5 Tips to Improve WordPress Security in 15 Minutes

WordPress is good at a great many things, from blogs to online stores. That popularity also makes it a constant target for attackers. And because WordPress is self-hosted software, nobody is watching your particular site for you: keeping it secure is your job.

In early 2017, a content-injection vulnerability in the WordPress REST API led to the defacement of around 1.5 million pages; a single campaign accounted for more than 350,000 of them. WordPress had already fixed the bug in version 4.7.2 before the defacements started, so the victims were the sites that had not yet installed the update.

You can't know when the next attack will come, and your site could be the next victim: months or years of work can vanish in seconds.

You can't control how WordPress core is written or what vulnerabilities ship in plugins, but you can take basic precautions against the attacks that actually hit most sites. The steps below take about 15 minutes. Here's what you should do to secure your WordPress website.


Basic WordPress Security Tips

Before getting started on protecting your website, make sure that you’ve already covered the basics of website security.

  • Choose The Right Host: Use a reliable, security-conscious host. Read reviews and check what protection it offers its clients (isolated accounts, patched servers, malware scanning, backups).
  • Switch to HTTPS: Set up a TLS certificate (Let's Encrypt issues them for free) or choose a host that provides one by default, and redirect all HTTP traffic to HTTPS so passwords and session cookies never travel in clear text.
  • Remove Unnecessary Plugins: Deactivate and delete plugins you don't use and plugins whose authors no longer update them. A deactivated plugin's files are still on disk and can still be exploited.
  • Use A Secure Password: Never keep admin as the username or use a guessable password. Use the password generator in your user profile and pick a username that isn't the site name or your real name.
  • Update WordPress: Install every core release as soon as it's available. Since version 3.7 WordPress applies minor and security releases by itself; you can extend that to major releases with the WP_AUTO_UPDATE_CORE setting in wp-config.php, so no extra plugin is needed. Update plugins and themes with the same urgency, since far more vulnerabilities are found in them than in core.
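Several of the items above can be enforced in wp-config.php instead of remembered. The fragment below is an added example, not from the article; every constant is a real WordPress core setting, and the comments note the insecure default each one replaces. The proxy-header check is only for sites behind a TLS-terminating CDN or load balancer and assumes that proxy overwrites the header.

```php
<?php
// Added example (not from the original article): hardening constants for wp-config.php.
// Put them ABOVE the line that reads "/* That's all, stop editing! ... */".

// Force the dashboard and the login page over HTTPS so credentials and session
// cookies never cross the wire in clear text. (Default: undefined, HTTP allowed.)
define('FORCE_SSL_ADMIN', true);

// Assumption: the site sits behind a proxy/CDN that terminates TLS and sets
// X-Forwarded-Proto. WordPress then only sees HTTP, and FORCE_SSL_ADMIN would
// redirect forever, so tell it the original request was HTTPS. Only keep this
// block if that proxy is trusted to overwrite the header on every request.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// Let core update itself for major releases as well as the minor/security releases
// it already installs on its own. (Default: 'minor'.)
define('WP_AUTO_UPDATE_CORE', true);

// Remove the theme/plugin file editor from the dashboard. An attacker holding an
// admin session can otherwise turn any PHP file into a web shell in one click.
// (Default: false, editor enabled.)
define('DISALLOW_FILE_EDIT', true);

// Stricter, optional: also block installing/updating themes and plugins from the
// dashboard. This switches off WordPress's automatic updater entirely, so enable it
// only when updates are applied another way (WP-CLI, a deployment pipeline).
// define('DISALLOW_FILE_MODS', true);

// Unique keys and salts: if AUTH_KEY and friends are still the placeholder text,
// login cookies can be forged. Regenerate them at
// https://api.wordpress.org/secret-key/1.1/salt/ and paste the output here.
```

After editing, load the dashboard once over HTTPS; a redirect loop means the proxy block above is needed (or, if it is present, that the proxy is not sending the header).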

1. Switch To A Better Theme

One of the most common mistakes bloggers make is building the site on a theme from an unvetted source, a poorly coded one, or one its author has abandoned. Unmaintained themes carry bugs nobody will fix, and pirated ("nulled") copies of premium themes often ship with a backdoor already inside. Attackers seek out sites running such themes and inject malicious JavaScript or PHP to do their bidding.

Recently, Sucuri's research team described a campaign that targets sites running outdated themes: the attackers inject code that redirects visitors to malicious sites and opens pop-up ads.

The same foothold let them create new administrator accounts and take over the whole site. A single bug in a theme is enough to destroy a business.

Avoid that mistake by using well-maintained themes. Get them from marketplaces or the official WordPress.org directory, both of which review submissions, and never download premium themes from "free" sources.

If you are already on a free or outdated theme, buying and installing a better one takes only a few minutes. Don't assume the switch alone cleans a site that was already compromised, though: injected files and rogue admin accounts survive a theme change, so check the users list and the rest of wp-content as well.

2. Install A Website Firewall

With a safer theme in place, the next layer is a web application firewall (WAF) that filters malicious requests before they reach your code.

This sounds complicated, but on WordPress it is a plugin install. Think of it as antivirus for your site: the plugin blocks known attack patterns, throttles login attempts, and scans core, theme and plugin files for malware and for versions with known vulnerabilities. Two caveats: a plugin runs inside PHP, so it cannot absorb a volumetric DDoS attack (for that you need a CDN or cloud WAF in front of the server), and it cannot patch a vulnerable plugin for you; it only makes exploiting it harder.

Wordfence is a popular free option to start with. iThemes Security (since renamed Solid Security) is another plugin that adds a firewall and a long list of other hardening measures.

3. Hide The Login Page

The default login page is no secret: anyone can reach it by adding /wp-login.php or /wp-admin to your domain (e.g. yourdomain.com/wp-admin). Knowing the URL doesn't give an attacker your credentials, but it gives automated tools a known place to try thousands of guessed or leaked passwords.

To make that harder, you can move the login page to a custom URL with a plugin such as WPS Hide Login, which lets you pick any path you like for it.

Keep two things in mind. Pick a URL you will remember, or you can lock yourself out of your own site. And treat this as obscurity rather than protection: scanners eventually find the new URL, and brute-force tools can also go through xmlrpc.php and the REST API, which the plugin doesn't touch. Strong passwords, login throttling and 2-step verification are what actually stop the attack.
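The side doors mentioned above can be closed with a few lines in a must-use plugin. The file below is an added example, not part of the article or of the WPS Hide Login plugin; every hook name is a real WordPress core hook, while the two IP addresses are hypothetical placeholders from the RFC 5737 documentation ranges.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 * Description: Closes the side doors that renaming wp-login.php leaves open.
 *
 * Added example, not part of the original article or of WPS Hide Login.
 * Save as wp-content/mu-plugins/login-hardening.php (create the folder if needed).
 * Must-use plugins load on every request and cannot be deactivated from the
 * dashboard, so a stolen admin session cannot simply switch them off.
 */

// 1. Disable XML-RPC. Its system.multicall method lets an attacker try hundreds of
//    passwords in ONE HTTP request, and it is unaffected by renaming wp-login.php.
//    (The WordPress mobile app and Jetpack need XML-RPC; skip this line if you use them.)
add_filter('xmlrpc_enabled', '__return_false');

// 2. Stop username enumeration. /wp-json/wp/v2/users lists every author to anonymous
//    visitors, handing the attacker half of each credential pair. Logged-in users keep
//    the routes because the block editor relies on them.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (['/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)', '/wp/v2/users/me'] as $route) {
        unset($endpoints[$route]);
    }
    return $endpoints;
});

// 3. One generic failure message. Core's messages differ for an unknown username and
//    for a wrong password, which confirms which usernames exist. This filter also
//    replaces the lost-password error texts, so keep the wording general.
add_filter('login_errors', function (): string {
    return 'Login failed. Check your username and password.';
});

// 4. Optional allow-list: only these addresses may reach wp-login.php at all. This is
//    what actually stops a brute-force tool; a renamed URL only delays it. IPv4 only.
//    Behind a proxy or CDN, REMOTE_ADDR is the proxy's own address, so apply the
//    restriction at the proxy instead. Hypothetical addresses; replace with your own,
//    and make sure your own address is on the list before saving the file.
const LH_LOGIN_ALLOWED = ['203.0.113.10', '198.51.100.0/24'];

/** True when $ip (dotted IPv4) matches an entry (single address or a.b.c.d/bits). */
function lh_ip_allowed(string $ip, array $allowed): bool
{
    $ipn = ip2long($ip);
    if ($ipn === false) {
        return false;
    }
    foreach ($allowed as $entry) {
        [$net, $bits] = array_pad(explode('/', $entry, 2), 2, '32');
        $netn = ip2long($net);
        $bits = (int) $bits;
        if ($netn === false || $bits < 0 || $bits > 32) {
            continue;                      // malformed entry: ignore, never match
        }
        $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        if (($ipn & $mask) === ($netn & $mask)) {
            return true;
        }
    }
    return false;
}

add_action('login_init', function (): void {
    if (!lh_ip_allowed($_SERVER['REMOTE_ADDR'] ?? '', LH_LOGIN_ALLOWED)) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
});
```

Items 1 to 3 are safe on almost any site. Item 4 is the one that can lock you out, so test it from a second browser before closing the session you used to install it, and remove the block if your address changes often.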

4. Enable 2-Step Verification

Hiding the login page is only the first step against brute-force attacks. The real barrier is a second factor: set up 2-step verification (two-factor authentication) on every account that can log in, starting with administrators.

Services such as Google, Facebook and Dropbox use it for the same reason: after the password, the user must enter a short-lived code that only their phone can produce. Authenticator apps such as Google Authenticator compute the code offline from a secret shared when you scan a QR code. SMS delivery, which some services offer instead, is weaker because text messages can be intercepted or redirected through SIM swapping. With a second factor in place, a stolen or guessed password alone is no longer enough.

WordPress core doesn't offer this, so you need a plugin. The free Google Authenticator plugin works with any TOTP authenticator app. Enable it for each user, and keep a way back in (a second administrator protected differently, or database access to disable the plugin) in case a phone is lost.
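What the plugin and the app agree on is the TOTP algorithm from RFC 6238 (HOTP from RFC 4226 driven by a 30-second time counter). The PHP below is an added example, not code from the Google Authenticator plugin: it decodes the base32 secret from the QR code, computes the 6-digit code, and shows the three things a server-side check must get right: constant-time comparison, a one-step tolerance for clock drift, and refusing a counter that has already been accepted. It uses the RFC 6238 reference secret, so the printed values can be checked against the RFC's test vectors.

```php
<?php
// Added example (not code from the Google Authenticator plugin): TOTP per RFC 6238.

declare(strict_types=1);

/** Decode RFC 4648 base32 (the encoding of the secret inside the QR code). */
function base32_decode_strict(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $bits = '';
    foreach (str_split(strtoupper(rtrim($b32, '='))) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("bad base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {            // trailing bits < 8 are padding
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation. */
function hotp(string $secret, int $counter, int $digits = 6): string
{
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0F;
    $code   = ((ord($hmac[$offset]) & 0x7F) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/** TOTP (RFC 6238): HOTP with counter = floor(unix_time / 30). */
function totp(string $secret, int $time, int $step = 30): string
{
    return hotp($secret, intdiv($time, $step));
}

/**
 * Server-side check. Accepts the current 30-second step and one step either side
 * (clock drift), compares in constant time, and rejects any counter at or below
 * $last_counter, the value stored after this user's previous successful login,
 * so a code sniffed in transit cannot be replayed inside its window.
 * Returns the accepted counter (store it as the new $last_counter) or null.
 */
function verify_totp(string $secret, string $submitted, int $time, int $last_counter = -1, int $window = 1): ?int
{
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return null;
    }
    $base = intdiv($time, 30);
    for ($i = -$window; $i <= $window; $i++) {
        $counter = $base + $i;
        if ($counter <= $last_counter) {
            continue;
        }
        if (hash_equals(hotp($secret, $counter), $submitted)) {
            return $counter;
        }
    }
    return null;
}

// RFC 6238 reference secret "12345678901234567890" in base32. At T = 59 the RFC lists
// 94287082 for 8 digits, i.e. 287082 for the 6-digit code every app shows.
$secret = base32_decode_strict('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
echo totp($secret, 59), "\n";                   // 287082
var_dump(verify_totp($secret, '287082', 59));   // int(1): accepted; store 1 as last counter
var_dump(verify_totp($secret, '287082', 59, 1)); // NULL: same code replayed
var_dump(verify_totp($secret, '287082', 65));   // int(1): one step of drift still accepted
var_dump(verify_totp($secret, '287082', 95));   // NULL: two steps later, expired
```

Two details matter in practice: the secret must be stored server-side with the same care as a password hash (anyone who reads it can generate codes forever), and the replay check is what turns a 30-second code into a single-use one.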

5. Setup A Backup System

Sometimes, no matter what you do, things go wrong and you lose the content of your site: an attacker defaces it, or the host's server fails and takes your files with it. Prepare for the worst and have a plan B.

Even if your host promises to keep backups, keep your own copies in a second location. A WordPress backup has two parts, the database (posts, users, settings) and the wp-content directory (uploads, themes, plugins); you need both to restore. Setting this up is as easy as installing a free plugin.

UpdraftPlus can run daily or weekly backups automatically, or on demand, and store them in Dropbox, Google Drive or another remote location. Storing them off the server matters: a backup that lives on the hacked server is part of the loot, or gets deleted along with everything else.

UpdraftPlus also restores a site from a backup with a single click. Test that restore once on a staging copy before you rely on it, and keep several generations so a compromise that went unnoticed for a week doesn't overwrite every clean copy. BackupBuddy is a good premium alternative.


In addition, follow WordPress security news so you hear about new vulnerabilities, and about the fix for each one, as soon as they are published. The Sucuri Blog and Threatpost are good places to start.

Don’t wait until it’s too late. Take a few minutes to protect your website today!