
How to fully secure your WordPress website?

With over 60 million users, WordPress is the most widely used CMS (Content Management System) in the world, ahead of Joomla, Drupal, Magento, PrestaShop, Shopify and others. We often hear rumors that WordPress is unsafe and that it is better to choose another platform. At My Little Big Web, our web design experts do not favor any platform; only performance counts. However, we can assure you that WordPress sites (at least the ones we build) are very safe, and in this article I will explain how you too can secure your WordPress website.

Choosing your WordPress website theme

When designing your WordPress website, you must first choose a theme among the ones on offer. Some are free, well known and reliable; others not so much. One of the sites I recommend is ThemeForest. It offers a multitude of themes, and not just WordPress ones. What I also like about this site is that it gives you a lot of information on the theme you are considering (customer reviews, date of the latest update, compatibility with plugins, number of sales and so on):

One more tip: I prefer a paid theme, where you get support if there is a problem, over a free basic theme, because the small amount of additional money is really worth it. Also remember to remove the name of the theme from your site's footer, because a theme with a known vulnerability is easy for attackers to search for. Keep in mind that this only removes the most obvious clue: the theme's stylesheet and scripts are still loaded from /wp-content/themes/<theme-name>/, so anyone who reads your page source can still identify it. Keeping the theme updated is what actually closes the hole.

Choosing your WordPress modules

As I said above, WordPress works with a theme (the site template) and modules (called plugins in WordPress: applications that add functionality to your website). It is often the case that a theme and a module are incompatible. When that happens you must either change the theme, try to resolve the incompatibility or change the module, which can quickly cost you a lot of time.

For your information, many bugs on WordPress sites are due to incompatibilities between modules and/or themes. Again, choose modules that are compatible with your theme, and do not hesitate to invest a little to get a stable and regularly updated module.

The easiest way is to make a list of the features you want on your website and look for the corresponding modules, checking online that your theme is compatible with these modules (and that the modules are compatible with each other). Also pay attention to where you download your modules from. I recommend you download the latest versions directly from the official WordPress plugin directory rather than from third-party sites, where a "free" copy of a paid module may come with a backdoor.

Your WordPress login security settings

The first thing to do is get rid of the username "admin" that WordPress historically gave you by default (since version 3.0 the installer lets you choose any username, so pick something else from the start). Many people leave it and say that it "should not be removed"; however, it is a significant security weakness. To access the admin area of your WordPress site a person needs a login and a password, and keeping the login "admin" hands attackers half of that. Note that renaming it is only a small obstacle: WordPress still reveals usernames through author archive URLs (a request for /?author=1 redirects to the author page, whose URL contains the username) and through the REST API's users endpoint, so the strength of your password and the login limiting described below matter more.

Also remember to secure your password (do not use "admin" as the password, as we have seen on some websites). Use a password of at least 12 characters, ideally a random passphrase generated and stored by a password manager; the old advice of 8 characters with numbers, capitals and special characters is no longer enough against offline cracking.

While it may be tempting to use the same password for your email, your Facebook, your WordPress site and so on, keep in mind that if your password is stolen from one site, attackers will try it on all your accounts.

Also remember to limit the number of login attempts to stop robots from guessing your password. For this you can install a module such as Login Lock Down from the WordPress site, which lets you set the maximum number of failed attempts before an IP address is locked out. Two caveats: the lockout is per IP address, so an attacker with many addresses gets many more tries, and password guessing also goes through xmlrpc.php, not only through the login form, so make sure the module you choose covers it (or disable XML-RPC if you do not use it).
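
The same counting a lockout module does at request time can be done after the fact on the web server's access log, which is how you find out whether you are being targeted and from where. The following is an added example in Python, not code from the article or from the Login Lock Down module. It parses Apache combined-format log lines, counts POSTs to /wp-login.php and /xmlrpc.php per client address, and flags any address that exceeds a threshold inside a sliding time window. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Both endpoints accept password guesses. xmlrpc.php is the one people forget:
# through system.multicall it lets an attacker try many passwords per request.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def brute_force_sources(lines, max_attempts=5, window_seconds=60):
    """Map each offending IP to its total number of login POSTs.

    An IP is flagged when more than `max_attempts` POSTs to a login endpoint
    fall inside any sliding window of `window_seconds`. A lockout module
    does this counting at request time; here it is applied to the log.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and path in LOGIN_PATHS:
            attempts[ip].append(ts)

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > max_attempts:
                flagged[ip] = len(times)
                break
    return flagged


# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    # A real user: loads the form, then logs in successfully (302 to wp-admin).
    '198.51.100.4 - - [10/Oct/2023:13:55:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2911 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:13:55:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:55:30 +0000] "GET /?p=12 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
] + [
    # Password guesser: eight POSTs in 35 seconds, each answered with the form again (200).
    f'203.0.113.7 - - [10/Oct/2023:13:55:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"'
    for sec in range(1, 40, 5)
] + [
    # Slow guesser against xmlrpc.php: one POST every 20 seconds for four minutes,
    # which stays under 5 attempts per minute but not under 5 per five minutes.
    f'203.0.113.9 - - [10/Oct/2023:13:{55 + (i * 20) // 60:02d}:{(i * 20) % 60:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"'
    for i in range(12)
]


if __name__ == "__main__":
    print("5 attempts / 60 s:", brute_force_sources(SAMPLE_LOG))
    print("5 attempts / 300 s:", brute_force_sources(SAMPLE_LOG, window_seconds=300))
```

Run it against a real log with `brute_force_sources(open("/var/log/apache2/access.log"))`. The two runs at the end show why the window length matters: the fast guesser is caught with the default one-minute window, while the slow xmlrpc.php guesser only shows up when the window is widened to five minutes.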

Update WordPress, but with caution

It is very important to keep your WordPress site updated so that you benefit from the latest security patches, and to move quickly when WordPress (or one of your modules) announces an update, because updates are very often released to fix a specific security vulnerability. The flip side is that the release notes tell attackers exactly which versions are vulnerable and to what, and they scan for sites still running those versions. So hide the version of WordPress you are using: add to your theme's functions.php a line that unhooks the "generator" meta tag that WordPress prints in the head of every page. Keep in mind that this is only a speed bump: the same version number also appears in the ?ver= parameter on the core scripts and stylesheets your pages load and in the generator element of your RSS feed, so the real protection is applying the update.

In the title of this section I tell you to update your WordPress website, but with caution. You do not need to jump on each and every proposed update before you have read and understood what it consists of. Some updates will not affect you, for example a fix for a module you do not use. For feature releases it is reasonable to wait a few days to see whether other users report incompatibilities that WordPress or the module author will soon correct, and to try the update on a test copy of the site first. Security releases are the exception: once a vulnerability is public, automated attacks against unpatched sites follow within days, so apply those without delay (since version 3.7, WordPress installs minor security releases automatically unless you have turned that off).
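
To see what hiding the theme name and the generator tag does and does not achieve, it helps to look at your own page the way an attacker or a scanner does. The following is an added example in Python, not code from the article; it runs on a saved copy of your home page, so it needs no network access. It extracts the WordPress version from the generator tag and from the ?ver= parameter on core assets, and the theme and plugin names from asset paths. The two HTML samples are constructed: the second one has the generator tag and the theme credit removed, and still gives up the theme and the version.

```python
import re

# Patterns a scanner matches against the HTML of a WordPress page.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', re.I)
THEME_RE = re.compile(r"/wp-content/themes/([A-Za-z0-9_.-]+)/")
PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_.-]+)/")
# Core scripts and styles under /wp-includes/ are served with ?ver=<WordPress version>.
CORE_VER_RE = re.compile(r"/wp-includes/[^\"'\s?]+\?ver=([\d.]+)")


def fingerprint(html):
    """Extract what a single page reveals about the installation."""
    generator = GENERATOR_RE.search(html)
    return {
        "generator_version": generator.group(1) if generator else None,
        "asset_versions": sorted(set(CORE_VER_RE.findall(html))),
        "themes": sorted(set(THEME_RE.findall(html))),
        "plugins": sorted(set(PLUGIN_RE.findall(html))),
    }


def findings(html):
    """Human-readable list of the disclosures a site owner should know about."""
    fp = fingerprint(html)
    out = []
    if fp["generator_version"]:
        out.append("generator meta tag discloses WordPress " + fp["generator_version"])
    for v in fp["asset_versions"]:
        out.append("core asset ?ver= query string discloses WordPress " + v)
    for t in fp["themes"]:
        out.append("asset path discloses theme " + t)
    for p in fp["plugins"]:
        out.append("asset path discloses plugin " + p)
    return out


# Constructed sample: a stock WordPress page (example.com, fictitious version numbers).
SAMPLE_DEFAULT = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 4.1.1" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentyfifteen/style.css?ver=4.1.1" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.min.css?ver=4.1.1" />
<script src="https://example.com/wp-includes/js/comment-reply.min.js?ver=4.1.1"></script>
<script src="https://example.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=4.1"></script>
</head><body>
<footer>Proudly powered by WordPress | Theme: Twenty Fifteen</footer>
</body></html>"""

# The same page after following the article's advice: no generator tag, no theme credit.
SAMPLE_HARDENED = SAMPLE_DEFAULT.replace(
    '<meta name="generator" content="WordPress 4.1.1" />\n', "").replace(
    " | Theme: Twenty Fifteen", "")


if __name__ == "__main__":
    for label, html in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(label)
        for line in findings(html):
            print("  -", line)
```

To check your own site, save the page source and call `findings(open("home.html").read())`. Removing the generator tag drops exactly one finding; the theme, the plugins and the core version all remain visible through asset URLs, which is why the advice to hide them should never replace the advice to update.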

Protect and back up your WordPress database regularly

If you are hacked, a clean backup is what gets you back online: you restore the database (and the files) and your site is up again. Check with your hosting provider how often your data is backed up, or install a module such as BackWPup, which lets you schedule your own backups. Back up the files as well as the database, since wp-content holds your uploads, themes and modules; keep copies off the server, because a backup stored next to the site is lost with it; and restore only after you have found and closed the hole the attacker used, otherwise you will be hacked again the same way. Also be aware that a backup taken after the break-in may already contain the attacker's backdoor.

Also consider changing the wp_ table prefix that WordPress assigns to your MySQL database by default. This is easiest at installation time, in the $table_prefix line of wp-config.php; changing it on a live site takes care, because the prefix is not only in table names but also in row data (the option and user-meta keys that hold roles and capabilities). It is a small obstacle rather than a real defense: it defeats canned attack scripts that hardcode wp_, but an injection flaw in a module lets an attacker read the real prefix from the database.
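
For an existing site, renaming the tables is only half of the prefix change, and the half people miss locks every account out. The following is an added example in Python, not code from the article or from WordPress: it generates the SQL statements for the whole change, including the rename of the role definitions option (wp_user_roles) and of the per-user meta keys (wp_capabilities, wp_user_level and others) that WordPress looks up under the prefix. The table list is the set a stock install creates; on a real site, list them with SHOW TABLES first, since modules add their own.

```python
import re

# Tables a stock WordPress install creates (modules add their own; list the
# real set with SHOW TABLES LIKE 'wp\_%' before running anything).
CORE_TABLES = [
    "wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
    "wp_posts", "wp_termmeta", "wp_terms", "wp_term_relationships",
    "wp_term_taxonomy", "wp_usermeta", "wp_users",
]


def rename_prefix_sql(tables, old, new):
    """Return the SQL statements that move a WordPress database from table
    prefix `old` to `new`.

    Besides the table names, the prefix is baked into row data: the role
    definitions live in the option `{prefix}user_roles`, and each user's role
    and level are stored in usermeta under `{prefix}capabilities` and
    `{prefix}user_level`. If those keys keep the old prefix, every account,
    including the administrator, ends up with no capabilities at all.
    """
    if not re.fullmatch(r"[A-Za-z0-9_]+", new):
        # wp-settings.php refuses any other character in $table_prefix.
        raise ValueError("prefix may only contain letters, digits and underscores")
    bad = [t for t in tables if not t.startswith(old)]
    if bad:
        raise ValueError(f"tables without the {old!r} prefix: {bad}")

    stmts = [f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;" for t in tables]

    # Only one option name carries the prefix, so rename it explicitly. A LIKE
    # 'wp\_%' here would also catch unrelated options such as wp_page_for_privacy_policy.
    stmts.append(
        f"UPDATE `{new}options` SET option_name = '{new}user_roles' "
        f"WHERE option_name = '{old}user_roles';")

    # Usermeta keys are all prefix-derived, so rewrite every key that starts
    # with the old prefix. '_' is a single-character wildcard in LIKE, hence
    # the escape; SUBSTRING is 1-based, so len(old)+1 is the first character
    # after the prefix.
    like = old.replace("_", "\\_") + "%"
    cut = len(old) + 1
    stmts.append(
        f"UPDATE `{new}usermeta` SET meta_key = CONCAT('{new}', SUBSTRING(meta_key, {cut})) "
        f"WHERE meta_key LIKE '{like}';")
    return stmts


if __name__ == "__main__":
    print("\n".join(rename_prefix_sql(CORE_TABLES, "wp_", "k3ml_")))
    print("-- then set $table_prefix = 'k3ml_'; in wp-config.php")
```

Take a backup, put the site in maintenance mode, run the generated statements in one go, then change $table_prefix in wp-config.php to the new value; until that last step the site cannot find its tables. Check that you can still log in before you leave maintenance mode.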

Protect your wp-config file

wp-config.php holds your database credentials and secret keys. Normally the web server hands it to PHP and a visitor who requests it gets an empty page, but if PHP processing fails or is misconfigured, or if a stray copy such as wp-config.php.bak is left behind, the file is served as plain text. To refuse direct requests for it regardless, add these lines to the .htaccess file at the root of your site (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace the Order and Deny lines with a single Require all denied):

<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

WordPress will also find wp-config.php one directory above the web root, which keeps it out of the web server's reach entirely and is the cleaner solution where your hosting allows it.

Also protect the .htaccess file itself so that it cannot be viewed by anyone (the standard Apache configuration already refuses to serve files whose names begin with .ht, so this is a belt-and-braces measure):

<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>


You now know how to take basic precautions to secure your WordPress website. There are others, but this article is for people who want to manage and secure their WordPress site themselves, so I did not go into overly technical details and manipulations, because I do not want to overload you.

Before editing sensitive files or installing new security modules, take the time to back up your database, because it is often the case that WordPress sites (and other content management platforms) are broken by their own owners. No one is immune to a wrong manipulation, so take your time and do not hesitate to ask for advice if you are unsure.

If you enjoyed this article, you will surely love this one: create a website, 3 points to consider.

Happy reading!

Do not hesitate to contact us at 514 572 7758 or via our contact form if you would like to talk to an expert who will answer all your questions.


Co-founder and Web Marketing Specialist

With a double Master's degree in Marketing and Communication, Maxence has more than 10 years of experience in digital marketing. A former Microsoft employee, his mission is to "make the Web accessible to everyone" by helping businesses improve their online presence.