Top 7 tricks to secure your WordPress website

WordPress is the most popular blogging CMS, and if you are running a site on WordPress, its security should be your primary concern. In this article I am going to explain the top 7 tricks to secure your WordPress website that most administrators overlook.

1. Don’t use the “admin” username:

The default username for the account created with every WordPress installation is admin. This is one of the most common reasons behind attacks on WordPress sites, so you should stop using it. Create a new user from your WordPress admin panel and assign it the administrator role, then delete the default user.

2. Move your wp-config.php file to another location:

wp-config.php is one of the most important files in WordPress: the database name, username and password are all stored in it, so you have to protect this file from attackers to secure the site. By default WordPress keeps wp-config.php in the root folder, which everybody knows. However, you can move wp-config.php to a custom location, and doing so helps to secure your website from an attacker.

3. Use Secret Keys:

Since WordPress 2.6, four security keys have been added to make WordPress more secure. These security keys refer to four authentication keys and four hashing salts (random bits of data) that add an extra layer of security to your cookies and passwords.
These security keys are in the wp-config.php file; look for text similar to the following.

/**
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to login again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', '1D!.oN^N4,<>DrvhH;%znFmVp_[8!WR:v9MH=re,k0QP|jUF-7}GR2M~8HBD;^>E');
define('SECURE_AUTH_KEY', 'Zl]l_;pbiE+O_,R)x{%|`wljwQ,;#zfwS~A==]aV*2!w89<yKURit7JWbi_^9fhX');
define('LOGGED_IN_KEY', '7>!.E)=EFU7UQm`>-X%/B7-[N<G1K--?WrJewh|&<%cGuS$YJ<+t%@)Vr-T0j{)a');
define('NONCE_KEY', 'jslBN54_wB~=.cE,0q^ HC%!GF0 %dvw>_Lb>Fwy/|lpWy{=|.i$Iit4IZz,~/!g');
define('AUTH_SALT', '{,b?=H3Fk(wwM-e54U]Wp_[2 {mu-qK.xUm6e#go~*d=fAsKNas~M -Yz.1%i6[C');
define('SECURE_AUTH_SALT', 'dc~iMX5c,!<4TO/zRiUD0g;e^/^d=?!G~+1_l?_e2Y-l8YoqX$ ?$-58BQ:Mmq#f');
define('LOGGED_IN_SALT', 'a3C#~Ou)e>4}%8<r~O=^Zd%EIqEuh3Ax?U!HtI%]O%[I0auSqg=:aq!GArNua');
Note: These are sample keys, so don’t copy them.
Manual setup
1. Visit
2. Copy the randomly generated strings and paste them into your wp-config.php file.
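A quick way to confirm that the keys in a wp-config.php were actually replaced is to audit the file itself. The following is an added example, not code from the original article: the script, its function names and the 64-character minimum are assumptions made for illustration, and the sample configuration is constructed.

```python
import re
from collections import Counter

# The four keys and four salts WordPress reads from wp-config.php.
REQUIRED = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php
MIN_LENGTH = 64  # assumption: treat anything shorter than 64 characters as weak

# define('NAME', 'value'); with either quote style; several may share a line.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")

def parse_keys(config_text):
    """Return {constant: value} for the key and salt defines in the text."""
    return {name: value
            for name, _quote, value in DEFINE_RE.findall(config_text)
            if name in REQUIRED}

def audit_keys(config_text):
    """Return (constant, problem) findings in the order of REQUIRED."""
    keys = parse_keys(config_text)
    counts = Counter(keys.values())
    findings = []
    for name in REQUIRED:
        if name not in keys:
            findings.append((name, "missing"))
            continue
        value = keys[name]
        if value == PLACEHOLDER:
            findings.append((name, "placeholder"))
        elif len(value) < MIN_LENGTH:
            findings.append((name, "short"))
        if counts[value] > 1:
            findings.append((name, "duplicate"))
    return findings

# Constructed sample: one placeholder, one short value, one reused value,
# and the four salts left out entirely.
SAMPLE = "\n".join([
    "define('AUTH_KEY', 'put your unique phrase here');",
    "define('SECURE_AUTH_KEY', 'hunter2');",
    "define('LOGGED_IN_KEY', '" + "x7" * 32 + "');",
    "define( \"NONCE_KEY\", \"" + "x7" * 32 + "\" );",
])

if __name__ == "__main__":
    for name, problem in audit_keys(SAMPLE):
        print(f"{name}: {problem}")
```

An empty result means all eight constants are present, distinct and at least 64 characters long; it says nothing about whether a value was copied from a published sample such as the one above.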

4. Change Login Error Message:

When you enter a wrong username or password, the WordPress login screen tells you which of the two, the username or the password, was wrong.

[Screenshots: the WordPress "invalid username" and "invalid password" login error messages]
So if an attacker gets one of them (username or password) right, it is easier to work out the other and gain access to your site. Therefore, it is recommended to display a custom error message.
Open functions.php from your theme folder and paste the following code.
// Return one generic message for every failed login
function failed_login() {
    return 'The login information you have entered is incorrect.';
}
add_filter('login_errors', 'failed_login');

5. Hide WordPress Version Number:

By default, anyone can find out which version of WordPress your website is running if they know how.
If you are running an older version of WordPress, this is not a good thing, because an attacker will be able to target specific security vulnerabilities that have since been patched in more recent updates.
To hide the WordPress version information, open the functions.php file from your theme folder and paste the following code.

// hide version
/**
 * Hide WP version strings from scripts and styles
 *
 * @return {string} $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function phplesson_remove_wp_version_strings( $src ) {
    global $wp_version;
    // parse_url() returns null when the URL has no query string
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    // Strip ?ver= only when it equals the core version; other version strings are left alone
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'phplesson_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'phplesson_remove_wp_version_strings' );

/* Hide WP version strings from generator meta tag */
function phplesson_remove_version() {
    return '';
}
add_filter( 'the_generator', 'phplesson_remove_version' );
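To verify that the filters above took effect, the rendered HTML of your own site can be checked for the two places they cover. This is an added example, not code from the original article; the class and function names, the sample markup and the version number 6.4.2 are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

class VersionLeakParser(HTMLParser):
    """Record where rendered HTML still discloses the WordPress core version."""

    def __init__(self, wp_version):
        super().__init__()
        self.wp_version = wp_version
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <meta name="generator" content="WordPress x.y.z">, emitted via the_generator
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            content = attrs.get("content") or ""
            if "wordpress" in content.lower():
                self.leaks.append(("generator", content))
        # ?ver= on script and stylesheet URLs; like the PHP filter, only a value
        # equal to the core version counts, so plugin versions are ignored
        url = {"script": attrs.get("src"), "link": attrs.get("href")}.get(tag)
        if url and self.wp_version in parse_qs(urlparse(url).query).get("ver", []):
            self.leaks.append(("ver", url))

def find_version_leaks(html, wp_version):
    """Return a list of (kind, value) leaks found in one page of HTML."""
    parser = VersionLeakParser(wp_version)
    parser.feed(html)
    return parser.leaks

# Constructed page head; 6.4.2 stands in for the site's core version.
BEFORE = """<head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-includes/css/style.min.css?ver=6.4.2" />
<script src="/wp-content/plugins/example/app.js?ver=1.3.0"></script>
</head>"""
# The same head after the filters: generator removed, core ver stripped.
AFTER = """<head>
<link rel="stylesheet" href="/wp-includes/css/style.min.css" />
<script src="/wp-content/plugins/example/app.js?ver=1.3.0"></script>
</head>"""

if __name__ == "__main__":
    print(find_version_leaks(BEFORE, "6.4.2"))
    print(find_version_leaks(AFTER, "6.4.2"))
```

Passing this check only means the page markup no longer states the version; keeping WordPress up to date (tip 7) is what removes the vulnerabilities themselves.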

6. Limit Access via IP Address:

You can limit access to your wp-admin panel to only the authorized IP addresses you have allowed.
To do this, create a .htaccess file inside wp-admin. If one already exists, open it and paste the following code.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Syed's IP address
allow from
# whitelist David's IP address
allow from
# whitelist Amanda's IP address
allow from
# whitelist Muhammad's IP address
allow from
# whitelist Work IP address
allow from
Note: If you want to access your wp-admin area from another place, change the IP address or add the new IP address to the .htaccess file.

7. Keep your WordPress site and plugins up-to-date:

It is really important to keep your WordPress files and all plugins updated to their latest versions, because after a new version is released, the bugs and exploits of the previous version are released as well. If you don’t update your WordPress files, your site will be insecure.
That’s all for now. I hope this article helps you to secure your WordPress site. If you think I’ve missed something or you have any other tips to secure WordPress, share them in the comments below. That will help every WordPress user. Don’t forget to share this article with your friends if you think it will help them secure their WordPress site/blog.

Happy Coding!!!