Protecting your WordPress blog is crucial to ensure its security. Before we begin, here are a few important things you should keep in mind:

  • Always update your WordPress blog, plugins, and themes to install security fixes.
  • Use a strong password to secure your blog. Avoid using common passwords like “12345” or “qwerty”.
  • Connect to your site using only SFTP client.
  • Install antivirus software on your PC to protect it from malicious attacks.

Step 1: Backup

Backing up your WordPress site is essential to safeguard your data in case of any security breach. Follow these steps to back up your site:

  1. Create a backup of your database by using phpMyAdmin or a WordPress plugin such as BackWPUp.
  2. Back up your theme files and uploads folder using an SFTP client or any other method.
  3. You don’t need to backup WordPress core files and plugins unless their files have been modified. You can always download the latest clean version of WordPress and install the plugins to remove any malicious code that may have infected your website files.

Step 2: Chmod

Setting up the correct permissions for WordPress files and folders is critical to prevent unauthorized access. Here are the recommended chmod rights for WordPress files and folders:

Folder/File Chmod
/wp-content/ 755 (or 777 if needed)
/wp-content/themes/ 755
/wp-content/plugins/ 755
/wp-admin/ 755
/wp-includes/ 755
wp-config.php 400 (or 440)

You can use your SFTP client to set up chmod rights.

Step 3: Securing the Admin Area

The admin area is the heart of your WordPress site and is a prime target for hackers. Here are two effective ways to secure it:

Additional Password Protection

This method adds an extra layer of protection by requiring a password to access the admin area. However, this is not recommended if you are using the admin-ajax.php handler on your website or if you are not the only author on the blog. Here’s how to add additional password protection:

  1. Create two files in the wp-admin directory – .htaccess and .htpasswd
  2. Include the following code in the .htaccess file:
AuthType Basic
  AuthName "Hi, Dude!"
  AuthUserFile /home/
file should contain the username and password that you want to use to access the admin area. Here's how to create the .htpasswd file:
    1. Visit the htpasswd generator website.
    1. Enter your desired username and password and click on “Create .htpasswd file”.
    1. Copy the generated code and paste it into your .htpasswd file.

Limiting Access to IP Addresses

You can also limit access to the admin area by allowing only specific IP addresses to access it. Here’s how to do it:

    1. Add the following code to your .htaccess file:
order deny,allow
  allow from
  deny from all

Replace “” with the IP address that you want to allow access to the admin area. You can repeat this line for every IP address that you want to allow.

Step 4: Change Your Login URL

By default, the WordPress login URL is “/wp-admin/”. Changing it to something else can make it more difficult for hackers to find it. Here’s how to change your login URL:

  1. Install and activate the WPS Hide Login plugin.
  2. Go to Settings > WPS Hide Login.
  3. Enter your desired login URL and click on “Save Changes”.

Step 5: Disable File Editing

By default, WordPress allows you to edit plugin and theme files from the admin area. Disabling this feature can prevent hackers from injecting malicious code into your website. Here’s how to disable file editing:

  1. Add the following code to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);

Step 6: Use SSL Encryption

Using SSL encryption can prevent hackers from intercepting data transmitted between your website and its visitors. Here’s how to enable SSL encryption:

  1. Purchase an SSL certificate from your web hosting provider or a third-party provider.
  2. Install the SSL certificate on your server.
  3. Activate SSL encryption by adding the following code to your wp-config.php file:
define('FORCE_SSL_ADMIN', true);

Step 7: Protect Your WP-Config File

The wp-config.php file contains sensitive information about your WordPress installation, such as your database username and password. Protecting this file is critical to ensuring the security of your website. Here’s how to protect your wp-config.php file:

  1. Add the following code to your .htaccess file:
<files wp-config.php>
  order allow,deny
  deny from all

Step 8: Limit Login Attempts

Limiting login attempts is a simple but effective way to prevent brute-force attacks. Here are two plugins that can help:

  • Limit Login Attempts Reloaded: This plugin limits the number of login attempts and blocks an IP address after a certain number of failed attempts.
  • Jetpack: Jetpack is an all-in-one plugin that includes a feature to limit login attempts.

Both plugins can be easily installed from the WordPress plugin repository.

Step 9: Install a Security Plugin

Installing a security plugin can help you detect and prevent security threats on your WordPress site. Here are a few popular security plugins:

  • Wordfence Security: Wordfence is a comprehensive security plugin that includes a firewall, malware scanner, and login security features.
  • iThemes Security: iThemes Security offers over 30 ways to secure and protect your WordPress site, including two-factor authentication, malware scanning, and brute-force protection.
  • All In One WP Security & Firewall: This plugin offers a range of security features, including brute-force protection, file integrity monitoring, and database backup.

Choose a security plugin that suits your needs and install it from the WordPress plugin repository.

Step 10: Disable File Editing

By default, WordPress allows you to edit plugin and theme files from the dashboard. This can be dangerous if a hacker gains access to your dashboard. Here’s how to disable file editing:

  1. Open your wp-config.php file in a text editor.
  2. Add the following code to disable file editing:
define( 'DISALLOW_FILE_EDIT', true );

Step 11: Stay Informed

Keeping up-to-date with the latest WordPress vulnerabilities and security patches is crucial to ensure your site’s security. Here are a few resources to help you stay informed:

  • WordPress Security Blog: The official WordPress security blog provides the latest information on security vulnerabilities and patches.
  • WPScan Vulnerability Database: WPScan is a free online database of WordPress vulnerabilities.
  • Security Plugin Alerts: If you have installed a security plugin, it will notify you of any security threats or vulnerabilities on your site.

Make sure to regularly check these resources to stay informed and keep your WordPress site secure.

Was this article helpful?

Leave a Reply

Your email address will not be published. Required fields are marked *

Close Search Window