The Ultimate WordPress Security Guide – Step by Step (2024)


WordPress security is a topic of huge importance for every website owner.

If you are serious about your website, then you need to pay attention to WordPress security best practices. Otherwise, you may become one of the 10,000+ websites Google blacklists every day for malware and phishing.

In this guide, we will share our top WordPress security tips to help you protect your website against hackers and malware.


While WordPress core software is very secure and is audited regularly by hundreds of developers, there’s still a lot that needs to be done to keep your site secure.

At WPBeginner, we believe that security is not just about risk elimination. It’s also about risk reduction. As a website owner, there’s a lot that you can do to improve your WordPress security, even if you are not tech-savvy.

In this article, we put together a list of actionable steps that you can take to protect your website against security vulnerabilities.

To make it easy, we have created a table of contents to help you easily navigate through our ultimate WordPress security guide.

Table of Contents

Basics of WordPress Security

WordPress Security in Easy Steps (No Coding)

WordPress Security for DIY Users

Ready? Let’s get started.

Why Website Security Is Important

A hacked WordPress website can cause serious damage to your business’s revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users.

Worse, you may find yourself paying a ransom to hackers just to regain access to your website.

Ransomware Attack

Every day, Google warns 12-14 million users that a website they are trying to visit may contain malware or steal information.

Furthermore, Google blacklists around 10,000+ websites each day for malware or phishing.

Just as business owners with a physical location have the responsibility of safeguarding their property, online business owners need to pay extra attention to their WordPress security.


Keep WordPress Updated

Easily update WordPress

WordPress is open-source software and is regularly maintained and updated. By default, WordPress automatically installs minor updates.

For major releases, you need to manually initiate the update.

WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers, who regularly release updates as well.

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.


Use Strong Passwords and User Permissions

Manage strong passwords

The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords that are unique to your website.

We are not just talking about the WordPress admin area. Remember to create strong passwords for your FTP accounts, databases, WordPress hosting accounts, and custom email addresses that use your site’s domain name.

Many beginners don’t like using strong passwords because they are hard to remember. The good thing is that you don’t need to remember passwords anymore because you can just use a password manager.

See our guide on how to manage WordPress passwords for more information.

Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to.

If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.


Understand the Role of WordPress Hosting

WP Engine WordPress Hosting Homepage

Your WordPress hosting service plays the most important role in the security of your WordPress site. A good shared hosting provider like Hostinger, Bluehost, or SiteGround takes extra measures to protect their servers against common threats.

Here are just a few ways that good web hosting companies work in the background to protect your websites and data:

  • They continuously monitor their network for suspicious activity.
  • All good hosting companies have tools in place to prevent large-scale DDoS attacks.
  • They keep their server software, PHP versions, and hardware up to date to prevent hackers from exploiting a known security vulnerability in an old version.
  • They have ready-to-deploy disaster recovery and accident plans that allow them to protect your data in case of a major accident.

On a shared hosting plan, you share the server resources with many other customers. There is a risk of cross-site contamination where a hacker can use a neighboring site to attack your website.

By contrast, using a managed WordPress hosting service provides a more secure platform for your website. Managed WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.

We recommend WP Engine as our preferred managed WordPress hosting provider. They are also the most popular provider in the industry.

Make sure you get the best deal by using our special WP Engine coupon.


WordPress Security in a Few Easy Steps (No Coding)

We know that improving WordPress security can be a terrifying thought for beginners, especially if you are not techy. Guess what – you are not alone.

We have helped thousands of WordPress users in hardening their WordPress security.

We will show you how you can improve your WordPress security with just a few clicks (no coding required).

If you can point-and-click, you can do this!

1. Install a WordPress Backup Solution

WordPress Backup

Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours.

Backups allow you to quickly restore your WordPress site in case something bad was to happen.

There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account).

We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.

Thankfully, this can be easily done by using plugins like Duplicator, UpdraftPlus, or BlogVault. They are all reliable and, most importantly, easy to use (no coding needed).

For more details, see our guide on how to back up your WordPress website.


Install a Reputable WordPress Security Plugin

After backups, the next thing we need to do is set up an auditing and monitoring system that keeps track of everything that happens on your website.

This includes file integrity monitoring, failed login attempts, malware scanning, and more.

Thankfully, you can easily take care of this by installing one of the best WordPress security plugins, such as Sucuri.

You need to install and activate the free Sucuri Security plugin. For more details, please see our step-by-step guide on how to install a WordPress plugin.

Now, you can head over to the Sucuri Security » Dashboard to see if the plugin found any immediate issues with your WordPress code.

Setting up the Sucuri WordPress security plugin

The next thing you need to do is navigate to the Sucuri Security » Settings page and click on the ‘Hardening’ tab.

The default settings work well for most websites, so you can go ahead and activate them by clicking the ‘Apply Hardening’ button for each option.

Hardening your WordPress blog or website

This helps you lock down the key areas hackers often use in their attacks.

Tip: We will cover further ways to harden your website later in this article, such as changing the database prefix and admin username. However, these are more technical and may require coding knowledge.

After the hardening part, the plugin’s other default settings are good enough for most websites and don’t need any changes.

The only thing we recommend customizing is email alerts, which can be found in the ‘Alerts’ tab of the settings page.

Customizing your website's security alerts

By default, you will receive a lot of email alerts that can clutter your inbox.

We recommend enabling alerts only for key actions you wish to be notified about, such as plugin changes and new user registrations.

Customizing your WordPress security notifications

This WordPress security plugin is very powerful, so browse through all the tabs and settings to see all that it does such as malware scanning, audit logs, failed login attempt tracking, and more.

For more information, you can see our detailed Sucuri review.

Enable a Web Application Firewall (WAF)

The easiest way to protect your site and be confident about your WordPress security is by using a web application firewall (WAF).

A website firewall blocks all malicious traffic before it even reaches your website.

  • A DNS-level website firewall routes your website traffic through its cloud proxy servers. This allows it to send only genuine traffic to your web server.
  • An application-level firewall examines the traffic once it reaches your server but before loading most WordPress scripts. This method is not as efficient as the DNS-level firewall in reducing the server load.

To learn more, see our list of the best WordPress firewall plugins.

How website firewall blocks attacks

We used Sucuri on WPBeginner for many years and still recommend it as one of the best web application firewalls for WordPress. We recently switched from Sucuri to Cloudflare because we needed a larger CDN network with features that focused more on enterprise clients.

You can read about how Sucuri helped us block 450,000 WordPress attacks in a month.

Attacks blocked by Sucuri

The best part about Sucuri’s firewall is that it also comes with a malware cleanup and blacklist removal guarantee. That means that if you were to be hacked under their watch, they guarantee to fix your website, no matter how many pages you have.

This is a pretty strong warranty because repairing hacked websites is expensive. Security experts normally charge more than $250 per hour, while you can get the entire Sucuri security stack for $199 for a whole year.

That being said, Sucuri is not the only DNS-level firewall provider out there. The other popular competitor is Cloudflare. See our comparison of Sucuri vs. Cloudflare (Pros and Cons).


Move Your WordPress Site to SSL/HTTPS

SSL (Secure Sockets Layer) is a protocol that encrypts data transfer between your website and the user’s browser. This encryption makes it harder for someone to sniff around and steal information.

How SSL Works

Once you enable SSL, your website address will use HTTPS instead of HTTP. You will also see a padlock or similar icon next to your website address in the browser.

SSL certificates are typically issued by certificate authorities, and their prices range from $80 to hundreds of dollars each year. Due to the added cost, most website owners in the past opted to keep using the insecure protocol.

To fix this, a non-profit organization called Let’s Encrypt decided to offer free SSL Certificates to website owners. Their project is supported by Google Chrome, Facebook, Mozilla, and many more companies.

It’s easier than ever to start using SSL for all your WordPress websites. Many hosting companies now offer a free SSL certificate for your WordPress website.

If your hosting company does not offer one, then you can purchase an SSL certificate from They have the best and most reliable SSL deals on the market. The certificate comes with a $10,000 security warranty and a TrustLogo security seal.

If you do everything that we have mentioned thus far, then you are in pretty good shape.

But as always, there’s more that you can do to harden your WordPress security.

Keep in mind that some of these steps may require coding knowledge.

Change the Default Admin Username

In the old days, the default WordPress admin username was ‘admin’. Since usernames make up half of the login credentials, this made it easier for hackers to do brute-force attacks.

Thankfully, WordPress has since changed this and now requires you to select a custom username at the time of installing WordPress.

However, some 1-click WordPress installers still set the default admin username to ‘admin’. If you notice that to be the case, then it’s probably a good idea to switch your web hosting.

Since WordPress doesn’t allow you to change usernames by default, there are three methods you can use to change the username.

  1. Create a new admin username and delete the old one.
  2. Use the Username Changer plugin.
  3. Update the username from phpMyAdmin.

We have covered all three of these in our detailed guide on how to properly change your WordPress username.

Note: Just to be clear, we are talking about changing the username called ‘admin’, not the administrator user role, which is also sometimes called ‘admin’.


Disable File Editing

WordPress comes with a built-in code editor that allows you to edit your theme and plugin files right from your WordPress admin area.

In the wrong hands, this feature can be a security risk, which is why we recommend turning it off.

Adding custom CSS in a child theme's stylesheet in the theme file editor

You can easily do this by adding the following code to your wp-config.php file or with a code snippet plugin like WPCode (recommended):

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

We show you how to do this step by step in our guide on how to disable theme and plugin editors from the WordPress admin panel.

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin mentioned above.


Disable PHP File Execution in Certain WordPress Directories

Another way to harden your WordPress security is by disabling PHP file execution in directories where it’s not needed, such as /wp-content/uploads/.

You can do this by opening a text editor like Notepad and pasting this code:

# Block direct requests for any PHP file in this folder
<Files *.php>
deny from all
</Files>

Next, you need to save this file as .htaccess and upload it to the /wp-content/uploads/ folder on your website using an FTP client.

For a more detailed explanation, see our guide on how to disable PHP execution in certain WordPress directories.

Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin that we mentioned above.


Limit Login Attempts

By default, WordPress allows users to try to log in as many times as they want. This leaves your WordPress site vulnerable to brute-force attacks. This is where hackers try to crack passwords by trying to log in with different combinations.

This can be easily fixed by limiting the failed login attempts a user can make. If you are using the web application firewall mentioned earlier, then this is automatically taken care of.

However, if you don’t have the firewall set up, then you can go ahead using the steps below.

First, you need to install and activate the free Limit Login Attempts Reloaded plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

Upon activation, the plugin will start to limit the number of login attempts users can take.

The default settings will work for most websites. However, you can customize them by visiting the Settings » Limit Login Attempts page and clicking the ‘Settings’ tab at the top. For example, to comply with GDPR laws, you can click the ‘GDPR compliance’ checkbox.

Limit Login Attempts

For detailed instructions, take a look at our guide on how and why you should limit login attempts in WordPress.
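To show what a login limiter actually does under the hood, here is a minimal must-use plugin written for this guide (it is an added example, not the Limit Login Attempts Reloaded plugin or any other code from the article). It counts failed logins per client address with a transient and refuses further attempts once a threshold is reached. The threshold (5 attempts), the 15-minute lockout window, the `mlt_` prefix and the assumption that `REMOTE_ADDR` is the real client address (it is not behind a CDN or WAF proxy) are all choices made for the example.

```php
<?php
/**
 * Plugin Name: Minimal Login Throttle (added example, not the article's plugin)
 * Description: Counts failed logins per client address and refuses further
 *              attempts once a threshold is reached. Drop into wp-content/mu-plugins/.
 *
 * Assumptions made for this example: 5 attempts, a 15-minute lockout, and that
 * REMOTE_ADDR is the real client address (behind a CDN/WAF proxy it is not).
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

define( 'MLT_MAX_ATTEMPTS', 5 );
define( 'MLT_LOCKOUT_SECONDS', 15 * 60 );

/** Transient key holding the failure counter for the requesting address. */
function mlt_counter_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'mlt_fail_' . md5( $ip );
}

/** Every failed login bumps the counter; the transient expires after the lockout window. */
function mlt_record_failure( $username ) {
	$key      = mlt_counter_key();
	$attempts = (int) get_transient( $key );
	set_transient( $key, $attempts + 1, MLT_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'mlt_record_failure' );

/**
 * Replace the authentication result with an error while the address is locked out.
 * Priority 30 runs after WordPress's own username/password check (priority 20),
 * so the lockout error is what the visitor sees instead of "incorrect password",
 * and a correct password is refused too until the window has passed.
 */
function mlt_block_if_locked( $user, $username, $password ) {
	if ( '' === $username && '' === $password ) {
		return $user; // the login form is merely being displayed, no attempt was made
	}
	if ( (int) get_transient( mlt_counter_key() ) >= MLT_MAX_ATTEMPTS ) {
		return new WP_Error(
			'mlt_locked_out',
			sprintf( 'Too many failed login attempts. Try again in %d minutes.', MLT_LOCKOUT_SECONDS / 60 )
		);
	}
	return $user;
}
add_filter( 'authenticate', 'mlt_block_if_locked', 30, 3 );

/** A successful login clears the counter for this address. */
function mlt_clear_counter( $user_login, $user ) {
	delete_transient( mlt_counter_key() );
}
add_action( 'wp_login', 'mlt_clear_counter', 10, 2 );
```

Two design points are worth noting. The lockout check is hooked at priority 30 on purpose: WordPress's own username/password handler at priority 20 ignores an incoming error when both fields are filled in, so an error returned earlier would simply be overwritten. And because `wp_login_failed` also fires for attempts rejected by the lockout itself, every further attempt during the window refreshes the transient, which keeps the window open for as long as the attempts continue.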


Add Two Factor Authentication (2FA)

The two-factor authentication method requires 2 different steps for users to log in:

  1. The first step is the username and password.
  2. The second step requires you to use a code from a device or app in your possession that hackers can’t access, such as your smartphone.

Most top online websites like Google, Facebook, and Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.

First, you need to install and activate the WP 2FA – Two-factor Authentication plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.

A user-friendly wizard will help you set up the plugin and then you will be given a QR code.

Use Your Authenticator App to Scan the QR Code

You will need to scan the QR code using an authenticator app on your phone, such as Google Authenticator, Authy, or LastPass Authenticator.

We recommend using LastPass Authenticator or Authy because they allow you to back up your accounts to the cloud. This is very useful in case your phone is lost, reset, or you buy a new phone. All your account logins will be easily restored.

Most of these apps work in a similar way, and if you are using Authy, then you simply click the ‘+’ or ‘Add account’ button in the authenticator app.

Click the + Button to Add an Account

This will let you scan the QR code on your computer using your phone’s camera. You may first need to give the app permission to access the camera.

After giving the account a name, you can save it.

Next time you log in to your website, you will be asked for the two-factor authentication code after you enter your password.

Users Must Enter an Authentication Code Before Logging In

Simply open the authenticator app on your phone, and you will see a one-time code.

You can then enter the code on your website to finish logging in.

Find Your 2FA Token


Change the WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database.

If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.

You can change your database prefix by following our step-by-step tutorial on how to change the WordPress database prefix to improve security.

Note: Changing the database prefix can break your site if it’s not done properly. Only do this if you feel comfortable with your coding skills.


Password Protect WordPress Admin and Login Page

Password protect WordPress admin example

Normally, hackers can request your wp-admin folder and login page without any restrictions. This allows them to try their hacking tricks or run DDoS attacks.

You can add additional password protection on a server-side level, which will effectively block those requests.

Just follow our step-by-step instructions on how to password-protect your WordPress admin (wp-admin) directory.


Disable Directory Indexing and Browsing

Directory Browsing

When you type the address of one of your website folders into a web browser, you will be shown the web page called index.html if it exists. If it doesn’t exist, then you will be shown a list of files in that folder instead. This is known as directory browsing.

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

You need to connect to your website using FTP or your hosting provider’s file manager. Next, locate the .htaccess file in your website’s root directory. If you cannot see it there, then refer to our guide on why you can’t see the .htaccess file in WordPress.

After that, you need to add the following line at the end of the .htaccess file:

Options -Indexes

Don’t forget to save and upload the .htaccess file back to your site.

For more on this topic, see our article on how to disable directory browsing in WordPress.


Disable XML-RPC in WordPress

XML-RPC is a core WordPress API that helps connect your WordPress site with web and mobile apps. It has been enabled by default since WordPress 3.5.

However, because of its powerful nature, XML-RPC can significantly amplify brute-force attacks.

For example, if a hacker traditionally wanted to try 500 different passwords on your website, then they would have to make 500 separate login attempts. This can be caught and blocked by the Limit Login Attempts Reloaded plugin.

But with XML-RPC, a hacker can use the system.multicall function to try thousands of passwords with, say, 20 or 50 requests.

This is why if you are not using XML-RPC, then we recommend that you disable it.

There are 3 ways to disable XML-RPC in WordPress, and we have covered all of them in our step-by-step tutorial on how to disable XML-RPC in WordPress.

Tip: The .htaccess method is the best one because it’s the least resource-intensive. The other methods are easier for beginners.

Alternatively, this is taken care of automatically if you are using a web application firewall (WAF) as we mentioned earlier.
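For readers who prefer the code route, the following must-use plugin is an added example written for this guide (it is not one of the three methods from the linked tutorial, and the `xrh_` prefix is an arbitrary choice). It shows the two levels at which XML-RPC can be reined in: switching authenticated XML-RPC off completely, or keeping the endpoint for an app that needs it while removing `system.multicall`, the method behind the amplification described above.

```php
<?php
/**
 * Plugin Name: XML-RPC Hardening (added example, not from the article)
 * Description: Option A switches authenticated XML-RPC off entirely; Option B keeps
 *              the endpoint but removes the methods that amplify login attempts.
 *              Drop into wp-content/mu-plugins/. Option A alone is enough when the
 *              site does not use XML-RPC; Option B applies when an app still needs it.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Option A: the site does not use XML-RPC at all.
// Every authenticated XML-RPC call now fails with WordPress's own
// "XML-RPC services are disabled on this site" error. This filter does not
// touch unauthenticated methods such as pingback.ping.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Option B: an app still needs XML-RPC, so keep it but remove system.multicall,
// the method that lets a single HTTP request carry many login attempts, and
// pingback.ping, which is only needed if you want other sites to ping you.
function xrh_remove_amplifying_methods( $methods ) {
	unset( $methods['system.multicall'], $methods['pingback.ping'] );
	return $methods;
}
add_filter( 'xmlrpc_methods', 'xrh_remove_amplifying_methods' );

// Stop advertising the endpoint: no X-Pingback response header and no RSD <link>
// in the page head. This suits both options.
function xrh_strip_pingback_header( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}
add_filter( 'wp_headers', 'xrh_strip_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );
```

Note the difference between the two filters: `xmlrpc_enabled` only affects methods that require a login, so a site that relies on it alone still answers pingbacks. Removing methods through `xmlrpc_methods` changes what the endpoint offers at all, which is why the multicall removal belongs there.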


Automatically Log Out Idle Users in WordPress

Logged-in users can sometimes wander away from the screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.

This is why many banking and financial sites automatically log out an inactive user. You can set up similar functionality on your WordPress site as well.

You will need to install and activate the Inactive Logout plugin. Upon activation, visit the Settings » Inactive Logout page to customize the logout settings.

Logout idle users

Simply set the time duration and add a logout message. Then, don’t forget to click on the ‘Save Changes’ button at the bottom of the page to store your settings.

For step-by-step instructions, please refer to our guide on how to automatically log out idle users in WordPress.
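To illustrate the mechanism behind idle logout, here is a small must-use plugin written for this guide (an added example, not the Inactive Logout plugin's code). It stores the time of each user's last request in user meta and, once a request arrives after a longer gap than allowed, destroys the session and sends the browser back to the login page. The 20-minute limit, the `isl_` prefix and the meta key name are choices made for the example; activity is tracked per user, so two browsers logged in as the same user share one timer.

```php
<?php
/**
 * Plugin Name: Idle Session Logout (added example, not the plugin the article names)
 * Description: Ends a logged-in session after a period of inactivity.
 *              Drop into wp-content/mu-plugins/.
 *
 * Assumption made for this example: 20 minutes of inactivity. Activity is tracked
 * per user (in user meta), so two browsers logged in as the same user share one timer.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

define( 'ISL_IDLE_SECONDS', 20 * 60 );
define( 'ISL_META_KEY', 'isl_last_activity' );

/**
 * Start the timer fresh on login. Without this, a stale timestamp left over from an
 * earlier session would log the user out again on their very first request.
 */
function isl_start_timer( $user_login, $user ) {
	update_user_meta( $user->ID, ISL_META_KEY, time() );
}
add_action( 'wp_login', 'isl_start_timer', 10, 2 );

/**
 * On every request by a logged-in user, compare the stored timestamp with now.
 * Idle for too long: destroy this session and send the browser to the login page.
 * Otherwise refresh the timestamp, except for Heartbeat/AJAX and cron requests,
 * which are not user activity and would otherwise keep an abandoned tab logged in.
 */
function isl_enforce_idle_timeout() {
	if ( ! is_user_logged_in() ) {
		return;
	}
	$user_id = get_current_user_id();
	$last    = (int) get_user_meta( $user_id, ISL_META_KEY, true );
	$now     = time();

	if ( $last > 0 && ( $now - $last ) > ISL_IDLE_SECONDS ) {
		wp_logout(); // destroys the current session token and clears the auth cookies
		if ( ! wp_doing_ajax() ) {
			wp_safe_redirect( add_query_arg( 'idle', '1', wp_login_url() ) );
			exit;
		}
		return; // the AJAX caller now runs as a logged-out visitor and the admin shows its re-login prompt
	}

	if ( ! wp_doing_ajax() && ! wp_doing_cron() ) {
		update_user_meta( $user_id, ISL_META_KEY, $now );
	}
}
add_action( 'init', 'isl_enforce_idle_timeout' );
```

The AJAX exclusion matters more than it looks: the WordPress admin sends Heartbeat requests in the background while a tab is open, and if those counted as activity an unattended screen would never time out, which defeats the purpose described above.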


Add Security Questions to the WordPress Login Screen

Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.

You can add security questions by installing the Two Factor Authentication plugin. Upon activation, you need to visit the Multi-factor Authentication » Two Factor page to configure the plugin’s settings.

This will allow you to add various types of two-factor authentication to your site, including security questions.

Adding Security Questions to WordPress Login

For more detailed instructions, see our tutorial on how to add security questions to the WordPress login screen.


Scan WordPress for Malware and Vulnerabilities

Malware Scan

If you have a WordPress security plugin installed, then it will routinely check for malware and signs of security breaches.

However, if you see a sudden drop in website traffic or search rankings, then you may want to scan for malware manually. You can do this using your WordPress security plugin or one of the best malware and security scanners.

Running these online scans is quite straightforward. You just enter your website URL, and their crawlers go through your website to look for known malware and malicious code.

Now, keep in mind that most WordPress security scanners can only warn you if your site contains malware. They can’t remove the malware or clean a hacked WordPress site.

This brings us to the next section, cleaning up malware and hacked WordPress sites.


Fix a Hacked WordPress Site

Many WordPress users don’t realize the importance of backups and website security until their website is hacked.

Hackers install backdoors on affected sites, and if these backdoors are not fixed properly, then your website will likely get hacked again.

For the adventurous and DIY users, we have compiled a step-by-step guide on fixing a hacked WordPress site.

However, cleaning up a WordPress site can be very difficult and time-consuming. Our advice would be to let a professional take care of it.

If you are paying to use the Sucuri security plugin we mentioned above, then hacked site repair is built into the price.

You can also use the WPBeginner Pro Services hacked site repair service. This requires a one-time payment of $249 and includes premium file determination, malicious code removal, software and security updates, and a cleaned site backup.

WPBeginner Pro Services Hacked Site Repair

We guarantee to fix your site or give your money back. We also cover your website for 30 days after the repair, so if you get hacked again during that time, we’ll be there to fix it.

We have been cleaning and securing WordPress websites for 10+ years, so you’ll have peace of mind when you use our Hacked Site Repair service.


Bonus Tip: Hire a WordPress Maintenance Service

As a busy small business owner, you may not have time to monitor your website security and protect it from vulnerabilities. So, to ease your mind and lighten your workload, you can hire a WordPress maintenance service for 24/7 security monitoring.

WPBeginner Pro Services offers comprehensive WordPress website maintenance at an affordable price. It includes security monitoring, routine cloud backups, WordPress updates, uptime monitoring, and much more.

WPBeginner WordPress website maintenance service

Simply choose a monthly maintenance service package that suits your needs, and you’ll get a more secure WordPress site and extra free time to work on other aspects of your business.

If you’d like other recommendations, you can see our picks of the best website maintenance services for WordPress.


We hope this article helped you learn the best practices for WordPress security and discover the top WordPress security plugins for your website. You may also want to see our ultimate WordPress SEO guide to improve your SEO rankings, and our expert tips on how to speed up WordPress.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

Reader Interactions


169 Comments

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Leanne says

    This is one of the best tutorial sites (on any subject matter) I have found. Thank you I will refer wpbeginner to others – awesome site!

  3. Daniel says

    You know there are guys charging more than $50 or $100 dollars to teach you how to do all of this, and you gave it for free! Thanks heaps guys!

  4. Mydas says

    This was super-useful. I have the coding skills to implement all of it, and now I can take much better care of my and my clients’ WordPress installations. Thank you for the info, it’s so complete that I can’t believe it’s free xD

  5. Splendor Edesiri says

    Please do I need a VPN to access my WordPress site from the backend as part of my WordPress site security.

    • uzoma ichetaonye says

      I don’t think you need any VPN to access your website via its backend.

      VPN are used to disguise or help your identity or access a site that has been blocked from your location.

  6. Kam says

    Thank you for this article. It is essential reading!

    If you have a host like Bluehost, is it essential to have backup with a plugin such as Updraft plus + remote storage? After all, hosting providers should be providing backup?

    • WPBeginner Support says

      While some hosts offer backups, we still recommend creating your own backups for safety


  7. kalmoa says

    just an FYI, with Nginx there is no directory-level configuration file like Apache’s .htaccess. All configuration has to be done at the server level by an administrator, and WordPress cannot modify the configuration, like it can with Apache. So the part about ‘Disable PHP File Execution’, cannot be completed by wordpress installs running on Nginx. That includes myself, who is running my wordpress install on Vultr. Their one-click wordpress install gets deployed on Nginx (ubuntu 18.04)

    • WPBeginner Support says

      Thank you for sharing this for the users who specifically are using Nginx for their site.


  8. Tom says

    What is the best method to update plugins if I have several that need updating? Update one at a time and see if the updated plugin breaks any of the functionality on the website?

  9. Kartik Satija says

    Amazing article, very well articulated and documented.
    Thank you all so much for this.
    More power to you guys, keep up the good work.


  10. Liz says

    Great article. I have a question about the hardening options. I read that enabling hardening on all options can cause some plugins or the theme to break/not work properly. If this happens, how difficult is it to fix? It seems like there’s more to it than just reverting the hardening option. Any insight you could offer would be greatly appreciated. Thanks!

    • WPBeginner Support says

      It would depend on the specific hardening recommendation, plugin, and error message for the difficulty should an error appear. Otherwise, most plugins shouldn’t have an issue


  11. Gary Starling says

    Very helpful suggestions and well explained from the basic to the complex
    Thank you for your explanations

  12. Andrei says

    Hi guys,

    After the first user enumeration, brute force a security plugin will block that IP address.

    If you password protect the wp-admin directory the plugin can no longer block that IP.

    Is that a correct assessment?

    • WPBeginner Support says

      Correct, there would be a similar load to a blocked IP but if you need many new users to access your site then limiting login attempts would be better than password protecting your wp-admin


      • Andrei says

        Ok, I finally understood how this works and sharing here for everyone. Password protecting wp-admin is done at the server (Apache/Nginx) level. If a user enumeration, brute force is unable to bypass the server level, it would not be able to touch PHP/MySQL. Thus, password protecting wp-admin does not put additional load on the database.

  13. Peter says

    Very informative and helpful, I have configured all the hardening procedure you mentioned, Thanks a lot.

  14. Aqib khan says

    I will always follow you. I will always love you and always share such fresh and cool content to make us smile. Thank you.

  15. mahmoud says

    I love this site. You’re offering precious information.
    I’m a beginner and this is helpful.
    But can I only have a strong password and disable indexing to do the matter?
    What about all these plugins? I think they will affect the site speed, or is this not installed on the site?

  16. Krishna says

    Hi WP Beginner Team,

    Thanks for such a brief explanation of WordPress security. This article was very useful and let me know the value of WP security for the users and website owner.


  17. Kushal says

    I used all the plugins that you mentioned: Sucuri, iThemes, wp serber and Jetpack. How many plugins can I use on my website?

  18. Dietrich says


    Is it okay to use Sucuri and Wordfence at the same time? I installed Wordfence since Sucuri’s free version doesn’t have a firewall feature.

    • WPBeginner Support says

      We would not recommend using both; multiple security tools can conflict with each other and cause issues with your site.


  19. Monty parihar says

    Now my website is secured. After reading your post, we immediately installed a security plugin. Thank you, WP Beginner.

  20. Melvin Adame says

    Amazing read! Security should always be the #1 priority for any website owner, for their sake and their visitors.

  21. Mark Bunner says

    Some good tips here. I have already used a lot of them; but it gives a few other areas to think about.

  22. Heidi says

    Great article, thanks! I think I’ve done most of these things now (except ones requiring coding). I did however have a problem setting a password for the admin folder. While I worked out how to do this in cPanel (under ‘directory privacy’), when I went back to my dashboard I found I was locked out. Then I spent over an hour on chat support with Bluehost only to discover what I suspected – that when you log in to WP from Bluehost it takes you straight to the admin area, so there is no opportunity to log in to the admin folder, which means you just get locked out. Guess this is a problem with Bluehost, and the only solution they gave me was to install a plugin :(

    • WPBeginner Support says

      If you’re using their link from the hosting dashboard to log into your site, that may be true, but if you add /wp-admin to your domain then it should take you to the login page, which will bring up the additional login requirement.


  23. Julian Song says

    Awesome article on security. Setting up WordPress is easy, but managing it needs lots of study & research. Your blog helps the community more than you can imagine. I even shared your blog at the recent WordPress meet-up as one of the best guidelines.

  24. Shiva Prasad says

    Thanks for being a good mentor and for guiding me on the right path. I will always be thankful to you.

  25. Majid says


    I am new to WordPress. I am using Bluehost to host my website, and when I clicked on the WordPress button, it automatically took me to cPanel without asking for any password. Which passwords are we talking about?

    P.S. At the top right corner I could see Howdy, my name… does that mean that is my username?

    I don’t remember installing WordPress on Bluehost, and neither did I enter any username or password separately for WordPress.

    Please help.

    • WPBeginner Support says

      That is Bluehost’s tool to make setting up your WordPress site easier; our article is talking about the password for your WordPress site. You can change your password for your site under Users > Your Profile. The name next to Howdy should be your username.


  26. Terence Vickers says

    You may have a typo in the XML-RPC section which is a bit confusing.
    Presently reads: “This is why if you’re not using XML-RPC, then we recommend that you disable it.”

    If I’m not using it, there would likely be no way to disable it.

    • WPBeginner Support says

      Apologies for any confusion. With that statement we mean that if you’re not using it for a specific plugin or other need, then we would recommend disabling it, rather than meaning that if it is disabled you should disable it. We’ll look into clarifying that :)


  27. Syed Gallani says

    I understand keeping WordPress updated is essential for security, but is it really necessary, from a security point of view, to update all the plugins? How can outdated plugins make your website more prone to being hacked?

    • WPBeginner Support says

      It would depend on the plugin for how it could make your site vulnerable, but some plugins may have code that is out of date with respect to a newly discovered issue with a piece of code.


  28. Nick says

    Would blocking Search Engine Spiders (via robots.txt) from Indexing directories help with security?

  29. peg says

    I’m learning the hard way! :) I’m so glad to have found you. I have a hacked 5-year-old site hosted on GoDaddy (can’t get into the admin at all) … they want $300 to fix it, so I’m rebuilding on Bluehost and implementing your security suggestions. Looking forward to learning much more! Thank you so much for this resource.

  30. Jeff Moyer says

    Great comprehensive list, thank you! Limiting the number of login attempts I find is a big one since it will discourage a lot of hackers right from the get-go. It might be frustrating if you lose or forget your passwords, but still well worth it.

  31. Tanmay Kapse says

    An awesomely detailed post!! Each and every thing is described perfectly. Keep up the good work

  32. Santhosh Naikar says

    What are the things I need to worry about when it is hosted on an internal network [accessible only to systems within our office network]?

    • WPBeginner Support says

      Your main concern for an intranet would be to ensure each user has the correct privileges for their role; after that, it would be protecting yourself from brute force attacks and similar.


  33. steven suslick says

    I find this and many of the posts very helpful. I have a hack-related question. Google Analytics is reporting strange pages that do not actually exist in my posts. They all seem to have a /?s=, for example /?s=dox. I cannot seem to locate the source. Any suggestions?

    • WPBeginner Support says

      Those pages are from users using the search on your site; for the second one, someone searched for the word dox :)
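      As an added example (not from the post or from the commenters), the script below shows how to confirm that the `/?s=` paths seen in analytics are WordPress site-search requests by reading the web server's access log: WordPress serves site search from the `s` query parameter, so every such hit is a search term rather than a page that exists on disk. It goes slightly beyond the reply above by also counting how many distinct client IPs sent each term, which is the first thing to look at if one term shows up far more often than a normal visitor would search it. The log lines are constructed samples in combined log format; the IP addresses are documentation ranges.

```python
"""Added example: classify "/?s=..." access-log hits as WordPress site searches.

Not code from the post. SAMPLE_LOG is constructed sample data in Apache/Nginx
combined log format; the addresses are documentation ranges, not real clients.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format:
#   ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample: two visitors searching, one plain page view, one login hit.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:12:00:01 +0000] "GET /?s=dox HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:12:00:09 +0000] "GET /about/ HTTP/1.1" 200 8450 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:14 +0000] "GET /?s=wordpress+security HTTP/1.1" 200 6011 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:12:01:30 +0000] "GET /?s=dox HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:12:02:02 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "curl/8.0"
"""


def search_term(path):
    """Return the site-search term if `path` is a WordPress search request, else None.

    WordPress routes searches through the `s` query parameter, so a request such
    as "/?s=dox" is the search page for "dox", not a post or page named "dox".
    parse_qs already decodes "+" and %xx escapes into the literal search text.
    """
    terms = parse_qs(urlsplit(path).query).get("s")
    return terms[0] if terms else None


def summarize_searches(log_text):
    """Map each search term to (total hits, number of distinct client IPs).

    Lines that are not search requests (ordinary pages, wp-login.php, malformed
    lines) are skipped, so the result is exactly the traffic that produces the
    "/?s=..." paths an analytics report lists as pages.
    """
    hits = Counter()
    clients = defaultdict(set)
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        term = search_term(match.group("path"))
        if term is None:
            continue
        hits[term] += 1
        clients[term].add(match.group("ip"))
    return {term: (hits[term], len(clients[term])) for term in hits}


if __name__ == "__main__":
    for term, (count, ip_count) in sorted(summarize_searches(SAMPLE_LOG).items()):
        print(f"search term {term!r}: {count} hit(s) from {ip_count} client IP(s)")
```

      Point `summarize_searches` at the real access log text instead of `SAMPLE_LOG` to check a live site. A term with many hits from a single IP is worth rate limiting at the server, whereas many terms from many IPs is ordinary visitor search traffic, which is what the reply above describes.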


  34. Bobbie Camp says

    Found this article to be very helpful. I am very new and not “techy” and need all the assistance I can get. Appreciate your easy to read instructions.

  35. Brad Vincent says

    Hey guys,

    I must agree with your mentions of Sucuri – they have sorted out a couple of hacked sites of mine over the years. Worth every penny!

    I am really loving these extended posts with all the info I need. I have been following your website speed post and that has made a big difference to my sites. After I have finished with that I will be following this one for sure.

    Awesome work and much appreciated.

  36. Brian says

    What are your thoughts on Wordfence and Sucuri on the same WP installation? They seem to have some similar functionality so was wondering how much more I get with both versus just one security tool. Is Wordfence a reasonable alternative?

    • WPBeginner Support says

      We would recommend only one at a time to prevent conflicts between the plugins.


    • Mark says

      I use Wordfence and Sucuri for different functions. While they may at first appear to be competitors, they are actually complementary. I’ve had no issues running both … so far … but of course there are incompatibilities among plugins in general.
