How to Secure a WordPress Website in 2021 (Step by Step)

  • Home
  • General
  • How to Secure a WordPress Website in 2021 (Step by Step)
Feature image of how to secure wordpress websites in 2021

WordPress is one of the most popular content management systems today, making it the first choice for building websites; thus, it’s most prone to security attacks.

This article will explain some common reasons why WordPress websites get hacked and how to secure any WordPress website with practical steps.
Before we get into that;

Is WordPress Secure as a CMS?

WordPress is amongst the most secure Content management systems in the market today.

Irrespective of what people say, if appropriately managed, it can withstand every known security attack.

This comes as no surprise as WordPress does have a vast number of contributors and a developer-rich ecosystem.

Installing just WordPress (Without any third-party plugins & Themes) is guaranteed to be secure as each WordPress version before the release goes through months of testing and patching.

Other Content Management systems like Joomla do not even come close to how to secure WordPress is.
Try coding your own custom CMS, and you’ll know just how hard and expensive it is to keep things secure, which WordPress manages to do well being an open-source application.

Is Your Hosting Provider Always to Blame?

Many times, WordPress site owners who have had their websites hacked or breached in some way tend to blame the hosting company.

This is hardly ever true as hosting companies spend thousands of dollars every year to maintain and keep their servers secure.
If they didn’t, they wouldn’t be offering services.

WordPress websites get hacked due to inadequate security implementations and no WordPress administrative security knowledge.

Why WordPress Websites Get Hacked And How to Secure them?

Over the years, attackers have found ways to exploit WordPress and gain access, but these can be prevented if appropriate measures are taken.

These are some of the most common ways WordPress Websites are breached and how to solve them.
i) Using Cracked / Nulled Themes & Plugins
ii) Not updating PHP/ WordPress Version.
iii) Using Outdated Themes & Plugins
iv) Using FTP instead of SFTP or SSH
v) Using a Weak password & default Username
vi) No two-factor authentication
vii) No Activity logs

i) Using Cracked / Nulled Themes & Plugins

Nulled themes/plugins are the primary cause of WordPress sites getting hacked; using a nulled theme/plugin exposes your WordPress website to malicious scripts hidden in them.

To prevent your WordPress website from getting hacked, it is essential to only use and purchase themes/plugins from a marketplace like ThemeForest or directly from a developer’s store.To prevent your WordPress website from getting hacked, it is essential to only use and purchase themes/plugins from a marketplace like ThemeForest or directly from a developer’s store.

The nulled WordPress items provided for free on the internet will very often contain malicious code and backdoors, which can jeopardize not just your website but also an entire server.

To be super sure a WordPress theme or plugin isn’t infected with viruses and backdoors, you can run a VirusTotal Scan before uploading to your WordPress server.

ii) Not updating PHP / WordPress Version.

Using an outdated version of PHP or WordPress has the possibility of exposing your WordPress websites to security attacks.

As time goes by, every web technology is improved, and new versions are released; the same is true for WordPress and PHP.

There are older versions of WordPress currently vulnerable to a variety of known attacks, likewise PHP.

It is essential to update your website when a significant WordPress and PHP version is made available as they are built with better and improved security.

How To Update WordPress Version
Step 1: Backup Your WordPress Website
Step 2: Log in to DashBoard & Navigate to Updates Tab
Step 3: Click on the Update Button
Step 4: Wait For The New Version to be Downloaded & Installed

Step 1: Backup Your WordPress Website

Before you update your WordPress website, you should always create a backup just in case something goes wrong.

New versions of WordPress can break some plugins and themes that have not been updated to their standards, so you must have a backup to fall back on.

Some WordPress updates also might fail and leave your entire website stuck in maintenance mode, and a backup can help you resolve such issues without stress.

You can try updating your Website’s WordPress version in a staging environment and then pushing it to your live website after testing.

