The Internet is full of cyber threats so it is mandatory for everyone to stay safe online and protect data. Because of that, you have to be serious about WordPress site security and be aware of possible malware & viruses that can damage your website. 

According to webmasters, Google blacklists 30,000+ websites every single day that has high-security risk. If you are doing SEO on your site but you ignore the security then the time & money spent on SEO will be worthless

Even a small security hole on your website can cause a huge disaster. That’s why it is better to invest in prevention rather than cure because investing money for website security is 80% cheaper than the recovery of a hacked website.

In this post, I will share in-depth ideas on how to secure a WordPress website from hackers. Here I have mentioned several ways of hardening the security of WordPress websites. If you become successful in implementing all the security hardening practices on your website, your website will be far from security vulnerabilities. 

So, let’s start with basic & simple WordPress security tips.

1. Always Use Latest WordPress Version

update WordPress

WordPress is an open-source Content Management System that is regularly updated and maintained. Every major WordPress release makes huge changes on dashboard, performance & security. 

Official WordPress Software Engineers identify and solve the security issues so that updating WordPress hardens the security of your website. 

Besides WordPress core software, you should also update all the installed plugins and themes.  Themes & Plugins are maintained by third-party developers who regularly release updates.

2. Use Latest PHP Version

PHP is the backbone of the entire WordPress CMS including themes, & plugins so using the latest version of PHP on the server is very important.  Every major release of PHP fixes bugs & security issues. 

If your website is running on an older version below 7.2 then you won’t get any security support. Your website can be exposed to unpatched security vulnerabilities too.  This is one of the major reasons that cause security issues in WordPress websites and make websites unsecured.

According to the official WordPress stats page, “60% of WordPress users are currently using PHP versions that are no longer supported”. 

PHP version stats WordPress

Don’t know on which PHP version your website is running? A quick, simple & easy way to check the PHP version is WordPress Site Health Tool. You can access this tool from your WordPress dashboard. First, navigate to Tools → Site Health.

navigate to SiteHealth Tools

On this Site Health Status page, you can view the health status of your website and also any other available recommendations to improve security. On this page, select the Info tab.

WordPress site health status

Next, scroll down and click on the down arrow to expand the Server section. This section shows information about your server setup including PHP version

check PHP version in WordPress Site Health Status Tools

If you found your website is running on an older version or below 7.2 then it’s time to update your PHP version and run your website on a stable PHP version. 

Here at Cloudlaya we only recommend using the latest stable and supported PHP versions: 7.4, 7.3, 7.2.  PHP versions below 7.2 are not stable and do not provide any security support

First, log in to the cPanel of your website, then scroll down and find the Software section. Here, navigate to Select PHP Version option.

software section cpanel

On the PHP Selector page, you can switch between the PHP versions easily by selecting the current PHP version for your website. 

current PHP version

3. Use SSL for Encrypted Connections

SSL (Secure Sockets Layer) is a protocol that encrypts the data transfer between your website and browser. After enabling SSL, your website will start loading through the HTTPS protocol. 

Google tends to rank websites having SSL higher than normal websites. Thus, SSL is very essential for organic traffic. 

Securing your WordPress website with SSL is so easy. You can get it for free from Cloudflare or you can simply install & activate Really Simple SSL plugin. 

Here at Cloudlaya, we offer a free Let’s Encrypt SSL certificate with all hosting packages. You can simply activate SSL on your website directly from cPanel. To enable SSL with the Let’s Encrypt tool, you don’t need to have additional plugins and configurations for your website.

Let's Encrypt SSL cpanel

4. Use WordPress Security Plugin

Installing a WordPress security plugin prevents different attacks and keeps track of everything that happens on your website.

Those plugins protect your website from different major WordPress attacks such as brute-force attacks, SQL injection attacks, DDOS attacks and vulnerability in themes/plugins.

Security plugins perform many other security hardening activities like frequent malware scanning, file monitoring, limiting the failed login attempts, etc. 

There are various free & premium security plugins, but if you want to go with a free one then it is best to choose Sucuri Scanner.

So, let’s get started with Sucuri.

After installing the Sucuri Scanner plugin on your website, you have to generate an AP key. This enables logging, integrity checking, email alerts of vulnerabilities, and also prevents attackers from deleting audit logs. 

