{"id":694,"date":"2017-02-22T00:00:00","date_gmt":"2017-02-22T00:00:00","guid":{"rendered":"http:\/\/blog.hostinger.io\/hostinger-tutorials\/uncategorized\/wordpresshow-to-secure-wordpress\/"},"modified":"2026-03-10T09:37:32","modified_gmt":"2026-03-10T09:37:32","slug":"how-to-secure-wordpress","status":"publish","type":"post","link":"\/ph\/tutorials\/how-to-secure-wordpress","title":{"rendered":"How to improve WordPress security: 22 methods to protect your website"},"content":{"rendered":"<p>WordPress is the most popular content management system (CMS), with 43.2% of all websites running on its software. Unfortunately, its popularity attracts all sorts of cybercriminals who exploit the platform&rsquo;s security vulnerabilities.<\/p><p>This doesn&rsquo;t mean that WordPress has a terrible security system, as security breaches can also happen due to the users&rsquo; lack of security awareness. Therefore, it&rsquo;s best to apply precautionary security measures before your website becomes a target for hackers.<\/p><p>We will discuss 22 methods to improve WordPress security and protect your site from various cyberattacks. The article will include best practices and tips, with or without WordPress plugins. Some methods are also applicable to platforms other than WordPress.<\/p><p class=\"has-text-align-center\"><a href=\"https:\/\/assets.hostinger.com\/content\/tutorials\/pdf\/WordPress-Security-Checklist.pdf\" target=\"_blank\" rel=\"noopener\">Download WordPress security checklist<\/a><\/p><h2 class=\"wp-block-heading\" id=\"h-how-to-secure-wordpress-website-video-tutorial\">How to secure a WordPress website &ndash; video tutorial<\/h2><p>No time to read? Find out more about WordPress security measures in our video tutorial instead. 
<\/p><figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"How to Secure WordPress Website | WordPress Security\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/-GOym_hALG4?start=1&amp;feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure><h2 class=\"wp-block-heading\" id=\"h-wordpress-security-checklist-and-additional-tips\">WordPress security checklist and additional tips<\/h2><p>Implementing one or two WordPress security measures 
won&rsquo;t be enough to make your WordPress website completely safe.<\/p><p>Download our <a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/WordPress-Security-Checklist.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">WordPress Security Checklist<\/a> to help track your progress in applying important security measures to your website. We also share some <a href=\"\/ph\/tutorials\/wordpress-security-checklist\">WordPress security tips<\/a> to help you protect your site further.<\/p><p><div class=\"protip\">\n                    <h2 class=\"featured-snippet title\">How to Secure Your WordPress Website?<\/h2>\n                    <p>1. Keep your site up to date.<br>\n2. Use secure wp-admin login credentials.<br>\n3. Set up a safelist and blocklist for the admin page.<br>\n4. Use a trusted WordPress theme.<br>\n5. Install an SSL certificate for secure data transfer.<br>\n6. Remove unused WordPress themes and plugins.<br>\n7. Enable two-factor authentication.<br>\n8. Create backups regularly.<br>\n9. Limit the number of failed login attempts.<br>\n10. Change your WordPress login page URL.<br>\n11. Automatically log out idle users.<br>\n12. Monitor user activity.<br>\n13. Regularly scan your site for malware.<br>\n14. Disable the PHP error reporting feature.<br>\n15. Migrate to a more secure web host.<br>\n16. Disable file editing.<br>\n17. Use .htaccess to disable PHP file execution and protect the wp-config.php file.<br>\n18. Change the default WordPress database prefix.<br>\n19. Disable the XML-RPC feature.<br>\n20. Hide your WordPress version.<br>\n21. Block hotlinking from other websites.<br>\n22. 
Manage file and folder permissions.<\/p>\n                <\/div>\n\n\n\n<\/p><h2 class=\"wp-block-heading\" id=\"h-general-best-practices-to-improve-website-security\">General best practices to improve website security<\/h2><p>In this section, we will go over six general WordPress security tips that don&rsquo;t require advanced technical knowledge and high-risk investments. Even a beginner will be able to do these simple tasks, like updating WordPress software and removing unused themes.<\/p><h3 class=\"wp-block-heading\" id=\"h-1-update-wordpress-version-regularly\">1. Update WordPress version regularly<\/h3><p>WordPress releases regular software updates to improve performance and security, protecting your site from cyber threats.&nbsp;<\/p><p><a href=\"\/ph\/tutorials\/how-to-update-wordpress\">Updating your WordPress version<\/a> is one of the simplest ways to improve WordPress security. However, <a href=\"https:\/\/wordpress.org\/about\/stats\/\" target=\"_blank\" rel=\"noopener\">35.3% of WordPress sites<\/a> are running on an older WordPress version, making them more vulnerable.<\/p><p>To check whether you have the latest WordPress version, <a href=\"\/ph\/tutorials\/wordpress\/how-to-login-to-wordpress-dashboard\">log in to your WordPress admin area<\/a> and navigate to <strong>Dashboard <\/strong>&rarr; <strong>Updates <\/strong>on the left menu panel. 
If it shows that your version is outdated, we recommend updating it as soon as possible.<\/p><div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/wordpress-updates-version.png\"><img decoding=\"async\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/wordpress-updates-version.png\" alt=\"WordPress version status in the Updates section\"><\/a><\/figure><\/div><p>We also recommend <a href=\"\/ph\/tutorials\/how-to-update-wordpress-theme\">updating the themes<\/a> and plugins installed on your WordPress site. Outdated themes and plugins may conflict with the newly updated WordPress core software, causing errors and making your site prone to security threats.<\/p><p>Automate updates to prevent running your website on outdated software. With <strong>WordPress auto-updates<\/strong>, Hostinger users can easily do so from the hPanel dashboard.<\/p><ol class=\"wp-block-list\">\n<li>Navigate to <strong>WordPress <\/strong>&rarr; <strong>Security<\/strong>.<\/li>\n\n\n\n<li>Go to the <strong>WordPress auto-updates<\/strong> section and select <strong>Smart auto-updates<\/strong>.<\/li>\n<\/ol><div class=\"wp-block-image\"><figure data-wp-context='{\"imageId\":\"69df6aa9d6a2c\"}' data-wp-interactive=\"core\/image\" class=\"aligncenter size-large wp-lightbox-container\"><img decoding=\"async\" width=\"1024\" height=\"375\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2021\/09\/hostinger-smart-auto-updates-options-1024x375.png\" alt=\"Hostinger's WordPress auto-updates feature with smart auto-updates and security updates only 
enabled\" class=\"wp-image-124803\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2021\/09\/hostinger-smart-auto-updates-options-1024x375.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2021\/09\/hostinger-smart-auto-updates-options-300x110.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2021\/09\/hostinger-smart-auto-updates-options-150x55.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2021\/09\/hostinger-smart-auto-updates-options-768x282.png 768w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2021\/09\/hostinger-smart-auto-updates-options-1536x563.png 1536w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2021\/09\/hostinger-smart-auto-updates-options-2048x751.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div><ol start=\"3\" class=\"wp-block-list\">\n<li>With the Customize panel open, choose your update preferences for WordPress core, themes, and plugins. 
Options for each are <strong>No updates<\/strong>, <strong>Security updates only<\/strong>, or <strong>All updates<\/strong>.<\/li>\n\n\n\n<li>Hit the <strong>Save<\/strong> button.<\/li>\n<\/ol><p><div class=\"editor\">\n                    <h4 class=\"title\">Expert Tip<\/h4>\n                    <p>Enabling automatic updates eases up your workload, but it can crash your website due to incompatibility with older plugins or themes. If you enable this option, make sure that your website is backed up regularly so that you can revert to the previous version in case of an error.<\/p>\n                    <div class=\"d-flex mt-40\">\n                        <div class=\"author-photo\">\n                            <img decoding=\"async\" src=\"https:\/\/secure.gravatar.com\/avatar\/3f8f936599ed4c2b54d7ab0936bd107b574c9b14778fa3dac31494176981201c?s=65&d=mm&r=g\" width=\"65\" height=\"65\" class=\"border-radius-50\" alt=\"Editor\" \/>\n                        <\/div>\n                        <div class=\"mt-auto mb-auto\">\n                            <p class=\"author-name\">Mantas S.<\/p>\n                            <p class=\"author-position\">Site Availability Engineer<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n\n\n\n<\/p><h3 class=\"wp-block-heading\" id=\"h-2-use-secure-wp-admin-login-credentials\">2. Use secure WP-Admin login credentials<\/h3><p>One of the most common mistakes users make is using easy-to-guess usernames, such as &ldquo;admin&rdquo;, &ldquo;administrator&rdquo;, or &ldquo;test&rdquo;. This puts your site at a higher risk of <a href=\"\/ph\/tutorials\/hacked-website\">brute force attacks<\/a>. 
Moreover, attackers also use this type of attack to target WordPress sites that don&rsquo;t have strong passwords.<\/p><p>Therefore, we recommend making your username and password unique and more complex.&nbsp;<\/p><p>Alternatively, follow these steps to create a new WordPress administrator account with a new username:<\/p><ol class=\"wp-block-list\">\n<li>From your WordPress Dashboard, navigate to <strong>Users<\/strong> &rarr; <strong>Add New<\/strong>.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-add-new-user.png\"><img decoding=\"async\" width=\"976\" height=\"807\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-add-new-user.png\" alt=\"Screenshot of WordPress' add new user prompt\" class=\"wp-image-43905\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-add-new-user.png 976w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-add-new-user-300x248.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-add-new-user-150x124.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-add-new-user-768x635.png 768w\" sizes=\"(max-width: 976px) 100vw, 976px\" \/><\/a><\/figure><ol start=\"2\" class=\"wp-block-list\">\n<li>Create a new user and assign it the <strong>Administrator<\/strong> role. Add a password and hit the <strong>Add New User<\/strong> button once you&rsquo;re done.<\/li>\n<\/ol><p>Incorporate numbers, symbols, and uppercase and lowercase letters into your password. We also recommend using more than 12 characters as longer passwords are way harder to crack.<\/p><p><div class=\"editor\">\n                    <h4 class=\"title\">Expert Tip<\/h4>\n                    <p>The longer password &ndash; the safer. 
