Security is one of the main concerns when it comes to running WordPress. As the owner of a WordPress based website, it is your responsibility to protect the site from hackers and other security attacks. Without a doubt, the WordPress CMS platform is equipped with the power that contains tons of themes, plug-ins and external options, but you can not change the fact that it is one of the most coveted CMS platforms for hacking attempts around the world.

15 Simple WordPress Security Tips to keep your Site Secure in 2018

Regardless of whether you are a WordPress beginner or an experienced webmaster, be sure to use the best security procedures to prevent your site from preventing hackers. You need to strengthen the login page, the admin page of your site to limit the hacker to access your site. You can also install the best security tools and plug-ins offered by WordPress to make the most of them and make the most of them.

In addition, WordPress offers you some of the best security tips/tricks to make your site safe and secure to a great extent. Below are some of the best practices that each WordPress website owner must take into account while optimizing their site for greater security. These tips will protect your site from hackers in 2018.

To make your work easier, we divided our tips into four different categories:

(a) Enhance your sign-in pages in WordPress and the Admin Panel

(b) Improving the security of WordPress topics and plugins

(c) strengthening the security of the database

(d) Providing the WordPress host environment


Let’s start now!

(a) Reinforcement of the WordPress sign-in page

Secure WP Login Page

Tip 1: Do not use “admin” as a username

Unfortunately, the WordPress Web site is one of the main goals for hackers. They always try to gain access to the site by guessing the login details (username and password) again and again.  So,  do not use the default username for your WordPress site – this makes it easier for hackers to access their login page.

If you’ve already installed WordPress using the default username, you can change it immediately by adding the SQL query to PHPMyAdmin. Also, make sure you use some unique and difficult-to-use username for your site.

Tip 2: Create a strong password

Regardless of how unique your username is, if your password is weak, a hacker can quickly gain access and destroy website’s website visibility.

To strengthen this special section, you need to use a unique username along with a strong password. Also, make sure that the password is a combination of different characters (for example, kHiU778 @ 3O) and that there must be a length of 10 to 15 characters. You can also use Strong Generator passwords if you can not select the most secure password for your WordPress site.

Also, change your password at regular intervals. This will greatly consolidate your login page in WordPress and keep the hackers away from your site.

Tip: 3 Activates dual-form authentication

This is one of the best ways to protect your WordPress site from being attacked by brute force. By integrating two-way authentication, you can take the security page of your login page to the next level. This method requires a password along with the authorization code that is sent to your mobile phone so you can sign in to your site. Without a combination of password and authorization code, you will not be able to access the login page on your WordPress site.

Quick Tip: Install Google Authenticator to add this feature to your site without any heavyweight.

Tip 4: Customize your login URL

It’s better to change the URL of your login page to protect the site from hackers. By default, you can log in to the WordPress login page via wp-login.php, which anyone can see in the main URL of the site.

This makes it very easy for hackers to access your login page and try to gain access to the site. Therefore, it becomes necessary for you to customize your login URL and make it safer and more robust. You can create a custom URL, such as moj_custom_login, or set iThemes Security plugin automatically change the login URL.

Tip 5: Upgrade to HTTPS

Do not forget to switch your WordPress site to HTTPS to protect it from hackers and other security attacks. HTTPS encrypts the connection between your web browser and your web server, which will keep the attacker when you transfer data from one server to another.

Besides, it can protect your site from untrusted hidden scripts that are available on your computer, and a script that is used to steal data from the application forms. In addition, WordPress has become obliged to have HTTPS on WordPress web pages in order to improve the ranking of Google’s search results – this is a great boost to your brand awareness.

Tip 6: Protect the directory wp-admin

Protecting the wp-admin directory is one of the key practices when it comes to WordPress security. Since the administrative dashboard is one of the target parts of the site for hackers, be sure to increase its security.

To secure the security of your control panel, you can use the password to protect the wp-admin directory. Under this method, the site owner must submit two different passwords to access their control panel. One password is for the login page, while the other is for the WordPress administrator. This is a great way to protect the WordPress site admin dashboard.

(B) Improving the Security of WordPress themes and plugins

Tip 7: Remove unused themes and plugins

 Themes and plugins not only make your site slow but also make vulnerable to security attacks.

This rather obvious that if you do not use any plugin/theme, you stop updating it. This permits a hacker to find a loophole in the fade and gain access to your site. To combat this situation, you must turn off and delete the admin dashboard of your WordPress.

Tip 8: Keep updated

Update your themes and plugins are installed along with the core WordPress on your routine to keep hackers away from your site. Because each theme and plugin is installed as a front door to your admin area, be sure to update it with the latest version of their respective owners.

But, sometimes it becomes difficult to maintain the site on a regular basis, and this is where the automatic update to come into play that. You can configure the automatic update for themes and plugins by inserting a few lines of code to wp-config.php.


  • Use the following code to plugins:

add_filter ( ‘auto_update_plugin’, ‘__return_true’)


  • Add this line to coding themes installed WP:

add_filter ( ‘auto_update_theme’, ‘__return_true’);


This will automatically update your WordPress themes and plugins when they released the new version.

