WordPress Security Guide

The Ultimate WordPress Security Guide – Step by Step

Protect your WordPress website from security threats, and how to recover if your site has been hacked.

WordPress security should be at the top of every website owner’s priority list.

Over 40% of all websites run on WordPress. It’s far and away the most popular content management system (CMS) available.

Popularity brings a constant stream of unwanted attention. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.

In our comprehensive guide to WordPress security, we’ll show you how to protect your site, including:

  • Password settings and brute force attacks
  • Admin access and user permissions
  • Version control and updating plugins
  • Choosing the right secure plugin
  • Malware scanning
  • Secure web hosting
  • Distributed denial of service attacks (DDoS)

We’ll then take you step-by-step through a number of simple preventative measures. We’ll demonstrate how to fix a hacked WordPress site and what actions you should take if the worst case scenario should occur. 

WordPress security guide

It’s a massive guide, so here’s some shortcuts for you:

➡️ How to protect your WordPress Admin login

  • How to change wp admin url in WordPress
  • Change your Admin username / Create a new administrator profile
  • Strong password generators
  • Two-factor authentication
  • Brute force attacks
  • Limit Login attempts with StackProtect
  • Automatically log out idle users
  • Security questions on login

➡️ WordPress user permissions

  • User roles and responsibilities
  • How to change permissions in WordPress

➡️ What you can change in the WordPress Admin menu

  • Latest PHP version
  • Latest WordPress version
  • Update plugins
  • Security keys
  • Disable File editing
  • Disable PHP file execution
  • Move the wp-config.php file
  • Disable Directory Indexing and Browsing
  • Disable XML-RPC in WordPress

➡️ Secure your database

  • Database prefix
  • Backups
  • Monitor audit logs
  • Strong passwords

➡️ Scan for malware

  • 20i’s free scanner
  • Other options

➡️ WordPress security plugins

  • Do I need a security plugin?
  • Best WordPress security plugins
  • What do they offer and how do they differ?
  • Which plugin should I choose?

➡️ SSL certificates

➡️ DDoS protection

➡️ Secure web hosting

  • What does a great web host provider look like?
  • 20i secure web hosting – product features

➡️ What to do if your site has been hacked

  • How would I know?
  • My website has been hacked: what should I do first?
  • How do I fix a hacked WordPress website?

How to protect your WordPress Admin login

Any WordPress site’s Admin login is likely to be the first place any hacker worthy of the name will look, as it’s very easy to find.

All you need to do is type in the domain name of your site followed by either /wp-admin or /wp-login.php and there it is.

A cybercriminal also knows the default username given by WordPress is ‘admin’. As a result, they can start making brute force attacks on your website within seconds.

So, what measures can you take to make to secure your WordPress login page?

How to change the wp admin URL in WordPress

Changing your wp admin URL is pretty straightforward and immediately adds a layer of security, making it more difficult for anyone seeking to gain entry to your site via this route.

Every hacker knows that domain.com/wp-admin is the default route to a WordPress login page but would they know that the route to YOUR website is yoursite.com/ilovemyfavouritefood or even yoursite.com/onlyiwillknowthis?

All of this is made possible by using a plugin called WPS Hide Login. It’s free, very easy to use and works not by rewriting any existing files but by simply intercepting a page request and rerouting to a URL location which you can choose once the plugin is installed.

Make a note somewhere of your new URL in the event you should ever forget it in the future. Important if you’ve chosen something quite elaborate and inventive!

Unfortunately this action will likely only deter the most amateur criminal from trying to sneak into your website via the backdoor. More work will be needed to make your site more secure.

ℹ️ A note for 20i users: changing the WordPress Admin URL circumvents a lot of the 20i platform rules relating to /wp-admin and /wp-login.php, including our own brute force protection. So while it can be a good step, it should only be done alongside the other techniques mentioned in this post and not alone.

Change your admin username / create a new administrator profile

If every hacker knows the default username for the primary user of a WordPress website is ‘admin’, it stands to reason that one of the first things you should do is…change it.

This, again, is a fairly simple procedure. In the main dashboard you can create a new user, which will also allow you to generate a new (unique) username. Then you can delete the original user and, at the same time, say goodbye to ‘admin’.

