Must Have WordPress Security - Step by Step Guide

Posted in Tutorials by admin on 05 May 2017

Security should be a top concern for Wordpress site owners. As the most popular web publishing platform on the internet, it is targeted by hackers and spammers. But it does not mean you have to sit idly and wait for a disaster.

You may ask yourself why would anyone bother to attack your website if your site is not competent enough and you have low traffic? The fact is that great majority of hackers and spammers are not looking to steal your data or delete important files. What they intend to do is to use your server to send spam emails and that is a big NO NO.

When it comes to website security, do not suspect your website is well secured because you have not been hacked in the past. Better safe than sorry.

Below you will find a simple guide to properly setup basic WordPress security using the free plugin called All In One WP Security & Firewall.

Stay up to date

For both functionality and security reasons, it’s important to stay updated. This refers to both your plugins and themes.

wordpress update

All In One WP Security & Firewall


Analyzing a plugin or theme’s popularity is always a secure way to better ensure you aren’t installing malevolent code into your WordPress site. A plugin/theme that’s largely popular isn’t naturally less likely to be targeted by hackers but is more likely to be updated and maintained with security patches regularly. Go to the “Plugins” section and search for the ”All In One WP Security” plugin and install it.

install screen

After installation just go to WP security plugin dashboard. You will see that All In One WP Security also uses a security point grading system to measure how well you are protecting your site based on the security features you have activated. All In One WP Security plugin uses security grading system which indicates how well you are protecting your site against the malicious content.

AIOWPS dashboard

Backup first

It is a good method to take a backup of your .htaccess file, database, and wp-config.php file before activating the security features. This plugin allows you to backup those resources with ease.

backup menu

Database backup

To create a new DB backup just click on the button that says “Create DB backup now”

database backup

Enable automated scheduled backups, it is a matter of personal preference, but giving yourself a little space to breathe is good enough. Set your backup time interval to every 4 weeks and save the settings on the button below.

Backup htacces file

Your ".htaccess" file is a key component of your website's security and it can be modified to implement various levels of protection mechanisms.

Click the button that says Backup .htaccess File to backup and save the currently active .htaccess file.

backup htaccess

Backup wp-config.php

Your "wp-config.php" file is your primary configuration file and one of the most important files in your WordPress installation. It contains details of your database and other critical components. Click the button that says backup wp-config.php file to download it.

backup wp-config

Change username

From a security viewpoint, changing the default "admin" username is one of the first and smartest things you should do on your site. Be extremely careful when choosing the admin name, cause when WP logs you out and you forgot your name.

change username

Change display name

When you submit a post or answer a comment, WordPress will usually display your "nickname". By default, the nickname is set to the login (or user) name of your account. Make sure to change it.

change display name

Check your password strength

Poor password selection is one of the most common weak points of many sites and is usually the first thing a hacker will try to exploit when attempting to break into your site. This section contains a useful password strength tool which you can use to check whether your password is sufficiently strong enough.

password strength

Login lockdown

This is useful if someone tries multiple times to enter your site. Just enable it, and set max logins attempts to 10 and time period to 60min.

enable user login lockdown

Force logout

This is useful if someone already enters your site, and it’s a good practice to kick those people out. Set timing to 60min. Be careful, it will also log you out after a set time period.

force logout

Change DB prefix

Your database is the most important part of Wordpress site. Change the default WordPress table prefix from "wp_" to something else. You can add value yourself or set random one.

change db prefix

Install basic firewall settings and block access to debug files

The features in this tab allow you to activate some basic firewall security protection rules for your site. Just enable it and move on. If you wish, you can take a backup of your .htaccess file before proceeding.

install basic firewall

Block fake google bots

A bot is a piece of software which runs on the Internet and performs automatic tasks. Google bots have a unique identity which cannot easily be forged and this feature will identify any fake Google bots and block them from reading your site's pages. You can verify google bots here:

block fake google bots

Prevent hotlinks

A Hotlink is someone displays an image on their site which is actually located on your site by using a direct link to the source of the image on your server, this can cause leaking of bandwidth and resources for you because your server has to present this image for the people viewing it on someone else's site. This feature will prevent people from directly hotlinking images from your site's pages by writing some directives in your .htaccess file.

prevent hotlinks

Add login captcha

This feature allows you to add a captcha form on the WordPress login page.

To log in you need to answer a simple mathematical question. The plugin will not allow login, even if you entered the correct username and password.

add login captcha

Spam prevention

Adding a captcha field in the comment form is a great way to block off spammers and bots.

spam prevention

This is it. You have basic WordPress security up and running. Be sure that you export this setting so when you install this plugin you can just import them and be done in 5 seconds.

Check your Dashboard again to see what is your current security standing, and that’s it!

final dashboard


Don’t be that person who finds WordPress security important only when is too late. Even basic WordPress security is a large step to save you money, but more importantly, to save you from that painful realization when you find out that your site is hacked, especially by some random bot that was cruising around. When it comes to website security, it pays off in the long run to be safe than sorry, and with this free and effective plugin, you will be ready to rise the wall and fend off those pesky bots and hackers.