iThemes site-wide discount! 40% OFF Grab this offer!

The Ultimate WordPress Security Guide 2021 [18 Security Hacks]

I will not take responsibility for solving any malicious or vulnerability issues of your WordPress site. This post is for sharing a guide on how to keep secure WordPress sites, and how can we fix them? I will not guarantee that all methods 100% works on your site because there are many reasons. 

So if you want to save your site from unnecessary viruses, malicious and suspicious activity, or want to prevent hacking, follow this guide. 

Here I have shared all major weak points of a WordPress site that you can learn them and be able to fix them easily.

Why WordPress Site Is Hacked?

The first thing you need to understand is why a WordPress site is hacked? It is true, all sites are not hacked because there are many reasons. So if you find out those reasons or weak points of a site, you will be able to prevent hacking.

Hackers apply specific reasons to hack a website. Especially the hacking process is easier for WordPress sites. 

WordPress hacking report

Most of the hacking process is automated. Hackers spread their strong virus or malicious by using specific weak points of a WordPress site. That is why attacks are almost done automatically.

Hackers attack many sites by applying the automated process thus increasing their odds of success dramatically.

WordPress security is all about proactivity. Proper security steps can completely help to prevent a site from being hacked. 

Basics of WordPress Security

I have talked before many cases of hacking a WordPress website. So below are the main weak points that use hackers to attack.

(1) WordPress Admin Password

Sometimes your WordPress site can be hacked for the weak admin password. Hackers attempt to find the admin password to complete the hacking process. Once they find your password, they can access the admin area and can do unusual activities. So that you will totally lose your site data. Admin password hack means one kind of site owner transfer. 

How to fix: Do not use a weak password, instead use 10-15 character password combinations with the number, uppercase & lowercase. You can generate strong passwords from the Strong password generator tool.  

(2) WordPress Custom Admin Login URL

This is another primary step for hackers. If your site is not more secure with the admin login URL, you can lose it. The default WordPress login slag is /wp-admin that hackers already know. So they try to use this slag to inject viruses or malware. 

WordPress Custom Admin Login URL

How to fix: keep safe the site from brute force attack or manually attack that mostly occurs for the default admin URL, you can change it using a plugin. I recommend WPS hide login plugin. You can also set a custom login URL using the iThemes Security plugin.

(3) Keeping WordPress Updated

WordPress is a content management software that is regularly updated and maintained by the expert WordPress team. By default, WordPress automatically updates a minor version, but you need to update it manually when it releases a major update of the latest version.

As it is an open-source platform, so there are many third-party plugins and themes for use. These plugins and themes need to be regularly updated for fixing bugs or malicious. So if you do not update the latest WordPress version, the third-party plugins or themes can be harmful to your website. Even it shows fatal errors while opening.

How to fix: keep up to date your WordPress version. So check it regularly or when it is available for an update, do it as soon as possible.

(4) Default “Admin” Username

If you do not change your username while installing the first time, your username will be ‘admin’ that is the default username of WordPress. The default username is harmful to WordPress sites.

Hot to fix: Change default ‘admin’ username as soon as possible. Normally you will not get permission to change it if you do not set a custom username while 1st install. So you can use a WordPress username changer plugin

(5) Web Hosting:

According to WP White Security, 41% of WordPress websites are being hacked by the hacker for the security vulnerability of a hosting network.

A good WordPress hosting service always represents enough security for a WordPress site. Good hosting service providers like Bluehost, inmotion hosting & WPX have extra security layer protection that helps to protect a site from common threats. 

A hosting platform is a major thing for WordPress security. So carefully choose a good web hosting that has.

  • PHP and MySQL latest version
  • Optimize for running WordPress version
  • WordPress optimized firewall
  • Has malware scanning and intrusive file detection.
  • Expert support team, which always try to improve security

An excellent website hosting provider protects sites in the background. They take care of all your data. 

  • They always monitor their networks for suspicious activity.
  • A good hosting company has various viruses or malware prevention tools. They also save sites from DDoS protection.
  • They keep their server up to date that is good for preventing sites from suspicious activities.
  • They protect your data from malware or other suspicious activity. They keep a daily backup of data to prevent unwanted disk damage.

