9 Advanced security tips for your WordPress site

WordPress is the basis of more than 34% of all sites on the internet. That is why CMS is often the target of malicious agents, who can end up damaging and erasing entire projects. In today’s content, you will learn 9 practical WordPress Security actions to fortify and protect your website from any attempt at unwanted attacks and problems arising from it.

1. Keep Your WordPress Updated

It may seem trivial, but the first step is also one of the most important: always update the version of WordPress you are using. 

Make sure you have the most recent one, as the tool will also have resources better prepared to face any type of threat on the web. 

2. Use Creative Login and Password Credentials

Note what type of username and password you are using to log in to your WordPress website’s control panel. 

Know that if you are using something simple like admin for the user and 123456 for the password, you are at great risk of intrusion.

It is recommended that you change the administrator name and password to access the account. If you want, you can also create a new Admin, with a new username and password. And, with that, delete the old user.

To do this, follow the steps below:

  • Navigate to Users >> Add New 
  • Create a new user ( username ) and set the permission in the field Role (Paper) Administrator ( Administrator ). 
  • Then click Add New User (Add New User).
  • Log in to WordPress with the new username.
  • Return to the Users section and delete the old Admin.

As for passwords, make a combination of numbers, letters and special characters that make sense to you. The important thing is that it be variants in uppercase and lowercase letters, to reinforce security. 

3. Use Two Factor Authentication (A2F)

Two-factor authentication technology is an extra layer of security to log in to any page. With WordPress, it’s no different. 

All you need is a login and password, plus a verification application installed on your smartphone and a WordPress plugin. 

In the CMS control panel, go to Plugins >> Add New >> Google Authenticator . After you install and activate the plugin, go to Settings (Settings) and complete the 2PA enabling each user ( Use r) you have. 

If you prefer, you can also use the Wordfence Security plugin , QR Code Authenticator or WordPress 2SV .

4. Disable PHP Error Reporting

A PHP error report is useful if you are developing your own website manually. 

It is with him that you know that everything is working perfectly or something is not right in the development script (or in any part of the page programming).

It is not recommended to leave this report in front of other users, as they can take advantage of loopholes to try to break into your system. You can disable the error reporting yourself through the WordPress control panel.

If this is not possible, you can also do it through the File Manager of your hosting. There, find the config.php file . And then, edit the wp-config.php file . Use the code below (copy and paste into that folder) to turn off the report.

5. Do not use pirated themes or plugins

WordPress has a huge library of themes and plugins for you to use. So, it makes no sense to install themes and plugins of dubious origin. 

The tip here is to always avoid any manufacturer or developer that looks suspicious and circumvent any pirate function.

The danger lies in the fact that you can download pirated themes and plugins from anywhere on the web. 

But what can go unnoticed is that they can be infected with malware or hidden malicious links. And this is extremely dangerous for WordPress security.

6. Make Backups Frequently

Backing up regularly is a way for you to always have a backup and secure copy of your website. 

In the daily usability of WordPress, problems such as bugs in plugins, themes and malicious attacks can happen at any time. So, it is useful to have a secured backup. 

To create backups in WordPress, you can count on the help of two plugins:

  • VaultPress
  • BackUpWordPress

If you prefer, you can make a backup manually. For that, it is necessary to download WordPress files and export its database. In addition, you can use the backup tool of your website hosting service. 

7. Disable File Editing

WordPress has a built-in file editing feature, which makes it easier for the user to manage the site. But, along with the function, malicious agents can invade that system and lose everything. 

You can make the File Editor (File Editor) is inaccessible for any foreign user. All you have to do is insert the line of code below into the wp-config.php file .

8. Use Anti-Malware Systems

As a way to improve WordPress protection, it is always recommended to use an anti-malware system.

For that, the suggestion is to install plugins like Wordfence , which scans and makes a complete analysis of all connections that enter and leave your site.

The differential of Wordfence is that it has options for manual and automatic scans.

In addition to having several configurations for each particular case of digital infection, such as removing modified and problematic files. Outside that the plugin is free.

Other alternatives to anti-malware plugins are:

  • Sucuri Security . Protects your website from DOS attacks. It also creates a list of dangerous emails and connections, blocking access and scanning your website for malware. If something malicious is detected, you receive an email message and instructions on what to do next.  
  • BulletProof Security . It offers an additional firewall, in addition to database security. It does not offer an anti-malware system by scanning like the previous ones; on the other hand, the highlight is the easy configuration with just a few clicks. 

9. Use WordPress Security Plugins

Plugins are the most practical and quick way to add new features to a WordPress site. In terms of security, it is no different. Below are 3 suggestions for WordPress security plugins to protect your project online.

All In One WP Security & Firewall

The All In One WP Security & Firewall adds extra protection and a unique firewall for your site. It checks the page for vulnerabilities and measures, through a rating system, the security level of a website. 

Other features are:

  • Detects if any user has the name defined as “admin”, automatically changing it to a name of the user’s preference.
  • Identifies similar or equal user names, alerting to the need to change to a more appropriate and more secure name.
  • It has a password strengthening tool, to help the user to create more complex accesses.
  • Monitors incoming and outgoing connections to the site, allowing certain IP numbers to be allowed or blocked from accessing it.

RapID Secure Login

The Rapid Secure Login is a plugin alternative two – factor authentication. With it, it is possible to apply a new layer of protection with an extra password and a user access authorization code.

Other highlights are:

  • Setup and use it in a few minutes with a QR code scan.
  • It does not depend on SMS messages, susceptible to interception, to send security codes.
  • It allows you to use an additional device, such as smartphones and tablets, for backups.
  • Uses advanced 2048-bit encryption, widely used by government websites and large corporations. 

iThemes Security

The iTheme Security specializes in WordPress block any attempt to access suspects. It looks for vulnerabilities in the system, prevents continuous invasion attempts, and has its own system to reinforce extra logins and passwords. 

Other differentials are:

  • Schedules automatic scans every day for malware and security holes.
  • It has Two Factor Authentication (A2F), configured with codes from apps like Google Authenticator and Authy.
  • Function to generate strong and valid passwords, forcing the user to always create more complex combinations.
  • It has Google reCAPTCHA (protection against spammers) and the definition of temporary privileges for certain types of users and administrators.


Although there is no 100% secure system, you can always work to protect your project online. With the WordPress security tips shown above, it is possible to have a website shielded from any type of attack or malicious agent. Success on your internet journey!