site administrator and the website owner can access it.

This causes the login page, in addition to displaying username and password, to also request a second password in order to grant access. There are WordPress security plugins, such as AskApache Password Protect, aimed at securing this area. But you can also choose the two-factor authentication, which we’ll talk about next.

6. Use two-factor authentication

WordPress security should not be restricted to the website but also to the system you use to log in—it must be protected in the same way. A way to do this is through two-factor authentication.

This authentication brings the need for a double login on your website to ensure greater security. Thus, it prevents intruders from entering the system and having access to your data.

In addition to login and password, when using two-factor authentication, you also need to enter a code. It can be sent to you by email, SMS, or otherwise.

One example of a good two-factor authentication plugin for WordPress is the Google Authenticator. Very simple, free, and functional. You can download it here.

7. Have an SSL certificate

An SSL certificate is essential to make your WordPress website secure by guaranteeing protection for your visitors—especially if they need to enter personal and credit card information. It also increases your website’s chances of indexing, since secure sites are part of Google’s ranking criteria.

To get a certificate, you must contact your hosting server — many offer it for free. After activating it, you need to apply it in WordPress using the Really Simple SSL plugin.

8. Keep themes and plugins up to date

One of the first steps you take when creating a WordPress site is to choose a theme that will be applied. Also called templates, there are several types that you can select to make the website look like your company.

In addition to the design, themes also bring features that meet your needs. However, for them to work well, you need to install updates whenever they are released. Otherwise, the template may lose some of its functions and not work properly.

The same applies to plugins that add specific functions to the site, such as a contact form, social media buttons, the creation of lead generation banners, etc. Every time they have updates, you need to install them so that there are no issues.

As I’m talking about updates, always update WordPress versions along with your themes and plugins.

9. Be careful when choosing themes

This is very important for WordPress security, and not just for the web design. In order to have a professional website focused on results, it is recommended that you use a premium theme. As much as WordPress has a variety of free templates, they are usually aimed at personal websites or blogs.

However, we leave a warning: buy the template, do not make the mistake of downloading it via piracy. In addition to being illegal, you put your site at risk, as the file may come with some kind of virus or malware and harm your site.

In addition, when purchasing the theme in this way, you are also not entitled to the premium support team, in case you have any problems or need help to adapt the template to your website’s needs.

10. Use strong passwords on the platform

When setting your password to access the WordPress dashboard, the CMS itself points out whether it is weak, medium, or strong. As much as the weaker ones are easier to remember, always opt for strong passwords that are not very obvious.

After all, certain accesses must be restricted internally within the company. Also, you need to protect yourself from intrusions that can happen due to the use of weak passwords.

WordPress itself generates automatic passwords as a suggestion. But if you want to create your own try to use upper and lower case letters, as well as numbers and some special character.

If you run out of good password ideas, you can always use a password generator to do this job for you. There’s plenty of pages on the internet that can help you with this.

11. Delete unnecessary files

Do you know what is the longest that people usually wait for a website to load? Three seconds. So, if your site takes longer than that to display its full content, be aware that many people may choose to abandon it before performing any type of conversion.

One of the factors that slow down websites is the excessive number of files within them: images, documents, videos, among others. Of course, some need these files to provide a better experience for their visitors. But for those that are not needed, it is recommended that you exclude them to optimize the website’s speed.

12. Prevent spam

Truth be told: nobody likes spam. It is commonly seen in email messages, although it can also be seen on social media. But you must be asking yourself: how can it be applied on websites?

The most common way is in response to your contact forms and through blog comments. For this reason, it is recommended to have dedicated commenting tools, such as Disqus.

However, spam techniques are more advanced nowadays, since they invade your site and inject codes that are only displayed to Google bots, which hinders your indexing in SERP. This reinforces the need for a secure website so that this kind of threat does not occur.

13. Prevent registration of new user accounts

A WordPress site can have several people involved in it, according to their role functions. But it is necessary that those are carefully chosen. Check out the WordPress roles below:

  • Super Admin: has access to all functions of the site;
  • Administrator: has access to almost all functions;
  • Editor: can publish content both on pages and on the blog;
  • Author: can also create content but only manage their own publications;
  • Collaborator: can produce content but cannot publish it;
  • Subscriber: can manage only their own profile.

So, grant access to people who fit each role. After all, your company’s main digital data is managed by WordPress, so the administrator profile should be restricted to a few people, such as the website owner and a few administrators.

If you are using a web application firewall, you can lock down a URL path. This way, you can assure that only your IP address will have access to the login page.

Moreover, some 1-click WordPress installers put “admin” as a default username. This can ease the job of attackers to enter your website. So, always change your username.

14. Assign the right permissions for files and folders

In addition to WordPress users, it is also important that folders and files have restricted permissions in order to preserve your WordPress security. Imagine how harmful it would be if someone with access to them, even if by accident, deleted an essential file and damaged the page’s performance.

Therefore, make sure that files essential to your business website, such as wp-config.php, debug.log, among others, are also restricted only to people involved in the website’s administration.

15. Make sure the debug file is well protected

The debug file collects the most sensitive information regarding your website. Thus, it should be kept as hidden as possible so that it is not seen by attackers.

If you or a developer who works for your business needs to use the debug file at some point, make sure debug.log has a secure permission setting.

16. Change the database table prefix

The database is used to store and organize information about your website. The prefix of your table is represented by wp-table. Like with wp-admin, it is recommended that you change it to a different name.

After all, using the default prefix makes the database vulnerable to attacks. If you are unsure of how to make this change within the site, there are WordPress security plugins that perform this function.

WP-DBManager is one of them, like iThemes Security, which we mentioned earlier. Before making this or any modification to your database, we recommend that you back up your site.

17. Connect the server correctly

When configuring your website with the server, prefer using SFTP or SSH. Although FTP is preferred, especially by developers, the two mentioned have more security features.

Thus, you can transfer files to the host in a more secure way. Actually, there are hosting servers that offer these services, so you don’t have to run them manually.

By following these 17 WordPress security tips, you will be able to make your company’s website more protected. That way you will have peace of mind for the success of your business in Digital Marketing.

However, good WordPress security is not enough if you want to have a successful website. For that you need PAGESPEED. How’s the pagespeed of your website? Want to check it out for free? Just put your URL below and check how you can improve your performance.

[rock_performance lang=”en”]


2024 State of Marketing Report

Your golden ticket to crush your goals with data-driven insights!

2024 State of Marketing Report

Your golden ticket to crush your goals with data-driven insights!

Subscribe to our blog

Sign up to receive Rock Content blog posts

Rock Content WriterAccess - Start a Free Trial

Order badass content with WriterAccess. Just as we do.

Find +15,000 skilled freelance writers, editors, content strategists, translators, designers and more for hire.

Want to receive more brilliant content like this for free?

Sign up to receive our content by email and be a member of the Rock Content Community!

Talk to an expert and enhance your company’s marketing results.

Rock Content offers solutions for producing high-quality content, increasing organic traffic, building interactive experiences, and improving conversions that will transform the outcomes of your company or agency. Let’s talk.