Hardening WordPress Security

How to enhance WordPress security

Most WordPress users make common mistakes, such as using admin as a username or not installing updates, and many more. WordPress security should be a top priority if you want your users' visits to be safe. Getting compromised by hackers sometimes means getting banned from Google and losing traffic, which is wasted money. Don't let that happen: read this article, then go to your WordPress installation and make it safe.

So, today's quick tip is how to make your WordPress safer in a few steps.

1. Disable directory listing in cPanel.

It's sometimes on by default at many hosting providers. Here's a link showing where to find it in cPanel.

2. Move your wp-config.php file to a parent directory.

It will be invisible to an attacker. This is one of the top security tips.

3. Delete admin username.

If you are using admin as a username, stop doing it! To make sure everything keeps working, create a new user with all administrative privileges and set a strong password using strongpasswordgenerator.com. Log out, then log in with the new username. The last step is to delete the admin user and reassign all of its posts to the new user with admin access. It is also good practice to choose a username with uppercase letters, numbers, etc.; just nothing common.

4. Restrict file permissions

Make sure that you have the lowest required CHMOD permissions. Some plugins may require 755, but for most, 644 is enough.
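
The following check for tip 4 is an added example, not part of the original post: it lists every file under a WordPress directory that is looser than 644 and every directory that is looser than 755, so you can decide which 755 files a plugin really needs. The function names and the sample tree are constructed for illustration; only POSIX find tests are used.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree
# against the 644 (files) / 755 (directories) baseline from tip 4.

# Print one line per finding: "FILE <path>" or "DIR <path>".
list_loose_perms() {
    root=$1
    # Files beyond 644: any execute bit, or group/other write.
    find "$root" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
        -o -perm -0020 -o -perm -0002 \) -print | sed 's/^/FILE /'
    # Directories beyond 755: group or other write.
    find "$root" -type d \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/DIR /'
}

# Status 0 when the tree meets the baseline, 1 when anything is looser,
# 2 when the argument is not a directory.
audit_wp_perms() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    findings=$(list_loose_perms "$root")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample tree so the check can be tried offline.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins"
    : > "$d/index.php";                    chmod 644 "$d/index.php"
    : > "$d/wp-content/plugins/tool.php";  chmod 755 "$d/wp-content/plugins/tool.php"
    : > "$d/wp-content/uploads/photo.jpg"; chmod 666 "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content" "$d/wp-content/plugins"
    chmod 777 "$d/wp-content/uploads"
    echo "$d"
}

# Usage: sh audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

A file reported at 755 is not automatically wrong; it is the list to review against what your plugins actually require.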

5. Remove your WordPress version.

It's fast and easy: just add remove_action('wp_head', 'wp_generator'); to your functions.php.

6. Use a CDN.

It doesn't have to be a paid version. Check out CloudFlare: it has great WordPress integration and setup takes a few minutes.

7. Update, update, update.

Update your theme, WordPress version, and plugins as often as you can. Make it your everyday habit to check for updates.

8. Backup, backup, backup! 🙂

Yes, the second thing is to make backups before updating and also to make backups at least once a week. You can do this on your own or by using a plugin, but for me, the best available option on the market is VaultPress. I know that the Premium option is not cheap, but it's worth every penny. At least use the Lite version.

9. Use SSL if it's available.

If your hosting provides SSL, use it. It's always much safer.

10. Use good plugins to enhance those security tips:

Login Security Solution - A simple way to lock down login security for multisite and regular WordPress installations.

Wordfence - Wordfence Security is a free enterprise class security plugin that includes a firewall, virus scanning, real-time traffic with geolocation and more.

And activate Akismet; it's installed by default in your WordPress.


So, to finish, take a look at this great infographic that Mike from startbloggingonline.com made.





About Kris Hoja

Hi! I'm Kris. For a while I was blogging about WordPress, now I'm the owner of HogStudio, a creative agency focused on website development.


  1. Muhammadibn says:

    It is very important to secure your WP blog/website.

    One way I found that prevented the annoying bots trying to attack was by changing the login URL and disabling wp-admin for non logged in users. I saw a massive downfall in brute force attacks!

    • Messing with the URL is a good way to prevent bot attacks, but it's important to restore the default settings before moving the website to another server.
      Also, some plugins can output errors when URLs are changed.

      • Muhammadibn says:

        I'm using a plugin to achieve this and there haven't been any problems so far. So fingers crossed. I just hope all stays well.

  2. sandi says:

    I have not had similar problems, but you never know.

    I also use WordPress, so thanks for the advice!
