How to Secure Your WordPress Site (Security 101)

Think of your website like a house. You don’t just need a strong front door; you need to make sure you aren’t leaving the windows open.

1. The “Golden Rule”: Update Everything

Hackers love “vulnerabilities”—holes in the code of outdated plugins, themes, or WordPress core. An old plugin with a known bug is the most common way a WordPress site gets broken into, because the bug is public and bots scan for it automatically.

  • Action: Check your Dashboard > Updates weekly, and remove plugins and themes you no longer use. Deactivated code can still be exploited if the files are on the server.
  • Pro Tip: WordPress already installs minor core (security) releases automatically; leave that on. In Plugins > Installed Plugins you can also turn on auto-updates per plugin. Apply major core updates manually, ideally on a staging copy first, so you notice if your layout breaks.

2. Lock the Front Door (Authentication)

If your username is “admin” and your password is “password123,” a bot will break in within minutes.

  • Change the Username: Never use “admin.” WordPress does not let you rename a user from the dashboard, so create a new user with a unique name, give them “Administrator” rights, log in as that user, and delete the old “admin” user. When deleting, choose “Attribute all content to” the new user so no posts disappear. Keep in mind that usernames are not secret (author pages and the REST API can reveal them), so this step only raises the cost of guessing; the strong password and 2FA below do the real work.
  • Enable 2FA: Use a plugin like WP 2FA or Wordfence. Even if someone steals your password, they can’t get in without the code on your phone.
  • Limit Login Attempts: WordPress core has no rate limit, so by default an attacker gets unlimited guesses. Use a plugin to lock an IP out after a handful of failed tries (3 to 5) for a growing period of time. Check that the plugin also covers xmlrpc.php, which accepts the same username and password and is a favourite target for brute force because the login form’s protections do not apply there.

3. Install a “Digital Security Guard”

A dedicated security plugin acts as a web application firewall (blocking known attack patterns before they reach your code) and a malware scanner (comparing your files against known-good copies).

  • Wordfence (Highly Recommended): It includes an endpoint firewall and a malware scanner that specifically looks for WordPress-related threats.
  • Sucuri: Excellent for high-traffic sites and offers a cloud-based firewall.

4. Hide Your Files (The .htaccess Trick)

On Apache, you can stop the web server from ever serving your core configuration file, and from listing the contents of your folders, by adding a few lines to the .htaccess file in your WordPress root. This only works if your host allows .htaccess overrides; nginx ignores .htaccess entirely and needs the equivalent rules in its server configuration.

# Block access to wp-config.php (Apache 2.4 syntax; on the older Apache 2.2
# use "order allow,deny" and "deny from all" inside the same block)
<Files wp-config.php>
    Require all denied
</Files>

# Disable Directory Browsing
Options -Indexes

The first rule makes Apache answer “403 Forbidden” to anyone who requests wp-config.php directly. The second stops Apache from showing the list of files in any folder that has no index file (wp-content/uploads/ is the usual offender), which is like closing the curtains so people can’t see your valuables. If your site shows a “500 Internal Server Error” right after the change, your host does not allow the Options directive in .htaccess; remove that line and ask them to disable directory listings for you.
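To confirm the rules actually took effect, here is an added check (example code, not from the article or from any plugin it mentions). It requests wp-config.php and a few content directories and reports whether each came back blocked, as a normal page, or exposed. BASE_URL, the probe list and the strings used to recognise an Apache directory listing are assumptions; point it at your own site before running.

```python
"""Check whether the .htaccess hardening above actually took effect.

Added example, not part of the original article. It fetches a handful of
URLs and classifies the responses. BASE_URL and PROBES are assumptions;
replace them with your own site and the folders you care about.
"""
from typing import Dict, Tuple
import urllib.error
import urllib.request

BASE_URL = "https://example.com"  # assumption: replace with your site

# Paths to probe: the config file the <Files> block should hide, and a few
# directories that "Options -Indexes" should stop from listing.
PROBES = [
    "/wp-config.php",
    "/wp-content/uploads/",
    "/wp-content/plugins/",
    "/wp-includes/",
]


def classify(path: str, status: int, body: str) -> str:
    """Turn one HTTP response into a verdict for the hardening check.

    Returns "exposed" when the response leaks what the rule should hide,
    "blocked" when the server refused it (403) or has nothing there (404),
    and "ok" for an ordinary response (e.g. a 200 on a directory that has
    its own index.php, or the empty page PHP produces for wp-config.php).
    """
    lowered = body.lower()
    if path.endswith("wp-config.php"):
        # Normally PHP executes wp-config.php and outputs nothing. The leak is
        # when the raw source comes back (PHP misconfigured or disabled), so
        # look for PHP tags or the credential constants in the body.
        if status == 200 and ("db_password" in lowered or "<?php" in lowered):
            return "exposed"
        return "blocked" if status in (403, 404) else "ok"
    # Apache's auto-generated listing has a recognisable title and a
    # "Parent Directory" link; a real page has neither.
    if status == 200 and ("<title>index of /" in lowered or "parent directory" in lowered):
        return "exposed"
    return "blocked" if status in (403, 404) else "ok"


def fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET a URL and return (status, body). HTTP error responses (403, 404)
    are returned like any other, since they are the expected outcome here."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-hardening-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def run_checks(base_url: str = BASE_URL) -> Dict[str, str]:
    """Probe every path under base_url and return {path: verdict}."""
    results = {}
    for path in PROBES:
        status, body = fetch(base_url.rstrip("/") + path)
        results[path] = classify(path, status, body)
    return results


if __name__ == "__main__":
    for probe_path, verdict in run_checks().items():
        print(f"{verdict:8} {probe_path}")
```

Run it once before and once after editing .htaccess: the goal is “blocked” for wp-config.php and no “exposed” line for any directory. A directory that reports “ok” has an index file of its own, which is fine.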

5. Always Have a Safety Net (Backups)

Security isn’t 100% foolproof. If things go wrong, a backup is your “Undo” button, and it is only an Undo button if it includes both the files (wp-content in particular) and the database, which is where your posts, pages and users live.

  • Plugin: UpdraftPlus is a widely used choice that can schedule both file and database backups and send them to cloud storage.
  • Rule: Store your backups off-site (e.g., Google Drive or Dropbox), not just on your web server. If the server gets hacked, the attacker can delete or encrypt anything stored on it, but the off-site copy stays safe. Test a restore at least once so you know the backup actually works before you need it.
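For readers who prefer a script to a plugin, here is an added example of the same idea (written for this article; it is not the article’s own procedure nor UpdraftPlus code). It archives the WordPress directory and a database dump, writes a SHA-256 checksum beside the archive so a truncated or tampered copy is detectable before a restore, pushes both files off-site, and prunes local copies older than a retention window. The paths, the rclone remote name and the mysqldump credentials file are assumptions for illustration.

```python
"""Nightly WordPress backup with checksum, off-site copy and retention.

Added example, not from the article or from UpdraftPlus. WP_ROOT, BACKUP_DIR,
OFFSITE_REMOTE, the database name and the credentials file are assumptions.
"""
import datetime as dt
import hashlib
import subprocess
import tarfile
from pathlib import Path
from typing import Iterable, List

WP_ROOT = Path("/var/www/html")          # assumption: WordPress install dir
BACKUP_DIR = Path("/var/backups/wp")     # assumption: local staging dir
OFFSITE_REMOTE = "gdrive:wp-backups"     # assumption: an rclone remote you configured
DB_DEFAULTS = Path("/root/.my-backup.cnf")  # assumption: [client] user/password, mode 0600
KEEP_DAYS = 14
STAMP_FORMAT = "%Y%m%d-%H%M%S"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (archives can be larger than RAM)."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def checksum_path(archive: Path) -> Path:
    """Sidecar name: wp-<stamp>.tar.gz.sha256 (with_suffix would drop only .gz)."""
    return archive.parent / (archive.name + ".sha256")


def dump_database(out_file: Path, db_name: str, defaults_file: Path) -> None:
    """Run mysqldump with credentials read from a defaults file, never from
    argv: command lines are visible to every user on the host via ps."""
    with out_file.open("wb") as fh:
        subprocess.run(
            ["mysqldump", f"--defaults-extra-file={defaults_file}",
             "--single-transaction", db_name],
            stdout=fh, check=True,
        )


def build_archive(source_dir: Path, dest_dir: Path, stamp: str,
                  extra_files: Iterable[Path] = ()) -> Path:
    """Create <dest_dir>/wp-<stamp>.tar.gz from source_dir plus extra files
    (e.g. the SQL dump) and write a sha256sum-style sidecar next to it."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"wp-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=source_dir.name)
        for extra in extra_files:
            tar.add(extra, arcname=Path(extra).name)
    checksum_path(archive).write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def verify_archive(archive: Path) -> bool:
    """Re-hash the archive and compare with its sidecar. Run this after the
    off-site copy lands and again before any restore."""
    sidecar = checksum_path(archive)
    if not sidecar.exists():
        return False
    expected = sidecar.read_text().split()[0]
    return expected == sha256_file(archive)


def prune_old_backups(dest_dir: Path, keep_days: int, now: dt.datetime) -> List[str]:
    """Delete wp-*.tar.gz archives (and sidecars) whose timestamp in the file
    name is older than keep_days. The name is used rather than mtime because a
    copied or touched file would otherwise look new. Returns removed names."""
    removed = []
    cutoff = now - dt.timedelta(days=keep_days)
    for archive in dest_dir.glob("wp-*.tar.gz"):
        stamp = archive.name[len("wp-"):-len(".tar.gz")]
        try:
            when = dt.datetime.strptime(stamp, STAMP_FORMAT)
        except ValueError:
            continue  # not one of ours; leave it alone
        if when < cutoff:
            archive.unlink()
            sidecar = checksum_path(archive)
            if sidecar.exists():
                sidecar.unlink()
            removed.append(archive.name)
    return sorted(removed)


def copy_offsite(archive: Path, remote: str) -> None:
    """Push the archive and its checksum with rclone (assumption: rclone is
    installed and `remote` is a configured remote such as Google Drive)."""
    for f in (archive, checksum_path(archive)):
        subprocess.run(["rclone", "copy", str(f), remote], check=True)


def main() -> None:
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    stamp = now.strftime(STAMP_FORMAT)
    BACKUP_DIR.mkdir(parents=True, exist_ok=True)
    dump = BACKUP_DIR / f"db-{stamp}.sql"
    dump_database(dump, "wordpress", DB_DEFAULTS)  # assumption: DB is named wordpress
    archive = build_archive(WP_ROOT, BACKUP_DIR, stamp, extra_files=[dump])
    dump.unlink()  # the dump now lives inside the archive
    copy_offsite(archive, OFFSITE_REMOTE)
    for name in prune_old_backups(BACKUP_DIR, KEEP_DAYS, now):
        print("pruned", name)
    print("backup ok:", archive, verify_archive(archive))


if __name__ == "__main__":
    main()
```

Schedule it from cron as root (the dump needs to read wp-config-equivalent credentials and the archive needs to read every file WordPress owns), and keep the staging directory outside the web root so the archive itself cannot be downloaded through the site. Retention is pruned only locally; set the matching lifecycle rule on the cloud side so the off-site copies do not grow forever.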

Security Checklist for 2026

Task                     Frequency   Priority
Update Plugins/Themes    Weekly      High
Off-site Backups         Daily       Critical
Audit User Accounts      Monthly     Medium
Malware Scan             Weekly      High