How to fix: A shared hosting plan cannot totally prevent sites from hackers and other suspicious activities. Because many users use the same server so the hacker can attract your site using another site that is hosted on the same server. So try to avoid shared hosting.

I will recommend Bluehost WordPress managed hosting for the best security and daily backup. It is the most popular among worldwide bloggers and recommended by WordPress.

(6) Limit Login Attempts

Hackers always use brute force attacks to hack a WordPress site. They use random usernames and passwords. So limit login attempts are the best way to protect a WordPress site from brute force attacks.

limit login attempts reloaded

How To Fix: To stop hacker logging attempts, you can install Limit Login Attempts Reloaded. This plugin block users or hackers from their given IP range.

(7) Remove the WordPress Version Number

It’s another important thing for WordPress hackers to hack a site. They always observe which WordPress version you are using on your site. Normally, WordPress shows the default version on your site code?

<meta name=”generator” content=”WordPress 3.9.1″>

Unfortunately, this information is the most helpful for the hacker because they will be able to easily guess which version you are using. If you are using an older version of WordPress that has a security hole, hackers easily determine your active version of vulnerabilities.

How to fix: So you should better remove the WordPress version from your active WordPress site. There are many ways you can remove the version. To remove the WordPress version, you can use the following code on the top of your theme funcation.php file.

remove_action(‘wp_head’, ‘wp_generator’);

On the other hand, if you don’t want to add the code, you can remove the WordPress version number by installing the plugin Version Info Remover

(8) Disable File Editing

If your site is hacked by a hacker or spammer, they can damage or change files. To keep your WordPress secure, you can disable file editing.

How To Fix: So if you would like to protect your WordPress file from the hacker or unknown editing, you can add the following code to wp-config.php file.

define(‘DISALLOW_FILE_EDIT’, true);

You can use a security plugin. I highly recommend iTheme Security pro.

(9) Consider Two-Factor Authentication

Two-factor authentication is the high-level security step for WordPress sites. If you enable two-factor authentication login, honestly your site’s security will improve.

If you enable this service, every time you will need a verification number to login. So a hacker does not take proper steps to hack sites If it is turned on.

WordFence Two-Factor Authentication

How To Fix: 2Setp verification is another extra security lear to keep more secure a WordPress site. So use a 2 step verification plugin. WordFence is the best for website security and 2setp verification.

(10) Change Regularly WordPress Salts & Keys

WordPress uses cookies and browser cache to verify identity to login users and commenters. WordPress stores these cookies to better protect login information data.

WordPress includes secret authentication keys and salts in the wp-configer.php file. So these secret authentication keys and salts are one kind of strong password that is more complicated and random.

Change Regularly WordPress Salts & Keys

There are some plugins that allow you to change the WordPress salts & keys. Itheme Security is one of the best plugins that change WP salts and keys for you. But you can use WP Config File Editor as well.

(11) Use Secure File Permissions

If anyone accesses your server directory file and writes to it, how will you protect this from happening? Directory file rewriting is another way of hacking WordPress site. 

For example, of directory files are 

  • Directory – 777
  • File – 666

How To Fix: How can you actually prevent directory permission to change files server to server? Yes, you can strongly stop directory permission through your host control panel (cPanel) or FTP clients. 

You can change those files 777 to 400 or 666 to 444 or whatever you want, but blocking manually WordPress directory permission is so tough. So that you can use iTheme security plugin that has all opportunities to block all types of directory permission with just one click.

(12) Use sFTP Whenever Possible

If you edit files on a website, use sFTP or FTP. Hackers are more intelligent to hack a website through the network. Let me clear about this.

sFTP and FTP both protocols are used for transferring data that are the same and more secure. File transfer protocols data works between two remote connections in plain text only.

When a user opens up a regular FTP session, the entire data transmission is made between host and user sends the plain text.

So result of anyone who has a better idea about networking can read the entire data, including password information.

How To Fix: SFTP is more secure than FTP.  sFTP ensures more security of your data that transfer privately with the use of the SSH2 protocol. When you use SFTP protocol instead of FTP the entire data of the session will be encrypted after the session ends. So your password information will be more secure and difficult to find out for someone using the network.

