How to secure a WordPress website with and without a plugin

Hi there, I’m Praneeth.

In this blog, you will learn everything about how to secure a WordPress site, with and without using a plugin.

Without further ado, let’s get started.

Here is a 30,000-foot view of the blog.

How to secure a WordPress site without a plugin.

Here are 12 things you can do to secure your WordPress website without using a plugin.

  1. Manage themes and plugins properly.
  2. Change the admin username and password.
  3. Get the right hosting for your website.
  4. Get SSL and only use SFTP to connect to your website server.
  5. Manage the user accounts of your WordPress website.
  6. Keep WordPress updated with the latest version.
  7. Export your content.
  8. Move the wp-config.php file.
  9. Disable access to XML-RPC.
  10. Disable directory indexing and browsing.
  11. Manage the database of your website.
  12. Disable file editing in the WordPress dashboard.

Let’s learn about all these things in detail.

  1. Manage themes and plugins properly.

A huge portion of WordPress security issues is related to themes and plugins, so be very mindful of what you install and how you use it.

The best practices are:

  • Delete themes and plugins that you have installed but are not using on your WordPress website.
  • Always update your themes and plugins and use their latest versions.
  • Don’t install themes and plugins without doing proper research.
  • Only install themes and plugins that have a good number of downloads, positive reviews, active support, and a recent update.
  • Avoid installing themes and plugins from unknown sources.

Follow these best practices to reduce the chance of your WordPress website getting hacked through a plugin or theme.

  2. Change the admin username and password of your WordPress website.

Change your WordPress login username from the default “admin” to a custom name, so that an attacker has to guess the username as well as the password.

You can do this by creating a new administrator account with a custom username, logging in with the new account, and then deleting the old “admin” account. (WordPress will ask you to attribute that account’s content to another user; attribute it to your new account.)

The other thing is the password.

It feels repetitive, but it is one of the most important things when we talk about having a secure WordPress website.

Consider using a mix of letters, numbers and other characters in your password to make it much harder to guess.

  3. Get the right hosting for your website.

Your web hosting plays a vital role in the security of your website.

A host’s job is not confined to providing great uptime, speed, and support; it also has to take care of some important things for your website, like:

  • Protecting your website from online threats like malware, spyware, and IP spoofing with firewall protection.
  • Identifying and mitigating DDoS attacks against your website.
  • Managing brute-force attacks and providing hotlink protection.
  • Taking backups of your website.
  • Monitoring your website traffic.

Check these points and always use the right hosting provider for your website, as it can either make or break it.

If you can’t afford premium hosting, consider putting your site behind a CDN like Cloudflare, which takes care of these things for free.

  4. Get SSL and only use SFTP to connect to your website server.

Most web hosting providers today offer free SSL (Secure Sockets Layer; the modern version is TLS) certificates in their plans.

If you do not know whether your web hosting gives you a free SSL certificate, you can check in the control panel.

If not, you can connect your website to a CDN and get a free SSL certificate for it there.

The reason an SSL certificate is so important is that it encrypts the data transfer between the user’s browser and your website’s server, so someone eavesdropping on the connection cannot read or tamper with it.

The data is encrypted at both ends with SSL.

Whenever you access your website’s server files, choose the secure file transfer protocol (SFTP) instead of FTP, so that neither your files nor your login credentials travel in clear text.

Most hosting companies offer SFTP; look for it in your cPanel or contact your web hosting company for details.

  5. Manage the user accounts of your WordPress website carefully.

If your WordPress website is managed by multiple people, WordPress’s built-in user management system is a great help.

Based on each user’s role and the work they do on the website, give them one of the built-in roles, listed here from least to most privileged:

  • Subscriber
  • Contributor
  • Author
  • Editor
  • Administrator

Give each person the account that matches their responsibilities on the website.

Be very careful with these accounts and permissions, and with whom you make an administrator or editor, because these roles have almost complete control over the website: its files, posts, settings, etc.

The good thing about separating users into different roles is that if a low-privilege account gets compromised, the attacker inherits only that account’s limited permissions and can do much less damage to the website.

  6. Keep WordPress updated with the latest version.

Running an outdated version is one of the main reasons WordPress websites get hacked.

As per WP Manage Ninja, 39% of all WordPress websites that get hacked use outdated versions of the software.

The WordPress team releases updates largely to improve the security of the software and to add new features.

Updating your WordPress installation to the latest version fixes most of the known security issues right there.

If you do not know how to update your WordPress website, either look in the control panel of your website hosting or get in touch with your hosting support team and ask them to do it for you.

  7. Export your content.

Prevention is always better than cure.

Even though your web hosting provider keeps a backup of your website, it is highly recommended to keep a backup of your own as well, so that if something bad happens with your hosting, like:

  • a server crash,
  • an issue in the data center, or
  • the servers getting hacked,

you can easily switch to a new web hosting provider using the XML file you exported from your existing WordPress website onto your desktop.

You can do this from the Tools > Export screen of the WordPress dashboard, which exports all your content. Note that this export covers your posts, pages, comments and other content, not your uploaded media files, themes, plugins or settings, so it complements a full backup rather than replacing one.

  8. Move the wp-config.php file.

wp-config.php is one of the core WordPress files. It contains important information such as:

  • the database name,
  • the database host,
  • the database username and password, and
  • other important details, such as the authentication keys.

This information lets the WordPress software communicate with the database to store and retrieve things like posts, files, and settings.

In short, this file holds your website’s database connection.

What you should do is move this file out of the public_html folder (the root of the WordPress installation, where WordPress places it by default) into a private folder that the web server does not serve.

  9. Disable access to XML-RPC.

XML-RPC is an XML-based protocol for exchanging information between computer systems over a network, which makes it a way to integrate different computing environments.

In WordPress it is the interface that lets external systems, such as phones, talk to the site over HTTP.

For example, the official WordPress mobile application uses it so that you can perform tasks from your phone like:

  • moderating comments,
  • publishing, editing or deleting posts, and
  • uploading new files.

Because this interface accepts remote commands from external systems, it is also an easy entry point for attackers.

If you do not need it, you should consider disabling it to maximize the security of your WordPress website.
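The following must-use plugin is an added example, not code from the original post or from any plugin: it switches the endpoint off through WordPress’s own xmlrpc_enabled filter, stops the site from advertising it, and removes the unauthenticated pingback methods that the filter alone does not cover. The file name and location are assumptions; the hooks and function names are WordPress core’s. If you rely on the official mobile app or on Jetpack, confirm they still work after enabling it, since both have used XML-RPC.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Description: Added example for the post above, not the post's own code.
 * Save as wp-content/mu-plugins/disable-xmlrpc.php (path is an assumption);
 * must-use plugins load automatically and cannot be deactivated from the UI.
 */

// 1. Switch the endpoint off. Core consults this filter in its XML-RPC login
//    routine, so every method that needs credentials is refused with a fault
//    before any username or password is checked.
add_filter('xmlrpc_enabled', '__return_false');

// 2. Stop advertising the endpoint. Core can send an X-Pingback header and
//    themes print a <link rel="pingback"> tag, both of which point automated
//    scanners straight at xmlrpc.php.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
remove_action('wp_head', 'rsd_link');        // Really Simple Discovery <link>
add_filter('pings_open', '__return_false');  // themes then omit the pingback <link>

// 3. The xmlrpc_enabled filter gates only methods that authenticate.
//    Unauthenticated methods such as pingback.ping still answer, so remove
//    them too; pingback.ping is the one most often abused to make the site
//    send requests to third parties.
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});
```

PHP still runs for every request to xmlrpc.php, so a busy site may additionally block that path at the web server or CDN; the plugin above is the part that works on any host.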

  10. Disable directory indexing and browsing.

The main reason to disable directory browsing is this: with it enabled, anyone can list the contents of your folders, and attackers use those listings to find files with known vulnerabilities, or simply to take images and data from your website.

Hence it is highly recommended to disable directory indexing and browsing.

You can do this by connecting over SFTP and adding the relevant directive (Options -Indexes on Apache) to the .htaccess file in your web root.

  11. Manage the database of your website.

When it comes to the database of your website, there are two important things you should do to protect it from hackers and spammers.

A] Change the WordPress database prefix.

By default, WordPress uses wp_ as the prefix for all the tables in its database.

Because of that, automated SQL injection scripts can assume the table names, which makes attacks on your database easier.

Change the prefix from wp_ to something custom, such as wpmynew_ or anything you like.

This reduces the chance of a successful attack on your website’s database.

Be careful while changing the prefix, as you are dealing with your website’s database, and a mistake can break your website. On an existing site this means renaming every table, updating $table_prefix in wp-config.php, and also fixing the rows in the options and usermeta tables whose names embed the old prefix (such as wp_user_roles and wp_capabilities), so take a full database backup first.

B] Use a strong name and password for your database.

Because the database is the core of your WordPress website, you need to be extra careful with the database username and password.

For example, if your website name is Healthy Foods, the default database name might be wp_healthyfoods.

Change the prefix wp_ to something custom like wpxatt4_, and the suffix healthyfoods to something like healthy55foods, or whatever you wish.

But avoid using the exact name of your website as your database name or password.

Make some changes to the name so that it is harder for an attacker to guess the database details of your website.

You can make these changes in the phpMyAdmin area of your hosting control panel.

  12. Disable file editing in the WordPress dashboard.

Disable the built-in code editor in the Appearance section of the WordPress dashboard.

This editor lets you edit the themes and plugins installed on your WordPress website directly from the browser.

If it falls into the wrong hands, for example through a compromised administrator account, it can be used to change the code and break the website, since it edits the back end of your website directly.

You can disable the theme and plugin editor with a single setting in the wp-config.php file.
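Here is what steps 8 and 12 (together with the SSL setting from step 4 and the custom table prefix from step 11) look like in one hardened wp-config.php, as an added example rather than the post’s own file. WordPress looks for wp-config.php in the web root and, failing that, one directory above it, so moving the file one level up needs no stub in public_html. The directory layout, the table prefix and every PLACEHOLDER value are assumptions; the constants are WordPress core’s.

```php
<?php
// wp-config.php, moved one directory ABOVE the web root, e.g.
//   /home/example/wp-config.php      <- this file (home directory is an assumption)
//   /home/example/public_html/       <- the WordPress install (ABSPATH)
// Added example, not the post's own file. WordPress itself looks here when no
// wp-config.php exists in the web root, so no stub is needed in public_html.
// Make sure nothing in this directory is served by any virtual host.

// Database connection. PLACEHOLDER values must be replaced with your own.
define('DB_NAME',     'PLACEHOLDER_DB_NAME');
define('DB_USER',     'PLACEHOLDER_DB_USER');
define('DB_PASSWORD', 'PLACEHOLDER_DB_PASSWORD');
define('DB_HOST',     'localhost');
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');

// Step 11 of the post: a custom table prefix instead of the default wp_.
// Only change this on an existing site after renaming the tables to match.
$table_prefix = 'wpxatt4_';

// Step 12 of the post: remove the theme and plugin code editors from the
// dashboard, so a hijacked administrator session cannot rewrite PHP files
// through the browser. Admins can still upload new themes and plugins.
define('DISALLOW_FILE_EDIT', true);

// Step 4 of the post: require HTTPS for the login page and the whole dashboard.
define('FORCE_SSL_ADMIN', true);

// Authentication unique keys and salts. Generate a fresh set from
// https://api.wordpress.org/secret-key/1.1/salt/ and paste it over these
// placeholders; changing them invalidates every existing login cookie.
define('AUTH_KEY',         'PLACEHOLDER_GENERATE_ME');
define('SECURE_AUTH_KEY',  'PLACEHOLDER_GENERATE_ME');
define('LOGGED_IN_KEY',    'PLACEHOLDER_GENERATE_ME');
define('NONCE_KEY',        'PLACEHOLDER_GENERATE_ME');
define('AUTH_SALT',        'PLACEHOLDER_GENERATE_ME');
define('SECURE_AUTH_SALT', 'PLACEHOLDER_GENERATE_ME');
define('LOGGED_IN_SALT',   'PLACEHOLDER_GENERATE_ME');
define('NONCE_SALT',       'PLACEHOLDER_GENERATE_ME');

// Never show PHP errors to visitors; they leak file paths and query fragments.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

// ABSPATH is normally defined by wp-load.php before this file is read. The
// guard only matters if this file is loaded some other way, and because the
// file no longer sits inside the install, it must point at public_html.
if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/public_html/');
}

require_once ABSPATH . 'wp-settings.php';
```

After moving the file, load a page to confirm the site still works, check that requesting /wp-config.php on your domain now returns a 404 rather than a blank page, and restrict the file’s permissions (for example 0600 or 0640) so other accounts on a shared host cannot read it.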

How to secure a WordPress website with a plugin.

Here is a quick overview of five things you can do to secure your WordPress website with plugins.

  1. Use two-factor authentication.
  2. Take backups with UpdraftPlus.
  3. Use security plugins.
  4. Manage the logins of your website.
  5. Automatically log idle users out of your site.

Let’s learn about these things in detail.

  1. Use two-factor authentication.

Two-factor authentication is an extra layer of protection added to your account, so that a password alone is not enough for someone else to log in.

With two-factor authentication enabled, the user has to pass an additional check each time they log in, by entering a one-time code sent by email or SMS, a code from an authenticator app, a hardware security key, or a biometric factor.

The benefits of two-factor authentication are:

  • increased security of your account;
  • reduced fraud, since a stolen password alone no longer gives access to your account; and
  • lower security costs with more flexibility and productivity.

Two-factor authentication also helps reduce and manage brute-force attacks, since guessing the password is no longer enough.

To get started, pick a two-factor authentication plugin for your WordPress website and follow its setup instructions.

  2. Take backups with UpdraftPlus.

Prevention is better than cure.

If you have a WordPress website, you must take backups of it yourself.

Whether or not your web hosting company backs up your website, you must take your own backups.

Here are a few reasons to back up your WordPress website:

  • Irrespective of how experienced you are, you will make technical mistakes while working on the website.
  • Your web hosting company’s servers might crash.
  • Your WordPress website can get hacked, and the attacker can damage your content and data.
  • You should not depend solely on your website hosting for backups.

To back up your website, I highly recommend the UpdraftPlus backup plugin.

This is the best and most trusted plugin for backing up WordPress websites.

Store the backups somewhere other than the web server itself (UpdraftPlus can send them to remote storage), so that a crashed or compromised server does not take your backups down with it.

  3. Use security plugins.

This is another big deal.

There are many security plugins, like Sucuri and Wordfence, that handle a lot of security-related tasks for your WordPress website, like:

  • user action logging,
  • multi-factor authentication,
  • malware scanning,
  • a WordPress security firewall,
  • IP whitelisting,
  • IP blacklisting,
  • file change logs,
  • monitoring DNS changes,
  • blocking malicious networks, and
  • updating the WordPress security keys.

Consider using one of these security plugins to enhance the security of your website.

One important feature you get with WordPress security plugins is an audit log of what users do after logging in to your WordPress dashboard.

If you run a multi-author website, this is a great tool to see what your users are doing, for example:

  • password changes,
  • theme and plugin changes and updates,
  • widget changes,
  • posts and file uploads, and
  • security changes and updates.

Many premium WordPress security plugins, like Wordfence, also protect against DDoS attacks, brute-force attacks, and many other attacks on your website.

  4. Manage logins.

When it comes to securing the login of your WordPress website, one of the most common techniques attackers use is the brute-force attack.

A brute-force attack tries a large number of combinations of common usernames and passwords against the login form in order to find one that works and get into the account.

To stop brute-force attacks, you need to manage two important things here.

A] Change the login URL.

It is very important to change your login URL from the default one to something custom.

If you leave the default login URL in place, it is easy for attackers to find the login page of your WordPress website and start a brute-force attack against it.

Changing the login URL makes it much harder for them to find the login page and start brute-force attacks on your website.

Consider using the plugin called WPS Hide Login to change the login URL of your website.

B] Limit the login attempts on your website.

Besides enabling two-factor authentication and changing the login URL, limiting login attempts is another good practice that reduces and manages brute-force attacks on your website.

Limiting the number of login attempts a user can make, say to 5, keeps your website safe from attackers who are trying to get in through brute force.

The limit can reset every 24 hours, but limiting login attempts is a great practice for reducing brute-force attacks.

You can use the Wordfence security plugin for this.
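To show what “limit to 5 attempts, reset after 24 hours” actually involves, here is a small must-use plugin, written as an added example and not taken from the original post or from Wordfence or any other plugin. It uses only WordPress core hooks (authenticate, wp_login_failed, wp_login) and transients; the file path and the constant values are assumptions.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Description: Added example for the post above; not Wordfence, WPS Hide
 * Login or any other plugin's code. Counts failed logins per client address
 * and per username, and refuses further attempts once either count reaches
 * the limit, until the window expires. Save as
 * wp-content/mu-plugins/limit-login-attempts.php (path is an assumption).
 */

const LLA_MAX_ATTEMPTS   = 5;      // the post's example threshold
const LLA_WINDOW_SECONDS = 86400;  // 24 hours, the post's reset period

// Option-safe transient name: the raw value is hashed so an oversized or
// hostile username cannot produce an invalid or colliding key.
function lla_key($scope, $value) {
    return 'lla_' . $scope . '_' . hash('sha256', strtolower((string) $value));
}

// Client address. REMOTE_ADDR is only meaningful when PHP talks to the client
// directly. Behind a proxy or CDN, use the address the proxy supplies, and
// only after verifying the request really came from that proxy (assumption:
// no proxy here, so forwarded headers are deliberately ignored).
function lla_client_ip() {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lla_is_locked($username) {
    $by_ip   = (int) get_transient(lla_key('ip', lla_client_ip()));
    $by_user = (int) get_transient(lla_key('user', $username));
    return $by_ip >= LLA_MAX_ATTEMPTS || $by_user >= LLA_MAX_ATTEMPTS;
}

// Priority 30 runs AFTER core's username/password check at priority 20.
// Core discards a WP_Error handed to it when both fields are filled in, so
// the lockout must be applied last to override even a correct password.
add_filter('authenticate', function ($user, $username) {
    if ($username !== '' && lla_is_locked($username)) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 2);

// Record every failure against both the address and the username, so one
// source guessing many accounts and many sources guessing one account are
// both counted. Each write renews the expiry, so the window slides while
// attempts continue and the counter disappears on its own afterwards.
add_action('wp_login_failed', function ($username) {
    foreach (['ip' => lla_client_ip(), 'user' => (string) $username] as $scope => $value) {
        $key = lla_key($scope, $value);
        set_transient($key, (int) get_transient($key) + 1, LLA_WINDOW_SECONDS);
    }
    // Leave a trace for later review (goes to the PHP error log by default).
    error_log(sprintf('[lla] failed login for "%s" from %s', $username, lla_client_ip()));
});

// A successful login clears the counters for that user and address.
add_action('wp_login', function ($user_login) {
    delete_transient(lla_key('user', $user_login));
    delete_transient(lla_key('ip', lla_client_ip()));
});
```

Two design points matter here. The lockout check runs at priority 30 because core’s own password check at priority 20 ignores a WP_Error passed to it when both fields are filled in, so a check at an earlier priority could be overridden by a correct guess. Counting per username as well as per address means an attacker rotating addresses is still slowed, at the cost that a flood of bad attempts against one account locks its real owner out for the window; that trade-off is why the window is bounded and why this belongs alongside two-factor authentication rather than in place of it.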

  5. Automatically log idle users out of your site.

If your WordPress website is managed by multiple authors and users, and especially if many of them have administrator roles, it is highly recommended to put this practice into action.

When users log in and then step away from the computer for a while, for work or a rest, other people can take the opportunity to get into the website, knowingly or not, and change important settings like passwords and posts, or mess with plugins and break your website, which can be risky or cause damage.

Hence it is always a good practice to use this method if your WordPress website is managed by many users, mainly those in administrator and editor roles, since these roles have the most permissions on the website.

You can use the plugin called Idle User Logout.

Install and activate it, configure a few settings, and you are done.
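For readers who want to see what such a plugin does under the hood, here is an added example of idle logout as a must-use plugin; it is not the Idle User Logout plugin’s code or the post’s. It records the time of each request per user in user meta and uses only WordPress core functions; the limits, capability checks and file path are assumptions.

```php
<?php
/**
 * Plugin Name: Idle Session Logout (added example)
 * Description: Added example for the post above; not the Idle User Logout
 * plugin's code. Stamps the time of each request a logged-in user makes and
 * ends the session when the gap since the previous request exceeds the limit
 * for that user's role. Save as wp-content/mu-plugins/idle-logout.php
 * (path is an assumption).
 */

// Idle limits in seconds. The values are assumptions; adjust to your policy.
function isl_idle_limit_for(WP_User $user) {
    // Administrators (manage_options) and editors (edit_others_posts) get the
    // short limit, because those roles can change settings and others' posts.
    if (user_can($user, 'manage_options') || user_can($user, 'edit_others_posts')) {
        return 15 * 60;
    }
    return 60 * 60;
}

add_action('init', function () {
    if (!is_user_logged_in()) {
        return;
    }
    // The Heartbeat API polls admin-ajax.php every few seconds while a
    // dashboard tab is merely open. Those polls must not count as activity,
    // or an unattended tab would keep the session alive indefinitely.
    if (wp_doing_ajax() && ($_REQUEST['action'] ?? '') === 'heartbeat') {
        return;
    }

    $user = wp_get_current_user();
    $now  = time();
    $last = (int) get_user_meta($user->ID, 'isl_last_activity', true);

    if ($last === 0 || ($now - $last) <= isl_idle_limit_for($user)) {
        // First request of the session, or recent activity: refresh the stamp.
        update_user_meta($user->ID, 'isl_last_activity', $now);
        return;
    }

    // Idle too long: clear the stamp (so the next login starts fresh), destroy
    // the auth cookies, and send the user back to the login form.
    delete_user_meta($user->ID, 'isl_last_activity');
    wp_logout();
    wp_safe_redirect(add_query_arg('isl_timeout', '1', wp_login_url()));
    exit;
});

// Explain the forced logout on the login form.
add_filter('login_message', function ($message) {
    if (isset($_GET['isl_timeout'])) {
        $message .= '<p class="message">'
            . esc_html__('You were signed out after a period of inactivity.')
            . '</p>';
    }
    return $message;
});

// An explicit logout also clears the stamp, so it cannot carry over.
add_action('wp_logout', function ($user_id = 0) {
    if ($user_id) {
        delete_user_meta((int) $user_id, 'isl_last_activity');
    }
});
```

The stamp is stored per user, not per browser session, so a user logged in on two devices shares one idle clock. A browser-side timer would additionally notice keyboard and mouse activity on a page that sends no requests, at the cost of needing JavaScript on every admin screen. Try it on a test account and confirm the redirect behaves before rolling it out to real administrators.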

Ending remarks.

There you go. I have answered everything related to how to secure a WordPress website with and without a plugin, in detail.

Do comment below with what else you think can be done to protect a WordPress website.

Share the blog with your family and friends if you found it helpful.

Sharing is caring.

Read my other blogs.

I will catch you next time. Till then,

Keep learning and keep growing.