
Best Ways To Improve WordPress Security in 2020 (Guide)

Written by: Rafal Kukla | Published on: 5 February 2020 | Edited on: 6 April 2023

WordPress security should be on your list of top concerns when operating a WordPress site. Website security and cybersecurity are topics of enormous importance in 2020, especially as the number of malware attacks and website hacking incidents has increased in recent years.

In this post we will show you why and how you should improve your WordPress site's security.

Why should you pay attention to your website's security?

For big tech companies and large organisations, outsourcing their WordPress site management to a professional organisation or hiring a Wordpress security specialist is vital. Websites can be taken down by hackers and malware, and this could leave you out of business.

It's a scary thought, especially if you don't have a clue where to start and how to ensure your WP site has watertight security. If not taken seriously, your website could end up blacklisted. If your site is blacklisted, it could lose its search engine ranking. Your site could be permanently removed from search engines like Google. Blacklisting is already happening, and sadly Google blacklists around 10k websites per week because of other people's adverse actions.

If your income and working life depend upon your Wordpress site, then you need to start paying more attention to the security of your website.

How to improve your Wordpress site's security

In this guide, we will try to assist you in making positive changes to help you to protect your sites against malware and hackers in the future.

Keep your Wordpress site up to date

Keeping WordPress updated can be challenging, especially as you can't update everything you need using a single update. WordPress will automatically install minor updates, but for significant updates and releases, manual updates will be necessary.

If you have installed a theme or plugins on your site, you will also need to ensure that you are running up-to-date versions of them. This can be a challenge for some, as the updates can be quite regular, but staying up to date is essential to keeping your site running at its best.

Updating your themes, plugins and Wordpress essentials is crucial for the security and overall performance of your website. You must ensure everything on your site is up to date!

Ensure you have strong passwords

The most common hacking method used to get into and take over sites on WordPress is password hacking. You should be careful about whom you share your login password with. Ensure that you don't have your password written down on an unsecured laptop/computer or in a place where prying eyes could lay hands on it.

Ensure you use a professional company like ForgetWP to manage your WordPress site and hosting, and be wary of giving out your login details to overseas freelancers who have not been accredited for their work. You should not give access to your WordPress admin to anyone but your WordPress Site Manager, unless necessary.

Change and secure the passwords and login permissions for all of the following:

  • Wordpress Hosting Site
  • Domain Hosting Site
  • FTP Accounts
  • Databases
  • Email addresses that are in use/advertised on the site and email addresses that include your URL, e.g.

You will need to learn to use strong passwords that are longer and more complex than the ones you usually choose to use. If you struggle to keep track of your passwords, we highly recommend using a password manager.

What other measures should you take to protect your WordPress site?

If you can't afford to get your WordPress site managed by a company like us, we highly recommend taking the following actions to improve the security on your website (no code required).

I. Backup your work

Once your site is complete, or every time you update it, we highly recommend you back up your site. Government websites and sites like Forex have been hacked. This is not something that is going to go away or something you can ever be immune to.

Imagine losing everything and not having a backup copy. You would have to rebuild your entire site because of malware or a hacker!

What is the best way to back up your Wordpress site?

  1. The easiest way to back up a WordPress site is by picking the right Managed Host (at ForgetWP we do that as part of our care plans).
  2. If your budget doesn’t stretch to a Managed Hosting Plan the second-best alternative would be to install a plugin.
  3. Finally, not the best of solutions but if you have no alternative then save a backup on your computer or external hard drive.

What backup plugins are available on Wordpress?

Here is a list of some of the best Wordpress plugins that you can install to assist you in backing up your WP site;

What cloud sites could I use to store backed-up versions of my Wordpress site?

One of the most Recommended cloud sites:

II. Add a firewall

A web-based firewall for your website, such as a DNS-level website firewall or an application firewall, can help to block malicious traffic before it impacts your site. DNS-level firewalls route website traffic through a proxy server and only direct genuine traffic to your site. Application firewalls come in the form of plugins that can be easily added to your site. The benefit of application firewalls is that they can survey the traffic once it reaches your server and before your content loads. An application firewall can also help reduce server overload in case of a DDoS attack, and although it is not as effective as a DNS firewall, it can help to prevent minor attacks.

III. Enable SSL

SSL stands for Secure Sockets Layer. Enabling SSL will encrypt all data transfers between your website and the end-user. SSL encryption makes it harder for someone to pry around the site, get into the backend of your site and steal information. Once enabled, your site address will appear as https:// as opposed to http://, and there will be a padlock next to your URL showing visitors that your site is secure.

IV. Other suggestions to improve your Wordpress site's security

  • Change the default username from "ADMIN" to a unique username that no one would guess.
  • Disable your file editing so that no one can edit anything on your site without you knowing about it.
  • Disable your site's PHP file execution in directories such as your uploads.
  • Limit the number of times that someone can try to log in to the site. If hackers are trying to crack your password, this will prevent them from doing so, as they won't have enough attempts available to keep trying.
  • Add two-factor authentication and set it up to a secure mobile phone.
  • Change your database prefix name so that hackers can't guess what it is. (Please be aware that any errors made when doing this process yourself can ruin your website.)
  • Password protect both your admin and login pages. This will help prevent people from being able to DDoS your admin area and gain access to your login page.
  • Disabling XML-RPC in WordPress is vital. It is enabled by default in WordPress 3.5, but disabling it can significantly decrease the risk of hackers attempting to guess your passwords. It will stop multiple attempts to break your password.
  • Set up auto log out which will automatically log out those who have been idle on the site for an extended period of time.
  • Add security questions with the wrong answers if necessary to prevent anyone from guessing to be able to get access to your site if they get past the password stage or try to change something significant on your site without your permission.
  • Download a Wordpress security plugin to scan your site for malware and vulnerabilities. If any warning appears, make sure you fix them.
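
Several of the settings in the list above can be checked straight from the files of an install. The following audit script is an added example, not part of the original guide or ForgetWP's tooling: it looks for WordPress's `DISALLOW_FILE_EDIT` constant and `$table_prefix` in `wp-config.php`, and for deny rules covering PHP in uploads and `xmlrpc.php`. It assumes an Apache host using `.htaccess`; the function names, finding codes and sample tree are hypothetical.

```python
import re
import tempfile
from pathlib import Path

FILE_EDIT_RE = re.compile(
    r"^\s*define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|1)\s*\)", re.I | re.M)
PREFIX_RE = re.compile(r"^\s*\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", re.M)

def denies(htaccess, target):
    """True if an Apache .htaccess has a <Files>/<FilesMatch> block naming target that denies access."""
    text = htaccess.read_text(errors="replace") if htaccess.is_file() else ""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    block = (r"<Files(?:Match)?\s+[^>]*" + re.escape(target) +
             r"[^>]*>(?:(?!</Files).)*?(deny from all|require all denied)")
    return re.search(block, live, re.I | re.S) is not None

def audit_wordpress(root):
    """Return finding codes for hardening settings missing from the install at root."""
    root = Path(root)
    cfg = root / "wp-config.php"
    config = cfg.read_text(errors="replace") if cfg.is_file() else ""
    findings = []
    if not FILE_EDIT_RE.search(config):  # a commented-out define() does not match
        findings.append("file-editor-enabled")
    if (m := PREFIX_RE.search(config)) and m.group(1) == "wp_":
        findings.append("default-table-prefix")
    if not denies(root / "wp-content" / "uploads" / ".htaccess", "php"):
        findings.append("uploads-php-executable")
    if not denies(root / ".htaccess", "xmlrpc"):
        findings.append("xmlrpc-reachable")
    return findings

def make_sample(root, hardened):
    """Write a constructed, minimal install tree (sample data, not a real site)."""
    root = Path(root)
    (root / "wp-content" / "uploads").mkdir(parents=True)
    cfg = "<?php\n$table_prefix = '%s';\n%sdefine( 'DISALLOW_FILE_EDIT', true );\n"
    (root / "wp-config.php").write_text(cfg % (("x7q_", "") if hardened else ("wp_", "// ")))
    if hardened:
        rule = "<Files %s>\nRequire all denied\n</Files>\n"
        (root / "wp-content" / "uploads" / ".htaccess").write_text(rule % "*.php")
        (root / ".htaccess").write_text(rule % "xmlrpc.php")
    return root

if __name__ == "__main__":
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            print(hardened, audit_wordpress(make_sample(tmp, hardened)))
```

The check reads files only and does not see rules set in the main server configuration or on non-Apache hosts, so an empty result there needs confirming by other means.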


There are a lot of loose ends that you can tie up by applying all of the security measures mentioned above. It's a huge task to undertake. If you would like an easier, simpler way, take a look at our WordPress Care Plans and let us handle everything for you.

Author Rafal Kukla
Helping customers grow with Technology. Providing Managed IT Services to frustrated #Apple users and #WordPress website owners since 2016.