15 Discussions on How to Secure WordPress Websites

WordPress Security Tips: A few days ago, I had a serious problem with my WordPress website. My website was hacked and some fake bot traffic was sent there. After about 7 days of hard work and use of various security settings, I found a solution to this problem.

And, at that time, I realized that it was important for me to think about the security of a WordPress website beforehand. As an owner of a WordPress website, it is important for you to think about this. Because, your website can be hacked at any time.


Bad time but not to say.  She just moves on. WordPress is one of the most used CMS (content management software) in the world. And using this WordPress CMS, about 36% of the total websites on the Internet have been created. So, WordPress is already a very popular platform and is made through a variety of famous and small websites.

Also remember,

From time to time the WordPress platform has become a very advanced and secure platform. And, for hackers, hacking this WordPress platform is not an easy task.

But hey,

With today’s hackers and computer bots becoming more and more advanced, the chances of your WordPress site being hacked are about 75%.

Therefore, it is important to have some security settings on a WordPress website, which makes it very difficult to hack the website.

And, as a result, the chances of WordPress websites being hacked are reduced by about 70%. So, in this article I will tell you about some important and important “WordPress Security Tips”. If you apply these security settings well, there is no chance of your WordPress website being hacked.

You are the vulnerable in this blogging world not your website or software


But it is not possible to make any website 100% secure. But hey, being 80% secure also means a lot. So, below we know some important tips and settings about WordPress website security.

Improve the Google search ranking of the website

Why is it important to think about the security of WordPress? As I said above, it is important to think about “why WordPress website security”.

But I will say it again.

On a WordPress website, there are basically three special problems that can occur if you have never taken any action regarding the security of the website.

  • Brute force attack
  • Fake bot traffic attack
  • SQL injection attack
  • DDoS attack
  • Others attack

Each of the above attacks but different types of damage can do to your WordPress website. Each attack is very deadly and can destroy your entire website. And so, it is very important to protect your WordPress website from being hacked in any way.

Let’s know a little bit about the above WordPress attacks.

 01.  Brute force attack

This type of hacking attack is very common in the case of a WordPress website. This means that almost every WordPress website has this kind of brute force attack. In the case of this attack, some automated bots or real users try to login to the login page of your WordPress website.

In case of login to the website, the automated bots use them by guessing different types of passwords. And, this process continues until the bots find the correct password and login to your website. In this case, thousands of requests are made to your website every day by automated bots.

Now, this type of brute force attack can cause you two deadly problems.

  • Hosting suspension
  • Gain Website access

Gain Website access

If the attackers succeed in guessing the correct login details of your website through brute force, then they will bring it under their control by logging in to your website.

In this case, your website will be completely hacked. And, hackers can easily do any kind of work on the entire website like file edit, publish, theft etc.

 Hosting suspension risk

Although hackers fail to guess your WordPress login details through brute force, you still have a fear.

That is, web hosting suspension. If your website is using shared hosting, then your web hosting company has the opportunity to suspend your account very easily.

Because, having a brute force attack on the website means thousands of requests and loads are falling on your hosting server every day.

In this way, other websites associated with share hosting are affected and their websites have a chance to slow down. And so, in any case, it is very important to prevent these brute force attacks on your WordPress website.

There are many ways to keep a WordPress website safe from brute force attacks. Moreover, how to block “brute force attacks” on your website, I will tell you below.

 02.  Fake bot traffic

I was a victim of this fake bot traffic attack on Abdi and my website a few days ago. However, I currently have a solution to this problem.

In the case of this type of bot attack, hackers send some fake robot traffic to your website. However, if you do not do good research on the traffic to your website, you will not be able to catch that they are fake traffic.

Thus, if suddenly a lot of traffic is coming to your website and that too only on one or two special pages, then it is a sign of fake bot traffic.

Using Google analytics, you can monitor the behavior of each visitor to your website. And, with just this Google analytics, I can learn about any kind of bad bot traffic that comes to my website.

Now the question is, what harm can these bad boat traffic do to your website?

