21 Best WordPress Security Tips & Tricks 2020 [UPDATED]



WordPress is one of the most widely used content management systems (CMS) today. With that growth, keeping a WordPress site secure has become harder over time, and in 2020 the problem is more complex than ever, thanks to attackers who keep developing new techniques.

There are certain security measures you can take to fix a hacked WordPress site. Our team of WordPress security experts has collected information and data on thousands of websites to present the most detailed WordPress security tips for improving the security of your WordPress site in 2020 and preventing it from being hacked.

Download our latest WordPress Security Guide, which includes checklists to safeguard your WordPress installation and prevent future hack attempts.

Common WordPress Security Issues

  • Weak Passwords.
  • File Inclusion Exploits.
  • SQL Injections.
  • Brute Force Attacks.
  • Cross-Site Scripting (XSS).
  • WordPress Malware Attacks.
  • Outdated WordPress, Plugins or Themes.
  • Plugins and Themes from Untrustworthy Sources.

Is your site secure? Let’s find out.

WordPress Hacks

Even industry leaders don’t always follow best practices. Reuters was hacked back in 2012 because it was running an outdated version of WordPress. Some of the different types of WordPress hacks are described below.

WP Backdoor

The aptly named backdoor vulnerability gives attackers hidden passages that bypass normal authentication to reach a WordPress site through channels such as wp-admin, SFTP or FTP. Once exploited, a backdoor lets attackers wreak havoc on the hosting server with cross-site contamination attacks, compromising multiple sites hosted on the same server.

Pharma Hacks

This exploit inserts rogue code into outdated WordPress installations and plugins, causing search engines to return ads for pharmaceutical products when a compromised website is searched for.

Brute-force Attack

Brute-force attacks use automated scripts to exploit weak passwords and gain access to your site. Two-step authentication, limiting login attempts, monitoring for unauthorized logins, blocking IPs and using strong passwords are some of the easiest and most effective ways to prevent brute-force attacks.

Malicious Redirect Hack

During a WordPress malware redirect hack, an attacker creates backdoors in the WordPress installation via FTP, SFTP, wp-admin or other channels and injects redirection code into the website. The redirects are often placed in your .htaccess file and other WordPress core files in encoded form.

To ensure that your site is free from any kind of malware:

>> Scan your site for malware using a WordPress malware cleaner here.

>> Follow these steps to .

WordPress DDOS Attack

Perhaps the most dangerous of them all, a Denial of Service (DoS) attack exploits errors and bugs in the code to overwhelm the memory of the website’s operating system via .

21 WordPress security Tips & Tricks 2020


Listed below are some of the best WordPress security tips you must know to increase the security of your WordPress website in 2019.

1. Cleanup your WordPress installation

Make sure to delete unused copies of WordPress from your server. Unused WordPress themes, plugins, files and so on should be deleted even if they are not active or are not being used.

Keep your server clean and follow a simple rule: ‘Delete, delete, delete!’ the unwanted files and installs.

2. Use Updated WordPress plugins, themes

Keep your WordPress themes and plugins up to date. Also, use the proper APIs provided by WordPress.org instead of direct actions and manipulations.

Take security into consideration when choosing WordPress themes and plugins.

Approximately 30% of hacks occur for this reason, so it is definitely a good decision to stick with a theme or plugin that is updated regularly.

Also, you must before installing a nulled theme, to ensure that your theme is fully secure and is not compromised in any way.

3. Change WordPress table prefix


For WordPress, the default table prefix is wp_. Everyone is aware of the prefix, and so are attackers. Changing your table prefix is recommended to make your website more secure and better protected from SQL injection.

Just change the table prefix and you will be one step closer to a secure site. With this plug-in you can replace the default database prefix with any other prefix in a single click.

4. Use SSH2 (SFTP) connections for WordPress Upgrade

SSH2 (SFTP) connections are much more secure than regular FTP connections for upgrading WordPress, because all data in transit is encrypted.

You can also use the “SSH SFTP Updater Support” WordPress plugin, which uses phpseclib, the best way to use SSH, SFTP, RSA and X.509 in PHP.

5. Use SSL certificate

SSL (Secure Sockets Layer) is one of the best options for securing your WordPress admin panel. An SSL certificate for your site makes it difficult for attackers to intercept or spoof your information, and it also affects your website’s Google rankings.

It is really beneficial, as Google recently announced that it uses HTTPS as a ranking signal, so SSL sites are rewarded with higher rankings in search results.

Having SSL installed on your WordPress website allows you to log in securely (via HTTPS). You can purchase a certificate from a well-known provider or ask your hosting provider to set one up.

6. Backup Your WordPress Website

Although backups do not prevent WordPress hacks, they are essential for recovering your WordPress website after one.

Make sure to back up your site before it’s too late, as your entire website content is stored in the database. You can back up the WordPress database manually or use a plugin such as UpdraftPlus.

7. Protect .htaccess

.htaccess is the default name of a directory-level configuration file and is used to specify security restrictions for a particular directory.

To protect your blog from attackers, simply place the code below in the .htaccess file in your domain’s root directory.


# block web access to .htaccess, .htpasswd and similar files
<Files ~ "^.*\.([Hh][Tt][Aa])">
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order allow,deny
    Deny from all
    Satisfy all
</Files>


8. Secure wp-config.php

The wp-config.php file is the most important file in your website’s root directory, as it stores the crucial configuration of your WordPress blog.

Securing wp-config.php means protecting the core of your blog: it becomes far more difficult for attackers to extract information from your site when the file is inaccessible to them.

You can secure wp-config.php by placing the code below in the .htaccess file in the root directory.

# protect wp-config.php
<files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
    Order deny,allow
    Deny from all
</files>


9. Configure .htaccess to prevent directory browsing


Another WordPress security concern is preventing people from browsing your website’s directory structure.

If you are curious what this looks like, just search for ‘index of’ in Google and it will list websites that allow directory browsing.

To prevent directory browsing with .htaccess, add ‘Options All -Indexes’ to the .htaccess file in your root directory.

10. Protect WordPress admin

The wp-admin directory is one of the major parts of your WordPress website. Any damage to this part may damage your entire site. To protect the WordPress admin section from attackers, password-protect the directory.

WordPress admin files should be accessible only to you or to a designated person. You can restrict access by using .htaccess to allow only specific IP addresses to reach this directory. Just add the code below to the .htaccess file in the wp-admin folder.

# deny access to wp-admin except from your static IP
# (Apache does not allow comments after a directive on the same line, so keep them on their own lines)
Order deny,allow
Deny from all
# replace xx.xx.xx.xx with your static IP address
Allow from xx.xx.xx.xx
# note: wp-admin/admin-ajax.php is also used by front-end features; exempt it with a <Files admin-ajax.php> block if your site needs it

Any access from other IPs will be refused.

11. WordPress security keys in Wp-config.php

WordPress security keys in wp-config.php are an important security measure against your blog being hacked. The keys in wp-config.php ensure stronger encryption and signing of users’ session data.

Use the WordPress Key Generator to generate the keys and replace them in your wp-config.php file.

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
// The generator also produces AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT; replace those too.

12. Use HTTPS To Log-in Your Dashboard

HTTPS is a secure version of HTTP. When you use HTTPS, your data is sent in encrypted form instead of clear text.

This makes it difficult for attackers to intercept and decode the data (password, user name). Add define('FORCE_SSL_LOGIN', true); to wp-config.php so that logging into your dashboard uses HTTPS (on WordPress 4.0 and later this constant is deprecated in favour of define('FORCE_SSL_ADMIN', true);, which forces HTTPS for the login page and the whole admin area).

13. Remove Inactive User Accounts

Inactive user accounts may be a security threat to your website. The best thing to do is to delete inactive user accounts in WordPress.

To do this:

>> Go to your WordPress dashboard >> Click ‘Users’, which takes you to a page listing each user >> Delete the ones that are inactive.

14. Use email as login

When you open your WordPress login page you have to enter a username to log into your account. Logging in with an email address instead of a username is a more secure approach that makes your website harder to hack.

This can be done by on Login page.

15. Prevent Script Injection

You can easily protect your WordPress blog from script injection. Just add the code below to the .htaccess file in your root directory.

This will protect your blog from unwanted modification of the _REQUEST and/or GLOBALS variables via the query string.

You can find various tips here.

# block script injection and _REQUEST/GLOBALS manipulation via the query string
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# matching requests get a 403 Forbidden
RewriteRule ^(.*)$ index.php [F,L]

16. Strong Passwords

A strong password is the first layer of protection for your WordPress site. Use lowercase, uppercase, special characters and numbers to set a strong password for your account.

You can also use the Force Strong Passwords plugin, which enforces strong passwords for users with the publish_posts, upload_files and edit_published_posts capabilities.

A few basic requirements for a strong password:

  • Include numbers, capitals, special characters (@, #, *, etc.)
  • Can include spaces and be a passphrase
  • Change passwords every 120 days, or 4 months
  • Be long (10 characters – minimum; 50 characters – ideal)
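The requirements above can be enforced server-side with a small must-use plugin. The following is an added example, not code from the original article or from the Force Strong Passwords plugin; the pp_* function names and the error text are illustrative, while user_profile_update_errors, validate_password_reset and the pass1 form field are WordPress’s own.

```php
<?php
/*
 * Plugin Name: Password Policy (added example, not part of the original article)
 * Save as wp-content/mu-plugins/password-policy.php. Enforces the requirements
 * listed above whenever a password is set on the profile page or reset via
 * the "lost password" flow. The pp_* names are illustrative.
 */
function pp_password_problems($password) {
    $problems = [];
    if (strlen($password) < 10) {
        $problems[] = 'be at least 10 characters long';
    }
    if (!preg_match('/[A-Z]/', $password)) {
        $problems[] = 'contain an uppercase letter';
    }
    if (!preg_match('/[a-z]/', $password)) {
        $problems[] = 'contain a lowercase letter';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'contain a number';
    }
    // Spaces are allowed (passphrases), so only non-space symbols count as special.
    if (!preg_match('/[^A-Za-z0-9\s]/', $password)) {
        $problems[] = 'contain a special character (@, #, *, etc.)';
    }
    return $problems;  // an empty array means the password passes
}

function pp_validate($errors) {
    // "pass1" is the field name WordPress uses on both the profile and reset forms.
    $password = isset($_POST['pass1']) ? (string) wp_unslash($_POST['pass1']) : '';
    if ($password === '') {
        return;  // no password change submitted; nothing to check
    }
    $problems = pp_password_problems($password);
    if ($problems) {
        $errors->add('pp_weak_password',
            '<strong>Error:</strong> The password must ' . implode(', ', $problems) . '.');
    }
}
// Both hooks pass the WP_Error collector as their first argument; adding an
// error to it makes WordPress reject the submitted password.
add_action('user_profile_update_errors', 'pp_validate', 10, 1);
add_action('validate_password_reset', 'pp_validate', 10, 1);
```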

17. Restrict Failed WordPress Login Attempts


Restricting the number of failed login attempts prevents attackers from using brute-force techniques against your WordPress site.

A brute-force attack is an attempt to discover a user’s password by trying every single possibility. You can add an extra layer of security to your WordPress login page by implementing two-factor authentication in WordPress or by adding HTTP authentication.

18. Remove/disguise login error messages

When you enter an incorrect username and password combination into a WordPress login page, the error message gives hints about what you got wrong.

For example, if you enter an incorrect username AND an incorrect password the error message says “Error: The username or password you entered is incorrect”.

However, if you enter the correct username but an incorrect password, the error message says “Error: The password you entered is incorrect”.

That’s bad for business. An attacker now knows they have a valid username and only need to crack the password. For that reason it’s much better to show the first error message at all times: “Error: The username or password you entered is incorrect”.
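Tips 17 and 18 can be implemented together in one must-use plugin. The following is an added example, not code from the original article; the LH_* constants, lh_* function names, thresholds and messages are illustrative, while login_errors, wp_login_failed, authenticate and wp_login are WordPress’s own hooks, and the transient API is used as the counter store.

```php
<?php
/*
 * Plugin Name: Login Hardening (added example, not part of the original article)
 * Save as wp-content/mu-plugins/login-hardening.php so it loads on every request.
 * The LH_* names and thresholds are illustrative choices, not WordPress constants.
 */
define('LH_MAX_ATTEMPTS', 5);       // lock the client out after this many failures
define('LH_LOCKOUT_SECONDS', 900);  // lockout length: 15 minutes

function lh_client_key() {
    // The counter is keyed on the client IP. REMOTE_ADDR is what the web server saw;
    // behind a proxy or CDN, configure the server to restore the real client IP first.
    return 'lh_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Tip 18: collapse every login error to one generic message, so a wrong
// password no longer confirms that the username exists.
add_filter('login_errors', function ($message) {
    if (strpos($message, 'Too many failed login attempts') !== false) {
        return $message;  // keep our own lockout notice readable
    }
    return 'Error: The username or password you entered is incorrect.';
});

// Tip 17: count failures per client. Every failure (including attempts made
// during a lockout) refreshes the transient, so the lockout is extended.
add_action('wp_login_failed', function ($username) {
    $key   = lh_client_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, LH_LOCKOUT_SECONDS);
    if ($fails >= LH_MAX_ATTEMPTS) {
        error_log(sprintf('login lockout: %s after %d failures (last user: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $fails, $username));
    }
});

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out client is refused even if it finally guesses the right password.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lh_client_key()) >= LH_MAX_ATTEMPTS) {
        return new WP_Error('lh_locked_out',
            'Error: Too many failed login attempts. Please try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(lh_client_key());
});
```

The lockout is per source IP, so it limits online guessing from a single client but not a distributed attack spread over many addresses; pair it with strong passwords and two-factor authentication as tip 17 recommends.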

19. Hide WordPress Version number

The WordPress version is placed in your website’s page source and can be an easy target for attackers. If your WordPress version is known, attackers can easily tailor an attack to it.

Use this WP plugin to remove the WordPress version number from the meta tags, RSS feeds and JavaScript & CSS parameters for increased security of your WordPress site.

Alternatively, just place this single line in your theme’s functions.php:

remove_action('wp_head', 'wp_generator'); // stops WordPress printing the <meta name="generator"> tag that carries the version

20. Change Default WordPress Login/Password


A user may i.e. ‘admin’ to reduce the chances of login attempts by attackers. One of the best things to do is to delete the default admin account and create a new custom login for the account. If the password is really strong, your account should be well protected.

21. Block Search Engine Spiders from Indexing the Admin Section:

Search engine crawlers such as Google’s crawl your entire blog site and index every piece of content placed there unless they are asked not to. Keep in mind that users do not want their admin section indexed, as all the sensitive information is placed there. One of the easiest ways to prevent crawlers from indexing the admin section is to create a robots.txt file in the root directory. Just place the code provided below in it.


# robots.txt only asks well-behaved crawlers not to index these paths; it does not block access to them
# note: disallowing /wp-includes and /wp-content/themes/ also hides CSS and JavaScript that Google needs to render your pages
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

We cannot guarantee that your WordPress blog will never be hacked after implementing the points above, but the chances of a successful attack will be greatly reduced. The more you strengthen your WordPress security, the harder it will be for an attacker to breach your information.

Any suggestions?

Any advice on WordPress security from your side can help many people keep their WordPress websites from being hacked.

Please use the comment box below to share your thoughts!
