Securing your WordPress Website
ℹ️ Note: This article applies to our Web, WordPress, and Reseller Hosting packages.
WordPress is the most popular content management system (CMS) in the world — which also makes it an attractive target for malicious actors. In this article, we explain how to effectively secure your WordPress website.
Perform updates
Strong passwords and usernames
Security plugins
SSL/TLS certificates
Regular backups
Limit login attempts
Disable XML-RPC
Hide WP-Admin
Two-Factor Authentication (2FA)
Check file permissions
Extras for WordPress Hosting customers
🔄 Perform updates
Why: Outdated versions of WordPress, themes, or plugins often contain known security vulnerabilities.
How:
Log in to your WordPress dashboard
Go to Dashboard > Updates
Install updates for WordPress, your themes, and plugins
📌 Tip: Update your site at least once a month, or enable automatic updates.
🔑 Strong passwords and usernames
Why: Default users like "admin" are easy targets.
How:
Use a password manager to generate complex passwords
Create a new user via Users > Add New
Delete the old "admin" account
🛡️ Security plugins
Why: These plugins protect against attacks and scan your site for vulnerabilities.
Recommended plugins:
Wordfence Security
Solid Security (formerly iThemes Security)
Install via Plugins > Add New.
🔒 SSL/TLS certificates
Why: An SSL certificate encrypts the connection between your website and the visitor.
How:
Install a (free) SSL certificate via your hosting package
Use the Really Simple SSL plugin to force HTTPS on WordPress
💾 Regular backups
Why: If something goes wrong, you can quickly restore your site.
How:
Your hosting package makes automatic daily backups
Create an extra manual backup before major changes via a plugin or manually via FTP
📌 Always create a backup before performing updates or maintenance!
🚫 Limit login attempts
Why: Brute-force attacks try to guess your password endlessly.
How:
Use a security plugin that supports login protection
Set a limit on failed login attempts
Recommended plugins: Limit Login Attempts Reloaded, Wordfence
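To choose a sensible limit, or to check that login protection is working, you can count failed logins per visitor in your access log. The script below is an added example, not part of the original article or of any plugin. It assumes a "combined" format Apache/nginx access log and standard WordPress behaviour, where a failed login POST is answered with status 200 and a successful one with a 302 redirect. The log lines and the ACCESS_LOG variable are constructed for illustration.

```shell
#!/bin/sh
# Added example: count failed wp-login.php attempts per client IP.
# Assumption: "combined" access log; a failed login returns 200, a success 302.

# Constructed sample log lines (documentation IP ranges), used for a dry run.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [20/May/2025:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
203.0.113.7 - - [20/May/2025:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
203.0.113.7 - - [20/May/2025:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
203.0.113.7 - - [20/May/2025:10:00:04 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
198.51.100.20 - - [20/May/2025:10:05:00 +0200] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [20/May/2025:10:05:09 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [20/May/2025:10:06:00 +0200] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
EOF
}

# failed_logins LOGFILE [THRESHOLD]
# Prints "count ip" for every IP with at least THRESHOLD failed logins (default 5),
# highest count first.
failed_logins() {
    awk -v limit="${2:-5}" '
        # $1 = client IP, $6 = "METHOD (with leading quote), $7 = path, $9 = status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Usage: ACCESS_LOG=/path/to/access.log sh this-script.sh
if [ -n "${ACCESS_LOG:-}" ]; then
    failed_logins "$ACCESS_LOG" 5
fi
```

An address that still appears with a count far above your configured limit indicates the lockout is not being applied to it.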
✂️ Disable XML-RPC
Why: This outdated feature is often exploited for attacks.
How:
Add the following filter to your theme’s functions.php file:
add_filter('xmlrpc_enabled', '__return_false');
Or use a plugin such as Disable XML-RPC-API
🛡️ Hide WP-Admin
Why: The default login URL (/wp-admin) is easy to guess.
How:
Use a plugin like WPS Hide Login
Choose a unique login URL such as /admin-panel or /login-dey2qw
🔐 Two-Factor Authentication (2FA)
Why: A second layer of protection prevents misuse of leaked passwords.
How:
Install a 2FA plugin such as:
WP 2FA
Google Authenticator
Duo Two-Factor Authentication
📌 After activation, you will log in using an extra code on your phone or app.
🗂️ Check file permissions
Why: Incorrect file permissions can expose sensitive files.
How:
Log in via an FTP client (such as FileZilla) or the File Manager in DirectAdmin
Ensure folders are set to 755 and files to 644
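If your package gives you shell (SSH) access, the same 755/644 check can be done for the whole site at once. This is an added example, not part of the original article; the WP_ROOT variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress folder against the 755 (folders) / 644 (files) rule.
# Assumes shell (SSH) access; WP_ROOT is a placeholder for your WordPress folder.

# List every folder that is not 755 and every file that is not 644.
# find does not follow symlinks here, so linked targets outside the tree are ignored.
wp_perm_audit() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/DIR  /'
    find "$1" -type f ! -perm 644 -print | sed 's/^/FILE /'
}

# Number of entries that deviate from the 755/644 rule.
wp_perm_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Reset only the deviating entries, leaving correct ones untouched.
wp_perm_fix() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Usage: WP_ROOT=/path/to/site sh this-script.sh
if [ -n "${WP_ROOT:-}" ]; then
    wp_perm_audit "$WP_ROOT"
    echo "$(wp_perm_count "$WP_ROOT") entries deviate from 755/644"
fi
```

Run the audit first and review the list before calling wp_perm_fix, so you notice unexpected entries such as world-writable upload folders.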
📌 Extras for WordPress Hosting customers
Do you have a WordPress Hosting package with xYnta? Then you can easily:
View your site's security status
Apply security measures such as enabling 2FA, adjusting file permissions, and more
Automatically detect and resolve outdated plugins and vulnerabilities
📎 More info: Securing your WordPress website (WordPress Hosting)
Updated on: 20/05/2025