WordPress Security Tips Updated 2021


We have seen many website owners are worrying about the security of WordPress. Whatever you see the security tips online, most of them are outdated and we have worked on the latest tips to secure your WordPress website.

As we know WordPress is one of the most popular and widely used content management system available these day among website users. With the increase usage of this CMS, the reliability and the security of WordPress has become more hardened over time.

There are many security standards wordpress users deploy to prevent  and protect a WordPress based website from hackers. At HostingRaja we have a team of security experts and they have collected some important data and information to present you WordPress users with most reliable and best tips to improve the security and protection of your WordPress website and by using these tips they can prevent their wordpress hosting from being hacked by hackers.

1. Avoid Using “Admin” As Your Administrator Username of WordPress

These days everyone knows , including hackers and normal website users that admin is the mostly used username. You should not make the life of hackers so easier. Once you create WordPress website for you, it is highly recommended to choose a different username for it and try to start with capital letters. Once you create the user for your your WordPress give all rights to that user and delete the old user from your account.

2. Choose a Strong Password

This security tip many sound really basic to website owners, but in actual many people are still using passwords for their accounts such as 12345, admin123 or qwerty etc. By using this kind of password for your WordPress website, you are inviting hackers to hack your website. So it is highly recommended to choose a highly complicated password that has mixture of numbers, symbols, upper & lower characters and try to make it at least 15 characters long.

3. Get Plugins From Trusted Resources

WordPress has huge library of plugin and Wordpress users can perform almost every task using these plugins. WordPress plugins can be considered as treasure for the website owners and everyone wants to use. At present WordPress has more than 50000 plugins. As a WordPress website owner you should be aware that a plugin to download and install on your website might sometime harm it.

In order to prevent it , you should always download plugin from trusted resources and always check for comments or users reviews and also check if support is exists or not.

DO NOT INSTALL A WORDPRESS PLUGIN IF YOU DONT NEED THEM. Generally everyone (website admin) is tempted to try and install all the available plugins from WordPress. Plugins are the root cause of many security issues in wordpress. INSTALL ONLY THE REQUIRED PLUGINS. Installing more plugins will leads to website loading slow.

4. Keep Your WordPress Platform Updated

The team of security expert at WordPress takes the security related tasks quite seriously. WordPress expert take care of your websites with every possible patch and update. Each and every new update boost your website security, fixes the bugs (if any) and increase the website performance. So it is always recommended to keep your WordPress updated with latest environment.

5. Disable The WordPress Plugin and Editor

The in-built tool available inside the WordPress dashboard, known as plugin and theme editor is one of the wonderful tool, although if you are not using it then it is better to disable due to the security reasons. In case any hacker hacks your website, they can easily destroy your whole website by changing the code of it.

You can easily disable or remove  the plugin and theme editor by inserting one single line code:

define( ‘DISALLOW _FILE_EDIT’, true); to wp-config.php and .hta


6. Create Regular Backups

It is always recommended to create backups of your website on regular basis and you should not depend upon someone else including your WordPress website hosting provider to take backup your website. You can take backup manually or you can use some plugins to do it.

7. FireWall Plugins

You can secure your WordPress website using Firewall plugins and there are some good plugins available in WordPress library. For example “All In One WP Security & Firewall” plugin. This plugin will take your website security and protection to a completely new heights. This plugin minimizes security related uncertainty by looking for suspicious activities and by deploying and executing the newest recommended WordPress security techniques.

8. Cleanup Your WordPress Installation

Make sure that you delete unused and non-functioning versions of WordPress from your server. Any type of unused WordPress themes, plugins, widgets or any other files whether they are not in use or not in active mode should be deleted from your server. You should keep one simple rule in your mind “Delete Delete and Delete” all the unwanted and unused installations.

9. Change WordPress Table Prefix

In WordPress, the default table prefix is wp_ and these days everyone including hackers are also aware of that. SQL injection attacks can be easily perform with the default table prefix because it is easier to identify it. Changing the WordPress table prefix is  highly recommended to prevent SQL injection attacks. You can do this by using any WP security plugin form example SSH SFTP Updater Support plugin.

10. Delete Inactive User Accounts

Inactive or unused user accounts in your WordPress can be a security threat for your WordPress based website. The only thing you need to do is remove all the inactive or unused accounts from WordPress.

Steps you need to follow to do this:

Login to your WordPress dashboard

Hit ‘Users

You will be redirected to the page where all users will be listed

Remove the the one which is inactive or unused.


