The Ultimate WordPress Security Guide – Step by Step (2024)

WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.

If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this video, we will share all the top WordPress security tips to help you protect your website against hackers and malware.

0:00 What we’ll cover
0:31 Always keep things up-to-date!
1:24 What’s your hosting provider?
2:33 Back things up
4:22 Security plugins
5:43 Web app firewalls
6:51 HTTP & SSL
8:17 Change default admin settings
9:35 Disable file editing options
10:41 Disable PHP
11:42 Limit login attempts
12:55 Enable 2-factor authentication
14:11 Change database prefix
15:28 Disable file indexing and XML RPC
17:34 Idle logout

Links to Stuff Mentioned in this Video

►SiteGround https://www.wpbeginner.com/refer/siteground/
►Bluehost https://www.wpbeginner.com/refer/bluehost/
►Hostinger https://www.wpbeginner.com/refer/hostinger/
►Duplicator https://wordpress.org/plugins/duplicator/
►Sucuri https://www.wpbeginner.com/refer/sucuri-free-wordpress-scanner-plugin/
►Cloudflare https://www.cloudflare.com/
►WP Login Lockdown https://wordpress.org/plugins/login-lockdown/
►Inactive Logout https://wordpress.org/plugins/inactive-logout/
►How to Disable XML-RPC in WordPress (Secure Method) https://www.wpbeginner.com/plugins/how-to-disable-xml-rpc-in-wordpress/
►How to Disable Directory Browsing in WordPress https://www.wpbeginner.com/wp-tutorials/disable-directory-browsing-wordpress/
►How to Password Protect Your WordPress Admin (wp-admin) Directory https://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
►The Ultimate WordPress Security Guide – Step by Step (2024) Article https://www.wpbeginner.com/wordpress-security/

Top Resources

⚡Use Promo Code WPBVIP⚡

►Best WordPress Contact Form Plugin https://wpforms.com/wpbeginner
►Best WordPress Analytics Plugin https://www.monsterinsights.com/
►Best Lead Generation Plugin https://optinmonster.com/
►Best WordPress SEO Plugin https://aioseo.com/
►Best Theme Builder for WordPress https://www.seedprod.com/

Related Videos
►WordPress Tutorial – How to Make a WordPress Website for Beginners https://www.youtube.com/watch?v=DvbFBxKcORA
►WordPress Gutenberg Tutorial: How to Easily Work With the Block Editor https://www.youtube.com/watch?v=JjfrzGeB5_g
►What is SEO and How Does it Work? https://www.youtube.com/watch?v=JjfrzGeB5_g
►How to Install a WordPress Theme https://www.youtube.com/watch?v=ZIPQRQLAz90

If you liked this video, then please Like and consider subscribing to our channel for more WordPress videos.
https://www.youtube.com/subscription_center?add_user=wpbeginner

Follow us on Twitter:
https://twitter.com/wpbeginner

Check out our website for more WordPress Tutorials
https://www.wpbeginner.com/

#WPBeginner #WordPress #WordPressTutorial


Here's a scary fact: over 30,000 websites are hacked every single day, and 43% of those websites are targeted at small businesses. Do you want your website to be part of that 30,000 that get hacked every single day? I'm assuming not. Well, if not, then you've come to the right video, because in this video I'm going to give you amazing security tips that will harden your website security, and the best part is all of these are easy to implement. So all you have to do is watch the video till the end and implement those tips I'm going to give you. So let's begin.

The first step you should keep in mind with regards to WordPress security is: always keep your WordPress version up to date. For example, I'm here inside my website, I'm checking out the posts, I want to add a new post. Everything that you do, if a new version of WordPress is available, you'll see a notice right here. You can see it right here, and if you don't see it, let's say you have a minor version update coming, then you can just go to the dashboard settings and go to Updates here and you'll see a notice. You can also manually check, or I'd say force check, if a new version of WordPress is available. So you see my current version, 6.4.1; you'll see a button here where it'll show you, hey, check for updates. So whenever there's an update, usually what you should do, the first thing you should do, is back up your website and then update to the latest version. This will ensure that you have the latest features, the best performance and, most importantly, the best security that WordPress has to offer. So go to your website right now, or maybe after watching this video, and check if you have any pending updates and update to the latest version.

The next thing to remember when it comes to WordPress security is to pay attention to the hosting provider. Now, you might not consider hosting as an essential part of your WordPress security, but it's absolutely critical to have the right hosting provider, otherwise the security of your website might be compromised. Now, there are hundreds of things to discuss in this, but the easiest way I can tell you how to make sure that the WordPress host you're choosing is secure is to go for a hosting provider that has a high reputation. For small and medium websites we recommend that you go for SiteGround, Hostinger or Bluehost. All of them have great pricing plans, great solutions, great offerings, and most of the time you'll also get a domain name for free if you use our referral link, which will be linked down below in the description of this video. Apart from this, if you have plans of making a very big website or you're looking for managed hosting solutions, then we recommend WP Engine. Now, the essential idea is: pick a hosting provider that has a great reputation in the market and is known for its good customer service and security features. Once again, if you're just starting out, want to build a small business website or just a personal website, go for Bluehost, Hostinger or SiteGround. Any of these options; I'll place links on the screen, links are also in the description, go check them out. They have fantastic offers, fantastic pricing. I'll see you in the next one.

The next security tip to keep in mind is to always, always create backups of your website. Now, backing up your website is like having an insurance policy. It won't prevent your website from being hacked, but as you might have realized already, nothing is 100% secure anyway. Protected government agencies, big social media networks, everything can be hacked. So if the case arises that your website might be hacked, at least you will have backups to restore your website, and you can get back your control of your website using the backups. Now, there are many solutions out there; your hosting provider might also provide backup solutions, but we recommend using a dedicated plugin for backups. There are a few advantages of this, the first advantage being more control over when you back up, how you back up, how frequently you back up, and offsite backups, that means backups that are not present on your server. So by chance, if your server gets hacked or the hosting provider itself gets hacked, you will still have backups available elsewhere. So if the case arises that you can't have access or the hosting company is completely compromised, you can at least take your website to another hosting provider and start your website there. So this is why having a dedicated plugin and having offsite backups are important. Now, there are many plugins available in the market who offer this service, but our vote goes to Duplicator. It's a fantastic plugin. This is a quick demonstration of how Duplicator works, how it looks: you can create scheduled backups, you can go into this, create manual backups, create extensive schedules, watch backups, how it's backed up. And I've done a complete video showing how Duplicator works and how you can create backups with it, so I'll show it on the screen here and I'll also link that video in the description of this video, so you can go check it out after you watch this video and figure out if Duplicator is the right plugin for you. Regardless of if you choose Duplicator to back up your website, always have backups, and always have offsite backups. So if anything goes wrong you'll have peace of mind that you can get back, or get your website up, as quickly as possible, regardless of the solution, regardless of the current situation your website is in. All right, on to the next one.

The next security tip to keep in mind is to install a security plugin. Now, a security plugin acts like an antivirus but for your website. Similar to how antiviruses protect your computer from getting hacked, so they'll block all vulnerabilities, a security plugin on your website does the same thing. It'll find out all the vulnerabilities that you have and notify you. It'll also notify and check if you have any kind of infections on your website existing on any of your files, and if any plugin or any service or external request tries to change the WordPress files, it'll also protect against this. So anything that happens on a website which has the potential of getting your website hacked, a security plugin will protect you against that. And our recommendation, or the best plugin that we found, that we also use on our website, is Sucuri, which is a fantastic security solution for WordPress. This is a free plugin on WordPress, so you can start using the service for free, and the free version is great, or good enough, for most websites. They also have a premium offering with more services, more, I'd say, better solutions, and it's absolutely worth it if you have a business-critical website. Just check out the premium version and definitely upgrade to it. So it'll provide you tons of features: you'll have security activity, you'll have file integrity monitoring, you'll have remote malware scanning, you'll have blocklist monitoring and security hardening, post-hack security actions and tons of features even in the free version. It's a fantastic solution. Definitely check out Sucuri and just install it on your website; you'll be thanking me later.

The next security tip you should follow is to also use a web application firewall. Now, what's the difference between a web application firewall and a security plugin? A web application firewall acts like a firewall, so before the requests come to your site, any kind of malicious activity that can be detected and prevented, a web application firewall is responsible for that. Similar to how your computers also have firewalls that filter requests coming to your computer in the first place, a web application firewall protects your website the same way. Now, there are many solutions out there that provide the web application firewall functionality that I just mentioned, but the best one on the market is Cloudflare. Now, along with Cloudflare, Sucuri, which I was mentioning in the previous point, also offers a web application firewall that you can configure right on WordPress, so it's your choice if you want to go to Cloudflare or you want to use Sucuri. Now, to make the decision-making process easier, you can choose any one, but if you want to go into the depths and details of what the differences are, what the pros and cons are, we have a detailed article on our website which does the comparison for you, so I'll link that in the description of this video. You can go check it out, read it and figure out which of these solutions is the best one for you. So make sure to have a security plugin, which is Sucuri, and then choose what web application firewall you would like to choose, Sucuri or Cloudflare, and let me know in the comments which one you choose.

The next security tip to keep in mind is to always use an SSL, or move to the HTTPS version of your website. This offers two advantages: the HTTPS version is obviously more secure, that means the data of your customers and the data of your website will be more secure, and the HTTP version provides a very bad experience, especially in Google Chrome. Let me give you an example. This is a sample website that I've created for use. Now look at this, what do you see here? "Not secure". Why does Google say this? Because I'm not using HTTPS on the website. So if you're creating a website and you don't have HTTPS or SSL installed, every time any visitor comes to your site they'll see this. Now think of this: is this confidence-inspiring? No. Will users enter their credit card info here? No. Will users trust this information? Maybe, no. That's why using an SSL and moving to the HTTPS version is absolutely critical for new websites. Now, thankfully, if you have a new website or you're just planning to create a website, you don't have to do anything. If you just go to the link in the description, let's say you build a website with Bluehost or Hostinger, they'll provide you an SSL certificate completely free. You'll not need to configure it; it'll be added to your account automatically, and by default, when you just add your domain name to your account, it will automatically be created with HTTPS. So you won't have to do anything unless you have an old website which was built with HTTP. In that case I'll link a couple of tutorials down in the description on how to move from HTTP to HTTPS and then secure your website and have a better impression on your visitors.

The next security tip I have to offer you is to always change the default username from something like admin. For example, this is a typical website, and most users, when they're starting out, would keep a very simple username like admin. Now, most hackers realize this and they try to get your website by guessing your password. So what you should do is change this to something more secure; use something that cannot be easily guessed. Here's how to do it: go into Add Users in the website, go to the dashboard, Users, Add New User, create a new user. So enter a username, enter an email (you can use the same email), everything else, and just make it an administrator on the website. So instead of using the role as Subscriber, just go and choose Administrator. So this user will now also become the administrator, and then you can delete the old user with the admin username. On the same topic I have another tip: make sure to use secure, and I'd say complicated, passwords. Now, they're hard to remember, but you have to have this. Use a security or a password manager if you have to, like 1Password or LastPass, but it's absolutely critical that you have good passwords. And WordPress does a great job of suggesting very secure passwords, which you can see on the screen here, so you can also use this kind of password. Just add it to your LastPass or 1Password account and it'll immediately be saved inside the account and you won't have to remember it. So two things I just told you: change the default admin username to something else and also use a secure password.

The next security feature you should be aware of, and you should enable on your website, is disabling file editing options. Let me explain. So this is the built-in file editor inside WordPress. You can check all of your theme files available here and you can manipulate them right here. Now, it's a great feature for developers, but not so for common people who don't understand what they're doing. Now, by accident somebody can modify this, and any administrator you have on your site has access to this, so they can intentionally or unintentionally mess up your website. It's a good idea to disable this functionality altogether, because there are other ways to manage and modify code snippets if you need to. So what I would suggest is you take this piece of code which I'm going to place on the screen, take a screenshot or just make a note of it somewhere, and add it to your wp-config file. Now, if you don't want to do that, and you might be thinking, "Huh, you're telling us how to disable file editing and you want us to edit files in the first place," I understand the irony of that statement, so what you can do is the plugin I mentioned in my previous example, or previous point, the Sucuri plugin, has a built-in feature for this. Just go into that feature, enable it, and you'll automatically disable all the file editing options inside WordPress. So that's the tip for you.

The next security implementation you should do on your website is disable PHP execution in certain directories. Now, let me explain what this means. PHP is the building block of WordPress, and PHP files are executed whenever any kind of plugin is used or any kind of, let's say, page is loaded. There are certain directories where there's no requirement for PHP files to exist and execute, for example your uploads directory, where only the media exists. So it's a good idea to prevent any PHP from executing in those directories in the first place. Now, regardless of if you understood my explanation or not, all you have to do to make it happen is take this piece of code which I'm going to highlight on the screen (I'm going to keep it there so that you can take a screenshot or use it as a reference) and just add it to your .htaccess file. Now, if you don't know what .htaccess is, or you don't want to mess with files, no worries, you don't have to do this if you don't want to do it this way. The plugin I mentioned already, Sucuri, already has this feature, as I mentioned in my previous example. Well, if you want to disable the file editing feature, just use the hardening feature. Similar to that, or I'd say exactly like that, just enable the hardening feature inside Sucuri, and what happens is Sucuri will automatically disable this from happening, making your website more secure.

The next security feature you should implement on your website is to limit the number of login attempts. Now, think about this: if you try a password a couple of times, three times, and you've forgotten it, you'll just reset it, right? You won't try to log in 10, 20, 30 times. That's the kind of behavior that you expect from somebody trying to get unauthorized access to your website. So to essentially prevent them, just limit the number of attempts you give anyone to log into your site, and then lock them out. So how do you implement this feature on your website? There are two different ways. First of all, if you're a premium Sucuri user, then the security access firewall in Sucuri already will have this feature. They'll automatically detect if somebody's trying to do this and lock them out; you can see this description here. So if, after watching this video, you decide that Sucuri premium is for you, then you'll have this feature already. Otherwise, there's another plugin that you can use to do this; it's called Login Lockdown. You don't have to pay for this, it's completely free. It has some premium features, but in the free version you'll be able to just install it, go to Settings and limit the number of attempts that you give someone before you lock them out. While there's no hard and fast rule, I'd say a limit of five login attempts is generous, where anybody who cannot remember the password after five attempts should either be forced to reset their password or be completely locked out of logging into your website. So make sure to use this plugin, and also use Sucuri if you have the premium version, and secure your website.

The next thing to implement on your website is to enable two-factor authentication. Now, what is two-factor authentication? Your password is one-factor authentication: there's one factor required before anybody can log into your website. If they have your password, they can log in. Two-factor authentication multiplies the security manifold by enabling a second-factor authentication. Usually it's a one-time password delivered through an SMS or an app, and sometimes it's an authentication code that can only be accessed with Google Authenticator or Authy. Now, setting this up is out of the scope of this video, but what you can do is use the same plugin called WP Login Lockdown. Use the premium version of the plugin and use the two-factor authentication feature here. Once you set it up you'll have an app on your phone which will give you a code every 30 seconds or 60 seconds, which you'll have to enter on your website after you enter your password. So if anybody even gets your password, they won't be able to log in to your website without having that code, and that's how it makes it more secure. Now, WP Login Lockdown is not the only plugin that does this; there are 100 plugins probably out there, but this is a plugin we recommend, so you can use this. If you have any other plugin choices in mind and you have already seen some other plugins offering this and you find them more competitive or better suited to your needs, go ahead, but the bottom line is that you should have two-factor authentication enabled on your site if you want to secure it.

The next thing to implement on your website to harden its security is to change the database prefix. Whenever WordPress creates new tables, or even uses a database, it has a prefix to the name of the table, which is usually wp_. Now, on its own this is not enough for somebody to hack your website, but it's like somebody knowing the first four digits of your Social Security number: not ideal in any case. Unlike your Social Security number, you can actually change the prefix to make it harder for anybody to discover information about your website, which can then lead to your website being hacked. Now, fair warning: changing the prefix of your database tables and your database is not for the faint-hearted. It is a little bit of a technical process, so only continue and only do this if you think you can pull it off and you have some level of reasonable skills. If you think you can do that, then this is a blog post you should follow. It's a step-by-step process on how to change this; there's also an accompanying video. I'll link the entire article in the description of this video, so you can go here, watch the video or just follow the written instructions and change the database tables. Now, you can already see from here that this is not something that is easy to do. You'll have to change a lot of things, and there's a risk of your website getting corrupted or broken if you don't do everything correctly. So if this is not something you think you can do, I would not let you attempt it, or I would not recommend that you attempt it. Only do it if you think this is very easy to do and you understand what you're doing.

All right, two features back-to-back that you need to disable on your website to harden its security: the first one is disabling file indexing and the second one is disabling XML-RPC. Let me demonstrate what these are. So this is an example; what you see on the screen is a file indexing feature. Now, if anybody goes to your website, or at least a path on the website, and they access any kind of directories, usually this is what happens if this feature is not disabled. Now, you might think, what's the hard thing, or what's the problem with this? Now, this is where hackers can find out outdated plugin versions, outdated files, less secure files, and then they'll find ways to hack your website. So this might not be enough, but this can give them the right tools and information to hack your site. So the first thing you should do is disable this feature so that this does not happen. The second feature is called XML-RPC, and it's a programmatic way to connect with your website, and this bypasses a lot of the security features we've been talking about, so you should disable both of them as well. Now, how to disable them? That's very easy. All you have to do is add a few pieces of code, or a couple of code snippets, to your .htaccess file. Now, the first piece of code you have to copy is this one, called "Options -Indexes", and all you have to do is just go to All in One SEO, which is a fantastic plugin. This will allow you to edit your .htaccess file, so make sure the free plugin AIOSEO is installed on your website, and once you have that, inside All in One SEO go to the Tools section. Inside the Tools you have the .htaccess editor. All you have to do is just come here and paste this piece of code and you should be done; just save your changes and everything is fine. The next feature, that is disabling XML-RPC, also has to be done in a certain way. Let me show you what piece of code you need to copy and paste on your site. So to disable XML-RPC requests you have to copy this piece of code and add it to your .htaccess file. Don't worry, I'll leave a link down to this blog post so you can find this specific piece of code and just copy-paste it. I'm just going to demonstrate how to do this. I just copy it here, and again, once again, I'll go into AIOSEO; inside All in One SEO I'll go to the Tools section, which has the .htaccess editor. This is the piece of code that I pasted just to disable the file indexing feature. Now all I'll do is just do this and save my changes, and once the changes are saved, both XML-RPC and file indexing will be disabled on your website.

The next feature you should implement on your website is an idle logout feature, which means that if users are idle for x amount of time they'll automatically be logged out. Now think about this: if I'm working on my computer, logged into my site, I go away and grab a coffee. In the next 20 minutes, when I'm just having my cup of tea or not on my desk, somebody has access, or can get access, to my website directly and my computer. And when your team grows, more people will have access to your website, so the risk keeps growing the more people have access to your site. So the security feature you should implement is: hey, if somebody's not doing anything for, let's say, 5 minutes, 10 minutes, automatically log them out. And the feature is very easy to implement with this plugin called Inactive Logout. Just implement this feature, or I'd say just install it; it's a free plugin, and once the plugin is installed you can choose the amount of time somebody has to be idle before they're logged out. It has a couple of exciting features, other features as well. For example, you can have a countdown of 10 seconds, so let's say somebody's just looking at the screen and thinking about something or reading something, they will see a warning that they're about to be logged out, so you can click away and then prevent that from happening. There are some other features as well, but overall it's a very useful plugin if you want to implement this feature, which will save your website and protect your website from unauthorized access just by accident, by logging out users who are not doing anything.

All right, so that's all the security tips I have for you here today. Make sure to implement all those and harden your website security. Did you like this video? Then let me know in the comments. Otherwise you can just like, share and subscribe and do all that good stuff before watching another video on the internet. My name is J, you're watching WPBeginner, and I'll catch you in the next video. Take care.
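Three of the controls the video applies through wp-config, the .htaccess editor and plugins (disabling the file editor, disabling XML-RPC, and limiting failed logins) can also be applied in WordPress's own language as a single must-use plugin. The block below is an added example, not code from the video or from WPBeginner; the file name, the `example_` prefix, the 5-attempts-per-15-minutes threshold, and the use of `REMOTE_ADDR` as the client identity are assumptions. It relies only on core WordPress hooks (`xmlrpc_enabled`, `wp_login_failed`, `authenticate`, `wp_login`) and the transients API.

```php
<?php
/**
 * Plugin Name: Example login hardening (added example, not from the video)
 * Description: Disables the file editor and XML-RPC, and locks out a client
 *              after too many failed logins. Save as
 *              wp-content/mu-plugins/example-hardening.php (assumed path).
 */

// Refuse to run outside WordPress (direct hits on the file do nothing).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Disable the built-in theme/plugin file editor. Core checks this constant
//    when mapping the edit_themes / edit_plugins capabilities, so defining it
//    here has the same effect as defining it in wp-config.php.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Disable XML-RPC. xmlrpc.php still answers, but every method call is
//    refused. Also stop advertising the endpoint via the RSD link and the
//    X-Pingback header.
add_filter( 'xmlrpc_enabled', '__return_false' );
remove_action( 'wp_head', 'rsd_link' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Limit failed login attempts per client. Thresholds are assumptions.
define( 'EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

// Transient key for the calling client. REMOTE_ADDR is only trustworthy when
// the web server sets it from a proxy/WAF you control (Cloudflare, Sucuri);
// otherwise a shared proxy address would lock out everyone behind it.
function example_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failure; the transient expires on its own after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

// Once the threshold is reached, reject authentication before the password is
// even compared. Priority 30 runs after core's username/password check (20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_client_key() ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so a legitimate user is not stuck.
add_action( 'wp_login', function () {
    delete_transient( example_client_key() );
} );
```

Because the counter lives in a transient, it survives across requests and, with an object cache, across web nodes; a plugin such as Login Lockdown or a WAF in front of the site does the same job with a UI and with better client identification, which is why the video recommends those for most sites.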
