No matter what CMS you use for your website, security should be a top priority. However, if you are using WordPress, security should be an even higher priority.

In general, WordPress is a secure content management system, but because it is open source, it is vulnerable to various critical vulnerabilities. Fortunately, you can easily achieve WordPress security by taking the right steps.

This post covers the complete steps you need to take to secure your WordPress site.

1. Backup Regularly Your WordPress Website

No one is completely safe from hacking on the internet, so the best thing you can do for your WordPress website is to plan ahead for possible scenarios. This way, you’ll be prepared in case your website is ever hacked.

If you have good backups, you won’t have to worry about losing any important data if your website is hacked. You can just delete the hacked version and restore your website from the backup.

Having a backup can prevent complete disaster if something like a hack were to occur.

The purpose of a backup is to have a copy of your website’s data in case something goes wrong, like if your website is hacked. You should create backups often, and how often you need to backup your website will depend on how often you make changes to the website’s content.

Keep multiple backups of your data, with the date and time included in the file name. In case a hack is not discovered for days, you will need a backup from a previous date.

Hence, to make your backups more functional, you should include the following files and folders in your backup:

1. The WordPress Files

  • The Core Installation
  • WP Plugins
  • WordPress Themes
  • Images and Files
  • JavaScript and PHP scripts, and other code files
  • Additional Files and Static Web Pages

2. The WordPress Database

It is extremely important to include the WordPress database in the backup as it stores crucial information like details of posts, pages, comments, tags, users, categories, custom fields, etc.

You should test the functionality of your backup as part of the process. Ultimately, you need to make sure that the backup will allow you to quickly and fully recover your website if necessary.

(If you have automatic backup, please turn on the function.) You should back up your data with a date and time to keep it organized. If you have automatic backup, turn on the function to make things easier.

Backup of The WordPress Database

If you’re backing up your WordPress database, you can use the MySQL command line or an administrative interface like phpMyAdmin.

You can take backups manually, through cPanel, cloud, etc. We have covered a few methods here:

How to do Manual backup of WordPress

Follow these steps to take a backup manually –

  • Compress your website files
  • Download it to your local device
  • Store it remotely
  • Build a backup manager with files name, backup date & time as a parameter

Backing up data manually can be tedious and time consuming, requiring careful monitoring of each file download and management of the backup process.

If you’re looking for a free backup solution that offers full backup capabilities, BackWPup is a good option. Alternatively, you can use a WordPress plugin like Updraftplus or Backupbuddy, which will automate the entire backup process and is easy to use.

WordPress Backup Through CPanel 

Another option is to backup through Cpanel. Here is how you can do this:

  1. Log into your cPanel control panel.
  2. Click on the “Backup” icon.
  3. Select “Generate / Download a Full Backup”.
  4. Select “Home Directory” in “Backup Destination” and enter your email address, before clicking the “Generate Backup” button.
  5. You’ll receive an email when the backup is ready.
Cloud Backup of Your WordPress

The most convenient way to back up a WordPress website is by using a cloud service such as Amazon S3, Dropbox, or Stash.

2. Enhance Security by Updating CMS, Plugin and Themes to Latest Versions

After creating a backup plan, the easiest way to secure your website is to regularly update it. Updates for the core CMS, plugins and themes often include security improvements, so keeping your website up to date should help to improve its security.

of all websites use WordPress. If you keep your website up to date, it will reduce your risk of being hacked. WordPress is the most popular website platform and is constantly updating to make sure that their websites are secure.

Updating your website can sometimes break some functionalities. To avoid this, it is good practice to take a backup beforehand and put your website in the maintenance mode before initiating an update.

 Moreover, the WordPress core has three different types of updates:

  • Core development updates, known as the “WordPress 5.7”
  • Minor core updates, such as maintenance and security releases
  • Major core release updates

You only need to update the major core releases of WordPress; the minor releases are automatically updated in the back end. Be sure to update your themes and plugins as well.

with the click of a button. Use our WP hardening plugin to address 12+ issues with just a few clicks. This includes things like stopping user enumeration, disabling XMLRPC, and hiding version numbers.