Tip 9: Never download a premium plugins for free

Instead of downloading free premium plugins, make sure that you buy from the official website. Most beginners download premium plugins unreliable source because it is free. But this is the wrong approach.

With this trick, the user is taken to an illegal site that can damage their WordPress site with malware. This means that hackers are oriented premium plugins to get into the backend of the site. All this happened because they want to save money.


(C) Strengthening the security of the database

Secure WordPress Database

Tip 10: Tweak WordPress database table prefix you

While the trick is quite complicated, it would improve security in your WordPress database. WordPress’s standard employs a “wp_” table prefix to all tables of the database site that makes it quite easy for hackers to steal your database via SQL injection attacks.

To prevent such attacks, you need to change the default database table prefix you for it more reliable. A custom prefix table makes it difficult for hackers to guess it, which in turn, keeps your site from getting hacked. To customize it, you will need to access the file wp-config.php you see your standard table prefix:

$-Table prefix = ‘wp_’;

Now, turning to something more unique:

$-Table prefix = ‘wp_OH77 & K “;

Tip 11: Backup and Update your site regularly

No matter how secure your site, you should always make a backup of your WordPress site. This site will keep you in the safe mode as anything can happen with your site. Thus, make sure that you keep up the regular use VaultPress, BackUpWordPress or BackWPup.

(d) Protecting the WordPress hosting environment

Secure WordPress Hosting


Tip 12: Choose the most reliable hosting provider

If you don’t have a reliable hosting provider, it doesn’t matter how you implement the latest tips to protect your site, otherwise, you won’t be able to improve your site’s security.

According to the survey, 41% of WordPress websites have been hacked due to security breaches on the hosting server. This means that when it comes to WordPress security, choosing the right hosting provider can be very important.

If you want to use a shared host, make sure to select either SiteGround or BlueHost. Both providers have some useful security driver features. But if you want a more reliable solution, you can choose a dedicated hosting provider. They provide you with a large number of security features, unlimited bandwidth and disk space and other features, allowing you to easily protect your website.

Tip 13: Protect the wp-config.php file

The trash-config.php file contains any confidential information relating to your installation of WordPress. It’s one of the most important files on your site, make sure that you can prevent hackers and other security attacks.

To protect your wp-config.php file, add the following code snippet in your .htaccess file:

<Files wp-config.php>

Order allowed, denied

Deny everyone


Tip 14: Disable directory listing

Never place your index.html file in a new directory on the WordPress website. Because visitors can easily access the full list of directories available in that particular directory, it is best to use the .htaccess file to disable directory listings.

To do this, you need to embed the following code snippet in the .htaccess file:

Options All – Index

Tip 15: Change directory permissions wisely

As a site owner, you can not set the resolution wrong directory, especially when protecting your shared hosting environment. It is better to change the permissions on the directories by setting access rights to directories on the “755”. You should also set the file to “644” – this will protect your file system, including directories, subdirectories, and other files.

To change it, you can do it manually through the file manager in the host control panel or through a terminal (through an SSH connection).

(Tips 15+): Using the WordPress Security Plugin

Last but not least; install the WordPress security plugin to protect your website from security threats. Using the WordPress security plugin is a relatively simple technique, but you do not want to miss the very effective technique.

Well, for security purposes, there are several WordPress plugins that run in different ways.

I mention some of the most useful security plugins below.

1. Wordfence Security

Wordfence Security WordPress Plugin

WordPress security is the most downloaded free WordPress security plugin. The main features of this plugin are:

WordPress Firewall: Identify malicious traffic, stop attackers and prevent websites from being hacked.

Block: Block known attackers and the entire malicious network.

WordPress login security: Two-factor authentication helps increase passwords.

Security Scan: Scan core WordPress files, themes and plugins.

The plugin offers both free and paid versions.

2. iThemes security

iThemes Security formerly Better WP Security WordPress Plugins


iThemes Security is another WordPress security plugin. It provides many ways to protect your WordPress website. The main features of this plugin are:

Brute-force attack protection: Prevent brute-force attacks by prohibiting host and user invalid login attempts.

Detection: Detect bots to search for vulnerabilities, monitor file systems, scan for malware.

Obscure: hide common WordPress security holes, including changes in WP dashboard URL-addresses, the content WP-ways, etc.)

You can get this plug-in free and paid versions.

3. All in One WP Security and Firewall

All In One WP Security Firewall WordPress Plugins


The All In One WP Security and Firewall Plug-in is a free WordPress plugin for protecting WordPress security. This is a good choice for the above two security plug-ins. The main features of this plugin are:

User Login Security: Prevents violent login attacks.

Database Security: Keep automatic backups.

Blacklist function: Users are prohibited by specifying the IP address and user agent.

This plugin can be downloaded for free from



These are some of the best tips and tricks that can help you protect your WordPress site from hacking. You can follow these tips carefully to make your site more secure without spending a lot of money.