15 Discussions on How to Secure WordPress Websites

WordPress Security

WordPress Security Tips: I had a serious problem with my WordPress website a few days ago. My website was hacked and some fake bot traffic was sent there. After about 7 days of hard work and the use of various security settings, I found a solution to this problem.

And, at that time, I realized that it was important for me to think about the security of a WordPress website beforehand. As an owner of a WordPress website, it is important for you to think about this. Because your website can be hacked at any time.


WordPress is one of the most used CMS (content management software) in the world. And using this WordPress CMS, about 34% of the total websites on the Internet have been created. So, WordPress is already a very popular platform and is made through a variety of famous and small websites.

Also remember,

From time to time the WordPress platform has become a very advanced and secure platform. And, for hackers, hacking this WordPress platform is not an easy task.

But hey,

With today’s hackers and computer bots becoming more and more advanced, the chances of your WordPress site being hacked are about 75%.

Therefore, it is important to have some security settings on a WordPress website, which makes it very difficult to hack the website.

And, as a result, WordPress websites' chances of hacked are reduced by about 70%. So, in this article, I will tell you about some important and basic “WordPress Security Tips”. If you apply these security settings well, there is almost no chance of your WordPress website being hacked.

You are the vulnerable in this blogging world not your website or software.

But it is not possible to make any website 100% secure. But, being 80% secure also means a lot. So, below we know some important tips and settings about WordPress website security.

Improve the Google search ranking of the website

Why is it important to think about the security of WordPress? As I said above, it is important to think about “why WordPress website security is needed?”.

But I will say it again.

On a WordPress website, there are basically five special problems that can occur if you have never taken any action regarding the security of the website.

  • Brute force attack
  • Fake bot traffic attack
  • SQL injection attack
  • DDoS attack
  • Others attack

Each of the above attacks has different types of damage that can do to your WordPress website. Each attack is very deadly and can destroy your entire website. And so, it is very important to protect your WordPress website from being hacked in any way.

Let’s know a little bit about the above WordPress attacks.

 01.  Brute force attack

This type of hacking attack is very common in the case of a WordPress website. This means that almost every WordPress website has this kind of brute-force attack. In the case of this attack, some automated bots or real users try to log in to the login page of your WordPress website.

In the case of login to the website, the automated bots use them by guessing different types of passwords. And, this process continues until the bots find the correct password and login into your website. In this case, thousands of requests are made to your website every day by automated bots.

Now, this type of brute force attack can cause you two deadly problems.

  • Hosting suspension
  • Gain Website access

Gain Website access

If the attackers succeed in guessing the correct login details of your website through brute force, then they will bring it under their control by logging in to your website.

In this case, your website will be hacked entirely. And, hackers can easily do any kind of work on the entire website like file editing, publishing, theft, etc.

 Hosting suspension risk

Although hackers fail to guess your WordPress login details through brute force, you still have fear.

That is, web hosting suspension. If your website is using shared hosting, then your web hosting company has the opportunity to suspend your account very easily.

Because having a brute force attack on the website means thousands of requests and loads are falling on your hosting server every day.

In this way, other websites associated with share hosting are affected and their websites have a chance to slow down. And so, in any case, it is very important to prevent these brute-force attacks on your WordPress website.

There are many ways to keep a WordPress website safe from brute force attacks. Moreover, I how to block “brute force attacks” on your website, I will tell you below.

 02.  Fake bot traffic

In the case of this type of bot attack, hackers send some fake robot traffic to your website. However, if you do not do good research on the traffic to your website, you will not be able to catch that they are fake traffic.

Thus, if suddenly a lot of traffic is coming to your website and that too only on one or two special pages, then it is a sign of fake bot traffic.

Using Google Analytics, you can monitor the behavior of each visitor to your website. And, with just this Google analytics, I can learn about any kind of bad bot traffic that comes to my website.

Now the question is, what harm can this bad bot traffic do to your website?