Download sFTP & FTP Software for Windows

(13) Use SSL of Your WordPress Site

What is SSL? SSL means ‘Secure Sockets Layer’. While browsing a website if you see a padlock icon (it would be green or black) before the left side of the https or www sign that is SSL.

SSL creates an encrypted connection between your web server and your visitors’ web browser.

secure non secure ssl example

Hot to Fix: You can use a good SSL for your WordPress site. Secure Sockets Layer completely establishes a secure connection with your server and web visitor’s browser that helps to prevent sites from hacking.

I recommend Namecheap SSL service which is more secure and reliable.

(14) Use Automatically log out System

Sometimes existing logged-in users are away from the computer screen. In that time someone can change their password, hijack the session, and change their account. 

So it is very harmful to WordPress site security. To prevent this type of case, you should use an automatic logout system.

How to Fix: You will need to install Inactive Logout Plugin. Upon activation, go to WordPress setting>Inactive logout and finally set your Idle Timeout. that’s done.

Automatically log out System

You can also activate the ‘Popup Background’ option that will hide after logout. Activating this option will remove the transparency.

(15) Add Security Questions To Login Screen

You can use security questions to the WordPress login screen. This is one kind of 2-factor authentication. Adding a security question on the login screen enhances WordPress security.

Security Questions To Login Screen

How To Fix: To add security questions on the login box. Firstly Install WP Security Question plugin. Go WP Security Question> click plugin setting then set your question. You can remove questions by pressing the Remove text button.

WordPress Security Without Coding

(16) WordPress Backup Solution

There are many reasons to hack a website that I have talked about before. Somehow, if your site is hacked, what can you do? You should quickly restore the site by using a WordPress backup plugin. There is no way without this.

There are many backup plugins but I only recommend Updraft plus which is a free backup plugin for WordPress users. You can backup files on your computer drive manually or remote locations like Google Drive, Dropbox, Amazon s3, etc.

 Updraft plus backup plugin

I also recommend backup your website files daily based not weekly or monthly. You can set a backup schedule daily basis or a custom time frame. The plugin is easy to use, no coding needed. You can use another one. Read my other post about the best WordPress backup plugin.

(17) Best WordPress Security Plugin

We always need help from plugins because we do not know coding or designing. After successfully backup files we need to install or setup a monitoring system to keep track of unwanted activities of various or malicious.

The activists include file integrity monitoring, failed login attempts, malware scanning, etc. 

So for security, why will you not use a security plugin? A good security plugin can help to prevent sites from hackers and reduce time to analyze security levels or threads.

iTheme Security

There are many WP security plugins, but I only recommend iTheme Security and Sucuri both are premium. Both have free versions that cannot completely protect your site from hackers and suspicious activities. But you can use the free version for getting some security benefits.

(18) Enable Web Application Firewall

The easiest way to protect WordPress sites is by using a good web application firewall that will totally take care of your WordPress security. 

A best rated web application firewall blocks all malicious traffic before it reaches your website.

Sucuri Firewall

I recommend Sucuri web firewall that is the best-rated web firewall in the web firewall industry. It will protect your site from different angles like DNS level website firewalls, application-level firewalls, network firewalls, and more.

Besides, it will provide you real-time data monitoring directly to our email inbox. So that you can be aware before happening something bad.

Sucuri Web Firewall

Sucuri ensures malware cleanup and blacklist removal guarantee. Besides, once your site is being hacked under their watch, they promise they will fix your hacked site free of extra cost.  

Normally fixing a hacked website, you may need $250-$300 bucks per hour. Usually, this amount charges expert developers. But if you use the Sucuri web application, you can do it for only $199 per year that is pretty low. 

Improve your Advanced WordPress Security with the Sucuri Firewall »

Last Advice

Finally, I hope this WordPress security guide will be helpful to improve WordPress site security. Please use my recommend plugins and follow the instructions that are tested.

If you have any questions about WordPress security, please comment below. If this guide is helpful for you, please share this with your friends & colleagues.


Gym Edge Theme- Full Review [Theme For Gym, Yoga & Personal Trainer Website]

8 Best Dedicated Server Hosting 2021 (Recommendation)


A team of WordPress experts that always ready to share WordPress related tips, tricks, plugins, and themes review, and more.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.