However, strong passwords don&rsquo;t have to be long and complex &ndash; use special symbols and numbers instead of well-known letters. For example, 41@bAm@! instead of Alabama! is easy to recall and harder to crack. Alternatively, use a pattern on the keyboard instead of actual words, like qpzmwoxn. Additionally, mix these two to create a stronger password.<\/p>\n                    <div class=\"d-flex mt-40\">\n                        <div class=\"author-photo\">\n                            <img decoding=\"async\" src=\"https:\/\/secure.gravatar.com\/avatar\/1da34b24158c9f85a4527f1af7b568a8388c01222249d52eea960cd5f6d4463c?s=65&d=mm&r=g\" width=\"65\" height=\"65\" class=\"border-radius-50\" alt=\"Editor\" \/>\n                        <\/div>\n                        <div class=\"mt-auto mb-auto\">\n                            <p class=\"author-name\">Dominykas V.<\/p>\n                            <p class=\"author-position\">Cyber Security Specialist<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n\n\n\n<\/p><p>If you need help generating a strong password, use online tools like <a href=\"https:\/\/1password.com\/password-generator\/\" target=\"_blank\" rel=\"noopener\">1Password<\/a>. You can also use their password management services to store strong passwords safely. That way, you don&rsquo;t have to memorize them.<\/p><div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/1password-password-generator.png\"><img decoding=\"async\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/1password-password-generator.png\" alt=\"1Password password generator\"><\/a><\/figure><\/div><p>After creating a new WordPress admin username, you&rsquo;ll need to delete your old admin username. 
Here are the steps to do so:<\/p><ol class=\"wp-block-list\">\n<li>Log in with your newly created WordPress user credentials.<\/li>\n\n\n\n<li>Navigate to <strong>Users<\/strong> &rarr; <strong>All Users<\/strong>.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-users.png\"><img decoding=\"async\" width=\"1024\" height=\"284\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-users.png\" alt=\"Screenshot of WordPress' users tab\" class=\"wp-image-43907\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-users.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-users-300x83.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-users-150x42.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-users-768x213.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><ol start=\"3\" class=\"wp-block-list\">\n<li>Select the old admin account that you want to delete. Change the <strong>Bulk Actions<\/strong> dropdown menu to <strong>Delete<\/strong>, and click <strong>Apply<\/strong>.<\/li>\n<\/ol><p>To keep your site safe, it&rsquo;s also important to check the network before logging in. If you&rsquo;re unknowingly connected to a <a href=\"https:\/\/blazingseollc.com\/blog\/what-is-a-honeypot-trap\/\" target=\"_blank\" rel=\"noopener\">Hotspot Honeypot<\/a>, a network operated by hackers, you risk leaking login credentials to the operators.<\/p><p>Even public networks such as a school library&rsquo;s WiFi may not be as secure as it appears. 
Hackers can intercept your connection and steal unencrypted data, including login credentials.<\/p><p>For that reason, we recommend using a <a href=\"\/ph\/tutorials\/what-is-vpn\">VPN<\/a> when you connect to a public network. It provides a layer of encryption to the connection, making it harder to intercept data and protecting your online activities.<\/p><h3 class=\"wp-block-heading\" id=\"h-3-set-up-safelist-and-blocklist-for-the-admin-page\">3. Set up safelist and blocklist for the Admin page<\/h3><p>Enabling URL lockdown protects your login page from unauthorized IP addresses and brute force attacks. To do that, you need a <a href=\"\/ph\/tutorials\/firewall-for-wordpress\">web application firewall (WAF) service for WordPress<\/a>, such as Cloudflare or Sucuri.<\/p><p>Using Cloudflare, it&rsquo;s possible to configure a <a href=\"https:\/\/support.cloudflare.com\/hc\/en-us\/articles\/115001595131-Understanding-Cloudflare-Zone-Lockdown\" target=\"_blank\" rel=\"noopener\">zone lockdown rule<\/a>. It specifies the URLs you want to lock down and the IP range allowed to access these URLs. Anyone outside the specified IP range won&rsquo;t be able to access them.<\/p><p><div class=\"protip\">\n                    <h4 class=\"title\">Suggested reading<\/h4>\n                    <p>Looking for how to set up other rules on your CDN? Check out our guide to <a href=\"\/ph\/tutorials\/cloudflare-page-rules\">configuring Cloudflare page rules<\/a>.<\/p>\n                <\/div>\n\n\n\n<\/p><p>Sucuri has a similar feature called <a href=\"https:\/\/docs.sucuri.net\/website-firewall\/whitelist-and-blacklist\/blacklist-an-url-path\/\" target=\"_blank\" rel=\"noopener\">URL path blacklist<\/a>. First, you add the login page URL to the blocklist so that no one can access it. 
Then, you safelist authorized IP addresses to access the login page.<\/p><p>Alternatively, restrict access to your login page by configuring your site&rsquo;s <a href=\"\/ph\/tutorials\/create-default-wordpress-htaccess-file\"><strong>.htaccess<\/strong><\/a> file. Navigate to your root directory to access the file.<\/p><p>Before making any changes, we strongly advise you to back up the old <strong>.htaccess<\/strong> file. If anything goes wrong, you&rsquo;ll be able to restore your site easily.<\/p><p>Adding this rule to your <strong>.htaccess<\/strong> will limit access to your <strong>wp-login.php<\/strong> to only the IP addresses you list in place of the <strong>MYIP<\/strong> and <strong>MYIP2<\/strong> placeholders. Thus, attackers won&rsquo;t be able to reach your login page from other locations. Use only the block that matches your Apache version.<\/p><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># Use ONLY the block that matches your Apache version.\n# Replace MYIP and MYIP2 with the IP addresses allowed to log in.\n\n# Restrict wp-login.php to the listed IPs (Apache 2.2)\n&lt;Files \"wp-login.php\"&gt;\nOrder deny,allow\nDeny from all\nAllow from MYIP\nAllow from MYIP2\n&lt;\/Files&gt;\n\n# Restrict wp-login.php to the listed IPs (Apache 2.4)\n# Any address not matched by a Require ip line is denied.\n&lt;Files \"wp-login.php\"&gt;\nRequire ip MYIP\nRequire ip MYIP2\n&lt;\/Files&gt;<\/pre><p>This rule should be placed after the <strong># BEGIN WordPress<\/strong> and <strong># END WordPress<\/strong> statements, as shown below.<\/p><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-ip-restriction-code.png\"><img decoding=\"async\" width=\"397\" height=\"405\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-ip-restriction-code.png\" alt=\"Example of the WordPress IP restriction code in use\" class=\"wp-image-43908\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-ip-restriction-code.png 397w, 
https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-ip-restriction-code-294x300.png 294w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-ip-restriction-code-147x150.png 147w\" sizes=\"(max-width: 397px) 100vw, 397px\" \/><\/a><\/figure><p>This rule works even if you don&rsquo;t have a static IP, since you can restrict logins to your ISP&rsquo;s common IP range.<\/p><p>You can also use this rule to restrict other authenticated URLs, such as <strong>\/wp-admin<\/strong>.<\/p><p><div class=\"editor\">\n                    <h4 class=\"title\">Expert Tip<\/h4>\n                    <p>Note that blocklisting is effective only against known threats. Hackers can design malware specifically to evade detection by tools that use a blocklist system. While safelisting offers more robust security, it can also be more complex to implement, especially if you want a third party to do it &ndash; they will need information on all the applications you use.<\/p>\n                    <div class=\"d-flex mt-40\">\n                        <div class=\"author-photo\">\n                            <img decoding=\"async\" src=\"https:\/\/secure.gravatar.com\/avatar\/3f8f936599ed4c2b54d7ab0936bd107b574c9b14778fa3dac31494176981201c?s=65&d=mm&r=g\" width=\"65\" height=\"65\" class=\"border-radius-50\" alt=\"Editor\" \/>\n                        <\/div>\n                        <div class=\"mt-auto mb-auto\">\n                            <p class=\"author-name\">Mantas S.<\/p>\n                            <p class=\"author-position\">Site Availability Engineer<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n\n\n\n<\/p><h3 class=\"wp-block-heading\" id=\"h-4-use-trusted-wordpress-themes\">4. Use trusted WordPress themes<\/h3><p>Nulled WordPress themes are unauthorized copies of premium themes. 
They might seem cheap, but they have many security problems.<\/p><p>Most nulled themes are hacked versions of original themes. Hackers add harmful code, like malware and spam links. These themes can also create backdoors for more attacks on your WordPress site.<\/p><p>Since nulled themes are illegal, you won&rsquo;t get any support from the developers. If something goes wrong, you&rsquo;ll need to fix it yourself.<\/p><p>To stay safe, use themes from the official <a href=\"https:\/\/wordpress.org\/themes\/\" target=\"_blank\" rel=\"noopener\">WordPress repository<\/a> or trusted developers. You can also find many premium themes in reputable theme marketplaces like <strong>ThemeForest <\/strong>and <strong>Envato<\/strong>.<\/p><h3 class=\"wp-block-heading\" id=\"h-5-install-ssl-certificate\">5. Install SSL certificate<\/h3><p>Secure Sockets Layer (SSL) encrypts data exchanged between websites and visitors, enhancing security against data theft by attackers. Websites with an SSL certificate use <a href=\"\/ph\/tutorials\/http-vs-https\">HTTPS protocol<\/a> instead of HTTP, making them easy to identify.<\/p><p>Most hosting companies include SSL with their plans. Hostinger, for example, provides free lifetime Let&rsquo;s Encrypt SSL certificates on all its <a href=\"\/ph\/wordpress-hosting\">WordPress hosting<\/a> plans. 