Updating WordPress core, themes, and plugins can be done in two ways: manually and automatically. Both methods are explained below.


Core Update

go to the Updates page inside the WordPress admin panel and simply click the Update Now button next to the WordPress version.

The WordPress website can be easily updated. Since WordPress automatically installs all the minor patches, there is no need to update the major version. To do this, go to the Updates page inside the WordPress admin panel and simply click on the Update Now button next to the WordPress version.

  1. Log into your wp-admin
  2. Go to the Updates section.
  3. See if there are updates are available. If there are, update all of them.

Themes and Plugins Update

step by step: 1. Login to the WordPress Dashboard. 2. In the Dashboard, go to the Updates tab. 3. In the Updates tab, select the themes and plugins you want to update. 4. Click on the Update Themes or Update Plugins button to update the selected themes and plugins, respectively.

To update your themes and plugins, login to your WordPress Dashboard and go to the Updates tab. In the Updates tab, select the themes and plugins you want to update, then click on the Update Themes or Update Plugins button.

  1. Log into your wp-admin
  2. Go to the Updates section.
  3. See if there are updates are available. If there are, update all of them.

Core Update

define( ‘WP_AUTO_UPDATE_CORE’, false ); As we’ve talked about, WordPress usually installs security patches automatically. But, you can stop it from happening by going into the wp-config.php file and adding or changing the following code: define( ‘WP_AUTO_UPDATE_CORE’, false );

define( 'WP_AUTO_UPDATE_CORE', true )

You should check the updates section in your WordPress backend regularly for major updates, and initiate the updates if they are available.

Themes and Plugins Update

Themes and plugins can be updated automatically by using filters. The best place to put a filter is in a must-use plugin. However, WordPress does not recommend putting filters in the wp-config.php file. This is because putting filters in the wp-config.php can create conflicts with other parts of the code.

to your wp-config.php file. In order to automatically update themes and plugins, you need to add the following code to your wp-config.php file.

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

3. Secure Your Login Procedures

The most fundamental step to securing your website is keeping your accounts safe from malicious login attempts. To do this:

  • Use strong passwords. We used to think there would be flying cars in the future, but as of this year, people are still using “123456” as a password. Make sure that all users with accounts on your WordPress backend are using strong passwords to log in. You might want to use one of our recommended password managers to generate strong passwords and keep track of them for you.
  • Enable two-factor authenticationTwo-factor authentication (2FA) requires users to verify their sign-on with a second device. This is one of the simplest, yet most effective tools to secure your login. Here’s how to add two-factor authentication in WordPress.
  • Don’t make any account username “admin”: Chances are, this will be the first username attackers will plug in during a brute force login attempt. If you’ve already created a user with this name, create a new administrator account with a different username.
  • Limit login attempts: Placing a cap on the number of times a user enters the wrong credentials in a certain amount of time will prevent hackers from brute-forcing a login. Some hosting services and firewalls might take care of this for you, but you can also install a plugin like Limit Login Attempts for the job.
  • Add a captcha: You’ve likely seen this security feature on many other websites. They add an extra layer of security to your login by verifying that you are indeed a living person. You can use plugins to add a captcha to your site. reCaptcha by BestWebSoft is one we recommend — see our guide to enabling Google reCaptcha in WordPress.
  • Enable auto-logout: While you should remember to log out of your WP account when finished, auto-logout prevents strangers from snooping in your account if you forget. To enable auto-logout on your WordPress account, try the Inactive Logout plugin.

4. Use Secure WordPress Hosting

Security should be a top priority when choosing the service that hosts your website.

Think about using services that have put protections in place for your information, and that can quickly bounce back if an attack happens. Check out our list of recommended WordPress hosting providers.