  • It can crash your server.
  • Can suspend Google AdSense account.
  • Spike in traffic from an unexpected location. 
  • Junk conversions.
  • Surprisingly high or low session duration.
  • Abnormally high bounce rate.
  • Abnormally high pageviews.

When this kind of bad bot traffic comes to your website, it has a bad effect on your hosting server.

And, when more bad bot traffic comes to your website, a lot of web server resources start to be used. As a result, there will be a time when there will be a lot of pressure on your web server.

And as a result, there is a good chance that your web server will eventually crash.

  Suspend Google AdSense account

Now, you must know that making money using Google AdSense is very profitable. Almost every new blogger has a dream to make money from Google AdSense. However, it is important to adhere to the Google AdSense policies, terms, and conditions. In that case, it is normal for your Google AdSense account to be suspended at any time.

And, when this type of fake boat traffic comes to your website, they can behave in a variety of offensive ways. And among them, “clicking on a blog ad” is a special behavior or work of theirs.

In this case, when the AdSense ad is on your website, click through bot traffic, and your AdSense account can be suspended very easily.

And, suspending an AdSense account means that there is no chance of earning income from that website in the future from AdSense.

As a result, you will not benefit from blogging.

So, it is very important to keep your WordPress website safe from this kind of fake bot traffic. As such, there are no effective ways to keep WordPress websites secure from fake bot traffic.

However, the way I have been blocking this kind of bot traffic for a few days now, I will let you know below.

 03. SQL Injection attack

This WordPress hacking process is not seen as very advanced and easy.

However, this does not mean that your WordPress site will not be hacked with SQL injection.

Maybe, there have been many.

In fact, with this SQL injection, some malicious SQL statements are placed in the database of your WordPress website.

And as a result, hackers have the ability to steal your website data, redirect from your website to malicious websites, or destroy your entire website. So, even if the chances are low, hacking through SQL injection in the WordPress database is seen a lot now.

This type of SQL database injection is mostly done through websites, “bad plugins,” and “themes”. So, do not install and use the plugin or theme on your WordPress website from any unbelievable website.

And, keep your WordPress website’s installed themes updated regularly.

Moreover, I would suggest using as few plugins on the website as possible. Below I will tell you how to protect your WordPress website from being hacked with this type of SQL database injection.

 04. DDoS attack on WordPress Site

Speaking of the security of a WordPress website at the moment, it is not necessary to talk about the “DDoS Attack.”

Because attempts to damage a WordPress website through a DDoS attack are done on a much larger scale.

DDoS attack means “Denial of service attack.”

This is a type of cyber-attack, where various other computer devices are hacked to target your web server.

And, in this way, a huge amount of fake traffic is sent by different computer devices targeting a particular website or web server.

As a result, your website’s server crashed because it can’t handle so many traffic requests at once. This type of DDoS attack will cause a lot of damage to your website when it comes to your website.

Because your competitors will definitely try to harm your website. My website also has this kind of DDoS attack. However, I do have the knowledge of how to protect my WordPress website from DDoS attacks.

05. Other attacks 

Securing a WordPress website is very important. If your WordPress website is not secure, in addition to the above-mentioned website attacks or hacks, there are many more attacks on your website.

So, you can keep your WordPress website safe by following each of the tips and security tips below.

How to secure your WordPress website?

Keep in mind that after adjusting to each of the WordPress security settings mentioned below, your website will be 90% less likely to have any type of DDoS attack, SQL injection attack, or brute force attack.

Now, let’s know one by one the ways to secure a WordPress website, let’s keep your website safe.

Protect WordPress login page

About 85% of us WordPress users do not change the URL of their WordPress dashboard login.

With this, brute force attackers and anyone who wants to login into your WordPress site, can easily come to your login page and try to guess the password.

Thus, the default URL of each of our WordPress login pages is,

  • example.com/wp-admin
  • example.com/wp-login.php
  • example.com/login
  • example.com/admin

And with the opportunity not to change this default login URL, hackers make brute force attacks on our website.

