Choosing a WordPress theme to build your online presence (and business!) is indeed a blessing.

We bet that as soon as you read the previous sentence, you thought “Why would I need WordPress security tips then?”

Hold on for a second. We’ll get to that part.

The truth is that WordPress offers a ton of possibilities. There are thousands of themes available that are easy to customize, responsive and SEO-friendly. In addition to this, WordPress has a very active community that won’t leave you hanging. There’s a reason why 32,2% of all websites use WordPress!

HOWEVER. A thing that no one can ignore is the fact that WordPress is often a victim of (brutal) hack attacks.

If you have been a true WP follower, lover and an active member in the community, then you know that one of the ways WordPress managed to overcome security challenges was by making security updates go automatically. But, that was not merely enough.

The bad news is that even nowadays WordPress sites are still not completely hacker-proof.

Yes, unfortunately, all WordPress sites are vulnerable and prone to security breaches. Random hack attacks happen all the time! And there are multiple reasons for that. A security breach can occur due to a vulnerability in a hosting provider or theme or just because you used weak login information.

So, to make sure your newly-built website has what it takes to scare the hackers away, you need a bit more than trusting the platform to do all the work by itself.

In the following text, we are going to name all the steps you should take to protect your WP site. We promise that all of the mentioned WordPress security tips you can set up or do in 10 minutes or so, without making (significant) changes in the code:

Disclaimer: Themes Kingdom team is not affiliated with any of the mentioned plugins nor do we earn a commission if you end up purchasing any of the tools through referral links in this blog post. We merely wanted to name some services that can help you protect your WordPress website.

Tip 1: Find a good hosting provider

Did you know that, according to, 41% of sites were hacked through a security vulnerability on their hosting platforms? Yes, you have read that right! Almost half of all the WP sites had security breaches thanks to their hosting providers.

As you can see, a hosting company can affect your chances of going under a hacker attack. If you don’t want to gamble, we suggest you check out our article on how to choose the right hosting provider. Some of the most critical factors you need to have in mind when picking a hosting company are:

  • optimized hosting for WordPress,
  • malware scanning options,
  • a firewall built-in.

Tip 2: Carefully choose the right WordPress theme

There are thousands and thousands of WordPress themes. In this sea of templates, it can get hard to choose the right one for your business.

That is why we wrote an article that explains the steps of picking the right WordPress theme that will make your competitors jealous.

But, aside from those tips, we also have one or two more.

If you have read the article, you might remember that we mentioned you should ALWAYS check for the theme’s support. Not only will quality support help you solve all the potentials bugs and glitches, but they will also keep your theme updated. And you already know that having an updated theme means that you don’t have to deal with security holes. This is one of the quickest WordPress security tips, for sure.

Tip 3: Update your WordPress regularly

Although it may seem intimidating, this is one of the quickest tips from our list of WordPress security tips.

As soon as you see an announcement that the new WP version is available (in the top portion of your Dashboard panel), update your website that second.

Why should you do it straight away? Because a click on that “Update Now” button means that you are going to get a new WP version and with every new release comes improved security. Guys behind WordPress take care of all security vulnerabilities and bugs with each new version that comes out.

Tip 4: Update your plugins

Just like you would update WordPress, you should update all your plugins. All you need to do is go to the Plugins section in your Dashboard, then Installed Plugins and check them all. If a particular plugin should be updated, WordPress will let you know. Also, if there is a plugin you don’t use often or don’t use at all, be sure to uninstall it 一 there is no need for plugins to lay around and weigh down your website.

Keep in mind that having too many of these tools can actually lower your security level.

Tip 5: Be careful with whom you trust

Sometimes, WordPress security tips are not just about updates and being tech-savvy.

One of the benefits of WordPress is the fact that many users can manage a site. Unfortunately, this is, at the same time, the downside of WordPress. Sure, it takes a village to raise a child (or a website), but in this case, if the village is not careful enough when it comes to security, “the child” is pretty much doomed.

So, be careful. Even if you trust the people that are helping you build a business, keep in mind that WordPress offers six user roles for a good reason. Check out our WordPress vs. Joomla vs. Drupal article to get to know user roles a bit better.

You Can't Always Trust the Users, but You Can Always Trust Mulder

Tip 6: Rename the login URL

This is one of the quickest WordPress security tips out there.

A login URL is the one you use when you want to log into your admin dashboard. You know, the /wp-login.php or /wp-admin part of the URL?

Although this is an easy login URL to remember, it’s also the one hackers know a bit too well. So, why wouldn’t you play with their minds a bit? Change this URL to or whatever suits your personality the best. Guessing a custom login URL is much harder than choosing between the two most commonly used ones.

Tip 7: Add security questions

Adding a security question or two in the login screen is one of the WordPress security tips that will make any hacking attempt fail miserably.

Security questions are the ones you can add to your login screen to answer each time you want to log in. The best thing about them is that you can be creative with the questions. For example, you can add questions like Who is your favorite superhero? or What was the name of your imaginary friend?. Literally, any question only you or a handful of people can answer. These questions will act as additional security guards.

You can add these security questions by installing and activating the WP Security Question plugin and configuring the settings. If you got lost somewhere in the middle, we would advise you to read this article on

Tip 8: Limit the number of login attempts

As you might know, by default, WordPress users can log in as many times as they want which represents a significant security vulnerability.

Think about it for a second. Why would any user on your website have the possibility to attempt to log in more than, let’s say, three times? If users know their usernames and passwords, they are probably not going to be that reckless to make mistakes more than 3 times.

So, how can you limit the number of login attempts? To do so, all you need is the right plugin. Install the Login LockDown plugin, then choose Settings and Login Lockdown Options and decide how many attempts a user can have.

