10 WordPress Security Tricks and Tips To Keep Your Site Safe in (2021)

by | Sep 18, 2021 | Security

As a business owner, you already know how to make your WordPress secure. Strong passwords, using a good hosting provider, doing regular backups — all of these do help you protect your site from hackers, but are these all enough?

Not really!

You need to take action to make your site completely secure. After all, you do not want to give malicious actors any chance to break into your site.

WordPress, by default, is already secure. However, you need to follow industry-leading best practices for securing your WordPress site.

Let’s get started.

Install WordPress Security Plugin

Even though WordPress is a secure platform, using a third-party security plugin can help secure your site further. There are plenty of third-party WordPress security plugins that you can try including WordFence, Sucuri Security, and Bulletproof security.

A WordPress security plugin takes care of the overall site’s monitoring and auditing. For example, it will handle failed login attempts, file integrity monitoring, and malware scanning — to name just a few things that a modern WordPress security plugin does.

As a consumer, you have many choices when it comes to choosing the best WordPress security plugin. I generally suggest WordFence and Sucuri. However, you are also free to use other WordPress security plugins.

Setting up a security plugin is also easy. Once you install and activate them, it will guide you step by step on what needs to be done to harden your site’s security. Almost all of them require an API key to work. To generate the API key, you need to go to the respective security plugin main site and create an account. Once done, it will generate a unique API key for your site.

Rename Login URL

Most of the attacks on your WordPress site are carried out by bots. These bots target the login URL of WordPress and try to guess the password by constantly trying out new combinations.

So, a bot will simply go to your site login URL page: www.yougoodrsite.com/wp-login.php — and then bombard it with login attempts. 

To overcome this, you can simply change the login URL to something different(and hard). You can opt for a random login URL or simply change it to something that is easy for you to remember.

It may be something like: www.yourgoodsite.com/this_is_the_way_batman_login.php.

You can change the URL using WordPress security plugins such as iThemes. There are also dedicated plugins for changing URLs. If you are a dedicated developer or webmaster for your site, you can also ask them to change it for you.

Limit Login Attempts

Apart from the Login URL change, you also need to limit login attempts. By limiting the login, you are discouraging bots from trying out combinations. It also prevents hackers who try to enter you using brute-force methods.

To enable it, you can free-to-use plugins such as WP Limit Login Attempts or Login LockDown.


Secure Socket Layer(SSL) is a way to secure your site with another layer of technology. It encrypts the data that is shared between your site and visitors. 

To enable SSL on your site, you need to ask your hosting provider to install one for you. Many hosting plans already contain SSL certification. You can also get an SSL certificate from third-party providers and install it on your site.

If you do not want to spend, you also use the industry-standard free SSL; let’s encrypt. It is easy to install using the plugin. If you cannot do it, you can take the help of professional web admins who can do it for you as low as $5.

Protect wp-config.php

WordPress wp-config.php is used to configure and manage WordPress installation. It is basically the core of your site. This means that you need to protect it so no one can change the values and disrupt your site’s functionality.

To protect the wp-config.php file, you need to move it to one folder above your WordPress root directory. This will hide it from hackers.

Another thing that you can do is disable file editing. To do so, open the wp-config.php file using your favorite text editor. Once it is opened up, you need to add the following code.

// Disallow file edit

define( ‘DISALLOW_FILE_EDIT’, true );

Two-Factor Authentication

Strong passwords get you a long way, but nothing beats two-factor authentication(2FA). 2FA adds another security layer for your site. Basically, you need to go through two steps before you can access your site. The second step is adding a one-time password(OTP) that can be sent to email or phone(call or text).

The second layer adds ambiguity to the hacker’s attack. Even if they can guess the password, they do not have access to the OTP. 2FA is 100% effective against brute force attacks and prevents your site from hackers(mainly bots).

There are plenty of Two-Factor authentication plugins. You can check out Google Authenticator or Duo Two-Factor Authentication.

Disable XML-RPC

XML-RPC is an interesting technique that lets pass multiple methods within a single request. It is a useful method as you can reduce HTTP requests. However, it can also be used with malicious intent.

Few WordPress plugins use XML-RPC, but it is better to disable it to secure your site. Jetpack is one of the popular plugins that use XML-RPC.

To check if your XML-RPC is enabled on your site, you need to try the XML-RPC Validator tool by Danilo Ercoli from the Automattic team. If the XML-RPC validator fails to detect XML-RPC on your site, it will throw an error.

If it is enabled, then you need to use the XML-RPC plugin to disable it. In some cases, the hosting provider takes care of XML-RPC by configuring their NGINX config file accordingly.

HTTP Security Headers

To further harden your site from hackers, you can also add HTTP security headers. The HTTP security headers work at the webserver level. They tell the browsers that the content needs to behave on the user’s side.

As a business owner, you do not have to worry about all HTTP security headers. All you need to do is make sure that the following HTTP security headers are implemented correctly.

  • X-XSS-Protection
  • X-Frame-Options
  • Content-Security Policy
  • Public-Key-Pins
  • X-Content-Type
  • Strict-Transport-Security.

To check which HTTP security headers are already enabled, you need to use Chrome dev tools.

Database Security

The database is at the core of your WordPress website. After all, it stores all your data in a centralized and secure manner. However, there are few tweaks you can do to make your database more secure.

For example, you can choose a database name that is not obvious. If you are running a tech site, your database name might be something wp_tech or wp_yoursitename. The hacker can easily guess these, and the information can be used to penetrate your database security. The best way to solve this is to use a difficult yet clever database name.

Another small change that you can make is to change the database table prefix. WordPress, by default, use wp_. You can change it anything like 15rx_, protecting it in the best possible way.

You can change the prefix during the WordPress installation process. 

Hotlinking prevention

Hotlinking is a method by which you can use images on the internet directly to your site. Basically, you are serving the image without the need to host it. This means you are doing bandwidth theft. For the original owner, it can lead to more server costs and overall slow site performance.

To prevent hotlinking, you need to do the following based on your server type.

Disabling Hotlink in Apache

All you need to do is copy-paste the following code in your .htaccess file.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]

Disabling Hotlink in NGINX

In NGINX, you need to copy-paste the following code in the config file.

location ~ .(gif|png|jpe?g)$ {
    valid_referers none blocked ~.google. ~.bing. ~.yahoo yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
    return 403;

DDoS Protection

Distributed Denial of Service(DDoS) attack uses multiple systems to send requests to the server so that it overwhelms it and makes it either crawl or simply make it go down. These are prevalent attacks and generally happen to interrupt the service.

To protect against it, you need to use a CDN such as Cloudflare. You can also use other services such as Sucuri to prevent DDoS attacks. Your hosting provider also might have its own arrangement when it comes to handling DDoS attacks.

What’s next?

Securing your site requires careful planning and execution. Some of them are technical, and you may require help from your developer or a professional. If you are curious, you can also implement them yourself by doing the research yourself!

Implemented all of the security tips and tricks? Then, your site is pretty secured! However, you should check your site periodically to make sure that there is no lapse in security.

If securing your site seems tough to you, then you can always contact us at [email protected]. Our approach to secure the WordPress site is backed by years of experience where we helped secure the best websites out there.