Our users can check their SSL status via <strong>Websites <\/strong>&rarr; <strong>Security <\/strong>&rarr; <strong>SSL <\/strong>from the hPanel dashboard.<\/p><div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/hpanel-ssl.png\"><img decoding=\"async\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/hpanel-ssl-1024x186.png\" alt=\"SSL section in Hostinger's hPanel\"><\/a><\/figure><\/div><p>For non-Hostinger users, plugins like <a href=\"https:\/\/wordpress.org\/plugins\/really-simple-ssl\/\" target=\"_blank\" rel=\"noopener\">Really Simple SSL<\/a> or <a href=\"https:\/\/wordpress.org\/plugins\/ssl-insecure-content-fixer\/\" target=\"_blank\" rel=\"noopener\">SSL Insecure Content Fixer<\/a> can handle the technical aspects and SSL activation in a few clicks. The former&rsquo;s premium version lets you activate HTTP Strict Transport Security headers to enforce HTTPS usage on the site.<\/p><p>Once done, change your site&rsquo;s URL from HTTP to HTTPS. To do so, navigate to <strong>Settings <\/strong>&rarr; <strong>General <\/strong>and update the URLs in the <strong>WordPress Address <\/strong>and <strong>Site Address<\/strong> fields.<\/p><div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/wordpress-url.png\"><img decoding=\"async\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/wordpress-url-1024x376.png\" alt=\"WordPress General Settings, highlighting the URL fields\"><\/a><\/figure><\/div><h3 class=\"wp-block-heading\" id=\"h-6-remove-unused-wordpress-plugins-and-themes\">6. Remove unused WordPress plugins and themes<\/h3><p>Keeping unused plugins and themes on the site can be harmful, especially if the plugins and themes haven&rsquo;t been updated. 
Outdated plugins and themes increase the risk of cyberattacks as hackers can use them to gain access to your site.<\/p><p>Follow these steps to delete an unused WordPress plugin:<\/p><ol class=\"wp-block-list\">\n<li>Navigate to <strong>Plugins<\/strong> &rarr; <strong>Installed Plugins<\/strong>.<\/li>\n\n\n\n<li>You&rsquo;ll see the list of all installed plugins. Click <strong>Delete<\/strong> under the plugin&rsquo;s name.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-delete-plugins.png\"><img decoding=\"async\" width=\"1788\" height=\"326\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-delete-plugins.png\" alt=\"Screenshot showcasing the Delete plugin button\" class=\"wp-image-43911\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-plugins.png 1788w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-plugins-300x55.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-plugins-1536x280.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-plugins-150x27.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-plugins-768x140.png 768w\" sizes=\"(max-width: 1788px) 100vw, 1788px\" \/><\/a><\/figure><p>Note that the delete button will only be available after deactivating the plugin.<\/p><p>Meanwhile, here are the steps to <a href=\"\/ph\/tutorials\/wordpress-delete-theme\">delete an unused theme<\/a>:<\/p><ol class=\"wp-block-list\">\n<li>From your WordPress admin dashboard, go to <strong>Appearance<\/strong> &rarr; <strong>Themes<\/strong>.<\/li>\n\n\n\n<li>Click on the theme you want to delete.&nbsp;<\/li>\n\n\n\n<li>A pop-up window will appear, showing the theme details. 
Click the <strong>Delete<\/strong> button on the bottom-right corner.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-delete-theme.png\"><img decoding=\"async\" width=\"1024\" height=\"419\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-delete-theme.png\" alt=\"Screenshot showcasing the WordPress delete theme button\" class=\"wp-image-43912\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-theme.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-theme-300x123.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-theme-150x61.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-delete-theme-768x315.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><p>Hostinger users can manage installed plugins and themes from the hPanel dashboard. Go to <strong>Websites <\/strong>&rarr; <strong>WordPress <\/strong>&rarr; <strong>Security <\/strong>and scroll down to the <strong>Installed themes<\/strong> and <strong>Installed plugins<\/strong>. 
Click on the trash can icon to remove inactive add-ons.<\/p><div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/hpanel-themes.png\"><img decoding=\"async\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/hpanel-themes-1024x389.png\" alt=\"Themes section in Hostinger's hPanel\"><\/a><\/figure><\/div><p><div class=\"editor\">\n                    <h4 class=\"title\">Expert Tip<\/h4>\n                    <p>When deleting a popular WordPress plugin or theme from your WordPress dashboard, you might not have the option to use a custom uninstaller, where you can choose to completely remove all of the data regarding that plugin or theme. In this case, you&rsquo;ll need to do it via an FTP client by accessing your database and removing the plugin or theme entries manually.<\/p>\n                    <div class=\"d-flex mt-40\">\n                        <div class=\"author-photo\">\n                            <img decoding=\"async\" src=\"https:\/\/secure.gravatar.com\/avatar\/3f8f936599ed4c2b54d7ab0936bd107b574c9b14778fa3dac31494176981201c?s=65&d=mm&r=g\" width=\"65\" height=\"65\" class=\"border-radius-50\" alt=\"Editor\" \/>\n                        <\/div>\n                        <div class=\"mt-auto mb-auto\">\n                            <p class=\"author-name\">Mantas S.<\/p>\n                            <p class=\"author-position\">Site Availability Engineer<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n\n\n\n<\/p><h2 class=\"wp-block-heading\" id=\"h-how-to-utilize-wordpress-security-plugins\">How to utilize WordPress security plugins<\/h2><p>The next method to improve WordPress security is by using WordPress plugins.<\/p><p>It&rsquo;s a convenient way to protect your website, but remember not to install all of these plugins at once without further consideration since <a 
href=\"\/ph\/tutorials\/how-many-plugins-are-too-many\">too many plugins<\/a> can slow down your site.&nbsp;<\/p><p>First, identify your needs to choose the most effective plugins for your website.<\/p><h3 class=\"wp-block-heading\" id=\"h-1-enable-two-factor-authentication-for-wp-admin\">1. Enable two-factor authentication for WP-Admin<\/h3><p>Activate <a href=\"\/ph\/tutorials\/wordpress-two-factor-authentication\">two-factor authentication (2FA)<\/a><strong> <\/strong>to reinforce the login process on your WordPress website. This authentication method adds a second layer of WordPress security to the login page, as it requires you to input a unique code to complete the login process.<\/p><p>The code is available only to you via a text message or a third-party authentication app.<\/p><p>To apply 2FA on your WordPress site, install a login security plugin like <a href=\"https:\/\/wordpress.org\/plugins\/wordfence-login-security\/\" target=\"_blank\" rel=\"noopener\">Wordfence Login Security<\/a>. 
Additionally, you&rsquo;ll need to install a third-party authentication app such as <a href=\"https:\/\/support.google.com\/accounts\/answer\/1066447\" target=\"_blank\" rel=\"noopener\">Google Authenticator<\/a> on your mobile phone.<\/p><p><div class=\"editor\">\n                    <h4 class=\"title\">Expert Tip<\/h4>\n                    <p>If you&rsquo;re not sure which two-factor authentication plugin to use, choose the most frequently updated and reviewed one.<\/p>\n                    <div class=\"d-flex mt-40\">\n                        <div class=\"author-photo\">\n                            <img decoding=\"async\" src=\"https:\/\/secure.gravatar.com\/avatar\/1da34b24158c9f85a4527f1af7b568a8388c01222249d52eea960cd5f6d4463c?s=65&d=mm&r=g\" width=\"65\" height=\"65\" class=\"border-radius-50\" alt=\"Editor\" \/>\n                        <\/div>\n                        <div class=\"mt-auto mb-auto\">\n                            <p class=\"author-name\">Dominykas V.<\/p>\n                            <p class=\"author-position\">Cyber Security Specialist<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n\n\n\n<\/p><p>Once you have installed the plugin and the authentication app, follow these steps to enable two-factor authentication:<\/p><ol class=\"wp-block-list\">\n<li>Go to the plugin page on your WordPress admin. 
If you&rsquo;re using Wordfence Login Security, navigate to the <strong>Login Security<\/strong> menu on the left menu panel.<\/li>\n\n\n\n<li>Open the <strong>Two-Factor Authentication<\/strong> tab.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-two-factor-authentication.png\"><img decoding=\"async\" width=\"1130\" height=\"758\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-two-factor-authentication.png\" alt=\"Screenshot of the WordPress two-factor authentication screen\" class=\"wp-image-43913\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-two-factor-authentication.png 1130w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-two-factor-authentication-300x201.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-two-factor-authentication-1024x687.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-two-factor-authentication-150x101.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-two-factor-authentication-768x515.png 768w\" sizes=\"(max-width: 1130px) 100vw, 1130px\" \/><\/a><\/figure><ol start=\"3\" class=\"wp-block-list\">\n<li>Use the app on your mobile phone to scan the QR code or enter the activation key.<\/li>\n\n\n\n<li>Enter the code generated on your mobile phone app to the available field under the recovery codes section.<\/li>\n\n\n\n<li>Click the <strong>ACTIVATE<\/strong> button to complete the setup.<\/li>\n<\/ol><p>Also, download the provided recovery codes in case you lose access to the device that contains the authentication app.<\/p><h3 class=\"wp-block-heading\" id=\"h-2-back-up-wordpress-regularly\">2. 
Back up WordPress regularly<\/h3><p><a href=\"\/ph\/tutorials\/backup-wordpress\">Regularly creating a WordPress site backup<\/a> is an important mitigation task because it will help you recover your site after incidents, such as cyberattacks or physical damage to the data center.<\/p><p>The backup file should include your entire WordPress installation files, like your database and the WordPress core files.<\/p><p>With WordPress, backing up a site can be done using a plugin like <a href=\"https:\/\/wordpress.org\/plugins\/all-in-one-wp-migration\/\" target=\"_blank\" rel=\"noopener\">All-in-One WP Migration<\/a>. Follow these steps to create a backup file with this plugin:<\/p><ol class=\"wp-block-list\">\n<li>Install and activate the plugin.<\/li>\n\n\n\n<li>Navigate to the <strong>All-in-One WP Migration<\/strong> menu at the left menu panel.&nbsp;<\/li>\n\n\n\n<li>Select <strong>Backups<\/strong>.<\/li>\n\n\n\n<li>Click <strong>Create Backup<\/strong>.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-create-backup.png\"><img decoding=\"async\" width=\"578\" height=\"208\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-create-backup.png\" alt=\"Screenshot showcasing the WordPress Create Backup button\" class=\"wp-image-43914\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-create-backup.png 578w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-create-backup-300x108.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-create-backup-150x54.png 150w\" sizes=\"(max-width: 578px) 100vw, 578px\" \/><\/a><\/figure><ol start=\"5\" class=\"wp-block-list\">\n<li>Once the backup is created, it will appear in a list on the <strong>Backups<\/strong> page.&nbsp;<\/li>\n<\/ol><figure class=\"wp-block-image 
size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-backups-list.png\"><img decoding=\"async\" width=\"1139\" height=\"285\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-backups-list.png\" alt=\"Screenshot of the WordPress backups list\" class=\"wp-image-43915\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-backups-list.png 1139w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-backups-list-300x75.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-backups-list-1024x256.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-backups-list-150x38.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-backups-list-768x192.png 768w\" sizes=\"(max-width: 1139px) 100vw, 1139px\" \/><\/a><\/figure><ol start=\"6\" class=\"wp-block-list\">\n<li>Download and save the backup to the storage. To do so, go to <strong>All-in-One WP Migration<\/strong> &rarr; <strong>Export<\/strong>.<\/li>\n\n\n\n<li>Click the <strong>EXPORT TO<\/strong> drop-down menu, select <strong>File<\/strong>. 