  • It can crash your server
  • Can suspend Google AdSense account
  • Crash your server

When this kind of bad bot traffic comes to your website, it has a bad effect on your hosting server.

Because, whether the traffic is bad or good, when it comes to your website, it uses the resources of your web server.

And, when more bad bot traffic comes to your website, a lot of web server resources start to be used. As a result, there will be a time when there will be a lot of pressure on your web server.

And as a result, there is a good chance that your web server will eventually crash.

  Suspend Google AdSense account

Now, you must know that making money using Google AdSense is very profitable. Almost every new blogger has a dream to make money from Google AdSense. However, it is important to adhere to the Google AdSense policies, terms and conditions. In that case, it is normal for your Google AdSense account to be suspended at any time.

And, when this type of fake boat traffic comes to your website, they can behave in a variety of offensive ways. And among them, “clicking on a blog ad” is a special behavior or work of theirs.

In this case, when the AdSense ad on your website, click through bot traffic, your AdSense account can be suspended very easily.

And, suspending an AdSense account means that there is no chance of earning income from the website in the future.

As a result, you will not benefit from blogging.

So, it is very important to keep your WordPress website safe from this kind of fake bot traffic. As such, there are no effective ways to keep WordPress websites secure from fake boat traffic.

However, the way I have been blocking this kind of boat traffic for a few days now, I will let you know below.

 03. SQL Injection attack

This type of WordPress hacking process is not seen to be very advanced and easy.

However, this does not mean that your WordPress site will not be hacked with SQL injection.

Maybe, there have been many.

In fact, with this SQL injection, some malicious SQL statements are placed in the database of your WordPress website.

And as a result, hackers have the ability to steal your website data, redirect from your website to malicious websites, or destroy your entire website. So, even if the chances are low, hacking through SQL injection in WordPress database is seen a lot now.

This type of SQL database injection is mostly done through websites, “bad plugin” and “theme”. So, do not install and use the plugin or theme on your WordPress website from any unbelievable website.

And, keep your WordPress website’s installed themes updated regularly.

Moreover, I would suggest using as few plugins on the website as possible. Below I will tell you how to protect your WordPress website from being hacked with this type of SQL database injection.

 04. DDoS attack on WordPress site

Speaking of the security of a WordPress website at the moment, it is not necessary to talk about the “DDoS attack”.

Because, attempts to damage a WordPress website through a DDoS attack, are done on a much larger scale.

DDoS attack means “Denial of service attack”.

This is a type of cyber-attack, where various other computer devices are hacked to target your web server.

And, in this way, a huge amount of fake traffic is sent by different computer devices targeting a particular website or web server.

As a result, your website’s server crashes because it can’t handle so many traffic requests at once. This type of DDoS attack will cause a lot of damage to your website when it comes to your website.

Because, your competitors will definitely try to harm your website. My website also has this kind of DDoS attack. However, I do have the knowledge of how to protect my WordPress website from DDoS attack.

Below I will tell you the way and the rules.

Other attack 

Securing a WordPress website is very important. If your WordPress website is not secure then in addition to the above mentioned website attacks or hacks, there are many more types of attacks on your website.

So, you can keep your WordPress website safe by following each of the tips and security tips below.

 05. How to secure your WordPress website?

Keep in mind that after adjusting to each of the WordPress security settings mentioned below, your website will be 90% less likely to have any type of DDoS attack, SQL injection attack, or brute force attack.

Now, let’s know one by one the ways to secure WordPress website, let’s keep your website safe.

Protect WordPress login page

About 85% of us WordPress users do not change the URL of their WordPress dashboard login.

With this, brute force attacker and anyone who wants to login to your WordPress site, they can easily come to your login page and try to guess the password.

Thus, the default URL of each of our WordPress login pages is,

  • example.com/wp-admin
  • example.com/wp-login.php
  • example.com/login
  • example.com/admin

And with the opportunity not to change this default login URL, hackers make brute force attack on our website.

As I said before, in the case of brute force attack, hackers send thousands of bots to the login page of our website that try to login by guessing your WordPress password.