Step 2: Log in to DashBoard & Navigate to Updates Tab

Login to your WordPress Dashboard, and just under the Dashboard Tab (First Tab on the left navigation bar), select the Updates sub-tab.

Step 3: Click on the Update Button

Once the tab content loads, you should see your current WordPress version and if a new version is available.
If a new version is available, an update button will be visible, which triggers the update process.

Click on the Update Now button and wait for the process to complete (automatically).

Step 4: Wait For The New Version to be Downloaded & Installed

Once the Version update process is complete, you should be greeted with a welcome screen for the version, which gives you a breakdown of all new features.

To remain safe, you should update your Site’s WordPress version as regularly as possible. They always come with security patches and new security policies that help protect your WordPress website from unknown threats.

iii) Using Outdated Themes & Plugins

Every day, Websites like WPScan & ThreatPress report newly discovered vulnerabilities in WordPress Themes and plugins, after which developers of affected items fix and roll out an update to all their WordPress users.

Leaving your themes/plugins outdated for even an extra day after an update is made available could lead to a security breach.

The WordPress team introduced the plugin auto-update feature to combat this very security issue; enabling this feature or regularly updating all WordPress resources should keep your website protected from various cross-site and injection attacks.

It’s essential for running updates to be a part of your Website administrative tasks; it’s a route hackers take to gain illegal access to WordPress websites.

iv) Using FTP instead of SFTP or SSH

Connecting to your WordPress server using a pure FTP connection is a sure way to get hacked.

These days it’s straightforward for attackers to use standard FTP vulnerable techniques like sniffing, spoofing, and brute-forcing to breach your server.

FTP is not secure as it relies on clear-text usernames and passwords for authentication with no encryption of any sort.

It’s just like HTTP but for file transfer.

Once a hacker gains access with FTP, they can edit your WordPress files and add malicious code to grant them access to your WordPress website (backdoors) and possibly every other website on that server.

It is advisable to always opt-in for SFTP or SSH for file management purposes, as these are built secure and have no common vulnerabilities.

v) Using a Weak password & Default Username

Bruteforce attacks are widespread when it comes to what attackers will try to access your WordPress backend.

Using a weak password makes the chances of getting hacked exponentially higher.

Passwords related to your website (i.e., websitename2021) are easy to crack as Bruteforce technology has improved over the years with dictionaries of common passwords from millions of compromised websites.

Couple a weak password with the default WordPress username (admin), and the chances of getting hacked increases.

Not only should your Administrative account’s username be unique, but it should also be hidden from prying eyes.

Creating an extra author account for managing and publishing content works well to hide your admin username.

The best solution to this problem is having a strong password spanning several unique symbols, numbers, and words that do not relate to anything about you.

A security plugin like WP Limit Login Attempt can further increase how secure your site is when faced with brute-forcing attacks.

vi) No two-factor authentication

Two-factor authentication is a feature that keeps your WordPress website secure by adding an extra step to the login process.

Instead of the traditional username and password approach, you can add an Email or mobile number OTP (one-time password), which completely shut down anyone trying to gain illegal access.

Wordfence offers an excellent Two-factor Authentication for WordPress, which is easy to configure for use.

vii) No Activity logs

An activity log is an excellent way to keep track of what and who have gained access to your site; it keeps track of all actions taken on your WordPress website’s back end.
From New logins, file tempering to IP tracking.

It keeps a record of all the changes that occur on your website. With an activity log, you can be sure no one has gained access to your website apart from you or your staff.

This is an essential addition to WordPress security as it helps you track when and how attackers gain access if they ever do.

WP Activity Log has all the features you’d need to have a proper activity logging system in place for any WordPress website.

It also comes with a few advanced features like triggers that make detecting breaches easier.

4 Easy Steps You Can Take to Secure Any WordPress Website

i) Change Your Password
ii) Install WP Login Limit
iii) Enable Auto Update For all plugins
iv) Install & Configure WordFence

STEP 1: Change Your Password

The First thing you can do to secure any WordPress is changing from an easy password to something more complex.

