Branex - International

WordPress Security Tips to make your website healthy, wealthy and wise


According to Norton, the cost of a single data breach for a company in the USA is estimated to be $7.9 M. Unless you are Elon Musk or Jeff Bezos, this number should give you a heart attack, or at least prepare you to secure your website before hackers take control of it.

As a professional website design agency, we develop hundreds of WordPress websites every year, which is why we take special measures to address the problem of WordPress security and equip you with workable solutions that will prevent hackers from peeking into and tweaking your website.

WordPress is one of the solutions that have gotten better with age, and it has become the primary choice of marketers, bloggers and entrepreneurs who have something to sell online but don’t know where to begin.

Start with the WordPress login page

Avoid using “admin” as your username

Regardless of the hacker’s skill level, the first loophole is the “admin” username. Even a toddler knows that “admin” is the primary user with full access to the website. By default you’ll be assigned the “admin” username, but instead of presenting the hacker with an easy breach, you can change the default username with an SQL query in phpMyAdmin. Just ask your website developer, who will understand and rename the user to something else.

A Strong Password can save millions

This brings us to the second problem. Even if you have a strong username, hackers can get past the login page if the password is weak.

It is advised to use an alphanumeric username and password, which can be 10 – 14 characters long. If you cannot think of something strong, try Strong Password Generator, which will generate a secure password for your WordPress website.

Don’t just rely on a password you set once and never change. For security reasons, keep changing your password at regular intervals.

Utilize Two-factor Authentication

This is one of the most powerful methods to combat brute force attacks. Brute force is a form of attack where the hacker tries unlimited combinations of usernames and passwords until they gain access to the website.

If you use two-factor authentication, it will be difficult for the hacker to break the password without first notifying you. In its most basic form, two-factor authentication means that accessing the admin page requires a mobile code along with the password. Unless the hacker has access to both, they can’t access your website’s secured areas.

Personalize login URL

The easiest way a hacker can get access to your website is through the default login URL. With the default login URL, wp-login.php, it is easy for a hacker to try brute force and gain access to your login credentials.

You can either change the login URL manually or install the iThemes Security plugin to automatically change your login URLs.

Shift to HTTPS

It is common practice for experienced website developers to switch their WordPress website to HTTPS in order to give it an extra layer of security. This helps protect your website from untrusted hidden scripts that are used to steal data from the login form.

Even if you are not willing to switch to HTTPS, WordPress made it compulsory so that you can rank better in Google search results.

Increase the security of your WordPress plugins

Remove unnecessary Plugins

The worst mistake that website owners or excited entrepreneurs make is that they install too many plugins to make the website seamless and fast. But, sadly, they forget to uninstall the extra, unused plugins. What this does is open a gateway that hackers can use to breach security. If you don’t use a certain plugin, uninstall it at once. And don’t just uninstall it right away – the correct way is to deactivate the plugin and then uninstall it.

Update Them Regularly

One of the most convenient features of WordPress is that it notifies the owner when an update is due. When you update the WordPress core, ensure that the installed plugins are also updated accordingly. You have to do it manually or, if that seems difficult, you can enable the auto-update feature that comes along with every plugin.

The best advice is DON’T UPDATE IT YOURSELF. Ask a developer to do it for you. Why? Because you’ll never know if they have made customizations to the website that will be undone in case you update the plugin yourself.

Avoid Using Premium Plugins for FREE

There are tons of websites out there that claim to give Premium WordPress plugins for FREE. Avoid downloading plugins from those websites. Always use the official WordPress website to download the premium version of the plugin.

Mostly, when you get a plugin from an unknown plugin developer, hackers send a Trojan along with that plugin and you really don’t want to hear what can happen next with your website.

So, make sure that you avoid downloads from illegal websites, torrents or taking it from unverified developers.

Pick a strong hosting provider

Regardless of how many tips you use to secure your WordPress website; if the hosting server is not reliable, your website will always be in danger.

It is a known fact that out of 30,000 WordPress websites that are hacked daily, most of these websites share a weak hosting service provider. This means that choosing a reliable hosting server means a lot to maintain WordPress security.

For now, SiteGround and BlueHost are providing shared hosting with satisfactory security-driven features. But if you are willing to go for a dedicated hosting provider, that will be a wise option.

Safeguard the wp-config.php file

It is important to understand that the wp-config.php file contains all the necessary confidential information that a hacker needs in order to sweep off your website from the internet.

To add a layer of protection on your wp-config.php file, just include this code in your .htaccess file:

<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied"
order allow,deny
deny from all
</Files>


Deactivate directory listings

A wise developer will never count on an index.html file being placed in every new directory, as without one visitors can easily access the full directory listing of that directory. So, the best option is to disable directory listing in the .htaccess file.
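The check below is an added example, not code from the original article: it verifies that an .htaccess file carries both rules from the last two sections, the wp-config.php deny block and Apache's `Options -Indexes` directive for switching directory listings off. The function names are hypothetical and the sample file is constructed; a `<Files>` block with no closing `</Files>` is reported as missing because Apache rejects it.

```shell
#!/bin/sh
# Added example; has_wpconfig_deny, has_no_indexes and check_htaccess are
# hypothetical helper names, not WordPress or Apache tools.

# has_wpconfig_deny FILE: true if a closed <Files wp-config.php> block denies
# everyone (Apache 2.2 "deny from all" or Apache 2.4 "Require all denied").
has_wpconfig_deny() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inblock = 1; next }
        line ~ /^[ \t]*<\/files>/ { inblock = 0; next }
        inblock && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { found = 1 }
        END { if (found && !inblock) exit 0; exit 1 }
    ' "$1"
}

# has_no_indexes FILE: true if an Options line switches directory listings off.
has_no_indexes() {
    grep -Eiq '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?-Indexes([[:space:]]|$)' "$1"
}

# check_htaccess FILE: print one line per rule, return the number of missing rules.
check_htaccess() {
    missing=0
    if has_wpconfig_deny "$1"; then echo "ok       wp-config.php is denied"
    else echo "MISSING  closed <Files wp-config.php> deny block"; missing=$((missing + 1)); fi
    if has_no_indexes "$1"; then echo "ok       directory listing disabled"
    else echo "MISSING  Options -Indexes"; missing=$((missing + 1)); fi
    return "$missing"
}

# write_sample FILE: constructed .htaccess carrying both rules.
write_sample() {
    cat > "$1" <<'EOF'
Options -Indexes
<Files wp-config.php>
order allow,deny
deny from all
</Files>
EOF
}

# Demo on the constructed sample only.
sample=$(mktemp)
write_sample "$sample"
check_htaccess "$sample" || true
rm -f "$sample"
```

To check a real site, call `check_htaccess` with the path to the .htaccess file in the WordPress root.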

Cleverly change the directory permissions

If you are the website owner, you have the power to grant or revoke access to directories. If you are not technically sound, it is best that you just give orders to your developer.

Ask your developer to change the directory permissions to “755” (readable by User, Group and World, writable by User, executable by User, Group and World), or the file permissions to “644” (the owner of the file has read and write access, while the group members and other users on the system only have read access).
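The script below is an added example, not code from the original article: it audits a site tree against the 755 (directories) and 644 (files) modes described above, flags anything writable by World separately, and can reset the modes. The function names are hypothetical and the demo runs only on a constructed sample tree in a temporary directory.

```shell
#!/bin/sh
# Added example; audit_wp_perms, fix_wp_perms and make_sample_tree are
# hypothetical helper names, not WordPress tools.

# audit_wp_perms ROOT: print every deviation, return 0 only if there are none.
# World-writable entries are the riskiest deviation, so they get their own line.
audit_wp_perms() {
    report=$(
        find "$1" -type d ! -perm 755 | sed 's/^/dir-not-755    /'
        find "$1" -type f ! -perm 644 | sed 's/^/file-not-644   /'
        find "$1" ! -type l -perm -0002 | sed 's/^/world-writable /'
    )
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# fix_wp_perms ROOT: reset directories to 755 and files to 644.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# make_sample_tree DIR: constructed sample site with two entries left too open.
make_sample_tree() {
    mkdir -p "$1/wp-content/uploads"
    : > "$1/wp-config.php"
    : > "$1/index.php"
    fix_wp_perms "$1"
    chmod 777 "$1/wp-content/uploads"   # deliberately too open
    chmod 666 "$1/wp-config.php"        # deliberately too open
}

# Demo on the constructed tree (never touches a real site).
tmp=$(mktemp -d)
make_sample_tree "$tmp/site"
echo "before fix:"; audit_wp_perms "$tmp/site" || true
fix_wp_perms "$tmp/site"
echo "after fix:"; audit_wp_perms "$tmp/site" && echo "clean"
rm -rf "$tmp"
```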


You need security measures on your WordPress website. There are always going to be people seeking to harm your business by hacking your websites. The best thing you can do is avoid becoming a victim of a cyberattack and proactively prepare for the worst, so you know what to do if a hacker manages to make it past all of your defenses.

Yousuf Rafi

A Caffeine dependent non-mainstream person trying to elevate small talk to medium talk. I know I will win, not immediately but definitely. I do most of the talking in my head. However, for other things, I prefer writing blogs.