Read Also: 7 Things That You Should Avoid in WordPress Site

So, there are definitely some ways to protect your WordPress website from this type of brute force attack and other login attacks.

 Ways to keep WordPress login pages secure

WordPress Secure Page
Add reCAPTCHA by Google on the WordPress Login Page
  1. Change WordPress default login URL. Or,
  2. Add captcha to login page. Or,
  3. Adding a password to the WordPress login page.

Using any of the above means you can protect your WordPress login page from any automated bots or brute force attack.

However, there are various free WordPress plugins to keep the login page of WordPress safe and secure.


  1. You can use the following plugins to change the default login URL of WordPress.
  • WPS Hide login
  • iThemes security plugin
  • Rename wp-login.php

There are also various good WordPress security plugins that you can use to change the login URL of WordPress.

  1. You can use the following plugins to add captcha to WordPress login page.
  2. reCaptcha by BestWebSoft
  3. Simple login captcha
  4. Login no captcha reCAPTCHA
  5. Advanced noCaptcha & invisible Captcha
  6. Now, you can use the following plugins to add a password to the login page of your WordPress website.

 06. WordPress Password Protect Page Plugin

By using any one of the 3 processes mentioned above, you can be safe from the brute force login attack on your WordPress website.

But the best and easiest way will be the first two.

Use strong login password

Now, we all know that it is very important to have a strong admin password for your WordPress website.

However, if you create a password using only a few words and numbers, but it can not be called a strong password.

So, to create a strong WordPress admin password, follow the rules below,

  • Use at least 4 “special characters” in the password. g., # $% & *.
  • Of course you have to add some numbers in your password.
  • Never put a password on top of your own name or website name.
  • Create passwords as long as possible. This will make it easier for hackers to guess your password.
  • Try to change the password of your website after about 1 month.

So, you can create a strong and secure password for WordPress by following some of the general rules mentioned above.

Use two factor authentication (2FA)

One of the most popular ways to secure a WordPress website’s login page is with “two factor authentication (2FA)”.

If you are using this “2FA” process on your WordPress login page. So, every time you go to the WordPress Login Page and type your username and password, you have to give a secret code to that login page as well. And, this secret code will only be created on your mobile through “2FA application”.

But that’s it, if you have set authentication through mobile app. There are other ways to get secret code.


Without this “secret code” or “authentication code” created, neither you nor anyone else can login to your WordPress admin panel. So, if you use this medium, you will not be afraid of unauthorized login to your WordPress website. A WordPress website has several free plugins to use “two factor authentication (2FA)”.


 Google Authenticator by miniOrange

After installing and activating the above mentioned plugin on your WordPress website, you can secure your WordPress login page through various means.


  • Google verifies authentication app.
  • Adds security question to login page.
  • Receives OTP SMS on mobile phone.
  • Receives OTP email with your own email ID.
  • Mobile uses mini orange authentication app.

By configuring the process that you think is convenient, you can add the authentication process to your WordPress login page. Thus, without a special authentication code, no fake bot or user can login to your WordPress admin panel.

Backup website regularly

Hey I know, your hosting company may have a backup of the entire website for you.

However, if you want to keep your website safe and secure at any time, you must take a backup of the website from yourself. In this case, if at any time your website is hacked or your hosting company suspends you, you have nothing to fear.

You can use the backup file of your website, which you have, to re-launch the website with hosting from any other hosting company. Or, if your website has been hacked, you can restore the backup file of the website you have and restore the website to its previous state. So, the most effective way to keep your website safe and secure forever is to create your own backup system.

 07. How do I backup a website?

I am using the “UpdraftPlus” plugin to backup every one of my WordPress websites. This plugin is the best and completely free to make a full backup of any WordPress website. With UpdraftPlus, you can backup your entire website to your Google Drive account with just one click.


If necessary, you can restore the backup of the entire website by clicking on the “restore backup” option at any time.


With backup through updraftPlus you can migrate your entire WordPress website by installing it in another hosting company. So, if your hosting company suspends your account in the future or your website server is hacked,

Then you can easily restore your backup files to another hosting server through updraftPlus and save the website from being damaged. So, start backing up your entire WordPress website with UpdraftPlus from today, and keep your website safe forever.

