WordPress Recommended Security Steps

WordPress is the simplest and most popular way to create a website or blog. In fact, WordPress powers over 42% of all websites on the Internet. That same popularity is also why it is the number one platform targeted by website exploitation and attacks.

Here are the standard security steps we follow at Mega Cat Studios to prevent these exploits and to minimize attacks.

Plugins To Install

WordPress provides a dashboard page for making all the edits and changes you'd want to the website, but it doesn't stop there: you can also view and edit the code base of the whole site and its database. BUT you shouldn't make edits to the code base or the database!

  • One small mistake could crash the whole site.
  • Changes made this way are hard to maintain: you'd be the only one who knows about them, and you'll most likely forget them yourself after a few months, so in the future nobody will know what was changed in the code base.
  • Finally, such edits can cause issues when updating the WordPress version of the website and can crash the whole site.

So, the solution for making changes to WordPress sites is plugins! With plugins, you can do almost everything you'd need to do in WordPress.

UpdraftPlus

The first step is BACKUP: nothing else will matter if the site goes down and needs to be restored but we don't have a backup.

The plugin we use in the company for backing up our WordPress sites is UpdraftPlus.

It creates backups of the website files and also of its database.

Install it on the website and create backups of the website monthly.

Limit Login Attempts Reloaded

Second is login security. Hackers don't find new WordPress sites manually; they already have automated scripts and bots that scan the whole web, and once a site is found, they automatically launch a brute-force attack against it.

Limit Login Attempts Reloaded is usually preinstalled and already set up on our WordPress sites for this reason. But if it isn't installed yet, install it immediately, and always use strong passwords on user accounts, especially admin accounts.

All-In-One Security

Next, install an all-purpose security plugin like All-In-One Security for extra security features. Another recommended security plugin is Wordfence, a more hands-on plugin that sends notifications when there is a high rate of attacks and when security updates are available for the installed plugins and theme.

WPCode

To insert custom code without touching the source code, install WPCode.

Aside from letting you write your own code and insert it into the website safely, it also has a library of the most common scripts used on WordPress websites.

Enable these scripts from the library to put a cherry on top of our security:

  • Disable Login Error Messages
  • Disable wp_xmlrpc
  • Disable REST requests
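To show what these three library snippets actually change, here is an added example written directly against WordPress hooks. It is not the page's or WPCode's own code; the filter and action names (login_errors, xmlrpc_enabled, wp_headers, rsd_link, rest_authentication_errors) are real WordPress core hooks, while the message strings and the error code name are our own choices.

```php
<?php
/**
 * Added example (not from the page or the WPCode library): the effect of the
 * three WPCode library snippets above, expressed as WordPress hooks.
 * It can be pasted into a WPCode "PHP Snippet" or a site-specific plugin.
 */

// 1. Disable Login Error Messages.
// By default wp-login.php reports different messages for an unknown username
// and for a wrong password, so failed logins reveal which usernames exist.
// Return one generic message so every failure looks the same.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid login credentials.';
} );

// 2. Disable XML-RPC (wp_xmlrpc).
// xmlrpc.php is a second, scriptable login endpoint that brute-force bots use
// because it bypasses the normal login form. Most sites never need it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Also stop advertising the endpoint in the HTTP headers and in <head>.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 3. Disable REST requests for visitors who are not logged in.
// The public REST API exposes user listings and other site data to anyone.
// Require an authenticated session for every REST request; logged-in users
// (and therefore the block editor in the dashboard) keep working.
add_filter( 'rest_authentication_errors', function ( $result ) {
    // Another filter already produced an error or an explicit true: keep it.
    if ( ! empty( $result ) ) {
        return $result;
    }
    if ( ! is_user_logged_in() ) {
        // 'rest_not_logged_in' is our own error code name.
        return new WP_Error(
            'rest_not_logged_in',
            'You must be logged in to use the REST API.',
            array( 'status' => 401 )
        );
    }
    return $result;
} );
```

After enabling the REST restriction, test the public pages of the site: any front-end feature that calls the REST API anonymously (some contact form, comment or search plugins) will start receiving 401 responses and needs to be either whitelisted in the filter or replaced.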

Optional: WPS Hide Login

Brute-force bots usually carry a list of common WordPress admin login URLs that they try to attack once they discover your website. One way to prevent this is to change the admin login URL.


That is all for our standard security setup for our WordPress sites. Depending on the situation, you might need additional features that aren't available in the plugins listed here. Remember that you can always search for a plugin that has the feature you're looking for, and/or create it yourself and insert it using WPCode.