You could use the unique email ID – which is created alongside any new profile – as your new username. This would add an extra layer of security against any brute force attacks.

If the user profile you’re deleting was initially assigned the role of administrator (usually the case if it was the first user generated), remember to re-assign this role to the new user you’ve created.

On deletion of the old profile you should also choose ‘attribute all content to’ the new Administrator profile in order to transfer and save any historical site content.

If you’re using 20i WordPress Hosting, you can create and manage users from your WordPress Tools dashboard.

Strong password generators    

Choosing a strong password is a simple way to protect your WordPress site from a potential cyber attack.

Due to the sheer number of passwords we use for different websites, it is becoming more prudent to try and steer clear of passwords littered with upper case, lower case, numbers and symbols – because they’re harder to remember. 

But easy-to-remember passwords are easy to guess.

So we’d recommend using an online tool, which will create a random password for you.

This site basically does all the heavy lifting by generating a secure password, based on your requirements.  You’ll also find a strong password generator for you to use in My20i.

A password manager, such as 1Password, LastPass or Dashlane will store all of your passwords for you in a secure environment, so you don’t have to remember them.

Two-factor authentication

Two-factor authentication (2FA) is becoming more common across a host of websites: mainstream sites like Google, Facebook and Twitter are using it now. As the name suggests, this involves a two-step process.

First, a user provides their usual login details to a website. Second, they’re asked to input a passcode. This is sent via another source: usually text, phone app or email.

2FA is proving to be quite an effective layer of security as it’s nigh-on impossible for crims to have access to both components required for this process. So it really is something you should look to install for your WordPress site.

ℹ️ You can implement 2FA for your 20i account within your control panel. Instructions on how to do this can be found here: 2FA, or you can log in right away to our security details page.

Brute force attacks

Essentially, a brute force attack is when a criminal tries to guess what your username and password are.

It’s an automated attempt to take advantage of any weak online passwords. As these attacks are automated, they can run into tens of thousands each day.

This is precisely why it’s essential you take appropriate steps to create a strong username and password along with implementing two factor authentication.

These measures should help prevent any brute force attack on your WordPress website.

Limit login attempts with StackProtect

There are also special plugins and online tools available which will limit the number of incorrect login attempts made on your site. 

Rather than use a plugin, at 20i we use an automated security tool called StackProtect.

StackProtect monitors all requests to common login pages. It blocks any criteria matching malicious activity. This powerful software has the capacity to block millions of attempts each day.

Automatically log out idle users

It’s so easy for a user to become distracted when working on a website: leaving a page open whilst away from a desk, for example.

This could allow an opportunist hacker the equivalent of an open goal to make changes. It poses an unexpected security risk. 

You’ll note that pretty much all financial websites will automatically suspend any session once activity ceases for more than a few minutes.

For a WordPress website, there are a number of security plugins – specifically Inactive Logout and BulletProof Security – which are designed to give you the same functionality. 

Both are free and offer a range of parameters which will allow you to choose a specific timescale before logging a user out of a session, along with bespoke message settings.

Security questions on login

For additional peace of mind you can also add one or more security questions during the wp-admin login process by installing the WP security questions plugin. 

Once installed, just visit your settings page and activate the plugin to configure the range of specific security questions you wish to set for users.

WordPress Security user permissions

WordPress user permissions

Another way to get a more secure WordPress website is by controlling user permissions.

WordPress user roles and responsibilities

If your site is for your sole use then you will automatically have full administrative access. So user permissions and the various roles available don’t really require any further thought.

As your website user base begins to grow it’s important to consider who else you grant full administrator access to. You can allocate six standard user roles, each with different levels of seniority and capability:

  • Administrator (can do everything – recommended to be assigned to just one user, usually the website owner)
  • Editor (main responsibility is overseeing site content)
  • Author (main responsibility is creating content)
  • Contributor (allowed to read, edit and delete their own posts only)
  • Subscriber (allowed to read posts only)
  • Super Admin (can do everything across a network of associated WordPress sites, including deleting a site if necessary)

The more users given full Administrator access, the more vulnerable your WordPress website could be to cyber attacks.