Related: 7 Best Advanced Secure Web Hosting Practices to Keep Your Site Safe

I have uploaded a tutorial video of UpdraftPlus on my YouTube channel. If necessary, look at the process of backing up and restoring the website.

Block directory indexing & browsing

If the website directory indexing and browsing is open, anyone can see the important directory files of your website.


Block directory indexing & browsing
Block directory indexing & browsing

If you add “/ wp-content” or “/ wp-content / plugins /” to the end of your WordPress website,


Then, if the directory shown in the image below comes up,

 07. Protect WordPress Websites

Disable directory indexing in WordPress

Then your website’s directory indexing and browsing is open. And, it must be blocked as soon as possible. Looking at the picture above, you can understand what is called directory indexing.

Hackers can get important information through these directories of your website. Then you can easily attack or hack the theme and plugin or server of the website. So, be sure to pay attention so that your website directory browsing and indexing is stopped.

How to stop WordPress directory indexing and browsing?

If you are using web hosting from a good hosting company, your hosting company will stop this kind of directory indexing. If you ask your hosting company to stop directory indexing, they will stop. Moreover, if you are using a good “WordPress security plugin”,


  1. Wordfence
  2. Secure security
  3. iTheme security

If so, these security plugins will stop directory indexing of your website.


If you go to the “.htaccess” file of your website and add the “Options -Indexes” line at the very end, then the directory indexing and browsing of the website will stop.

Disable directory indexing in WordPress
htaccess Options -Indexes

Disable WordPress Meta generator and version

You can also prevent your website from being hacked by disabling and hiding the version and meta generator of your WordPress website. Many hackers can hack your website by taking the information of version and meta details of WordPress website. So, of course make these two things disable.

 How to hide WordPress Meta generator and version?

There are definitely many free plugins to do this. However, if you are using a good WordPress security plugin, there will be options to disable and hide the Meta generator and WordPress version.


  • Secure security
  • All in one WP security & firewall
  • iTheme security

Each of these WordPress free security plugins has the option to hide the WordPress version and meta details. Moreover, if you do not get the option in your WordPress security plugin,

Then, using the “Meta Generator and Version Info Remover” plugin, you can remove and hide WordPress meta details and version.

09. Use CloudFlare for extra security

If you’re a blogger and you don’t know about cloudflare, it’s hard to believe. Nowadays, almost every blogger or every WordPress website is using “cloudflare”. In fact, cloudflare is a “content delivery network” which is simply called “CDN”. The main purpose of CDN is to speed up the loading of your WordPress website.Cloudflare’s server is in different places in the country and abroad.

And so,

When we add our website to CloudFlare, it saves a copy of our website on each of its servers.

In this,

When a user requests to come to our website, our website is provided from the user’s nearest server. As a result, the server response time of our website decreases and the loading speed of the website becomes faster.


There are a variety of caching and minification options that allow CloudFlare to speed up the loading of our website.

The role of cloudflare in website security

Cloudflare is an advanced and very popular CDN that will not only improve the loading speed of your website, but will also help you a lot in terms of website security and safety.

Cloudflare has some advanced security settings,

You need to go to these security settings –

Dashboard >> Firewall >> settings >>

Security level – is used to verify the visitors to the website.  Whether they are real people or robots is seen.  In case of good security, keep the Security Level Medium at all times.

Bot fight mode – If your website is getting a lot of fake bot traffic, then turn on the option.  In this way, CloudFlare will stop these bot traffic before it enters your website.

 10. JavaScript Detection – Keep this option on to fight fake bot traffic.

Browser Integrity Check – This allows CloudFlare to monitor the web browser of your website visitors.  If they have a virus in their web browser, they are not allowed to access your website.

By keeping each of these settings on Cloudflare, you can protect your website from bad boat traffic or various types of attacks.

If you are using WordPress, be sure to use “Cloudflare”. You can add your own website to CloudFlare for free and use the security settings mentioned above. We’ve created a video on how to add your own website and other settings to CloudFlare. You can watch the whole thing by visiting our YouTube channel.

