How to Improve WordPress Website Security Using Plugins

Posted on February 9th, 2025

WordPress is the most widely used platform for building websites, powering 43.2% of all sites on the internet. That popularity makes it a constant target: attackers scan for WordPress sites running outdated plugins and themes, weak or reused passwords, and missing hardening, because one working exploit applies to millions of installs. This doesn’t mean WordPress itself is unsafe. Most compromises come down to neglected maintenance and unaware users rather than flaws in the core software, so the time to secure your site is before problems arise.

In this article, we will explore simple ways to boost your WordPress security and protect your website from different online threats. We’ll cover helpful tips and methods that can be used with or without plugins. Some of these strategies can also work on other website platforms.

General Best Practices to Improve Website Security

In this part, we’ll cover six easy WordPress security tips that don’t need any advanced skills or big expenses. Even beginners can do these simple tasks, such as updating WordPress and deleting themes you no longer use.

Step 1: Update WordPress Version Regularly

WordPress regularly releases updates to improve site performance and security, helping protect your website from online threats.

Keeping your WordPress version up to date is one of the easiest ways to boost your site’s security. However, 35.3% of WordPress sites are still using older versions. Every security release publishes what it fixed, so an unpatched site is advertising exactly which known bugs it still has.

To check if you have the latest version, log in to your WordPress admin area and go to Dashboard → Updates in the left menu. If your version is outdated, it’s a good idea to update it right away.

We also suggest keeping the themes and plugins on your site current. In practice, outdated plugins and themes are a far more common entry point than WordPress core itself, and a plugin update often exists precisely because a vulnerability was reported in the previous version. Old themes and plugins can also break on a newer WordPress release.
To avoid running outdated software, enable automatic updates. If you’re using Interserver, you can do this from the hPanel dashboard.
Go to Websites → WordPress → Security, scroll down to the Automatic Updates section, and toggle on “Enable automatic updates” for WordPress core updates. Automatic updates occasionally break a site, so pair them with the backups described in Step 8 and check the site after major plugin releases.

You can also enable automatic updates for themes and plugins by clicking “Show advanced settings” and choosing “Yes” for both options.

Then, click Apply Settings.
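The same policy without a host control panel, as an added example (not from the article or from any hosting provider): a must-use plugin dropped into wp-content/mu-plugins/ that sets WordPress’s own auto-update switches. The constant and filter names are WordPress core’s; the plugin slugs in the allowlist are illustrative assumptions.

```php
<?php
/*
Plugin Name: Auto-update policy (example)
Description: Enables automatic updates using WordPress core's own switches.
*/

// Core updates: 'minor' is WordPress's default (security and maintenance releases only),
// true also installs major releases, false disables core auto-updates entirely.
// This constant is normally set in wp-config.php; defining it here works as long as
// wp-config.php does not already define it.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Themes: update everything automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Plugins: opt in per plugin rather than blanket-enabling, so a plugin whose updates
// you prefer to test first stays manual. Entries use WordPress's "folder/main-file.php"
// form; the two below are assumed examples, not a recommendation list.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	$always_update = array(
		'wordfence/wordfence.php',
		'limit-login-attempts-reloaded/limit-login-attempts-reloaded.php',
	);
	if ( isset( $item->plugin ) && in_array( $item->plugin, $always_update, true ) ) {
		return true;
	}
	return $update; // keep the per-plugin setting chosen on the Plugins screen for the rest
}, 10, 2 );
```

Replacing the allowlist with `add_filter( 'auto_update_plugin', '__return_true' );` updates every plugin automatically, which is the equivalent of the hPanel “Yes” toggle above.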

Step 2: Use Secure WP-Admin Login Credentials

A common mistake many users make is choosing easy-to-guess usernames like “admin,” “administrator,” or “test.” Attackers run automated brute-force and credential-stuffing tools against wp-login.php (and xmlrpc.php) using lists of common usernames and leaked passwords, and those defaults are at the top of every list. Keep in mind that a WordPress username is not really a secret: author archive pages and the REST API can reveal it, so the password is what actually has to hold. Avoiding the obvious defaults still keeps you out of the cheapest attacks, and a strong, unique password is essential.

If you want to create a new WordPress admin account with a different username, follow these steps:

  1. From your WordPress Dashboard, go to Users → Add New.
  2. Create a new user and set the role to Administrator.
  3. Choose a strong password and click the “Add New User” button when you’re finished.

Make sure your password includes numbers, symbols, and a mix of uppercase and lowercase letters, and aim for at least 12 characters. Length matters more than any single character class; a randomly generated password of 16 or more characters is the safe choice. Never reuse a password from another site, because credentials leaked in other breaches are replayed against WordPress logins.
A password manager such as 1Password can generate passwords like that and store them safely, so you don’t need to remember them.

Once you’ve created a new WordPress admin username, you’ll need to delete the old one. Here’s how:

  1. Log in using the new admin account.
  2. Go to Users → All Users.
  3. Find the old admin account you want to remove, tick it, choose “Delete” from the Bulk Actions dropdown menu, and click Apply. WordPress then asks what to do with that user’s content: choose “Attribute all content to” your new account, otherwise the posts and pages owned by the old admin are deleted along with it.

It’s also important to check which network you’re on before logging in. A rogue hotspot set up by an attacker, or an ordinary public Wi-Fi network in a library or café, lets someone on the same network intercept or tamper with your traffic. If your site is served over HTTPS (Step 5), your credentials are encrypted in transit, and a browser certificate warning is the sign that something is being intercepted; never click through one to log in. A VPN adds a further layer by encrypting everything between your device and the VPN endpoint, which also hides which sites you visit from the hotspot operator.

Step 3: Set Up Safelist and Blocklist for the Admin Page

Locking down the login URL protects it from unknown IP addresses and therefore from brute-force attempts. One way is a web application firewall (WAF) service in front of WordPress, such as Cloudflare or Sucuri. With Cloudflare, you can create a WAF rule that blocks requests to a chosen URL path unless the source IP is in a range you allow; anyone outside that range is stopped before the request reaches your server.

Sucuri offers a similar feature, the URL path blocklist: you add the login page URL to it, then create a safelist of trusted IP addresses that can still reach the page. Without a WAF, you can restrict access on the web server itself by editing the .htaccess file in your site’s root directory (this works on Apache; Nginx ignores .htaccess files). Back up the current .htaccess file before changing it, so you can restore it quickly if a typo locks you out or breaks the site.

By adding a rule to the .htaccess file, you can restrict wp-login.php to the IP addresses or ranges you list. Attackers anywhere else receive a 403 from the web server before WordPress even runs.

# Allow the login page only from listed addresses (Apache 2.2 syntax).
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses from the
# documentation ranges; replace them with your own address or CIDR range.
<Files "wp-login.php">
order deny,allow
deny from all
allow from 203.0.113.10
allow from 198.51.100.0/24
</Files>

# The same rule in Apache 2.4 syntax (mod_authz_core). Several Require lines
# inside <Files> are combined as "any", so each listed address is allowed and
# everything else gets 403. "Require all denied" on its own would lock out
# everyone, including you.
<Files "wp-login.php">
Require ip 203.0.113.10
Require ip 198.51.100.0/24
</Files>

Add this rule outside the # BEGIN WordPress and # END WordPress markers, for example above them. WordPress rewrites everything between those markers whenever permalink settings are saved, so a rule placed inside them is silently lost. Use only the block that matches your Apache version (apachectl -v shows it; most current hosts run 2.4). The 2.2 directives cause a 500 error on Apache 2.4 unless the mod_access_compat module is loaded, which is another reason to keep the backup handy.

This still helps if you don’t have a fixed IP address, because you can allow the address range your internet service provider (ISP) assigns you, in CIDR notation. Be aware that an ISP range can cover thousands of other customers, so it raises the bar rather than closing the door; a VPN with a fixed exit address gives you a single address to allow.

You can apply the same idea to other sensitive paths such as /wp-admin: place a second .htaccess file inside the wp-admin directory containing just the Require (or order/deny/allow) lines, without the <Files> wrapper, so they apply to the whole directory. Two caveats: many themes and plugins call wp-admin/admin-ajax.php for logged-out visitors, so add a <Files "admin-ajax.php"> section with Require all granted in that file or front-end features will break; and xmlrpc.php also accepts username/password logins, so either restrict it the same way or disable it if nothing (such as the Jetpack or mobile apps) needs it.

Step 4: Use Trusted WordPress Themes

Nulled WordPress themes are illegal copies of paid themes. While they might seem like a cheap option, they come with a lot of security risks. Most nulled themes are modified versions of the original themes. Hackers often add dangerous code, such as malware or spam links, and they can create backdoors for future attacks on your WordPress site.

Since nulled themes are unauthorized, you won’t get any support or updates from the developers. If something goes wrong, you’ll have to figure out how to fix it on your own. To stay safe, choose themes from the official WordPress repository or trusted developers, or buy premium themes through an established marketplace such as Envato’s ThemeForest. Whatever the source, download the theme only from the vendor and keep it updated, since a legitimate theme with a known vulnerability is not much safer than a nulled one.

Step 5: Install SSL Certificate

SSL/TLS (Secure Sockets Layer, long since replaced by Transport Layer Security, though “SSL certificate” is still the common name) encrypts the data exchanged between your site and its visitors, so nobody on the network path can read or alter it, login credentials included. Sites with a certificate serve HTTPS instead of HTTP, so they are easy to spot. Most hosting providers include certificates in their plans. For instance, Interserver gives free Let’s Encrypt certificates for the life of the plan on all its WordPress hosting plans. Users can check their SSL status by going to Websites → Security → SSL in the hPanel dashboard.

For those not using Interserver, plugins like Really Simple SSL or SSL Insecure Content Fixer handle the switch (rewriting http:// links in your content and redirecting HTTP requests to HTTPS) in a few clicks. The premium version of Really Simple SSL can also add an HTTP Strict Transport Security (HSTS) header, which tells browsers to use HTTPS for your domain on every future visit. Enable HSTS only once everything loads over HTTPS, and start with a short max-age: browsers remember the header, so a long max-age on a half-working HTTPS setup locks visitors out until it expires.

After setting up SSL, be sure to update your site’s URL from HTTP to HTTPS. Go to Settings → General and change the URLs in the WordPress Address and Site Address fields.
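As an added example, not code from the article or from Really Simple SSL, here is a minimal must-use plugin that does the two things described above, redirecting HTTP to HTTPS and sending an HSTS header, using only WordPress core functions. It assumes the web server itself terminates TLS; the comment at the end covers the reverse-proxy case. You can additionally put define( 'FORCE_SSL_ADMIN', true ); in wp-config.php so the dashboard and login refuse plain HTTP even if this redirect is removed.

```php
<?php
/*
Plugin Name: Force HTTPS and HSTS (example)
Description: Redirects plain-HTTP requests to HTTPS and sends a Strict-Transport-Security header.
*/

// 1. Redirect any plain-HTTP request to the same path over HTTPS. Hooked early on
//    init so nothing is served before the redirect.
add_action( 'init', function () {
	if ( is_ssl() || PHP_SAPI === 'cli' ) {
		return;
	}
	// Build the target from the configured home URL rather than the Host header,
	// so a forged Host header cannot turn this into an open redirect. Using the
	// host only (not the whole home URL) keeps subdirectory installs correct.
	$host   = wp_parse_url( home_url(), PHP_URL_HOST );
	$target = 'https://' . $host . ( $_SERVER['REQUEST_URI'] ?? '/' );
	wp_safe_redirect( $target, 301 );
	exit;
}, 1 );

// 2. Send HSTS only on HTTPS responses (browsers ignore it over HTTP anyway).
//    max-age=300 is deliberately short for the rollout period; raise it to
//    31536000 and add "; includeSubDomains" once every page, asset and subdomain
//    is confirmed to load over HTTPS, because browsers cache the policy.
add_action( 'send_headers', function () {
	if ( is_ssl() ) {
		header( 'Strict-Transport-Security: max-age=300' );
	}
} );

// 3. Behind a CDN or reverse proxy that terminates TLS, is_ssl() sees a plain-HTTP
//    connection and step 1 would redirect in a loop. In that setup add to
//    wp-config.php, before WordPress loads its settings:
//
//      if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
//          $_SERVER['HTTPS'] = 'on';
//      }
//
//    and only if the proxy overwrites that header on requests from clients;
//    otherwise any visitor can set it and bypass the redirect.
```

wp_safe_redirect() refuses targets whose host is not the site’s own (or in the allowed_redirect_hosts filter), which is a second guard on top of building the target from home_url().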

Step 6: Remove Unused WordPress Plugins and Themes

Leaving unused plugins and themes on your site is risky even when they are deactivated: their files remain on disk, and a vulnerability in a deactivated plugin or theme can sometimes still be reached by requesting its PHP files directly. Outdated plugins and themes are the most common way sites get broken into, so remove what you don’t use rather than just switching it off.

Here’s how to remove an unused WordPress plugin:

  1. Go to Plugins → Installed Plugins.
  2. If the plugin is active, click “Deactivate” under its name first; WordPress only offers “Delete” for inactive plugins.
  3. Click “Delete” under the plugin’s name and confirm.

To delete an unused theme, follow these steps:

  1. From your WordPress admin dashboard, go to Appearance → Themes.
  2. Click on the theme you want to remove.
  3. A window will pop up showing the theme details. Click the “Delete” button at the bottom-right.

If you’re using Interserver, you can manage your plugins and themes from the hPanel dashboard.

How to Utilize WordPress Security Plugins

Another way to boost WordPress security is by using plugins. While plugins are an easy way to protect your site, be careful not to install too many. Every plugin is code that runs with full access to your site and must itself be kept updated, so each one is both a performance cost and additional attack surface. Start by figuring out what your site needs, then choose a few well-maintained plugins (recently updated, large install base, responsive developers) that cover those needs.

Step 7: Enable Two-Factor Authentication for WP-Admin

Enable two-factor authentication (2FA) to make the login process on your WordPress site more secure. This adds an extra layer of protection by requiring a one-time code in addition to your password, so a stolen or guessed password alone is not enough. The code comes from an authenticator app on your phone or via text message; prefer the app, since SMS codes can be intercepted through SIM swapping.

To set up 2FA on your WordPress site, install a login security plugin like Wordfence Login Security. You’ll also need to download an authentication app, such as Google Authenticator, on your phone. After installing the plugin and authentication app, follow these steps to set up two-factor authentication:

  1. Go to the plugin page in your WordPress admin. For Wordfence Login Security, click on the Login Security option in the left menu.
  2. Open the Two-Factor Authentication tab.
  3. Use the app on your phone to scan the QR code or manually enter the activation key.
  4. Enter the code generated by the app in the field under the recovery codes section.
  5. Click the ACTIVATE button to finish the setup.

Make sure to download the recovery codes provided, just in case you lose access to the device with the authentication app.

Step 8: Back Up WordPress Regularly

Creating regular backups of your WordPress site is important because they let you recover from a compromise, a bad update, or damage to your hosting server. A complete backup has two parts: the files (wp-content with your uploads, themes and plugins, plus wp-config.php) and the database, which holds your posts, settings and users. Keep several generations, store them off the server, and test a restore occasionally so you know the backup actually works.

To back up your site using a plugin like All-in-One WP Migration, follow these steps:

  1. Go to the All-in-One WP Migration menu in the left sidebar.
  2. Click on Backups.
  3. Click on Create Backup.
  4. Once the backup is made, it will appear in the list on the Backups page.
  5. To save the backup, go to All-in-One WP Migration → Export.
  6. In the EXPORT TO drop-down menu, select File. This will start generating the backup file.
  7. Once the process is finished, click the download link and save the backup to a safe location. Make sure to save it somewhere other than your website’s server, as backups on the server can be accessed by attackers.

If something happens, you can restore your site using All-in-One WP Migration’s import tool. Note that a backup taken after a compromise may already contain the attacker’s files, which is why older generations matter; scan a backup before restoring it. If you’re on the WordPress Business hosting plan or higher, automatic daily backups are included.

Step 9: Limit Login Attempts

WordPress itself doesn’t limit login attempts, so an attacker can submit as many guesses as they like. Automated tools try thousands of username and password combinations until one works. Limiting failed attempts per IP address (and per username) slows such attacks to a crawl and makes them visible, so you can spot and block the source.

Most users only need one or two attempts to log in, so if an IP address hits the limit, it’s worth investigating. You can limit login attempts by using a plugin. Some good options are:

  • Limit Login Attempts Reloaded – lets you set a limit on failed attempts, blocks or safelists IP addresses, and notifies users about the lockout time.
  • Loginizer – adds extra security features like 2FA, reCAPTCHA, and challenge questions during login.
  • Limit Attempts by BestWebSoft – automatically blocks IPs that exceed the login attempt limit and adds them to a deny list.

Limiting login attempts can occasionally lock out a legitimate user; all three plugins let an administrator clear a lockout, and you can safelist your own address. Two things to check: if your site sits behind a CDN or reverse proxy, make sure the plugin (or the server) sees the real visitor address, otherwise every failure is counted against the proxy’s IP and everyone is locked out together; and attackers who spread attempts across many addresses stay under a per-IP limit, so pair this with a strong password and 2FA rather than relying on it alone.
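To show what these plugins do under the hood, here is an added example (not code from any of the plugins above, nor from the article) of a must-use plugin that locks an IP address out after a fixed number of failed logins, using only WordPress core hooks and transients. The limits, the transient key prefix and the log message format are assumptions.

```php
<?php
/*
Plugin Name: Limit login attempts (example)
Description: Per-IP lockout after repeated failed logins.
*/

const LLA_MAX_FAILURES    = 5;                      // failures before lockout
const LLA_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS; // lifetime of the counter and the lockout

// The address the web server saw. Behind a CDN or reverse proxy this is the proxy's
// address: restore the real client IP at the server or wp-config level from the
// proxy's header first, and never trust X-Forwarded-For sent by arbitrary clients.
function lla_client_ip(): string {
	return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lla_transient_key( string $ip ): string {
	return 'lla_fail_' . md5( $ip );
}

// Priority 30 runs after core's username/password check (priority 20), so a locked-out
// address is refused even when the password in this attempt happens to be correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$failures = (int) get_transient( lla_transient_key( lla_client_ip() ) );
	if ( $failures >= LLA_MAX_FAILURES ) {
		return new WP_Error(
			'too_many_attempts',
			sprintf( 'Too many failed logins. Try again in %d minutes.', LLA_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
		);
	}
	return $user;
}, 30, 3 );

// wp_login_failed fires for wp-login.php and xmlrpc.php alike, so both paths are counted.
// It also fires when the filter above rejects a locked-out attempt, which extends the
// lockout for as long as the attacker keeps trying.
add_action( 'wp_login_failed', function ( $username ) {
	$key      = lla_transient_key( lla_client_ip() );
	$failures = (int) get_transient( $key ) + 1;
	set_transient( $key, $failures, LLA_LOCKOUT_SECONDS );
	if ( LLA_MAX_FAILURES === $failures ) {
		// One line per lockout in the PHP error log is enough to spot a campaign.
		error_log( sprintf( 'WordPress login lockout: ip=%s last_username=%s', lla_client_ip(), $username ) );
	}
} );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( lla_transient_key( lla_client_ip() ) );
}, 10, 2 );
```

Counting by REMOTE_ADDR means users behind the same NAT share one bucket, which is the source of the occasional false lockout mentioned above; a real plugin also keys on the username and exempts safelisted addresses.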

Step 10: Change the WordPress Login Page URL

To make brute-force attacks harder, consider changing the login page URL. By default, every WordPress site uses the same login page, yourdomain.com/wp-login.php (yourdomain.com/wp-admin redirects there when you aren’t logged in), so attackers’ tools know exactly where to send their guesses. Plugins like WPS Hide Login and Change wp-admin Login allow you to set a custom login URL instead. Treat this as a way to cut automated noise rather than as real protection: the URL is obscurity, not authentication, and unless the plugin also covers them, xmlrpc.php and REST API application passwords still accept username/password logins at their usual locations.

If you’re using the WPS Hide Login plugin, here’s how to change your login page URL:

  1. From your dashboard, go to Settings → WPS Hide Login.
  2. In the Login URL field, enter your new custom login URL.
  3. Click the Save Changes button to complete the process.

Step 11: Log Idle Users Out Automatically

Many people forget to log out of websites, leaving their sessions open. This can allow others using the same device to access their accounts and potentially misuse sensitive information, especially on public computers like those in libraries or internet cafes. To prevent this, it’s important to set up your WordPress site to automatically log out users who have been inactive for a while. This is a common security feature used by banking sites to protect user data from unauthorized access.

A simple way to do this is by using a WordPress plugin like Inactive Logout. This plugin automatically logs out inactive users and can even send a warning message to let them know their session is about to end.
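As an added example (not code from the Inactive Logout plugin or from the article), here is a must-use plugin that ends sessions idle for more than 15 minutes on the server side and shortens the login cookie lifetime. The timeout, the user-meta key and the redirect query parameter are assumptions.

```php
<?php
/*
Plugin Name: Idle session logout (example)
Description: Logs users out after a period of inactivity and shortens auth cookie lifetimes.
*/

const IDLE_TIMEOUT_SECONDS = 15 * MINUTE_IN_SECONDS;
const IDLE_META_KEY        = '_example_last_activity';

// Every request from a logged-in user refreshes a last-activity timestamp. If the
// previous one is older than the timeout, the session is ended before anything renders.
add_action( 'init', function () {
	if ( ! is_user_logged_in() ) {
		return;
	}
	$user_id = get_current_user_id();
	$last    = (int) get_user_meta( $user_id, IDLE_META_KEY, true );
	$now     = time();

	if ( $last > 0 && ( $now - $last ) > IDLE_TIMEOUT_SECONDS ) {
		wp_logout(); // invalidates the current session token and clears the auth cookies
		wp_safe_redirect( add_query_arg( 'reason', 'idle', wp_login_url() ) );
		exit;
	}
	update_user_meta( $user_id, IDLE_META_KEY, $now );
} );

// Reset the timestamp on login. Without this, a stale value left by a session that
// ended hours ago would log the user straight out again on their first request.
add_action( 'wp_login', function ( $user_login, $user ) {
	update_user_meta( $user->ID, IDLE_META_KEY, time() );
}, 10, 2 );

// Cap how long the auth cookie lives even if the idle check never fires (for example,
// the laptop is closed). WordPress defaults are 2 days, or 14 days with "Remember Me".
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
	return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}, 10, 3 );
```

Two limits worth knowing: the timestamp is per user, not per session, so an active session keeps a second session of the same account alive; and the dashboard’s Heartbeat requests count as activity, so an open admin tab never goes idle. A plugin like Inactive Logout adds browser-side JavaScript to detect real inactivity and show the warning; the server-side check above is the part that cannot be bypassed by a client.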

Step 12: Monitor User Activity

To keep your website safe, it’s important to track activities in your WordPress admin area. This is especially useful if you have multiple users or authors on your site, as they may change settings they shouldn’t, like altering themes or plugins. By monitoring these activities, you can see who made certain changes and if any unauthorized person has accessed your site.

One of the easiest ways to track activity is by using a plugin, such as:

  • WP Activity Log – tracks changes in various areas, including posts, pages, themes, and plugins. It also records when files are added, deleted, or modified.
  • Activity Log – monitors actions in the WordPress admin panel and allows you to set up email notifications for specific activities.
  • Simple History – records activities in the WordPress admin and works with third-party plugins like Jetpack, WP Crontrol, and Beaver Builder to log any actions related to them.
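Added example, not code from the article or from any of the plugins listed: a must-use plugin that writes one JSON line per security-relevant event using core WordPress hooks. It shows which events are worth recording and which hook carries each one. The log file path is an assumption; it must be outside the web root and writable by the web server user.

```php
<?php
/*
Plugin Name: Minimal audit log (example)
Description: Appends security-relevant admin events as JSON lines to a file outside the web root.
*/

const AUDIT_LOG_PATH = '/var/log/wordpress/audit.log'; // assumed path; create it with web-server write access

function audit_log_write( string $event, array $data = array() ): void {
	$current = wp_get_current_user(); // user ID 0 with an empty login when nobody is logged in
	$record  = array_merge(
		array(
			'ts'    => gmdate( 'c' ),
			'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
			'actor' => $current->user_login ?: '-',
			'event' => $event,
		),
		$data
	);
	// LOCK_EX keeps concurrent requests from interleaving partial lines.
	file_put_contents( AUDIT_LOG_PATH, wp_json_encode( $record ) . PHP_EOL, FILE_APPEND | LOCK_EX );
}

// Authentication: wp_login fires after the cookie is set, so the login is passed explicitly
// rather than read from the current-user global, which may not be populated yet.
add_action( 'wp_login', function ( $user_login, $user ) {
	audit_log_write( 'login', array( 'user' => $user_login ) );
}, 10, 2 );
add_action( 'wp_login_failed', function ( $username ) {
	audit_log_write( 'login_failed', array( 'user' => $username ) );
} );

// Code changes: which plugins are active and which theme runs decide what PHP executes.
add_action( 'activated_plugin', function ( $plugin ) {
	audit_log_write( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
	audit_log_write( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );
add_action( 'switch_theme', function ( $new_name ) {
	audit_log_write( 'theme_switched', array( 'theme' => $new_name ) );
} );

// Account changes: a new administrator or a role escalation is the classic persistence move.
add_action( 'user_register', function ( $user_id ) {
	audit_log_write( 'user_created', array( 'target_user' => $user_id ) );
} );
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
	audit_log_write( 'role_changed', array( 'target_user' => $user_id, 'role' => $role, 'old_roles' => $old_roles ) );
}, 10, 3 );
add_action( 'deleted_user', function ( $user_id ) {
	audit_log_write( 'user_deleted', array( 'target_user' => $user_id ) );
} );
```

Writing to a file the web server can append to but WordPress cannot read back through any page keeps the trail out of reach of an attacker who only has dashboard access; shipping those lines to a log server or SIEM protects them from someone who also gets file access.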

Step 13: Check for Malware

The AV-TEST Institute tracks over 450,000 new malware and potentially unwanted applications (PUA) daily. Some malware is polymorphic, meaning it changes itself to evade signature-based detection. This is why regular scanning matters, and why it should be paired with file integrity checks: comparing your WordPress core, plugin and theme files against the official copies (Wordfence and Sucuri do this; WP-CLI’s wp core verify-checksums does it for core) makes a modified or added PHP file stand out even when no signature matches it.

Luckily, there are many effective WordPress malware scanner plugins available to help protect your site. Here are some recommended security plugins:

  • Wordfence – a well-known WordPress security plugin that scans files against current malware signatures, compares core, plugin and theme files with the official versions, and alerts you if your site is blocklisted for suspicious activity.
  • BulletProof Security – adds features like automatic logout for inactive users, hidden plugin folders, and tools for database backup and recovery.
  • Sucuri Security – a well-known security plugin offering remote malware scanning, file integrity monitoring, blocklist status monitoring, and a checklist of post-hack actions such as resetting passwords and secret keys.

Conclusion

Cyberattacks can happen in many ways, from malware infections to DDoS attacks. WordPress websites are often targeted because of how widely used the platform is. Because of this, it’s important for WordPress site owners to understand how to protect their sites. Securing your WordPress site is not something you do just once. It requires ongoing attention because cyber threats are always changing. While risks will always exist, you can take steps to reduce them by following WordPress security practices.

We hope this guide has helped you realize the importance of securing your WordPress site and how to take action. If you have any questions or additional security tips, feel free to leave a comment!
