
Securing your WordPress Website

ℹ️ Note: This article applies to our Web, WordPress, and Reseller Hosting packages.


WordPress is the most popular content management system (CMS) in the world — which also makes it an attractive target for malicious actors. In this article, we explain how to effectively secure your WordPress website.



🔄 Perform updates


Why: Outdated versions of WordPress, themes, or plugins often contain known security vulnerabilities.

How:

  • Log in to your WordPress dashboard
  • Go to Dashboard > Updates
  • Install updates for WordPress, your themes, and plugins


📌 Tip: Update your site at least once a month, or enable automatic updates.


🔑 Strong passwords and usernames


Why: Default users like "admin" are easy targets.

How:

  • Use a password manager to generate complex passwords
  • Create a new user via Users > Add New
  • Delete the old "admin" account


🛡️ Security plugins


Why: These plugins protect against attacks and scan your site for vulnerabilities.

Recommended plugins:


Install via Plugins > Add New.


🔒 SSL/TLS certificates


Why: An SSL certificate encrypts the connection between your website and the visitor.

How:

  • Install a (free) SSL certificate via your hosting package
  • Use the Really Simple SSL plugin to force HTTPS on WordPress


💾 Regular backups


Why: If something goes wrong, you can quickly restore your site.

How:

  • Your hosting package makes automatic daily backups
  • Create an extra manual backup before major changes via a plugin or manually via FTP


📌 Always create a backup before performing updates or maintenance!


🚫 Limit login attempts


Why: Brute-force attacks try to guess your password endlessly.

How:

  • Use a security plugin that supports login protection
  • Set a limit on failed login attempts


Recommended plugins: Limit Login Attempts Reloaded, Wordfence


✂️ Disable XML-RPC


Why: This outdated feature is often exploited for attacks.

How:

  • Add the following filter to your theme’s functions.php file:


add_filter('xmlrpc_enabled', '__return_false');


  • Or use a plugin such as Disable XML-RPC-API


🛡️ Hide WP-Admin


Why: The default login URL (/wp-admin) is easy to guess.

How:

  • Use a plugin like WPS Hide Login
  • Choose a unique login URL such as /admin-panel or /login-dey2qw


🔐 Two-Factor Authentication (2FA)


Why: A second layer of protection prevents misuse of leaked passwords.

How:

Install a 2FA plugin such as:


  • WP 2FA
  • Google Authenticator
  • Duo Two-Factor Authentication


📌 After activation, you will log in using an extra code from your phone or authenticator app.


🗂️ Check file permissions


Why: Incorrect file permissions can expose sensitive files.

How:

  • Log in via an FTP client (such as FileZilla) or the File Manager in DirectAdmin
  • Ensure folders are set to 755 and files to 644
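The 755/644 rule above can also be checked from a shell. The following is an added example (not part of this article or of any xYnta tooling) that assumes SSH access to the hosting account; it lists every folder that is not 755 and every file that is not 644 under a document root, and with the argument "fix" corrects them. The sample tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# audit_wp_perms ROOT [fix]
#   Prints the number of mismatches against the rule "folders 755, files 644"
#   on stdout. In report mode (default) each offending path is listed on stderr;
#   in fix mode the modes are corrected. Symlinks are not followed, so nothing
#   outside ROOT is ever changed. ROOT is a hypothetical path you supply.
audit_wp_perms() {
  root="$1"
  mode="${2:-report}"
  # "-perm 755" without a leading - or / matches the exact mode only.
  n_dirs=$(find "$root" -type d ! -perm 755 | wc -l)
  n_files=$(find "$root" -type f ! -perm 644 | wc -l)
  if [ "$mode" = fix ]; then
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
  else
    find "$root" -type d ! -perm 755 | sed 's/^/dir  not 755: /' >&2
    find "$root" -type f ! -perm 644 | sed 's/^/file not 644: /' >&2
  fi
  echo $(( n_dirs + n_files ))
}

# Constructed sample tree standing in for a document root (not a real site).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/uploads"
: > "$demo_root/index.php"
: > "$demo_root/wp-config.php"
chmod 755 "$demo_root" "$demo_root/wp-content"
chmod 777 "$demo_root/wp-content/uploads"   # world-writable folder
chmod 644 "$demo_root/index.php"
chmod 666 "$demo_root/wp-config.php"        # world-writable sensitive file

audit_wp_perms "$demo_root"                 # lists 2 problems, prints 2
audit_wp_perms "$demo_root" fix >/dev/null
audit_wp_perms "$demo_root"                 # prints 0
rm -rf "$demo_root"
```

Run it in report mode first; if your hosting package documents different modes for specific files, those take precedence over the blanket fix.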


📌 Extras for WordPress Hosting customers


Do you have a WordPress Hosting package with xYnta? Then you can easily:


  • View your site's security status
  • Apply security measures such as enabling 2FA, adjusting file permissions, and more
  • Automatically detect and resolve outdated plugins and vulnerabilities


📎 More info: Securing your WordPress website (WordPress Hosting)

Updated on: 20/05/2025