Tip 9: Log out inactive users

While we are on the topic of logging in, it’s a good idea to mention inactive users.

It’s not uncommon that a user logs in, spends some time on a website and wanders off to do read a post, watch a video or do something similar in another tab. There’s nothing wrong with that, except the fact that it’s much easier to hack into an active user account and that is why you should think about limiting the time inactive users spend on your website.

If you want to log out inactive users automatically, all you need to do is install and activate the Inactive Logout plugin. The plugin is very intuitive, we are sure you won’t have any issues setting up all the parameters.

Tip 10: Change your password often

Well, this is one of the most apparent WordPress security tips!

Just like you change your Instagram or Facebook password from time to time, you should remember to change the one you use to login to your website. We recommend you to do this step at least four times a year.

Bonus tip: A strong password is between 10 and 15 characters long and includes numbers, capital letters, and symbols. If you are having a hard time coming up with the perfect password, you can always rely on the Strong Password Generator to help you.

Super bonus tip: This tip goes without saying, but be sure not to set your username as Admin. Having “Admin” as a username makes it unbelievably easy for hackers to log in. If you forgot to do this step during the installation, we would suggest you create a new admin, with a new username, and delete the old one. Or just use the WPVN – Username Changer plugin.

Tip 11: Change the login error message

Let’s talk about one of the WordPress security tips, you probably never thought about doing.

If you ever entered a wrong username or password, then you know that WordPress automatically puts out an error message suggesting that the mistake is made either in the password or the username section. If you ask us, that’s TMI that hackers can’t wait to get their hands on.

So, instead of showing a default error message, change into something like “Wrong! Try again, doll!”. The most important thing is that the error message doesn’t specify what the problem is.

To do this step, use the code snippet down below and place it in your functions.php file. For, example, you can add:

function custom_error_message() {
    global $errors;
    $err_codes = $errors->get_error_codes();

    // Invalid username.
    if ( in_array( 'invalid_username', $err_codes ) ) {
        $error = 'Wrong! Try again, doll!';

    // Incorrect password.
    if ( in_array( 'incorrect_password', $err_codes ) ) {
        $error = 'Wrong! Try again, doll!';

    return $error;


Tip 12: Do the backup often

If all of these WordPress security tips seem like too much work, remember that this is the one tip you absolutely need to do.

Backup is the process of saving all your site’s content and data in one place. If a hacker attack occurs 一 God forbid 一 you need to be prepared.

Additionally, when it comes to backup, there is one more thing you should know. We would highly suggest you save full site backups not only to your hosting account but also to some remote location, a cloud service, like Amazon or Dropbox. By doing this step, you will make sure all the website data is secure and placed somewhere hackers won’t care to look for.

In the end, all that is left to answer is how often you should do the backup. There is no universal answer to this question, but if we had to mention a number, we would have to say once a day. Thankfully, you don’t have to go through this torture every day by yourself 一 there are plugins like VaultPress, BackUpWordPress or BackWPUp that can help you.

Tip 13: Install a firewall on your website

A firewall is, as you might know, a security tool that will help your site protect from viruses, malware, and hack attacks. That is why it is essential to have a tool that will scan your site daily and make sure you are protected 365 days a year.

When it comes to installing a firewall on your site, we would advise you to check iThemes Security plugin. This plugin will scan your site for malware automatically, each day and if a problem occurs, an email will be sent to you with the details. This plugin also offers two-factor authentication (an authorization code that is sent to your mobile phone which allows you to log into your site), password security, password expiration, Google reCAPTCHA and many more.

Bonus tip: You have might noticed that all of our WordPress themes are Jetpack optimized and there’s a good reason for that. If you really want to boost your security level, we would advise you to do a bit of research on Jetpack. You’d be surprised what this tool has to offer!

Tip 14: Don’t be cheap!

If you have invested in a premium WordPress theme, you might be looking for a way to minimize additional costs, and that is perfectly understandable. But, choosing the plugins is not the place to be cheap.

Never, and we mean NEVER, buy premium plugins for free.

Remember that all those sites that offer free premium plugins are probably illegal and that you are considering downloading something from an illegal website. How do you think that is going to go? Not well!

Tip 15: Secure the wp-config.php file

The wp-config.php file is the one file that contains all the information related to your WordPress installation. Since it is one of the most vital files of your site, you need to make sure you protect it from hackers.

According to, all you need to protect it is to add the following piece of code in your .htaccess file:

<Files wp-config.php>

order allow,deny

deny from all


And that’s it!

Bonus Tip: Use the SSL encryption

Well, we had to include one more, which will take a bit more than 10 minutes to complete. Fifteen minutes tops.

All you need to know about the SSL (Secure Socket Layer) is that it is encryption your website uses to protect admin data. Adding this step is extremely important because not only are you going to secure your data but you will also make sure you rank higher in Google since Google favors sites that use SSL.

So, how can you get an SSL certificate? Well, you can buy one from a third-party company, or you can ask your hosting provider. Here’s an in-depth article on how to do so.

Live prosper and protected

The best thing about the previously mentioned WordPress security tips is that it will probably take you longer to read this article than to apply each tip individually. 🙂

These are genuinely the tips you can do in less than 10 minutes.

We hope that, after reading this post, you are more aware of the fact that your site’s security is one of the most significant elements to consider if you want your site to live long and prosper.

So, be sure to stay protected and good luck!

2 thoughts on “ 15 quick WordPress security tips ”

  1. Pingback: Top 8 tips to reduce shopping cart abandonment - Themes Kingdom
  2. Pingback: How to speed up a WordPress site - Themes Kingdom

Leave a Reply

Your email address will not be published. Required fields are marked *