7 Security Tips for a WordPress Website

It can be very frustrating to have your website go down due to a security loophole. The bigger problem is that once a site is hacked, the task of securing it can be very daunting as there could be backdoors preventing a total escape from the hackers and despite the efforts you make to secure your website, it occurs again. The rule is to prevent it before it happens. In this post, we look at seven key tips that can help secure your WordPress website.

You will also want to read:

Automatic Update in WordPress

Changing your WordPress website location

Configuring the basic settings in your WordPress website

How to Backup Your WordPress Website Automaticaly Using Backup Plugins

How to Fix a Hacked WordPress Website

1. Use The New WordPress Secret Keys

What are WordPress Security Keys?

These are a set of random variables that improve encryption of information stored in the user’s cookies. There are a total of four security keys: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY

Why use WordPress Security Keys?

These security keys makes it very difficult to crack your password. A non-encrypted password like “username” or “wordpress” can be easily broken, but a random, unpredictable, encrypted password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination.

How to use WordPress Security Keys on my site?

If you run a self-hosted WordPress blog, you won’t have the Security Keys defined. You would need to add this yourself. It is a very simple and easy to do that, you should be able to do as long as you know how to use FTP and you can also edit it online if you know how to use the cPanel filemanager.

First, you would need to get your own unique Secret Key. WordPress has a random online generator that can give you these secret keys. We recommend that you use that rather than inventing your own.

Also read:

How to Install and Setup Your Premium WordPress Theme

How to Keep Your WordPress Website Updated

How to Manage 403 Forbidden Error in WordPress

How to Optimize and Speed Up Your WordPress Website

How to Secure a WordPress Website

Second step is to modify your wp-config.php (file). You will find this file located in your WordPress root folder (the same folder where your wp-content and other folders are stored). In your wp-config.php file on line 45, you should see something like this:

define( 'AUTH_KEY', ‘put your unique phrase here’);
define( 'SECURE_AUTH_KEY', ‘put your unique phrase here’);
define( 'LOGGED_IN_KEY', ‘put your unique phrase here’ );
define( 'NONCE_KEY', ‘put your unique phrase here’);
define( 'AUTH_SALT', ‘put your unique phrase here’ );
define( 'SECURE_AUTH_SALT', ‘put your unique phrase here’ );
define( 'LOGGED_IN_SALT', ‘put your unique phrase here’);
define( 'NONCE_SALT', ‘put your unique phrase here’);

Simply take your security key that we grabbed in step 1 and paste them accordingly in the lines.

Save your wp-config.php file, and you are done. If you were logged into your WordPress admin panel, then you will be asked to log back in again.

2. Change your Default Database Prefix value

Your WordPress Database is usually the attackers target because every information is stored in the database. Spammers and hackers run automated codes for SQL injections. It is a good practice to change the database prefix while your WordPress website is installed. Not changing your database prefix makes it easier for hackers to plan a mass attack by targeting the default prefix wp_. The smartest way you can protect your database is by changing the database prefix which is really easy to do on a site that you are setting up. But it takes a few steps to change the WordPress database prefix properly for your established site without messing things up.

Also read:

How to create a simple portfolio website with WordPress

How to create and manage a page in WordPress

How to safely disable the WordPress automatic update feature

How to update your WordPress installation


We recommend that you backup your WordPress Database before you perform anything suggested in this tutorial. It is important to keep functional backups of your site, we recommend BackupBuddy plugin for doing that. Next thing we recommend is that you redirect your visitors to a temporary maintenance page during the time of making these changes.

Steps to Change Table Prefix in wp-config.php

Open your wp-config.php file which is located in your WordPress root directory. Change the table prefix line from wp_ to something else like this wp_a123456_

So the line would look like this:


$table_prefix = 'wp_a123456_';

Note: You can only change it to numbers, letters, and underscores.

Change all Database Tables Name

You need to access your database (most likely through phpMyAdmin), and then change the table names to the one specified in wp-config.php file. If you are using the cPanel WordPress hosting, then you can find the phpMyAdmin link in your cPanel.

There are a total of 11 default WordPress tables, so changing them manually would be pain.

That’s why to make things faster, we have a SQL query that you can use.