5. Update Your Version of WordPress

The WordPress software is regularly updated to eliminate vulnerabilities found in older versions. Check for updates regularly and install them as soon as possible to keep your website secure.

Back up your site and check that your plugins are compatible with the latest version of WordPress. Update your plugins accordingly. You can find more instructions in our guide on updating WordPress plugins.

Update your plugins and then follow the instructions on WordPress’ website.

6. Update to The Latest Version of PHP

One of the most important steps you can take to keep your WordPress website secure is to upgrade to the latest version of PHP. WordPress will notify you on your dashboard when an upgrade is ready.

Updating your PHP version is easy. Just follow these steps: 1. Log in to your hosting account. 2. Click on the “Upgrade to PHP 7.3” button. 3. Follow the instructions on the screen. That’s it! You’ve successfully updated your PHP version.

7. Install One or More Security plugins

We strongly suggest that you install one or more security plugins on your website.

These plugins can automate many of the tasks related to security, including scanning your website for signs of infiltration, modifying files that could leave your site vulnerable, resetting and restoring a WordPress site, and preventing content theft such as hotlinking.

You don’t need to take this step if you’re using HubSpot’s Content Management System, which provides malware scanning and threat detection. Some other reputable plugins cover almost everything on this list.

When you are choosing which plugins to install, it is important to make sure that they are from a reliable source and will not cause any security issues. Here is a list of recommended WordPress security plugins.

8. Use a Secure WordPress Theme

It is not advisable to use a WordPress theme that has not been tested and is not compliant with WordPress standards as this could lead to vulnerabilities on your website.

To determine if your theme is compatible with WordPress, copy your website’s URL into W3C’s validator.

If you find your current WordPress theme is not compliant, you can search for a new theme in the official WordPress theme directory. All themes in this directory have been verified to be safely compatible with WordPress software.

HubSpot provides a list of recommended WordPress themes for users to choose from, or users can search another credible theme marketplace for a desired theme.

9. Enable SSL/HTTPS

SSL is the technology that encrypts connections between your website and visitors’ web browsers to keep traffic between your site and visitors’ computers safe from unwelcome interception.

If you want to use WordPress, you need to enable SSL. If you’re using CMS Hub, SSL is free and included in the platform, so you don’t need to do anything else.

If you are using WordPress, you may want to consider using a dedicated SSL plugin to improve your website’s SEO and the visitors’ first impression of your site.

If a website does not follow the SSL protocol, Google Chrome will warn the user and this will directly reduce website traffic.

To check if your WordPress site is using the SSL protocol, go to the homepage of your site. If the URL starts with “https://”, it means your connection is secure.

If the URL for your website begins with “http://”, you will need to obtain an SSL certificate for your website.

10. Install a Firewall

A firewall acts as a barrier between the network that hosts your WordPress site and all other networks, preventing unauthorized traffic from accessing your network or system.

Firewalls protect your site from malicious activity by preventing direct connections between your network and other networks.

To protect your WordPress site, we recommend installing a Web Application Firewall (WAF) plugin. The CMS Hub comes with WAF within the platform.

Choose a firewall and plugin that best fit your needs after carefully considering all options.

11. WordPress Security Audit

Even if you have applied all of the necessary security measures to your website, it is still important to regularly check for new vulnerabilities and issues. A premium security audit can help you with this.

Astra will assess your website for possible vulnerabilities in order to provide you with a detailed report of our findings.

A website security audit is a comprehensive review of your website’s source code, plugins, and themes to identify any security vulnerabilities. The audit also looks for any backdoors or loopholes that could be exploited by attackers.


The security measures listed in this guide are essential for keeping your WordPress site secure. You need to be diligent in applying and maintaining these measures to keep your site safe from online threats. Following these WordPress security tips will help ensure that your website remains protected.

About the Author Brian Richards

See Brian's Amazon Author Central profile at

Connect With Me

Share your thoughts

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}