Of the WordPress sites that get hacked every day, almost 40% of them wouldn’t have been if they’d simply updated the WordPress core and their site’s themes and plugins. WordPress makes updating so easy, it’s astonishing that many people don’t bother.
In a previous post, I discussed seven ways to secure a WordPress site. In this article, I double the number of ways to lock down and secure your website.
Better still, this article requires considerably less expertise from you. I’ve hunted down ways to provide many of the protections below with free WordPress plugins.
And so, without further ado, here are fourteen ways to secure a WordPress site...
When you secure a WordPress site using the 14 methods listed above, you immediately place yourself beyond the reach of many hackers and cybercriminals. To see why, consider the following data...
As you can see, many WordPress sites have no security protection at all. These websites are easy pickings for hackers.
Laudable Consulting has a free tool that checks your WordPress site against five common security vulnerabilities. Visit their Web Audit Page and enter your site’s URL into the form.
Their WordPress security scanner will generate a free report and give your site a pass or fail in five different areas.
If you need someone to protect your online presence, then Laudable Consulting’s experts will give you an obligation-free quote to secure a WordPress site. Visit their website or call Brad in Brisbane, Australia, on +61-404-898-832.
How did your site do? Did the audit uncover areas that need to be addressed? If so, don’t worry, you’re in the right place to secure a WordPress site.
When you harden your website using the fourteen security methods in this article, many criminals will move on and look for less challenging targets.
Let’s dig in and take a look at each of the 14 ways to secure a WordPress site...
I use Solid Security Basic (free) for brute force detection and IP blocking, two-factor authentication (2FA), regular scans for malicious uploads, and a daily email that alerts me to any issues.
I have also set it to email me immediately if there’s an urgent problem that I need to deal with.
The “pro” (paid) version adds a wealth of additional security features that secure a WordPress site via a friendly front-end that performs tasks that otherwise require web developer skills.
When you back up your site regularly and download backups to hold locally, you’re protected in the event one of the following happens...
The key phrase in the above scenario is, “In your possession.” WPvivid Backup allows you to download the backup to your local computer, ensuring you have a copy in your possession should your web server become unavailable.
Bonus Tip: You should also have the DNS for your web domain with a separate company from the one hosting your website. That way, if your hosting company locks you out of your site, you can restore a backup with a new hosting company and update the IP address on your domain to that of your new web server.
I host with a company called Cloudways. They provide a number of external security tools, including an external firewall. This sits between my web server and the outside world.
The Cloudways firewall detects brute force and other external threats and blocks them before they get to my website. Not only does this help to secure a WordPress site, but it also keeps my bandwidth costs down and keeps my server responsive.
If your hosting company doesn’t provide this service, then you can switch your hosting to The One Stop Web Shop, or use Cloudflare. Better still, try Auckland’s Managed Hosting Partners, the comprehensive hosting and maintenance service that includes most of these security features as standard.
Cloudways also provides an external malware scanning service, which is another reason why I use them.
This detects and removes malware before it reaches my server, stopping it in its tracks. And because it’s running externally to my website, my bandwidth costs are reduced, and my server isn’t bogged down by persistent attacks. It’s akin to antivirus software, but one that is specific to WordPress.
If your hosting company doesn’t offer external WordPress malware scanning, paid versions of the Sucuri plugin offer this facility. Or you can switch your hosting to The One Stop Web Shop (we have extra tricks to secure a WordPress site), or use Managed Hosting Partners.
This plugin changes the WordPress Admin URL to anything you like. Using this plugin will cause many attempts to gain access to your site’s Admin section to fall at the first hurdle.
Frankly, the only reason not to use this plugin is if one of your other plugins provides the same service. And even then, I eschew this feature in Solid Security and use WPS Hide Login because it’s easier.
Two-factor authentication adds a second step during the login process and is an excellent way to secure a WordPress site. The 2FA process usually involves sending a code via email, text message, or entering one generated by an authenticator app.
When 2FA is in place, the person logging in is asked to enter the code they were sent before being allowed to log in.
It’s an extra step that sometimes annoys users, but their inconvenience is worth it, because it makes it much harder for criminals to steal your users’ credentials.
Many WordPress security plugins already offer 2FA, but if yours doesn’t, this plugin does the job and helps to secure a WordPress site.
I once provided support to a large corporation running a WordPress site. At the time, WordPress didn’t enforce strong passwords by default, so I had installed a plugin that did so.
Unfortunately, a company employee with an Admin account deactivated this plugin, allowing the site’s users to set simple passwords.
Before long, the site had been hacked, and malicious code was added to a configuration file that is loaded every time somebody viewed a page on the company’s website.
Password Policy Manager disables the checkbox that allows users to override strong password enforcement and provides other useful security features.
WordPress is the most-used web development platform in the world. That makes it a target for hackers and criminals, but it’s also one of the most secure systems because there are so many people...
WordPress updates and fixes are issued regularly, and almost always contain important security updates. This is true for...
Despite offering one of the easiest update systems and the update process being the best way to secure a WordPress site, many users don’t run updates. The plain fact is that a security fix only works once it has been applied.
Updates to the WordPress core and your themes and plugins are among the easiest ways to secure a WordPress site and make the lives of hackers and criminals far more difficult.
Here’s how to run updates and secure a WordPress site safely...
Note: If you have deactivated plugins and/or themes, these still need to be updated. See the next section to find out why.
Don’t make the mistake of thinking a deactivated plugin or theme is safe from hackers. WordPress isn’t using them, but the code they contain is still sitting on your web server.
When criminals scan for vulnerabilities on your site, they include deactivated plugins and themes because these are often older versions that haven’t been updated. As a result, they’re more likely to contain security flaws than newer versions.
One very easy way to secure a WordPress site is to delete unused themes and plugins. Once the code is no longer present on the web server, nobody can exploit any security flaws it might contain.
These two files offer criminals the keys to your web server and database. For this reason, it’s a very good idea to secure them by...
That’s probably gobbledygook to many of the people reading this, and this plugin will do that job for you, so you don’t need to worry about “how” to accomplish this. Here’s why it’s important...
The file wp-config.php contains all the information needed by WordPress to load your website, and includes the credentials needed to connect to the site’s database.
Preventing criminals from being able to edit wp-config.php is a great way to secure a WordPress site. And below, I also explain how to protect your site’s database credentials.
Note: When you change the owner of .htaccess and wp-config.php to root, you stop WordPress itself from being able to update or modify these files. When it needs to do so, use the above plugin to temporarily switch it back.
Having the ability to change file and folder permissions on your WordPress site normally requires knowledge of the Linux operating system and sufficient access to the web server’s file system.
Shared hosting companies seldom supply this level of access, but if you’re on a virtual machine or cloud server, you may well have access.
This isn’t something I recommend that people unfamiliar with Linux file permissions and the WordPress directory structure do themselves, even with a plugin. But if you’re determined to throw caution to the wind and don’t wish to pay an expert to do it for you, this plugin may help.
But please be very careful. If you’re not sure what you’re doing, pay somebody like me to do it for you.
The file wp-config.php connects to the database and then loads the rest of WordPress. By default, this file contains the credentials needed to connect to, make queries of, and write information to your site’s database.
As you can imagine, this information offers hackers the keys to your kingdom. When a business really needs to secure a WordPress site, they use environment variables in wp-config.php rather than displaying database credentials in plain text.
This isn’t something a plugin can do for you. If you want to secure a WordPress site further, you’ll need somebody with my skills and background to do this for you. Contact me and let’s chat.
This unassuming plugin helps to secure a WordPress site by disabling XML-RPC and RSD, thus shutting off a major source of denial of service and distributed denial of service attacks.
This plugin disables the XML-RPC, trackback, and pingback services on your WordPress website. It does other useful things, too, each of which can be switched on or off individually.
Fixing broken links on your website benefits your SEO efforts and helps secure a WordPress site in several ways...
When you regularly audit and fix broken links, it helps to secure a WordPress site. The easiest way I know to achieve this is by installing the Broken Link Checker plugin.
The One Stop Web Shop offers a security monitoring service that includes the following...
This service is an excellent way to secure a WordPress website without having to get your hands dirty or find out what the plethora of options in all these plugins do, and how they should be configured on your website. Click here and find out more.
Many of the plugins on this page are designed to be used by non-technical people. This type of plugin asks you a few questions and then configures itself. Even if you’re not sure what you’re doing around website security, you should...
Just doing these three things will help to secure a WordPress site against most malicious activity.
The One Stop Web Shop always overdelivers, so here are two bonus ways to secure a WordPress site.
Disable the WordPress theme and plugin editor, which prevents unauthorised file modifications through the WordPress dashboard.
This isn’t something a non-technical WordPress site owner should do by hand, but fortunately the free version of the Solid Security plugin contains a setting that does it for you.
Once Solid Security has been installed, navigate to Security > Settings > Advanced. If you have the ability to edit the WordPress wp-config.php file, then you can do this yourself by adding the following code to your site’s wp-config.php file...
define('DISALLOW_FILE_EDIT', true);
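The three wp-config.php points made on this page (file mode and ownership, DISALLOW_FILE_EDIT, and database credentials taken from environment variables rather than written in plain text) can be checked in one go. The script below is an added example written for this article, not code from the article or from any plugin it names; it assumes a POSIX shell with GNU or BSD stat, and the two wp-config.php files it inspects are constructed samples, one hardened and one in the default layout.

```shell
# Added audit helper, not code from the article or any plugin it names.
# Assumes a POSIX shell, GNU or BSD `stat`, and constructed sample files.

# Audit wp-config.php under root $1: print each finding, return 0 only if all pass.
wp_config_audit() {
    cfg="$1/wp-config.php"; rc=0
    [ -f "$cfg" ] || { echo "FAIL: $cfg not found"; return 1; }
    perms=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    other=${perms#${perms%?}}                  # last octal digit: others
    rest=${perms%?}; group=${rest#${rest%?}}   # second-last digit: group
    # 1. Mode: nothing for "others", no write for "group" (the web server reads via group).
    case $other in 0) ;; *) echo "FAIL: others can access $cfg ($perms)"; rc=1 ;; esac
    case $group in 2|3|6|7) echo "FAIL: group can write $cfg ($perms)"; rc=1 ;; esac
    # 2. Dashboard theme/plugin editor switched off.
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg" \
        || { echo "FAIL: DISALLOW_FILE_EDIT is not true"; rc=1; }
    # 3. Database password read from the environment, not written in the file.
    grep -E "define[[:space:]]*\([[:space:]]*['\"]DB_PASSWORD['\"]" "$cfg" | grep -q 'getenv(' \
        || { echo "FAIL: DB_PASSWORD is hard-coded"; rc=1; }
    [ "$rc" -eq 0 ] && echo "PASS: $cfg"
    return "$rc"
}

# Create a constructed sample root ("hardened" or "weak") and print its path.
make_sample_root() {
    dir=$(mktemp -d) || return 1
    if [ "$1" = hardened ]; then
        cat > "$dir/wp-config.php" <<'EOF'
<?php
// Constructed sample: credentials come from the environment, editor disabled.
define('DB_NAME', getenv('WP_DB_NAME'));
define('DB_USER', getenv('WP_DB_USER'));
define('DB_PASSWORD', getenv('WP_DB_PASSWORD'));
define('DISALLOW_FILE_EDIT', true);
EOF
        chmod 640 "$dir/wp-config.php"
    else
        cat > "$dir/wp-config.php" <<'EOF'
<?php
// Constructed sample: the default layout with the password in plain text.
define('DB_PASSWORD', 'example-only-password');
EOF
        chmod 644 "$dir/wp-config.php"
    fi
    echo "$dir"
}

hardened=$(make_sample_root hardened); weak=$(make_sample_root weak)
wp_config_audit "$hardened"; wp_config_audit "$weak" || true; rm -rf "$hardened" "$weak"
```

The hardened sample passes; the weak one reports three FAIL lines and exits non-zero, which is what you want from a check run by a cron job or a deployment pipeline.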
Add Google reCAPTCHA to your WordPress Admin login system. You’ll need two things to achieve that...
Click each of the above links and follow both Google’s instructions to set up an account for your WordPress site, and the instructions that come with the plugin that links your reCAPTCHA account to the plugin.
These are the plugins and tools I use to secure a WordPress site for my clients...
Do you want a PDF that describes these security plugins and links to them? Download The One Stop Web Shop’s WordPress Security Resource.
If you want your site to rank well in search engines, you must find and fix broken links. Install Broken Link Checker on your WordPress site. It alerts you by email when it discovers a broken link on your site.
The Marksmen IT Email Reputation Checker looks at the DNS configuration of your domain and tells you whether your email reputation is intact and properly protected against fraud.
There’s no excuse, is there? Thanks to the plugins above, it has never been easier to secure a WordPress site.
Copyright © 2025 TheOneStopWeb.Shop. All rights reserved.