7 Tips to Improve WordPress Security

Even if you are a novice, you are likely to know some popular tactics to improve WordPress security. You probably also know that you can install one or two plugins to improve your site security considerably.

But in this post, I’m not talking about those. Instead, I will tell you about 7 simple but vital steps you can take to secure your website that many people overlook.


Improve WordPress Security (7 Tips)

1. Change the default admin username

When you are installing WordPress, you have to select a custom username. However, a lot of 1-click WordPress installers use the default “admin” as a username.

Usernames make up half of the login credentials. If your admin username is “admin,” it’s easier for hackers to make brute-force attacks.

You can change your admin username by:

Creating a new admin username and deleting the old one

Updating username from phpMyAdmin

2. Hide author username

It’s quite easy for people to find out each author’s username on your site. Since the main author is often the site administrator, people can easily find out the admin’s username.

So it’s a good idea to hide the authors’ username.

To do this, you just need to add a bit of code into your functions.php file:

add_action( 'template_redirect', 'bwp_template_redirect' );
function bwp_template_redirect() {
    // Send any author archive request (e.g. ?author=1) to the homepage instead
    if ( is_author() ) {
        wp_redirect( home_url() );
        exit;
    }
}

After you add this code, when people append ?author=1 to your main URL, they won’t be shown the administrator’s information. They will be taken straight to the homepage.

3. Limit login attempts

WordPress allows you to try to log in as many times as you want. This makes it easier for hackers to try to crack your passwords by trying to log in with different combinations.

If you limit the number of failed login attempts, you can easily avoid this. One way you can do this is by installing a web application firewall.

Sucuri Firewall is my favorite one. It does a lot more than limit failed login attempts. It will give you complete website security, monitor for security incidents, and fix website hacks.

The only downside is that it will cost you $9.99/month.

Cloudflare is a popular alternative to Sucuri. But it will cost you $20/month.

If you don’t want a firewall, you can use the free Login LockDown plugin to limit login attempts.
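To show what such a plugin does under the hood, here is an added example (my own code, not from the original post or from Login LockDown) of a small plugin that counts failed logins per client address with WordPress transients and refuses further attempts for 15 minutes after 5 failures. The constants and function names are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Description: Added example: limits failed logins per IP with transients.
 */

define( 'ELAL_MAX_ATTEMPTS', 5 );                     // failures allowed per window
define( 'ELAL_WINDOW', 15 * MINUTE_IN_SECONDS );      // counter lifetime / lockout length

// Transient key for this client's failed-attempt counter.
// Behind a reverse proxy (e.g. Cloudflare) REMOTE_ADDR is the proxy, so the
// real client address must be taken from the proxy's trusted header instead.
function elal_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'elal_failed_' . md5( $ip );
}

// Count every failed login (fires on a wrong username or password).
add_action( 'wp_login_failed', function ( $username ) {
    $key   = elal_transient_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, ELAL_WINDOW );
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out client is rejected even when it finally supplies the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( elal_transient_key() ) >= ELAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( elal_transient_key() );
} );
```

Drop the file into wp-content/plugins/ and activate it; attempts rejected during the lockout also fire wp_login_failed, so each one refreshes the 15-minute window.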

4. Add security question to WordPress login screen

If you add a security question to your login page, it will be harder for people to get unauthorized access.

You can do it easily by installing the WP Security Questions plugin. After installing it, go to Settings » Security Questions page and add your security question and answer.


5. Set themes and plugins to update automatically

People usually update themes and plugins manually. But if you don’t pay too much attention to site maintenance, you should configure automatic updates.

This way, everything will stay up to date without you having to intervene regularly.

To do this, you have to insert a line of code into wp-config.php. For themes, add this:

add_filter( 'auto_update_theme', '__return_true' );

For plugins:

add_filter( 'auto_update_plugin', '__return_true' );

6. Disable file editing

WordPress has a built-in code editor. Using it, administrators can edit theme and plugin files from the admin area.

If someone undesirable gets access to it, it may result in a catastrophe. So it’s better to turn it off.

To do this, add this code in your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

7. Keep track of your dashboard activity

If you have more than one user on your site, you should keep track of their activity on the dashboard.

Even if there is no chance of them doing any wrongdoings, sometimes a simple misstep can cause havoc.

If you have a plugin that keeps track of the dashboard activity, you can retrace the user’s steps up to the point of site breakage.

WordPress logs the activity of users. But it’s hard to use. It’s much easier to use a plugin that organizes the data.

A good one will show you the connection between a specific action and a specific reaction, and whether a certain code change or plugin is causing a problem.

WP Security Audit Log is my favorite plugin for this. It’s free and keeps a log of everything (and I mean everything) that happens on your site’s backend.

Simple History and Activity Log are also very good if you don’t like WP Security Audit Log.
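As an added example of what these plugins record (my own code, not from the original post or from any of the plugins named above), here is a minimal plugin that writes the admin actions most often behind a broken site to a tab-separated log line with timestamp, client address and user. The log path and the event names are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Example Dashboard Activity Log
 * Description: Added example: records high-impact admin actions to a log file.
 */

// Assumed log location; in production keep the file outside the web root
// so it cannot be downloaded by visitors.
define( 'EDAL_LOG_FILE', WP_CONTENT_DIR . '/activity.log' );

// Append one line: time, client address, acting user, event, detail.
function edal_log( $event, $detail = '' ) {
    $user = wp_get_current_user();
    $who  = ( $user && $user->exists() ) ? $user->user_login : 'anonymous';
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    $line = sprintf( "%s\t%s\t%s\t%s\t%s\n", gmdate( 'c' ), $ip, $who, $event, $detail );
    error_log( $line, 3, EDAL_LOG_FILE ); // message type 3 appends to the given file
}

// Plugin and theme changes: the usual suspects when a site suddenly breaks.
add_action( 'activated_plugin', function ( $plugin ) {
    edal_log( 'plugin_activated', $plugin );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    edal_log( 'plugin_deactivated', $plugin );
} );
add_action( 'switch_theme', function ( $new_name ) {
    edal_log( 'theme_switched', $new_name );
} );

// Account changes: new users and privilege changes.
add_action( 'user_register', function ( $user_id ) {
    edal_log( 'user_created', (string) $user_id );
} );
add_action( 'set_user_role', function ( $user_id, $role ) {
    edal_log( 'role_changed', $user_id . '=>' . $role );
}, 10, 2 );

// Logins, successful and failed, so a break can be tied to a session.
add_action( 'wp_login', function ( $login ) {
    edal_log( 'login', $login );
} );
add_action( 'wp_login_failed', function ( $login ) {
    edal_log( 'login_failed', $login );
} );
```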

Always keep a backup of your site. It will come in handy if your site ever gets hacked.

If your site gets hacked, it’s better to let professionals handle it. Cleaning up a hacked site is a difficult and time-consuming process. If you don’t clean it properly, it’s likely to get hacked again.

What other things do you do to improve WordPress security that many people don’t know about? Let us know in the comment section.
