Intermediate
How to secure WordPress with plugins on WordPress
Quick Answer
Secure your WordPress site by installing essential security plugins like Wordfence or Sucuri, configuring firewall settings, and enabling two-factor authentication. Regular security scans and malware monitoring help protect against threats.
Prerequisites
- WordPress admin access
- Basic understanding of WordPress dashboard
- Backup of your website
- FTP access (recommended)
1
Install a comprehensive security plugin
Navigate to Plugins > Add New in your WordPress dashboard. Search for Wordfence Security or Sucuri Security. Click Install Now and then Activate. These plugins provide firewall protection, malware scanning, and login security features.
Tip
Wordfence offers more granular control, while Sucuri provides excellent cloud-based protection.
2
Configure firewall settings
Go to Wordfence > Firewall (or your security plugin's firewall section). Click Manage Firewall and ensure Web Application Firewall Status is set to Enabled and Protecting. Configure Rate Limiting by setting login attempts to 5 failures in 20 minutes. Enable Block fake Google crawlers and Block hosts who violate Google crawling guidelines.
Tip
Start with medium security settings and adjust based on your site's traffic patterns.
3
Enable two-factor authentication
Install the Two Factor Authentication plugin by going to Plugins > Add New. After activation, go to Users > Your Profile and scroll to the Two Factor Authentication section. Select Email or Time Based One-Time Password (TOTP) and click Enable. Configure your preferred 2FA app, such as Google Authenticator or Authy.
Tip
Always set up backup codes in case you lose access to your 2FA device.
4
Set up malware scanning
In your security plugin dashboard, locate the Scan section. Click Start New Scan to perform an initial malware scan. Configure Scheduled Scans to run daily or weekly. Enable email alerts for scan results by checking Send email summary of scan results in the scan options.
Tip
Schedule scans during low-traffic hours to minimize performance impact.
5
Configure login security measures
Go to Wordfence > Login Security or the equivalent section. Enable CAPTCHA for login forms by selecting reCAPTCHA v2. Set Lock out after to 5 failed login attempts within 20 minutes. Enable Immediately lock out invalid usernames and add common usernames like admin and administrator to the blocked list.
Tip
Consider hiding your wp-admin login page using a security plugin's stealth mode feature.
6
Install SSL and security headers plugin
Install the Really Simple SSL plugin from Plugins > Add New. After activation, the plugin will automatically detect your SSL certificate and configure HTTPS redirects. For additional security headers, install the HTTP Headers plugin and configure Content Security Policy, X-Frame-Options set to SAMEORIGIN, and X-Content-Type-Options set to nosniff.
Tip
Test your site thoroughly after enabling SSL to ensure all resources load correctly over HTTPS.
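As an added check that is not part of this tutorial or of any plugin mentioned here, the following shell script verifies that the three headers configured in this step are actually being sent. It reads saved response headers, for example captured with curl -sI https://example.com/ (example.com stands in for your own site), and exits with the number of failed checks, so it can run from a cron job or a deployment pipeline.

```shell
#!/bin/sh
# Added example, not part of the tutorial or of any plugin: verify that the
# headers configured in step 6 are really sent. Save your site's raw response
# headers first, e.g.  curl -sI https://example.com/ > headers.txt
# (example.com is a placeholder). Exit status is the number of failed checks.

# Print the value of the first header named $2 (case-insensitive) in file $1.
header_value() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    tr -d '\r' < "$1" | awk -v want="$want" '
        index($0, ":") > 0 {
            name = tolower(substr($0, 1, index($0, ":") - 1))
            if (name == want) {
                val = substr($0, index($0, ":") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }'
}

# Compare header $2 in file $1 against expected value $3 (case-insensitive).
expect_header() {
    got=$(header_value "$1" "$2")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]; then
        echo "ok   $2: $got"; return 0
    fi
    echo "FAIL $2: expected '$3', got '${got:-<missing>}'"; return 1
}

# Run the step-6 checks against a header file; returns the number of failures.
# CSP is only checked for presence because its policy is site-specific.
check_security_headers() {
    failures=0
    expect_header "$1" "X-Frame-Options" "SAMEORIGIN" || failures=$((failures + 1))
    expect_header "$1" "X-Content-Type-Options" "nosniff" || failures=$((failures + 1))
    csp=$(header_value "$1" "Content-Security-Policy")
    if [ -n "$csp" ]; then
        echo "ok   Content-Security-Policy: $csp"
    else
        echo "FAIL Content-Security-Policy: missing"; failures=$((failures + 1))
    fi
    return "$failures"
}

# Usage: sh check_headers.sh headers.txt
if [ -n "$1" ]; then
    check_security_headers "$1"
fi
```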
7
Set up database security and backups
Install WP Security Audit Log to monitor all changes to your site. Go to Audit Log > Settings and enable Login/Logout Events and Content Changes. Install UpdraftPlus for automated backups. Configure backups to run daily for the database and weekly for files, storing them on Google Drive or Dropbox.
Tip
Change your WordPress database table prefix from the default 'wp_' to something unique for added security.
8
Monitor and maintain security settings
Set up Security Notifications in your plugin dashboard to receive alerts for blocked attacks, successful logins, and file changes. Regularly review Live Traffic logs to identify suspicious activity. Update all plugins, themes, and WordPress core immediately when updates are available through Dashboard > Updates.
Tip
Create a security maintenance schedule to review logs and update security settings monthly.
Troubleshooting
Security plugin causing site to load slowly
Go to your security plugin settings and disable Real-time file system monitoring or reduce Scan frequency. Consider excluding large directories like /uploads/ from continuous monitoring.
Locked out of WordPress admin after enabling security features
Access your site via FTP and rename the security plugin folder in /wp-content/plugins/ to temporarily disable it. Alternatively, add your IP address to the Whitelist via the plugin's emergency recovery options.
Two-factor authentication not working
Check that your server's time is synchronized correctly. Go to Settings > General and verify the Timezone setting. Clear your 2FA app's cache and re-scan the QR code if using TOTP authentication.
False positive malware alerts
Review the Scan Results carefully and mark legitimate files as Ignore. Add trusted file paths to the Exclusions list in your security plugin settings to prevent future false alerts.