If you’ve just launched a new WordPress website (or even if you’ve had one for a while), one thing you cannot ignore is security.
WordPress powers over 40% of the internet — which unfortunately makes it a favorite target for hackers.

But don’t worry — protecting your site isn’t complicated if you follow the right steps.
In this guide, I’ll walk you through exactly how to secure your WordPress website properly, even if you’re just getting started.

Let’s dive in!

1. Essential First Steps (Critical for a New Website)

• Use a Secure Hosting Provider
  Choose a reputable hosting company that offers WordPress-specific security (e.g., Cloudways, Kinsta, SiteGround).
• Keep WordPress Core, Themes, and Plugins Updated
  Always apply updates ASAP — vulnerabilities are patched via updates.
• Install a Security Plugin
  Examples:
  • Wordfence
  • Sucuri Security
  • iThemes Security
  • All In One WP Security & Firewall
• Change Default “admin” Username
  Never use “admin” as your username. Create a unique administrator account.
• Use Strong Passwords Everywhere
  Force strong passwords for:
  • Admins
  • Editors
  • Users
    (Use a password manager like Bitwarden, 1Password.)
• Limit Login Attempts
  Plugins like Limit Login Attempts Reloaded help block brute-force attacks.
• Install SSL Certificate (HTTPS)
  Must have! SSL encrypts data between visitors and your server. → Most hosts provide free SSL with Let’s Encrypt.

---

2. Strengthen Admin Area

• Change Login URL
  Hide your yoursite.com/wp-login.php with plugins like WPS Hide Login.
• Use Two-Factor Authentication (2FA)
  Add a second login step (like OTP via email or an authenticator app).
• Enable Auto Logout for Idle Sessions
  Auto logout inactive users after a certain period.
• Restrict Admin Area Access by IP
  In .htaccess or via plugins, allow admin dashboard access from only your IP address.
• Disable File Editing via Dashboard
  Add to wp-config.php: define('DISALLOW_FILE_EDIT', true);

---

3. File and Server Protection

• Set Correct File Permissions
  • wp-config.php → 400 or 440
  • Folders → 755
  • Files → 644
• Secure wp-config.php File
  Move it one level up from the WordPress root directory if your host allows.
• Disable Directory Listing
  In .htaccess add: Options -Indexes
• Protect .htaccess and wp-config.php
  Example for .htaccess: <files wp-config.php> order allow,deny deny from all </files>
• Disable PHP Execution in Certain Folders
  (like /uploads/, /wp-content/) by adding this .htaccess inside those folders: <Files *.php> deny from all </Files>

---

4. Protect Plugins and Themes

• Only Install Trusted Plugins/Themes
  • From WordPress.org or reputable developers
  • Avoid “nulled” (pirated) plugins — they are full of malware.
• Delete Unused Themes and Plugins
  Deactivate and delete them, don’t just disable.
• Regularly Review Installed Plugins
  Fewer plugins = smaller attack surface.

---

5. Web Application Firewall (WAF)

• Use a WAF at the hosting or plugin level.
  Some options:
  • Cloudflare (free basic firewall)
  • Sucuri Firewall
  • Wordfence Firewall

---

6. Backup Your Website Regularly

• Automate Daily or Weekly Backups
  Tools:
  • UpdraftPlus
  • BlogVault
  • BackupBuddy
• Store Backups Offsite
  (Dropbox, Google Drive, or an external server — not just on your web server.)

---

7. Monitor and Audit

• Monitor Website Activity Logs
  See who logs in, what changes they make, plugin installations, etc.
  (Plugins like WP Activity Log)
• Scan for Malware Regularly
  Wordfence, Sucuri, MalCare offer regular scanning.
• Set Up Alerts
  Get email alerts for login failures, file changes, or unusual activity.

---

8. Bonus Pro Tips (for even better protection)

• Geo-block high-risk countries (if not serving them) using Cloudflare or a WAF.
• Prevent Hotlinking (people embedding your images) via .htaccess.
• Use CAPTCHA on Login, Registration, and Comments
  (Like Google reCAPTCHA)
• Security Headers
  Add headers like Content Security Policy (CSP), X-Frame-Options via plugins or server configuration.
• Regularly Pen-test Your Website
  Use tools like WPScan, or even hire ethical hackers for vulnerability assessments.

---

9. Block Access via .htaccess (Apache Servers)

1. Edit your .htaccess file (located in your WordPress root directory).
2. Add the following code to block direct access to the /wp-includes/ directory and disable directory listing:

# Block access to wp-includes
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Disable directory listing
Options -Indexes

1. Save the file and test by visiting https://shabair.com/wp-includes/. You should see a 403 Forbidden error.

---

Quick Checklist for Securing a New WordPress Website

Here’s a super simple starter plan:

• Install free SSL certificate (HTTPS).
• Install Wordfence security plugin.
• Hide login URL and limit login attempts.
• Set strict file permissions.
• Set up daily backups (UpdraftPlus).
• Enable two-factor authentication (2FA).
• Monitor site activity with a security plugin.

---

Final Thoughts

Website security isn’t optional anymore.
The internet is filled with bots and hackers constantly looking for vulnerabilities.
By following the steps above, you’ll protect your WordPress website from 99% of common attacks — and sleep easier at night.

And remember: it’s always cheaper (and less stressful) to prevent an attack than to recover from one. 🛡️

Stay safe, and happy building!

---