Sucuri Generate API Key

Sucuri Scanner also helps you in hardening security of your website. You can start hardening the security by enabling various free hardening options such as website firewall protection, block PHP files in Uploads, WP-INCLUDES & WP-CONTENT directory, avoid information leakage, disable plugin & theme editor.

sucuri security hardening options

If you need the best alternatives of Sucuri Scanner plugin then check out the best WordPress security plugins.

5. Make your WordPress Login Secure

Since WordPress is a most famous CMS and everybody knows the default login page URL. Brute-force attackers can attack your website by just adding wp-admin or wp-login at the end of your domain name and entering the various combinations of username & password. 

So, if you want to prevent brute-force attacks then it is essential to make your WordPress login secure. 

i. Setting up Strong Login Credentials:

Most of the people put easy to remember login credentials such as Username: admin & Password: Password123 or something like this. Some people use their nickname or pet’s name as their password.  

Using weak login credentials is like an open invitation for hackers. If the password is easy to guess, hackers will get access to the admin dashboard of your website. 

So, never go with an easy method if you are serious about security.

If you are willing to set up strong login credentials then follow the short but very useful tips explained below:

  • Username: Never use your name or email address and don’t use “admin” default username that comes with WordPress installation. 
  • Password: Use combination of uppercase & lowercase letters, numbers and special symbols. Your password must be at least 12 characters long. 
  • Never use the same characters in your username & password. 
  • Change your password often.

ii. Implement reCaptcha:

recaptcha in wordpress login page

Implementing reCaptcha in the login page can also protect from unauthorized automated access to websites. Enabling reCaptcha differentiate between real humans and bots by adding a captcha test. There are a number of reCaptcha plugins that you can install & set up easily.

iii. Use 2FA:

Two-factor Authentication (2FA) is an electronic authentication method on which admins/users are granted access to the admin dashboard of a website only after successfully presenting identity such as phone or email verification. Once you’ve entered a username & password, the authentication system sends a SMS to your phone or email with a verification code that you need to input to verify your identity. 

Two factor authentication for WordPress login security

For example: if an unauthorized person tries to login with your username & password, then that person will not get access to the dashboard without completing 2FA. To get access to the admin dashboard hackers must have access to your email or mobile number.

If you want to harden the website login page with 2FA then you can use 2FA plugins available in the official WordPress plugins directory. 

iv. Limit Number of Login Attempts:

Limiting the number of login attempts can protect your WordPress website from Brute-Force attack. In Brute-Force attack, attackers continuously submit the many combinations of username & password until the correct one is found. 

You can use Cloudflare CDN services and WordPress plugins to protect your website from Brute-Force attacks. Several WordPress Brute-Force protection plugins such as Login Lockdown & Loginizer limit the number of failed login attempts and block the IP address that is sending failed login attempts.

6. Disable File Editing

WordPress comes with a pre-installed file editing feature that allows you to edit your theme and plugins code right from your WordPress dashboard.

When you disable the code editor, bad guys won’t break your website by adding malicious code. If your website is hacked, hackers will get access to the admin dashboard but can’t modify any of the files.

disable file editing in WordPress dashboard

To make this work, place the following code in your wp-config.php file. You can find wp-config.php file in the root directory of WordPress installation of your website.

define(‘DISALLOW_FILE_EDIT’, true);

7. Disable Directory Listing

If you type wp-content at the end of your domain (, you can see everything in the wp-content directory. To index and browse the directory no username or password is needed. 

wordpress directory indexing and browsing

Directory listing can be used by hackers to find out if any files on your website have vulnerability. Other people can also copy your important files such as media, theme, and plugin. 

You can disable the directory listing with .htaccess file. To make this work, place the following code at the end of the .htaccess file.

Options All -Indexes

8. Disable XML-RPC in WordPress

The XML-RPC is a system developed by WordPress that helps in connecting your website with other web and mobile apps. For example, a mobile application is capable of publishing and deleting posts directly to WordPress because of XML-RPC.

Using XML-RPC, hackers can find any elements on your website that has security issues and break into your site.

The common vulnerabilities associated with XML-RPC is brute-force attack. Attackers can make login attempts by using bots to guess your username and password.

Thus it is recommended to disable the XML-RPC file if you are not using it.

How to Disable XML-RPC in WordPress?


The easiest method to disable XML-RPC is using a plugin. ‘Disable XML-RPC‘ is the best plugin that you can use to block WordPress xmlrpc.php requests and disable XML-RPC API entirely. It also protects your WordPress website from the denial of service attacks that can be done by sending pingback requests through xmlrpc.php.


