How to secure your WordPress website

As a wildly popular content management system (CMS) that powers millions of sites on the Internet, WordPress is an attractive target for hackers. You can never guarantee that a website is fully protected from potential exploits, mainly when the platform in question relies on – or supports – a multitude of open-source or third-party technologies.

However, there are steps you can take to protect your website from most types of intrusion, many of which are reasonably straightforward. As the developers of WordPress state, security comprises three domains: People, Process, and Technology. As such, best practice for securing your website isn’t just about your configuration – it extends to your office or home environment, your working practices and the people you collaborate with.

Here are a few tips you can use to improve the security of your WordPress website.

1. Keep your WordPress installation, themes and plugins up to date.

The WordPress platform is in active development, which means that updates are released regularly. Some of these releases focus on feature enhancements, but most, if not all, include patches to improve the platform’s security. You can review the changelogs for the platform over at the WordPress Codex.

Be sure to install WordPress updates as soon as possible following their release. If you’ve installed WordPress via the Softaculous App Installer in cPanel, you can take advantage of automatic upgrade features for WordPress itself as well as supported themes and plugins.

Softaculous Auto Upgrade

Once enabled, your site will be automatically upgraded to the latest versions of your software as soon as they are available.

Pay special attention to plugins and themes that are no longer supported or updated by their developers. These may include outdated libraries or other supporting software that have known exploits. Later versions of these libraries may have been patched, but as the plugin or theme development is dormant, your installation may not have received these updates.

2. Block access to your WordPress administration area

It’s a good idea to only permit WordPress administration access to those people that need it. Of course, your administration back-end is password-protected. You can create an additional layer of security by blocking access to your /wp-admin/ folder or the wp-login.php file specifically, based on the visitor’s IP address.

This method is particularly effective if you or your other WordPress administrators have Internet connections with fixed or static IP addresses. To find out your IP address, simply visit and note down the numbers listed.

You can use a .htaccess file to restrict access to your server. .htaccess is a configuration file used by the Apache web server, which rules override global settings for the directory in which it is placed. You may find that .htaccess files are created automatically on your server when you install popular web applications like WordPress, Drupal and Magento. However, it can be easily created in a text editor and uploaded to your server if one does not exist. You can also make one directly from cPanel’s File Manager.

Include the following command in your .htaccess file, replacing the xxx entries with your actual IP address:

<Files wp-login.php>
order deny,allow
Deny from all
Allow from

This blocks all access to the WordPress login page, except for connections coming from the IP address listed (your home or office). To permit additional IP addresses to access the page, simply repeat the Allow from line and include the IP addresses you wish to add (one IP address per line).

3. Do not use an “admin” username

Just as millions of WordPress installations rely on a wp_ database prefix, millions of WordPress administrators use the same user name. You guessed it, “admin.” Sure, it’s convenient and easy to remember, but by using the “admin” username, you’ve already given potential hackers a vital piece of data they need to exploit your account.

Go with a different username, and you’ll immediately protect your site from a swathe of basic brute force attacks.

4. Use complex passwords

Changing your admin username is the first step in protecting your account, and the second is strengthening your password. WordPress prefers the use of strong passwords but is pretty lenient if you wish to be lazy.  If you haven’t already, it’s time to abandon that traditional password and use a password manager application like LastPass or 1Password. Alternatively, try a passphrase instead.

For more tips, check out this great advice on strengthening your account password over at

5. Do not use a wp_ database prefix

When configuring your WordPress website, try not to use an obvious WordPress database prefix such as wp_. This “default” prefix is used on millions of active WordPress installations, making it an attractive target for random, brute force attacks.

In truth, changing the prefix may not deter skilled hackers that are specifically targeting your installation, but it can add a little extra protection.

Head over to WPMUDev, where you’ll find a detailed explanation and instructions for changing your WordPress database prefix on existing installations.

6. Install virus protection and regularly scan your computers for malware

Alongside protecting your server, you should also ensure that the PCs you use locally are safe from intrusion. Install an antivirus program on all of your PCs and ensure they are updated with the latest virus definitions.

7. Regularly scan your website for exploits

It may not always be evident that your website has been compromised, particularly if an attacker seeks to capture customer or user data. However, security scanners such as the one available from Google can check your website for known malware, blacklisting status, website errors, and out-of-date software.

Sucuri scanner

8. Regularly back up your WordPress installation

Should you experience an attack, the easiest way to ensure your data is safe is to hold one or more backups of your WordPress installation. Be sure to regularly download backups of your website to your local PC and archive them offline for safety, on a USB drive or even CD/DVD.

WordPress includes an integrated cloud backup and restore feature called Vaultpress, but you can also backup your websites using cPanel at no additional charge. Together, these simple steps can dramatically increase the security of your WordPress installation, protecting it from unauthorized access and data loss. 

If you need help with your HostPapa account, please open a support ticket from your dashboard.

Related Articles

Get online with our affordable web hosting

Get online with our affordable web hosting

Learn more now
HostPapa Mustache