This will generate a backup for your site.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-export-site.png\"><img decoding=\"async\" width=\"1065\" height=\"354\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-export-site.png\" alt=\"Screenshot of the WordPress export site functionality\" class=\"wp-image-43916\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-export-site.png 1065w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-export-site-300x100.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-export-site-1024x340.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-export-site-150x50.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-export-site-768x255.png 768w\" sizes=\"(max-width: 1065px) 100vw, 1065px\" \/><\/a><\/figure><ol start=\"8\" class=\"wp-block-list\">\n<li>Once the process is complete, click the download link and save your site backup to designated safe storage, preferably not a location on the same server as your website. This is because backups stored on your web server are publicly accessible, making them vulnerable to cyberattacks.<\/li>\n<\/ol><p>In case of an incident, you can restore your WordPress site using All-in-One WP Migration&rsquo;s importing tool.&nbsp;<\/p><p>Hostinger includes a user-friendly backup feature on the hPanel dashboard with all hosting plans. 
Navigate to <strong>Websites <\/strong>&rarr; <strong>Files <\/strong>&rarr; <strong>Backups <\/strong>to manage your backups, including generating a new one and restoring an old version.<\/p><p>Users on the <strong>WordPress Business<\/strong> hosting plan and higher can also benefit from built-in daily backups.<\/p><div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/hpanel-backup.png\"><img decoding=\"async\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/06\/hpanel-backup-1024x587.png\" alt=\"The Backup feature in Hostinger's hPanel\"><\/a><\/figure><\/div><p><div class=\"editor\">\n                    <h4 class=\"title\">Expert Tip<\/h4>\n                    <p>I wouldn&rsquo;t recommend storing website backups on a personal computer. Instead, use storage applications like Google Drive. But if you decide to do so, the best way would be to store it in at least three locations, such as your computer, a USB flash drive, and an external storage like Dropbox.<\/p>\n                    <div class=\"d-flex mt-40\">\n                        <div class=\"author-photo\">\n                            <img decoding=\"async\" src=\"https:\/\/secure.gravatar.com\/avatar\/3f8f936599ed4c2b54d7ab0936bd107b574c9b14778fa3dac31494176981201c?s=65&d=mm&r=g\" width=\"65\" height=\"65\" class=\"border-radius-50\" alt=\"Editor\" \/>\n                        <\/div>\n                        <div class=\"mt-auto mb-auto\">\n                            <p class=\"author-name\">Mantas S.<\/p>\n                            <p class=\"author-position\">Site Availability Engineer<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n\n\n\n<\/p><h3 class=\"wp-block-heading\" id=\"h-3-limit-login-attempts\">3. Limit login attempts<\/h3><p>WordPress allows its users to make an unlimited number of login attempts on the site. 
Unfortunately, hackers can brute force their way to your WordPress admin area by using various password combinations until they find the right one.<\/p><p>Thus, you should limit login attempts to prevent such attacks on the website. Limiting failed attempts also helps monitor any suspicious activities on your site.<\/p><p>Most users only need a single try or a few failed attempts, so you should be suspicious of any questionable IP addresses that reach the attempt limit.<\/p><p>One way to limit the login attempts in order to increase WordPress security is by using a plugin. There are many great options available, such as:<\/p><ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/limit-login-attempts-reloaded\/\" target=\"_blank\" rel=\"noopener\">Limit Login Attempts Reloaded<\/a> &ndash; configures the number of failed attempts for specific IP addresses, adds users to the safelist or blocks them entirely, and informs website users about the remaining lockout time.<\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/loginizer\/\" target=\"_blank\" rel=\"noopener\">Loginizer<\/a> &ndash; offers login security features such as 2FA, <a href=\"\/ph\/tutorials\/what-is-recaptcha\">reCAPTCHA<\/a>, and login challenge questions.<\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/limit-attempts\/\" target=\"_blank\" rel=\"noopener\">Limit Attempts by BestWebSoft<\/a> &ndash; automatically blocks IP addresses that reach the login attempt limit and adds them to a deny list.<\/li>\n<\/ul><p>One of the risks of implementing this WordPress security measure is getting a legitimate user locked out of WordPress admin. However, you shouldn&rsquo;t be worried about that, as there are many ways to <a href=\"\/ph\/tutorials\/fix-locked-out-of-wordpress-admin-issue\">recover locked-out WordPress accounts<\/a>.<\/p><h3 class=\"wp-block-heading\" id=\"h-4-change-the-wordpress-login-page-url\">4. 
Change the WordPress login page URL<\/h3><p>To go a step further in protecting your website from brute force attacks, consider changing the login page&rsquo;s URL.<\/p><p>All WordPress websites have the same default login URL &ndash; <strong>yourdomain.com\/wp-admin<\/strong>. Using the default login URL makes it easy for hackers to target your login page.<\/p><p>Plugins like <a href=\"https:\/\/wordpress.org\/plugins\/wps-hide-login\/\" target=\"_blank\" rel=\"noopener\">WPS Hide Login<\/a> and <a href=\"https:\/\/wordpress.org\/plugins\/change-wp-admin-login\/\" target=\"_blank\" rel=\"noopener\">Change wp-admin Login<\/a> enable custom login URL settings.&nbsp;<\/p><p>If you use the WPS Hide Login plugin, here are the steps to change your WordPress login page URL:<\/p><ol class=\"wp-block-list\">\n<li>On your dashboard, go to <strong>Settings<\/strong> &rarr; <strong>WPS Hide Login<\/strong>.<\/li>\n\n\n\n<li>Fill in the <strong>Login URL<\/strong> field with your custom login URL.<\/li>\n\n\n\n<li>Click the <strong>Save Changes<\/strong> button to finish the process.<\/li>\n<\/ol><h3 class=\"wp-block-heading\" id=\"h-5-log-idle-users-out-automatically-nbsp\">5. Log idle users out automatically&nbsp;<\/h3><p>Many users forget to log out of the website and leave their sessions running. This lets someone else who uses the same device access their user accounts and potentially exploit confidential data. This especially applies to users who use public computers in internet cafes or public libraries.<\/p><p>Therefore, it&rsquo;s crucial to configure your WordPress website to log inactive users out automatically. 
Most banking sites use this technique to prevent unauthorized visitors from accessing their sites, ensuring that their clients&rsquo; data is safe.<\/p><p>Using a WordPress security plugin like <a href=\"https:\/\/wordpress.org\/plugins\/inactive-logout\/\" target=\"_blank\" rel=\"noopener\">Inactive Logout<\/a> is one of the easiest ways to log out idle user accounts automatically. Aside from terminating idle sessions, this plugin can also send a custom message to alert idle users that their website session will end soon.<\/p><h3 class=\"wp-block-heading\" id=\"h-6-monitor-user-activity\">6. Monitor user activity<\/h3><p>Identify any unwanted or malicious actions that put your website in danger by tracking activities in your admin area.&nbsp;<\/p><p>We recommend this method for those who have multiple users or authors accessing their WordPress website. That&rsquo;s because users may change settings that they should not, like altering themes or configuring plugins.<\/p><p>By monitoring their activities, you will know who is responsible for those unwanted changes and if an unauthorized person has breached your WordPress website.<\/p><p>The easiest way to track user activity is by using a WordPress plugin, such as:<\/p><ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/wp-security-audit-log\/\" target=\"_blank\" rel=\"noopener\">WP Activity Log<\/a> &ndash; monitors changes on multiple website areas, including posts, pages, themes, and plugins. 
It also logs newly added files, deleted files, and modifications to any file.<\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/aryo-activity-log\/\" target=\"_blank\" rel=\"noopener\">Activity Log<\/a> &ndash; monitors various activities on your WordPress admin panel and lets you set rules for email notifications.<\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/simple-history\/\" target=\"_blank\" rel=\"noopener\">Simple History<\/a> &ndash; in addition to recording activity log on WordPress admin, it supports multiple third-party plugins like <a href=\"https:\/\/wordpress.org\/plugins\/jetpack\/\" target=\"_blank\" rel=\"noopener\">Jetpack<\/a>, <a href=\"https:\/\/wordpress.org\/plugins\/wp-crontrol\/\" target=\"_blank\" rel=\"noopener\">WP Crontrol<\/a>, and <a href=\"https:\/\/wordpress.org\/plugins\/beaver-builder-lite-version\/\" target=\"_blank\" rel=\"noopener\">Beaver Builder<\/a>, recording all activity related to them.<\/li>\n<\/ul><h3 class=\"wp-block-heading\" id=\"h-7-check-for-malware\">7. Check for malware<\/h3><p>The AV-TEST Institute registers over <a href=\"https:\/\/www.av-test.org\/en\/statistics\/malware\/\" target=\"_blank\" rel=\"noopener\">450,000 new malware<\/a> and potentially unwanted applications (PUA) every day. 
