The Complete WordPress Security Guide 2019

03.12.2019 1 comment

It may sound cliché but true that numbers do not lie. Particularly if it is about WordPress.

Let us take a look at some of the statistics:

  • Globally, total number searches for the keyword “WordPress” is a whopping 37 million per month. 
  • Out of the top 100 websites in the world, 14.7% use WordPress. 
  • Nearly 297,629 of the top 1 million websites use WordPress. 
  • WordPress has a 50-60% share of the CMS market in the world.

~ Source:

The statistics above gives us a glimpse as to how large the market for WordPress has grown, and it is growing even faster every day.

Bigger growth and opportunities in the virtual world bring in an even bigger threat. Security threat, to be precise. Malicious threats are constantly trying to sneak into WordPress sites to make things go haywire.

So, if you have a WordPress website, one of the first things that should be in your checklist is WordPress security.

In this post, we would talk about how to make WordPress more secure, and improving security by use of WordPress plugins and other measures for a proactive approach.

Before getting into the security part, let us talk about some basics of WordPress. In simple words, WordPress is an open source system to manage content. It is also the easiest to use. Even a beginner can learn the basics and manage a WordPress website.

The content management system in WordPress allows users to post and manage blogs without any knowledge of programming.

What Will Change in WordPress in 2019

Security Update

As WordPress is the fastest growing CMS, changes and upgrades happen every year.

So, what are the changes in 2019 that you need to know?

First, a major update is from the WordPress support team. The company, as part of its ongoing security improvements, rolled out a change effective from January 10, 2019. This is about users’ gateway account, where specific characters will be replaced with spaces if sent to the gateway.

Going forward, transactions containing certain characters listed (see the table below) will be replaced with space (‘ ‘) before the transactions are saved in the WordPress systems or passing the transaction data to the back-end payment processor.

 Invalid Character Inputs

Char Representation ASCII Value(s)
Non-printable characters 0 – 31

What Should You Do?

You do not have to take any action if your systems do not send any of the listed characters in transaction data. If your systems use these characters, then you must remove them right away. 

WordPress 5.1 Beta 1

WordPress always enhances itself and thriving for better. After WordPress 5.0 in 2018, now WordPress 5.1 Beta 1 is available. However, the company does not recommend to run it right now on production sites as the version is still in the development phase. The 5.1 version will be available from Feb. 21, 2019.

The WordPress 5.1 Beta 1 features Site Health Check that focuses on security, stability and performance improvements in the entire WordPress system. The software will prevent bad code from running and will allow users to log an issue in their Dashboard. 

For testing the new version, you can try the WordPress Beta Tester plugin or download from the WordPress itself here.

Preparing for WordPress Security in Easy Steps (No Coding)

WordPress security can be confusing for users, particularly for beginners. Questions that naturally crop up are – “How to secure my website?” “Which steps to follow?” “Is it complex?”

In this section, we will talk about getting ready for WordPress security for which no coding knowledge is required. Let us begin.

Step 1: Use SSL for Website

After building your WordPress website, the first thing you should do is to buy Secure Sockets Layer or SSL protection.

SSL encrypts all the data or information sent to and from your website. In this way, the data that visitors share while signing into your site remains secure.

Also, keep in mind that from July 2018, Google has started flagging websites without SSL as unsafe. That is why you need to get the SSL for your site right away.

Also, if you find any website URL suspicious, put in on the Google search, and see if the search result is showing an alert.

Use SSL for Website


If a site is safe, the site URL will start with https:

with https

A website that does not have SSL certificate will begin with http.

Step 2: Use a Reputable Hosting Service Provider

Another important step is choosing a reputable hosting service provider that ensures a secure environment for your website.

There are numerous leading hosting service providers such as Blue Host, Hostgator, GoDaddy and others from which you can buy your hosting plan. Secure hosting takes care of the issues like daily backups and regular updates with their proprietary security technology.

Step 3: Change the ‘Admin’ User ID & Make a Strong Password

When you buy a WordPress domain, you will receive a default user name that says ‘admin’ and hackers are well aware of it. This is why keeping this user name is a huge security threat.

