WordPress security is a topic of huge importance for every website owner.

Maybe you’ve even had your site hacked or infected with malware. WordPress makes it easy for you to blog, sell digital or tangible products, update your website, and so much more. But like every other type of software, WordPress can be vulnerable to attack if you aren’t paying attention to your website security.

Since WordPress holds such a large piece of the CMS market share, it comes with extra security concerns. It’s a popular target for hackers because it offers them many potential victims to pick from. Their goals can include stealing personal information, adding malware, making a website unavailable to users or sending spam email, and the list goes on.

Is WordPress Secure?

When it comes to WordPress security, most users refer to the WordPress core. The answer to that question is yes. The WordPress core is absolutely secure. Also, it wouldn’t be an exaggeration even if I declared the WordPress core 100% secure. Anything in isolation is safest, but that’s not what it’s meant for.

So where does the problem arise?

It arises when you start customizing WordPress: installing plugins, themes, customized code and whatnot. That’s where the vulnerabilities start getting in.


How to Protect Against WordPress Security Issues

You need to approach your website’s security proactively because by the time you notice that something’s gone wrong, it’s too late. Avoid any inconvenience and spare yourself some energy and money by taking measures to prevent a cyber attack.

There are multiple ways to prevent or deter hackers. You have to target any vulnerabilities and take the necessary steps to get them in good shape. To get started, you don’t need any prior security knowledge, just some basic familiarity with WordPress.


  • Keep WordPress updated to the latest version.
  • Keep themes and plugins updated to the latest version.
  • Deactivate and delete unused plugins. Don’t just leave them deactivated.
  • Always use safe, complex passwords.
  • Your WordPress hosting service plays the most important role in the security of your WordPress site.
  • Create backups regularly and automatically.

Next level

  • If you don’t use file editing, disable it. Add define('DISALLOW_FILE_EDIT', true); in your theme’s functions.php.
  • Make sure directory listing is off: add Options All -Indexes to .htaccess if you are using Apache.
  • Depending on your hosting, PHP error reporting can sometimes be on. Add this to your wp-config.php:

    ini_set('log_errors', 'On');        // write errors to the server log
    ini_set('display_errors', 'Off');   // never show errors to visitors
    ini_set('error_reporting', E_ALL);  // report every error level

  • Install Limit Login Attempts plugin.
  • Create a user with administrator privileges and delete user “admin”.
  • Disable comments: use a plugin or delete the contents of comments.php in your theme.
  • Password Protect WP-Admin and Login
  • Disable Directory Indexing and Browsing
  • Disable XML-RPC in WordPress
  • Automatically log out Idle Users
  • Add Security Questions to WordPress Login
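
A small audit for three of the settings in the list above (file editing, PHP error display and logging, directory listing), added here as an example and not part of the original post. It takes the text of wp-config.php, functions.php and .htaccess; the function names and sample file contents are constructed for illustration, and the comment stripping is a simplification, not a full PHP parser.

```python
import re

# PHP comments are removed first so a commented-out setting does not count.
# Simplification: string literals are not parsed, so "//" inside a quoted URL is cut too.
_COMMENT = re.compile(r"/\*.*?\*/|(?://|#).*?$", re.S | re.M)

def has_define_true(php, name):
    pat = r"define\s*\(\s*['\"]%s['\"]\s*,\s*(?:true|1)\s*\)" % re.escape(name)
    return re.search(pat, _COMMENT.sub("", php), re.I) is not None

def ini_value(php, key):
    """Last value passed to ini_set(key, ...), lowercased, or None if never set."""
    pat = r"ini_set\s*\(\s*['\"]%s['\"]\s*,\s*['\"]?(\w+)['\"]?\s*\)" % re.escape(key)
    hits = re.findall(pat, _COMMENT.sub("", php), re.I)
    return hits[-1].lower() if hits else None

def indexes_disabled(htaccess):
    state = None  # None: no Options directive here, so the server default applies
    for raw in htaccess.splitlines():
        tokens = raw.strip().lower().split()
        if not tokens or tokens[0] != "options":
            continue  # skips blank lines, "# ..." comments and other directives
        opts = tokens[1:]
        if "-indexes" in opts:
            state = True
        elif "+indexes" in opts:
            state = False
        elif opts and not any(o[0] in "+-" for o in opts):
            # An absolute list replaces inherited options entirely.
            state = not ({"indexes", "all"} & set(opts))
    return state is True

def audit(wp_config, functions_php, htaccess):
    """Return the hardening items from the list above that are not in place."""
    findings = []
    if not any(has_define_true(src, "DISALLOW_FILE_EDIT") for src in (wp_config, functions_php)):
        findings.append("DISALLOW_FILE_EDIT")
    if ini_value(wp_config, "display_errors") not in ("off", "0", "false"):
        findings.append("display_errors")
    if ini_value(wp_config, "log_errors") not in ("on", "1", "true"):
        findings.append("log_errors")
    if not indexes_disabled(htaccess):
        findings.append("directory listing")
    return findings

# Constructed sample files (not taken from a real site).
GOOD_PHP = "ini_set('log_errors','On'); ini_set('display_errors','Off');\ndefine('DISALLOW_FILE_EDIT', true);"
WEAK_PHP = "// define('DISALLOW_FILE_EDIT', true);\nini_set('display_errors', 'On');"

if __name__ == "__main__":
    print(audit(GOOD_PHP, "", "Options All -Indexes"))
    print(audit(WEAK_PHP, "", "# Options -Indexes\nOptions Indexes"))
```

A finding for display_errors or log_errors only means wp-config.php does not set it; the host's php.ini may still do so.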


WordPress security is one of the crucial parts of a website. If you don’t maintain your WordPress security, hackers can easily attack your site. Maintaining your website security isn’t hard and can be done without spending a penny.

Don’t just set up a few WordPress security measures once and never give another thought to your website’s safety. The technology you’re using to power your online business is constantly changing and evolving. The smartest thing you can do is stay up to date on these changes; then you’ll be armed with the knowledge you need to protect your business.



  • Kristine

    To disable the notices completely, you’ll have to add the following line into your settings.php or php.ini file: ini_set(‘error_reporting’, E_ALL

    • Aidin Bakuchi

      Thanks for your comment, but it mostly depends on hosting configuration.