Some malware is even polymorphic, meaning it can modify itself to avoid security detection.<\/p><p>Thus, it&rsquo;s crucial to regularly <a href=\"\/ph\/tutorials\/wordpress-malware-removal\">scan your WordPress site for malware<\/a> since attackers always develop new types of threats.<\/p><p>Fortunately, many great <a href=\"\/ph\/tutorials\/wordpress-malware-scanner-plugins\">WordPress malware scanner plugins<\/a> can check for malicious software and improve WordPress security.<\/p><p>Our experts recommend these <a href=\"\/ph\/tutorials\/wordpress-security-plugins\">security plugins<\/a> to install on your site:<\/p><ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/wordpress.org\/plugins\/wordfence\/\" target=\"_blank\" rel=\"noopener\">Wordfence<\/a> &ndash; a popular WordPress security plugin with real-time malware signature updates and alert notifications that inform you if another site has blocklisted yours for suspicious activity.<\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/bulletproof-security\" target=\"_blank\" rel=\"noopener\">BulletProof Security<\/a> &ndash; helps secure your WordPress website with an idle session logout feature, hidden plugin folders that aren&rsquo;t visible in the WordPress plugins section, and database backup and restoration tools.<\/li>\n\n\n\n<li><a href=\"https:\/\/wordpress.org\/plugins\/sucuri-scanner\" target=\"_blank\" rel=\"noopener\">Sucuri Security<\/a> &ndash; one of the best security plugins on the market, offering various SSL certificates, remote malware scanning, and post-hack security action features.<\/li>\n<\/ul><p><div class=\"editor\">\n                    <h4 class=\"title\">Expert Tip<\/h4>\n                    <p>If your WordPress website is infected with malware, follow these key points:<br>\n1. Be sure to always have your wp-admin area accessible, perform a scan, and get rid of the malware.<br>\n2. 
Make sure that your plugins, themes, and WordPress core software are up to date.<br>\n3. Check for vulnerabilities in your database to see if your plugins or themes are listed there as a risk. <\/p>\n                    <div class=\"d-flex mt-40\">\n                        <div class=\"author-photo\">\n                            <img decoding=\"async\" src=\"https:\/\/secure.gravatar.com\/avatar\/3f8f936599ed4c2b54d7ab0936bd107b574c9b14778fa3dac31494176981201c?s=65&d=mm&r=g\" width=\"65\" height=\"65\" class=\"border-radius-50\" alt=\"Editor\" \/>\n                        <\/div>\n                        <div class=\"mt-auto mb-auto\">\n                            <p class=\"author-name\">Mantas S.<\/p>\n                            <p class=\"author-position\">Site Availability Engineer<\/p>\n                        <\/div>\n                    <\/div>\n                <\/div>\n\n\n\n<\/p><h2 class=\"wp-block-heading\" id=\"h-how-to-secure-wordpress-without-using-plugins\">How to secure WordPress without using plugins<\/h2><p>It&rsquo;s also possible to enhance your website security without using plugins. Most of these tasks will involve tweaking your site&rsquo;s code, but no need to worry &ndash; we&rsquo;ll show you how to do it step by step.<\/p><h3 class=\"wp-block-heading\" id=\"h-1-disable-php-error-reporting\">1. 
Disable PHP error reporting<\/h3><p>PHP error reporting displays full information about your website&rsquo;s paths and file structure, making it a great feature for monitoring your site&rsquo;s PHP scripts.&nbsp;<\/p><p>However, showing your website&rsquo;s vulnerabilities on the backend is a serious WordPress security flaw.<\/p><p>For example, if an error message reveals the specific plugin in which the error occurred, cybercriminals could exploit that plugin&rsquo;s vulnerabilities.&nbsp;<\/p><p>There are two ways to disable PHP error reporting &ndash; via the PHP file or your hosting account&rsquo;s control panel.<\/p><p><strong>Modifying the PHP File<\/strong><\/p><p>Follow these steps to modify your PHP file:<\/p><ol class=\"wp-block-list\">\n<li>Open your site&rsquo;s <strong>wp-config.php<\/strong> file using an FTP client such as <a href=\"\/ph\/tutorials\/ftp\/filezilla-ftp-configuration\">FileZilla<\/a> or your hosting provider&rsquo;s File Manager.<\/li>\n\n\n\n<li>Add the following code snippet to the file. Make sure to add it before any other PHP directive.<\/li>\n<\/ol><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ Turn off PHP error reporting and keep errors out of page output.\nerror_reporting(0);\n@ini_set('display_errors', 0);<\/pre><ol start=\"3\" class=\"wp-block-list\">\n<li>Click <strong>Save<\/strong> to apply the change.<\/li>\n<\/ol><p><strong>Changing PHP settings using the control panel<\/strong><\/p><p>If you don&rsquo;t want to code, disable the PHP error reporting via your hosting provider&rsquo;s control panel. Here&rsquo;s how to do so via <a href=\"\/support\/1583483-comprehensive-guide-to-hpanel-at-hostinger\/\">hPanel<\/a>:<\/p><ol class=\"wp-block-list\">\n<li>From your hPanel dashboard, navigate to the <strong>Advanced<\/strong> section. 
Then, click <strong>PHP Configuration<\/strong>.<\/li>\n\n\n\n<li>Go to the <strong>PHP Options<\/strong> tab, uncheck the <strong>displayErrors<\/strong> option.<\/li>\n<\/ol><div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/03\/hpanel-advanced-phpconfigurations-displayErrors.png\"><img decoding=\"async\" width=\"1122\" height=\"578\" src=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/03\/hpanel-advanced-phpconfigurations-displayErrors.png\" alt=\"The displayErrors option in hPanel's PHP options menu\" class=\"wp-image-80627\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/03\/hpanel-advanced-phpconfigurations-displayErrors.png 1122w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/03\/hpanel-advanced-phpconfigurations-displayErrors-300x155.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/03\/hpanel-advanced-phpconfigurations-displayErrors-1024x528.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/03\/hpanel-advanced-phpconfigurations-displayErrors-150x77.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/03\/hpanel-advanced-phpconfigurations-displayErrors-768x396.png 768w\" sizes=\"(max-width: 1122px) 100vw, 1122px\" \/><\/a><\/figure><\/div><ol start=\"3\" class=\"wp-block-list\">\n<li>Click <strong>Save<\/strong>.<\/li>\n<\/ol><h3 class=\"wp-block-heading\" id=\"h-2-migrate-to-a-more-secure-web-host\">2. Migrate to a more secure web host<\/h3><p>Multiple WordPress security measures won&rsquo;t matter much if the hosting environment is prone to cyberattacks. 
Your hosting provider should guarantee a safe space for all your website data and files on their server, so it&rsquo;s critical to choose the one that has an excellent security level.<\/p><p>If you think your current web hosting company is not secure enough, it&rsquo;s time to <a href=\"\/ph\/tutorials\/how-to-migrate-wordpress\">migrate your WordPress website<\/a> to a new hosting platform. Here&rsquo;s what you need to consider when searching for a secure web host:<\/p><ul class=\"wp-block-list\">\n<li><strong>Type of web hosting <\/strong>&ndash; shared and WordPress hosting types tend to be more vulnerable to cyberattacks than other types of hosting due to resource sharing. Select a web host that also offers <a href=\"\/ph\/vps-hosting\">VPS services<\/a> or dedicated hosting to isolate your resources.<\/li>\n\n\n\n<li><strong>Security <\/strong>&ndash; a good hosting provider monitors its network for suspicious activity and periodically updates its server software and hardware. They also need to have server security and protection against all types of cyberattacks.<\/li>\n\n\n\n<li><strong>Features <\/strong>&ndash;<strong> <\/strong>regardless of the hosting type, having automatic backups and security tools for preventing malware is a must-have feature to safeguard your WordPress site. In the worst-case scenario, you will be able to use it to restore a compromised website.<\/li>\n\n\n\n<li><strong>Support <\/strong>&ndash; choosing a hosting company with a 24\/7 <a href=\"https:\/\/support.hostinger.com\/\" target=\"_blank\" rel=\"noopener\">support team<\/a> with excellent technical knowledge is essential. 
They will help you protect your data and tackle any technical and safety problems that may occur.<\/li>\n<\/ul><p>Hostinger&rsquo;s WordPress hosting offers the essential resources and features needed to protect your WordPress website, such as a web application firewall and a malware scanner like <a href=\"http:\/\/monarx.com\" target=\"_blank\" rel=\"noopener\">Monarx<\/a>. We also provide virtual private servers and <a href=\"\/ph\/cloud-hosting\">cloud hosting service<\/a> if you prefer to keep resources isolated.<\/p><figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.trustpilot.com\/reviews\/6453d9fec10c1f62ec0718c8\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" width=\"1024\" height=\"472\" src=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/08\/WP-Price-1024x472.png\" alt=\"\" class=\"wp-image-91640\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/08\/WP-Price.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/08\/WP-Price-300x138.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/08\/WP-Price-150x69.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/08\/WP-Price-768x354.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><h3 class=\"wp-block-heading\" id=\"h-3-turn-file-editing-off\">3. Turn file editing off<\/h3><p>WordPress has a built-in file editor that makes editing WordPress PHP files easy. However, this feature can become a problem if hackers gain control of it.<\/p><p>For this reason, some WordPress users prefer to deactivate this feature. 
Add the following line of code to the <strong><a href=\"\/ph\/tutorials\/wp-config-php\">wp-config.php<\/a> <\/strong>file to disable file editing:<\/p><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">define( 'DISALLOW_FILE_EDIT', true );<\/pre><p>If you want to re-enable this feature on your WordPress site, simply remove the previous code from <strong>wp-config.php<\/strong> using an FTP client or your hosting provider&rsquo;s File Manager.<\/p><h3 class=\"wp-block-heading\" id=\"h-4-restrict-access-using-the-htaccess-file\">4. Restrict access using the .htaccess file<\/h3><p>The <strong>.htaccess<\/strong> file ensures that WordPress links work properly. Without this file declaring the correct rules, you will get many <a href=\"\/ph\/tutorials\/how-to-fix-error-404\">404 Not Found errors<\/a> on your site.&nbsp;<\/p><p>Furthermore, <strong>.htaccess<\/strong> can block access from specific IPs, restrict access to only one IP, and disable PHP execution on particular folders. Below we&rsquo;ll show you how to use <strong>.htaccess<\/strong> to harden your WordPress security.<\/p><p><div><p class=\"important\"><strong>Important!<\/strong> Always back up your existing .htaccess file before making any changes to it. This can help you to restore your site easily if anything goes wrong.<\/p><\/div>\n\n\n\n<\/p><p><strong>Disabling PHP Execution in Specific Folders<\/strong><\/p><p>Hackers often upload backdoor scripts to the <strong>Uploads <\/strong>folder. 
