Web Application Security (15 Simple Tricks to Secure Your WordPress Website in 2018)

Web application security is a segment of information security that deals with website, website application and website services.

When you see two or more developers talking about wordpress, what they are nagging about is the security flaws of wordpress but what they have forgotten is that wordpress is a secured open source but it is what the website owners do with the open source that shows how secured or unsecured its gonna be.

We all know that the pitfall of open source is the security risk of it yet we can still secure such open source.

It is actually your fault if your wordpress website got hacked overnight because I will be asking you what you are doing to prevent your website from being hacked.


| Want to start an eBusiness and Grow it Globally with free IT, Legal, Internet Discounts,3 Months SME Startup Course, ePayment Integration, Biz Development Services, Free Website, Free SMS Units/Portal all done for you within 30 Days?

Start Here>> Click  >>> Start a Digital Business in Nigeria


Today, I want to list 15 tricks that you can use to secure that your wordpress website and no single attack can affect it

Before listing all the 15 tricks, I will subdivided them into 5 parts

  1. Login Page Security (Brute Force Attack Prevention)
  2. Admin Dashboard Security
  3. Database Security
  4. Hosting Setup Security
  5. Themes and Plugin Security



  1. Everyone knows the login page to the backend of any wordpress which can either be “wp-login.php” or “wp-admin.php”. What any potential hacker needs is to put it at the end of your domain name: domainname.com/wp-login.php and the login form to access your wordpress dashboard will be shown.

What I always tell people is to change it completely by using available plugin that changes the default login page to another one that you can customized like “grant_access.php”.

Popular plugin for this task is https://wordpress.org/plugins/better-wp-security  which is free.


  1. Using website lockdown and ban users


Website lockdown is an extendable features of wordpress that enables you to set the total number of invalid login and once the users exceed the count, the page is no more accessible to them again, so by so doing, you are reducing the number of password guessing and possible attacking from the hackers.

Popular plugin for this task is https://wordpress.org/plugins/login-lockdown which is free.


Do you want to learn how to get over 10,000 website traffic TODAY: On-Page SEO: Comprehensive Guide to Land Google No 1 Position



  1. Using 2-Factor Authentication


This method is not common among website users due to its complexity but it is the best and reliable means of securing your website from attacks. 2-Factor Authentication is the type of two ways of protecting website by setting two different layers of passcode that needs to accurate before the access can granted. It can be regular password with security questions asked in step by step. You need to know the two before you can be granted permission.

Learn and Earn More-   Embedding media in HTML5

Popular plugin for this task is https://wordpress.org/plugins/miniorange-2-factor-authentication which is free.

  1. Password Changing Frequently

It is good and better when you are changing your wordpress login password frequently because no one knows the place where the password can be breached and since we are changing regularly, then we don’t need to be afraid of any data breach.

Popular plugin for this task is https://wordpress.org/plugins/password-generator



We all know that the juicy part of a wordpress powered website is the admin dashboard page where all the website functionality resides and the aim of every hackers is to gain access to the juicy page.


Listed below are the ways you can secure the admin dashboard from being hacked.


  1. Wp-admin directory


As I said, wp-admin directory is the heart of any wordpress website and the first point of action should be how it will be secured and protected from any potential hacking. My best way of securing the wp-admin is to password-protect the directory by using two factor authentication system or even not be accessible to the public with logging in.

The popular plugin for the task is https://wordpress.org/plugins/askapache-password-protect/


  1. Installing SSL


Once you are about to go online with that wordpress website you have built, the first thing to do is to install SSL on the domain name so that all the data and information transferred will be encrypted.

Many website hosting platforms offer free ssl to use like https://www.siteground.com/codeinwp-special?afcode=b1d0f6820e046c19802d21f3b46eb61d&campaign=letsencrypt once you buy a hosting plan.



Do you want to learn how website security works: Ethical Hacking and Website Security



  1. Changing Admin Username


It is now becoming steady practices among new wordpress users now by still using default wordpress username “admin” when doing installation and they will not even bother to change it. Let me tell you something today, if you left your username as admin then you just made the job of the hacker to be half done since he will not be thinking of knowing the username again just only the password.

Whenever you are doing any new wordpress installation, always make sure that you are not using “admin” or anything guessable by the hacker.

