How to Secure WordPress Site?

How to Secure WordPress Site? >> Innovative Techniques of Digital Marketing to Grow & Sustain RMG Business

How to Secure WordPress Site: Hackers can steal your information and password to install malware software so they can distribute.

  • Google blacklisting more than 20,000 websites for malware and more than 50,000 for phishing each week. (Source: sucuri . net )
  • 90k website hacks everyday, 10k websites blacklisted everyday.
  • There is an attack every 39 seconds by Hackers and steal 75 records in every second (Source: Security Magazine )
  • 73% black hat hackers said traditional firewall & antivirus is irrelevant (Source: Thycotic . com)
  • Hackers make 300,000 new malwares daily. (Source: McAfee)
  • 30,000 websites are hacked every day. (Source: Forbes)
  • Shared Hosting Providers. hackers escalate their privileges on whole server, so automatically gaining access to your website
  • 170,000 times a year criminals attempt to steal domains.

WordPress Site Statistics

  • WordPress powers 35% of the internet in 2020 and 28% of eCommerce site
  • 98% of WordPress hack are related to plugins
  • 87% of websites have mid-level weaknesses. (Acunetixs Report 2019)

Check List

Security NameAtBnSpHdHl
Set strong passwordsYYYYY
How to Backup and Restore WordPress Site with or without PluginYYYYY
Update Theme Storefront, Kuteshop, Woodmart & SahifaYYYYY
Update Plugin (Free & Pro Only)YYYYY
Remove unused theme Active/DisabledYYYYY
Remove unused theme Active/DisabledYYYYY
Remove Inactive User from WP, cPanel, FTP etc .....
Do not use Admin / Root as User NameYYYYY
New User Default Role set as SubscriberYYYYY
Set strong passwords YYYYY
Automatically log out Idle Users in WordPress.....
Change Default Login URL...Y.
Limit Login Attempt.....
Add Security Questions to WordPress Login ScreenYYYYY
Add two factor authentication for WP.....
Enable Web Application Firewall (WAF) In WP.....
Change WordPress Database wp_prefixYYYYY
Disable Directory Indexing (Robots.txt)YYYYY
Protected Access to WP Admin FOLDER.....
Scanning WordPress for Malware and VulnerabilitiesYYYYY
Configure Brute Force Protection in WordPressYYYYY
How to block spam commentsYYYYY
Fixing a Hacked WordPress SiteYYYYY
1 Click StagingYYYYY
Set strong passwordsYYYYY
Add two factor authentication for hostingYYYYY
Enable Web Application Firewall (WAF) in Hosting.....
Disable SSH Access.....
Incorrect File Permissions.....
How to Edit Wp Config Php From Dashboard.....
Disable XML-RPC in WordPress.....
Prevent PHP direct execution on sensitive directories.....
WordPress Htaccess Configuration Access Control Allow Origin.....
Check & Compare All System HTML FilesYYYYY
Check & Compare All System Php FilesYYYYY
Configure Brute Force Protection in Hosting.....
Hotlink Protection (cPanel).....
Set strong passwordsYYYYY
How to implement cloudflare CDN YYYYY
How To Install SSL Certificate in cPanel for WordPress WebsiteYYYYY
SSL between Hosting & Cloudflare.....
Set strong passwordsYYYYY
Add two factor authentication for domainYYY..
Keep note for all registration informationYYYYY
Set domain expiry notificationYYYYY

Backup your Website

This is very important because when your file will be infected you may not clean all infected code, so in this situation you can restore your files

Disable File Edit

WordPress has built in code editor under Appearance menu which allows you to edit your theme and plugin files from your WordPress admin area. You should disable it. You can add code in wp-config.php files

1 // Disallow file edit
2 define( ‘DISALLOW_FILE_EDIT’, true );

Limit Login Attempt

Limit Login Attempts to protect your site from brute force attacks

  • phppot . com/wordpress/how-to-limit-login-attempts-in-wordpress/
  • stackoverflow . com/questions/25836668/wordpress-limit-login-attempts-without-plugins

Add below code to WordPress functions.php. This code contains the WordPress action & filter hook and the corresponding callback function. The callback contains code for restricting number of invalid login attempts.

