How to make your WordPress site more secure

In the world of computing and internet, with the rise of new and advanced software and tools, security has become the top priority for everyone. Whether you are a software developer or a beginner to computer, you must take time to learn how to keep yourself and your data secure. This involves everything from checking your everyday use software to tools and plugins that you use only occasionally.

WordPress is a platform that, in its original form, is very secure and almost impossible to hack. But the users have to install plugins and themes for one reason or the other. While doing so, most of us install plugins and themes from resources other than WordPress repository and that is okay since many great plugins and themes are built and provided by independent companies. This comes with the risk that a security bug or a poorly coded theme or plugin can make your website vulnerable to attacks. Even if you are not using such a thing, it is clever to keep your website under extra layer of security to avoid any danger in the first place. In this short guide, we will discuss some quick tips and plugins that will help you achieve this higher level of security with great ease.

Tips to Harden WordPress Security

1. Hide / Customize Incorrect Password Error

When an incorrect username or password is entered, WordPress tells if the username is incorrect or the password. This can make it easier for hackers to guess the login details especially in case of easy passwords.

Luckily, there is a quickly function you can use to customize or completely hide the login error. Simply copy this function to your theme’s functions.php file and then try to input incorrect username to check error message.

 add_filter('login_errors','login_ message');

function login_message( $message ){
 $message = "Wrong details! Try again!";
 return $message;

Once you have placed this, the default error message will not show. Instead, you will see this message “Wrong details! Try again!”. You can even define an empty message like this:

$message = "";

This will show nothing so an attacker cannot know if your username is correct or not and your login page is more secure!
NOTE: It’s important to manually write all quote marks since some character set cause problems if you simply copy and paste the code.

2. Add Captcha on Login Page

Adding captcha on login page is a great way of keeping brute force attacks away from your website. You do not need to get the custom code and implement it yourself. Simply get a good plugins like and set it up in a few clicks only.

3. Limit Login Attempts

The idea behind a brute force attack is to keep trying different combinations of characters until the passwords is discovered. With a captcha on your page, it is usually impossible for hackers to brute force but what if someone is manually trying to guess your password or knows it partially from somewhere? In such a case, captcha is not very effective since the user can still type it and keep trying.

The best way to avoid this is to limit the login attempts so that the chance of someone to guess your passwords are even thinner. You can use this popular plugin which has many options to give you control over number of login attempts.

4. Never Use Default ‘admin’ Username

Most people leave the default username ‘admin’ which makes it super easy for hackers to get started. To avoid this, never use this username, instead, make a more random username which should include numbers as well as letters. It is even better to use both upper and lower case letters for an even stronger username. Remember, guessing username is the first step for a hacker, if it is hard to guess, you don’t need to worry about anything else!

5. Move wp-config to Parent Directory

It is a trick not used by many people but is probably the quickest way to make your site much more secure. If you move wp-config.php file to the parent directory of your WordPress install, it will still function fine. But now, if a hacker even gets access to your WordPress installation directory for some reason, he cannot get database and other most sensitive information that is saved in wp-config.php file.

All-in-one Solutions:

If you are looking for more like all-in-one type of options that can get a lot done for you in a single package then keep reading for some of the best WordPress security plugins available today!

1. iThemes Security

If you are looking for an amazing all-in-one WordPress security plugin and do not want to spend time searching for one plugin or the other, then you can install iThemes Security right now and forget everything else!


iThemes Security is considered among few of the best security plugins and has tons of features to make your website more secure without slowing it down. The simple and easy-to-use interface provides many options including tracking users activity, 2-factor authentication, password expiration, banning IP addresses, check for malicious codes and a lot more. To summarize, it really is a complete package providing almost everything you might need to make your WordPress site super secure.

Current Active Installs: 600,000+

2. Wordfence

Wordfence is another plugin that provides most security features in a single plugin. It includes many useful options including 2-factor authentication, scanning and verifying core files, firewall to block fake bots, scan for threats and malwares and many other features. The list is just too long which shows how powerful Wordfence is.


Current Active Installs: 700,000+

3. Sucuri Security

Sucuri Security is a plugin that has many great security features that most others lack. It includes Security Activity Auditing, Remote Malware Scanning, Blacklist Monitoring and much more. It is very effective and amazing because it scans all events taking place in your website and scans them for malware or any other type of infecting material.


Current Active Installs: 100,000+

All of these plugins are powerful and have their own features. It is best to try them and see what fits your specific needs the best. It is important to keep your WordPress security up to date by having one of these security plugins as well as installing latest versions of WordPress core, themes and plugins.

Leave a Reply

Your email address will not be published. Required fields are marked *