How To Stay Safe From WordPress Security Risks? (Experts Round-up)


Hi WordPress Users,

I’m glad to invite you to read this expert round-up post, which offers valuable tips to secure your WordPress blog!

WordPress security vulnerabilities: a threatening phrase, and one that makes us feel insecure as well!

If you check last month’s (October 2017) WordPress Attack Report from Wordfence, you will start thinking about ways to protect your WordPress blog or site.

Let’s get to the matter!

I reached out to 20 prolific WordPress site founders and asked them two questions:

Suggest the best practices to stay safe from WordPress security risks!

Which WordPress Security Plugin Are You Using On Your Blog/Site?

Before checking their valuable replies, let me share some helpful WordPress security strategies to keep intruders at bay!

# Begin with the WordPress Login Security

# Purchase Premium Themes like Genesis & high-powered hosting 

# Use any of the best security plugins

# Follow the basic security rules

# Implement the advanced safety methods (If needed)

# Block the suspicious IPs

# Get SSL Certificate

Now, have a look at the replies of 20 WordPress influencers on tightening WordPress security.

20 Active Bloggers Reveal Their WordPress Security Methods

1. Akshay Hallur

First, let me consider my blog. I’m hosting my blog on WPX Hosting. So, personally, I’m not using any security plugins. Why?

All WPX plans come with malware scanning, hack removal and enterprise-level DDoS protection, plus a free Sucuri premium plan with all WPX annual purchases.

Not everyone will be on WPX. Below are the tips I suggest. As always, hackers use 20% of the hacking methods 80% of the time.

The tips below are crafted accordingly.

Prevent brute force attacks

# Change the login URL from wp-login to something else.

# Change your username to something difficult to guess, other than ‘admin’.

# Use lengthy passwords that combine characters, numbers and upper/lower case letters.

# Enable captcha for login pages.

# Whitelist only your home IP and work IP to access the login page, and block all the rest. Alternatively, you can block people from China, Russia, Poland and the US from accessing your login page; this is where 80% of hackers are.

# You need to create an .htaccess file with some restriction code in it and place it under the wp-admin folder for this. Google for more info. XML-RPC is the leading cause of brute force attacks on WP.

# Use the “Disable XML-RPC” plugin.

Prevent script injection and script kiddies

# Never use nulled themes or plugins. Nothing is free. Karma hits you hard.

# Limit the use of plugins. If you can add some code to functions.php instead of using a plugin, prefer the former. Don’t ever use outdated plugins. Some WP plugins get removed from the repo but are still on GitHub; don’t install them. Ex. DRP coupon.

# Install iThemes Security – most of the others are hard on servers.

# Take special care of the wp-config.php file, where your DB creds are present.

Previously, I’ve written an exhaustive WP security guide on the same.

Another tip is that if you are hosting a site on GoDaddy (it sucks big time – even for domains) or HostGator (they themselves were hacked once), the chances of getting hacked are higher.

They may even hack your site so that you’ll opt for their malware cleaning service. Who knows? Hosting plays a very important part, because in the case of shared hosting you have limited control over your servers.

Consider switching to a better host with good support.

Woohoo! You’ve made your site 80% secure. Hope you found the advice helpful.

Visit Akshay’s Blog –

2. Jerry Low

Here are some basic tips to step up your WordPress security:

1. Always keep your WordPress plugins and themes up to date.

2. Force users to use strong passwords.

3. Ditch the default “wp-admin” and use a custom URL for login.

4. Do regular malware scans on your personal computer and web host.

5. Stick with a hosting company with a good reputation in server security.

6. No plugin is 100% safe, but you eliminate a big part of the risk by sticking with the trusted ones.

7. Subscribe to WP Scan Vulnerability Database for email alerts.

8. Only allow trusted users to upload files to your site.

9. Use SSH File Transfer instead of FTP.

Many of these practices can be automated or easily implemented. For instance, by using “Easy Update Manager” you can auto-update your plugins.

WordFence adds a firewall to your site and runs regular security scans.

As for the WordPress plugins I am using, I am actively testing new plugins and services all the time.

Right now, I use iThemes Security, Sucuri, and WordFence to safeguard WordPress sites.

Visit Jerry’s Site –

3. Pradeep Kumar

WordPress is open source and, at the same time, it’s also vulnerable sometimes. But we can prevent it easily; we just need to do the right things properly.

If you have a WordPress blog, then make sure to buy a reliable web hosting server; it is very important.

A good secure server can solve half of your problems. After that, make sure you use a good, updated theme/plugin; don’t ever think about using a pirated/nulled one just because you get it for free.

Last but not least, use a strong password which will take years to crack. You probably already know everything I mentioned, but are you following it?

To be honest, I’m not using any security plugin at the moment, but what you can do is install a security plugin and make a note of all the ‘things’ it asks you to do to secure your blog.

Then do them manually one by one if possible. For example, you can change your database table names into something secure or you can restrict other IP addresses from accessing your blog’s login page, etc.

There are many like this, but you just need to pick the ones you are comfortable with, that’s all.

Visit Pradeep’s Blog –

4. Mohan Raj

I’m using iThemes security plugin for most of my blogs.

1. You don’t need another plugin, and even their free version is enough to safeguard against the most common and advanced WordPress vulnerabilities. Just follow the setup guide after installing the plugin. Keep a proper backup before working with iThemes plugins.

2. Enable automatic updates of new WordPress versions. WordPress releases critical security updates, and it should be updated on time to safeguard our sites. If I’m out of town or don’t have an immediate internet connection, automatic updates are something of a lifesaver for me.

3. Stop using nulled products, i.e. themes and plugins. It’s not only a vulnerability but also affects your SEO rankings. Nulled products are not really free. The hackers might have added malicious code that gives backlinks from your site to sites related to gambling and casinos, which surely hurts your SEO rankings.

4. Another problem faced by people using nulled products is redirection. Once you start using such themes, your site will be redirected to some malware site or third-party advertiser sites, or random popups appear on your site. So at any cost, avoid nulled products.

5. Go for managed hosting solutions with good customer support. The $5 unmanaged hosting from DigitalOcean, Linode and Vultr might tempt you a lot, but solving vulnerabilities on your own takes your valuable time, even hours or days.

Focus on creating great content & promoting it, rather than managing the servers. If you’re an online marketer and don’t have an in-house developer, a managed hosting solution is a must for you.

Visit Mohan’s Blog –

5. Ravi Chahar

WordPress is one of the best platforms to use but you have to do it better. There are many practices which are required to harden the security.

For a WordPress newbie, it can be a little bit tricky to do everything manually. That’s why I recommend a security plugin like All In One Security. There are many other options:

  • WordFence
  • Sucuri
  • iThemes Security

But you know that configuring iThemes Security can be overwhelming. So I prefer All In One Security.

You should take the instant actions just after installing WordPress.

1. Always change the default Admin username

2. Change the database table prefix

3. Disable WordPress directory browsing

4. Disable login with an email address (Use your custom username).

5. Remove the “Lost Password” link and recover it from the database when required

6. Limit the login attempts

And if you’re the only one accessing your website from a particular IP address, then you should blacklist all the other IPs so that no one using any other IP address can log in.

If you go deeper, there are many other things which can be done. If you’re afraid to do all the things mentioned above manually, you should just install a security plugin.

Visit Ravi’s Blog –

6. Anil Agarwal

Here are the top 3 WordPress security tips I recommend everyone to protect their sites.

1. Make sure to use a proper hosting service. I had used HostGator in the past, but when my site got hacked (with bad links pointing to another site), the HostGator support team didn’t help me. Not only did I lose a lot of time and money, but I also went through a ton of pain.

So use a great and customer-friendly hosting team (I recommend WPX hosting), even if their hosting is expensive.

2. Always back up your sites. I use VaultPress and it’s worth every penny. If you’re not using any plugins or tools (there are a ton of free plugins available to back up your WP sites), you’re making a big mistake. Make sure to do daily or weekly backups of your files, just in case you lose all your data.

3. Don’t install nulled themes or plugins. Most beginners search for nulled or pirated themes and install them on their sites. This causes so much damage, as most of those theme or plugin files contain malicious code to grab your links.

So avoid them at all costs and go with the premium WordPress products!

Visit Anil’s Blog –

7. Ashley Faulkes

# To keep your WordPress website nice and safe you definitely need a security plugin. I usually use the iThemes plugin, although there are plenty of others like Sucuri which will do just as good a job.

# The trick is to reduce as many security issues as possible. And there are quite a lot with WordPress. For example, if you don’t need XMLRPC, that is a big hole in your site, so turn it off. The same goes with the recent introduction of the REST API in WordPress.

# You can also harden your site (which means make it more secure) by reducing access to certain files (i.e. wp-config.php) and adding code to directories where it is not needed (like wp_uploads). It may sound complex, but the plugins all have sections with this stuff, so it is pretty straightforward.

# If you want to get really serious, especially if you only work in a specific country/countries, you can also block a lot of known hacker countries with an IP blocker.

So, what are you waiting for, get out there and install a security plugin NOW :>

Visit Ashley’s Website –

8. Shane Barker

1.  We all know the basics such as picking long passwords with capital letters, special characters, and numbers. You probably already know that you shouldn’t use the default “Admin” username. Create a new user and pick a username that has capital letters. Provide this new user with admin privileges and then delete the old default admin user.

2.  Other basics you should know are to limit the number of login attempts available after entering the wrong password and to automatically log out idle users. You should remove password hints and add security questions to further enhance the security of your WordPress account.

3.  Your WordPress installation should always be up to date as older versions can be prone to hacking and security issues. And of course, you should only download plugins from trusted sources and keep them updated with the latest versions.

4.  One of the plugins I like to use is Rublon WordPress extension, which enables you to have a two-factor authentication and improve your WordPress security. What I like about it is that it’s different from traditional two-factor authentication plugins in that you don’t need to enter an OTP every time you want to log in. The plugin allows you to confirm your identity through a Rublon code scan or by clicking on a link.

5.  Sucuri is also a powerful security plugin for WordPress users. The plugin can audit security activity and monitor file integrity. It also conducts malware scanning remotely and has an effective security hardening capability, which significantly improves the safety of your WordPress account and your content.

6.  There’s also BulletProof Security, which can improve your firewall security and your database security as well as your login security. This plugin can be used for limiting the number of failed login attempts (which has been mentioned earlier as an important security basic). It blocks fake traffic, code scanners, and security scanners and does a lot more.

Visit Shane’s Site –

9. Adeel Sami

Well, I am a big fan of Sucuri’s WordPress plugin. Having it up and running on my blog makes me feel secure beyond my imagination. 🙂

Then comes my self-consciousness…

This is the one best practice I keep on my toes about at the time of installing any plugin.

And I look at just one thing: “Compatible with your version of WordPress”, so that kind of proves that the target plugin is somewhat secure, no?

Oh… And one more thing!

I am subscribed to the newsletters from Sucuri and WordFence as these two are the best sources to find out which plugins or WordPress things are vulnerable and need quick action to secure your WordPress sites.

Visit Adeel’s Blog –

10. Jyoti Chauhan

WordPress despite being the most popular CMS on the planet isn’t really as secure as we’d want it to be, and that’s a truth I’ve had to learn the hard way.

Anyway, some of the most basic security measures almost everyone can take without shelling out a single buck from their pockets are:

1. Updating WordPress & Plugins Frequently

WordPress in itself is vulnerable, but not as much as its Plugins, which are developed by individual developers or groups of them.

It’s comparatively easy to hack into a WordPress site using a backdoor in a plugin rather than hacking into WordPress directly. Hence, do update your plugins whenever possible.

Also, you should grab the new version of WordPress as soon as it comes out, because each is a better version than the last, with better security and fixed security loopholes.

2. Use themes and plugins only from trusted sources

A mistake most of us make in our early days is going with free, nulled themes.

Well, those who give away those themes for free don’t do so out of good-heartedness, but because, more often than not, the themes/plugins are infused with a backdoor which they can exploit anytime they want.

Hence, it’s always the best choice to go with themes from Themeforest or any other source and pay for them instead of risking months of hard work.

3. Check & Verify Plugins on the WordPress Vulnerabilities Database

It is a Sucuri-sponsored platform which has a list of all the known plugins which have vulnerabilities.

Hence, if you find a plugin installed on your site that matches this list, either update it, or delete the plugin completely if no update is available.

4. Use a WordPress Security Plugin

Finally, using a WordPress security plugin never goes out of fashion. I personally use and recommend Wordfence; it’s free but complete with all the features you’d expect from a premium plugin. Some examples are customizable security alerts, recovery tools, an anti-brute-force algorithm, etc.

Visit Jyoti’s Blog –
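Jerry Low’s tip to subscribe to the WPScan Vulnerability Database and Jyoti’s tip 3 both come down to one check: does an installed plugin’s declared version fall inside a range an advisory says is vulnerable? The script below is an added example, not code from the article or from any plugin it names. It reads the `Version:` header that WordPress itself parses at the top of a plugin’s main file and compares it against a small advisory list, giving a verdict per plugin (update, remove when no fixed release exists, ok, or unknown when the header is missing). The plugin names, versions and advisories are constructed; a real run would feed it the headers from `wp-content/plugins/*/` and the entries from the vulnerability feed.

```python
"""Flag installed WordPress plugins whose version falls inside a known-vulnerable
range. Added example, not code from the article or any plugin it mentions; the
plugin headers and the advisory list below are constructed for illustration."""
import re
from typing import Dict, List, Optional

# Constructed plugin header blocks, in the format WordPress reads from the top
# of a plugin's main PHP file (these plugins and versions are made up).
PLUGIN_HEADERS: Dict[str, str] = {
    "example-gallery": "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.2\n*/",
    "example-forms": "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 2.0.9\n */",
    "example-seo": "<?php\n/*\nPlugin Name: Example SEO\nVersion: 3.1.0\n*/",
    "example-cache": "<?php\n/*\nPlugin Name: Example Cache\nVersion: 0.9\n*/",
    "example-broken": "<?php\n/*\nPlugin Name: Example Broken\n*/",
}

# Constructed advisory list in the shape a vulnerability feed gives you: every
# version strictly below `fixed_in` is affected; None means no fixed release
# exists, so the only remedy is removal.
ADVISORIES: List[dict] = [
    {"slug": "example-gallery", "fixed_in": "1.5.0"},
    {"slug": "example-forms", "fixed_in": None},
    {"slug": "example-seo", "fixed_in": "3.0.0"},
]

# Matches "Version: x.y.z" whether or not the line carries a " * " prefix.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(header: str) -> Optional[str]:
    """Pull the declared version out of a plugin header block."""
    match = VERSION_RE.search(header)
    return match.group(1) if match else None


def version_key(version: str) -> tuple:
    """Turn '1.4.2' into a comparable tuple; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def is_older(installed: str, fixed_in: str) -> bool:
    """True when `installed` sorts before `fixed_in` (missing parts pad as 0)."""
    a, b = version_key(installed), version_key(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess_plugins(headers: Dict[str, str], advisories: List[dict]) -> Dict[str, str]:
    """Classify each plugin as 'ok', 'update', 'remove' or 'unknown' (no version)."""
    fixed_by_slug = {a["slug"]: a["fixed_in"] for a in advisories}
    verdicts: Dict[str, str] = {}
    for slug, header in headers.items():
        installed = parse_version(header)
        if installed is None:
            verdicts[slug] = "unknown"       # header unreadable: inspect by hand
        elif slug not in fixed_by_slug:
            verdicts[slug] = "ok"            # no advisory for this plugin
        elif fixed_by_slug[slug] is None:
            verdicts[slug] = "remove"        # vulnerable, and nothing to update to
        elif is_older(installed, fixed_by_slug[slug]):
            verdicts[slug] = "update"        # a fixed release exists
        else:
            verdicts[slug] = "ok"            # already at or past the fixed release
    return verdicts


if __name__ == "__main__":
    for slug, verdict in assess_plugins(PLUGIN_HEADERS, ADVISORIES).items():
        print(f"{slug}: {verdict}")
```

The comparison pads shorter versions with zeros so that `1.4` sorts below `1.4.1`, which matters for advisories that name a patch release as the fix; an `unknown` verdict means the main file had no readable header, which is itself a reason to look at the plugin more closely.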

11. Dave Schneider

All our team members have their own logins that we regularly change, so there is no one set of login credentials for our WordPress.

All these accounts have different access authority. We also regularly review our plugins to make sure they’re always updated, and so we can flag any inactive ones that we have to get rid of.

Another service we’ve used to protect our WordPress account from vulnerabilities is Sucuri. Sucuri adds another layer of security to our account by filtering for IP addresses.

So even if, for example, an unauthorized user got access to any of our login credentials, that user still won’t be able to log in if he/she is on an IP address that we haven’t whitelisted.

Visit Dave’s Website –

12. Zac Johnson

1.  WordPress security is something that everyone should be concerned about. Whether it’s updating to the latest WordPress platform or making sure that you have a secure enough password that can’t easily be guessed by an individual or software, these are all important components to keeping your website or blog safe. Even just making sure your login name isn’t set as the default of ‘admin’ can help protect your site from simple vulnerabilities and attacks.

2. At the same time, I highly recommend going with premium and trusted web hosting companies. Should you need to contact the hosting company directly if you are locked out of WordPress or having any database issues, you want to be able to get in touch with someone right away. This means having someone immediately answer your ticket support question, email or chat support, or picking up the phone right away.

3. It’s also important to make sure that you have security in your WordPress plugins as well. One of my favorite plugins and services for accomplishing this is Sucuri. It’s also important to make sure you have all of the necessary email verifications, and CAPTCHAs in place to make sure automated hackers and software can’t break into your WordPress site and gain control over all of your content and user permissions.

4. Again, this can all be better managed through better choices when choosing your web host. Don’t sacrifice your valuable website or online business to save just a few dollars a month on hosting.

Visit Zac’s Blog –

13. Joe Daley

Out of the box, WordPress is a pretty safe and secure platform, but you never know when something might happen that is out of your control or if a hacker might be able to find their way in.

One of my best recommendations is to make sure your WordPress themes and plugins are always updated to the latest version, and I also recommend investing some time and money into a third-party WordPress management service.

This is ideal for anyone that might want to continually make changes to their WordPress site, but they don’t have the technical, design or WordPress skills to accomplish it.

Many of these are available for less than $50 per month, yet ideal for anyone that wants to create a website or business using WordPress.

Visit Joe’s Site –

14. Srish Agrawal

A great way to make sure your WordPress site is always up and running is to go with a reliable web hosting solution.

There are many different hosting services out there, but they aren’t all the same in reference to security and how they can protect your site.

For just a few dollars extra per month, you can also set up daily backups, so if anything does happen to your site, you’ll have a backup available that can be restored at any time.

It’s also important to make sure you go with a web host that has great customer support.

This is key so that, in the event you do have a disaster or problem, you can get in touch with someone from support as soon as possible.

Visit Srish’s Site –

15. Tim Bourquin

Being that we currently run a number of WordPress sites ourselves, what we have found is that it’s usually a good idea not to upgrade to the latest version on the same day it comes out.

More often than not, there are going to be openings and potential vulnerabilities in these updates that haven’t been caught yet. It’s best to wait for the WordPress Community to find them and fix them before updating.

There is really no rush to use the latest WordPress update, especially when it first comes out. This is just one simple way to keep your site protected and a good rule of thumb to remember for future updates.

Visit Tim’s Site –

16. Ninja Master

If you want to keep your WordPress site safe at all times, only use trusted WordPress themes and plugins. Even though there are plenty of free themes and plugins to choose from, it’s not worth jeopardizing your site just to save a few dollars.

Also, be sure to read the reviews on whatever plugins or themes you might be using. Some of the best plug-ins out there haven’t been updated in a long time and using these can actually put your site at risk.

A good way to see what the most vulnerable plugins on the market today are is to simply start searching through Google for them.

Speaking of which, right now is a great time to update any plugins or WordPress themes on your site.

Visit This Ninja’s Blog –

17. Sam Hurley

Tip #1: ACTIVATE two-step authentication

This needs no introduction. All the biggest tech brands offer this security measure and you can use it for WordPress, too… Force not only a password — but a special code to be entered on login.

This code will be sent to your mobile, to prevent unauthorized access to your admin area. You can choose from a variety of plugins to do the job!

Tip #2: ALWAYS update WordPress to the latest version

Such a simple action can protect you from many threats.

The team behind WP are constantly publishing new patches to rectify flaws. Despite this, I can’t count the number of times I have seen client sites NOT updated … Even after many months. Keep on top of it.

Tip #3: DON’T use tons of plugins

Many third-party plugins become outdated and vulnerable to attack — Some are even manipulated to create backdoors for hackers to take a degree of control over your website.

Remain vigilant and try to custom-develop as much as you can. Too many plugins can also dramatically affect site speed.

BONUS: A great multi-purpose security plugin to try: Jetpack

Visit Sam’s Website –

18. Nirav Dave

WordPress provides air-tight security through constant updates for all its software. Nevertheless, it could be vulnerable to potential hacks and other malicious cyber threats.

Thus, here are my Top 3 best practices that can help you keep your WordPress website safe and secure.

1. Update Outdated WordPress Plugins and Themes

Updating your WordPress plugins and themes should be on the top of your WordPress security checklist. It is one of the best practices that will ensure that your site is protected from all harm.

Also, always install a plugin from the WordPress plugins repository or from reputable brands, as this would ensure that your site’s security is not compromised.

2. Use a Strong Password

One of the major reasons for a hacked website is a weak password. It leaves your site vulnerable to phishing, malware and other potential threats. Thus, ensure that you make use of a strong password made up of numbers, symbols, and other characters.

Also, if you are managing more than one website then it is best that you use different passwords for each. Plus, you can easily manage all your passwords through the use of this amazing tool called LastPass.

3. Take a Regular Backup of Your WordPress Website

Don’t just rely on your web hosting provider when it comes to backing up your WordPress website.

It is important that you take a regular backup of your entire WordPress site as well as the database so that you can get your site up and running in no time, in the event your website gets hacked. Further, backing up your WordPress site is easy thanks to plugins like BackUpWordPress and BackWPup.

4. Use a Reliable Host

Lastly, website security also largely depends on the web hosting that you are using to run your website. A reliable web host offers security in the form of an SSL certificate, password protection, IP blocking, and advanced spam and virus protection.

Thus, a good web host is another factor that can help keep your site safe. An example of a good and reliable web hosting provider is SiteGround. Now, here are a few WordPress security plugins that I use for my website.

iThemes Security – This plugin helps you generate strong passwords for your site. It protects your site against spammers through the use of Google reCAPTCHA, and automatically scans your site daily for malware and other malicious threats.

In short, it is the best WordPress security plugin when it comes to protecting your website from security loopholes and other vulnerabilities.

Wordfence Security – This plugin helps you scan your website for malware. It also offers you other benefits like login security through two-step authentication process along with protection from brute force attacks.

Sucuri Security – Offering you features like blacklist monitoring, website firewall, file integrity monitoring, malware scanning, and more, the Sucuri Security plugin keeps a track of all the activities on your site and sends you an alert in case of any security breach.

Visit Nirav’s Site –

19. Erik Emanuelli

1. Choose Alphanumeric Passwords. Make it as difficult as you can (you can always note it offline).

2. Make Regular Backups.

3. Be sure to erase unnecessary applications and files, and unused or unusable scripts.

4. Hide Back End Address.

5. WordPress is easily attackable, but you can improve your site security by installing special plugins to safely change the URL of the login form page to anything you want.

I use Wordfence WordPress Plugin!

With more than a million active installs, this is one of the most popular WordPress security plugins. It includes login security, IP blocking, security scanning, and WordPress firewall and monitoring.

Visit Erik’s Blog –

20. Santhosh Veer

Here are the tips to secure your WordPress site.

1. Choose cloud-based hosting servers

I would suggest DigitalOcean, Linode & Google Cloud for managed Cloudways.

2. Avoid nulled themes and plugins past 6 months

Most bloggers are facing vulnerability attacks due to nulled themes & plugins.

3. Use strong passwords

I recommend this site to create strong & secure passwords for your website.

Other useful tips

* Hide your admin email and username from your WordPress site.

* Hide your WordPress login errors – add the code below to your theme’s functions.php to hide the login errors:

function no_wordpress_errors() {
    // Replace WordPress's specific "invalid username" / "incorrect password"
    // messages with one generic message, so a failed login reveals nothing.
    return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

Disable email login – add the line below to your theme’s functions.php file:

// Stop WordPress accepting an email address in place of the username at login
remove_filter( 'authenticate', 'wp_authenticate_email_password', 20 );

* Change the WordPress admin login URL – recommended plugin: WPS Hide Login.

* Get regular backups and updates.

* Disable file directory listing – add the rule below to your .htaccess file:

Options -Indexes

* Clean up your WordPress header:

// ******************** Clean up WordPress Header START ********************** //

remove_action( 'wp_head', 'rsd_link' );               // Remove XML-RPC RSD link
remove_action( 'wp_head', 'wlwmanifest_link' );       // Remove Windows Live Writer manifest link
remove_action( 'wp_head', 'wp_shortlink_wp_head' );   // Remove shortlink

// Remove REST API and oEmbed discovery links
remove_action( 'wp_head', 'rest_output_link_wp_head', 10 );
remove_action( 'wp_head', 'wp_oembed_add_discovery_links', 10 );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );

// Remove the WordPress version number from the generator tag
function awts_remove_version() {
    return '';
}
add_filter( 'the_generator', 'awts_remove_version' );

// ******************** Clean up WordPress Header END ********************** //

* Use HTTPS (SSL) for your WordPress blog – an extra security layer for your WordPress site.

* If you host your WordPress site on unmanaged cloud servers (own setup), harden your site security by enabling a firewall and Fail2ban to protect your site from DDoS attacks.

* Use the latest PHP versions; recommended PHP versions are 7.0 & 7.1.

* Disable trackbacks and use the Limit Login Attempts WordPress plugin.

Visit Santhosh’s Blog –
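Akshay’s brute-force section and Santhosh’s Fail2ban bullet both rest on the same observation: password guessing against wp-login.php or xmlrpc.php shows up in the web server’s access log as a burst of POST requests from one address. The script below is an added example, not part of the article, of Fail2ban or of any plugin mentioned. It applies that rule to constructed Apache combined-format log lines: it counts failed wp-login.php POSTs (WordPress re-renders the login form with a 200 on failure, whereas a successful login redirects with a 302) and every xmlrpc.php POST per client address, and reports any address that reaches the threshold inside a sliding time window. The threshold, window and log lines are assumptions; the result is the list of addresses an admin would check and feed into a firewall rule or a Fail2ban jail.

```python
"""Spot login brute-force bursts against wp-login.php and xmlrpc.php in an
access log. Added example, not from the article or Fail2ban; the log lines,
threshold and window below are constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed Apache combined-format log lines (RFC 5737 documentation
# addresses, not a real server's traffic). One address hammers wp-login.php,
# one hammers xmlrpc.php, one logs in normally, and one fails slowly.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Nov/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2017:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2017:10:00:03 +0000] "GET /2017/11/hello-world/ HTTP/1.1" 200 15231 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2017:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.77 - - [03/Nov/2017:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.5 - - [03/Nov/2017:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2017:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Nov/2017:10:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "python-requests/2.18.4"
192.0.2.9 - - [03/Nov/2017:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "python-requests/2.18.4"
192.0.2.9 - - [03/Nov/2017:10:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "python-requests/2.18.4"
192.0.2.9 - - [03/Nov/2017:10:00:13 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "python-requests/2.18.4"
192.0.2.9 - - [03/Nov/2017:10:00:14 +0000] "POST /xmlrpc.php HTTP/1.1" 200 380 "-" "python-requests/2.18.4"
this line is not in the expected format and is skipped
203.0.113.77 - - [03/Nov/2017:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
203.0.113.77 - - [03/Nov/2017:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [03/Nov/2017:10:03:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 20112 "-" "Mozilla/5.0"
"""

# Client address, bracketed timestamp, request line and status of a combined-format entry.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def is_login_attempt(rec: dict) -> bool:
    """Heuristic: a failed wp-login.php POST re-renders the form (200), a
    successful one redirects (302); every xmlrpc.php POST carries credentials
    and is counted, since that endpoint is the brute-force transport Akshay names."""
    if rec["method"] != "POST":
        return False
    if rec["path"] == "/wp-login.php":
        return rec["status"] == 200
    return rec["path"] == "/xmlrpc.php"


def find_brute_force(log_text: str, threshold: int = 5,
                     window_seconds: int = 60) -> Dict[str, datetime]:
    """Return {ip: time} for each address that made `threshold` login attempts
    within any `window_seconds` span, keyed by when the threshold was reached."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)   # per-IP attempt times in window
    flagged: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_login_attempt(rec):
            continue
        attempts = recent[rec["ip"]]
        attempts.append(rec["time"])
        while attempts and rec["time"] - attempts[0] > window:
            attempts.popleft()                       # slide the window forward
        if len(attempts) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["time"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip} reached the threshold at {when.isoformat()}")
```

With the default threshold of five attempts in sixty seconds, the two bursting addresses are reported while the slow failer (three attempts spread over three minutes) and the legitimate user are not; the status-code heuristic is the same signal a Fail2ban filter for WordPress keys on, and lowering the threshold trades earlier detection for more false positives from users who simply mistype a password.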

Wrapping Up

Hackers can easily take control of your WordPress site!

Don’t let your site go down for any security reason. Execute the best strategies and keep your WordPress site safe.

I hope I have done my best in gathering useful strategies from these active bloggers and site founders to keep your WordPress site secure!

Do you have anything to share? Are these WordPress security tips shared by the experts useful?

How do you protect your WP site? Leave your comments below so that it would help the WordPress users!

by Nirmala
Nirmala is an avid blogger, WordPress enthusiast who has been blogging since 2010. She loves to write useful WP tips & tricks on this active blog.

10 thoughts on “How To Stay Safe From WordPress Security Risks? (Experts Round-up)”

  1. Hello Nirmala,

    Thanks for this expert roundup post on WordPress security. Security is a big challenge for blog owners, as hackers and spammers are always trying to sneak into your site. The tips shared by the WordPress experts here are very helpful. Every blog owner has to follow some precautionary steps to secure their blog.

    Have a great day 🙂

  2. People in India tend to download themes from unreliable sources, thus letting bugs enter the website and affect its working. I think Themeforest is a good option for downloading WP themes.

  3. A wonderful source of information. These security tips are really awesome. In particular, I came to know about the code to clean up the header. You did a wonderful job, as many of us are not that aware of these technical details. Thank you very much. Tweeted.

  4. Finally I got a value-packed article on WordPress security. After reading the article, I think my WordPress blog will become more secure.

    Thank you so much Nirmala Mam for writing this article…

    Before reading this article, I didn’t know how to secure a WordPress blog, but now I can say that by reading this article I got some valuable security tips.

  5. Hi,

    Thanks for this WordPress security tips article. I always thought about writing compelling content but have never articulated what’s the best way to engage your audience on a more personal level. And sure enough, what you mentioned about meaning and fascination really adds spice to the post.

    I can see how it can help differentiate you from everyone else as a writer and blogger. Great idea and I can’t wait to apply that to my writing. 😉

    Thanks for sharing!