Think carefully about the roles and user permissions you allow. In short, don’t give admin access unless absolutely necessary. 

Good practice here would be to have one user assigned as an Administrator. Then create a finite number of users well versed in the functionality of your website as editors.

How to change permissions in WordPress

Each role you assign does not need to be written in stone and, in reality, is likely to be an ever-evolving process.

If you’d like to have the capability to change the user permissions for your site, the Capability Manager Enhanced plugin allows you to manage the roles allocated on an ongoing basis.

Once installed, on your main dashboard go to ‘Users’ and then ‘Capabilities’. From there you can select a specific user role and alter the permissions for that role as required. The plugin also gives you control over creating new customised roles should the need arise.

ℹ️ As part of WordPress Tools, 20i users have a list of all current users in their My20i dashboard – their name, username and role. You can also use it to create new users for both standard and custom roles. If you manage lots of WordPress websites, you can do the same in bulk, through the 20i WordPress Manager.

WordPress Security website hosting Admin menu with WordPress tools

What you can change in the WordPress Admin menu?

There are a number of actions you can take which can protect your WordPress website from potential security vulnerabilities.

Get a more secure WordPress website by using the latest PHP version

WordPress is built on the PHP programming language. All PHP files within your WordPress install can be identified by the .php extension.

You don’t need to know how to code using the PHP scripting language to create a WordPress website. But you do need to perform periodic updates to ensure your site is using the latest PHP version.

Each new PHP version will provide features designed to improve both the stability, speed and security of your website. It will also fix any bugs that have crept into the system.

As with operating systems, PHP does not provide security support for all the different versions. If your site’s running on an older version, not only are you missing out on new features, but you’ll be exposed to more security vulnerabilities and system bugs. Your site may also be slower.

PHP usually releases a new version regularly whilst often phasing out an older version at the same time. Each version can usually expect to receive full security support for at least two years once a new version has been released. The latest PHP version, released in November 2020, is 8.

The process for changing your PHP version will vary depending upon the hosting provider you’re using.

ℹ️ If you’re a 20i customer, this is very straightforward. Simply go to your My20i account and select ‘Manage Hosting’ followed by your hosting package and then select the latest PHP version. Upgrades usually take no more than 60 seconds to complete. Our WordPress platform is locked to a specific version to optimise performance. Again, our WordPress Manager allows you to do this across a number of WordPress websites, in a single click.

Latest WordPress version

Updating the version of WordPress your site is currently using is just as important as updating to the latest PHP version. It’s for the exact same reasons: security, speed, new features and bug fixing.

You can check which version of core WordPress your website is currently using by going to the Updates page on your main dashboard.

Minor updates tend to happen automatically, but for major updates you should keep a check on this page. When required, you simply need to click on the ‘Update Now’ button.

ℹ️ 20i’s suite of WordPress Tools includes a WordPress version checker, which detects if a version is out of date. Users on our Managed WordPress Hosting will always get updates automatically by default, unless you opt out.

Update plugins

Most sites are hacked through a failure to update plugins. The thousands of plugins available present a very large ‘attack surface’ for potential hackers with criminal intentions, so it’s essential that you keep an eye on this.

Don’t ignore the Updates page in WordPress Admin. When plugins need to be updated, you’ll get a notification at the top of the page. If you click on that it will take you to the Updates page. The ‘Update Now’ button appears next to each plugin and theme when necessary.

On the Plugins page, you can also choose to enable automatic updates: worthwhile if you’re don’t log in to WordPress Admin very often.

ℹ️ You can also update plugins and themes through My20i, using our suite of tools for WordPress and WordPress Manager.

Remove unused plugins

It’s also best practice to limit the number of plugins you have installed on your website. Only keep those which you actively use and remove any which are no longer necessary.

It will provide a smaller ‘attack surface’ to nefarious hackers: fewer plugins, fewer vulnerabilities. Doing this may also help speed up your site – always good!

WordPress is very efficient at providing email notifications to website owners when new updates are available. Hackers can find version numbers in a website’s source code, preying on those sites still operating on older, unsupported versions. So install new versions as soon as you can. 

