Google Cloud Compute Engine

How to Secure your WordPress in 2019

Disclosure: This post may contain affiliate links, which means we may receive a commission if you click a link and purchase something that we recommended.

Pinterest LinkedIn Tumblr

How to Secure your WordPress in 2019. WordPress is the most widely used Content Management System in the internet world. Because of its popularity and Open Source, many hackers began to target WordPress websites.

If you don’t take the precautions you will end up with your site hacked. In this guide, we will share the Best Effective Tips to keep your WordPress website secure.

01. Choose a Good Host

Hosting is the most important aspect in the website security. If your host is vulnerable to attacks, you cannot secure your site.

While there are many hosting companies out there we recommend going for Google Cloud Platform. Google Cloud is one of the best and cheapest Cloud hosting provider in the market.

02. Installation security tips

You can follow some basic security steps while installing WordPress.

  • Never use admin as your username.
  • Never use wp_ as database prefix.
  • Use a strong password.

Once you have installed WordPress create a new user with the Administrator role and then delete the old user. By this way, you will not have the User ID 1.

03. Don’t use Nulled Themes

Premium themes look more professional with more customizable options and good support. So many will try to get those premium themes for free.

There are many sites which provide cracked or pirated or nulled themes, available by illegal means. These themes will have a back door planted by the hacker who cracked the theme. These nulled themes provide a way for the hacker to access the core of your website and destroy the database or your admin credentials.

So, protect your website by spending a few bucks.

04. Don’t use Outdated Plugins

You cannot increase the functionalities of your website without plugins. There are many free plugins available for WordPress. Some plugins are not actively maintained and some are poorly coded and are hacked.

So, it’s better to avoid such plugins.

05. Use WordPress Security Plugin

A security plugin can take care of your site’s security by regularly checking what is happening on your site.

Sucuri is one of the best security plugin to scan for malicious code and to prevent Brute Fore Attacks to your WP-Admin by limiting login attempts.

06. Block your Admin Area with GeoIP

This is one of the effective methods to block a visitor from different countries to access the admin page.

With this method, you can redirect the visitor who is trying to access the admin page to your home page. This can be achieved by a small piece of code in your Nginx configuration.

Outside your server block
geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allow_visit {
default no;
US yes;
Inside your server block 
location ~* /(wp-login.php) {
if ($allow_visit = no) {
rewrite ^(.*) permanent;

fastcgi_split_path_info ^(.+.php)(/.+)$;
fastcgi_read_timeout 300;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
include fastcgi_params;

location /wp-admin {
location ~ /wp-admin/admin-ajax.php$ {
allow all;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
include fastcgi_params;

location ~* /wp-admin/.*.php$ {
if ($allow_visit = no) {
rewrite ^(.*) permanent;

try_files $uri =404;
fastcgi_split_path_info ^(.+.php)(/.+)$;
fastcgi_read_timeout 300;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
fastcgi_index index.php;
include fastcgi_params;

This configuration will allow admin access only from certain countries.

07. Restrict Admin with HTTP Basic Authentication

You can also secure your admin page with HTTP Basic Authentication. This setup will prompt the visitor to enter username and password to authenticate. If authenticated they can view the admin login page.

Follow this guide to set up HTTP Basic Authentication in Nginx.

Add this code inside the location block you just created above.

auth_basic           "Administrator Area";
auth_basic_user_file path/to/your/.htpasswd;

So, once this set up is done, when a visitor tries to access the admin page, he will be checked for geo location. If he passes that check the HTTP Authentication check will prompt to enter username and password. If he still passes this check WordFence Plugin will limit the login attempts.

So, if still some one passes all these security steps, he will first try to access the functions.php file to edit it and add a malicious code into your website.

Finally, we shall disable the editor in your Admin area.

08. Disable File Editing

There are two editing options provided by WordPress for Themes and Plugins. Once your site is live you need to disable the file editing method.

Paste the following code in your wp-config.php file.

define(‘DISALLOW_FILE_EDIT’, true);

09. Common Security Tips

These are some common security tips to be followed.

  • Use an SSL Certificate for encrypted transfer of data.
  • Keep your WordPress core, Plugins and Themes to the latest version.
  • SFTP instead of FTP.
  • Protect your DNS server with DNSSEC.
  • Implement web server securities like ClickJacking, Mime Sniffing, Hotlinking, Content Security policy, Referrer Policy
  • Remove meta generator names.


Security is one of the crucial parts of a website. If you don’t maintain your WordPress security, hackers can easily attack your site. Maintaining your website security isn’t hard and can be done without spending a penny.

Some of these solutions are for advanced users but if you have any questions feel free to post your comments below.

Write A Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.