As I said before, in the case of a brute force attack, hackers send thousands of bots to the login page of your website that tries to log in by guessing your WordPress password.

Read Also: 7 Things That You Should Avoid in WordPress Site

So, there are definitely some ways to protect your WordPress website from this type of brute force attack and other login attacks.

 Ways to keep WordPress login pages secure

WordPress Secure Page
Add reCAPTCHA by Google on the WordPress Login Page
  1. Change WordPress default login URL.
  2. Add captcha to the login page.
  3. Add a password to the WordPress login page.

Using the above means you can protect your WordPress login page from automated bots or brute force attacks.

However, there are various free WordPress plugins to keep the login page WordPress safe and secure.


You can use the following plugins to change the default login URL of WordPress.

  1. WPS Hide Login
  2. iThemes security plugin
  3. Rename wp-login.php

There are also various good WordPress security plugins that you can use to change the login URL of WordPress.

You can use the following plugins to add a captcha to the WordPress login page.

  • ReCaptcha by BestWebSoft
  • Simple login captcha
  • Login no captcha reCAPTCHA
  • Advanced noCaptcha & invisible Captcha

Now, you can use the following plugins to add a password to the login page of your WordPress website.

 06. WordPress Password Protect Page Plugin

By using any one of the 3 processes mentioned above, you can be safe from the brute force login attack on your WordPress website.

Use a strong login password

Now, we all know that it is very important to have a strong admin password for your WordPress website.

However, if you create a password using only a few words and numbers, it can not be called a strong password.

So, to create a strong WordPress admin password, follow the rules below,

  • Use at least 4 “special characters” in the password. g., #, $, %, &, *.
  • Of course, you have to add some numbers to your password.
  • Never put a password on top of your own name or website name.
  • Create passwords as long as possible. This will make it hard for hackers to guess your password.
  • Try to change the password of your website after about 1 month.

So, you can create a strong and secure password for WordPress by following some of the general rules mentioned above.

Use two-factor authentication (2FA)

One of the most popular ways to secure a WordPress website’s login page is with “two-factor authentication (2FA)”.

If you are using this “2FA” process on your WordPress login page. So, every time you go to the WordPress Login Page and type your username and password, you have to give a secret code to that login page as well. And, this secret code will only be created on your mobile through the “2FA application”.

But that’s it if you have set authentication through the mobile app. There are other ways to get a secret code.

Without this “secret code” or “authentication code” created, neither you nor anyone else can log in to your WordPress admin panel. So, if you use this method, you will not be afraid of unauthorized login to your WordPress website. A WordPress website has several free plugins to use “two-factor authentication (2FA)”.


 Google Authenticator by miniOrange

After installing and activating the above-mentioned plugin on your WordPress website, you can secure your WordPress login page through various means.


  • Google verifies the authentication app.
  • Adds security question to the login page.
  • Receives OTP SMS on a mobile phone.
  • Receives OTPs passcode on your own email ID.
  • Mobile uses a mini orange authentication app.

You can add the authentication process to your WordPress login page by configuring the process that you think is convenient. Thus, without a special authentication code, no fake bot or user can login to your WordPress admin panel.

Backup website regularly

Hey I know, your hosting company may have a backup of the entire website for you.

However, if you want to keep your website safe and secure at any time, you must take a backup of the website yourself. In this case, if your website is hacked or your hosting company suspends you at any time, you have nothing to do.

You can use the backup file of your website, which you have, to re-launch the website with hosting from any other hosting company. Or, if your website has been hacked, you can restore the backup file of the website you have and restore the website to its previous state. So, the most effective way to keep your website safe and secure forever is to create your own backup system.

 07. How do I backup a website?

I am using the “UpdraftPlus” plugin to backup every one of my WordPress websites. This plugin is the best and completely free to make a full backup of any WordPress website. With UpdraftPlus, you can backup your entire website to your Google Drive account with just one click.


