1. Use a reputable hosting provider (Most important) –
Just by opting for a reliable, solid hosting provider, your WordPress site is already more or less secure. This is the most important step of all.
When the base is solid, what is built on it is solid.
If you ever decide to build a website for a client or for yourself, never compromise on the hosting.
There are two types of hosting –
- Shared (A single server space divided into multiple accounts)
- VPS/Cloud (Own server space basically)
Now, since shared hosting plans are comparatively cheaper, most newbies are inclined towards them.
By no means am I trying to convey that shared hosting plans are a bad option, but they do come with drawbacks. Mainly SPEED & SECURITY.
The IP address is shared amongst multiple users. If even one of the sites on the server gets compromised, it could affect the entire server, and thus your site.
A VPS, on the other hand, gives us a dedicated hosting space to host our own WP files, with a dedicated IP address that belongs solely to a single user.
Not only does it provide a more hardened environment, but the site's load time is also significantly reduced, i.e. FASTER LOAD TIME.
You can always choose the plan according to the budget of the project.
I personally use a cloud-based hosting provider popularly known as DigitalOcean. It gives new users a free 60-day trial with a $100 credit.
I have hosted nearly all of my clients' sites, and even my own, on DigitalOcean.
As far as pricing goes, it's arguably the cheapest cloud hosting provider out there.
The initial plan starts at merely $5 and goes as high as $1760 for the biggest companies. For starters, $5 works just fine.
Here are some quick recommendations –
- Siteground – One of the most popular hosting providers. Plans start at $6.99 per month. It provides special hosting plans for WordPress and WooCommerce.
- Inmotion – Another top-notch hosting brand. Includes multiple plans to suit our requirements. Live chat support (I love that). Plans start at $9.99 per month, and you need to sign up for 1 year or more. A great and safe option overall.
2. WordPress Security Plugin – (Free works great too)
The first plugin I ever install on any of my clients' sites is a security plugin. All In One WP Security is my all-time favorite.
With more than 900,000 active installations, it is one of the top choices for many developers.
This single plugin provides tons of features that can make any WP site much more secure.
Let's dive into the list of features the plugin provides that we can make use of –
1a. Custom Login URL – (Must-use feature)
WordPress ships with a dashboard and a login URL that are the default for every WP site.
The default login URL looks something like this
Now, this paves quite an easy path for hackers to reach your site's login page.
This can be prevented by changing the default wp-admin URL to any custom URL of our liking.
2b. Adding Google reCAPTCHA –
Google reCAPTCHA is the best way to prevent spam comments and brute-force attacks.
It forces users to prove that "they are not a bot" 🤖.
Head over to reCAPTCHA and create free v2 keys, as the plugin requires.
3c. File Permission –
A. Disable PHP File Edit – By default, we can access and edit our WordPress files through the dashboard and make changes to the files directly.
We can disable this with the help of All In One WP Security.
B. Disable WP File Access – With this feature on, access to readme.html, license.txt, and wp-config-sample.php is blocked.
C. File Read/Write Permissions – This feature scans the critical WP core folders and files and highlights any permission settings that are insecure.
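To see what such a permission scan actually checks, here is a small audit script. It is an added example, not code from this post or from the All In One WP Security plugin, and it assumes a Linux host with POSIX sh, find and stat, and a standard WordPress layout under the directory you pass in.

```shell
#!/bin/sh
# Added example (not the post's or the plugin's code): a minimal version of the
# file-permission audit described under 3c.C. Assumes Linux, POSIX sh, find, stat.
# Rules checked: nothing world-writable, wp-config.php not readable by "others"
# (600/640), and no group-writable directories inside wp-admin or wp-includes.

# Print a path's octal mode (GNU stat first, BSD stat as a fallback).
wp_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_wp_perms <wordpress-root>
# Prints one "WARN ..." line per finding; prints nothing when every check passes.
audit_wp_perms() {
    root=$1

    # 1. World-writable files or directories let any local user plant code.
    find "$root" ! -type l -perm -002 -exec printf 'WARN %s world-writable\n' {} \;

    # 2. wp-config.php holds the database credentials and the salts.
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ]; then
        mode=$(wp_mode "$cfg")
        case "$mode" in
            600|640|400|440) ;;
            *) printf 'WARN %s %s readable by others\n' "$mode" "$cfg" ;;
        esac
    fi

    # 3. Core directories should be writable by the owner only.
    for d in wp-admin wp-includes; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -perm -020 -exec printf 'WARN %s group-writable directory\n' {} \;
    done
}

# Usage: sh wp-perm-audit.sh /var/www/html
if [ $# -ge 1 ]; then
    audit_wp_perms "$1"
fi
```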
4d. Change Database Prefix –
Our MySQL database is the most vital asset in our project. It contains critical pieces of information such as user data and passwords.
Once compromised, it could lead to serious trouble. The most common form of attack is SQL injection.
Now, one simple trick can make it more secure. Again, the default prefix used is
We've got to change it to some random prefix.
Our whole purpose here is to change the default settings to customized settings, adding an extra layer of security that makes attacks harder.
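Renaming the tables is only half of the job: the user_roles option and the capabilities and user_level user-meta keys also carry the prefix, so a rename that skips them locks every administrator out. The script below is an added example, not code from this post or from the plugin; it assumes MySQL/MariaDB syntax and takes the table list as arguments (a constructed list in the usage line). Keep in mind that a custom prefix only defeats automated payloads that hard-code the default one; it does not remove an injection flaw in a plugin or theme.

```shell
#!/bin/sh
# Added example (not the post's or the plugin's code): generate the SQL for the
# prefix change described under 4d, including the row data that embeds the prefix.
# Assumes MySQL/MariaDB. Take a backup, review the output, run it, then set
# $table_prefix in wp-config.php to the new value.

# wp_prefix_sql <old_prefix> <new_prefix> <table...>
# Prints RENAME TABLE statements for every table carrying the old prefix, then
# the UPDATEs that fix option names and user-meta keys (user_roles, capabilities,
# user_level and any other key that starts with the old prefix).
wp_prefix_sql() {
    old=$1; new=$2; shift 2
    start=$(( ${#old} + 1 ))                      # SUBSTRING() is 1-based
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')  # '_' is a LIKE wildcard; escape it

    for t in "$@"; do
        case "$t" in
            "$old"*)
                base=${t#"$old"}
                printf '%s\n' "RENAME TABLE \`$t\` TO \`$new$base\`;" ;;
            *) ;;   # a table without the old prefix is not ours; leave it alone
        esac
    done

    # The prefix also lives inside row data, not only in table names.
    for spec in "options option_name" "usermeta meta_key"; do
        set -- $spec    # $1 = table suffix, $2 = key column
        printf '%s\n' "UPDATE \`$new$1\` SET $2 = CONCAT('$new', SUBSTRING($2, $start)) WHERE $2 LIKE '$like%';"
    done
}

# Usage (constructed table list; a real run would take it from SHOW TABLES):
#   sh wp-prefix-sql.sh wp_ k9x_ wp_options wp_usermeta wp_posts
if [ $# -ge 3 ]; then
    wp_prefix_sql "$@"
fi
```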
3. Install an SSL Certificate –
A Secure Sockets Layer (SSL) certificate encrypts all sensitive information such as login credentials, transaction details, and card numbers.
This technology changes our site from HTTP to HTTPS, i.e. it creates a secure link between the client (browser) and the server.
All data transmitted between the browser and the web server is encrypted.
Once you have installed an SSL certificate, head over to the Plugins tab and install Really Simple SSL. Activate it and let it do its job.
You can acquire an SSL certificate in the price range of $50 to $200 per year.
However, many web hosting companies provide an SSL certificate for free, so you don't have to shell out any extra cost for that.
These free certificates are generally issued by the popular free certificate authority Let's Encrypt, which is completely reliable and safe to use.
4. Regular Maintenance of WordPress, Themes, and Other Plugins –
I always tell my clients that building a website may be a one-time thing, but keeping a website running requires care. Regular care.
Either you can learn to maintain the site yourself by gathering some knowledge about how and when to update the necessary plugins and WordPress to their respective versions, or let an expert handle the maintenance part.
Updates are released regularly by their respective authors to enhance the plugin's functionality and tackle its vulnerabilities.
Also, there are continuous server updates that have to be taken care of.
Those updates are more or less handled by the hosting companies, but a few are not and need to be done manually. For instance, upgrading to the latest version of PHP.
You can always check your site's current health by going to
Tools -> Site Health
and going through the list of things that need your attention, solving them one by one.
5. Stay away from nulled themes and plugins –
Now, it's human nature to love free things.
Similarly, as beginners, we try to save some money and look for alternatives to paid themes and plugins.
Though there is a huge repository of free themes and plugins in WordPress, and sometimes that is all you need, more often than not we require more flexibility, more customization options, more features.
Those things don't come with the free options. You've got to pay. Period!
Now, in my quest to find a premium theme, I stumbled across sites that gave away nulled/cracked themes for FREEEEE!
Being tempted by so many paid items at no cost, I opted for them just to save a few bucks.
I decided to go for a nulled version of the famous BeTheme.
Within a week the site was showing pornographic content. 🤦‍♂️. I learned my lesson.
I realized it was time to delete everything and start afresh, this time shelling out a little money for a genuine product.
Sites that provide nulled themes claim that all the files are genuine and unaltered. Please don't believe that BS.
An authentic product, in our case themes and plugins, always works best. It also comes with 6 months of technical support from the theme authors.
If you ever want to look for a theme, start with – Themeforest.