13 December 2023

10 Ways to Strengthen WordPress Security

By Ronald Smith

If you run a WordPress website, keeping it secure should be your top priority. Unfortunately, many WordPress blogs fall prey to hackers due to outdated core files and plugins. Outdated files are like breadcrumbs to hackers, making your site an easy target.

So, how can you protect your blog from these bad actors? Start by always keeping your WordPress installation up to date. But there’s more you can do. Today, I want to share with you some helpful plugins and tips to fortify your WordPress security.

10 Plugins for Strengthening WordPress Security

You’ve built your website on WordPress, chosen a reliable hosting provider, and applied a beautiful theme. But don’t stop there. Take the necessary steps to safeguard your site from potential threats with the help of these plugins:

1. Changing the Default “wp_” Prefixes

Your website might be at risk if you’re using the predictable “wp_” prefixes in your database tables. With a known prefix, an attacker who finds a SQL Injection flaw in a plugin already knows the exact names of your tables. But don’t worry! I’m here to show you how to change those prefixes in just 5 easy steps using phpMyAdmin.

Step 1: Access phpMyAdmin

First, you need to access phpMyAdmin. You can usually find it in your web hosting control panel. If you’re not sure how to access it, you can ask your hosting provider for assistance.

Step 2: Select your WordPress database

Once you’re in phpMyAdmin, you’ll see a list of databases. Look for the one that is associated with your WordPress installation and click on it to select it.

Step 3: Find your “wp_” tables

Now, you’ll see a list of tables within your WordPress database. Look for the ones that start with “wp_”. These are the tables that we want to change the prefixes for.

Step 4: Edit table names

To change the prefixes, you’ll need to edit the names of the tables. Select each table that starts with “wp_” and click on the “Operations” tab at the top.

In the “Table options” box, you’ll find a field called “Rename table to”. In that box, enter your new prefix followed by an underscore. For example, you could use “mynewprefix_” as your new prefix.

Click on the “Go” button to save your changes. Repeat this step for each “wp_” table.

Step 5: Update the database

Once you have renamed all the tables, you need to update your WordPress installation to use the new prefixes. Open your WordPress configuration file, “wp-config.php”, and look for the line that says:

```php
$table_prefix = 'wp_';
```

Change 'wp_' to your new prefix. For example, if your new prefix is “mynewprefix_”, the line should look like this:

```php
$table_prefix = 'mynewprefix_';
```

Save the file and you’re done! Your database tables now have new prefixes, making your website more secure against potential threats.
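The phpMyAdmin clicks above rename the tables, but WordPress also stores the prefix inside row data: the role definitions live in the option named “wp_user_roles”, and each user’s capabilities sit in usermeta keys such as “wp_capabilities” and “wp_user_level”. If those keep the old prefix, every account loses its permissions after the change. The script below is an added example written for this article (not code from the original post); it does the rename and those row updates in one go using PDO from the command line. The database host, name, user and password are placeholders for your own values, and as always, take a full backup first.

```php
<?php
// Added example: rename all tables with the old prefix and fix the rows in
// wp_options and wp_usermeta whose keys embed the prefix.
// Connection settings further down are placeholders; run once, after a backup.

/**
 * Rename every table with prefix $old to prefix $new and rewrite the
 * prefix-dependent WordPress rows. Returns the new table names.
 */
function change_wp_prefix(PDO $pdo, string $old, string $new): array
{
    // Prefixes end up inside SQL identifiers, so allow only safe characters.
    foreach ([$old, $new] as $prefix) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
            throw new InvalidArgumentException("Unsafe prefix: $prefix");
        }
    }

    // LIKE treats "_" as a single-character wildcard, so escape it:
    // "wp_" becomes "wp\_%" and no longer matches e.g. "wpXposts".
    $likeOld = str_replace(['\\', '_', '%'], ['\\\\', '\\_', '\\%'], $old) . '%';

    $stmt = $pdo->prepare('SHOW TABLES LIKE ?');
    $stmt->execute([$likeOld]);
    $tables = $stmt->fetchAll(PDO::FETCH_COLUMN);

    $renamed = [];
    foreach ($tables as $table) {
        // Table names cannot be bound as parameters; validate before interpolating.
        if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
            throw new RuntimeException("Refusing to rename unexpected table: $table");
        }
        $target = $new . substr($table, strlen($old));
        $pdo->exec("RENAME TABLE `$table` TO `$target`");
        $renamed[] = $target;
    }

    // Role definitions are stored under "<prefix>user_roles". Only this one
    // option is renamed: other option names that happen to start with "wp_"
    // (for example wp_page_for_privacy_policy) are fixed names, not prefixed.
    $stmt = $pdo->prepare("UPDATE `{$new}options` SET option_name = ? WHERE option_name = ?");
    $stmt->execute([$new . 'user_roles', $old . 'user_roles']);

    // Per-user keys ("<prefix>capabilities", "<prefix>user_level", ...) all
    // embed the prefix; rewrite every meta_key that starts with the old one.
    // SUBSTRING is 1-based, so position strlen($old)+1 is the first char after it.
    $stmt = $pdo->prepare(
        "UPDATE `{$new}usermeta` SET meta_key = CONCAT(?, SUBSTRING(meta_key, ?)) WHERE meta_key LIKE ?"
    );
    $stmt->execute([$new, strlen($old) + 1, $likeOld]);

    return $renamed;
}

// Placeholder connection settings: copy the real ones from wp-config.php.
$pdo = new PDO(
    'mysql:host=localhost;dbname=wordpress;charset=utf8mb4',
    'wp_dbuser',
    'change-me',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

foreach (change_wp_prefix($pdo, 'wp_', 'mynewprefix_') as $table) {
    echo "renamed -> $table\n";
}
echo "Now set \$table_prefix = 'mynewprefix_'; in wp-config.php\n";
```

RENAME TABLE commits implicitly in MySQL, so the script cannot be wrapped in a single transaction; that is why the backup matters. After it finishes, update `$table_prefix` in wp-config.php and confirm you can still reach the admin panel with your existing account.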

Now that we’ve taken care of your database prefixes, let’s move on to another important security measure.

2. Hide Login Error Messages

When you try to log in to your WordPress admin panel and make a mistake, you might see an error message saying that your username or password is incorrect. Hackers can use this information to guess valid usernames and launch brute-force attacks.

To prevent this, we can hide login error messages. To do this, simply add the following code to your theme’s “functions.php” file:

```php
add_filter( 'login_errors', '__return_false' );
```

This code will prevent any error messages from being displayed when a login attempt fails.

Now you’ve made your login page more secure by hiding error messages that could give hackers valuable information.
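Hiding the message from the browser is only half the job: you still want failed attempts in your own logs so that a burst of them stands out. The snippet below is an added example written for this article, not code from the original post. It replaces the error text with one neutral message and records each failure through WordPress’s `wp_login_failed` hook. It is written as a must-use plugin (a file in wp-content/mu-plugins/) rather than a functions.php addition, so it keeps working if you switch themes; the plugin name is my own choice.

```php
<?php
/*
Plugin Name: Quiet login errors (added example)
Description: Example written for this article, not code from the original post.
             Save as wp-content/mu-plugins/quiet-login-errors.php.
*/

// Replace whatever WordPress wanted to say with one generic message. Returning
// false, as the one-liner in the article does, also works; a neutral sentence is
// friendlier to genuine users who simply mistyped.
add_filter('login_errors', function (string $errors): string {
    return 'Login failed. Please check your details and try again.';
});

// The visitor no longer sees the detail, but the server should keep it: log every
// failed attempt with its source address so repeated failures can be spotted.
// REMOTE_ADDR is the proxy's address when a reverse proxy or CDN sits in front;
// in that case read the header your proxy sets instead (an assumption about your setup).
add_action('wp_login_failed', function (string $username): void {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log(sprintf('wp login failed: user=%s ip=%s', sanitize_user($username), $ip));
});
```

The `error_log()` calls land in PHP’s configured error log (or the web server’s error log), which is where a fail2ban-style rule or a log monitor would read them.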

Next, let’s move on to our next security measure.

3. Keep the wp-admin Directory Protected

The “wp-admin” directory is like the control center of your WordPress website. It’s where you manage your site, install plugins, and make important changes. It’s crucial to keep this directory protected to prevent unauthorized access.

To protect the “wp-admin” directory, you can use a password. Most hosting providers offer this feature through the use of an .htaccess file. You can usually find this file in the “wp-admin” directory.

If you’re not familiar with .htaccess files or you’re not comfortable editing them, you can ask your hosting provider for assistance. They should be able to help you set up password protection for your “wp-admin” directory.

By keeping your “wp-admin” directory protected, you add an extra layer of security to your website and reduce the risk of unauthorized access.

There you have it! By changing your database prefixes, hiding login error messages, and keeping your “wp-admin” directory protected, you’re taking important steps to improve the security of your WordPress website. Keep up the good work!

Hey there! Did you know that keeping your “wp-admin” folder protected adds an extra layer of security? When someone tries to access any files or directories after the “wp-admin” folder, they’ll be prompted to log in. It’s super important to protect your “wp-admin” folder with a login and password, and luckily, there are a few different ways to do it!

First off, you can use a WordPress plugin called WordPress HTTP Auth. This plugin allows you to set up strong login credentials to protect your “wp-admin” folder. It’s a simple and effective way to keep unwanted visitors out.

If you’re using cPanel for your website, protecting your “wp-admin” folder is a breeze. Just log in to your cPanel admin area and look for the “Password Protect Directories” option. From there, you can easily set up password protection for any folder, including your “wp-admin” folder. Check out a tutorial to learn more about it!

Another method involves using the .htaccess and .htpasswd files. With these files, you can create a password-protected folder in just a few steps. Simply specify the folders you want to protect in the .htaccess file and list the users who are allowed to access them in the .htpasswd file. It’s a bit more technical, but our step-by-step tutorial will walk you through the process.

So, there you have it! Three different ways to protect your “wp-admin” folder and keep your WordPress site safe and secure. Choose the method that works best for you, and enjoy the peace of mind that comes with knowing your website is well-protected!

4. Keeping Your WordPress Blog Safe with Backups

Hey there! Did you know that having backup copies of your entire WordPress blog is just as important as protecting it from those pesky hackers? Trust me, it’s a lifesaver! If all else fails, you can always go back to your clean backup files and start fresh. Now, there are two types of backup practices we can explore: Full Backup and Incremental Backup.

Let’s start with the “full backup” method. This one includes everything on your site – the files, the database, the whole shebang. It’s like having a complete snapshot of your blog at a particular time. However, keep in mind that this method might take up more space than necessary. Plus, it could put a strain on your site’s CPU and disk usage when performing the backup. So, if your site has limited resources, this might not be the best option for you.

When it comes to backing up your WordPress website, there are two main options to consider: full backups and incremental backups.

A full backup includes all of your website’s files and data, and it is done every time you want to make a backup. This ensures that you have a complete copy of your website, but it can be time-consuming and resource-intensive.

On the other hand, an incremental backup only takes a full backup the first time, and from then on, it only backs up the items that have been recently changed. This method is more efficient because it saves time and resources by only backing up what is necessary.

There are several options available for incremental backups in WordPress, some of which come with a fee. Examples of such services include VaultPress and WP Time Capsule.

In addition to backups, there are other solutions for backing up your WordPress files and database. These solutions include useful plugins and backup services, which we have discussed in a previous article.

5. Prevent Directory Browsing

In terms of security, it is important to prevent directory browsing, as having your directories and files exposed can pose a security risk. To check if your WordPress directories are protected, you can perform a simple test:

1. Open your browser and enter the following URL (without the quotes): “http://www.domain.com/wp-includes/”

2. If the page appears blank or redirects you back to the home page, you can breathe easy. Everything is all good. However, if you come across a screen that lists the files inside that directory, that’s a red flag. Something is definitely not right.

By following these steps, you can ensure the security and integrity of your WordPress website. Remember, it’s always better to be safe than sorry.

To make sure that no one can access any of the directories on your website, you need to add this code to your “.htaccess” file (the comment must stay on its own line, or Apache ignores the directive):

```apache
# Prevent folder browsing.
Options All -Indexes
```

If you’re using the nginx server, you can use this code instead:

```nginx
autoindex off;
```

Next, let’s move on to some important steps you can take to keep your WordPress site safe:

6. Keep Your WordPress Core Files and Plugins Updated

Keep your WordPress core files and plugins updated regularly. This is one of the best ways to ensure the security of your site. Thankfully, WordPress has an automatic update feature that keeps your site up to date with the latest releases. Just double-check that this feature is enabled, and you’re good to go.

7. Choose a Strong Password

Choose a strong password for your WordPress account. This might seem obvious, but it’s worth mentioning. A strong password can greatly reduce the risk of your site being hacked. Make sure to use a mix of letters, numbers, and special characters, and avoid using easily guessable information like your name or birthdate. The stronger your password, the better protected your site will be.

When you create a new account or update your password on WordPress, you’ll see a helpful field that suggests a strong password. It will tell you if your password is strong or weak. It’s important to choose a strong password, but the issue is that strong passwords are hard to remember. That’s why I suggest using a password manager like 1Password or LastPass. These tools can help you keep track of all your passwords securely.


8. Bye Bye, Admin User!

Did you know that when you install WordPress, it automatically gives you a user named “admin”? Well, here’s a secret – using “admin” as your username makes it easier for hackers to get into your site. Yikes! But don’t worry, I’m here to help you fix it.

Instead of using “admin” to log into your website, let’s create a new administrator and say goodbye to the old “admin” user. Follow these steps:

  1. First, log in to your WordPress admin panel.
  2. Once you’re logged in, go to the “Users” section and click on “Add New”.
  3. Now, create a new user with the role of “Administrator”. Make sure to choose a strong password. Remember, security is key!
  4. After you’ve created the new user, log out of WordPress and then log back in using your new admin username.
  5. Head back to the “Users” section.
  6. Time to say goodbye to the old “admin” user! Remove it from your site.
  7. Oh, and one more thing – if the “admin” user has any posts, make sure to attribute them to your new user. We wouldn’t want any content going missing!

That’s it! By removing the “admin” user and creating a new, secure administrator, you’ve taken an important step towards keeping your WordPress site safe from those pesky hackers. Now go forth and enjoy a worry-free website!

9. Disable XMLRPC

Hey there! I wanted to tell you about this thing called XMLRPC in WordPress. It’s a bit technical, but it’s important to know about because it can be a way for bad guys to attack your site. Don’t worry, though! I have a solution for you.

If your site doesn’t need XMLRPC, then it’s a good idea to disable it. This will make your site more secure and protect it from potential attacks. You can even go a step further and restrict access to the XMLRPC endpoint to only certain IP addresses. Let me show you how:

For Apache, add this to your site’s .htaccess file (the `<Files>` wrapper limits the rule to xmlrpc.php instead of the whole site):

```apache
<Files xmlrpc.php>
order deny,allow
allow from 192.0.64.0/18
deny from all
</Files>
```

For Nginx:

```nginx
location = /xmlrpc.php {
    allow 192.0.64.0/18;
    deny all;
    access_log off;
}
```

10. Add HTTP Security Headers

Hey, I have another important step for you to make your website even more secure! It’s all about adding some special codes called HTTP security headers. These headers tell web browsers and servers how to handle your website and protect it from certain types of attacks. Cool, huh?

Adding these headers is super easy. You just need to put some lines of code in your website’s configuration file; an example follows below.

By adding these HTTP security headers, you’ll be adding an extra layer of protection to your website and making it even safer for you and your visitors. Keep up the good work!

Adding security headers to your website can enhance its security by adding an extra layer of protection against certain types of attacks. These headers provide instructions to the browser on how to behave in certain situations, giving you control over how your site is displayed and accessed. For instance, the X-Frame-Options header allows you to determine whether your site can be embedded within an iframe.

There are several types of headers you can add to your site to further enhance its security. These include:

  • X-XSS-Protection
  • Strict-Transport-Security
  • X-Content-Type-Options
  • Content-Security-Policy
  • Referrer-Policy

If you are using Apache as your web server, you can add these headers by including the following code in your configuration file or .htaccess (it requires the mod_headers module):

```apache
Header always set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "default-src 'self';"
Header set Referrer-Policy "no-referrer"
```


To add these headers, you may need to contact the hosting company that handles your website.
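When you cannot change the server configuration, WordPress can send the headers itself. The must-use plugin below is an added example written for this article, not code from the original post. It sends the same headers as the Apache snippet above with two deliberate differences: the Content-Security-Policy is sent in report-only mode first, because “default-src 'self'” blocks the inline scripts and styles that most themes and the WordPress admin rely on, and X-XSS-Protection is left out because current browsers ignore it and a CSP covers the same ground. The plugin name is my own choice.

```php
<?php
/*
Plugin Name: Security headers (added example)
Description: Example written for this article, not code from the original post.
             Save as wp-content/mu-plugins/security-headers.php.
*/

add_action('send_headers', function (): void {
    // Refuse to be framed by any site (clickjacking).
    header('X-Frame-Options: DENY');

    // Stop browsers from guessing a content type other than the one served.
    header('X-Content-Type-Options: nosniff');

    // HSTS only makes sense over HTTPS: browsers ignore it on plain HTTP, and a
    // site that is not fully working on HTTPS yet would lock visitors out for
    // max-age seconds. "preload" is omitted: submitting to the preload list is a
    // separate, hard-to-undo step.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }

    header('Referrer-Policy: no-referrer');

    // Report-only: violations show up in the browser console but nothing is
    // blocked. Tighten the policy for your theme, then switch the header name to
    // Content-Security-Policy. The exact policy is an assumption about your site.
    header("Content-Security-Policy-Report-Only: default-src 'self'");
});
```

Two limits are worth knowing. `send_headers` runs on the front end only, so admin screens do not get these headers from this plugin, and files the web server serves directly (images, CSS, uploads) never pass through PHP at all. Where you do have access to the server configuration, the Apache directives above remain the better place.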

As a bonus, I recommend subscribing to WPVulnDB to stay informed about the latest vulnerabilities in WordPress Core, Plugins, and Themes. WPVulnDB provides detailed information about the type of vulnerability, which versions are affected, and whether a fix is already available.