Improve WordPress Security for Free

improve wordpress security

Find out how you can improve WordPress security for free!  WordPress is the world’s most popular content management system hence naturally it attracts the undesired attention of hackers. Clearly it is important to ensure your WordPress website is secure to avoid being a victim of hacked websites. Here are some useful tips to ensure your WordPress is secure!

Disable Unused Plugins

Based on the WordPress vulnerability statistics, the most vulnerabilities are found through plugins used by WordPress. Therefore, it is important to ensure that you disable plugins you do not use frequently. If possible, make sure you use only plugins that are actively maintained by the developers to make sure your WordPress website is secure and safe all the time. Note that free plugins recorded the highest vulnerabilities count, compared to paid plugins — which is by no surprise since paid plugins offer commercial incentive to make sure the plugin is securely coded.

Once you screen through and activate only plugins that are essential to your website, make sure you keep them up-to-date at all time.

Avoid using ‘admin’ username

When you are installing WordPress for the first time, you will need to go through the step-by-step wizard on your web browser. Avoid using common username such as ‘admin’. Choose a unique username that is not easily guessed.

If you are already using your WordPress website login with ‘admin’ as the username, consider going to Dashboard -> Users -> Add New, to create another Administrator Role user, with unique username. Then, log out of your existing ‘admin’ username, log in again with the new Administrator Role user, ensure you are getting full privileges before deleting the old ‘admin’ user from your WordPress.

Use Strong Password

What is a strong password? The key aspects of a strong password are length (the longer the better); a mix of letters (upper and lower case), numbers, and symbols or special characters. Most importantly, the password should have no ties to your personal information and no dictionary words. Consider generating strong password and managing your passwords with the help of an open source password manager, such as KeePass.

Enable 2FA Login

Two-factor authentication (2FA), sometimes referred to as two-step verification or dual-factor authentication, is a security process in which users provide two different authentication factors to verify themselves. By default, everyone logs into WordPress Dashboard using their username and password. To enhance your WordPress website security, consider using 2FA login with the free Google Authenticator plugin. Once activated, your WordPress users will also need to download the Google Authenticator app for their smartphones. They will use this app to generate a code each time they wish to login to WordPress.

Use SSL Certificate for HTTPS encryption

Since you can sign and install SSL Certificates for free, why not consider encrypting your WordPress with an SSL Certificate? The immediate benefit is visitors who browse to your website will no longer be seeing the “Not Secure” notice on their browser, and most importantly any data transmitted between your WordPress website and the web browsers will be secure. You can easily install the SSL certificate onto your WordPress using the Really Simple SSL plugin.

Use a WordPress Firewall & Malware Scanner

Wordfence is a free firewall & malware scanner for WordPress website. While there is a premium version for Wordfence, the free version is a good starting point to protect your WordPress website for free. Most crucially, spend time to learn more about Wordfence to make the most out of this plugin because it is definitely not an install and forget plugin.

Correcting Server Access Control

If you are running your own VPS or Dedicated Server, by default WordPress is running on apache/apache webserver role. You should create a new user and provide this user with write permission to your WordPress directory. To do that, simply execute the following command, noting that the green text should be replaced accordingly:

adduser wordpressuser
cd /var/www/pathtoyoursite
chown -R wordpressuser .
chmod -R 750 .
chgrp -R apache .

Since for WordPress the only directory that requires write permission is the uploads directory, execute this command to grant the user with the write permission:

chmod -R 770 ./wp-content/uploads/

Create a .htaccess file inside the /wp-content/uploads to protect us from the injection of backdoors. The contents of this .htaccess file should be as follow:

php_flag engine off


<Files *.php>
deny from all


There are many methods to secure your WordPress. The list above is not an extensive one, but an essential list that you should implement, all for free.

Related Post