How To Secure Your WordPress Website in 2020

Having your WordPress site hacked could be a nightmare.  It can damage the reputation of your business and lower consumer confidence. Sadly, many people pay little attention to Secure Your WordPress Website and end up being victims of systemized WP hacking. In this article, I discuss a few security measures which can improve website security and prevent hacking.

Update Your WordPress Framework

The most basic security measure that you can take is to update the WP framework of your website design. It is a simple way of boosting the security of your site. Just log into your admin panel, then check for WordPress updates. If you are using an old version of the WordPress framework, you should consider upgrading to the latest version.  The good thing about WordPress is that there are periodic updates to fix security holes.

Use Strong Log in Details

Unless you are working in the Local WordPress Test Environment, you have no excuse or reason for using a crappy login password or ID.  Most hackers know that the default login ID is “admin.” So if you have been using the default login ID, you need to change that immediately to an und that is hard to guess. For the login ID, it is advisable to combine letters with numbers that say “rumpelstiltskil93”.  The same applies to passwords, but since passwords are more sensitive, include special characters ( *#&^<>) in your password.  This will deter all kinds of brute force from targeting your site.

Secure the Wp-config.php

The Wp-config.php is an important file to secure your WordPress website. Since it contains sensitive data and the configuration for your web design, you should secure it through .htaccess. You can protect this file by adding the following code to the .htaccess file in your website’s root directory,

# protect wp-config.php

Order deny, allow
Deny from all

The above code restricts access to your  wp-config.php  file.

Prevent WP Injection

WP injection is a common technique that hackers use to breach the security of WP sites. To secure your WordPress website or blog from script injection or unwelcome modification of GLOBALS and _REQUEST, copy and paste the following code to the .htaccess in the root.

# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\\<


%3E) [NC,OR]


\\%[0-9A-Z]{0,2}) [OR]

RewriteRule ^(.*)$ index.php [F,L]

Secure the WP Admin Files

Unless you have a webmaster or a website designer admin, you are the only person who should have access to the Wp-admin. Since this file is sensitive to the overall security of your WP site, you should use the .htaccess to restrict access to only specific IP addresses.  This option works better if you have a static IP address or manage your website from a single PC.  However, if you run a multi-user website, then you should allow access to specific IPs.  Below is a code that you can use to secure your wp-admin. Just copy and paste it to the .htaccess file in the wp-admin folder.

# deny access to wp-admin
order deny, allow
allow from xx.xx.xx.xx # This is your static IP
deny from all

The code above will restrict browser access to files in these directories instead of your IP address. Alternatively, you can restrict access to the directory by using a strong password.

Secure your WP-CONTENT

Without a doubt, the wp-content is the weakest link in your web directory and the easiest point of entry for hackers. This is understandable since it is part of the web directory that has to be writable.  While this is the case, you can still secure your WordPress website by disabling the execution of PHP files via the .htaccess. Copy and paste the following code into the .htaccess file.

Order Deny, Allow
Deny from All

*caution: depending on your theme or nature of plugins, the code may or may not break your site. If it breaks, disable or remove the code.

Use Secure FTP and SSH

Though FTP and SSH are common terms, many people are not familiar with the importance of these protocols/communication mechanisms.   The FTP is basically a File Transfer Protocol or mechanism through which servers exchange files. On the other hand, the SSH or Secure Shell is a protocol that establishes a secure connection to another server to communicate securely. Therefore, if you are presented with the option to transfer files between two servers, it is advisable to use the Secure File Transfer Protocol, which allows you to tunnel to any server through an SSH connection. Besides transferring files securely, this protocol allows you to work securely on a server.

Protect Htaccess file

The .htaccess file of your WordPress site is a very critical component that should be secured at all costs.  This file is often modified when dealing with redirects and therefore is commonly used to rewrite files to make them executable.  Since the .htaccess file gives you immense power to control some functions, you must secure it by restricting permissions or denying access. To apply for low permissions, you should set the number to 640.  Alternatively, you can discourage external attacks by adding the following.HTACCESS Directives


Order Deny, Allow
Deny from All

Conceal the WordPress Version

Intruders and hackers normally target websites that run on older versions of WordPress. They know what security flaws each version carries. If you can’t update your website regularly, the best thing is to conceal the version number. Remove Version and Hid WordPress versions can help you hide the version details on enqueued style and scripts URLs.

Change Login Area Slugs

It may not sound like a foolproof solution, but it will certainly help you conceal the login page from people who want to attempt forced login. For example, you can change the default login in WordPress from /wp-admin & wp-login to something that intruders won’t be able to know.

Install WordPress Security Plugins

There are so many WP plugins on the market, so you can’t run short of options. Security plugins can lower the risk of forced entry to your website. Before you install any of them, log in to your dashboard, then remove any unused plugins. Try to reduce the number of plugins that you’re using at a time.

Going back to security plugins, there are more than 20 of them in the WP plugin repository. I know it may be tough choosing amongst the ones available. Below are some good plugins that can help keep your website secure in 2017 and beyond.

  • All in one WP security is an awesome plugin for checking for vulnerabilities and implementing various security measures. In addition, you can use it to scan for malicious code.  The good thing about it is that it comes with a dashboard that shows you the security score of your site. Free and premium versions are available.
  • Wordfence – it’s another good plugin that allows users to implement login security, block specific IP addresses and scan for malicious code in WP core. Once you install it, you can set up monitoring and a web firewall. The plugin also provides real-time threats, thus alerting you of any unusual activity.
  • iThemes security is a good plugin with awesome security features that can keep intruders out of the bay. You can use it to modify database prefixes, scan for malware, track user activity, and generate strong passwords for your site.
  • Sucuri – This plugin allows you to scan for malware, monitor user activity, audit security activity, set up a web firewall, among other things. It’s a perfect option for those who want to harden the security of their WP sites.

Only Buy Themes from Trustworthy Vendors

Many online marketplaces offer Free WordPress themes. Some of them are developed by excellent developers, while amateurs do others. But to be safe, always go for premium themes from trusted vendors such as ThemeForest, Theme Isle, and Mojo Marketplace. Why is that? Trusted vendors normally update security flaws in their themes promptly. They also perform rigorous scans and tests before they roll out any theme. So you’re not only assured of a quality theme but a secure one too.

Sign Up with a Host who has High-Security Standards

Not every security flaw or risk comes from the website. Instead, some of the vulnerabilities arise from the host. If you want to set up a simple website design, go to a hosting service provider with robust security measures. A good host will actively fight off hackers, provide routine updates, and help you resolve security issues that could jeopardize website security.

Be Vigilant

Just because your WordPress site runs on the latest WP framework or has security plugins installed doesn’t mean it’s foolproof. Hackers never sleep. They are always looking for security flaws and devising new ways of compromising WordPress sites. So check for updates, reset your password from time to time, and monitor site activity. Most importantly, stay abreast of what’s happening in the industry.


Hackers will stop at nothing to have their way.  So you must be alert to secure your WordPress website. Check and install WP updates, use security plugins to set up a web firewall, buy themes from trusted vendors, and restrict access to sensitive files by blocklisted IP addresses. Whatever it takes to secure your site, do it. Suppose you are new to managing a WordPress site, better look for trusted website designing companies to do it for you.

If you need further help on this topic, Web Digital can help you in many ways. Aside from offering web design services, we also provide web hosting and other plans. In addition, we’re a well-established web design specialist (NZ), and we can help your small business website design needs with our assorted web design packages to choose from.

To get more information about website designer Auckland and website design services in Auckland, contact Web Digital!

Get free consultation

Call us 093901010

Free quote