Updated: The Best WordPress Security Guide – Step by Step (2024)

There is no better time than now to make WordPress security your top priority. You will never be able to scale your business if hackers gain access to your site. WordPress is the largest Content Management System (CMS) in the world, powering more than 39.6% of all websites in 2021, which accounts for over 455 million websites.

WordPress is unarguably very popular, easy to use, and yet very powerful. Virtually anyone with a little technical skill can set it up and use it. Because of its popularity, it has also become a popular target for hackers. This is why every WordPress user should take security very seriously. You must follow the necessary guides and take precautions to secure your WordPress site, or you might just be the next victim of hacking.

When a WordPress site is hacked, the attackers inject malware that can be used for different purposes, such as sending spam mail or running botnets.

So, how do you secure your WordPress site?

Hacker activity and the number of hacked websites are not decreasing; they are increasing every day. I have highlighted common and some advanced methods of preventing WordPress sites from being hacked.

The list may not be exhaustive, but I included important points and methods that I feel would help you secure your WordPress site. You can also use the same approach to recover your website if you have already been hacked.

So, take your time to read through, apply them to your site, and let me know if you enjoy it.

  1. Secure your uploads folder

Sometimes, hackers upload malware to the wp-content/uploads folder and run PHP files from there. To prevent this, take the following steps:

How to Secure WordPress Uploads folder

  • Navigate to your WordPress installation directory
  • Open “wp-content”, then open “uploads”
  • Create an empty file named .htaccess inside your uploads folder
  • Edit the file and enter the following code. To edit, right-click on the file and click edit.

<Files *.php>
deny from all
</Files>

These steps will prevent PHP code from running within your uploads folder.
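To confirm the rule is in place and that nothing executable is already sitting in uploads, the check below can be run against the folder. It is an added example, not part of the original post; the sample file names are constructed, and the list of PHP-handled extensions is an assumption that depends on your server configuration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress uploads folder.

# List files whose extension is commonly mapped to the PHP handler.
# Note: the page's <Files *.php> rule matches only names ending in .php.
find_php_in_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) | sort
}

# Succeed only if uploads/.htaccess holds a complete <Files *.php> deny block.
# Accepts "deny from all" (the page's form) or "Require all denied" (Apache 2.4).
htaccess_blocks_php() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -Eqi '<Files[[:space:]]+"?\*\.php"?>' "$f" &&
        grep -Eqi 'deny from all|require all denied' "$f" &&
        grep -qi '</Files>' "$f"
}

# Print findings; return 0 only when the rule is in place and no PHP files exist.
audit_uploads() {
    rc=0
    if ! htaccess_blocks_php "$1"; then
        echo "WARN: $1/.htaccess missing or lacks a complete <Files *.php> deny block"
        rc=1
    fi
    hits=$(find_php_in_uploads "$1")
    if [ -n "$hits" ]; then
        echo "WARN: PHP-handled files under uploads:"
        echo "$hits" | sed 's/^/  /'
        rc=1
    fi
    return $rc
}

# Constructed sample tree (hypothetical file names), so the example runs offline.
make_sample_uploads() {
    d=$(mktemp -d)
    mkdir -p "$d/2024/05"
    : > "$d/2024/05/logo.png"
    printf '<?php /* constructed */ ?>\n' > "$d/2024/05/cache.php"
    printf '<?php /* constructed */ ?>\n' > "$d/2024/05/thumb.phtml"
    echo "$d"
}

sample=$(make_sample_uploads)
audit_uploads "$sample" || echo "sample tree needs attention"
rm -rf "$sample"
```

On a real site, call `audit_uploads /path/to/wp-content/uploads` and review every file it lists before deleting anything.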

2. Delete “admin” user account of Your WordPress Installation


The default WordPress admin account login detail is:

Username: admin

Password: password

Hackers target this account to gain access to sites run by users who are new to WordPress security. Delete this account immediately after you complete your WordPress installation.

To delete admin, take the following steps:

  • Log in to your “admin” user account
  • Go to Users and create a new user account with administrator privileges.
  • Enter a username and password you can remember.
  • Log out of your “admin” user account.
  • Log in to your new user account. Go to Users and delete the “admin” user.

  3. Upload a WordPress security plugin.

A security plugin helps you block brute-force and other malicious attempts to access your WordPress site.

Thankfully, there are many security plugins in the WordPress free repository you can use that will automatically take steps to secure your website or blog. In some cases, you just need to understand the settings and set them to suit your needs.

Some of the options I have tried before are Wordfence, the iThemes Security plugin, and Sucuri.

Common tasks they perform to secure your site include malware scanning, malware removal, and security hardening. They also keep track of everything that happens on your site, including file changes, last logins, and failed login attempts.

Wordfence, for example, blocks further logins after too many failed attempts and sends you notifications about outdated WordPress plugins and other security-related activity on your site.

  4. Disable xmlrpc.php File

What is xmlrpc.php?

It is one of the core WordPress files and should not be deleted. Because WordPress is not a fully self-contained system, it occasionally needs to communicate with other systems, and the xmlrpc.php file handles such requests.

It enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism.

For example, if you are out without your computer and want to quickly post to your site from your iPhone or another mobile device, you can use the remote access feature enabled by xmlrpc.php to do just that.

Sadly, this file has become one of the files hackers target to gain access to WordPress sites. If you are not using this feature on your site, it’s advisable to disable it before it is compromised or used by hackers to wreak havoc on your site.

How to disable xmlrpc.php

  • Log in to your WordPress admin dashboard.
  • On the left-hand menu, choose ‘Plugins’, then click on ‘Add New’.
  • On the Add New page, search for the ‘Disable XMLRPC’ plugin.
  • Install and activate the plugin. That will automatically disable your xmlrpc.php file.

If you ever want to enable XMLRPC again, just deactivate the plugin and the file will be active again.

  5. Hide WordPress login page

If there is any other file in WordPress that hackers like to exploit to gain access to a site, it’s the “wp-login.php” file. It is the page that contains the form you use to log in to WordPress. It also contains the backend code that processes login requests.

How to hide the WordPress login page.

For the purpose of this article, we will be using a plugin called “WPS Hide Login”.

WPS Hide Login is a very light and simple-to-use plugin that lets you safely change the URL of the login form page to anything you want. It doesn’t literally rename

To use WPS Hide Login, follow the steps below:

  • Log in to your WordPress admin dashboard.
  • On the left-hand menu, choose ‘Plugins’, then click on ‘Add New’.
  • On the Add New page, search for the ‘WPS Hide Login’ plugin.
  • Install and activate the plugin.
  • On the left-hand menu, choose ‘Settings’, then click on ‘WPS Hide Login’. This page contains other settings for your website, which you can leave alone unless you want to change them. Towards the end of the page, you will see the area that relates to WPS Hide Login.
  • In the “Login url” field, enter anything you want. Make sure it’s something you can easily remember when you want to log in.
  • In the “Redirection url” field, enter the page you want anyone to see when they try to open “wp-login.php”.
  • Click “Save changes”.

Having followed the steps above, your website admin login page will now be at the URL you entered. You can test the page by logging out and logging in again.

  6. Scan your website regularly

Get a scanner that regularly checks your site for malware or any other malicious code. One of the commonly recommended scanners is SiteLock. Most web hosting platforms partner with SiteLock to render this service to their users. It is a very powerful scanner that performs regular scans and removes malware found on your site.

  7. Back up your site regularly

Keep regular backups of your WordPress site and download them to a safe place. It is not advisable to store the backups on your hosting account. You may try out CodeGuard, a platform that performs daily backups of your site safely and away from your hosting account. This way, if anything happens to the active site files, you can replace them with fresh ones and your site will be back on and working.

  8. Change the passwords of all admin accounts regularly.

Sometimes, old and easy passwords can be exploited by hackers. Many internet users like to keep one password across their internet activities. This is strongly discouraged. You should make sure you use different passwords for different accounts on the internet.

The reason for this is that one website might be compromised or hacked, which may expose users’ sensitive account details such as password, email or username. What hackers do with this exposed data is simply try out the password and username on other websites, or use it to gain access to your site if they can deduce that a website is linked to your exposed data.

Make sure you change your password as often as possible and ensure you use different passwords on different platforms you access.

  9. Use Two Factor Authentication for admin accounts

Two Factor Authentication is an electronic authentication method that requests two or more pieces of evidence to prove your identity before you can gain access to your account.

There are different plugins you can use to activate Two Factor Authentication on your site. One of them is Wordfence.

How to activate two-factor Authentication on Wordfence

At this stage, I assume you have already installed and activated Wordfence for your website. Just follow the steps below:

  • Go to Play Store to download Google Authenticator. If you are using an iPhone, click here to download it.
  • Log in to your WordPress admin dashboard.
  • On the left-hand menu, choose ‘Wordfence’, then click on ‘Login Security’.
  • On the Login Security page, you will see two columns, one for the QR code scanner and the other for code confirmation.
  • Open your authenticator, and scan the QR code shown on your screen.
  • Enter the number showing in your authenticator app into the field provided in the second column.
  • Activate it.

Next time you want to log in to your admin account, it will ask you to authenticate by confirming the code from your authenticator.


10. Limit login attempts.

The Importance of Limiting Login Attempts in WordPress

While WordPress doesn’t limit login attempts by default, leaving it unchecked can be a security risk. Hackers can exploit this by repeatedly guessing passwords, potentially gaining access to your website.

Here’s why you should limit login attempts:

  • Prevents brute-force attacks: Setting a limit thwarts hackers who try countless password combinations.
  • Monitors suspicious activity: Frequent failed attempts from the same IP might indicate an attack.

Implementing Login Attempts Limit:

Fortunately, various plugins can help you achieve this:

Popular Plugin Options:

Limit Login Attempts Reloaded:

  • Configures login attempts per IP.
  • Allows safelisting and blocking users.
  • Informs users of remaining lockout time.

Offers security features like two-factor authentication (2FA) and CAPTCHA.

Provides login challenge questions.

Limit Attempts by BestWebSoft:

  • Automatically blocks IPs exceeding attempt limits.
  • Adds blocked IPs to a deny list.

Addressing Lockout Concerns:

While accidental lockouts are a potential concern, you can easily recover locked accounts. Therefore, limiting login attempts is a crucial step in securing your WordPress site.
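The point above that frequent failed attempts from the same IP may indicate an attack can be checked directly in the web server access log, which also covers the xmlrpc.php and wp-login.php sections earlier. This is an added example, not part of the original post or of any plugin named here; the log lines are constructed, and it assumes the "combined" log format and default WordPress behaviour on login (200 on failure, 302 on success).

```shell
#!/bin/sh
# Added example (not from the original post): find IPs hammering the login endpoints.
# Assumes Apache/nginx "combined" access log format.

# Print "count ip" for each client at or above LIMIT, highest first. Counted events:
#   POST /wp-login.php answered with 200 (by default WordPress re-renders the form
#   on a failed login and redirects with 302 on success), and any POST to /xmlrpc.php.
noisy_login_ips() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }
    ' "$1" | sort -rn
}

# Append COUNT constructed log lines for one client to FILE.
add_lines() { # args: file ip path status count
    i=0
    while [ "$i" -lt "$5" ]; do
        printf '%s - - [12/May/2024:10:00:%02d +0000] "POST %s HTTP/1.1" %s 4512 "-" "constructed-ua"\n' \
            "$2" "$i" "$3" "$4" >> "$1"
        i=$((i + 1))
    done
}

# Constructed sample log using documentation IP ranges (RFC 5737).
make_sample_log() {
    f=$(mktemp)
    add_lines "$f" 203.0.113.7   /wp-login.php 200 6   # repeated failed logins
    add_lines "$f" 198.51.100.23 /xmlrpc.php   200 4   # repeated XML-RPC calls
    add_lines "$f" 192.0.2.10    /wp-login.php 200 1   # one mistyped password
    add_lines "$f" 192.0.2.10    /wp-login.php 302 1   # then a successful login
    echo "$f"
}

log=$(make_sample_log)
noisy_login_ips "$log" 3
rm -f "$log"
```

If the login URL has been changed as in section 5, adjust the /wp-login.php pattern to the new path.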


I hope you have enjoyed this post. Please share your thoughts or any other method you know with us in the comment section below. If you prefer to share a long list like this that will benefit the audience, please send it to our email via the contact form here.