11. Don’t use null WordPress theme & plugin

If you use Null WordPress theme and plugin, the chances of your WordPress website being hacked increase by 200%. Because, when we download and install any expensive and premium WordPress theme or plugin from various unbelievable websites on the internet on our own WordPress website,

Then various unnecessary codes, hacking scripts and files enter our website. And these codes, scripts and files can do a lot of damage to our website in the future. You can use premium themes or plugins from any unreliable website, to show hackers access to your blog.

So, never make this mistake.

Never use a null theme or a null plugin on your WordPress website. WordPress has thousands of optimized themes and plugins. So, first of all, use the theme and plugin inside WordPress.

If you start earning income from blogs in the future, you can buy and use premium WordPress theme or plugin from the official website in the right way.

Use trusted secure hosting company

We must make the mistake of using cheap low quality and local web hosting to save some money.

Remember, the next thing is whether traffic is coming to your blog. However, if you want to keep your WordPress website secure, Then use web hosting from a good hosting company.

12. Be careful before buying hosting

Good and best web hosting company

See, cheap, local and low quality web hosting companies do not use any security settings and options to protect their servers. And, even if they are used, they are not very good.

So, at any time, there is a chance of database attack, server hack or other types of cyber attack on their server. As a result, the entire hosting server crashes and your website and every other website on the server is damaged.

And so on. I want to tell you, at the same time buy hosting from some popular web hosting companies that have been in the market for almost many years.


  • bluehost.in ($3.95 + free domain for one year)
  • hostgator.com ($2.75)
  • greengeeks.com ($2.95)
  • cloudways.com (Best speed & security)
  • namecheap.com ($2.67)

And there are many more web hosting companies that are very popular, secure and fast as well as providing hosting for much less money.

13. Use a good WordPress security plugin

All of the above tips on security and safety of your WordPress website must be followed. Thus, it is possible to provide good quality security to your WordPress website by using a good security plugin.

At present, There are many good WordPress security plugins that will protect your website in every case.


  • Basic firewall security
  • Two-Factor Authentication
  • Malware Scan
  • Password Security
  • Protection from brute force attacks.
  • Detects and blocks bad bots.
  • WordPress login URL change.
  • Protect System Files
  • Directory Browsing disable
  • Disable XML-RPC

And there are many more security settings, which you can apply to your website using these WordPress security plugins. You will find each of the above security settings in the “iThemes Security plugin“.

I personally use this plugin to keep my WordPress websites safe and secure. For A to Z security of any WordPress website, I recommend using this iThemes security plugin.


There are many more WordPress plugins that are used to keep WordPress website secure.

Best Top 5 free WordPress security plugins

  • Wordfence security – (more popular)
  • Sucuri Security – (These are WordPress security experts)
  • Shield Security – (Popular Plugin)
  • iThemes Security – (Best Security Plugin)
  • All In One WP Security & Firewall (powerful but free)

As mentioned above, using any one of the security plugins will make your WordPress website much more secure and secure.

14. You can use CloudFlare for free.

Content Delivery Network

I’m doing too. Friends, I always try to give you completely accurate and working information. So, if you have any problems or suggestions related to the article, please let me know in the comments.

15. What did we learn today?

Friends, today we learned how to keep your WordPress website secure and secure.


  • When using a good web hosting,
  • If you do not use null theme and plugin, and
  • Using a good WordPress security plugin,
  • The chances of your website being hacked are greatly reduced.

However, when you continue to be successful but many will be jealous of your success. As a result, various types of automated bot traffic will be sent to your website. So, using CloudFlare in this case, you can save your website from this kind of fake bot traffic.

In the end, if you like the article, you must share. We hope you enjoy today’s article on the security and safety of WordPress websites.

Share on:

I'm Readoy K Das. I love to write about Tech articles on my blog at desk2blog.com. Passionate & expert with blogging articles Writing, SEO, love to travel, Dreamer, entrepreneur, and YouTuber.

Leave a Comment