21 Killer Tips To Protect Your WordPress Site In 2023

Are you sure that your WordPress site is secure? Have you taken any action to improve the security of your website? If the answer is no, don't worry. Here are some practical tips to protect your WordPress site.

WordPress powers a large share of the web, and that popularity is one reason attackers target it: a single working exploit can be tried against an enormous number of sites. If you do not take any action to secure your site, it is only a matter of time before it is scanned and attacked.

21 Tips To Protect Your WordPress Site


Here are some useful tips to protect your website from hackers.

Choose a Good Web Hosting Provider

One of the easiest ways to protect your WordPress site is to choose a web hosting company that takes security seriously: current PHP and web server software, isolation between customer accounts, a web application firewall, malware scanning, and automatic backups.

A cheap host may look like a good choice, but it can cause problems later. Spending a little more on a good provider buys you those security features, and usually faster page loads as well.

Many companies offer solid security features for WordPress. We suggest WPEngine, Kinsta, and Nexcess for managed WordPress hosting.

If you are a beginner, shared hosting is fine to start with. You can sign up for A2 Hosting or Fastcomet.

Install a WordPress Security Plugin

A WordPress security plugin is an easy way to add protection: most bundle a firewall, malware scanning, login hardening, and file-change monitoring. There are many security plugins available.

Install one such plugin and you add an extra layer of protection to your website. Pick one that is actively maintained; a security plugin that is itself out of date becomes an attack surface.

Use Two-factor Authentication

Two-factor authentication (2FA) boosts security by adding an extra step to your website's login.

With 2FA, users need two things to get in: their password and a second factor, usually a short-lived one-time code (OTP) from an authenticator app, or a hardware security key.

Even if someone obtains your password, through a leak, phishing, or guessing, they cannot log in without the second factor. A brute-force attack that guesses the password still gets stopped at the second step.

Note that WordPress core does not ship 2FA; you add it with a plugin (most security plugins include it) or, on WordPress.com, enable two-step authentication in your account settings.

Always Update Your WordPress

When a new version of WordPress, a plugin, or a theme is available, you are notified in the admin dashboard the next time you log in.

New versions are released to introduce features, fix bugs, or patch security holes. Once a fix is public, attackers read the changelog and scan for sites still running the old version, so don't ignore these updates.

When you get the notification in the admin panel, update promptly. Since WordPress 3.7, minor and security releases of core are applied automatically by default; leave that enabled unless you have a deliberate process for applying them yourself.

Update All The Plugins

Always keep your plugins updated.

Most publicly reported WordPress vulnerabilities are in plugins rather than in core. Install only plugins you trust, that are updated frequently, and that have responsive support; check the "last updated" date and the tested-up-to version on the plugin page before installing.

Remove all unwanted and inactive plugins from your site. An inactive plugin is still code on disk and can still be reachable.

Update Your Theme

Update your theme when a new version is released. Purchase your theme from a known vendor.

When I purchase a theme, the first thing I check is who created it. Second, are they known members of the community with an established reputation?

Don't download "nulled" free copies of premium themes from unknown sites. These are frequently modified to include backdoors or spam code, and one infected theme can compromise every site you install it on.

Remove all unused themes from your site.

I would recommend a theme built on a well-maintained framework, because a framework with an active developer is more likely to get timely security fixes.

I recommend the GeneratePress and Astra themes.

Use A Complex Password

Use a strong, unique password for every account on your site. Use a long combination of uppercase and lowercase letters, digits, and special characters, and never reuse a password from another service, since leaked credential lists are the first thing attackers try. If you are using WordPress.com, enable two-step authentication.

You can use KeePass, free open-source password manager software, to generate and store strong passwords for your site.

Backup Your Site Regularly

A regular backup is what saves your data when your site gets hacked. You can restore all your posts, comments, and pages from it.

Use the WP-DBManager plugin to back up your database regularly. If you want to back up your entire WordPress installation (widgets, themes, plugins, uploaded files, and the SQL database), use BackupBuddy.

Store backups somewhere other than the web server itself (cloud storage or a separate machine), and test a restore now and then: a backup that sits beside the site is lost together with it, and an untested backup is not a backup.

No matter what kind of site you are running, stay vigilant and keep updated!

Never Use Admin As a Username For Your Website

This is one of the simplest steps to protect a WordPress site.

Attackers target websites that use the username "admin", because that is what older WordPress installations created by default and what most password-guessing tools try first.

If your administrator's username is "admin", you have handed over half of the login; once they have the username, they only have to find your password.

Once they get into your website, they can do anything they want. So never use "admin" as the username of an administrator account.

One caveat: WordPress does not treat usernames as secret. Author archive URLs and the REST API (/wp-json/wp/v2/users) expose the usernames of anyone who has published, so a changed username only removes the most obvious guess. Treat it as a small win and put the real effort into a strong password, 2FA, and login rate limiting.


If you are currently using the username "admin", create a new administrator and delete the old one.

Here are the steps to create the new user profile:

1. Log in to your website and click on Users.
2. Select "Add New" and enter a username that is not "admin".
3. Assign the Administrator role to it.

Once you have made the changes, log out, log back in as the new user, and delete the user with the username "admin". When WordPress asks what to do with that user's content, choose "Attribute all content to" the new user; otherwise the posts and pages owned by "admin" are deleted along with the account.

Limit The Number Of Login Attempts

Limit the number of login attempts allowed from one address to protect your site from password-guessing (brute-force) attacks, which are usually run from botnets. Plugins such as Limit Login Attempts or the iThemes Security plugin do this: after a few failed attempts from the same IP the address is locked out for a while, so guessing thousands of passwords becomes impractical.

iThemes Security (previously called Better WP Security) is one security plugin that scans, hardens, and helps recover a WordPress site. The rest of this section walks through it.

Once you install the plugin, you will see a notice in the dashboard. Just click "Secure your site now".

There are many security options in this plugin; only the important ones are covered here.

Change The Admin URL of Your website

Changing the admin URL is another step some people take to protect a WordPress site.

By default, the admin area is at www.abc.com/wp-admin and the login form at www.abc.com/wp-login.php.

You can change this to something of your choosing.

To do so, click on "Your WordPress area is not hidden" and then "Fix it". In the window that opens, check "Hide Backend".

Enter the new slug through which you will log in to your website.

Keep in mind that this is obscurity, not authentication: it cuts down automated noise against the default URLs, but anyone who finds the new URL is back to guessing passwords, so it never replaces strong passwords, 2FA, and login limits.

Change the Database Table Prefix of Your Site

By default, every WordPress table name starts with wp_ (wp_users, wp_options, and so on). Click on "Your blog prefix should not be wp" and rename it. A random prefix will be assigned to your site. Take a full backup first: the plugin renames every table and the prefixed option and user-meta keys, and a half-finished change leaves the site unusable.

A custom prefix only slows down SQL injection payloads that assume the default table names; it does not stop an injection, so treat it as a minor hardening step.

These are the basic and important steps to secure your website with this plugin.

If you are looking for more advanced protection, try Sucuri.net, a widely used malware scanning and clean-up service. Choose the plan that fits your site.

Disable XML-RPC

WordPress exposes an XML-RPC endpoint (xmlrpc.php) so that external programs, such as the mobile apps, desktop publishing tools, and Jetpack, can publish and manage content remotely.

XML-RPC is a remote procedure call protocol: the client sends a method name and parameters encoded in XML, the server runs the method and returns the result as XML.

Most sites don't need it, and the endpoint is a common weak point. Every call is authenticated with a username and password, and the system.multicall method lets an attacker pack hundreds of login guesses into a single HTTP request, sidestepping per-request login limits. The pingback.ping method can also be abused to make your server send requests to third-party sites.

That's why it's a smart move to turn it off unless something you rely on (Jetpack, the WordPress mobile app) needs it. Block requests to xmlrpc.php at the web server or with your security plugin, then confirm by sending a POST to /xmlrpc.php: a blocked endpoint answers with an HTTP error such as 403 or 404 instead of an XML response.
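Both the login-limiting advice above and the XML-RPC section come down to one thing: a single client hammering wp-login.php or xmlrpc.php. The following shell script is an added example written for this article, not code from the page or from any plugin named here. It runs awk over constructed access log lines (the IP addresses, timestamps and the blog.example domain are made up) and prints the addresses whose suspicious login POSTs reach a threshold; the function name and the threshold default are my choices.

```shell
#!/bin/sh
# Added example for this article (not code from the page or any plugin):
# find clients brute-forcing the WordPress login by counting POST requests to
# wp-login.php and xmlrpc.php per source IP in a combined-format access log.

# Constructed sample log (addresses are RFC 5737 test ranges, blog.example is
# a placeholder). Apache and Nginx "combined" format: the request method is
# field 6 (with a leading quote), the path field 7, the status code field 9.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1088 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1088 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1088 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1088 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3910 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://blog.example/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:02:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 52000 "https://blog.example/wp-login.php" "Mozilla/5.0"
EOF
}

# wp_bruteforce_ips [THRESHOLD]   (log lines on stdin, default threshold 10)
# Prints "ip count" for every client whose suspicious login POSTs reach the
# threshold, highest count first.
#   - wp-login.php: a successful login answers with a 302 redirect, a failed
#     one re-renders the form with 200, so only non-302 POSTs are counted.
#   - xmlrpc.php: every POST is counted. One request can carry hundreds of
#     credential guesses via system.multicall, so use a lower threshold here
#     than for wp-login.php if the endpoint is still enabled.
wp_bruteforce_ips() {
    awk -v limit="${1:-10}" '
        $6 == "\"POST" {
            if ($7 ~ /^\/wp-login\.php/ && $9 != 302) hits[$1]++
            else if ($7 ~ /^\/xmlrpc\.php/)          hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= limit) print ip, hits[ip]
        }
    ' | sort -k2,2nr -k1,1
}

# Stand-alone run: list offenders in the sample log at a threshold of 3.
sample_log | wp_bruteforce_ips 3
```

Against a real log, pipe the file in (`wp_bruteforce_ips 20 < /var/log/nginx/access.log`) and feed the result to your firewall or fail2ban. If the site sits behind a CDN or reverse proxy, the first field is the proxy's address, not the client's; log the X-Forwarded-For value (or the real-IP module's result) in that position, or the counts are meaningless.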

Protect your WP-config.php

The wp-config.php file is the most sensitive file in your installation. It holds the database name, username and password, the authentication keys and salts, and any other configuration constants; anyone who can read it can connect to your database with the site's own credentials.

Why is it a weak point?

Because it is a plain PHP file sitting in the web root. Normally the web server executes it rather than serving it, but a misconfigured server, a leftover copy such as wp-config.php.bak or wp-config.php~, or a path traversal bug in a plugin can expose its contents. And if it is ever corrupted, the site won't function at all.

Here's a simple trick: you can relocate wp-config.php one level above your main WordPress folder. WordPress checks the parent directory for it automatically (as long as there is no wp-settings.php there as well), so the site keeps working, but the file is now outside the directory the web server publishes. This only helps if that parent directory really is outside the document root; on many shared hosts it is, but check. Whichever location you use, keep the file's permissions tight (see the permissions section below) and make sure no backup copies of it are left in the web root.

Disable File Editing

By default, users with the Administrator role can edit theme and plugin PHP files from inside the dashboard (Appearance → Theme File Editor and Plugins → Plugin File Editor). That means anyone who gets hold of an administrator session, for example through a stolen password or a cross-site scripting bug, can write arbitrary PHP to your server without ever touching SFTP.

Disabling file editing removes those built-in editors. It does not stop changes made over SFTP or by plugin and theme updates; it only closes the in-browser route. (A stricter constant, DISALLOW_FILE_MODS, additionally blocks installing and updating plugins and themes from the dashboard, which suits sites deployed from version control.)

Place the following line in your wp-config.php file to remove the file editing capabilities:

define('DISALLOW_FILE_EDIT', true);

Check the File and Server Permissions

File and server permissions play an important role in protecting your website.

If they are too loose, other accounts on a shared server, or any compromised process on the machine, can read your configuration or overwrite your PHP files. If they are too strict, the web server cannot write uploads or apply updates and basic functions break.

Therefore, you need to set the right permissions.

File Permissions

  • Read permission lets a user read the file's contents.
  • Write permission lets a user modify or overwrite the file.
  • Execute permission lets a user run the file as a program or script.

Directory Permissions

  • Read permission lets a user list the names of the files in the directory.
  • Write permission lets a user create, rename, or delete entries in the directory (deleting a file is a write to its directory, not to the file itself).
  • Execute permission lets a user enter the directory and access the entries inside it by name.

The three digits of a mode such as 644 give the permissions for the owner, the group, and everyone else, each as the sum of read (4), write (2), and execute (1). To check permissions on your WordPress site, use any security plugin, or run ls -l over SSH.

Typical File permissions

Here are typical recommendations for file and directory permissions in WordPress.

  • All files should be 644 or 640. Exception: wp-config.php should be 440 or 400 to prevent other users on the server from reading it.
  • All directories should be 755 or 750.
  • No directory should ever be 777, not even the uploads directory. If the web server needs to write somewhere, give it ownership (or group ownership) of that directory instead of opening it to everyone.

The stricter variants (640, 750, 400) only work when the web server runs as the file owner or as a member of the owning group; on a host where PHP runs as a separate user, use 644, 755 and 440 with the group set to the web server's group.

Disable Directory Indexing and Browsing

Directory browsing (or directory indexing) means that when someone requests a folder with no index file, the web server lists the folder's contents. Attackers use this to find plugin and theme files with known vulnerabilities, backup archives, and other files you never meant to publish.

It also lets unauthorized users wander through your files, copy images, learn your directory layout, and gather information for a targeted attack.

This is why it's strongly advised to disable directory indexing and browsing.

On Apache, access your site through SFTP or cPanel's file manager, find the .htaccess file in your website's main directory, add the following line at the end, and save it.

Options -Indexes

The directive only takes effect if the host allows .htaccess overrides (AllowOverride Options). Nginx ignores .htaccess files entirely; there, directory listing is off unless autoindex on has been set in the server configuration. Either way, verify by requesting a directory such as /wp-content/uploads/ in a browser: you should get a 403 or an empty page, not a file list.

Remove Unused WordPress Plugins and Themes

Unused themes and plugins should be removed from your website, not just deactivated. Deactivated code is still on disk, its PHP files can often be requested directly, and it no longer gets your attention when updates come out, so a vulnerability in it remains exploitable.

Follow these steps to delete an unused WordPress plugin:

1. Navigate to Plugins → Installed Plugins.
2. You'll see the list of all installed plugins. Click Delete under the plugin's name.

Note that the Delete link only appears after the plugin has been deactivated.

Here are the steps to delete an unused theme:

1. From your WordPress admin dashboard, go to Appearance → Themes.
2. Click on the theme you want to delete.
3. A pop-up window will appear showing the theme details. Click the Delete button in the bottom-right corner.

Keep one default theme (for example Twenty Twenty-Three) installed besides the active one, so WordPress has something to fall back on if the active theme breaks.

Use SFTP/SSH for the Transfer of Files

If you need to upload or change files on your WordPress site, always use SFTP (or SSH directly) instead of plain FTP.

FTP sends your username, password, and file contents in cleartext, so anyone on the network path can capture the credentials. SFTP is a separate file transfer protocol that runs inside an SSH session, so the login and everything transferred are encrypted. Most hosts also offer FTPS (FTP over TLS); either is acceptable, plain FTP is not, and it is worth disabling the FTP service on your account entirely if the host lets you.

Disable Hotlinking

Hotlinking, also called inline linking or leeching, is when another site embeds images, videos, or other media files directly from your server in its own pages.

The files are served from your server's resources and bandwidth every time that page loads. This adds load to your server and slows down your website, and it can run up bandwidth charges.

To disable hotlinking in WordPress on Apache, follow these steps:

  • Use an SFTP client or cPanel's file manager to locate and edit the .htaccess file in your WordPress root directory.
  • Before making any changes, create a backup copy of your .htaccess file so you can revert if something goes wrong.
  • Add the following code to your .htaccess file and save it. Replace yourdomain.com with your actual domain name. It returns 403 Forbidden for common image formats (jpg, jpeg, png, gif) when the Referer header points at a site other than your own or the listed search engines; requests with no Referer are allowed, so direct visits and most feed readers keep working. The target of the RewriteRule is a single hyphen, meaning "leave the URL unchanged".
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?bing\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yahoo\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
  • Upload it back to the public_html folder.

Because the Referer header is set by the client, this stops casual hotlinking but not a determined scraper, and it also blocks image previews in any service you did not list.

If you’re using a CDN like Cloudflare, it might have built-in hotlink protection features that you can configure from your CDN settings.

Hide Your WordPress Version

Knowing the exact WordPress version makes an attacker's job easier: it tells them which published vulnerabilities apply, so a site that is behind on updates gets singled out quickly.

Hiding the version does not fix those vulnerabilities (keeping WordPress updated does), but it removes an easy fingerprint. WordPress prints the version in a generator meta tag in the page head and in the generator element of your RSS feeds.

Follow the steps below:

  • From your WordPress dashboard, navigate to Appearance → Theme File Editor. If you disabled file editing earlier, as recommended, edit the file over SFTP instead.
  • Choose your current theme and select the functions.php file. Prefer a child theme or a small site-specific plugin, because a theme update overwrites the parent theme's functions.php and your change with it.
  • To remove the version number from the header and RSS feeds, add the following code to the functions.php file:
function dartcreations_remove_version() {
    return '';
}
add_filter('the_generator', 'dartcreations_remove_version');

The generator meta tag in the page head is printed by the wp_generator action, which runs through the same the_generator filter, so the code above already blanks it. If you prefer to remove the action outright, add this line as well:

remove_action('wp_head', 'wp_generator');

Click Update File to save the changes.

Two other leaks remain: the readme.html file in the web root states the version (delete it after each update or block it at the web server), and the ?ver= query string WordPress appends to its own scripts and stylesheets usually equals the core version.
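To see whether the steps above actually hid anything, here is an added shell example, written for this article and not code from the page or from WordPress: it scans HTML read from stdin for the two places the version normally shows up, the generator meta tag and the ?ver= parameter on core assets, and prints each leak it finds. The sample pages are constructed (blog.example is a placeholder, the version number is arbitrary), and the function names are mine.

```shell
#!/bin/sh
# Added example for this article (not code from the page or WordPress):
# report where a rendered WordPress page still reveals its version.
# Reads HTML on stdin and prints "source:version" lines, one per leak found.

# Two places the version commonly appears in the HTML:
#   1. <meta name="generator" content="WordPress 6.3.1" />
#   2. ?ver=6.3.1 appended to core assets under /wp-includes/ (bundled
#      libraries such as jQuery carry their own version there instead, so
#      treat a value that repeats across several core assets as the real one)
wp_version_leaks() {
    sed -n \
        -e 's/.*<meta name="generator" content="WordPress \([0-9][0-9.]*\)".*/generator:\1/p' \
        -e 's/.*\/wp-includes\/[^?]*?ver=\([0-9][0-9.]*\).*/asset:\1/p' \
    | sort -u
}

# Constructed page: what a stock WordPress head looks like.
sample_page_default() {
cat <<'EOF'
<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.3.1" />
<link rel="stylesheet" href="https://blog.example/wp-includes/css/dist/block-library/style.min.css?ver=6.3.1" media="all" />
<script src="https://blog.example/wp-includes/js/wp-emoji-release.min.js?ver=6.3.1"></script>
</head><body></body></html>
EOF
}

# Constructed page: the same site after the generator tag has been removed
# with the functions.php code above. The ?ver= strings are untouched by it.
sample_page_no_generator() {
    sample_page_default | grep -v 'name="generator"'
}

# Stand-alone run: the "hardened" page still gives the version away.
sample_page_no_generator | wp_version_leaks
```

Against a live site, use `curl -s https://blog.example/ | wp_version_leaks`. To strip the ?ver= parameter from core assets you can hook the script_loader_src and style_loader_src filters and call remove_query_arg('ver', $src), at the cost of losing cache-busting when WordPress updates; weigh that against the fact that a scanner can just as easily read readme.html, and that none of this substitutes for installing the update itself.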


That’s all about the tips to protect WordPress sites.

Various types of cyberattacks can occur, from injecting malicious code to launching DDoS attacks. Attackers often focus on WordPress sites simply because there are so many of them.

As a result, anyone who runs WordPress needs to know how to protect their site. Securing a WordPress website is not a one-time task; it is a continuous process. There is always some risk, but applying these measures reduces it considerably.




Blogger and Entrepreneur. You can follow him on Twitter. At Onlinedecoded.com, he writes mostly about Blogging and Technology Tips

2 thoughts on “21 Killer Tips To Protect Your WordPress Site In 2023”

  1. Hi Umapathy,
    I am so glad again to be here.
    Yours is indeed a wonderful site with a lot of information on WP and other blog-related tutorials. I am new to WordPress and still in the learning stage.
    Thanks for sharing.
    Have a blessed day.
    ~ Philip

  2. Thank you for sharing your thoughts. I truly appreciate your efforts and I will be waiting for your further post thank you once again.

