8 Essential WordPress Security steps before website launch

wordpress security

WORDPRESS SECURITY is as important as your website content and services.

WordPress is a well-known CMS and has accessibility in so many different ways, which makes it vulnerable to hacking. If you do not follow the right WordPress security guidelines, you will be hacked.

So, to follow the right WordPress security guidelines means reducing accessibility to those who want to hack you. This means you will have to keep your WordPress website secure around the clock.

This article will reveal the 6 essential methods you should follow if you want to have a secure WordPress website. Please note that you have to follow this step by step and use the codes I am going to provide you here with caution. Every WordPress installation is different so please take these precautions before applying this to your website:

  • Back up your website before doing anything: if you don’t have a backup plugin, download UpdraftsPlus; this is the plugin I use to back up my website.

Is there 100% security for WordPress Websites?

Before we get started let me answer this question: This is going to shock you, but to be honest, WordPress Security is relative and there is always a risk if you don’t take the matter seriously. To secure your WordPress website takes effort and requires you to control your website frequently.

How to secure your WordPress website today


As you know, WordPress lets you add new plugins and themes to try out before you finally decide which one is best for your requirements. What you don’t know is that every plugin, you install comes with files and code. If these are not updated, they might be a vulnerability for your website.

important tips: You should make sure you have the following:

  1. An SSL Certificate for your website: this is a padlock that appears on the left side of your browser telling your website visitors that this is a secure website. It is important for credibility and adds an extra layer of security for your website.
  2. Trusted / Premium WordPress Themes & plugins

1# Choose a secure Web Hosting Company

WordPress security guide

Web Hosting for WordPress security is as crucial as any other security measures. As to our check, most hosting providers provide different security levels. Still, the security they provide does not include the WordPress security itself unless you buy that service as extra.

However, if you get compromised, most hosting companies are unlikely to resolve the issue of the hacked website for you. If you are looking for a secure Web Hosting company, then you should consider SiteGround. This Web Hosting is known for its speed and security.

2# Change the admin username to custom one upon installation

WordPress security guide

The installation comes with Admin as a default username for your login credentials. Please change the Admin to a more custom username that can only be remembered by you.

When you log in to your WordPress dashboard, go to users and click on your profile. Then create a nickname that´s unique and different from your custom username and set it as your public display name. Otherwise, your actual custom admin username will be displayed in your postings and hackers will know it. You don’t want that to happen.

If they know your custom username, you make it easier for them to just guess the password and then your hacked.

3# Use a strong password for your admin login credentials

WordPress security guide

When installing your WordPress, create a very complicated Login password. Some people use passwords like these: john123523, 123652admin, admin2020. These passwords are very weak and can be easily exploited by hackers. They are easy to guess, aren’t they?

Passwords should:

  • Have more than 8 characters: a mix between numbers, letters, and symbols.
  • Not be even remembered by the admin him/herself. Please use a Password Manager to remember your complicated passwords.

4# Change default WP-Admin to limit access to your WordPress website

WordPress security guide

Bad guys (hackers) will always try to get access to your Admin login area, which is for example yourwebsite.com/wp-admin. This the default admin login URL that comes with every WordPress install. WordPress Security will be elevated if you change that default WP-Admin to something like yourwebsite.com/office.

This practice will make it very hard for hackers to brute force your login area because they don´t have access to it anymore.

Sucuri Firewall Plugin is the leading on restricting access to authenticated URLs like the Admin login page. By using such a WordPress Security Plugin, you will secure your website without having to mess around with the .htaccess file.

5# – You should keep WordPress Core, Themes & Plugins updated regularly

WordPress security guide

WordPress Core

As there are so many bad guys who attempt to hack WordPress installs, that´s why the WordPress team works hard to provide security updates and vulnerability patches.

 So, you should as an administrator login to your Website dashboard on a daily basis to check for updates. Your job is to keep regular checks to update the WordPress core.

Please configure automatic updates for your WordPress Core. Please Add this snipper to your wp-config.php:


Themes & Plugins:

A – Before installing a theme or plugin, please make sure to check the following elements:

  • Does the plugin or theme have so many installs? More than 100 000 installs is an indication that people tend to like them
  • Do they have regular updates? The developer of the plugin or theme should provide regular updates that are compatible with the last updated version of your WordPress core.
  • Do they have good reviews? If so many people like the plugin or theme and are happy with the features, this gives some credibility to the plugin or theme you are about to install.
  • Do they have the same owner? Sometimes hackers buy a specific plugin or theme to add malicious code or a backdoor functionality to get into the website they want to compensate.

B – Delete plugins and Themes you no longer use:

Keeping, forgetting or ignoring your unused themes and plugins within your WordPress install, is a risky habit. I did it when I started learning back then. Please delete any of the plugins and themes you don’t use.

  • This will prevent any vulnerability exploits from bad guys because unused themes or plugins might have hacks you don’t know about and you haven’t updated them to prevent that risk.
  • This also will free up space on your website and improve its speed, which is useful for your ranking on search engines.

6# Install a plugin that limits WordPress Login Attempts.

wordpress security guide

Hackers will attempt to brute force your login page so many times they want because WordPress allows unlimited attempts by default. To limit that, install Loginizer Plugin. This is one of the so many popular plugins on the market that does the job well:

  • Please limit the attempts to no more than 3
  • Set lock time for at least 1 hour. Most hackers won´t wait that long to attempt again and they will move to a more vulnerable website.

7# Use a WordPress Security plugin that does all the background monitoring

There are hundreds of WordPress security plugins on the market. Most of them will secure your website, but you should be selective because we are talking about security here. A VERY SERIOUS MATTER.

If you choose the wrong WordPress Security plugin, you will end up losing a website, and a recovery will cost you effort and time. This is bad for your business and website traffic.

A WordPress Security plugin will:

  • With strict checks, these plugins prevent any intruders from manipulating your website files and eventually hacking it.
  • WordPress security detects potential attacks and stops them before they even take action.

I recommend Sucuri WordPress Security Premium Plugin for your valuable WordPress website or Blog. Sucuri provides many features that you can use and be sure you are in safe hands:

  • Sucuri Security WordPress Plugin audits your website activities
  • It monitors your website´s file integrity
  • It scans your website for malware regularly
  • It monitors potential threats and blacklists them to better protect your website

Tip: You should use a backup plugin to keep your files on separate locations in case your website gets hacked. By doing so, you can easily restore the clean version of your hacked website and get back to business without interruptions. I recommend UpdraftsPlus Backup Plugin.

8# Add these WordPress security Code snippets to your .htaccess file

wordpress security guide

Caution: .htaccess File can break your website if you don’t use it with caution. Please back I up before you add the WordPress security Code Snippets, I am going to provide you here.

Protect wp-config.php from unwanted access:

# Protect wp-config Apache 2.2
<files wp-config.php>
Order allow,deny
Deny from all
#Protect wp-config Apache 2.4
<Files “wp-config.php”>
Require all denied
Require ip
  • Prevent directory browsing of your website files:
# Prevent directory browsing
Options All-indexes
  • Prevent Your images from being used by other websites: Hotlinking:
# Prevent image hotlinking
Rewrite Engine on
RewriteCon %{HTTP_REFERER}!^$
RewriteCon %{HTTP_REFERER} \
RewriteRule\.(gif|jpg|jpeg|bmp|png)$ - [NC,F,L]
  • Block hackers from inserting malicious codes to the following Includes:
  • /wp-admin/includes
  • /wp-includes
  • /wp-includes/js/tinymce/langs/
  • /wp-includes/theme-compat/
# Block includes
<ifModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule ^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]