11. Secure WordPress Updates/Upgrades with SSH2 (SFTP)

SSH2, also Secure File Transfer Protocol, or SFTP based connections are much more secure than normal FTP connection to upgrade and update your WordPress. The shell based technique highly secure because it encrypts all the data transfer. You can make use of “SSH SFTP Updater Support” plugin available in WordPress plugins directory and it use phpseclib. Additionally it is one of the best option to make use of SSH (Secure Shell), SFTP (Secure File Transfer Protocol), RSA and X.509 in PHP.

12. Avoid Using Nulled Themes 
WordPress premium themes look more skillful and have more adjustable choices than free one. Yet, one could contend you get what you pay for. Premium topics are coded by extremely talented engineers and are tried to pass various WordPress looks at the right of the crate. There are no limitations on tweaking your subject, and you will get full help if something turns out badly on your site. Most of you will get customary subject updates.

However, there are a couple of destinations that give nulled or broken topics. A nulled or broke topic is a hacked rendition of a top-notch topic, accessible through illicit means. They are likewise extremely perilous for your site. Those subjects contain covered-up malevolent codes, which could obliterate your site and data set or log your administrator certifications.

While it very well might be enticing to save a couple of bucks, consistently stay away from nulled subjects.

13. Protect You wp-config.php File

One of the most important file available on your server is wp-config.php and it is available in the root directory of your website. Wp-config.php usually contains the information about your WordPress website. Protecting wp-config.php file means you actually securing the core part of your website because once you secure it, it becomes more hard for the hackers to break and steal the information from your website because it becomes unreachable to those kind of hackers. As a user of WordPress site you can secure your wp-config.php by putting the following code in it:

A user can secure wp-config.php by simply placing the below mentioned code in the root directory.

# protect wp-config.php

<files wp-config.php>

Order deny,allow

Deny from all



13. Use SSL Certificate

Having a SSL certificate installed on your website is another excellent option for the WordPress users to protect the websites admin panel. Having SSL certificate installed on your website makes it more complicated for the hackers and security stealers to cheat and steal your sensitive information and it also helps to gain better rank in Google search.

SSL is must for every website these days because recently Google has officially announced that it will use https as a ranking signal, so if your website is having SSL it will be awarded with top rankings in Google search results. Having SSL security implemented on your website allows you to login securely through HTTPS. You can get SSL certificate for free of cost from us.


14. Protect .htaccess file

The main use of .htaccess file is to specify the WordPress security controls for a specific directory of files. In order to protect your WordPress website or blog from hackers, all you have to do is put the following code in the .htaccess files of your registered domain.


<Files ~ “^.*.([Hh][Tt][Aa])”>

order allow,deny

deny from all

satisfy all



15. Hide WordPress Version of Your Website

The number of the WordPress version of your website is available into the source code of it and it can be easily targeted by the hackers. If any hacker find the version number of your site they can easily create a perfect attack technique to hack it. To prevent this you can use “Remove Version” plugin of WordPress. This plugin remove the version number of your site from everywhere it is required like Meta, Javascript, RSS and CSS in order to protect your website.

16. Avoid Script Injection

As a WordPress user you can easily protect your website from script injection. All you have to do is place the following code into your .htaccess file.


# protect from sql injection

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]

RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]

The above code will secure your website from undesirable changes of _REQUEST and/or GLOBALS.

17. Block Failed WordPress Login Attempts

Blocking the number of failed login tries mainly intercepts the website users from utilizing the brute force methods on a website based on Wordpress. Brute force attack is an effort to get the websites password through implementing each and every possible way. In order to block failed login attempts and complement extra security on your website you can implement two-factor authentication as well as HTTP authentication.



18. Modify Default WordPress User Login/Password

As a user of WordPress the best thing to reduce the risks of login attempts by hacker is to modify or delete the default admin account or change the username and password of your account and also you can create new account with tough username and password. Try to make your password as difficult as possible.


19. Avoid Indexing of Admin Section from Search Engine Spiders

Search engines like Google, mainly crawl all the pages of your website and index all the contents placed on those pages unless they are not informed to not to do that. Keep in mind that as a website owner you should not allow indexing of your admin area and other sensitive parts of your website. One of the ideal ways to stop crawlers from indexing the admin part of your website is by creating robot.txt file and place the following code in it:



User-agent: *

Disallow: /cgi-bin

Disallow: /wp-admin

Disallow: /wp-includes

Disallow: /wp-content/plugins/

Disallow: /wp-content/cache/

Disallow: /wp-content/themes/

Disallow: */trackback/

Disallow: */feed/

Disallow: /*/feed/rss/$

You can put whatever you want to avoid from block inside the robot.txt file by following Disallow:*/file name/


These are few of the most important tips you can use to secure your WordPress website.


If you need more help, feel free to contact our WordPress experts via live chat, phone and Raising ticket today.