How to Keep Your WordPress Website Safe and Secure in 2023

The biggest concern of website owners is the security and privacy of their websites. Nevertheless, not all of them do what is necessary to stop hackers from penetrating their blogs or e-commerce shops. Keeping your WordPress site safe and secure is vital to prevent cybercriminals and malware from harming it. The last thing you want is to wake up one day to discover that you’ve lost all your data, or worse, the site itself.

There’s no denying that WordPress is the most popular CMS to date. It offers users a plethora of plugins and themes. The platform is also simple to use, and you can build almost any type of site with it.

Nonetheless, this popularity comes with a price: hackers often target WordPress websites. Its core software is highly secure and hundreds of developers audit it periodically, but there are plenty of ways to enhance your site’s security further even if you’re technically challenged.

With that in mind, here are some actionable measures you can take to protect your WordPress website against security vulnerabilities. Also, make sure to read our post on how you may be killing your website without knowing it.

Implement Secure Socket Layer (SSL)

After launching your WordPress website, SSL implementation should be at the top of your priority list. The SSL protocol creates an encrypted tunnel between servers or devices communicating across the web. Additionally, it changes your website address to HTTPS, indicating to visitors that the connection is secure.

Without an SSL certificate, all data moving to and from your site travels in plain text, which is quite dangerous: hackers can intercept it with little to no effort.

Likewise, keep in mind that having a secure site may impact your Google ranking. The popular search engine always ranks secure and fast WordPress sites higher in its search results.

Add Two-Factor Authentication Log In

With two-factor authentication, users go through a two-step process before they can log in: in addition to entering their username and password, they must also authenticate via a separate app or device.

Major websites like Facebook and Google now offer this functionality for your accounts. Likewise, you can add this feature to your WordPress website: simply install and activate the Two Factor Authentication plugin.

Once you activate it, head over to your WordPress admin sidebar and click the “Two Factor Auth” link. It will then prompt you to install the plugin. Upon installation, open an authenticator app on your smartphone; numerous apps like this are available for download on the Google Play Store and App Store. You can also find many other security plugins online to tighten your site’s protection.

Password Protect Your WordPress Login And Admin Page

Hackers can usually request your login page and the wp-admin folder without any limitation. This lets cybercriminals try whatever hacking tricks they have up their sleeves against your site, or launch DDoS attacks on it. You can block these requests effectively by adding a further layer of password protection on your server.

You can add this password protection manually or through cPanel. The latter is the simplest method since cPanel’s interface is more user-friendly.

To add password protection via cPanel, follow the steps below:

  • Log in to your cPanel and look for the Security tab.
  • Click the icon for Password Protect Directories.
  • A lightbox will pop up asking you for a directory location. Click the webroot.
  • Once in the webroot, navigate to the /wp-admin folder and click on it.
  • The Security Settings screen will appear. Simply check the box next to Password protect this directory.
  • Then, create a user for the directory.

When attempting to access or log in to your wp-admin directory, you’ll now see an authentication box requiring your username and password.
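The manual alternative to the cPanel steps above, as an added example that is not part of the original post: the same HTTP Basic authentication expressed as a .htaccess file placed inside wp-admin (Apache 2.4 syntax). The password-file path /home/example/.htpasswd and the user name adminuser are assumptions.

```apache
# Added example: manual equivalent of cPanel's "Password Protect Directories".
# Save this file as wp-admin/.htaccess. The server must allow
# "AllowOverride AuthConfig" for the site, or these lines are ignored.
#
# Create the password file once, OUTSIDE the web root so it cannot be
# downloaded (path and user name are assumptions for this example):
#   htpasswd -c /home/example/.htpasswd adminuser
AuthType Basic
AuthName "Restricted WordPress admin area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# admin-ajax.php is called by many themes and plugins on behalf of
# logged-out visitors (front-end forms, filters, etc.). Exempt it, or
# those features start prompting visitors for the server password.
<Files admin-ajax.php>
    Require all granted
</Files>
```

After saving, a request for /wp-admin/ should answer with HTTP 401 until the server credentials are supplied, while /wp-admin/admin-ajax.php stays reachable.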

Change Your Admin Username

Most website owners do not bother to change the “admin” username that WordPress sets by default. Usually, this is the first username hackers try when attempting to penetrate your website. That’s why it’s crucial to change your admin username.

Follow these steps to create a new admin username for your WordPress website:

  • Go to Users and click Add New.
  • Pick a strong and solid username and password.
  • Set the role of Administrator.
  • Click the button for Add New User.

Before deleting your old admin user, don’t forget to assign all of its content to the new one.

Create An Editor Or Contributor Account

Consider creating an editor or contributor account to take things a step further. Use that account when adding new articles or posts to your WP website. Editors and contributors have limited privileges compared to administrators, so this additional step makes it more difficult for cybercriminals to harm your site if the account you use day to day is ever compromised.

Disable The Browsing And Indexing Options Of Your Directory

Attackers can use directory browsing to check whether you have files with known vulnerabilities, and then use those files to their advantage to gain access to your site.

Furthermore, anyone can use directory browsing to view your site’s information, including its files and directory structure, and to copy images. Hence, it’s vital to turn off directory browsing and indexing.

Here’s how to do it:

  • Connect to your WP website through the file manager in cPanel or via FTP.
  • Go to the root directory of your site and look for the .htaccess file.
  • Next, add the line Options All -Indexes at the end of the .htaccess file.
  • Finally, save the .htaccess file and upload it back to your WP site.

Change The Prefix Of Your WordPress Database

WordPress uses wp_ as the default prefix for every table in your database. If your website keeps this default prefix, hackers will find it easier to guess your table names. For this reason, changing it is recommended.

However, keep in mind that if you don’t have the right coding skills, you should not proceed. One mistake can break your website, so perform this complex step only if you have a deep understanding of the code involved. You can learn more about changing the WordPress database prefix here.

Disable XML-RPC In WordPress

Since version 3.5, WordPress enables XML-RPC by default because it lets you connect your website with plugins and mobile apps. XML-RPC is pretty powerful, which also means it can amplify a brute-force attack significantly. That’s why it’s one of the favorite protocols that WordPress hackers abuse.

They can use it to execute numerous commands in a single request to break into your website more easily. To stop this from happening, you can disable the feature using one of these methods:

  • Use a plugin that disables XML-RPC.
  • Block all xmlrpc.php requests in the .htaccess file, before the request is even passed on to WordPress.

Just paste the lines of code below into the .htaccess file:
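As an added example, not a snippet from the original post: a root .htaccess fragment that blocks xmlrpc.php at the web server, combined with the directory-listing line from the earlier section so both live in the same file. It covers both Apache 2.4 and the older 2.2 access syntax.

```apache
# Added example: hardening lines for the site's root .htaccess.

# Turn off directory listings (the "Options" override must be allowed by the
# server for this line to take effect).
Options -Indexes

# Refuse every request for xmlrpc.php before WordPress ever loads it.
# This also shuts down multicall-based brute forcing through that file.
# Caveat: the WordPress mobile app and plugins that talk to the site via
# XML-RPC (Jetpack among them) will stop working once this is in place.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    <Files xmlrpc.php>
        Require all denied
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 legacy syntax
    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
    </Files>
</IfModule>
```

To confirm it works, request /xmlrpc.php on your site (for example with curl -I) and check that the server now answers with HTTP 403 instead of the usual "XML-RPC server accepts POST requests only" message.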

Don’t Forget To Protect Your Computer

You may be wondering why you need to protect your computer. Simply put, it’s what you use to access and update your WP site. If files on your computer are infected with viruses, uploading those infected files can infect your site as well.

So to prevent any virus from infiltrating your computer or laptop, avoid connecting to public WiFi when accessing your website. Also, don’t forget to install a reputable anti-virus program and keep it up to date at all times.

There’s no need to fear cyber attacks this 2021 as long as you take the necessary steps to tighten the security and privacy of your WordPress website. Aside from these, check out these additional WordPress site safety tips. If you find this article helpful or have questions in mind, don’t hesitate to leave a comment below!

Aileen Cuaresma

Aileen is a Technical and Creative writer with an extensive knowledge of WordPress and Shopify. She works with companies on building their brand and optimizing their website. She also runs a local travel agency with her family. On her free time, she loves reading books, exploring the unknown, playing with her two adorable dogs, and listening to K-pop.

  1. Aiden

    Regarding password protection, I recommend the Password Protect WordPress Pro plugin. It does help protect the site and also provides a bunch of extra features.

    • Aileen Cuaresma

      Hi again Aiden, thanks for the recommendation. That’s a good plugin.

  2. NwoowNews

    It’s important to keep our websites secure, and these tips seem really useful for doing just that. Thanks for the helpful advice!