By default, this folder only hosts uploaded media files, so it shouldn&rsquo;t contain any PHP files.<\/p><p>To secure your WordPress site, disable PHP execution in the folder by creating a new <strong>.htaccess<\/strong> file in<strong> \/wp-content\/uploads\/<\/strong> with these rules:<\/p><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># Refuse web requests for any .php file in this folder (Apache 2.2-style rule; Apache 2.4 needs mod_access_compat for it).\n&lt;Files *.php&gt;\ndeny from all\n&lt;\/Files&gt;<\/pre><p><strong>Protecting the wp-config.php File<\/strong><\/p><p>The <strong>wp-config.php<\/strong> file in the root directory contains WordPress core settings and MySQL database details. Thus, the file is usually a hacker&rsquo;s primary target.<\/p><p>Protect this file and keep WordPress secure by implementing these <strong>.htaccess<\/strong> rules:<\/p><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># Refuse all web requests for wp-config.php.\n&lt;files wp-config.php&gt;\norder allow,deny\ndeny from all\n&lt;\/files&gt;<\/pre><h3 class=\"wp-block-heading\" id=\"h-5-change-the-default-wordpress-database-prefix\">5. Change the default WordPress database prefix<\/h3><p>The WordPress database stores all the crucial information required for your site to function. Therefore, hackers often target the database with SQL injection attacks. This technique injects harmful code into the database and can bypass WordPress security measures and retrieve the database content.<\/p><p>Over <a href=\"https:\/\/bitninja.io\/blog\/the-most-common-types-of-cyberattacks-4-sql-injection-attacks\/\" target=\"_blank\" rel=\"noopener\">50% of cyberattacks<\/a> consist of SQL injection, making it one of the biggest threats. 
Hackers execute this attack because many users forget to change the default database prefix <strong>wp_<\/strong>.<\/p><p>Let&rsquo;s take a look at two methods that you can implement to protect your WordPress database from SQL injection attacks.<\/p><p><div><p class=\"important\"><strong>Important!<\/strong> Before proceeding, make sure to back up your MySQL database.<\/p><\/div>\n\n\n\n<\/p><p><strong>Changing table prefix<\/strong><\/p><ol class=\"wp-block-list\">\n<li>From your <strong>hPanel dashboard<\/strong>, navigate to the <strong>File Manager<\/strong> and open the <strong>wp-config.php<\/strong> file. Alternatively, use an FTP client to access the file.<\/li>\n\n\n\n<li>Look for the <strong>$table_prefix<\/strong> value within the code.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/table-prefix-example.png\"><img decoding=\"async\" width=\"769\" height=\"191\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/table-prefix-example.png\" alt=\"Screenshot displaying the $table_prefix value within the code\" class=\"wp-image-43924\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/table-prefix-example.png 769w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/table-prefix-example-300x75.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/table-prefix-example-150x37.png 150w\" sizes=\"(max-width: 769px) 100vw, 769px\" \/><\/a><\/figure><ol start=\"3\" class=\"wp-block-list\">\n<li>Replace the default WordPress database prefix <strong>wp_<\/strong> with a new one. 
Use a combination of letters and numbers to create a unique prefix for the website.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/table-prefix-changed.png\"><img decoding=\"async\" width=\"774\" height=\"181\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/table-prefix-changed.png\" alt=\"Screenshot showcasing a changed $table_prefix value\" class=\"wp-image-43925\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/table-prefix-changed.png 774w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/table-prefix-changed-300x70.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/table-prefix-changed-150x35.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/table-prefix-changed-768x180.png 768w\" sizes=\"(max-width: 774px) 100vw, 774px\" \/><\/a><\/figure><ol start=\"4\" class=\"wp-block-list\">\n<li>Click <strong>Save &amp; Close<\/strong>.<\/li>\n\n\n\n<li>Moving back to the <strong>hPanel dashboard<\/strong>, go to the <strong>Databases<\/strong> section and click <strong>phpMyAdmin<\/strong>. 
Then, open the site&rsquo;s database by clicking <strong>Enter phpMyAdmin<\/strong>.<\/li>\n<\/ol><div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/02\/hpanel-databases-phpmyadmin-highlighted.jpg\"><img decoding=\"async\" width=\"1024\" height=\"431\" src=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/02\/hpanel-databases-phpmyadmin-highlighted.jpg\" alt=\"The Databases phpMyAdmin section in hPanel with the Enter phpMyAdmin button highlighted\" class=\"wp-image-78205\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/02\/hpanel-databases-phpmyadmin-highlighted.jpg 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/02\/hpanel-databases-phpmyadmin-highlighted-300x126.jpg 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/02\/hpanel-databases-phpmyadmin-highlighted-150x63.jpg 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/02\/hpanel-databases-phpmyadmin-highlighted-768x323.jpg 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><\/div><ol start=\"6\" class=\"wp-block-list\">\n<li>If you have multiple databases, find the database&rsquo;s name in the <strong>wp-config.php<\/strong> file. 
Look for the following block of code:<\/li>\n<\/ol><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ ** MySQL settings - You can get this info from your web host ** \/\/\n\/** The name of the database for WordPress *\/\ndefine( 'DB_NAME', 'MySQL Database' );<\/pre><ol start=\"7\" class=\"wp-block-list\">\n<li>Scroll down to the bottom and click on the <strong>Check all<\/strong> button.<\/li>\n<\/ol><figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/04\/phpmyadmin-checkall-highlighted.png\"><img decoding=\"async\" width=\"1024\" height=\"300\" src=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/04\/phpmyadmin-checkall-highlighted-1024x300.png\" alt=\"The phpMyAdmin interface, the Check all button is highlighted.\" class=\"wp-image-83043\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-checkall-highlighted-1024x300.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-checkall-highlighted-300x88.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-checkall-highlighted-150x44.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-checkall-highlighted-768x225.png 768w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-checkall-highlighted.png 1392w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><ol start=\"8\" class=\"wp-block-list\">\n<li>Click on the <strong>With selected:<\/strong> drop-down menu and select the <strong>Replace table prefix <\/strong>option.<\/li>\n<\/ol><figure 
class=\"wp-block-image size-large\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/04\/phpmyadmin-replacetableprefix-highlighted.png\"><img decoding=\"async\" width=\"1024\" height=\"740\" src=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/04\/phpmyadmin-replacetableprefix-highlighted-1024x740.png\" alt=\"The phpMyAdmin interface, the Replace table prefix button is highlighted.\" class=\"wp-image-83044\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-replacetableprefix-highlighted-1024x740.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-replacetableprefix-highlighted-300x217.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-replacetableprefix-highlighted-150x108.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-replacetableprefix-highlighted-768x555.png 768w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/04\/phpmyadmin-replacetableprefix-highlighted.png 1364w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><ol start=\"9\" class=\"wp-block-list\">\n<li>Enter the current prefix along with a new one, and select <strong>Continue<\/strong>.<\/li>\n<\/ol><div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2017\/02\/phpmyadmin-replacetableprefix-continue-highlighted.png\"><img decoding=\"async\" width=\"974\" height=\"432\" src=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2017\/02\/phpmyadmin-replacetableprefix-continue-highlighted.png\" alt=\"The Replace table prefix table on phpMyAdmin. 
The Continue button is highlighted\" class=\"wp-image-83045\" style=\"width:731px;height:324px\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2017\/02\/phpmyadmin-replacetableprefix-continue-highlighted.png 974w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2017\/02\/phpmyadmin-replacetableprefix-continue-highlighted-300x133.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2017\/02\/phpmyadmin-replacetableprefix-continue-highlighted-150x67.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2017\/02\/phpmyadmin-replacetableprefix-continue-highlighted-768x341.png 768w\" sizes=\"(max-width: 974px) 100vw, 974px\" \/><\/a><\/figure><\/div><p><strong>Updating prefix values in the tables<\/strong><\/p><p>Depending on the number of WordPress plugins installed on your site, you may need to update some values in the database manually. Do this by running separate SQL queries on tables that are likely to have values with the <strong>wp_ <\/strong>prefix<strong> <\/strong>&ndash; these include the <strong>options <\/strong>and <strong>usermeta <\/strong>tables.<\/p><p>Use the code below to filter all values that contain the following prefix:<\/p><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE '%wp_%'<\/pre><p><strong>wp_1secure1_tablename<\/strong> contains the table name in which you want to perform the query. 
Meanwhile, <strong>field_name<\/strong> represents the name of the <strong>field\/column<\/strong> where values with the <strong>wp_<\/strong> prefix most likely appear.<\/p><p>Here&rsquo;s how to manually change the prefix value:<\/p><ol class=\"wp-block-list\">\n<li>From the <strong>phpMyAdmin<\/strong> dashboard, navigate to a table with the prefix value that you want to update. For example, open <strong>wp_1secure1_usermeta<\/strong>.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/phpmyadmin-table-list.png\"><img decoding=\"async\" width=\"981\" height=\"426\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/phpmyadmin-table-list.png\" alt=\"Screenshot of a phpMyAdmin table list\" class=\"wp-image-43930\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-table-list.png 981w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-table-list-300x130.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-table-list-150x65.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-table-list-768x334.png 768w\" sizes=\"(max-width: 981px) 100vw, 981px\" \/><\/a><\/figure><ol start=\"2\" class=\"wp-block-list\">\n<li>Navigate to the <strong>SQL<\/strong> tab in the top menu bar.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/phpmyadmin-sql-top-menu.png\"><img decoding=\"async\" width=\"1024\" height=\"285\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/phpmyadmin-sql-top-menu.png\" alt=\"Screenshot showcasing the top menu of phpMyAdmin\" class=\"wp-image-43931\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-sql-top-menu.png 1024w, 
https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-sql-top-menu-300x84.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-sql-top-menu-150x42.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-sql-top-menu-768x214.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><ol start=\"3\" class=\"wp-block-list\">\n<li>Enter the code above in the SQL query editor to filter the values containing <strong>wp_<\/strong>, and click <strong>Go<\/strong>. Be sure to modify the information according to your actual table and field names.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/sql-query-editor-select-from.png\"><img decoding=\"async\" width=\"1024\" height=\"385\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/sql-query-editor-select-from.png\" alt=\"Screenshot of the SQL Query Editor with the SELECT * FROM code in use\" class=\"wp-image-43932\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/sql-query-editor-select-from.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/sql-query-editor-select-from-300x113.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/sql-query-editor-select-from-150x56.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/sql-query-editor-select-from-768x289.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><ol start=\"4\" class=\"wp-block-list\">\n<li>The filter results will appear. 