function check_attempted_login( $user, $username, $password ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );

        if ( $datas['tried'] >= 3 ) {
            $until = get_option( '_transient_timeout_' . 'attempted_login' );
            $time = time_to_go( $until );

            return new WP_Error( 'too_many_tried',  sprintf( __( '<strong>ERROR</strong>: You have reached authentication limit, you will be able to try again in %1$s.' ) , $time ) );

    return $user;
add_filter( 'authenticate', 'check_attempted_login', 30, 3 ); 
function login_failed( $username ) {
    if ( get_transient( 'attempted_login' ) ) {
        $datas = get_transient( 'attempted_login' );

        if ( $datas['tried'] <= 3 )
            set_transient( 'attempted_login', $datas , 300 );
    } else {
        $datas = array(
            'tried'     => 1
        set_transient( 'attempted_login', $datas , 300 );
add_action( 'wp_login_failed', 'login_failed', 10, 1 ); 

function time_to_go($timestamp)

    // converting the mysql timestamp to php time
    $periods = array(
    $lengths = array(
    $current_timestamp = time();
    $difference = abs($current_timestamp - $timestamp);
    for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) - 1; $i ++) {
        $difference /= $lengths[$i];
    $difference = round($difference);
    if (isset($difference)) {
        if ($difference != 1)
            $periods[$i] .= "s";
            $output = "$difference $periods[$i]";
            return $output;

Add two factor authentication

Source: wpbeginner . com/wordpress-security/#whysecurity

Do not use Admin / Root as User Name

Change Default Admin username if any. If not you are not able to delete user, make him subscriber.

Change WordPress Database wp_ Prefix

We can change it tow ways. One is Plugin Installation and custom SQL mode.

We can change it both custom more or with SQL command. The steps given below –

Step 1 – Change all table prefix in wp-config.php. Edit below prefix from File Manager

$table_prefix = ‘wp_’;

Change as

$table_prefix = ‘wprmg_’;

Now Save the file

Step 2 – Change all table prefix in database

Click on database name > Select all table start with wp_ ; > Click With selected to open drop down > With selected > Type in wp_ in the From-field, and type wprmg_ in To-field, wprmg_ > Click Continue for change

Step 3 – Replace all references into the old prefix

WordPress still contain to the old table prefix. To all changing the prefix, you need to replace these with new prefix.

Now go to SQL command in phpmyadmin and copy and paste the following commands

update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_capabilities' where meta_key = 'OLDPREFIX_capabilities';
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_user_level' where meta_key = 'OLDPREFIX_user_level';
update NEWPREFIX_usermeta set meta_key = 'NEWPREFIX_autosave_draft_ids' where meta_key = 'OLDPREFIX_autosave_draft_ids';
update NEWPREFIX_options set option_name = 'NEWPREFIX_user_roles' where option_name = 'OLDPREFIX_user_roles';

Replace OLDPREFIX and NEWPREFIX, with your own old and new prefix. Like in the example below, where we replace wp_ with david_:

update david_usermeta set meta_key = 'david_capabilities' where meta_key = 'wp_capabilities';
update david_usermeta set meta_key = 'david_user_level' where meta_key = 'wp_user_level';
update david_usermeta set meta_key = 'david_autosave_draft_ids' where meta_key = 'wp_autosave_draft_ids';
update david_options set option_name = 'david_user_roles' where option_name = 'wp_user_roles';

Click on Go to run the commands and complete the change.

Change Default Login URL Without Plugin

Process 1: WordPress default URL: /wp-login.php or /wp-admin

  • At first go to public_html
  • Then take backup wp-login.php file
  • Then rename wp-login.php into any namen like mashiur.php
  • Then open file mashiur.php in any editor like notepad++
  • Then Replace all wp-login.php into mashiur.php (Generally 12 file will replace)
  • Finally it is done. Now go to your new URL and login

Process 2: Add the following code to your .htaccess file to change the name of your login URL:
01 RewriteRule ^mynewlogin$ [NC,L]

Process 3: Plugin Installation

Prevent PHP direct execution on sensitive directories

Directories such as “wp-content” and “wp-includes” are generally not intended to be accessed by any user, consider hardening them via Sucuri Security -> Settings -> Hardening.