A good password should include a string of random characters ranging from symbols, numbers to letters.

Make sure your password is nondescript and nondefinitive. You can also use the default WordPress password generator, which follows a secure password standard.

STEP 2: Install WP Login Limit

Steps on how to set wp login

Still on login protection, limiting login attempts is a good way to stop brute-force attacks for good.

The lesser Login attempts an attacker has, the harder it will be to crack through.

Navigate to the Plugins repo on your WordPress dashboard and search for WP LIMIT Login Attempt, then Install and activate the plugin.

After activating the plugin, it automatically limits login attempts on your WordPress site to 5 tries per IP address, which is more than enough for an admin to log in but way too small for an attacker to brute-force.

STEP 3: Enable Auto Update For all Plugins

This is the most crucial step on this list and, if avoided, will possibly leave your website vulnerable.

First, you have to make sure you are using WordPress 5.6 as the auto-update feature is only available on this version.

Navigate to your Installed plugins sub-tab under the Plugins tab.

You’ll see the option to enable/disable auto-update at the right side of every plugin for all listed plugins on the right side of every plugin.

Make sure you turn this on for all plugins to avoid using outdated plugins with possible vulnerabilities.

You can also save time by doing this using the Bulk Edit Option on your plugin page, simply highlight all plugins, select enable auto-update, and click apply.

If you have any Nulled / Cracked plugins, you should remove them immediately from your WordPress website(s).

Also, do not install plugins that have not been updated for over 7-8 months, as these have most likely been abandoned and will often have loopholes hackers can exploit.

It’s all about updating WordPress resources (Plugins & Themes) as often as possible; it plays a significant role in keeping WordPress Secure.

STEP 4: Install & Configure WordFence

No WordPress website is entirely secure without a full-fledged security plugin, there are many in the market right now, but none come close to what WordFence offers.

For this step, you’ll need to install the WordFence Security Plugin, which comes with a powerful WAF (Web Application Firewall) that filters script requests and prevents all forms of injection/cross-site attacks.

Navigate to the Plugin repo and search for Wordfence.

Once you find the plugin, click on the install button and activate it. You can also install WordFence Login Security as an alternative to the two-factor authentication & Login limit plugins we recommended in previous steps that offer both features and even more.

Activate the WordFence Plugin and follow the simple setup wizard, and after that, your WordPress website should be secure enough to survive waves of attacks without any breaches.

Why Do We Recommend WordFence?

Apart from the fact that WordFence is Free, it also offers many advanced security features that no other plugin can for free.

Some of the features WordFence include; a Web Application Firewall (WAF), WordPress EndPoints Protection, Integrated Malware Scanner, Brute Force Protection (Login Attempt Limiter), Themes/Plugin integrity Checker (Vulnerabilities & Authenticity), Security Threat Check & Notification, File Scanner, Two Factor Authentication, Bot protection (Captcha), IP Blacklisting, And Activity Logging (Monitor Visits & Hack Attempts).

It’s more like a full-fledged security suite that can implement a bulk of all security recommendations on any WordPress website in a couple of clicks.

You should install WordFence or another Full-fledged Security Plugin as this acts as a safety net for WordPress security.


This article has explained some common reasons why WordPress websites get hacked and how you can keep your WordPress websites secure.

We hope you found this guide informative and useful in improving your WordPress websites’ general security level.

As long as you take security seriously for all your WordPress websites and follow the tips in this guide, you can rest assured that attackers will hardly be able to breach your website backend.

Over here at VPSmalaysia, we take Server security very seriously and offer Servers optimized for WordPress security and performance with a 24/7 support team to help if you ever run into any issue.

Today, you can opt-in for one of our Web Hosting Plans and never worry about server security again while following this guide to keep your website safe from WordPress attackers.

If you have any questions about WordPress security, please do not hesitate to leave a comment below or contact our support team.