If necessary, you can restore the backup of the entire website by clicking on the “restore a backup” option at any time.


With backup through updraftPlus you can migrate your entire WordPress website by installing it in another hosting company. So, if your hosting company suspends your account in the future or your website server is hacked.

Then you can easily restore your backup files to another hosting server through updraftPlus and save the website from being damaged. So, start backing up your entire WordPress website with UpdraftPlus from today, and keep your website safe forever.

Related: 7 Best Advanced Secure Web Hosting Practices to Keep Your Site Safe

Block directory indexing & browsing

If the website directory indexing and browsing are open, anyone can see the important directory files of your website.


Block directory indexing & browsing
Block directory indexing & browsing

If you add “/ wp-content” or “/ wp-content / plugins /” to the end of your WordPress website,


Then, if the directory shown in the image below comes up.

 07. Protect WordPress Websites

Disable directory indexing in WordPress

Then your website’s directory indexing and browsing are open. And, it must be blocked as soon as possible. Looking at the picture above, you can understand what is called directory indexing.

Hackers can get important information through these directories of your website. Then you can easily attack or hack using the theme and plugin of the website server. So, be sure to pay attention so your website directory browsing and indexing are stopped.

How to stop WordPress directory indexing and browsing?

If you are using web hosting from a good hosting company, your hosting company will stop this kind of directory indexing. They will stop if you ask your hosting company to stop directory indexing. Moreover, if you are using a good “WordPress security plugin,”


  1. Wordfence
  2. Secure security
  3. iTheme security

If so, these security plugins will stop the directory indexing of your website.


If you go to the “.htaccess” file of your website and add the “Options -Indexes” line at the very end, then the directory indexing and browsing of the website will stop.

Disable directory indexing in WordPress
htaccess Options -Indexes

Disable WordPress Meta generator and version

You can also prevent your website from being hacked by disabling and hiding your WordPress website's version and meta generator. Many hackers can hack your website by taking the information of the version and meta details of the WordPress website. So, of course, make these two things disabled.

 How to hide WordPress Meta generator and version?

There are definitely many free plugins to do this. However, if you are using a good WordPress security plugin, there will be options to disable and hide the Meta generator and WordPress version.

  • Secure security
  • All in one WP security & firewall
  • iTheme security

Each of these WordPress free security plugins has the option to hide the WordPress version and meta details. Moreover, if you do not get the option in your WordPress security plugin,

Then, you can remove and hide WordPress meta details and versions using the “Meta Generator and Version Info Remover” plugin.

09. Use CloudFlare for extra security

If you’re a blogger and you don’t know about Cloudflare? it’s hard to believe. Nowadays, almost every blogger or every WordPress website is using “Cloudflare”. In fact, Cloudflare is a “content delivery network” which is simply called “CDN”. The main purpose of CDN is to speed up the loading of your WordPress website. Cloudflare’s servers are in different places in the country and abroad.

And so,

When we add our website to CloudFlare, it saves a copy of our website on each of its servers.

In this,

When a user requests to come to our website, our website is provided from the user’s nearest server. As a result, the server response time of our website decreases and the website's loading speed becomes faster.

There are a variety of caching and minification options that allow CloudFlare to speed up the loading of our website.

The role of Cloudflare in website security

Cloudflare is an advanced and very popular CDN that will not only improve the loading speed of your website but will also help you a lot in terms of website security and safety.

Cloudflare has some advanced security settings,

You need to go to these security settings –

Dashboard >> Firewall >> settings >>

Security level – is used to verify the visitors to the website.  Whether they are real people or robots is seen.  In case of good security, keep the Security Level strong at all times.

Bot fight mode – If your website is getting a lot of fake bot traffic, then turn on the option.  This way, CloudFlare will stop these bots’ traffic before entering your website.