Disable SSH Access

By default it may open. 99% hacker try to login with SSH console. So must disable it

Configure Brute Force Protection

You can protect from WordPress Plugin, cPanel, WHM, VPS, even form dedicated server control panel

Jetpack Security :

User Free feature of Jetpack plugin to protect brute force attack

cPhulk Brute Force Protection Configure

Disable XML-RPC in WordPress
XML-RPC file is required to jetpack to work. Without the xmlrpc, Jetpack will not work.

1 Click Staging

Safely test changes to your website before you roll them out to visitors without breaking your site. Staging gives you confidence to test changes before you publish without worry. It creates a copy of your site in a “sandbox” environment where you can experiment & preview changes without it affecting . When you’re ready, push your changes to your live site with a simple click!

  • You’ll see a link and login information
  • When you go here, you’ll be asked for user name / password. Its provided on the same staging tab
  • The staging site should be a replication of your live site.You can then login to the staging wp-admin and make the changes there
  • Remember, your changes in the staging will not affect the live site.If you like the changes you made on the staging site and want to push to the live site, you can request that on the staging tab

Security Plugin List

(A) Jetpack – WP Security, Backup, Speed, & Growth

(B) Wordfence Security – Firewall & Malware Scan

(C) All In One WP Security & Firewall

(D) Defender Security – Malware Scanner, Login Security & Firewall

(E) Cerber Security, Anti-spam & Malware Scan

(F) Security & Malware scan by CleanTalk

(G) WP Hide & Security Enhancer

(H) NinjaFirewall (WP Edition) – Advanced Security

(I) Shield Security: Powerful All-In-One Protection

(J) Security Ninja – Secure Firewall & Secure Malware Scanner

(K) MalCare Security – Free Malware Scanner, Protection & Security for WordPress

(L) BulletProof Security

(M) Sucuri Security – Auditing, Malware Scanner and Security Hardening

(N) Titan Anti-spam & Security

(O) WP Activity Log

(P) Anti-Malware Security and Brute-Force Firewall

(Q) Hide My WP Ghost – Security Plugin

Free Features

  1. Block spam comments
  2. Brute force attacks to hack password
  3. Brute force attacks to identify account name
  4. Two-factor authentication (2FA)
  5. CAPTCHA stops bots from logging in
  6. Google reCAPTCHA for against spammers.
  7. Limit Login attempt
  8. Custom Login URL
  9. powered login & 2FA for extra protection
  10. Back up your site automatically and restore
  11. Set a maximum password age and force users to choose a new password
  12. Security Protection for WordPress login form
  13. Security Protection for WordPress backend
  14. Uptime / downtime monitoring
  15. Checks core files, themes and plugins for malware
  16. Activity log and Alert to admin for file editing
  17. Repair files that have changed by overwriting them with a pristine, original version.
  18. Checks your content safety by scanning file contents, posts and comments for dangerous URLs and suspicious content
  19. Block logins for administrators using known compromised passwords.
  20. Firewall identifies & blocks malicious traffic
  21. Blocks requests that include malicious code & content.
  22. Temporary Privilege Access permissoin

Login masking – change the location of WordPress’s default login area
Login lockout – failed login attempts lockout
404 Detection – automated block of bot IPs
Geolocation IP lockout – block users based on location and country (IP blocking)
WordPress Security Firewall – block or whitelist IPs
Disable trackbacks and pingbacks – spam prevention
Change default database prefix – they won’t find this
Disable file editor – if they get in, they won’t get far
Prevent PHP execution – because it’s daaaangerous
Permit or restrict access by White IP Access list and Black IP Access List with a single IP, IP range or subnet.
Cerber anti-spam engine for protecting contact and registration forms.
Protects wp-login.php, wp-signup.php and wp-register.php from attacks.
Hides wp-admin (dashboard) if a visitor isn’t logged in.
Immediately blocks an intruder IP when attempting to log in with non-existent or prohibited username.
Restrict user registration or login with a username matching REGEX patterns.
Block access to XML-RPC (block access to XML-RPC including Pingbacks and Trackbacks).

External Tutorial

cPHulk Brute Force Protection
cPHulk Brute Force
VPS Backup
WP Login URL
WP Login URL
1 click