How to secure your WordPress website

Want to improve your WordPress security? Here are WordPress security best practices, with tips to protect your WordPress site from malware attacks.

WordPress is the most widely used CMS and also the CMS most targeted by hackers. Following these steps will considerably increase the security of your WordPress website hosting.


Do the following steps one by one. Make one change and check that your website is still working fine. If it is, proceed with the next step; otherwise undo the change.

1. PHP INI (Update your PHP.ini settings as follows)

file_uploads = Off
display_errors = Off
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off


2. wp-config.php (Update the wp-config.php file of each of your WordPress sites with the following settings)

define( 'WP_AUTO_UPDATE_CORE', true );

define( 'DISALLOW_FILE_EDIT', true );

define( 'WP_POST_REVISIONS', false );
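
The settings from steps 1 and 2 can be checked on disk with a short script. This is an added example, not part of the original article: the function names (ini_value, wp_define_is, audit, demo) and the sample files are constructed for illustration, and a directive that is not set at all is reported as a finding.

```bash
#!/usr/bin/env bash
# Added example: audit php.ini and wp-config.php against steps 1 and 2.
# Print the last uncommented value of a php.ini directive, lower-cased.
ini_value() {  # usage: ini_value <php.ini> <directive>
  awk -F= -v key="$2" '
    /^[ \t]*;/ { next }                          # whole-line comment
    { k = $1; gsub(/[ \t]/, "", k) }
    k == key { v = $2; sub(/;.*/, "", v)         # strip trailing comment
               gsub(/[ \t\r"]/, "", v); val = tolower(v) }
    END { print val }' "$1"
}

# Succeed only if an uncommented define('NAME', true|false); line exists.
wp_define_is() {  # usage: wp_define_is <wp-config.php> <NAME> <true|false>
  grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)[[:space:]]*;" "$1"
}

# Print one finding per line (unset directives included); status 0 means none.
audit() {  # usage: audit <php.ini> <wp-config.php>
  local d v c bad=0
  for d in file_uploads display_errors expose_php allow_url_fopen allow_url_include; do
    v=$(ini_value "$1" "$d")
    case "$v" in
      off|0|false|no) ;;                         # values PHP reads as false
      *) echo "php.ini: $d = ${v:-<unset>} (page wants Off)"; bad=1 ;;
    esac
  done
  for c in WP_AUTO_UPDATE_CORE:true DISALLOW_FILE_EDIT:true WP_POST_REVISIONS:false; do
    wp_define_is "$2" "${c%%:*}" "${c##*:}" ||
      { echo "wp-config.php: ${c%%:*} is not defined as ${c##*:}"; bad=1; }
  done
  return "$bad"
}

# Constructed samples: display_errors On; two settings present only as comments.
demo() {
  local dir rc=0; dir=$(mktemp -d)
  printf '%s\n' '[PHP]' 'file_uploads = Off' 'display_errors = On' 'expose_php = Off' \
    '; allow_url_fopen = Off' 'allow_url_include = "0"' > "$dir/php.ini"
  printf '%s\n' '<?php' "define( 'WP_AUTO_UPDATE_CORE', true );" \
    "// define( 'DISALLOW_FILE_EDIT', true );" "define('WP_POST_REVISIONS', false);" > "$dir/wp-config.php"
  audit "$dir/php.ini" "$dir/wp-config.php" || rc=$?
  rm -rf "$dir"
  return "$rc"
}

# Two arguments: audit those files. No arguments: run the constructed demo.
if [ "$#" -eq 2 ]; then audit "$1" "$2"; else demo || true; fi
```

Run it with the paths of your own php.ini and wp-config.php after each change; a commented-out line counts as missing.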


3. .htaccess (Add the following lines in your .htaccess)

# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress (the existing WordPress block starts here; keep the rules above outside it)

4. Install "All In One WP Security & Firewall"

Click the WP Security option in the left menu of the WordPress Dashboard.

Follow the steps below to secure your WordPress account.

1) User Account Section:

a. Don't use admin or the website name as the username, because a hacker can predict it easily. Use a random username, and make it different from the display name.

b. Set a strong password such as 327h4!cbNNm#xXib21G

2) User Login

Enable the "Login Lockdown" option; it protects against brute-force login attempts. It has several options, such as maximum login attempts, login retry time period, and time length of the lockdown.

3) User Registration

a. Manual Approval

This is more secure than automatic registration, as it prevents bots from creating accounts.

b. Registration Captcha

This adds to the security of your site simply by adding another layer to prevent bots from registering.

c. Registration Honeypot

This allows you to catch relatively sophisticated bots and prevents them from making accounts.

4) Database Security

a. DB prefix and DB user prefix

5) Blacklist Manager

This option helps to blacklist IP addresses. Provide the IP address and save it.

6) Brute Force

a. Rename Login Page

Change the login page from http://website.com/wp-admin to http://website.com/demologin

7) SPAM Prevention

a. Comment SPAM

If anyone comments on your site there will be a Captcha before the comment is submitted and known Spambots will be blocked.

8) Scanner

9) Firewall

Doing all the steps mentioned above is enough to secure your website. You do not need to follow the steps below; they are optional.

Step 1: Always stay updated. WordPress updates contain security fixes, so don't ignore the notifications in the WP admin panel about version updates.

Step 2: Change the default 'admin' username to something safe and unique, and choose a strong password. The password should contain a minimum of 8 characters, with special characters, numbers and letters.

a) Open phpMyAdmin and browse the wp_users table. Under the column user_login you should see "admin". Change it to your desired name.

Step 3: Deny access to, or write-protect, the wp-config.php file. You can write-protect it by simply setting permission 0444. To deny access, place this code in .htaccess:

<Files wp-config.php>
order allow,deny
deny from all
</Files>
Also secure the .htaccess file the same way, by replacing wp-config.php with .htaccess in the above code.

Step 4: Always use correct hosting settings, such as safe_mode ON, and use PHP5 rather than PHP4. You can also set the following php.ini settings:
disable_functions = "show_source, system, shell_exec, passthru, exec, popen, proc_open"
allow_url_fopen = Off   ; a directive, not a function, so it is set here rather than listed in disable_functions
file_uploads = Off      ; only if you don't want file uploads
safe_mode = On          ; available up to PHP 5.3 only; the directive was removed in PHP 5.4

Step 5: Delete unused templates and unwanted files/folders from your root directory.

Step 6: It is common practice to give 777 permission to the folders in the WordPress package, which is a security threat. The correct permission for folders in a Linux environment is 755.
You can use this in Linux (with $i set to the account's directory name under /home):
find "/home/$i/public_html" -perm 777 -type f -exec chmod 644 {} \;
find "/home/$i/public_html" -perm 777 -type d -exec chmod 755 {} \;
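
The two find commands above match only a mode of exactly 777. The following added example (not from the original article) goes one step further and reports every file or directory that "other" users can write to, such as 666 or 757, with a dry run before any mode is changed; the function names and the sample tree are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report, then optionally fix, world-writable paths
# under one document root (pass your own public_html path).

# List every regular file or directory that "other" can write to.
# -perm -0002 matches 777 as well as 666, 757, 776; symlinks are skipped.
world_writable() {  # usage: world_writable <docroot>
  find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Dry run by default; pass "apply" as second argument to change modes.
# Directories become 755 and files 644, the values given in step 6.
# Assumes no path contains a newline.
fix_modes() {  # usage: fix_modes <docroot> [apply]
  local path mode
  world_writable "$1" | while IFS= read -r path; do
    if [ -d "$path" ]; then mode=755; else mode=644; fi
    if [ "$2" = apply ]; then chmod "$mode" "$path"; fi
    echo "${2:-dry-run}: $path -> $mode"
  done
}

# Constructed tree: one 777 directory, one 666 file, one correct 644 file.
demo_modes() {
  local root; root=$(mktemp -d)
  mkdir "$root/uploads"
  touch "$root/uploads/a.php" "$root/index.php"
  chmod 777 "$root/uploads"; chmod 666 "$root/uploads/a.php"; chmod 644 "$root/index.php"
  fix_modes "$root"          # report only, nothing is changed
  fix_modes "$root" apply    # now change the two offending modes
  world_writable "$root"     # prints nothing once everything is fixed
  rm -rf "$root"
}
demo_modes
```

Review the dry-run output first: a directory that a plugin legitimately writes to should be owned by the web server user rather than left world-writable.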

Step 7: Change the database prefix from wp_ to some other string.

Step 8: Make sure that the local machine from which you make changes to the live website is virus-free. This is very important. You can scan your computer with any up-to-date antivirus available on the market.

Step 9: Delete the version number shown on your website by editing the config files.

Step 10: Consider installing the WordPress Security Scan plugin, which scans your WordPress installation and gives suggestions accordingly. This plugin checks passwords, file permissions, database security and WordPress admin protection.

Step 11: Take regular backups of your website hosting and databases. There are several plugins available for WordPress which manage the backup for you.

Step 12: Last but not least, choose the right web host, one who does malware detection and has the right firewall configuration to detect false login attempts.

If you follow these steps, you can make it considerably difficult for a hacker to hack into your website.

Tips to protect your WordPress from malware attacks

More and more businesses are using websites and web hosting solutions. The main reason is that a lot of people use the internet today, which has made it easy for businesses to showcase their talent, services and products to people. At HostingRaja there are a lot of solutions available today, but most people like to go with WordPress hosting because, first, they can easily create their own website and, second, they can host that website easily. WordPress hosting also gives you other amazing features and advantages.

If you are using a WordPress hosting service for your website and your WordPress hosting is not secured, hackers can gain access to your website. They may also demand a ransom. To overcome this, you need a solid security foundation for your WordPress account so that no hacker can attack and hack your website.

Here are some steps you can follow to prevent WordPress security issues.

1. You can protect your WordPress website from malware attacks by using strong passwords for your cPanel and for your WordPress admin panel. To set a password, you can use a password manager tool, which will generate a strong password.

2. One of the best ways to keep your website secure is to keep updating your WordPress installation along with its plugins and themes. Moreover, if you are using the latest version of WordPress, you can easily update all its components, such as themes, plugins, and the WordPress core.

3. You also need to protect your WordPress directories from attackers, which you can do by giving proper directory permissions. To protect all your directories, important files and images, you need to write the respective rules in the .htaccess file.

4. Protect your WordPress website from malware attacks by using two-factor authentication when logging in to your WordPress admin panel. Security plugins can enable two-factor authentication and so safeguard your website from hackers.

5. One of the important things to consider in protecting your WordPress website from malware attacks is choosing the right, secure hosting provider. Using the right, secure hosting provider will ensure that your WordPress account is secure from hackers.

6. Try not to use untrusted or pirated WordPress plugins and themes. If you are looking for plugins or themes, you will find them on wordpress.org. But before you install a plugin, check its ratings and the number of users using it, because ratings and user counts help you judge whether the plugin can be trusted.

7. You also need to remove unused plugins and themes from your WordPress installation. After switching to a new theme, remove the old plugins as well, because hackers can sometimes get into your website through them.

8. Another thing to always consider is that, when connecting to the server, you need to secure your FTP connection. Also use a trusted antivirus on your local PC and scan all files before uploading them to your server.

9. Also, filter IP addresses and block them if any hazardous activity occurs. You can do this by adding security plugins.

10. Safeguard your administrative details and do not share them with anyone.

11. And last but not least, take website backups regularly so that you can restore your site quickly after an accidental crash.

If you are looking for the best WordPress hosting provider for your website, you are at the right place. Here at HostingRaja we provide best-in-class WordPress solutions for our customers at an affordable price. We also provide WordPress hosting on our highly secured servers with amazing features, along with 99.9% server uptime and 24/7 customer support.