ℹ️ 20i’s WordPress Tools suite also includes a plugin management tool. You’ll be notified if any plugins on your site need updating or become inactive and require deactivating. 

Security keys

A website uses cookies to correctly identify a user when they log in with their username and password. Hackers with bad intentions will look for these cookies in your database in order to decipher the passwords and gain access.

To add an extra layer of protection, WordPress uses security keys and salts to guard the cookies. It encrypts all of the passwords stored in your site’s database, making them much more difficult to crack.

So, for example an encrypted password might look like this ‘36g489bd34hg72ed98s0rf’. As you can see this is a significantly harder password to decipher than ‘123456’. There are four security keys – AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, all with corresponding salts.

You don’t have to invent these passwords yourself, WordPress provides a random generator which does this for you.

Once generated, you just need to paste each security key password into the wp-config.php file which can be found in your website’s root folder (usually from line 45 onwards). We recommend that you change your security keys and salts on a regular basis.

Disable file editing

WordPress provides a built-in code editor that allows you to edit your theme and plugin files from your Admin dashboard. To view these files you need to click on the ‘Appearance’ tab followed by ‘Theme Editor’. For plugins go to ‘Plugins’ and then ‘Plugins Editor’.

It’s recommended to remove both these code editors from your site. If a hacker gained access to your dashboard they could use these editors to launch malware or DDoS attacks. Or simply take all of your data.

To disable them all you need to do is add this line of code to your wp-config.php file, above the line which says ‘That’s all, stop editing! Happy publishing’:

define( ‘DISALLOW_FILE_EDIT’, true );

Once you’ve saved these changes, both these file editors are disabled and will no longer show on your Admin dashboard.

Disable PHP file execution

WordPress keeps a number of directories open for you on your website so you can easily upload new themes, plugins and other content such as videos or images. If hacked, these directories can become a security risk and used to upload a number of malicious files. These files are made to look like the standard core files used by your website.

20i users have the luxury of knowing that PHP scripts are blocked at platform level.

If you’re using different hosting you can prevent this from happening by disabling PHP file execution in those directories where they wouldn’t be needed. All you need to do is to create a .htaccess file in a text editor such as NotePad and copy this line of code into it:

<Files *.php>
	deny from all

Save the file and upload it to /wp-content/uploads/ on your website, which you can do via your web host’s FTP client or File Manager.

Disable directory indexing and browsing

Disabling directory indexing and browsing ensures that your website’s files can’t be looked at by those seeking to gain access for malevolent purposes. 

This is a very quick and simple fix. Remember the .htaccess file mentioned earlier? Well, if you open that up once more in your text editor all you need to do is add the following line into the document:

Options -Indexes

Save the file and upload it back onto your server – and you’ll have a WordPress website that’s more secure.  

Directory indexing is disabled by default at 20i.

Disable XML-RPC in WordPress

If you use the WordPress app to update and add content remotely to your website then the XML-RPC remote procedure call software is a useful feature which should remain enabled on your site.

If you don’t do this, we recommended that you disable it, if only to block another line of attack for cyber criminals.

The simplest way to do this is to install the Disable XML-RPC plugin. XML-RPC will be disabled once it’s activated. If circumstances change and you need to re-enable XML-RPC, simply reverse the process and deactivate the plugin.

ℹ️ At 20i, we block all attempts by default. However, we whitelist applications with a good reputation that need to use it legitimately: like Jetpack. You’re protected as standard with 20i and don’t need to use the above plugin.

Secure your WordPress database

Secure your database

Database prefix

If you’re familiar with the file configuration of WordPress sites you’ll know that the database file begins with the prefix ‘wp_’ followed by your site name – ‘wp_yourwebsite’.

When you first set up a WordPress site you should take the option to rename the database table prefix. It doesn’t need to be anything complex – you could use your name initials – ‘yourinitialswp_’ or ‘wpyourwebsiteinitials_’ will be fine.


Performing regular backups of our WordPress site data is one thing we all know we should do but it’s surprising how many site owners let this important task fall by the wayside. It’s not the most thrilling job in the world but it simply has to be done.  

ℹ️ If you use 20i for your website hosting, first of all – thank you! And second of all, you can perform backups of your database and site files quickly and easily through the control panel in your 20i account. If you’re on our WordPress Hosting this is done automatically every day, but you can also create a backup on demand.

