How to secure a WordPress website

Today we will discuss the best methods for securing a WordPress website, and how to maintain the highest possible level of security over time.

Most of the time, when we talk about a compromised website, it is a site based on a CMS (content management system, such as WordPress, Joomla, Drupal, etc.) that has either not been secured since installation or has not been updated.

While physical security can help prevent phishing attacks on a smartphone, it can’t prevent attacks in a business environment. Here, additional tools are needed, such as Identity Governance and Administration (IGA), which helps security personnel track users within on-site and cloud-based systems. Only the right users are allowed to access sensitive systems and data.

I will cover the following topics today:

  • How to install WordPress so that you have a secure website from the beginning?
  • How to keep your website secure. Best practices.
  • How to save your local backup and how to restore your website.
  • Recommended plugins to increase the security of your website.

How to install WordPress so that you have a secure website from the beginning?


Consider the following scenario: you are passionate about photography, you have a whole collection of pictures that you want to share with your friends and, why not, with the entire online community. The best solution is to make a website, but you are not a very technical person and this subject is beyond you.


After a short internet search, you discover WordPress, the most popular CMS, which does not require you to be an internet power user. You install it, choose a theme offered by WordPress, and start publishing pictures. A few days later, when you try to add more pictures to your website, you notice that everything has changed: it is now a phishing page imitating a well-known bank in Romania.

Unfortunately, your website has been compromised, and now someone is using it to steal some people's confidential data.

In order not to end up in this situation, I suggest you read the recommendations presented below. 


Hosterion's web hosting services offer a quick way to install WordPress using Softaculous.

Here are some recommendations for a Softaculous installation:

  • Change the username "admin". Use a unique name;
  • Activate the "Loginizer" plugin. This plugin will block brute force attempts;
  • Enable automatic updating of CMS, theme, and plugins by accessing the "Advanced Options" tab.

How to keep your website secure. Best practices

If you have a WordPress-based website and want to ensure increased security, I recommend you follow the steps below, or refer to WP Tech Support professionals for more help.

Change the username "admin". Fortunately, there are several ways to do this.

You can change it directly from the WordPress admin panel by adding a new user and then deleting the current one:

The first step is to access "Users" -> "Add new" from the WordPress administration page.

(Screenshot: Add new user)

Please note that to delete the original user, you must log out and log back in to the administration page as the newly added user. Also, in order not to lose the content added so far, I recommend that you select "Attribute all content to:" and choose the new user when deleting.

(Screenshot: delete WordPress user)

Another method is to use the Username Changer plugin. After installing it, all you have to do is go to the "Users" tab and select "Username Changer".

The plugin is intuitive, but if you can't handle it, you can contact us and we will help you with its installation and configuration.

Another precaution is to restrict access to the wp-admin page with an extra password. For this we will use "Directory Privacy" from the control panel:

(Screenshot: how to block WordPress login)

Where:

  • user: the user of the cPanel account
  • root_folder: the path to the folder where you installed the website (it appears as folder_radacina in the example below)

Additionally, we need to add a .htaccess file in wp-admin with the following content (the path in AuthUserFile must point to the password file that Directory Privacy created outside the document root):

AuthName "Admins Only"
AuthUserFile /home/user/folder_radacina/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user adm1nstr8r
ErrorDocument 401 default
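As an added example (not part of the original post), the following POSIX shell script produces the same wp-admin .htaccess from a shell and refuses to write it when the password file would sit under the document root, where a misconfigured server could serve it to visitors. It assumes a cPanel-style layout with the site under $HOME/public_html and the password file under $HOME/.htpasswds (hypothetical paths), and that htpasswd(1) from the Apache utilities is available for the optional password-file step.

```shell
#!/bin/sh
# Added example, not code from the original post or from cPanel/Hosterion.
# Assumed (hypothetical) layout: site in $HOME/public_html, password file
# in $HOME/.htpasswds/... as Directory Privacy does; htpasswd(1) optional.

# Print the .htaccess that restricts wp-admin to one Basic-auth user.
# $1 = allowed user, $2 = absolute path of the htpasswd file
wpadmin_htaccess() {
  cat <<EOF
AuthName "Admins Only"
AuthUserFile $2
AuthGroupFile /dev/null
AuthType Basic
require user $1
ErrorDocument 401 default
EOF
}

# Return 0 when the password file lies outside the document root (so it can
# never be served as a static file), 1 when it is inside it.
# $1 = htpasswd path, $2 = document root
passwd_outside_docroot() {
  case "$1" in
    "$2"/*) return 1 ;;
    *)      return 0 ;;
  esac
}

# Write the .htaccess into the wp-admin directory, refusing to proceed when
# the password file would be web-accessible.
# $1 = wp-admin directory, $2 = user, $3 = htpasswd path, $4 = document root
protect_wpadmin() {
  if ! passwd_outside_docroot "$3" "$4"; then
    echo "refusing: $3 is inside the document root $4" >&2
    return 1
  fi
  wpadmin_htaccess "$2" "$3" > "$1/.htaccess"
}

# Optional: create the password file with a bcrypt hash (htpasswd -B) and
# keep it readable by the account owner only.  The password is prompted for
# interactively so it never lands in shell history.
# $1 = htpasswd path, $2 = user
create_passwd_file() {
  mkdir -p "$(dirname "$1")" && chmod 700 "$(dirname "$1")"
  htpasswd -cB "$1" "$2" && chmod 600 "$1"
}

# Usage (hypothetical account "user", site in public_html):
# create_passwd_file "$HOME/.htpasswds/public_html/wp-admin/passwd" adm1nstr8r
# protect_wpadmin "$HOME/public_html/wp-admin" adm1nstr8r \
#   "$HOME/.htpasswds/public_html/wp-admin/passwd" "$HOME/public_html"
```

The check in passwd_outside_docroot is the part worth keeping even if you create the files by hand: Basic authentication only helps if the hashed passwords themselves stay out of the web root.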

After these settings, accessing the login page in the WordPress admin panel should show you the following window:

(Screenshot: WordPress authentication)

In addition to the recommendations mentioned above, you can even change the address at which you log in to the WordPress admin panel. Most bots scan for these pages (domain.tld/wp-login.php or domain.tld/wp-admin) and attempt brute-force authentication against them.

You can change the address of these pages using the WPS Hide Login plugin. After you have installed this plugin, you need to go to Settings.

(Screenshot: WPS Hide Login)


When it comes to plugins, it is very important to check how often they are updated, and also how popular they are. A plugin that is not updated regularly can expose you to security breaches. This information is available in the official WordPress plugin directory and also in the administration panel, under the Plugins section. These checks will help you keep your WordPress website secure.

How to activate your local backup and how to restore the website

In case you didn't already know, at Hosterion we save a backup of the entire hosting account every night, and keep it on our servers for 30 days. Even so, we recommend that you save a local backup before each major website upgrade (whether it is a WordPress upgrade or a plugin/theme upgrade).

To do this, you have two possibilities:

  • Using wizard backup from cPanel.
  • Using an FTP client (FileZilla, WinSCP, etc.).

To back up your website using the wizard backup option in cPanel, you need to follow the steps below:

  • Log in to the control panel.
  • Click on "Backup".
  • Select "Download a Full Website Backup".
  • When the backup is complete, you will receive a notification at the email address you entered; at that point you can download the hosting account backup.
  • Click on the Home Directory entry and a window for downloading the backup will open.

To download a backup using an FTP client (such as Filezilla or WinSCP), I recommend that you first make an archive from the File Manager by following the steps below:

  • Log in to the control panel.
  • Click on "File Manager".
  • Go to the folder where you installed WordPress.
  • Select all files using the "Select All" button.
  • From the top menu, choose "Compress".

Later, you can connect via FTP to the server where your account is hosted and you can download the archive.

In addition to backing up files, it is very important to save a database backup as well. The easiest way is to use the "Backup Wizard" in cPanel:

  • Log in to your cPanel account.
  • Access the "Backup Wizard" option.
  • Access "Backup".
  • From "Select Partial Backup", choose "MySQL Databases".
  • From the list of available databases, click on the database used by your website.


After these steps, the database is downloaded as a file named "database_name.sql.gz".

To restore your data, I recommend that you follow the steps below:

  • Log in to your cPanel account.
  • Access the "Backup Wizard" option.
  • Access "Restore".
  • Click "Home Directory" and upload the full backup you saved earlier with the cPanel backup option.
  • Go back to the previous menu, click on "MySQL Databases" and upload the previously saved sql.gz archive.

If you have a backup saved via FTP, all you have to do is delete all the current files and replace them with the ones downloaded via FTP.

To restore the database, use the Backup Wizard, following the steps described above.
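As an added example rather than a procedure from the original post, the shell script below does from the command line what the File Manager and Backup Wizard steps above do by hand: it archives the WordPress directory, dumps the database using the credentials already stored in wp-config.php, records a SHA-256 checksum so a damaged archive is noticed before you rely on it for a restore, and restores a dump. It assumes a standard wp-config.php with define('DB_NAME', ...) style lines and that tar, mysqldump and mysql are installed; the directory and database names in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post or from cPanel/Hosterion.
# Assumes a standard wp-config.php and the tar, mysqldump and mysql tools.

# Read one DB_* constant from wp-config.php.
# $1 = path to wp-config.php, $2 = constant name (DB_NAME, DB_USER, ...)
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Archive the WordPress directory and store its checksum next to it.
# $1 = WordPress directory, $2 = output directory; prints the archive path
wp_backup_files() {
  stamp=$(date +%Y%m%d-%H%M%S)
  out="$2/wp-files-$stamp.tar.gz"
  mkdir -p "$2"
  tar -C "$(dirname "$1")" -czf "$out" "$(basename "$1")"
  sha256_of "$out" > "$out.sha256"
  echo "$out"
}

# Return 0 when the archive still matches its recorded checksum.
# $1 = archive path (the .sha256 file is expected beside it)
wp_verify_backup() {
  [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# Dump the site database with the credentials from wp-config.php.
# $1 = WordPress directory, $2 = output directory; prints the dump path
wp_backup_db() {
  cfg="$1/wp-config.php"
  db=$(wp_config_value "$cfg" DB_NAME)
  user=$(wp_config_value "$cfg" DB_USER)
  host=$(wp_config_value "$cfg" DB_HOST)
  out="$2/$db-$(date +%Y%m%d-%H%M%S).sql.gz"
  mkdir -p "$2"
  # MYSQL_PWD keeps the password out of the process list, which other
  # accounts on a shared host can read; --single-transaction gives a
  # consistent snapshot of InnoDB tables without locking the live site.
  MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) mysqldump --single-transaction \
    -h "${host:-localhost}" -u "$user" "$db" | gzip > "$out"
  echo "$out"
}

# Load a dump produced by wp_backup_db back into the site database.
# $1 = WordPress directory, $2 = .sql.gz dump
wp_restore_db() {
  cfg="$1/wp-config.php"
  host=$(wp_config_value "$cfg" DB_HOST)
  gunzip -c "$2" | MYSQL_PWD=$(wp_config_value "$cfg" DB_PASSWORD) mysql \
    -h "${host:-localhost}" -u "$(wp_config_value "$cfg" DB_USER)" \
    "$(wp_config_value "$cfg" DB_NAME)"
}

# Usage (hypothetical paths): back up before a plugin upgrade, then verify.
# a=$(wp_backup_files "$HOME/public_html" "$HOME/backups")
# wp_backup_db "$HOME/public_html" "$HOME/backups"
# wp_verify_backup "$a" && echo "archive intact"
```

Keep the backups directory outside public_html, as in the usage comment: an archive of the whole site contains wp-config.php with the database password, and anything under the document root may be downloadable by visitors.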

Below is a list of the plugins I recommend (the plugins used in this post):

If you find this topic interesting, do not hesitate to leave us a comment with your opinion. If you have any questions or additions related to the security of your website, you can contact me by leaving a comment below.
