Maintaining a website is a complex job. You are responsible for everything related to your website, including security issues. If you are not using a dedicated server, half of the technical aspects of your website’s security are handled by your WordPress hosting provider. You don’t need to think about the server configuration to make your website secure.
One thing to note: your hosting provider is not responsible for securing your application (website). You need to take care of it yourself. If you use WordPress, there are some technical basics you need to know to make your website secure. For instance, you should not use the common username “admin” (or a common password). Using a very predictable username and password is the first thing you need to avoid.
The following are 6 of the basic tips to secure your WordPress site.
1. Use a strong password
You need a password to log in to your WordPress dashboard. As mentioned earlier, you should not use a password that someone else can easily guess. There are at least 6 rules for creating a secure password:
- Use at least 8 characters
- Use a combination of different characters
- Use at least one uppercase letter
- Never use common information in your password
- Never use the same password twice
- Check your password strength
You can use a password manager to store your password if you have too many different passwords to remember. To figure out if you have created a strong enough password, you can use a password strength checker.
2. Prevent directory browsing
WordPress groups its files into directories according to their use and type. For instance, all script files of WordPress plugins are kept under the wp-content/plugins directory.
You should not let the public browse the directories of your WordPress site. Generally, the default configuration of a web hosting service doesn’t allow the public to browse directories on your website. You can find out whether your hosting provider has applied this configuration by typing yourwebsite.com/wp-includes into your browser. If you see the following outcome,

You can add the following line to the .htaccess file on your server (Apache) to prevent directory browsing.
# Prevent folder browsing.
Options -Indexes
Or, add the following line to your server configuration if your website is running on Nginx.
autoindex off;
.htaccess itself is a hidden file. Make sure to enable the “show hidden files” option to find this file.
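The manual check described above can be scripted for a site you administer. The following is an added example, not code from the original article; the function names, the directory list and the sample responses are assumptions made for illustration.

```python
import re
import urllib.error
import urllib.request

# Directories to probe; wp-includes is the one the article uses for its check.
WP_DIRS = ["wp-includes/", "wp-content/uploads/", "wp-content/plugins/"]

# Apache mod_autoindex and Nginx autoindex both title the page "Index of /<path>".
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def classify(status, body):
    """'listing' = auto-generated index served, 'blocked' = 403/404, else 'other'."""
    if status == 200 and LISTING_RE.search(body):
        return "listing"
    if status in (403, 404):
        return "blocked"
    return "other"  # e.g. a blank index.php or the site's own page


def http_fetch(url):
    """Return (status, first 4 KiB of the body) for a URL on a site you administer."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_site(base_url, fetch=http_fetch):
    """Classify every directory in WP_DIRS below base_url."""
    base = base_url.rstrip("/") + "/"
    return {d: classify(*fetch(base + d)) for d in WP_DIRS}


# Constructed sample responses, not captured from a real server.
SAMPLE = {
    "https://example.test/wp-includes/":
        (200, "<html><head><title>Index of /wp-includes</title></head>"),
    "https://example.test/wp-content/uploads/": (403, "<h1>Forbidden</h1>"),
    "https://example.test/wp-content/plugins/": (200, ""),
}

if __name__ == "__main__":
    for path, verdict in check_site("https://example.test", SAMPLE.get).items():
        print(f"{verdict:8} {path}")
```

Any directory reported as "listing" still needs the Options or autoindex line shown above.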
3. Keep your WordPress core files, themes and plugins updated
WordPress notifies you of every new version of WordPress itself, your theme and your plugins. New versions don’t only offer new features; they commonly also come with bug fixes and security updates. Keeping your plugins and WordPress core updated is another simple way to make your website one step more secure. If you use a plugin or theme from a marketplace like Themeforest, we suggest you install a companion plugin that checks for new updates of the plugin you use.
If you bought a plugin or theme from Themeforest, we suggest you install the Envato Market plugin, as it allows you to effortlessly update your theme/plugin when a new version is available.
4. Change the default table prefix
During the WordPress installation step, you were asked whether you wanted to use the default table prefix (wp_). For better security, you should not use the default table prefix. Instead, you can use a more secure table prefix like wp_VzTkxSgv7uL_ or other random text. The major security issue regarding the default table prefix is SQL injection.
What if you have already installed WordPress with default table prefix?
You can change the table prefix of your WordPress by editing the $table_prefix line in the wp-config.php file. The tables already in the database must be renamed to match, otherwise WordPress will not find them. Here are more detailed instructions on how to change the WordPress table prefix.
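Changing the prefix on an existing site also means renaming the tables and two sets of keys that embed the prefix. The following added example (not from the original article; the function name and table list are assumptions covering a standard single-site install) generates the MySQL statements for that change, using the prefix values from this article.

```python
import re

# Tables created by a standard single-site WordPress install. Plugin tables that
# carry the prefix must be appended by the caller.
CORE_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "termmeta", "terms", "term_relationships", "term_taxonomy",
    "usermeta", "users",
]

PREFIX_RE = re.compile(r"[A-Za-z0-9_]+")  # characters WordPress accepts in a prefix


def prefix_migration_sql(old, new, tables=CORE_TABLES):
    """Return the MySQL statements that move a site from prefix `old` to `new`."""
    for prefix in (old, new):
        if not PREFIX_RE.fullmatch(prefix):
            raise ValueError(f"invalid table prefix: {prefix!r}")
    if old == new:
        raise ValueError("old and new prefix are identical")

    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]

    # The role definitions live in an option whose name embeds the prefix.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';"
    )
    # Per-user keys such as <prefix>capabilities embed it too. '_' is a LIKE
    # wildcard, so escape it to match the literal prefix only.
    like = old.replace("_", "\\_") + "%"
    stmts.append(
        f"UPDATE `{new}usermeta` "
        f"SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {len(old) + 1})) "
        f"WHERE meta_key LIKE '{like}';"
    )
    return stmts


if __name__ == "__main__":
    # Run the output against a backed-up database, then set $table_prefix in
    # wp-config.php to the new value.
    print("\n".join(prefix_migration_sql("wp_", "wp_VzTkxSgv7uL_")))
```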
5. Protect the “wp-admin” directory
WordPress uses the “wp-admin” directory to store all files related to site administration. Protecting this directory with a password adds an additional security layer to your website. Anyone trying to access a file under this directory will be asked to enter a password. If you use a hosting service that offers cPanel, you can protect a directory with a password by right-clicking the directory and selecting Password Protect.

6. Hide login error message
If you enter the wrong username or password on the login page of your WordPress site, you will see a login error message. There is an option to reset your login password if you entered the wrong password. Hackers might use this error message to try to get your login information (username and password). You can disable the login error message to minimize the chance of hackers illegally getting your login information. Simply add the following code to the functions.php file of your WordPress to disable the login error message.
function no_wordpress_errors() {
    return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
You can find the functions.php file in the directory of the theme you use.
Final words
There are lots of ways to secure your WordPress site. As mentioned earlier, you don’t need to think about server configuration if you use a hosting service or VPN instead of a dedicated server. Taking care of the server configuration is your hosting provider’s part. Your part is to make sure that you have applied the basic security techniques covered above.
We also strongly recommend that you regularly back up your WordPress site in case something bad suddenly happens, be it caused by technical issues on the server or by hacker attacks.