If you’re a 20i Reseller, you can set up Timeline Backups or Timeline Backups Pro.

Monitor audit logs 

Keeping a close eye on your WordPress website’s audit log is an effective way of checking user activity and making sure they’re not doing anything which would be outside the permissions you’ve set. If you have lots of users or if you’re managing a number of websites this can become quite a cumbersome task. 

The WP Activity Log plugin does all the hard work for you by creating a handy reference log of all the activity happening on your site. Everything from a user who’s forgotten their password to more malicious login attempts will show here. 

With 20i you can view your site’s audit log in your My20i account control panel. 

Strong passwords  

Set a strong password for your database: it’s good practice. When setting the database password make sure you apply all the principals as for the main login – the more complex you make your password, the harder you make it to hack. 

Remember, you can always use an online strong password generator tool to create one for you.

If you’re with 20i you can use the password generator tool included with the hosting package.

Malware scans to secure WordPress sites

Scan for malware

All of the measures mentioned so far in this guide will go a long way to securing your WordPress website. But, if you want to be even more proactive you can regularly scan for any malware that may have sneaked onto your site.

20i’s free on-demand automatic scanner

If you’re using 20i as your hosting provider, we include free malware scanning as part of the package. This software automatically scans your site for malware on a daily basis. It can also conduct a scan ‘on-demand’, should you identify any suspicious activity on your site. 

Once each scan is complete, we’ll compile a report on the results which you can view in your My20i control panel. If any malware is spotted we’ll send you an email notification immediately, along with the recommended steps to take. Once complete, you can run another scan to make sure everything has now been fixed. 

Our WordPress Checksum tool works in a similar way (again – you’ve guessed it – part of WordPress Tools and the 20i WordPress Manager!). It checks that your installation matches the official WordPress repository, and can often find core files that have been changed by malware and auto-replace them for you.

Other malware scanning options

Many other WordPress hosts offer similar malware scanning facilities, so if you’re not with 20i you should check with your provider to find out what their package includes and whether there’s a charge to use it. 

If you’d prefer to adopt a more ‘hands-on’ approach, there are a number of online providers that will be able to perform this service for you, such as Google, Sucuri SiteCheck and WPScans.

WordPress security plugins

WordPress security plugins

Do I need a security plugin?

The quick answer is: no, not in every case.

It depends on what you’re using WordPress for: if it’s just a small blog then you almost certainly don’t need one if you follow the tips in the post. And there are other factors to consider.

More plugins mean longer loading times. Longer loading times lead to fewer people taking the time to read your posts, buy your product or browse your services. Google knows this, so they reward faster-performing sites by giving them higher positions in the search engine results. Performance can affect your bottom line, and security plugins can make loading times longer and conflict with other functions.

So that might be an argument to not use a security plugin. 20i provide a range of secure hosting features like the Web Application Firewall (WAF), brute force login protection and more. So if you’re 20i user you don’t really need one.

What are the best WordPress security plugins?

You may not get similar protections at other hosts, so in this section we’re going to take a closer look at some of the best WordPress security plugins currently available.

The first tip for security plugins is to make sure, whichever you choose, that you select one from a reputable source. Don’t download a paid plugin from a site offering it for free!

With this in mind, here’s a list of the ten best security plugins that offer lots of different features to ensure the bad guys don’t break through to your WordPress website:

  • Wordfence Security
  • iThemes Security
  • Sucuri Security
  • All In One WP Security & Firewall
  • Defender Security
  • WP Hide & Security Enhancer
  • VaultPress
  • MalCare Security
  • SecuPress
  • BulletProof Security

What do they offer and how do they differ? 

Wordfence Security is arguably the most comprehensive, all-in-one WordPress security and firewall plugin currently available today.  There’s a free and premium package, both of which offer a significant level of protection for your website. It has a strong web application firewall (WAF) and malware scanning feature. It also uses 2FA to defend against brute force attacks (a feature not common on free plugins). 

