How To Secure Your WordPress Website

By James LePage
 on May 15, 2020
Last modified on January 7th, 2022

How To Secure Your WordPress Website

By James LePage
 on May 15, 2020
Last modified on January 7th, 2022

Many website owners are rightfully worried about the security of their WordPress site. There a lot of manual hackers, as well as automated bots that are looking to break into your website, steal valuable user information, and push visitors to pop-up advertising.  This is a guide for a website owner who is looking to increase the security of their WordPress website for free, without much technical know-how, and without much integration or configuration.  We're going to discuss the best solutions to incorporate into the website, and how to do it.

Each solution is recommended by us because we've used them in past client websites, and have good experiences with them.

Why do we care?

First, let's go over why you should actually secure your WordPress website. If you already understand why this is a necessity in 2020, feel free to skip to the next section using the table of contents feature at the top of this post.

First and foremost if your visitor ends up on your web page, and is immediately bombarded with pop-up ads and redirects, they will click away. Your business will lose revenue, as well as credibility. This is the most typical and least serious think that a website hack will result in.

If the hack escalates to a more serious level, the hacker can steal your user information. This means customer emails and contact information can be captured from the website.  In a worst-case scenario, the hacker can log entries into the website, and gather credit card numbers and other sensitive data if you had payment processing on your site. 

If you are processing sensitive customer information, then you can be legally liable if your website gets hacked.

People have realized how serious consumer data privacy and security is, which is why we're seeing a lot of regulation in this area. For example, if you serve customers in the EU, the GDPR applies to you. GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. In the US there federal laws as well as state specific laws for data privacy. If you're interested in the legalities surrounding website security, go check out this impressive curated list of every law in the United States that could apply to your website:

If you have secured your website, you can build consumer trust by showing the measures you've taken to protect their information. You can do this through a blogpost, through a dedicated security page, or through footer badges. Did you know that choosing the right badge / seal can actually increase your conversion rate?

65% of online shoppers felt that the Norton™ Secured Seal was reassurance that the site would not give them a virus and was safe to browse.

Of course, to get this badge, you need a secure website to start off with. Now that we know why having a secure website is a must, and the benefits that it brings, let's look at some easy to incorporate ways to secure your WordPress website.

Ways to secure your WordPress website

Now that we know why security is a necessity, let's look at some solutions out there that you can incorporate into your WordPress website. We're going to be looking for the most cost-effective plugins, most of the ones in this list are free, but some are paid.

First, there are a few things that you can do to secure your website without a plugin.

  • Choose a reputable host: 
    • A secure website starts at the server level. If your web host is not reputable and doesn't properly secure its servers, and then continually scan for security, all of your hardening methods of the WordPress site will do nothing. It's absolutely essential that you choose a good host. We recommend Cloudways, as they allow you to have your site on enterprise-level hosting. All Cloudways hosted servers are protected by OS-level firewalls that filter out malicious traffic and keep out the intruders.
  • Obfuscate your login:
    • You can pretty quickly change your login slug from the default wp-login.php  do something of your own choosing. Changing this makes it difficult for automated bots that are programmed to search for pages with these slugs run attacks, as they can’t find the page in the first place. Keep in mind that this is not a method that will actually harden your website security, it's just something that will make bot attacks less common.
  • Choose a strong password:
    •  Perhaps the simplest but most overlooked security method is choosing a strong password. The base installation of WordPress can be hacked but, but is fairly secure in its own right. Choosing a strong password makes it difficult for Brute Force attacks to be run successfully.
  • Disable XML-RPC access
    • XML-RPC is a system that allows you to post on your blog using 3rd party clients & IFTTT. This is another route that hackers can exploit to gain access to your website (though it's become increasingly secure as WordPress Has gone through its versions). Disabling this if you don't use it service is a great idea to remove another potential vulnerability.

Security Solutions To Add To Your Site

Now let's take a look at some security plugins and solutions to add to your WordPress website, which  will seriously increase the security of it.

First up on the list is WordFence, which is a free plug-in that offers a collection of security services.

The main features of this plug-in follow:

  • Wordfence includes a Web Application Firewall (WAF) that identifies and blocks malicious traffic. 
  • The Wordfence scanner checks core files, themes and plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. It also compares your files with what is in the repository, checking their integrity and reporting any changes to you. 
  • The Threat Defense Feed arms the Wordfence plugin with the newest firewall rules, malware signatures, and malicious IP addresses it needs to keep your website safe. 
  • You can see more features at, just scroll down on the homepage.

The plug-in is really simple and easy to install, all you need to do is add it from the plugin repository on your WordPress installation, and follow the quick wizard which will configure it’s settings to best protect your website.

You can also set up your website to be connected to Wordfence Central. This allows you to manage Wordfence on multiple sites from one location. It makes security monitoring and configuring Wordfence easier.

With the free version of this plug-in on a fairly popular website asset of ours, we're getting this level of protection: 

That's pretty impressive for a free service. On all of our websites, the free or premium version of Wordfence is a core plugin.

The main two things we’ll go in and configure further are the reCAPTCHA & the 2Factor Auth for our login. Both are free and both are Google services that integrate with WordFence.

Another great plug-in with both a free and a premium version is called Hide My WP Ghost. This changes and hides WP common paths. No file or directory is changed, instead all the changes are made by WordPress redirects. Remember we discussed the automated WordPress Bots that will look up common WordPress paths to try to run Brute Force attacks? This changes all of those paths (not just the login one) so these bots become ineffective. 

Other than these additions to your WordPress website, and the manual changes that you can make, that's about all you need to do to secure things. Wordfence is the main way you will stop attacks on your website, Hide My WP will help on the automated attacks side of things. Always make sure to be diligently checking the front end and the back end of your website for any file changes or forigen access.

If you get hacked

If you find yourself in a situation where your WordPress website gets hacked, it's best to get professional help. You can consult with isotropic on how best to remedy the situation. We’ll either refer you to a specific remediation service, or we will secure your website ourselves.

If this is mission critical, take a look at Securi -- they’ll respond within 6 hours. 

Subscribe & Share
If you liked this content, subscribe for our monthly roundup of WordPress news, website inspiration, exclusive deals and interesting articles.
Unsubscribe at any time. We do not spam and will never sell or share your email.
Notify of
Inline Feedbacks
View all comments
Article By
James LePage
James LePage is the founder of Isotropic, a WordPress education company and digital agency. He is also the founder of, a venture backed startup bringing AI to WordPress creators.
We're looking for new authors. Explore Isotropic Jobs.
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram