The Complete WordPress Security Guide – 2019


WordPress as a CMS platform has grown leaps and bounds.

According to the recent statistics out of the top 1M websites, 297,629 are powered by WordPress.

WordPress generates 24% more unique visitors than Amazon per month 😱

But WordPress is a free and open-source content management system, which makes its source code open to everybody.

This makes it an easy target to attack.

WordPress as a whole is very secure, and its strong development team works to keep your site that way.

Still, when it comes to WordPress security it is better to adopt the best WordPress security practices.

So the best method of ensuring that your blog does not suffer from WordPress security issues is to PREVENT THEM.

So in this article, I will be listing the best WordPress security plugins and also the best WordPress security tips to scan and check for malware and other types of dangers for your blog.

Why Is WordPress Security Important?

When we host our blogs or e-commerce websites on WordPress we create a database that stores important data of our readers and customers.

A hacker, if he gains control, can access this data and harm your revenue.

In the worst case, he might gain complete control of your website and ask for a ransom to give it back to you.

Your blog’s success is the result of your hard work and you cannot simply allow it to be hacked or taken away from you.

At the very least, you might install a malicious WordPress plugin and have your site redirected to another page.

All in all the cost of a hacked WordPress site is huge. To make sure you don’t have to face these issues I have compiled this post to help you out.

Common Reasons Why WordPress Gets Hacked

There are many reasons why WordPress gets hacked but there are a few reasons that are very common.

Here is a list of common reasons why WordPress security is compromised,

#1 Unreliable Web Hosting

Most blogs and small eCommerce websites are hosted on shared hosting.

That is, a single disk is used to store and transfer data for multiple websites. If your web host is not careful with handling this data, your site is at a big risk.

This can be easily avoided by selecting a reliable web host that ensures the security of your WordPress blog.

I strongly recommend selecting MilesWeb as your web host.

MilesWeb Security Features:

  1. SFTP Access – SFTP enables file transfer in a secure way between the networked hosts.
  2. Daily Backups – Website’s backup is taken once every 24 hours and can be restored free of cost.
  3. HTTPS By Default – Secures traffic between your site and its visitors (plus boosting your SEO).

#2 Weak Passwords

This reason is not only applicable to your WordPress blogs but also to your other social accounts like Facebook and Twitter. In fact, having a weak password is putting your entire digital life at risk. You are at risk of exposing your personal details.

To prevent this, use these practices to set a strong password:

  • Use a special character like @, –
  • Make use of numbers that are not related to your birth date or birth year
  • Rather than using your name as a password use combinations of your favorite activities
  • Use a special diary to store important passwords rather than digitally storing them on your mobiles / PC. Alternatively, you can use LastPass to store your passwords.

#3 Not Updating WordPress / Themes / Plugins

The WordPress community is very active. Theme and plugin developers often update their code to the latest industry standards.

These updates include cleaner code, bug fixes, new features and security patches.

So it becomes very necessary that every user installs all the necessary updates. Even though it has been stressed enough that updating is essential, only 27% of users have the latest WordPress installed.

Do not make this mistake as it could cost you your WordPress site. In terms of WordPress security, it is very essential to be updated to the latest versions of your themes and plugins.

PS: Also updating to the latest versions helps you in achieving better search rankings.

#4 Pirating Paid WordPress Themes And Plugins


Are you a thief?

Serious allegation, isn’t it? Well, if you are downloading pirated or cracked WordPress themes and plugins, you are effectively a thief. You are snatching money from a developer who must have spent countless hours coding it.

Besides it being morally wrong it can actually harm your website/blog.

Websites which offer free themes and plugins have their own agenda behind it.

These pirated copies of WordPress themes and plugins have malware hidden inside them.

These viruses can redirect your website or blog to a random third-party website. They can also place random advertisement banners all over your website. The worst thing that can happen is that your website is hacked and they demand a ransom from you.

Why take such a big risk when you have options? This risk is not worth it, as your entire WordPress security is put in question.

Rather, use these websites to buy themes/plugins for as low as $10:

  • Mythemeshop.com – FREE and premium WordPress themes and plugins
  • ThemeForest – WordPress Themes
  • CodeCanyon – WordPress Plugins

Best WordPress Security Plugins 2019

Plugins have always helped to manage our WordPress blogs easily. Now with WordPress security plugins, securing our blogs/websites becomes easy.

But before I list the best WordPress security plugins for 2019, let’s learn the must-have features these plugins should have.

We can then compare the best WordPress security plugins at our leisure.

These plugins ensure bulletproof security from hackers and all other dangers.

Important Features For WordPress Security Plugins:

  1. Web Application Firewall
  2. Two-factor authentication
  3. Password auditing
  4. Hacker protection
  5. Brute force protection
  6. Malware scanning
  7. Check for spamvertising

#1 WordFence Security Plugin

WordFence is probably the best plugin that protects your WordPress blog. With over 100 million downloads, it takes the number 1 position in this list.

The two main features this security plugin provides are:

  1. WordPress Firewall
  2. WordPress Security Scanner

Under these two features are a hundred more features which will help you protect your blog.

You can check out the plugin here.

#2 IThemes Security

Formerly known as Better WP Security, it is one of the most popular security plugins of all time.

It is a feature-packed security plugin which offers all the features we discussed before.

iThemes provides 30+ ways to protect your website.

I personally use iThemes to protect BloggingWand because of the easy to understand UI.

You can check out the plugin here.

#3 Sucuri Security


If not the best, it is one of the most trusted security plugins of all time. It provides users with the most important features that are necessary to protect the blog.

It has the following features built into it:

  1. Strong firewall to protect against DDoS attacks
  2. Suspicious activity monitoring
  3. Alerts for hacks and potential dangers for your blog
  4. Offers a high-speed CDN to improve performance

You can check out the plugin here.

DIY WordPress Security Tips

In this section, we will be protecting our WordPress blog from potential dangers that the above-listed plugins don’t cover.

Be careful: the changes we will be making affect the database and involve editing template files.

(Take regular backups using Updraftplus.)

Make sure you have backed up your blog so as not to brick your website.

#1 Deny PHP File Execution In Certain WordPress Directories

The /wp-content/uploads/ directory sometimes ends up housing .php files that look like WordPress core files. They are not, and hackers who gain access to these files can make all sorts of changes to your blog/website.

So here’s a way to stop the execution of these PHP files.

Find (or create) the .htaccess file inside /wp-content/uploads/ in your file manager and add this code to it:

```apache
# Put this in /wp-content/uploads/.htaccess, not the site root .htaccess
# (in the root it would block every PHP file and take the whole site down).
<Files *.php>
    deny from all
</Files>
```
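As an added check that is not part of the original post, here is a small PHP CLI script that lists any PHP-executable files already sitting under wp-content/uploads and confirms that the deny rule above is present. It assumes you run it from the WordPress root with the PHP command line (`php check-uploads.php`), or pass the uploads path as the first argument; the script name and the list of extensions it treats as executable are my own choices. One caveat the post does not mention: the .htaccess rule only takes effect on Apache with AllowOverride enabled, so on nginx or a host that ignores .htaccess you need the equivalent server-side rule instead.

```php
<?php
// Added example (not from the original post): find PHP files under the
// uploads directory and check that the per-directory deny rule exists.
// Assumption: run from the WordPress root, or pass the uploads path as $argv[1].

$uploads = $argv[1] ?? __DIR__ . '/wp-content/uploads';

if (!is_dir($uploads)) {
    fwrite(STDERR, "Uploads directory not found: $uploads\n");
    exit(1);
}

// Extensions a PHP-capable server may execute. Many hosts also map .phtml,
// .php5 etc. to the PHP handler, so <Files *.php> alone does not cover them.
$executable = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar'];

$found = [];
$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($uploads, FilesystemIterator::SKIP_DOTS)
);
foreach ($iterator as $file) {
    $ext = strtolower($file->getExtension());
    if (in_array($ext, $executable, true)) {
        $found[] = $file->getPathname();
    }
}

if ($found) {
    echo "Executable files found under uploads (review and remove them):\n";
    foreach ($found as $path) {
        echo "  $path\n";
    }
} else {
    echo "No PHP files under $uploads\n";
}

// Check that the deny rule from the post is in place in this directory.
$htaccess = $uploads . '/.htaccess';
if (is_file($htaccess)
    && preg_match('/<Files\s+\*\.php>/i', file_get_contents($htaccess))) {
    echo "Found a <Files *.php> rule in $htaccess\n";
} else {
    echo "WARNING: no <Files *.php> deny rule in $htaccess\n";
}

// Exit code 2 means something executable was found, so the script can be
// run from cron and alert you when a file appears.
exit($found ? 2 : 0);
```

Running it before you add the rule tells you whether an attacker has already dropped something into uploads; running it afterwards (for example from a daily cron job) tells you whether the rule has been removed or a new file has appeared.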

With that rule in place, no unwanted .php files can be executed from the selected WordPress directory.

#2 Limit Login Attempts

WordPress has no restrictions on the number of times you can try logging in with a wrong password. This is a huge risk to security as brute force attackers can easily crack your password.

To prevent this from happening you can install this very light plugin called Limit Login Attempts Reloaded.

This plugin will restrict the number of login attempts per IP and also show you a log of all the failed logins.

Customize the settings according to your need and you are good to go.

You can check out the plugin here.

#3 Change Login Notifications

Make it a little harder by changing your login notifications.

The login error message can be changed so that hackers cannot tell whether they have entered the wrong username or the wrong password.

You can do this by making changes in your functions.php file.

You can find this file by going into Appearance > Theme Editor and then from the dropdown choose functions.php.

Copy and paste this code after the last line:

```php
// Replace every login error (wrong username or wrong password) with one generic message.
function remove_all_login_errors( $error ) {
    return "Incorrect login information";
}
add_filter( 'login_errors', 'remove_all_login_errors' );
```

After this, whenever you input a wrong password or a wrong username, it will generate the same login error: “Incorrect login information”.
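The two tips above (limiting login attempts and hiding which half of the credentials was wrong) can be combined in one small must-use plugin. The code below is an added example, not code from the original post or from the Limit Login Attempts Reloaded plugin; it shows the idea behind that plugin using only WordPress's own hooks and transients. It assumes a single WordPress server that is not behind a reverse proxy (otherwise REMOTE_ADDR is the proxy's address and every visitor would share one counter), and the plugin name, constants and function names are my own. Putting it in wp-content/mu-plugins/ instead of the theme's functions.php also means a theme update or theme switch cannot silently remove it, which is a drawback of the Theme Editor approach in the post.

```php
<?php
/**
 * Plugin Name: Simple Login Lockout (added example, not the post's own code)
 *
 * After LOCKOUT_MAX_ATTEMPTS failed logins from one IP within LOCKOUT_WINDOW
 * seconds, further login attempts from that IP are refused until the window
 * expires. Assumes REMOTE_ADDR is the real client (no reverse proxy).
 */

const LOCKOUT_MAX_ATTEMPTS = 5;
const LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;

function lockout_client_ip() {
    // Only trust REMOTE_ADDR; X-Forwarded-For can be set by the client itself.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lockout_key() {
    return 'login_fail_' . md5( lockout_client_ip() );
}

// Count each failure; the transient expires by itself after the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lockout_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LOCKOUT_WINDOW );
    // One log line per failure, like the log the plugin in the post shows you.
    error_log( sprintf(
        'Login failed for "%s" from %s (%d/%d)',
        $username, lockout_client_ip(), $count, LOCKOUT_MAX_ATTEMPTS
    ) );
} );

// Refuse the attempt before WordPress even checks the password. Priority 30
// runs after the built-in username/password check (priority 20), so a
// WP_Error returned here overrides a successful authentication.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lockout_key() ) >= LOCKOUT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter once a login from this IP succeeds.
add_action( 'wp_login', function () {
    delete_transient( lockout_key() );
} );

// Same generic message for wrong username and wrong password, as in the
// functions.php snippet above; it lives here so it survives theme updates.
add_filter( 'login_errors', function ( $error ) {
    return 'Incorrect login information';
} );
```

Transients are stored in the WordPress database (or in the object cache if one is configured), so no extra tables are needed, and the counter disappears on its own when the window passes. A dedicated plugin adds what this example leaves out, such as allow-lists for your own IP and counting by username as well as by IP.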

Backup Is The Ultimate WordPress Security Solution

Have you ever heard the phrase “A stitch in time saves nine?”

Similarly, regular backups can save your blog at critical times.

Therefore you need a solid solution for your backup needs. A solution which can be trusted and comes in handy when we need it the most.

One such solution is UpdraftPlus.

What Does UpdraftPlus Do?

UpdraftPlus is the best when it comes to backing up your blog on time.

UpdraftPlus has the following features even in the FREE version:

  1. Backup: Complete manual or scheduled backups of all your WordPress files, databases, plugins and themes
  2. Set Schedules: Backup schedules every 4, 8 or 12 hours, daily, weekly, fortnightly or monthly
  3. Restore: Restores backups directly from your WordPress control panel

I recommend you upgrade to the premium version, which gives you 13+ premium features such as password-protecting your backups.

You can check out all the premium features here.

What To Do If Your WordPress Site Is Hacked?

If you are the unfortunate one whose blog got hacked, simply try and go through these steps.

You must hurry and take quick action to have any chance of reviving your blog. The longer the delay, the lower the chances of reviving your blog.

So here are a few things you can try and get back your blog,

#1 Restore The Latest Backup

This is why having a backup is crucial: it will save your blog and help you recover it quickly.

UpdraftPlus has a built-in cloud service to further increase the speed of restoration.

This is the best way of getting back your hacked WordPress site. Take regular backups and you should be fine.

#2 Hire A Professional

Finding out the exact reason why your blog got hacked can be a tedious and time-consuming task.

You can quickly hire professional help and get your blog online ASAP.

Get professional help at an affordable price at Fiverr.

Do a quick search on Fiverr for “WordPress Security” and hire a seller based on the reviews they have received.

Time is very important when your website gets hacked. So don’t waste any time and spend a few bucks to get back your website.

#3 Contact Your Host

A good host can help you out with your restoration.

Either they will have a backup of your website or they can guide you to several methods to get back your website.

Raise a ticket saying it’s urgent to get a quick response.

Give them all the details they need so that they can help you in a better way.

#4 Uninstall Suspected WordPress Theme And Plugins

The most popular way of hacking WordPress is through plugins.

If you still have access to your admin page, go to the installed plugins page and deactivate the plugins you have installed recently. If you cannot find your solution there try deactivating the recently updated plugins.

If your blog is still being redirected or facing other hacking issues change your WordPress theme to an official WordPress theme.

This should help you figure out which plugin or theme has affected your blog.

Quick Tips After Restoring Hacked WordPress Blog

After having successfully restored your blog make sure you do not repeat the same mistake.

To ensure your WordPress security here are a few quick tips you can implement.

  1. Change the password
  2. Deactivate recent plugins and check their source
  3. Uninstall any pirated plugins and themes
  4. Take a backup
  5. Install a security plugin
  6. Follow all the security tips mentioned above


WordPress security is a serious matter and it cannot be underestimated at any cost.

To make sure you are always protected follow this in-depth article and you should be fine.

REMEMBER: Having a backup is the best way to protect and have the ability to restore your blog. Install UpdraftPlus and forget about backup worries.

Please be kind enough to share this article, as it took a lot of effort to compile all the information.

Happy Blogging 🙂


17 thoughts on “The Complete WordPress Security Guide – 2019”

  1. J

    I am on a few entrepreneurial Facebook groups and there seems to be a trend of WP security issues. I will be sharing these WordPress security plugins and best WordPress security tips to scan and check for malware and other types of dangers for their blogs as well! Thanks.

  2. I’m still learning more about blogging, and this is a great read. I hope to be able to take my blogging to the next level next time.


About Tanmay Kapse

Hey, this is Tanmay Kapse, owner of BloggingWand. I am an A320 pilot, a professional blogger and an affiliate marketer. I post articles on blogging and SEO tips to help you build a successful blog.
