How To Make Your WordPress Website Secure

In this article you will learn how to make your WordPress website secure and safe from hackers, malware or viruses.

As a blogger, security of your blog is of utmost important to you.

But still many bloggers failed to take corrective measures to ensure that their blog is safe from hackers or viruses.

Many bloggers think that now that their blog has SSL certificate nothing more is required to be done.

If you are among them, beware, your blog is as much vulnerable to security threats as a blog without SSL certificate.

Let's see why security of your blog is important and what you can do make your blog or website safe from hackers, viruses or malware.

Why security of your website is important?

You must ensure security of your website from the day it became live on internet. Let's see some of the reasons why it is important to secure your website-

  • To protect your website from hackers and prevent them from stealing important information such as credit card details or any other bank account information.
  • To protect your website from viruses and malware. Once affected by these it will be very difficult to recover it. Even if it is possible to recover you may have to pay huge amount of money.
  • To protect users from phishing emails that can be sent using the website.
  • If your website has an SSL certificate and opens with HTTPS they your website may rank higher in the search engines in comparison to your competitor sites which does not have SSL certificate.

How To Make Your WordPress Website Secure

Let's see some important tips that can make your website secure.

1. Update your WordPress website

WordPress regularly releases new updates adding new features as well as fixes to bugs and vulnerabilities. So, make it a habit to update WordPress to its latest version whenever an update is available.

Also, make sure that plugins you are installing are compatible to the latest WordPress version. Don't use plugins which are not compatible to the WordPress version you are using.

See an example below.

Compatible plugins

Check compatibility of plugins before installing

Like WordPress, plugin developers also releases new updates to a plugin providing new features or fixes to bugs and vulnerabilities. So, always update your plugins as soon as an update is available. 


Before updating plugins always check if any WordPress update is available. If it is available, update WordPress first. After completion of WordPress update, now you can update your plugins.

2. Take backup of your Website

Before updating your website to latest version of WordPress make sure to take a backup of your site in case something goes wrong. If an update goes wrong and if you have a backup you can always go back to restore your website.

You can use plugin like UpdraftPlus to backup your website. I also use this plugin for my blog. You can schedule UpdraftPlus to take backup of your website daily, weekly or monthly. It also has an option to store your backup to cloud or third party sites like Dropbox, Google Drive, etc.

Other alternatives of UpdraftPlus are BackupBuddy or VaultPress.

Webhosting companies like a2hosting also perform backup of your website automatically. In case anything goes wrong and your website is not functioning normally you can always restore your website by using your working version of your website from backup files.

3. Add SSL certificate to your website

An SSL certificate makes your website secure by encrypting the information shared between your user's browser and your server.

Thus, if your website accepts payments from your users via credit card, net banking or any other type of information such as bank account details, user id, email or password then an SSL certificate helps to encrypt these information which makes it difficult for a hacker to steal.

If your website doesn't have a SSL certificate installed then when a user visits your site in Google Chrome it will say that your site is insecure.

Thus, to build trust among your users you must install the SSL certificate in your site.

After adding SSL certificate to your website a padlock sign is added just before your site address in a web browser like Chrome.

Also, now your blog or website will open with HTTPS instead of HTTP. For example, https://technicalwall.com.

Many hosting companies like Bluehost, a2hosting provides free SSL certificate to their users. I am using a2hosting.com for this blog and my blog already has an SSL certificate installed. If your current host doesn't provide this certificate then you can consider moving to Bluehost or a2hosting.

Or, you can also install free SSL certificate yourself in your blog. This certificate is provided by Let's Encrypt.

To know how to install free SSL certificate yourself read one of our article-

How to create free SSL certificate?

4. Create strong password

Don't use simple words like name of any person, city or place. Always use combination of special characters (like @, *, /, !), numbers and letters.

Ideal password length should be between 8 to 12 characters. Don't store your password online as it get leaked.

Also use 2-factor authentication for login. For example, I use always use 2-factor authentication for each of my websites.

5. Install security plugins for your WordPress website

To prevent hacking attempts on your site you can use the following security plugins-

  • Wordfence
  • Sucuri
  • iThemes Security
  • Bulletproof Security

These security plugins addresses the security vulnerabilities that are inherent in each platform. It will foil any additional types of hacking attempts that could threaten your website.

6. Secure the .htaccess file from unauthorized access

Users can have unauthorized access to your .htaccess file and they must be stopped from misusing it. To do this we just need to add a security code to this file. 

To perform this step, login to Cpanel and open File Manager.

File Manager

File Manager in a2hosting cPanel

When you open the File Manager it may be possible that you are not seeing any .htaccess file under public_html directory.

Sometimes it is kept hidden for security purposes. If you want to see the hidden files, in the File Manager, select Setting at the top right and select the check box to enable Show Hidden Files (dotfiles).

Enable hidden files in File Manager

Enable hidden files in File Manager

After enabling this option, now you can see the .htaccess file in public_html folder.

.htaccess file

.htaccess file

Now select the .htaccess file and select Edit. Now add the following code before #End WordPress and click on SaveChanges.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

Adding security code in htaccess file

Adding security code in htaccess file

The above code will restrict any unauthorized access to your .htaccess file.


I hope that you liked the above mentioned tips. Follow all the tips to make your website secure.

If I have missed any important tips on securing a website please comment below.

This page uses affiliate links. When you click an affiliate link and make a purchase, we get a small compensation at no cost to you. See our Privacy Policy and Disclaimer for more info.

  • Hi Mamta, great article.
    Well I do know some of these tips but regarding securing .htaccess is new to me. I will definitely add it to my to-do list.
    Thanks for this informative article

  • >
    Share via
    Copy link
    Powered by Social Snap