Click the <strong>Edit<\/strong> button next to the targeted field.<\/li>\n<\/ol><figure class=\"wp-block-image size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/phpmyadmin-edit-button.png\"><img decoding=\"async\" width=\"1510\" height=\"698\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/phpmyadmin-edit-button.png\" alt=\"Screenshot showcasing the Edit button in phpMyAdmin\" class=\"wp-image-43933\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-edit-button.png 1510w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-edit-button-300x139.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-edit-button-1024x473.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-edit-button-150x69.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/phpmyadmin-edit-button-768x355.png 768w\" sizes=\"(max-width: 1510px) 100vw, 1510px\" \/><\/a><\/figure><ol start=\"5\" class=\"wp-block-list\">\n<li>Change the prefix value, and click <strong>Go<\/strong>. 
Repeat steps 4 and 5 for all filtered values.<\/li>\n<\/ol><figure class=\"wp-block-image size-large\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wpsecure-capabilities.png\"><img decoding=\"async\" width=\"1024\" height=\"340\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wpsecure-capabilities-1024x340.png\" alt=\"Screenshot of the wp_1secure1_capabilities code being entered\" class=\"wp-image-43934\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wpsecure-capabilities.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wpsecure-capabilities-300x99.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wpsecure-capabilities-150x50.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wpsecure-capabilities-768x255.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><ol start=\"6\" class=\"wp-block-list\">\n<li>Repeat from step 1 for the rest of the tables within the database to update all values with the <strong>wp_<\/strong> prefix.<\/li>\n<\/ol><h3 class=\"wp-block-heading\" id=\"h-6-disable-xml-rpc\">6. Disable XML-RPC<\/h3><p>XML-RPC is a WordPress feature for accessing and publishing content via mobile devices, enabling <a href=\"https:\/\/wordpress.org\/support\/user-manual\/building-your-wordpress-community\/trackbacks-and-pingbacks\/\" target=\"_blank\" rel=\"noopener\">trackbacks and pingbacks<\/a>, and using the Jetpack plugin on your WordPress website.<\/p><p>However, XML-RPC has some weaknesses that hackers can exploit. 
The feature lets them make multiple login attempts without being detected by the <a href=\"\/ph\/tutorials\/website-security-software\">security software<\/a>, making your site prone to brute force attacks.<\/p><p>Hackers can also take advantage of the XML-RPC pingback function to perform DDoS attacks. It allows attackers to send pingbacks to thousands of websites at once, which can crash the targeted sites.<\/p><p>To determine whether XML-RPC is enabled, run your site through an XML-RPC validation service and see whether you receive a success message. A success message means that the XML-RPC function is running.<\/p><p>You can disable the XML-RPC function either by using a plugin or manually.<\/p><p><strong>Disabling XML-RPC using a plugin<\/strong><\/p><p>Using a plugin is the faster and simpler way to block the XML-RPC feature on your website. We recommend using the <a href=\"https:\/\/wordpress.org\/plugins\/hostinger\/\" target=\"_blank\" rel=\"noreferrer noopener\">Hostinger Tools<\/a> plugin. It can automatically turn off some of the XML-RPC functionalities, preventing hackers from performing attacks using this WordPress security flaw.<\/p><p><strong>Disabling XML-RPC manually<\/strong><\/p><p>You can also stop all incoming XML-RPC requests manually. Locate the <strong>.htaccess<\/strong> file in your root directory and paste the following code snippet:<\/p><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\"># Block WordPress xmlrpc.php requests\n&lt;Files xmlrpc.php&gt;\norder deny,allow\ndeny from all\nallow from 000.00.000.000\n&lt;\/Files&gt;<\/pre><p>To allow a particular IP address to access XML-RPC, replace 000.00.000.000 with that IP address, or delete that line altogether to block all requests.<\/p><h3 class=\"wp-block-heading\" id=\"h-7-hide-the-wordpress-version\">7. 
Hide the WordPress version<\/h3><p>Hackers can break into your site more easily if they know which version of WordPress you&rsquo;re running. They can use that version&rsquo;s vulnerabilities to attack your site, especially if it&rsquo;s an older WordPress version.<\/p><p>Luckily, it&rsquo;s possible to hide the information from your site using the WordPress Theme Editor. Follow these steps:<\/p><ol class=\"wp-block-list\">\n<li>From your WordPress dashboard, navigate to <strong>Appearance<\/strong> &rarr; <strong><a href=\"\/ph\/tutorials\/wordpress-theme-editor\/\">Theme Editor<\/a><\/strong>.&nbsp;<\/li>\n\n\n\n<li>Choose your current theme and select the <strong>functions.php<\/strong> file.<\/li>\n<\/ol><figure class=\"wp-block-image size-large\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-theme-functions.png\"><img decoding=\"async\" width=\"1024\" height=\"474\" src=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2022\/01\/wordpress-theme-functions-1024x474.png\" alt=\"Screenshot showcasing the functions.php file being edited\" class=\"wp-image-43936\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-theme-functions-1536x711.png 1024w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-theme-functions-300x139.png 300w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-theme-functions-150x69.png 150w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-theme-functions-768x356.png 768w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2022\/01\/wordpress-theme-functions.png 1695w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/a><\/figure><ol start=\"3\" class=\"wp-block-list\">\n<li>To remove the version number from the header and RSS feeds, paste the following code into the <strong>functions.php<\/strong> 
file:<\/li>\n<\/ol><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ Return an empty string in place of the generator output, which carries the version number.\nfunction dartcreations_remove_version() {\n    return '';\n}\nadd_filter('the_generator', 'dartcreations_remove_version');<\/pre><ol start=\"4\" class=\"wp-block-list\">\n<li>The WordPress generator meta tag also displays the WordPress version number. Add this line to get rid of it:<\/li>\n<\/ol><pre class=\"EnlighterJSRAW\" data-enlighter-language=\"php\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">\/\/ Stop WordPress from printing the generator meta tag in the page head.\nremove_action('wp_head', 'wp_generator');<\/pre><ol start=\"5\" class=\"wp-block-list\">\n<li>Click <strong>Update File<\/strong> to save the changes.<\/li>\n<\/ol><h3 class=\"wp-block-heading\" id=\"h-8-block-hotlinking\">8. Block hotlinking<\/h3><p>Hotlinking is when someone displays one of your website&rsquo;s assets, usually a picture, on their own website. Every time people visit a website with hotlinks to your content, it uses up your web server resources, slowing down your site.<\/p><p>To see if your content was hotlinked, type the following query in Google Images, replacing <strong>yourwebsite.com<\/strong> with <strong>your domain name<\/strong>:<\/p><pre class=\"wp-block-preformatted\">inurl:yourwebsite.com -site:yourwebsite.com<\/pre><p>To <a href=\"\/ph\/tutorials\/hotlinking\">prevent hotlinking<\/a>, use an FTP client, a WordPress security plugin, a <a href=\"\/ph\/tutorials\/what-is-cdn\">CDN<\/a>, or edit the control panel&rsquo;s settings.<\/p><h3 class=\"wp-block-heading\" id=\"h-9-manage-file-permissions\">9. 
Manage file permissions<\/h3><p>Prevent hackers from gaining access to your admin account by determining which users can read, write, or execute your WordPress files or folders.&nbsp;<\/p><p>You can use your web host&rsquo;s File Manager, an FTP client, or the command line to <a href=\"https:\/\/support.hostinger.com\/en\/articles\/1583244-how-to-set-access-rights-for-files-and-folders\" target=\"_blank\" rel=\"noopener\">manage file and folder permissions<\/a>.<\/p><p>Permissions are generally set by default and may vary between files and folders. For the <strong>wp-admin<\/strong> folder and the <strong>wp-config<\/strong> file specifically, make sure that only the <strong>Owner<\/strong> is allowed to write to them.&nbsp;<\/p><div class=\"wp-block-image\"><figure class=\"aligncenter size-full is-resized\"><a href=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/03\/filemanager-permissions.png\"><img decoding=\"async\" width=\"760\" height=\"940\" src=\"https:\/\/www.hostinger.com\/tutorials\/wp-content\/uploads\/sites\/2\/2023\/03\/filemanager-permissions.png\" alt=\"The Permissions window on the File Manager\" class=\"wp-image-80355\" style=\"width:380px;height:470px\" srcset=\"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/03\/filemanager-permissions.png 760w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/03\/filemanager-permissions-243x300.png 243w, https:\/\/www.hostinger.com\/ph\/tutorials\/wp-content\/uploads\/sites\/44\/2023\/03\/filemanager-permissions-121x150.png 121w\" sizes=\"(max-width: 760px) 100vw, 760px\" \/><\/a><\/figure><\/div><h2 class=\"wp-block-heading\" id=\"h-why-do-you-need-to-secure-a-wordpress-website\">Why do you need to secure a WordPress website?<\/h2><p>If your <a href=\"\/ph\/tutorials\/launch-a-wordpress-site\">WordPress site<\/a> gets hacked, you risk losing important data, assets, and credibility. 
