How to protect WordPress website – WordPress Security guide

Security of WordPress website is something that many blogs or website owners take for granted. Learn how to properly secure your WordPress website and manage to stay safe from hackers.

Over 10 000 of WordPress website gets hacked daily and you should consider implementing some security in order to avoid insertion of phishing scripts or infected with nasty malware.

Basic WordPress Security

Here are some quick steps to make sure that the basic security is set up on our WordPress website.

WordPress Updates

The first thing you need to make sure is that you are using the latest WordPress version. WordPress is a very popular open-source platform and thus it receives regular updates with bug fixes and new features introduction.

In order to check the version installed, just access WP admin -> Dashboard -> Updates. You will see the infobox with the installed version and option for updating.

Update WordPress

User permissions and passwords

Now access the WP Admin -> Users. You can see the user’s roles and change the passwords for the admin/user account. Always make sure that you use a strong password in order to avoid any possible brute force attacks or dictionary attacks.

WordPress Hosting and security

wordpress hostingOne of the most crucial parts of securing a WordPress website is hosting. It presents the foundation to your website and thus you’ll need to have a properly setup and secured hosting.

If you are using shared hosting with cPanel, you should check the SiteGround, Namecheap, Hostinger, A2Hosting, etc.

If you need something more advanced you can check WP Engine, WPX Hosting, or Kinsta.

Your hosting provider should provide DDOS protection as well as a properly secured hosting environment for a start.

SSL Certificate & HTTPS

Get SSL for your WordPress websiteYou should also make sure that your blog or website is running on HTTPS secure protocol. If you don’t have the SSL certificate installed yet, ask your hosting provider to enable a free SSL certificate as it’s something in standard offers at any hosting provider.

It’s very important to encrypt your website traffic, especially if you have any forms on your website or if you collect sensitive client information.

You might also consider installing the Really Simple SSL plugin as it might help adjusting the SSL for some specific hosting environments

WordPress Security plugins

Once we have finished checking the basic steps in securing your WordPress website, we can proceed to the security plugins.

WordFence Security

The first plugin that is highly recommended is the WordFence plugin. It comes in a Free and Pro version.


WordFence is currently the most popular and very powerful Web Application Firewall (WAF) and Malware scanner for WordPress. The plugin features lots of premium grade options available in the Free version too.

WordFence also provides blocking per IP reputation, Malware scanner, and Brute force protection. Rounded out by 2FA it’s the most comprehensive WordPress security solution available. Pro version also offers some cool features like Live Traffic reporting, Live Firewall rules and blocking and much more.

wordfence live traffic

In general, the WordFence Security plugin is a very good and optimized malware protection and WAF tool.

All In One WP Security & Firewall

This is yet another great security plugin with Firewall fully integrated. It comes with tons of features and functionality live malware and virus scanner, brute force protection, .htaccess and file protection module, and live scanner. It also provides reCaptcha support, prevents comments spam, monitoring accounts activity, IP blocking from admin panel, Traffic reporting, etc.

All In One WP Security & Firewall

This plugin will also boost the security of your WordPress website to a whole new level.

BulletProof Security

BulletProof WordPress Security Protection plugin features all needed services like Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam, etc.

bulletproof security wordpress

Hide My WordPress

Finally, you might wanna hide WordPress references and details from your website code. In order to do that easily and most effectively, install and run this plugin.

This plugin will remove all instances of WordPress, meta generator and it will hide theme and plugins path as well.


After you perform all these actions, from checking up on the Basic Security for your WordPress website and securing it with the WAF firewall and active malware protection plugins and hide, you can add cache at the end.

We recommend registering your website on the Cloudflare (Free account) and it will work as a reverse proxy with DDOS protection and more. It will also hide your server real IP and serve cached and compressed website copy via its own CDN network.

And, in the end… Feel free to share your thoughts and impressions in the comments section.

Share this post if you like it.
Davor Veselinović
Davor Veselinović

I'm Davor aka. Worda, founder of Worda Themes. Working as a Full Stack Developer with more than a decade of experience with WordPress. I build themes and plugins and enjoy writing useful blog posts and sharing my ideas with others.

Leave a Reply

Your email address will not be published. Required fields are marked *