improve WordPress security

WordPress’ popularity is both a blessing and a curse. On the one hand, its users have access to a gigantic library of tools to help enhance their websites. On the other, it presents a very attractive target for malicious attacks. That’s why learning how to improve WordPress security is essential.

(Chart by WordPress Charts and Graphs Lite.)

It sounds like a complicated subject – especially if you don’t have a background in web development – but it’s actually relatively simple. In fact, a few simple tweaks here and there are often enough to dramatically improve WordPress security.

In this post, we’ll present four tweaks to improve WordPress security of your website, including step by step instructions, and what makes each of them so important to your website’s safety. Let’s get started!

Why you need to improve WordPress security

As we mentioned, WordPress’ popularity paints a giant target on its back when it comes to security. This isn’t to say if you use it, you will face security breaches, but it’s always a possibility.

Some of the most common sources of WordPress vulnerabilities include:

  1. Not backing up your files. Backups are vital from a security standpoint. If you ever run into a serious security issue, having a recent backup of your site can save you lots of headaches.
  2. Vulnerable login pages. Unsecured login pages are the most common target for WordPress attackers. A good start here is to maintain high standards when it comes to username and password complexity. Reusing passwords or setting simple ones is a bad idea in general, but doubly so when it comes to WordPress.
  3. Using the default database prefixes. This is another common attack vector for WordPress, and there’s no reason to stick to default database prefixes on new installs.
  4. Outdated core files, themes, and plugins. This one is pretty simple to tackle. Don’t install unnecessary themes or plugins, and discard those that haven’t been updated in a while.

As you can see, most of the items on this list are pretty simple to deal with. A little common sense will get you far, but we’re fans of going the extra mile – so let’s discuss how to tackle each more thoroughly.

4 simple steps to improve WordPress security

We want to keep things simple, so we’ll be introducing you to several tools you can employ to protect your site from each vulnerability. When possible, we’ll also link to more advanced resources for your peace of mind. Let’s get right to it!

1. Set up a backup solution

Setting up good backup solution should always be one of your first steps after installing WordPress on a new site. Your web host might provide you with an internal solution in some cases – if you’re not sure whether yours does, take a look at your site’s cPanel or contact their support team.

Either way, we still recommend that you set up a backup solution of your own, since this will provide you with a greater degree of control. We’ve talked about backup plugins in the past, but if you want a reliable and free solution fast, you can go with UpdraftPlus:

After installing the plugin, a new option will appear under Settings on your WordPress dashboard. Here, you’ll have access to the three functions that lie at the core of UpdraftPlus – Backup NowRestore, and Clone/Migrate:

Improve WordPress security: The three core UpdraftPlus functions.

Selecting the Backup Now option will prompt you to choose whether to include your database and media files:

The UpdraftPlus backup options.

Once you’ve clicked Backup Now, and waited a few moments, it will appear on your main backup list, and you’ll have the option to use the Restore function if necessary. Easy, right? In only a few minutes, you’ve took the first crucial step in making your site more secure.

2. Secure your login pages

Before we dive any further into this topic, we want to reiterate that secure usernames and passwords are the most basic measure you can take to improve WordPress security. Don’t use admin as your username, and consider using a password manager if you don’t want to memorize a complex password.

Moving on, when it comes to more advanced measures, there are three steps you should take:

  1. Limit the number of possible login attempts, which makes it harder for attackers to brute-force their way in.
  2. Enable CAPTCHAs to combat bots.
  3. Employ a two-factor authentication solution.

The Wordfence security plugin helps with step one by enforcing good login security practices:

It also includes a number of other features, which warrant further attention. While not the only option, it’s one of the top security plugins currently available.

3. Modify the default database prefix

When installing WordPress, you have the option to set a custom database prefix. This is a solid security practice, but easy to overlook if you’re not aware of the security downsides:

The WordPress installation screen showing the database prefix settng.

Modifying the prefix of an existing install is a bit more complicated since it involves tinkering with your wp-config.php file, but it can be done. DigWP goes in depth into the process – it’s lengthy, but easy to follow. Of course, if you followed step one, you’ll have a good clean backup in case you need to roll back.

4. Manage your update settings

We’ve already touched on keeping your WordPress core files, themes, and plugins up to date. Plugins are the most complicated of the bunch – a lot of sites tend to go overboard with them, which can make update management a hassle.

Instead of constantly monitoring your plugins for available updates, we recommend using a tool to do it for you. Our favorite is Easy Updates Manager, which enables you to turn on automatic updates for your entire site:

Best of all, this plugin includes micromanagement options, enabling you to choose which parts of your site should update automatically. The plugin provides you with a simple control screen, which lets you toggle these options on or off with a single click:

Easy Update Manager's update settings.


WordPress is an amazing solution, but its popularity makes it a target for malicious attacks. While using WordPress doesn’t necessarily mean your site will come under fire, it’s always good to follow best security practices.

In this post, we’ve presented four tweaks that can help harden your site to the point where security worries (almost) become a thing of the past. Let’s go over the steps one final time:

  1. Employ a backup solution.
  2. Secure your login pages.
  3. Change the default database prefix.
  4. Manage your update settings.

Do you have any questions on how to improve WordPress security? Is your site secure? Feel free to speak up in the comments section below!