WordPress is the most popular content management system (CMS), powering more than 30% of all websites. However, as it has become more widespread, hackers have taken notice and are starting to target WordPress websites. Regardless of what type of content your website offers, you are no exception. If you do not take certain precautions, you could get hacked. Like everything else that has to do with technology, you need to check the security of your website.
In this tutorial, we will give you our top 10 tips to keep your WordPress website secure.

1. Choose a good hosting company

The easiest way to protect your website is to choose a hosting provider that offers multiple layers of security.
It may seem tempting to opt for a cheap hosting provider because if you save money on hosting your website, you can spend it elsewhere in your business. However, don’t be tempted to go this route. This can and often will lead to nightmares. Your data could be completely deleted, and your URL could be redirected to another location.
If you pay a little more for a quality hosting company, your website will automatically come with extra layers of security. Another benefit: with good WordPress hosting, you can speed up your WordPress website considerably.
While there are many hosting companies out there, we recommend WPEngine. They offer many security features, including daily malware scans and access to support 24/7, 365 days a year. And as icing on the cake, the price is reasonable as well.

2. Do not use nulled themes

WordPress premium themes look more professional and have more customizable options than free themes. But you could argue that you get what you pay for. Premium themes are programmed by highly skilled developers and tested to pass multiple WordPress tests right out of the box. There are no restrictions on how you can customize your theme, and you get comprehensive support if something goes wrong on your site. Most importantly, you get regular theme updates.
However, some websites offer fake or cracked themes. A fake or cracked theme is a hacked version of a premium theme that is available through illegal means. They are also very dangerous for your website. These themes contain hidden malicious codes that can destroy your website and database or log your administrator credentials.
Even though it might be tempting to save a few bucks, you should always avoid nulled themes.

3. Install a WordPress security plugin

It’s time-consuming to regularly check your site’s security for malware, and if you do not regularly update your knowledge of programming practices, you may not even notice that you are looking at malware written into the code. Fortunately, others have realized that not everyone is a developer, and have developed WordPress security plugins to help. A security plugin takes care of your site’s security, scanning for malware and monitoring your site 24/7 to regularly check what’s happening on your site.
Sucuri.net is an excellent WordPress security plugin. It offers security activity checking, file integrity monitoring, remote malware scanning, blacklist monitoring, effective security hardening, post-hack security measures, security notifications, and even a website firewall (at an extra cost)

4. Use a strong password

Passwords are a very important part of website security and unfortunately are often overlooked. If you use a simple password, such as “123456, abc123, password”, you need to change your password immediately. While this password is easy to remember, it is also very easy to guess. An advanced user can easily crack your password and gain access withoutmuch effort.

It is important that you use a complex password, or better yet, one that is automatically generated and contains a variety of numbers, nonsensical letter combinations and special characters like % or ^.

5. Disable file editing

When you set up your WordPress website, there is a code editor feature in your dashboard that allows you to edit your theme and plugin. You can access it by going to Appearance > Editor. Another way to find the plugin editor is to go to Plugins > Editor.
Once your website is live, we recommend that you disable this feature. If hackers gain access to your WordPress admin area, they can insert subtle, malicious code into your theme and plugin. Often, the code is so inconspicuous that you will not notice it until it’s too late.
To disable the ability to edit plugins and the theme file, simply add the following code to your wp-config.php file.

6. Install SSL certificate

Nowadays, Single Sockets Layer, SSL, is beneficial for all types of websites. Originally, SSL was needed to make a website secure for certain transactions, like processing payments. Today, however, Google has recognized its importance and gives websites with an SSL certificate a weightier place in its search results.
SSL is mandatory for all websites that process sensitive information, such as passwords or credit card data. Without an SSL certificate, all data is transferred between the user’s web browser and your web server in clear text. This can be read by hackers. When using an SSL certificate, the sensitive data is encrypted before it is transferred between the browser and your server, making it harder to read and making your website more secure.
For websites that accept sensitive information, the average SSL price is $70 to $199 per year. If you do not accept confidential information, you do not need to pay for an SSL certificate. Almost every hosting company offers a free Let us Encrypt SSL certificate that you can install on your website.

7. Change your WP login URL

By default, the address for logging into WordPress is “yoursite.com/wp-admin”. If you leave this address as default, you can be a target of a brute force attack to crack your username/password combination. If you allow users to register for subscription accounts, you may also get a lot of spam registrations. To prevent this, you can change the administrator login URL or add a security question on the registration and login page.
Pro-Tip: You can protect your login page even better by adding a 2-factor authentication plugin to your WordPress. When you try to log in, you’ll also need to authenticate to gain access to your site – for example, with your password and an email (or text). This is an advanced security feature that prevents hackers from accessing your website.
Pro Tip 2: You can also check which IPs have the most failed login attempts, and then block those IP addresses.

8. Limit login attempts

By default, WordPress allows its users to log in as many times as they want. While this may be helpful if you often forget which letters are capitalised, it also opens you up to brute-force attacks.
By limiting the number of login attempts, users can make a limited number of attempts until they are temporarily blocked. This reduces the chance of a brute force attack because the hacker is locked out before he can finish his attack.
You can easily enable this with a WordPress plugin to limit login attempts. After you install the plugin, you can change the number of login attempts via Settings > Login Limit Attempts. If you want to enable login attempts without a plugin, you can do that as well. You can find the full instructions here.

9. Hide Wp-config.php and .htaccess files

While this is an advanced process to improve your website’s security, if you are serious about security, it is a good practice to hide your website’s .htaccess and wp-config.php files to prevent hackers from accessing them.
We strongly recommend that this option is implemented by experienced developers, as it is essential to back up your website first and then proceed with caution. Any mistake can make your website inaccessible.
To hide the files after the backup, you need to do two things:
First, add the following code to the wp-config.php file,
order allow, deny deny from all
Similarly, add the following code to your .htaccess file,
order allow, deny deny from all
Although the process itself is very simple, you must make a backup copy before you start, just in case something goes wrong in the process.

10. Update your WordPress version

To ensure the security of your website, it is advisable to keep your WordPress up to date. Every time you update, the developers make some changes, often including updates to security features. By keeping your site up to date, you protect yourself from becoming a target for already identified loopholes and exploits that hackers can use to gain access to your website.
For the same reasons, it’s also important to update your plugins and themes.
By default, WordPress downloads minor updates automatically. However, you need to perform major updates directly from your WordPress admin dashboard.