RENAME table `wp_commentmeta` TO `wp_a123456_commentmeta`;


RENAME table `wp_comments` TO `wp_a123456_comments`;



RENAME table `wp_links` TO `wp_a123456_links`;


RENAME table `wp_options` TO `wp_a123456_options`;



RENAME table `wp_postmeta` TO `wp_a123456_postmeta`;


RENAME table `wp_posts` TO `wp_a123456_posts`;



RENAME table `wp_terms` TO `wp_a123456_terms`;


RENAME table `wp_term_relationships` TO `wp_a123456_term_relationships`;



RENAME table `wp_term_taxonomy` TO `wp_a123456_term_taxonomy`;


RENAME table `wp_usermeta` TO `wp_a123456_usermeta`;



RENAME table `wp_users` TO `wp_a123456_users`;

You may have to add lines for other plugins that may add their own tables in the WordPress database. The idea is that you change all tables prefix to the one that you want.

The Options Table

We need to search the options table for any other fields that is using wp_ as a prefix, so we can replace them. To ease up the process, use this query:


SELECT * FROM `wp_a123456_options` WHERE `option_name` LIKE '%wp_%'

This will return a lot of results, and you need to go one after another to change these lines.

UserMeta Table

Next, we need to search the usermeta for all fields that is using wp_ as a prefix, so we can replace it. Use this SQL query for that:


SELECT * FROM `wp_a123456_usermeta` WHERE `meta_key` LIKE '%wp_%'

Number of entries may vary on how many plugins you are using and such. Simply change everything that has wp_ to the new prefix.

Backup and Done

You should now be ready to test the site. If you have followed the above steps, then everything should be working well. Now, you should make a new backup of your database just to be on the safe side.

3. Rewrite some rules in .htaccess

.htaccess controls your web server’s configuration, which means that you can use it to create specific rules for your WordPress website’s domain to give significant boost to security. The best feature by far is IP range blocking.

Plugins like BulletProof Security and Wordfence have this feature built-in, so you don’t have to worry your head over it. Other than that, add this code to .htacces file (before #Begin WordPress) to secure the core wp-includes.php file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule>
# BEGIN WordPress.

Also read:

The Many Uses to Which You Can Put Your WordPress Website

What you should know about optimizing your WordPress website for speed

WordPress Search Engine Optimization Tutorial

4. Disable XML-RPC

XML-RPC used to be great until someone figured out how to use the system.multicall to execute multiple methods inside a single HTTP request. That means that any security provided by login attempt filters is rendered useless.

The temporary solution is to delete the xmlrpc.php file. You can disable it with this code (which goes into your .htaccess file):

<Files xmlrpc.php>
Order Deny,Allow
Deny from all

Plugins like Disable XML-RPC will do the same. The simplest solution is to file.

5. Disable PHP error reporting

WordPress recommends that Error logs should not be located in the publicly accessible portion of your server.

Just disable it by a simple snippet in your wp-config.php file:

@ini_set('display_errors', 0);

6. Advanced Monitoring

This can be achieved with a plugin called WP Security Audit Log which lets you keep an audit of every single change made on your WordPress website. It does a lot including keeping records of your daily log, support for reverse proxies and security firewalls, attacker identification (via IP address), configurable security alerts based on user roles and critical activity status. Note: You need some programming skills to make the best use of it.

7. Keep pace with Sucuri and WordFence

These two are top in WordPress security services. WordFence plugin developer claims credit for discovering the SSRF vulnerability. The two highly efficient, well optimized, and extremely user friendly plugins are well-known providers of enterprise grade security solutions for WordPress websites. At least one of these plugins is a requirement for general security, monitoring, blacklisting, scanning, and keeping your site safe from attackers.


Security is key to a stable website. Taking it lightly can hurt and destroy your entire efforts for a long time. This article is a guide to the basic steps required to secure your website. The recommendations made here are not absolute and so you can still take additional steps to secure your website. However, be careful not to fall to the tricks of some hackers who have also been involved in developing plugins. Check out user reviews and be sure of the functionality of a plugin before you proceed to use it.

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

How to Secure a WordPress Website

How to Secure WordPress with Unique Admin UsernameMost applications use "admin" as username and...

How to Fix a Hacked WordPress Website

WordPress is unquestionably the world's most popular content management system used for creating...

How to Backup Your WordPress Website Automatically Using Backup Plugins

Keeping a healthy backup for your website is a golden rule. You cannot run a website, especially...

Basic Guide to WordPress Security

WordPress is the most popular blogging platform in the world today. It is also the most popular...

Top 5 Security Issues with WordPress and How to Fix Them

WordPress leads as the most popular content management system (CMS) on the Internet today...