We will talk about a few common methods to keep your WordPress website safe. We briefly included in our article how to protect WordPress website in 10 steps.

1. Work only with safe and known hosting

You should only work with reliable, quality and secure hosting. We recommend that you choose one of the top 20 hosting companies that are known for WordPress, which offers you secure login methods and can easily manage your https configuration.

The features offered by all hosting companies are not the same and the possibilities on the security side vary. Hosting companies that offer you full access to the management panel, 24/7 support, and easy to backup and re-install will be a good choice.

2. Create and use strong passwords

From the database password asked at the beginning of the WordPress installation to the WordPress admin password, you have to specify a strong password with at least 8 characters, including uppercase letters and special symbols.

3. Protect the wp-config.php file

The wp-config.php file contains important information about your WordPress installation and is the most important file in the root directory of your site. This file contains the information of your database and the keys required to log in securely to your website. Protecting this file means securing your WordPress website.

To protect this file, take your wp-config.php file and move it to a higher level than the root directory.

Well, if you keep this file elsewhere, how does the server access it? In the current WordPress architecture, the configuration file settings are set to the highest value in the priority list. So even if a folder is hidden above the root directory, WordPress can still see it.

4. Change table prefix

WordPress allows you to set the prefix of its tables for the database in setup. The standard “wp_” prefix is of course known to hackers. Example of a mixed word instead of the “wp_” prefix. In “wp958fzw_” you make it difficult for potential hackers. Also, this prefix must be specified only once. You don’t need to remember this prefix.

5. Do not create user accounts such as admin or administrator

WordPress prompts you to specify a user account to login to the administration panel during installation. You can choose a name that is difficult to guess instead of admin or administrator for the username.

6. Set directory permissions carefully

You can grant stricter permissions instead of directory access offered by hosting companies. Changing files and directory permissions is a good way to secure the website at the hosting level. Setting directory permissions to “755” and files to “644” protects the entire file system – directories, subdirectories, and individual files.

This can be done manually via the File Manager inside your hosting control panel, or via the terminal (connected with SSH) – use the “chmod” command.

For more information, you can read the correct permission scheme for WordPress or install the iThemes Security plugin to check your current permission settings.

7. Disable directory listing with .htaccess

A htaccess file is a very powerful tool. With “.htaccess”, many security settings can be made that restrict access to many important configuration files and backend space. If you don’t put an index.html file in your root or website’s home directory, you might be surprised to see that your visitors can get a complete directory list of everything in that directory. For example, if you create a directory named “theme”, you can see everything in that directory simply by typing http://www.example.com/theme/ in your browser. No password or anything is needed.

8. Use or activate two-factor authentication for WordPress security

Using a two-factor authentication (2FA) module on the login page is another important step for security. In this case, the user provides login information for two different components. The website owner decides what these two are. This can be a normal password followed by a secret question, a series of characters, a secret code, or a more popular app, the Google Authenticator app that sends a code to your phone. This way, only the person using your phone (you) can log in to your site.

9. Install WP-Security Scan by WebsiteDefender Plugin

There are a few plugins among WordPress plugins that will keep your WordPress site secure and provide you with information about vulnerabilities. You can install the most commonly used and most preferred plugins by typing “security” in the search box on the https://wordpress.org/plugins/ website. You can choose one of the most preferred plugins such as Wordfence Security, All In One WP Security & Firewall, iThemes Security as security plugins.

10. Update the WordPress version regularly.

Every good software is supported by product developers and updated from time to time. These updates are for fixing errors and sometimes for crucial security issues. If you deprive your WordPress site of updates, this will be a serious problem in time. Especially popular and serious applications also attract attention in hackers. Fortunately, WordPress offers one-click updates, allowing WordPress site owners to transition to the new version in a practical way.