I can’t tell the countless now of times I have checked my website log and “admin” keeps on pop up in the log.

Guess what would have happened, if I have used admin as the username.

  1. Monitor Your Files
Learn and Earn More-   Affordable Norton Antivirus, Bitdefender, AVG Softwares:Abuja, Portharcourt, Lagos, Kaduna, Nigeira and Worldwide delivery


This is another overlooking stage of securing wordpress website nowadays. Do you know that many plugins has been injected with malicious codes by fetching a malicious file from another source and replace it with the one that you have inside your wordpress files. If you are monitoring the size of the files, then you can easily say when a file has being compromised.

Popular plugin used in monitoring files is https://wordpress.org/plugins/wordfence/



All of your website’s data is inside the database and securing them is as crucial as anything.

  1. Changing the WordPress table prefix

During the process of installing the wordpress content, we are presented with the option of changing the prefix name for the table e.g. “wp_” to another one that we like but we always neglect it and proceed with the default table prefix. If you have already done the mistake before now, you can use this plugin to rename the table prefix: https://wordpress.org/plugins/wp-dbmanager/ but make sure that you backup all your databases before you use it


  1. Backing Up of Website Regularly


It is good and better to always backup your WordPress website regularly to prevent the story that touches the heart.


It is safe to have a backup of your website so that you can have a restoring point when anything happens.

Popular plugin you can use is https://wordpress.org/plugins/backupwordpress/


Do you want to learn how website security works: Ethical Hacking and Website Security


  1. Setting Strong Username, Password, Database name when configuring your WordPress Website


Setting powerful and strong password for the database is a must because nobody wanted to be the victim of brute force login.

When setting that password, username and database name, always choose a name that is not guessable.



When you are about to put your website into public domain, then hosting comes in and you will start to be researching on the best hosting plan to use.


  1. Wp-config File Protection


Wp-config is a file that contains all your website configuration variables like username, password and database name. You need to protect as much as you can so that nobody can read it.

The best way to do it now is to move that config file to the upper level directory and the happy news is that due to the current wordpress architecture, the structure can still access your config file at the upper level



Do you want to learn how website security works: Ethical Hacking and Website Security



  1. Disallowing File Update/Edit

If your wordpress user can access the wordpress dashboard, then they can edit any files on the dashboard which means that any hacker who gain access to your dashboard can also gain edit your files as well.

Learn and Earn More-   Facts about native advertising you never knew

The perfect solution is to disable the file edit option by adding a single line of code at the end of your wp-config.php file


                define(‘DISALLOW_FILE_EDIT’, true);


  1. Disallowing File Directory Listing

Another thing that you needed to do to secure your website is to not allow file directory access to be done.

For example, let say you created an image directory “images’ and someone types domainname.com/images, all the images inside the images folder will be displayed to the visitor and the best way to prevent it is by either disallowing it from .htaccess file or by dropping “index.html” file inside the images folder.


Themes and plugins are the essential flavors of the wordpress website since they are the building blocks of the website and securing them should not be neglected.


  1. Updating Regularly

Themes and plugins should be updated regularly since they are always updated per version by the developers who developed them and the initial version might have gotten a bug or loophole that needed to be patched so that any wordpress website using it will not be put into risk of being hacked.


If the developers can do their own part, then tell me why ours will be delayed.



No matter the wordpress website you are building today or built in the past, it is good to follow the steps by steps on how to secure that your website.


Do you want to learn how website security work: Ethical Hacking and Website Security


Thanks for reading!


| Want to start an eBusiness and Grow it Globally with free IT, Legal, Internet Discounts,3 Months SME Startup Course, ePayment Integration, Biz Development Services, Free Website, Free SMS Units/Portal all done for you within 30 Days?

Start Here>> Click  >>> Start a Digital Business in Nigeria




Author: SouTech Team
Soutech Ventures is primarily an Information Technology Firm, which was created to be the numero uno in business promotion development & implementation, eBusiness & IT systems integration and consultancy industry of the Nigerian Economy and to partners worldwide. Our Core strengths are - Tech Trainings and Certifications - Data Analytics and Cybersecurity Solutions - Software Development & Deployment for SME & Govt. - Tech Internship, HR & Partnerships
WhatsApp chat