First, change the user name to something that only you can remember. The next step is choosing a strong password with combination capital letters, small letters, and special characters. The reason to choose a strong or a very strong password is simple. First, it will prevent hackers to crack your password through brute-force method. Even hackers get into your site, they will find it tough to crack the password.

Generally, it safer to choose passwords comprising a minimum of 12 characters with symbols and characters that are difficult to guess.

You can change the default user name by using a WordPress plugin or the Users link of WordPress website dashboard. Change the User ID

If you click All Users, you will see the current user (s) name. Though you cannot change user name from here, you can delete the user names.


You can add a new user name by clicking Add New.

Step 4: Put a Limit on Login Attempts

WordPress has no limit when it comes to the number of times users can attempt to log in, and this may pose a threat as hackers can use many combinations to crack the password.

To prevent unauthorized login attempts, you need to limit the number of attempts, you can simply install a plugin like Limit Login Attempts or WP Limit Login Attempts.

Step 5: Implement 2-Factor Authentication (2FA)

Using 2-factor authentication (2FA) will provide an additional layer of security to your login credentials. This type of authentication requires a piece of second-factor information that only a user can provide. For example, verifying a passcode sent to the registered cell phone will make it virtually impossible for a hacker to log in and steal the user information.

Step 6: Add Security Questions to WordPress Login Screen

Add a security question and answer to your WordPress login screen. It will make your login security foolproof.

You can search on the Add New plugin page with the keyword “security question,” and it will pull up relevant plugins. Check their ratings/reviews and install one.

WordPress Login Screen


Step 7: Prevent Phishing

Phishing is a popular technique among hackers to lure users into a malicious website. First hackers will send an email to users with a link to sign in to a service. However, they sign into a harmful website and collect personal information such as password and credit card number.

To prevent phishing, the first thing you should do if you receive emails with a link, check the domain name carefully and do not simply login to provide any personal data.

Prevent Phishing

WordPress Security Tips for DIY Users

Here are a few basic do-it-yourself (DIY) tips if you are WordPress user.

  • Install Quality WordPress Security Plugins:

We all know that plugins are the most useful features of WordPress. There are thousands of open source plugins available on the WordPress repository. However, before installing a security plugin, check ratings and feedback to learn about it.

Install the following types of plugins to keep security threats at bay:

  • WordPress Antivirus: There is a wide range of WordPress plugins available offering features such as firewall, virus and malware scan. Install one to provide complete security to your site.
  • WordPress Backup: Get daily or weekly data backup of your site to avoid any data loss in the case something wrong happens. With complete backup, you can regenerate your website with all the important databases and files. You can use any of the popular plugins like Jetpack,  BackWPUp or BackupBreeze.
  • Change Comment Settings

In your WordPress site’s admin page, go to Settings >> Discussion where you will see the comment settings.

Change Comment Settings


  • Uncheck the option that says, “Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.” This a common source of spam.
  • Enable “Comment author must fill out name and email” as it will let you know about the source of the comment.
  • In the “Automatically close comments on articles older than” option, choose the number of days after which comments will automatically be closed. This will filter out spams to a large extent.

You can also install plugins like Akismet to filter spammy comments.

WordPress Security Checklist

The breakdown of WordPress security issues is shown in the screenshot below:

wp statistic

Source: Wordfence

Here is a checklist that you can follow for WordPress security:

WordPress Security Checklist

Source: TradePub (Free Database) ______________________________________________________________________________

Written by:

Sanjeev loves everything about WordPress. Always in constant search for new tools and Plugins keeps him hungry all the time. He spends his day brainstorming new ideas about new plugins and themes on WPeka and CyberChimps.  You can follow him on his personal WordPressblog.

1 comment

Your comment was successfully sent and awaits moderation.

Server is not replying. Please try later.

You already have this product in your basket

Please delete it before you add a new copy.

You added this product in your basket.

Thank you for Your choice.