 10. JavaScript Detection – Keep this option on to fight fake bot traffic.

Browser Integrity Check – This allows CloudFlare to monitor the web browser of your website visitors.  If they have a virus in their web browser, they are not allowed to access your website.

By keeping each of these settings on Cloudflare, you can protect your website from bad bot traffic or various types of attacks.

If you are using WordPress, be sure to use “Cloudflare.” You can add your own website to CloudFlare for free and use the security settings mentioned above.

11. Don’t use null WordPress theme & plugin

If you use the Null WordPress theme and plugin, the chances of your WordPress website being hacked increase by 200%. Because when we download and install any expensive and premium WordPress theme or plugin from various unbelievable websites on the internet on our own WordPress website.

Then various unnecessary codes, hacking scripts, and files enter our website. And these codes, scripts, and files can do a lot of damage to our website in the future. If You use premium themes or plugins from any unreliable website to show hackers access to your blog.

So, never make this mistake.

Never use a null theme or a null plugin on your WordPress website. WordPress has thousands of optimized themes and plugins. So, first of all, use the theme and plugin inside WordPress.

If you want to start earning from blogs in the future, you can buy and use a premium WordPress theme or plugin from the official website in the right way.

Use a trusted, secure hosting company

We must make the mistake of using cheap, low-quality, and local web hosting to save some money.

Remember, the next thing is whether traffic is coming to your blog. However, if you want to keep your WordPress website secure, Then use web hosting from a good hosting company.

12. Be careful before buying hosting

Good and best web hosting company

See, cheap, local and low-quality web hosting companies do not use any security settings and options to protect their servers. And, even if they are used, they are not very good.

So, at any time, there is a chance of a database attack, server hack, or other types of a cyber attack on their server. As a result, the entire hosting server crashes, and your website and every other website on the server is damaged.

And so on. I want to tell you, at the same time buy hosting from some popular web hosting companies that have been in the market for almost many years.


And there are many more web hosting companies that are very popular, secure, and fast as well as providing hosting for much less money.

13. Use a good WordPress security plugin

All of the above tips on the security and safety of your WordPress website must be followed. Thus, it is possible to provide good quality security to your WordPress website by using a good security plugin.

At present, many good WordPress security plugins will protect your website in every case.

  • Basic firewall security
  • Two-Factor Authentication
  • Malware Scan
  • Password Security
  • Protection from brute force attacks.
  • Detects and blocks bad bots.
  • WordPress login URL change.
  • Protect System Files
  • Directory Browsing disable
  • Disable XML-RPC

And there are many more security settings, which you can apply to your website using these WordPress security plugins. You will find each of the above security settings in the “iThemes Security plugin“.

I personally use this plugin to keep my WordPress websites safe and secure. For the A to Z security of any WordPress website, I recommend using this iThemes security plugin.


Many more WordPress plugins are used to keep WordPress websites secure.

Best Top 5 free WordPress security plugins

  1. Wordfence security – (more popular)
  2. Sucuri Security – (These are WordPress security experts)
  3. Shield Security – (Popular Plugin)
  4. iThemes Security – (Best Security Plugin)
  5. All In One WP Security & Firewall (powerful but free)

As mentioned above, using any one of the security plugins will make your WordPress website much more secure and secure.

14. You can use CloudFlare for free.

Content Delivery Network

I’m doing too. Friends, I always try to give you completely accurate and working information. So, if you have any problems or suggestions related to the article, please let me know in the comments.

15. What did we learn today?

Friends, today we learned how to keep your WordPress website secure and secure.


  • When using good web hosting?
  • If you do not use the null theme and plugin.
  • Using a good WordPress security plugin.
  • The chances of your website being hacked are greatly reduced.

However, when you continue to be successful, many will be jealous of your success. As a result, various types of automated bot traffic will be sent to your website. So, using CloudFlare in this case, you can save your website from this kind of fake bot traffic.

In the end, if you like the article, you can share it. We hope you enjoy today’s article on the security and safety of WordPress websites.