If you want to disable XML-RPC manually, then first log in to cPanel of your website and follow these steps.

Step1: Inside ‘File Manager’ open ‘public_html’ folder there you will see your website configuration files and 3 main folders: wp-admin, wp-content and wp-includes.

list your website files in cpanel

There you will see ‘.htaccess’ file. If you don’t find it, you can use the search bar and click on Show Hidden Files (dotfiles).

show hidden files in cpanel

Step2: Now open the .htaccess file by right-clicking and choosing ‘Edit’ option. Then paste the following code that disable XML-RPC in your WordPress website.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Step3: Once you done, save and close the file.

9. Backup your WordPress Site

Backup is like a medicine that quickly restores your website to a working state. Nothing is 100% secured. Thus, it is recommended to perform regular site backups. 

You can find various WordPress backup plugins such as Updraftplus, BackupBuddy, BackWPup and many more. Installing a backup plugin allows you to set the time interval to take backup. You can download the generated backups locally on your PC or you can integrate the external storage such as Google Drive or Dropbox. 

Check out our another guide on How to Backup WordPress Website.

Here at Cloudlaya, we provide automated backups with all managed WordPress hosting packages. Thus, you don’t need to install backup plugins and don’t need to spend time performing regular backup operations. 

10. Harden WordPress Database Security

database prefix

By default, WordPress uses wp_ prefix for all tables in your database. It helps hackers easily guess the table name of your WordPress database and attack your website with SQL injection.

Thus it is recommended to use a strong prefix name for your database tables while installing WordPress on your domain name.

change database table prefix

If you have already installed WordPress then you can use plugins like WP-DBManager to change the table prefix and perform other many database security hardening operations.

11. Choose the Secure WordPress Hosting

Web hosting plays the most important role in security of your WordPress website. Web hosting is the platform where all your website files including WordPress installation, themes, plugins, content and media files are stored. Thus, it is necessary to choose such a service provider that protects all the files and prevents attacks.

On a shared hosting service, you have to share the server resources with many other websites and all website files can be accessed by a single FTP account. Websites hosted on shared hosting are mostly prone to hack since hackers can attack your site using a neighboring site. 

So, it is best to choose managed WordPress hosting rather than shared hosting if you are serious about your website security.

Why should you choose a managed WordPress hosting?

On a managed WP hosting, all the technical aspects of running WordPress is managed by the host. This includes security, speed, automatic WordPress updates, automatic backups, website uptime etc. 

managed WordPress hosting

With managed WordPress hosting, you get premium support. Here at Cloudlaya, we provide 24/7 WP expert support to our customers. Cloudlaya’s experts are available 24/7 to answer all your queries as well as you can chat with us live or Email us for queries. 

The most important reason to choose a managed WordPress hosting is here security is taken seriously. Here at Cloudlaya, we have implemented different measures to stop attacks. To ensure security, we have increased security protocols, perform continuous malware scans, and ward off all kinds of cyber threats. 

Cloudlaya also uses Litespeed 256-bit SSL encryption to ensure the security of all your website data. 


You have seen many ways to harden your WordPress website security. Using a strong password, implementing reCaptcha & 2FA, and limiting the number of failed login attempts help to harden your WordPress login security. Server security is also important so we recommend you choose a best-managed WordPress hosting service.

I hope you have realized the importance of backups. Thus, you have to either separate a time to manage your backups manually or choose a managed WordPress hosting service to automate this task.

If you enjoyed this article, then you’ll love Cloudlaya’s managed WordPress hosting platform. Improve the performance & security and get 24/7 support from our WP expert team. Our AWS-powered infrastructure focuses on automatic backups, malware scanning & preventing attacks, security, scaling, and performance. If you are excited to run your website on a secured platform then Check out our plans.

FAQs: Harden WordPress Site Security

  • How to secure WordPress website login page?

    Make your WordPress login page secure by using strong username & password, implement reCaptcha, use Two Factor Authentication, and limit the number of failed login attempts.

  • How do I secure my WordPress website?

    Choose a good hosting company. Run your website on the latest WordPress & PHP version. Use a strong username & password. Implement reCaptcha & 2 FA. Limit the failed login attempts. Disable file editing and directory listing. Harden database security by using a strong prefix name. Install a security plugin. Use an SSL certificate.