Unlike other plugins, it not only tracks attempts to hack your website but also where this traffic is coming from (Google crawlers, humans or bots).

iThemes Security has both a free and premium version. Unlike Wordfence it doesn’t include a firewall but does have a malware scanner. This plugin takes a deep dive into a wide variety of security measures already talked about in this guide such as, hiding the login page, removing ‘admin’ as a username and changing the database prefix. 

Sucuri has both a free and premium version. It’s a very popular security plugin although its free version is regarded as having a more basic malware scanning feature than both Wordfence or iThemes. Sucuri’s paid version does include a powerful firewall feature.

The All In One WP Security & Firewall is available as a free plugin and considered extremely user-friendly. It has basic firewall protection and also secures your site against spam comments in your blog. It’s good for beginners, yet it also lets you choose from three levels – basic, intermediate or advanced, depending upon your experience.

Defender Security is a very simple plugin to use, available in both free and premium versions. The premium version includes cloud backups with 10GB of storage and audit logs to monitor user activity. If your site is hacked it even provides access to expert advice to help you get it back online as soon as possible.

The WP Hide & Security Enhancer does exactly what it says – it hides the fact that you’re using WordPress as your content management system from potential hackers. It also hides the name of the themes and plugins used by your website. No one will know you’re using WordPress, therefore, they won’t know where to start trying to break into it. It’s available as a free plugin only and is very easy to use.

VaultPress is part of the JetPack suite of products and is available as a premium-only plugin. It offers malware scanning as part of its features, but uses its own web servers to do this. So scanning doesn’t affect the performance of your own site. It also offers premium plans that can automatically fix security issues that it discovers.

MalCare, as the name suggests, provides a significant focus upon malware scanning and detection. Like with VaultPress, this plugin uses its own servers for all its scanning and offers a ‘one-click removal’ feature to rid your site of any malicious files it finds. It’s available as a premium plugin only.

SecuPress is available both as a free and/or premium plugin. It has lots of features, including an impressive firewall. However, what sets it apart from other security plugins is the protection of your website’s security keys. It also offers a ‘one-click solution’ to all issues arising from a malware scan.

BulletProof Security is available both as a free or premium plugin. It’s generally seen as being better suited to the more advanced user but does come with a very easy to use setup wizard to help beginners. It also offers idle session logouts and email notifications of any failed login attempts.

Which WordPress security plugin should I choose? 

All of the security plugins outlined above will serve your website well with the primary task of helping to keep it protected from any unwanted visitors. 

Deciding which one is right for you may need to involve some trial and testing. But before that it would be wise to first check what your web host offers as part of their hosting package.

Once you know this, you’ll be able to discount those plugins that duplicate what your host offers and one which compliments the protection you already have in place.

SSL certificates for Web and WordPress Security

SSL certificates 

Acquiring an SSL (Secure Socket Layer) certificate means a website can run on HTTPS (Hyper Text Transfer Protocol Secure) rather than HTTP. An HTTPS site is identified by a padlock symbol next to the website address in a browser. It’s purpose is to secure the safe passage of data between a browser and a web server.  

Many hosting providers will include a free SSL certificate within their overall package and 20i is no exception.

We include wildcard SSLs for free through Let’s Encrypt, which covers all subdomains of a website under one certificate.

We offer two premium SSL certificates for larger ecommerce websites where more credibility may be required. They’re known as Simple SSL and Extended SSL. Extended SSLs are the highest class of certificate currently available, providing additional security that the website’s owner is a legitimate company while also offering a warranty.

Distributed denial of service protection Security from DDoS

DDoS protection

Have you ever heard of a website traffic jam?

That’s basically what a ‘Distributed Denial-of-Service (DDoS) attack is. When a large corporate website is ‘brought down by hackers’ then more often than not it’s due to a DDoS attack. The aim of such attacks is to flood a website’s server with more traffic than it can cope with, until eventually it grinds to a halt and breaks.

These attacks aren’t designed to hack into your database files and remove any information. They’re there to cause havoc with your day-to-day business by shutting-down your site. They can happen to any website (not just large ecommerce sites) at any time.

At 20i we recognise the threat of such attacks and what harm they could cause to your WordPress site, which is why we have our own DDoS protection tool to guard against it.

