According to Internet Live Stats, over 100,000 websites are hacked each day. Yes, you read that right. 100,000. 

WordPress is the most used and popular Content Management System, with 35% of the market on the web according to the platform. As an open-source platform, WordPress is particularly attractive to hackers, who target sites of every size, industry, and content type. The threat is real, and once a hacker sinks their claws into your website, the mess can cripple you.

So, how do you make your WordPress website secure? Here are 5 tips!

1. Choose A Strong Hosting Company

First things first: it’s important to choose a website host you trust AND who uses current scripting languages.

Fact: “74.5% of WordPress websites are using PHP versions that are no longer supported.”

Hosting servers are the crucial element for making your WordPress website secure. Paying a little more for a quality server will provide you with extra layers of security. Quality hosts always offer updated versions of PHP, which is essential.

Pro Tip: You should avoid opting for free hosting providers. Those are the first sites hackers will target because they are less secure.

2. Lock Down That WordPress Admin URL

The fact that WordPress is so common and its default admin login URL so well-known makes it especially vulnerable to hackers. Because the platform is so widely used, almost everyone knows the default URL, including hackers and automated scripts. Fun fact: By changing the login URL, you make yourself less of a target and protect your WordPress website from such attacks.

To change your default login URL and keep bad guys out, move the WordPress login page to a unique URL of your choice. We suggest using WPS Hide Login, which is free to use. Once you download and activate it, just follow the steps below:

A) Click on WPS Hide Login from the Settings tab in your left sidebar.

B) Add your new Login URL path in the Change Login URL field.

C) Add a redirect URL in the Redirection URL field. This page will be shown when someone tries to access the standard wp-login.php page.

D) Click on SAVE

3. Make Your wp-config.php File Hard To Find

By default, your wp-config.php is placed in the root directory of your WordPress installation, but you can move it to a directory that is not accessible from the web. This is an advanced process for improving your site’s security, but if you’re serious about your safety, it’s an excellent practice to conceal your site’s .htaccess and wp-config.php files to keep hackers from getting to them.

(If you’re a YellowFin Digital client, don’t worry! We’ll automatically take care of all of this for you while creating your website.)

To hide the files, you need to do two things:

  1. Navigate to your wp-config.php file and add the following code:

       # Apache directives; Apache reads them from .htaccess or the server configuration
       <Files wp-config.php>
       order allow,deny
       deny from all
       </Files>


  2. In the same way as above, add the following code to your .htaccess file.

      # Deny web requests for the .htaccess file itself
      <Files .htaccess>
      order allow,deny
      deny from all
      </Files>


This way, hackers won’t be able to find the root files of your website or inject malicious code.

Pro Tip: Always take a backup of the root file before you move it to another directory.
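
A quick check for the two <Files> blocks above, as an added example that is not part of the original post: this Python sketch scans the text of an .htaccess file and reports whether each block is closed and contains a deny rule (either the older "deny from all" or the Apache 2.4 "Require all denied"). The function name audit_htaccess and the sample file are constructed for illustration; it is a line-based check and does not evaluate Apache's full configuration merging.

```python
import re

# Constructed sample: the page's two blocks, properly closed, as they would sit in .htaccess
SAMPLE_HTACCESS = """\
<Files wp-config.php>
order allow,deny
deny from all
</Files>

<Files .htaccess>
Require all denied
</Files>
"""

# Opening tag (optionally quoted filename), closing tag, and the two deny syntaxes
OPEN = re.compile(r'<Files\s+"?([^">\s]+)"?\s*>', re.I)
CLOSE = re.compile(r'</Files\s*>', re.I)
DENY = re.compile(r'^(deny\s+from\s+all|require\s+all\s+denied)$', re.I)


def audit_htaccess(text, targets=("wp-config.php", ".htaccess")):
    """Return {filename: status}; status is 'protected', 'no deny rule',
    'unclosed block' or 'missing'."""
    status = {name: "missing" for name in targets}
    current, denied = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            if current in status:          # previous block was never closed
                status[current] = "unclosed block"
            current, denied = m.group(1), False
        elif CLOSE.match(line):
            if current in status:
                status[current] = "protected" if denied else "no deny rule"
            current = None
        elif current and DENY.match(line):
            denied = True
    if current in status:                  # file ended inside a block
        status[current] = "unclosed block"
    return status


if __name__ == "__main__":
    for name, result in audit_htaccess(SAMPLE_HTACCESS).items():
        print(f"{name}: {result}")
```

A block reported as "unclosed block" is missing its </Files> line and should be fixed before the file is uploaded.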

4. Install Top-Quality Security Plugins

When you are using the WordPress CMS, it’s likely that you use ready-made plugins and themes. Hackers know that. You will often get emails about new versions released for the plugins and themes you are using on your WordPress website. The main reason developers provide new updates is to correct security vulnerabilities found in older versions. Many code functions are now deprecated by WordPress, so avoid using them in your code.

It’s tedious work to check your site routinely for malware and malicious code. To minimize this headache, there are several plugins that you can choose to protect your website.

A security plugin takes care of your site security, filters for malware, and screens your site 24/7 to routinely check the health of your site. Click here to find a great list of plugins to choose from.

Pro Tip 1: We suggest using Security or Wordfence security plugins. They are free to use, secure, and most trusted.

Pro Tip 2: You should block access to your website from a few countries where you don’t have your target audience. This makes your site more secure because nobody can open your site from those blocked countries.

5. Update Your WordPress Version

WordPress regularly releases new version updates, and your WordPress website must be kept on the latest version. Staying up to date is a best practice to keep your site secure. With each update, developers roll out a couple of improvements, and more often than not these include security features. It’s simple and relatively easy to update your WordPress website. By default, WordPress automatically downloads small updates, but for major releases, you will need to update it from your website backend admin dashboard.

Step 1: Log in to your admin panel. If there is a new update, you will see this message.

Step 2: In the top left corner, click on the “Updates” menu item. Here you will see all update notifications, including plugins and themes that your site uses.

Pro Tip: If you are updating plugins and themes, we suggest taking a backup beforehand. You can use the BackupBuddy plugin to take backups.



Making your WordPress website secure is a crucial part of your business. If your website is hacked, your business can be affected. Restoring a hacked WordPress website and its lost data can cost you thousands of dollars. You can make your website most secure by following all of the tips above without spending a penny.

And if you need any assistance, you can always contact us to speak with our award-winning team members!