Step-by-Step Guide to Setting Up WordPress Website Security
Website security is critical for protecting your website from hackers, malware, brute-force attacks, spam, and data theft. Whether your site is local (XAMPP) or live online, these steps will help secure it.
Step 1: Keep WordPress Updated
Always update:
- WordPress core
- Themes
- Plugins
Go to:
Dashboard → Updates
Install updates promptly; the time between a patch release and your update is the attack window.
Why?
Most WordPress compromises start with a known, already-patched vulnerability in an outdated plugin, theme or core version. For sites nobody checks daily, enable auto-updates per plugin (Plugins → Installed Plugins → Enable auto-updates), and test updates on a staging copy first if the site is business-critical.
Step 2: Use Strong Login Credentials
Avoid predictable usernames such as:
admin
administrator
test
Use something unique.
Example:
skoc_admin2026
Keep in mind that a WordPress username is not a secret: author archive URLs, the REST API and the wording of login errors can all reveal it. A non-obvious name removes the easy guess and nothing more; the password and two-factor authentication below are the real defence.
Use a strong password of at least 12 characters that you use on no other site, ideally generated and stored by a password manager, containing:
- Uppercase letters
- Lowercase letters
- Numbers
- Symbols
Example:
T#9x!M4@pL82
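Because usernames leak through several built-in features (the ?author=N redirect, the REST users endpoint, the author sitemap and login error wording), the following must-use plugin closes those leaks for anonymous visitors. It is an added example, not code from this guide or from any plugin named in it; the file name, plugin name and the generic error text are assumptions.

```php
<?php
/**
 * Plugin Name: Reduce username exposure (added example)
 * Description: Save as wp-content/mu-plugins/reduce-username-exposure.php
 *              (file and plugin names are assumptions).
 */

// 1. /?author=1 is normally redirected by redirect_canonical() (priority 10 on
//    template_redirect) to /author/<login>/, which reveals the login name.
//    Priority 1 runs before that redirect.
add_action('template_redirect', function (): void {
    if (!is_admin() && isset($_GET['author'])) {
        wp_die('Forbidden', 'Forbidden', ['response' => 403]);
    }
}, 1);

// 2. /wp-json/wp/v2/users lists every user who has published a post, even for
//    anonymous requests. Hide the users routes unless the caller may list users
//    (editors using the block editor still have them, via cookie + nonce).
add_filter('rest_endpoints', function (array $endpoints): array {
    if (current_user_can('list_users')) {
        return $endpoints;
    }
    unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});

// 3. The built-in sitemap (WordPress 5.5+) publishes an author sitemap.
//    Returning false from this filter drops the "users" provider.
add_filter('wp_sitemaps_add_provider', function ($provider, string $name) {
    return 'users' === $name ? false : $provider;
}, 10, 2);

// 4. Core reports "unknown username" and "incorrect password" differently, so a
//    failed login confirms whether an account exists. Priority 100 runs after
//    core's authenticate callbacks (20-30) and replaces those specific errors
//    with one generic message. The new code is not in core's ignore list, so
//    wp_login_failed still fires and login limiters still count the attempt.
add_filter('authenticate', function ($user) {
    $leaky = ['invalid_username', 'invalid_email', 'incorrect_password'];
    if (is_wp_error($user) && in_array($user->get_error_code(), $leaky, true)) {
        return new WP_Error('invalid_login', 'Invalid username, email address or password.');
    }
    return $user;
}, 100);
```

The author archive itself (/author/<slug>/) still shows the slug, which defaults to the login name; that is inherent in the permalink structure and is why the login name should not double as a public display name.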
Step 3: Install a Security Plugin
Popular options:
- Wordfence Security
- Sucuri Security
- All-In-One WP Security & Firewall
Install
Go to:
Plugins → Add New
Search for:
Wordfence Security
Install and activate.
Step 4: Enable Two-Factor Authentication (2FA)
2FA requires a second verification step when logging in.
With Wordfence:
- Open Wordfence → Login Security.
- Enable Two-Factor Authentication for your own account, then use the role setting to require it for all Administrators so no admin account can skip it.
- Scan the QR code using an authenticator app, confirm with a code, and store the recovery codes somewhere safe (not in the browser that is already logged in).
Recommended authenticator apps:
- Google Authenticator
- Microsoft Authenticator
Any TOTP app works; SMS codes are weaker because phone numbers can be hijacked.
Step 5: Limit Login Attempts
This slows brute-force and credential-stuffing attacks against the login form. Keep in mind that wp-login.php is not the only way to authenticate: XML-RPC (Step 13) and the REST API accept credentials too, so the lockout should cover all of them, not only the login page.
Using Wordfence or All-In-One WP Security:
Set:
Maximum Attempts: 3–5
Lockout Time: 30 Minutes
Caveat: if the site sits behind a CDN or reverse proxy, make sure the plugin is configured to see the real client address. Otherwise every visitor shares the proxy's IP and a single attacker can lock everyone out.
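To make clear what a login limiter actually does, here is a minimal one as a must-use plugin. It is an added example, not code from this guide or from Wordfence or All-In-One WP Security; the plugin and constant names are assumptions, and the 5-attempt / 30-minute policy is taken from the values above.

```php
<?php
/**
 * Plugin Name: Login throttle (added example)
 * Description: Locks an IP address out after repeated failed logins. Save as
 *              wp-content/mu-plugins/login-throttle.php (names are assumptions).
 */

// Policy values from the guide: 5 attempts, then a 30-minute lockout.
define('LOGIN_THROTTLE_MAX_ATTEMPTS', 5);
define('LOGIN_THROTTLE_LOCKOUT_SECONDS', 30 * MINUTE_IN_SECONDS);

function login_throttle_client_ip(): string {
    // REMOTE_ADDR is the only address the server itself verified. Do not read
    // X-Forwarded-For here unless a trusted proxy is known to overwrite it;
    // otherwise an attacker simply sends a new header value with each attempt.
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function login_throttle_key(string $ip): string {
    // Hashing keeps the transient name short and free of IPv6 colons.
    return 'login_throttle_' . md5($ip);
}

function login_throttle_is_locked(string $ip): bool {
    return (int) get_transient(login_throttle_key($ip)) >= LOGIN_THROTTLE_MAX_ATTEMPTS;
}

// Count failures. Core fires this action for every rejected login, including
// the rejections this plugin produces, so attempts made during a lockout
// extend it (each set_transient() restarts the expiry clock).
add_action('wp_login_failed', function ($username): void {
    $key      = login_throttle_key(login_throttle_client_ip());
    $attempts = (int) get_transient($key);
    set_transient($key, $attempts + 1, LOGIN_THROTTLE_LOCKOUT_SECONDS);
});

// Reject the login while locked out. Priority 50 runs after core's username,
// email and cookie checks (priorities 20-30), so a correct password submitted
// during the lockout cannot override it. Returning WP_Error from a later
// priority wins over the WP_User an earlier callback produced.
add_filter('authenticate', function ($user, $username, $password) {
    if (login_throttle_is_locked(login_throttle_client_ip())) {
        return new WP_Error(
            'login_throttle_locked',
            sprintf(
                'Too many failed logins from your address. Try again in %d minutes.',
                LOGIN_THROTTLE_LOCKOUT_SECONDS / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 50, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(login_throttle_key(login_throttle_client_ip()));
}, 10, 2);
```

Because the counter keys on REMOTE_ADDR, this example has the same proxy caveat as the plugins: behind a CDN, either terminate the throttle at the CDN or have the proxy rewrite REMOTE_ADDR before WordPress sees the request. Transients live in the options table (or the object cache), so the counters survive across PHP workers but are cleared if the cache is flushed.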
Step 6: Install an SSL Certificate
TLS (still commonly called SSL) encrypts traffic between visitors and your website, so passwords and session cookies cannot be read or altered in transit.
Your site should load as:
https://yourdomain.com
instead of:
http://yourdomain.com
Many hosts provide free certificates (usually from Let's Encrypt) that renew automatically; if yours does not, Certbot can issue one on a server you control.
Step 7: Force HTTPS
After the certificate is installed:
Go to:
Settings → General
Set both WordPress Address (URL) and Site Address (URL) to start with:
https://
Then confirm in a browser that http:// requests redirect to https:// (most hosts offer a one-click redirect; otherwise ask your host) and that no page reports mixed content, i.e. images or scripts still loaded over http.
Step 8: Change the Login URL
Default login:
/wp-admin
/wp-login.php
Attackers know these URLs and scan for them automatically.
Install:
WPS Hide Login
Example custom URL:
/skoc-login
This is obscurity, not authentication: it cuts down automated noise, but anyone who learns the new URL is in the same position as before, and XML-RPC still accepts logins unless you disable it (Step 13). Record the new URL somewhere safe; if you forget it, you lock yourself out.
Step 9: Disable File Editing
By default, WordPress lets administrators edit theme and plugin PHP files from the dashboard (Appearance → Theme File Editor), which turns any stolen admin session into the ability to run arbitrary PHP on the server.
Edit:
wp-config.php
Add:
define('DISALLOW_FILE_EDIT', true);
This removes the editor, so a compromised admin account cannot plant a PHP backdoor through it. (It could still upload one as a plugin; restricting plugin uploads is a separate, stricter setting.)
Step 10: Configure Proper File Permissions
Recommended permissions:
Folders: 755
Files: 644
wp-config.php: 600 or 640
Never use 777. Also check ownership: ideally the files belong to your deploy or SFTP user and the web server process can only read them, so a flaw in the site cannot rewrite its own code. The cost is that dashboard updates then need write access through FTP credentials or a deploy step.
Your hosting provider can help if needed.
Step 11: Backup Your Website Automatically
Install:
- UpdraftPlus
- Duplicator
Schedule:
Daily Database Backup
Weekly Full Backup (files and database)
Store backups off-site, not on the same server, which an attacker or a disk failure would take down together with the site. Restore one to a test site occasionally; a backup you have never restored is not a backup.
Step 12: Protect wp-config.php
The wp-config.php file contains the database credentials and the authentication keys and salts.
Deny web access to it in your web server configuration (an Apache .htaccess rule or an nginx location block) or through your security plugin, or move the file one directory above the web root, which WordPress supports without further changes. Give it the restrictive permissions from Step 10 as well.
Step 13: Disable XML-RPC if Unused
XML-RPC (xmlrpc.php) is a legacy remote-publishing API that accepts a username and password. Attackers use its system.multicall method to try hundreds of passwords in a single HTTP request, which sidesteps per-request login limits, and its pingback method to reflect denial-of-service traffic at other sites.
Install:
Disable XML-RPC
or disable it through your security plugin.
Caveat: Jetpack, the WordPress mobile apps and some remote publishing tools depend on XML-RPC. If you use them, restrict it (for example to Jetpack's IP ranges) rather than disable it.
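If you prefer not to add another plugin, the same result fits in a few lines of a must-use plugin. This is an added example, not code from this guide or from the Disable XML-RPC plugin; the file and plugin names are assumptions. It goes further than the single xmlrpc_enabled filter, because that filter only covers methods that require a login.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Description: Save as wp-content/mu-plugins/disable-xmlrpc.php
 *              (file and plugin names are assumptions).
 */

// Reject every XML-RPC method that needs a login. This is what stops
// system.multicall credential stuffing, where one request carries hundreds of
// wp.getUsersBlogs calls, each with a different password.
add_filter('xmlrpc_enabled', '__return_false');

// xmlrpc_enabled leaves unauthenticated methods alone, so the pingback
// methods, abused for reflected DDoS, have to be removed separately.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint in the X-Pingback response header ...
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// ... and in the <link rel="EditURI"> discovery tag in the page head.
add_action('init', function (): void {
    remove_action('wp_head', 'rsd_link');
});

// Belt and braces: answer any direct hit on xmlrpc.php with 403 before a
// method is dispatched. xmlrpc.php defines XMLRPC_REQUEST before loading
// WordPress, so this is reliable. The web-server equivalent is a deny rule
// for /xmlrpc.php, which also saves the PHP work.
add_action('init', function (): void {
    if (defined('XMLRPC_REQUEST') && XMLRPC_REQUEST) {
        status_header(403);
        exit('XML-RPC is disabled on this site.');
    }
});
```

To verify, send a POST to /xmlrpc.php and confirm the response is the 403 text rather than an XML fault document; a GET should behave the same way.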
Step 14: Scan for Malware
Use:
- Wordfence Scan
- Sucuri Scan
Run scans weekly, and immediately after any update or unexpected change.
Review:
- Suspicious files
- Modified files
- Malware alerts
Wordfence compares core, plugin and theme files with the copies published on WordPress.org, so an unexplained "modified file" is a strong signal and should be investigated, not dismissed. WP-CLI's core verify-checksums command performs the same check for core files from the command line.
Step 15: Protect Against Spam
Install:
- Akismet
or add a CAPTCHA or honeypot field to every public form (comments, contact, registration). If the site does not need visitor accounts, also keep "Anyone can register" off under Settings → General.
Step 16: Secure Your Hosting Account
Enable:
- A strong, unique hosting password
- Two-factor authentication on the hosting control panel
- The same protections on the email account that receives password resets for hosting and WordPress
If the hosting or email account is compromised, an attacker can reset your WordPress password or edit files directly, bypassing everything above.
Step 17: Monitor Website Activity
Install:
WP Activity Log
Track:
- Logins (successful and failed)
- User changes (new accounts, role changes)
- Plugin installations and activations
- Content edits
Review the log regularly, not only after an incident, and where possible keep a copy off-site so an attacker who gains admin rights cannot erase the evidence.
Step 18: Remove Unused Themes and Plugins
Delete:
- Unused themes
- Inactive plugins
- Test installations
Inactive software is still code on disk: its files can still contain exploitable vulnerabilities and still need updates, but nobody is watching them. Deleting is safer than deactivating.
Step 19: Secure Your Database
Use a custom table prefix during installation.
Instead of:
wp_
Use:
skoc_
The prefix is not a secret (it can be inferred from error messages or plugin output), so this only defeats automated SQL injection payloads that hardcode wp_. Choose it at installation time: changing $table_prefix afterwards without renaming every table and the prefixed rows in the options and usermeta tables breaks the site.
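The wp-config.php settings from Steps 7, 9 and 19, together with the automatic core updates from Step 1 and the keys and salts from Step 12, can be collected in one place. The following excerpt is an added example rather than a configuration taken from this guide; the prefix value, the placeholder salts and the proxy header check are assumptions and must be adapted to your site.

```php
<?php
// wp-config.php excerpt (added example). Place these lines above the
// "That's all, stop editing!" comment and replace the existing $table_prefix line.

// Step 19: table prefix. Set at installation time; renaming later means
// renaming every table and the prefixed option/usermeta rows as well.
$table_prefix = 'skoc_';

// Step 7: never serve the dashboard or the login form over plain HTTP.
// Site URLs are still set in Settings -> General; this constant makes
// wp-admin redirect to HTTPS even if someone types http://.
define('FORCE_SSL_ADMIN', true);

// Only if a reverse proxy or CDN terminates TLS: WordPress then sees plain
// HTTP and FORCE_SSL_ADMIN would loop. Trust X-Forwarded-Proto solely when
// the proxy is known to overwrite it; otherwise delete this block.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO']) {
    $_SERVER['HTTPS'] = 'on';
}

// Step 9: remove the theme/plugin file editor from the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Stricter variant: also block installing and updating plugins/themes from
// the dashboard. Use only when code is deployed another way (git, WP-CLI),
// because it also disables the dashboard update buttons.
// define('DISALLOW_FILE_MODS', true);

// Step 1: apply security and minor core releases automatically.
define('WP_AUTO_UPDATE_CORE', 'minor');

// Step 12: unique keys and salts. Generate fresh values at
// https://api.wordpress.org/secret-key/1.1/salt/ and replace them after any
// suspected compromise; replacing them logs every user out immediately.
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

// Never leave debugging on in production: it prints stack traces and SQL to
// visitors or writes them to a web-readable wp-content/debug.log.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
```

After saving, load wp-admin over http:// to confirm the redirect, log in once to confirm the salts did not break cookies, and check that Appearance no longer offers a file editor.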
Step 20: Security Checklist for your website
Before launching:
✅ WordPress core, themes and plugins updated
✅ Unique admin username and strong password
✅ Two-factor authentication enabled for all administrators
✅ HTTPS certificate installed and http redirected to https
✅ Login attempts limited
✅ Login URL changed
✅ File editing disabled in wp-config.php
✅ File permissions checked
✅ XML-RPC disabled if unused
✅ Unused themes and plugins removed
✅ Backups configured and a restore tested
✅ Security plugin installed
✅ Malware scan completed
✅ Spam protection enabled
✅ Activity log enabled
✅ Hosting and email accounts protected with 2FA
Recommended Security Plugin Stack
For most small business WordPress sites:
- Wordfence Security
- UpdraftPlus
- WPS Hide Login
- Akismet
This combination provides firewall protection, malware scanning, login protection, backups and spam filtering without requiring advanced technical knowledge. It does not replace the items that live outside WordPress (HTTPS, file permissions and ownership, hosting-account 2FA) or the habit of keeping everything updated.

