How to Make WordPress Site Secure: 7 Security Checklists to Follow

How do you make a WordPress site secure? If that is your question, this guide walks through the best way to secure your website using a set of WordPress security checklists.

When your blog starts making money and getting traffic, then attackers will try to hack your website to change the website content and access your admin panel. So, it’s very important that you do all that you can to protect your site from hackers.

It is not only hackers: competitors may also try to push your website down by sending thousands of bot visits from various countries in a DDoS attack. As a result, your host may shut down your account due to high CPU or RAM usage, or you may have to upgrade your hosting account to get better security.

How to Make WordPress Site Secure? Best Practices

To protect your website from hackers and keep your WordPress site secure, follow these few simple WordPress security checklists.

1. Hide your WordPress Login Page

The first thing any hacker tries is to find your login URL. By default, WordPress has two login pages: login.php and admin.php.

For example, and

Using these URLs, hackers will try to access admin.php and login.php. If the login URL is used, the hacker will be able to see all of the site’s information.

So, to keep your website secure, you need to hide your login URL and change it to a random URL so that hackers cannot brute-force the login.

To hide your login page, you can use a security plugin such as WPS Hide Login, or Perfmatters, which is a paid plugin.

Install the WPS Hide Login plugin and go to Settings > WPS Hide Login.

Selecting WPS Hide Login from Settings

It will redirect to the general WordPress setting page, and it will show you the setting to change the login URL, enter any word like “cat” and click save changes.

Now your login URL is Save this URL on your computer or remember it. If you forget your WPS login URL, you won’t be able to log in to your website; in that case you need to disable or delete the plugin from your hosting cPanel account.

After creating a new login URL, the old login page won’t work, and it will show you a 404 error.

changing login URL on WPS Hide login plugin

2. Change Login Username and Use Strong Password

We see most websites use the word admin as the administrator username, and this is really shocking to us. When WordPress was first created, people used it without any worry; those were the days when a website owner could sleep without worrying that someone would hack their website.

In those days WordPress users used someone’s date of birth as their password and admin as their username, and to be honest their WordPress sites were safe.

But that is no longer the case; now you have to protect your website login with a unique username and a strong password.

When creating your website, choose a strong username and password and save it on your computer and don’t share it with anyone.

If you already have an existing website, and you can’t change your username, then install Easy Username Updater. Here is the guide on how to install a plugin from WordPress.

3. Using WP Security Plugin

To keep your website secure, WordPress advises everyone to use a security plugin. For you, we posted an article about the best security plugin for WordPress.

We are using the Malcare security plugin on this blog, which is too good; you can download the plugin from here. Wordfence is also a good plugin; before Malcare we used Wordfence for this blog, and it was good before the last update.

The latest version created too many issues and decreased the loading time of the website. If you’re using Wordfence and experiencing a speed issue, then check the speed of your website in Google speed test or Gtmetrix tool and deactivate it.

We thought to roll back the plugin to its previous version. But to avoid future problems we bought malcare, and it protects this site from malware, viruses, and cyberattacks.

Malcare will block an IP address after a limited number of login attempts and also block anyone who attempts a brute-force attack. This plugin protects websites by putting a firewall layer between your site and the internet. To know more about Malcare, you should read our Malcare review.


4. 2 Factor Authentication

Using two-factor authentication is the easiest way to secure your WordPress website. We used to get so many login attempts from hackers but after using the two-factor technology our blog is safe and secure.

When you enable Two-factor security, a security code will be sent to you via text or email. You should keep the security code safe and never share it with anyone.

Also, you can use the Google Authenticator app, which is the safest app from Google. You need to install the app on your mobile and install the plugin on your website.

To activate two-factor authentication on your WordPress website, follow these simple steps:

1) Log in to your admin dashboard, go to Plugins > Add New, search for “Google authenticator” and install it.

WordPress plugin showing the Google Authenticator security plugin

2) Click “Activate” and go to the plugin settings, where you will see a QR code. Open the Google Authenticator app on your phone and scan the code.

Now your WordPress website is configured with two-factor authentication. When you sign in to your website with your username and password, a second screen will appear asking you to enter the two-factor code.

To get the code, open the Google Authenticator app on your Android phone or iPhone. It will generate a six-digit code; copy that code, paste it in the code field and click Log In.

2-factor showing the second screen to enter the code from Google authenticator app from mobile

Even if hackers steal your login credentials, they cannot log in to your website without entering the two-factor code. In this way, you protect your site from security vulnerabilities.
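To show why a stolen password is not enough, here is an added example (not the plugin's code) of the time-based one-time password scheme from RFC 6238 that authenticator apps use: the QR code carries a shared secret, and both the phone and the server derive the six-digit code from that secret and the current time. The secret below is the published RFC 6238 test key; the `verify` helper, its one-step drift tolerance and its replay set are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test secret (public test vector), base32-encoded as a QR code would carry it.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at, step=30, digits=6):
    """Compute the RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", int(at) // step)        # 30-second time step
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, now, used_steps, drift=1, step=30):
    """Accept a code from the current step or `drift` steps either side, once only."""
    if not (submitted.isascii() and submitted.isdigit()):
        return False
    current = int(now) // step
    for candidate in range(current - drift, current + drift + 1):
        expected = totp(secret_b32, candidate * step, step, len(submitted))
        # Constant-time comparison; reject a code whose step was already used (replay).
        if hmac.compare_digest(expected, submitted) and candidate not in used_steps:
            used_steps.add(candidate)
            return True
    return False

if __name__ == "__main__":
    used = set()
    print(totp(SECRET, 59))                   # code for the RFC test time T=59
    print(verify(SECRET, "287082", 89, used))  # one step late: accepted
    print(verify(SECRET, "287082", 89, used))  # same code again: rejected
```

Because the code depends on a secret that never leaves the phone and the server, and expires after a short window, a password captured on its own does not let an attacker complete the login.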

5. Use SSL Certificate

The SSL certificate secures the website by encrypting the traffic between browser and server. This prevents anyone from spying on your website’s information, including login credentials, and stops attackers from creating a fake version of your website.

If you’re running an ecommerce blog, you must install an SSL certificate to show that you’re trusted and to keep information stored on the website, such as credit card details and passwords, private and safe.

After installing the SSL certificate your website will go from HTTP to HTTPS. Read our article to know why https is important for website.

Amazon is using the SSL certificate and it is showing that the connection is secure for users and the certificate is valid

By installing the SSL certificate you’re promising your customers that you won’t share their sensitive information or data with any third party websites.

6. Secure Hosting Provider

If you are a beginner starting a blog, it is better to choose a web hosting company that has the best web servers so that you do not run into problems or security issues. If you don’t know how to select a web host for your WordPress website, check this best WordPress hosting for Beginners and small businesses.

Choose a web host that provides site security features such as DDoS protection, backups, and detection and removal of malicious code.

Ensure your host’s server locations are always monitored, the hardware is properly protected, and the servers are regularly updated with proper software.

7. Update Themes & Plugins

It doesn’t matter whether you’re using free or paid WordPress themes or plugins. But you should always install the theme from the WordPress directory or download it from the official theme marketplace.

You need to update your theme and plugins regularly to keep your website safe. We advise that you never install any nulled product from third-party sites, because such products can carry malicious scripts that will be used to hack your password and website admin account.

8. Use Backup and Restore Plugin

The last tip on how to make a WordPress site secure is to install the best backup plugin for WordPress. If you’re concerned about your website’s security, use a backup and restore plugin.

A backup plugin will take a backup of your complete website daily, weekly or monthly. If a hacker gets access to your website and deletes it completely, you can easily fix it by restoring the old version of your website.

After restoring the older version, you can change your default login page, username and password. That way you can protect your website from being hacked again.


I hope that you now know how to make WordPress website secure using the suggested best practices. If you implement these security measures, you will have peace of mind knowing that your website information and data are safe and secure.

Google likes secure websites and your blog SEO will increase which benefits your blog traffic as well. So keep in mind to follow the above instructions.

In summary, here is the WordPress security checklist to keep your WordPress website secure.

  • Hide your WordPress login page
  • Change your admin username and password
  • Use security plugin
  • 2-factor authentication app
  • Use SSL certificate
  • Use secure web hosting
  • Use the backup and restore plugin


Abdullah Prem

I am Abdullah Prem from India, with over 10 years of experience in blogging. I happily work from home and teach people how to start blogging through my easy guides. I am an expert in writing about WordPress, Hosting, Themes, and online money-making ideas. I have been featured in popular tech sites like Cloudways, Business2Community, Leadpages, GoodFirms, and ShareThis.
