Skip to main content

10 steps to make your Wordpress website secure

Rob Harris
Written by: Rob Harris
Length: 8 min read
Date: 30 Apr 2024

Looking to harden your Wordpress website security and prevent your website from being hacked? The following 10 steps will take less than an hour to implement, and are quick wins to put your mind at ease and keep those pesky hackers at bay. 

In this guide,, I’ll explain how the following security tips will help make your WordPress website more secure: 

  1. Install a SSL Certificate
  2. Keep things up to date
  3. Use a good hosting company
  4. Hide WordPress version
  5. Use latest PHP version
  6. Change the WordPress database prefix
  7. Add HTTP security headers
  8. Disable file editing in the WordPress dashboard
  9. Take daily backups
  10. Limit login attempts


1. Install a SSL Certificate

An SSL certificate is a must have in 2021, and the best thing is that they are free and easy to install. SSL stands for secure sockets layer, which means that all data sent from the users, such as payment details, is encrypted, so no hackers can intercept and view the data while being sent to the server. 

If you don’t have a SSL certificate installed most browsers will display warnings before you enter the website, stating that your connection will not be private. Also a red “not secure” notice will appear besides your domain name, next to the address bar within the browser. Most importantly, not having an SSL certificate installed on your website will affect your SEO rankings, meaning Google will punish your site by preventing it from showing up in the search results.Follow the link to find out more about what is an SSL certificate.


2. Keep things up to date

Since Wordpress is an open source platform, there are lots of 3rd party plugins and themes to choose from to enhance your site. However, each time you decide to install another plugin you are opening your website up to potential vulnerabilities and hacks as you’re relying on someone else’s code. 

Therefore, it is important to keep everything up to date on a regular basis, and as soon as fixes and improvements become available. I would recommend this is done monthly if you value your website's security, and depending on how many plugins you have installed you should see updates become available on a regular basis. 


3. Use a good hosting company

Your WordPress hosting provider plays a pivotal role in the security of your WordPress website. Using a managed hosting provider is the best approach as this means a lot of the technical requirements such as automated backups and managed security is taken care of for you. Also, if you do ever have a problem then a managed WordPress hosting provider will offer 24/7/365 support. Here at FINALLY, we personally use and recommend to all of our clients.

If you think paying more than £10 a month is expensive then please think again. I advise you to stay away from shared hosting as these are slower and have more downtime compared to a managed host. Also, with a shared host provider you are sharing a server with thousands of other websites meaning that if one of those gets hacked into, you too could find yourself in trouble if the hacker has got into the entire server.  


4. Hide WordPress version

By default WordPress generates a meta tag in the websites <head> section which discloses the WordPress version number of your website, as seen in the example below. 

<meta name="generator" content="WordPress 5.7.2" />

Every time WordPress updates and fixes bugs, all of the changes are noted in detailed reports which means anyone can know which security bug affects which version of WordPress. This means that hackers know exactly what kind of attack to use on your website if your WordPress version is freely displayed and is why it’s very important to hide your version number on your WordPress website. 

To remove the WordPress version number from your website, simply add the following code to your functions.php file.

function remove_wordpress_version() {

return '';


add_filter('the_generator', 'remove_wordpress_version');


5. Use latest PHP version

WordPress is built on PHP which is a coding language, and its version is set at the server level by your hosting company. In point 2, I suggested that you keep your themes and plugins up to date but it is also important to keep your PHP version up to date too. There are two main benefits of keeping your PHP version up to date each year:

  •  Your website will be faster.
  •  More importantly, it will be more secure as the latest versions will have the latest security features. 


6. Change the WordPress database prefix

Your WordPress database is the brain of your website and is where all of your information and content is stored; everything is logged within it, so it’s important to protect it. Due to this, it is a hackers favourite target to run automated codes for SQL injections. This means that a mass attack is created targeting the default prefix “wp_” as not many sites change the database prefix from it’s default value, making it an easy route in. 

To change your database prefix you just need to edit the table prefix value found within your wp-config.php file.

$table_prefix = 'wp_';


7. Add HTTP security headers

Your web browser supports many HTTP security headers which can improve your website security against clickjacking, cross-site scripting, XSS attacks and other common attacks.  

To implement this for your Wordpress website copy, paste the code snippet below into your functions.php file within your theme.

add_action('send_headers', function(){

// X-Frame-Options
header('X-Frame-Options: SAMEORIGIN');

// Content Security Policy (CSP)
header('Content-Security-Policy: default-src \'self\' \'unsafe-inline\' \'unsafe-eval\' https: data:');

// X-XSS-Protection
header('X-XSS-Protection: 1; mode=block');

// Prevent MIME-Type Sniffing
header('X-Content-Type-Options: nosniff');

// Referrer-Policy
header("Referrer-Policy: no-referrer-when-downgrade");

//HTTP Strict Transport Security (HSTS)
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");

// Permissions-Policy
header('Permissions-Policy: microphone=()');

}, 1);


8. Disable file editing in the WordPress dashboard

Within the WordPress admin area there are two file editors for theme files. One is under Appearance > Theme Editor, and the other is an editor for plugin files at Plugins > Plugin Editor. Both of these are enabled by default, and it is common practice to disable these as soon as possible. 

The reason to disable this feature is because if an attacker gets access to an “Administrator” account on your WordPress site, and if a file editor is available, then it’s easy for that attacker to change a plugin or theme with malicious code. 

To disable the file editor edit your wp-config.php file and add the following line:

define( 'DISALLOW_FILE_EDIT', true );

Save the file and check your WordPress dashboard to see if you can no longer see the option to edit the files with the WordPress admin area. 


9. Take daily backups

Creating backups for your website ensures that if the worst were to happen, you would still have a recent version of your website stored all safe and secure, ready for it to be relaunched. A backup is essentially a copy of your website data, such as files, content, images, and databases. 

There are multiple ways to backup your website, these include:

  • A dedicated backup service such as CodeGuard or Sucuri, which, at a price, does the work for you.
  • Enable backups with your hosting provider - most web hosts include backups in their plans or as an optional extra. A personal recommendation would be and if you ever need to rollback your website to a previous version, it can be automatically done by a click of a button. 
  • A WordPress plugin such as UpdraftPlus or Jetpack. An easy method to install a chosen plugin and manage your own backup preferences.

Whichever method you choose, make sure they are off-site backups, which are done automatically on a regular basis.


10. Limit login attempts

Ever forgotten your password, failed 3 attempts, and  been locked out for a set period of time? It’s common practice for most login areas to set a limit on the number of login attempts, so why not do the same for your website login area. The purpose of this is to stop brute force attacks from happening, which are bots that constantly try multiple password combinations until eventually they find one that works. 

To limit the number of login attempts on your WordPress website we recommend installing the Limit Login Attempts Reloaded plugin which has over 1 million active installations - This will help block those bots from trying to brute force their way into your WordPress admin area. 

By implementing these 10 quick security tips, you should now be protected against the most common vulnerabilities within the WordPress ecosystem. As always, we are here to help you further if you have any questions or need website support. Get in touch with our web team at FINALLY today!

Frame 158 (1)


Fill out the form and one of our team will reach back out to you soon. Alternatively, use the live chat to speak directly with us.

Millie Collier Marketing Manager