Is WordPress really as secure as it seems? After all, 90% of infected websites were hosted on WordPress in 2018. However, many of these attacks are easily preventable. With just a little bit of preparation, your website can become much more secure. In fact, you can secure it in mere minutes with just a few WordPress security hacks.

1) Use Premium Hosting

This is hardly a “WordPress security hack,” but it’s extremely important: don’t skimp on your WordPress hosting. Hosting services may not seem fun and flashy, but they make all the difference. In fact, 41% of all WordPress attacks are caused by a bad hosting platform.

Managed hosting may be pricier than your standard shared hosting, but trust us: it’s worth every penny. You’re paying a company to manage all of the technical details that keep your website alive, which means your security is backed up by a WordPress expert.

But what does this mean for your website? For starters, your host will keep all the software and hardware up to date. When you run the latest version of WordPress, hackers can’t exploit the security vulnerabilities in the older version.

Up-to-date hardware and software only scratch the surface. Most premium hosts also provide a web application firewall (WAF), which keeps viruses and malware out of your website.

Two users pass through the WAF, but the hacker does not

If malware does get into your website, all hope is not lost. The host will take action. It will notify site owners and even disable accounts to run scans.

However, viruses aren’t the only threat thwarted by high-quality hosting. Premium hosts will even protect your website from DDoS attacks and other disasters. They offer accident plans and disaster recovery solutions to keep your site safe and secure–no matter the threat.

Premium hosting is the single best way to secure your website. However, security doesn’t stop here. With just a few five-minute fixes, your website can become still more secure.

WordPress recommends Bluehost, DreamHost, and SiteGround, but lots of other wonderful options exist. Give us a holler to discuss which option may work best for you.

2) Install a WordPress Backup Solution

What will you do if your website disappears? What’s your backup plan?

A fail-proof website needs a good fail-safe. That’s why a full backup of your website is so important.

If anything goes wrong, you’ll thank your lucky stars that you have a backup of your website. It’s a simple way to recover from a total disaster in mere seconds.

But remember: you need to frequently back up your website for a backup to be effective. Back it up at least once per day, if not in real-time, depending on how frequently you make updates. Plugins will usually do this job for you. We recommend WPengine. It makes backing up and restoring your website near effortless.

In mere minutes, you can make your website exponentially more secure by backing it up. But what about more active defense, such as monitoring?

3) Install a Malware Scanner

Monitoring your website can be tedious. No one has time for all those manual scans. So why not do it automatically?

Installing a security plugin with a good malware scanner, like Wordfence, can be a game changer. Wordfence scans and spots every file that deviates from the normal WordPress files. Once it identifies those non-core files, you can quarantine them properly.

Plus, it’s easy to install. In just minutes, you can say goodbye to hidden malware.


How much difference can a single letter make? As it turns out, quite a lot.

Check your website URL. Does it start with http://? Then it’s not encrypted. Your URL should start with https://–that “s” stands for “secure.”

A single letter may seem silly, but that squiggly little “s” packs a punch. If your website communicates over HTTP, anyone on the network path with some free software can intercept, or “sniff,” that info. HTTPS, however, encrypts the connection with TLS (the successor to SSL) and uses a certificate to prove the server’s identity, so a sniffer only sees scrambled data. This is especially important for any website with a login, since you want to keep your data secure.

HTTP can be intercepted, but HTTPS is encrypted

HTTPS also helps your SEO. Google dings websites that use HTTP instead of HTTPS, so that tiny “s” can actually boost your rankings.

With services like Let’s Encrypt offering free SSL, it’s never been easier or cheaper to use SSL. It lends reassurance to your visitors and an extra layer of security on your website.

5) Change the Default “Admin” Username

Depending upon when and how you created your admin account, you may need to change the username.

In ye olden days before WordPress 3.2, the default admin username was “admin.” That’s not very secure because hackers already have your username. All it takes is a few brute force attacks before they’re in–especially if you have a weak password.

WordPress now requires you to create a custom username. However, if you use an older account, or if you installed WordPress with a one-click installer, your username may still be “admin.”

Luckily, WordPress now allows you to change your username without too much fancy footwork. If you can’t change the username, create a new username and ditch the old one. You could even use a plugin or edit it through phpMyAdmin. However you do it, make sure you set your username to something unique. It’s an extremely simple step that goes a long way.

6) Disable PHP File Execution in Certain WordPress Directories

Websites are made up of files and folders (directories). Some directories store images, others store web files, and some are even empty. You can learn more about WordPress directories on wpbeginner.

WordPress files. Image from wpbeginner.

If some directories don’t need PHP file execution, why should you leave it enabled on all of them?

If you leave PHP file execution enabled where you don’t need it, any malware or backdoor file that hackers manage to upload to that directory can actually run on your server.

Disabling PHP file execution in certain directories is pretty simple. Wpbeginner has a straightforward guide for disabling PHP execution, so I encourage you to check it out.

7) Install the “Limit Login Attempts” Plugin

WordPress login displaying a "3 attempts remaining" message

Hackers can only attempt a few logins at a time. Screenshot from the Limit Login Attempts Reloaded plugin page

The most devastating attacks don’t need a ton of code. All it takes is one person guessing username/password combinations indefinitely.

If visitors can attempt multiple logins, they can brute force their way into accounts. However, by limiting the number of login attempts, you significantly reduce the risk of a damaging attack or a compromised user account.

The Limit Login Attempts plugin is a great solution. It allows you to set a maximum number of login attempts.

This plugin pairs especially well with any two-factor authentication plugin, since they both prevent malicious logins–just remember to add a reset password option in case your users forget their password.
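To see whether login guessing is actually happening on your site, you can count failed logins per IP address in the web server's access log. The script below is an added example, not part of the plugin or the original article; the function names are chosen for this example and the log lines are constructed sample data. It assumes an Apache combined-format log and a default WordPress login page, which answers a failed login with status 200 and a successful one with a 302 redirect.

```shell
#!/bin/sh
# Constructed sample access log (combined format, documentation IP ranges).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:05:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Mar/2024:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# failed_logins LOGFILE THRESHOLD
# Prints "count ip" for every client with at least THRESHOLD failed logins,
# busiest first. A failed login is a POST to wp-login.php answered with 200
# (assumed default behaviour; a successful login redirects with 302).
failed_logins() {
    awk -v min="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# When a log file is given on the command line, report on it (threshold 5
# unless a second argument overrides it).
[ $# -lt 1 ] || failed_logins "$1" "${2:-5}"
```

An address that keeps appearing here after the plugin is active is a candidate for a longer lockout or a firewall rule.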

8) Randomize the WordPress Database Prefix

Security isn’t just about plugins–those would be some boring WordPress security hacks. You can also secure your website on the database level.

A WordPress database is made up of tables, and each table is made up of rows and columns. These tables have different names like “wp_users” or “wp_options.” Renaming the “wp_” prefix obscures the true table’s name. WordPress still knows where to find them, but hackers don’t.

9) Disable Directory Indexing and Browsing

If you want to keep hackers from snooping through your website, don’t give them a free guide on how to do it.

By default, visiting a directory on an Apache web server that doesn’t have an index.php file will return a browsable directory listing of all files and folders–that’ll look like this:

Index of /admin/ backup

Image from acunetix.

In case you can’t tell, it’s a hacker’s goldmine. They can use it to observe your directory structure, look at files, and more. It’s basically a map to your website.

Disabling directory indexing and browsing will prevent this nightmare scenario from unfolding. Follow this wpbeginner guide to disable it yourself.

10) Disable XML-RPC

XML-RPC is awesome–but it shouldn’t be enabled across the board.

XML-RPC is a pretty simple protocol: the call is encoded with XML and transported with HTTP. It was enabled in WordPress 3.5, and many custom websites use it for app integration.

A diagram of XML-RPC

While it does some powerful stuff, it can also be used by brute force hackers. They use it to make multiple password guesses in a single login attempt, which lets them bypass login attempt limits and save time and computing resources.

If you’re using XML-RPC to connect your website to an app, keep it. However, if it’s sitting idle and unused, disable it. Use this wpbeginner guide to turn it off.
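Tips 6, 9 and 10 all come down to a few lines in .htaccess files, so they can be applied together. The shell function below is an added example, not taken from the original article or the wpbeginner guides. It assumes Apache 2.4 with AllowOverride enabled for the site and treats only wp-content/uploads as a no-PHP directory; `harden_wp`, `append_once` and `KEEP_XMLRPC` are names chosen for this example.

```shell
#!/bin/sh
# Append a marked block to a file unless that marker is already present,
# so the script can be re-run without duplicating rules.
append_once() {
    file=$1 marker=$2 block=$3
    if [ -f "$file" ] && grep -qF "# BEGIN $marker" "$file"; then
        return 0
    fi
    printf '\n# BEGIN %s\n%s\n# END %s\n' "$marker" "$block" "$marker" >> "$file"
}

# harden_wp DOCROOT
harden_wp() {
    docroot=$1
    [ -f "$docroot/wp-config.php" ] || {
        echo "not a WordPress root: $docroot" >&2
        return 1
    }

    # Tip 6: uploads only holds media, so refuse to serve PHP files from it.
    mkdir -p "$docroot/wp-content/uploads"
    append_once "$docroot/wp-content/uploads/.htaccess" "no-php" \
'<FilesMatch "(?i)\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>'

    # Tip 9: turn off automatic directory listings for the whole site.
    append_once "$docroot/.htaccess" "no-indexes" 'Options -Indexes'

    # Tip 10: block xmlrpc.php, unless KEEP_XMLRPC=1 says an app still uses it.
    if [ "${KEEP_XMLRPC:-0}" != "1" ]; then
        append_once "$docroot/.htaccess" "no-xmlrpc" \
'<Files "xmlrpc.php">
    Require all denied
</Files>'
    fi
}

# Apply to the directory given on the command line, if any.
[ $# -eq 0 ] || harden_wp "$1"
```

After running it, request a PHP file under /wp-content/uploads/, a directory without an index file, and /xmlrpc.php; each should now return 403 Forbidden.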

Did you enjoy this guide? While these are some of the most important tips, there are plenty more ways to secure your WordPress site. Learn more WordPress security tips on wpbeginner. It’s a great resource for beginners and pros alike. For more hands-on assistance building or securing a WordPress website, check out our web development services. We have years of experience working directly with the client to build secure and stunning custom and semi-custom websites. Reach out online to find out what we can do for you.