Furthermore, these security issues can jeopardize your customers&rsquo; personal data and billing information.<\/p><p>The <a href=\"https:\/\/www.comparitech.com\/vpn\/cybersecurity-cyber-crime-statistics-facts-trends\/\" target=\"_blank\" rel=\"noopener\">cost of cybercrime damages<\/a> can reach up to <strong>$10.5 trillion per year <\/strong>by 2025. Surely you don&rsquo;t want to become a hacker target and contribute to that.<\/p><p>Based on the <a href=\"https:\/\/wpvulndb.com\/\" target=\"_blank\" rel=\"noopener\">WPScan Vulnerability Database<\/a>, these are some of the most common types of <a href=\"\/ph\/tutorials\/wordpress-security-issues\">WordPress security vulnerabilities:<\/a><\/p><ul class=\"wp-block-list\">\n<li><strong>Cross-site request forgery<\/strong> (<strong>CSRF<\/strong>) &ndash; forces the user to execute unwanted actions in a trusted web application.<\/li>\n\n\n\n<li><strong>Distributed denial-of-service<\/strong> (<strong>DDoS<\/strong>) <strong>attack<\/strong> &ndash; incapacitates online services by flooding them with unwanted connections, thus rendering a site inaccessible.<\/li>\n\n\n\n<li><strong>Authentication bypass<\/strong> &ndash; gives hackers access to your website&rsquo;s resources without verifying their authenticity.<\/li>\n\n\n\n<li><strong>SQL injection<\/strong> (<strong>SQLi<\/strong>) &ndash; forces the system to execute malicious SQL queries and manipulate data within the database.<\/li>\n\n\n\n<li><strong>Cross-site scripting<\/strong> (<strong>XSS<\/strong>) &ndash; injects malicious code that turns the site into a transporter of malware.<\/li>\n\n\n\n<li><strong>Local file inclusion<\/strong> (<strong>LFI<\/strong>) &ndash; forces the site into processing malicious files placed on the web server.<\/li>\n<\/ul><p>We recommend reading our other article to learn more about <a href=\"\/ph\/tutorials\/hacked-wordpress\">identifying and fixing a hacked WordPress site<\/a> to help minimize data and financial 
loss.<\/p><p><div class=\"protip\">\n                    <h4 class=\"title\">Suggested Reading<\/h4>\n                    <p>Check out our guide about <a href=\"\/ph\/tutorials\/web-application-security\">web application security<\/a> and protect your site from cyber attacks.<\/p>\n                <\/div>\n\n\n\n<\/p><h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2><p>Cyberattacks may come in different forms, from malware injection to DDoS attacks. WordPress websites, in particular, are common targets for hackers due to the CMS&rsquo;s popularity. Therefore, WordPress website owners must know how to secure their sites.<\/p><p>However, securing a WordPress site is not a one-time task. You need to continuously reassess it since cyberattacks are ever-evolving. The risk will always be there, but you can apply WordPress security measures to reduce those risks.<\/p><p>We hope this article has helped you understand the importance of WordPress security measures and how to implement them.<\/p><p>Feel free to leave a comment if you have any questions or more WordPress security tips.<\/p><h2 class=\"wp-block-heading\" id=\"h-how-to-improve-wordpress-security-faq\">How to improve WordPress security FAQ<\/h2><div class=\"schema-faq wp-block-yoast-faq-block\"><div class=\"schema-faq-section\" id=\"faq-question-1643114501278\"><h3 class=\"schema-faq-question\">Does WordPress need a firewall?<\/h3> <p class=\"schema-faq-answer\">Setting up a website firewall is necessary as it helps guard your WordPress site against hacking attempts or other forms of cyberattacks by blocking unwanted traffic. Since WordPress doesn&rsquo;t have a built-in website firewall, you can set it up by downloading a plugin like Sucuri.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1643114529387\"><h3 class=\"schema-faq-question\"><strong>Is WordPress easily hacked?<\/strong><\/h3> <p class=\"schema-faq-answer\">As a platform, WordPress is secure and safe to use. 
WordPress security is not only about the technology but also about the <a href=\"https:\/\/www.metacompliance.com\/blog\/cyber-security-awareness\/cyber-security-risk\" target=\"_blank\" rel=\"noopener\">human factors<\/a>. No matter how safe the platform is, your site can easily be hacked if you don&rsquo;t take other security measures (use strong passwords, etc.).<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1643114531883\"><h3 class=\"schema-faq-question\"><strong>Why is my WordPress not secure?<\/strong><\/h3> <p class=\"schema-faq-answer\">If your browser shows that your WordPress site is not secure, that means your site doesn&rsquo;t have an SSL certificate or the SSL isn&rsquo;t configured correctly. Consider installing one or switching to HTTPS to fix the issue.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1643114533400\"><h3 class=\"schema-faq-question\"><strong>Is a security plugin necessary for WordPress?<\/strong><\/h3> <p class=\"schema-faq-answer\">Yes, installing a hack scanner security plugin such as Jetpack and Sucuri can help protect your site for the long term. Remember to only install the necessary ones as having too many plugins can break your site.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1643114594241\"><h3 class=\"schema-faq-question\"><strong>How do I secure my WordPress site without plugins?<\/strong><\/h3> <p class=\"schema-faq-answer\">Start by making sure that you use <a href=\"\/ph\/wordpress-hosting\">secure WordPress hosting<\/a>. 
Then, configure your site for better WordPress security: manage file permissions, disable PHP error reporting and XML-RPC, restrict access to <strong>wp-config.php<\/strong>, and block hotlinking from other websites.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1643114595308\"><h3 class=\"schema-faq-question\"><strong>Why does WordPress get hacked so much?<\/strong><\/h3> <p class=\"schema-faq-answer\">Many WordPress sites get hacked because the site owner doesn&rsquo;t use enough security measures. This leaves sites with various vulnerabilities that open the way for potential attackers. Attackers also regularly target WordPress-powered websites because the platform is used by almost half of the existing websites.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1643114631508\"><h3 class=\"schema-faq-question\"><strong>Why is my WordPress site being attacked?<\/strong><\/h3> <p class=\"schema-faq-answer\">Your WordPress site might have security vulnerabilities like outdated plugins, weak passwords, and unprotected access to the <strong>wp-admin<\/strong> directory. Apply regular website maintenance and use our <strong>WordPress Security Checklist<\/strong> to ensure you&rsquo;ve applied sufficient security measures to your site.<\/p> <\/div> <div class=\"schema-faq-section\" id=\"faq-question-1643114632314\"><h3 class=\"schema-faq-question\"><strong>What is the best WordPress security plugin?<\/strong><\/h3> <p class=\"schema-faq-answer\">We recommend Wordfence or Sucuri as the best WordPress security plugins. Both are similar, offering a WordPress malware scanner, a web application firewall, and traffic monitoring. 
Sucuri is great if you have an online store, but if you&rsquo;re looking for a free plugin, then Wordfence is a great option.<\/p> <\/div> <\/div>\n","protected":false},"excerpt":{"rendered":"<p>WordPress is the most popular content management system (CMS), with 43.2% of all websites running on its software. 
Unfortunately, its popularity attracts all sorts of cybercriminals who exploit the platform&rsquo;s security vulnerabilities. This doesn&rsquo;t mean that WordPress has a terrible security system, as security breaches can also happen due to the users&rsquo; lack of security [&#8230;]<\/p>\n<p><a class=\"btn btn-secondary understrap-read-more-link\" href=\"\/ph\/tutorials\/how-to-secure-wordpress\">Read More&#8230;<\/a><\/p>\n","protected":false},"author":172,"featured_media":126654,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"WordPress Security: 22 Ways to Keep Your Website Safe","rank_math_description":"WordPress security breaches happen due to a lack of security awareness. Learn the best tips and methods to keep your WordPress site safe.","rank_math_focus_keyword":"wordpress security","footnotes":""},"categories":[22632],"tags":[],"class_list":["post-694","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-wordpress"],"hreflangs":[{"locale":"en-US","link":"https:\/\/www.hostinger.com\/tutorials\/how-to-secure-wordpress","default":0},{"locale":"pt-BR","link":"https:\/\/www.hostinger.com\/br\/tutoriais\/como-aumentar-seguranca-no-wordpress","default":0},{"locale":"fr-FR","link":"https:\/\/www.hostinger.com\/fr\/tutoriels\/securiser-wordpress","default":0},{"locale":"es-ES","link":"https:\/\/www.hostinger.com\/es\/tutoriales\/como-mejorar-la-seguridad-wordpress","default":0},{"locale":"id-ID","link":"https:\/\/www.hostinger.com\/id\/tutorial\/cara-mengamankan-wordpress","default":0},{"locale":"de-DE","link":"https:\/\/www.hostinger.com\/de\/tutorials\/wordpress-sicherheit-verbessern","default":0},{"locale":"it-IT","link":"https:\/\/www.hostinger.com\/it\/tutorial\/sicurezza-di-wordpress","default":0},{"locale":"nl-NL","link":"https:\/\/www.hostinger.com\/nl\/tutorials\/wordpress-beveiliging","default":0},{"locale":"pl-PL","link":"https:\/\/www.hosting
er.com\/pl\/tutoriale\/jak-zabezpieczyc-wordpress","default":0},{"locale":"ja-JP","link":"https:\/\/www.hostinger.com\/jp\/tutorials\/how-to-secure-wordpress","default":0},{"locale":"en-UK","link":"https:\/\/www.hostinger.com\/uk\/tutorials\/how-to-secure-wordpress","default":0},{"locale":"en-MY","link":"https:\/\/www.hostinger.com\/my\/tutorials\/how-to-secure-wordpress","default":0},{"locale":"en-PH","link":"https:\/\/www.hostinger.com\/ph\/tutorials\/how-to-secure-wordpress","default":0},{"locale":"es-MX","link":"https:\/\/www.hostinger.com\/mx\/tutoriales\/agregar-meta-descripcion-wordpress-9","default":0},{"locale":"es-CO","link":"https:\/\/www.hostinger.com\/co\/tutoriales\/agregar-meta-descripcion-wordpress-9","default":0},{"locale":"es-AR","link":"https:\/\/www.hostinger.com\/ar\/tutoriales\/como-mejorar-la-seguridad-wordpress","default":0},{"locale":"pt-PT","link":"https:\/\/www.hostinger.com\/pt\/tutoriais\/como-aumentar-seguranca-no-wordpress","default":0},{"locale":"en-IN","link":"https:\/\/www.hostinger.com\/in\/tutorials\/how-to-secure-wordpress","default":0},{"locale":"en-CA","link":"https:\/\/www.hostinger.com\/ca\/tutorials\/how-to-secure-wordpress","default":0},{"locale":"en-AU","link":"https:\/\/www.hostinger.com\/au\/tutorials\/how-to-secure-wordpress","default":0},{"locale":"en-NG","link":"https:\/\/www.hostinger.com\/ng\/tutorials\/how-to-secure-wordpress","default":0}],"_links":{"self":[{"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/posts\/694","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/users\/172"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/comments?post=694"}],"version-history":[{"count":127,
"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/posts\/694\/revisions"}],"predecessor-version":[{"id":126649,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/posts\/694\/revisions\/126649"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/media\/126654"}],"wp:attachment":[{"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/media?parent=694"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/categories?post=694"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostinger.com\/ph\/tutorials\/wp-json\/wp\/v2\/tags?post=694"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}