Part of our every hosting package, 20i’s 1 Tbps+ DDoS protection provides ever-present cover. It filters out malicious traffic but allows genuine users through, leaving your website’s online presence uninterrupted.

Secure web hosting and WordPress hosting

Choose a secure web host

We’ve talked about a lot of vulnerabilities that can be encountered every day by WordPress websites and the security measures that you, the owner, can take to prevent them from happening. But one of the most important aspects is your web hosting.

The best secure hosting providers will know about security vulnerabilities and will have developed their platforms sufficiently to cover all aspects of website security.

So, what does a great secure web hosting provider look like? Here’s three key things to look out for: 

  • A great hosting provider will make the security of your website their number one priority. This will be an ever present aspect, which should feature significantly in the package they can tailor for you. This isn’t meant to worry you. On the contrary, if your web host is willing to readily discuss their security features, this should give you the confidence that they’re ahead of their competitors. 
  • A great web host will take the practice of server hardening very seriously, ensuring all their software and hardware is constantly up to date with the latest WordPress changes. 
  • A great web host understands there is no such thing as a 100% foolproof security platform, so has a range of tools ready to deploy if a hack occurs.

Taking all of the above into account we believe we may know of a web host provider who ticks all of these boxes (and more). Guess who? ?

20i secure hosting

20i web hosting comes with a range of industry-leading free security features for your WordPress website. These include:

  • Automatic malware scanning (and on-demand scanning)
  • 20i’s Web Application Firewall
  • 20i’s brute force login protection – StackProtect
  • Two-factor authentication
  • Email scans
  • Hotlink protection
  • PCI compliance
  • DDoS protection
  • Secure password creation
  • File permissions checker
  • Free SSL certificate
  • Backups
  • Access to web hosting experts if you have a problem

It’s fair to say a number of 20i’s security features should ring quite a few bells with the vulnerabilities outlined in previous sections of this guide. Let’s take a closer look at some of them in more detail. 

20i’s web application firewall (WAF) goes further than other traditional firewalls by blocking the use of web forms to insert malicious code. The 20i WAF checks all browser-to-server requests looking for any sign of cross-site scripting, path traversal and all other types of attacks. These inspections are completed in less than a millisecond. 

StackProtect is 20i’s protection against any and all brute force attacks made against your WordPress website. By using Google’s latest reCAPTCHA software, it monitors for malicious login attempts and blocks millions of requests each day. 

In addition, our email scanning protection checks all emails sent and received to detect any virus and spam content, using three different layers of inspection. One to check for mail from any known spam networks, one to check any known malware signatures and one to check content for any spam-like characteristics. 

Ever evolving

All of these tools are very much seen as ever-evolving features. A team of security experts work hard to ensure they’re regularly updated to stay ahead of the hacking community. 

The really great news is that all of this is completely free. At 20i we believe that secure hosting should not be a ‘nice to have’ or treated as an ‘optional extra’ to tag on to the end of your website’s hosting package. Security should be included without question and without charge. 

You can find out more about 20i’s secure Managed WordPress Hosting packages here.

WordPress website hacked - what to do?

What to do if your WordPress website has been hacked

Cybercriminals are in an arms race against security measures. So there’s always a chance that your site will get hacked. If you’re prepared for it, you can mitigate the damage.

How would I know my site’s been hacked?

There’s a number of signals that would suggest your website has been hacked. Some of the key indicators would be:

  • You’re unable to log in with your password/username
  • New content has mysteriously appeared on your site without your knowledge
  • You receive a notification from your hosting provider or security plugin of malicious activity
  • Your website is redirecting to other websites (dating, gambling sites etc.)
  • A Google search of your WordPress website returns with a ‘This site may be hacked’ message
  • A website user alerts you to unusual content and/or activity on the website

ℹ️ At 20i, our automatic malware scanning tool would notify you immediately. You would get an email alert and control panel notification if any suspicious activity was identified. You can also run a further check using the WordPress Checksum Report tool to clarify whether your site’s core files match with the official WordPress repository. If they don’t then it’s likely that your site has been hacked and the Checksum can replace the hacked files.

If my website has been hacked, what should I do first?

The first thing to remember is that there’s a process and a fix for this – so try to remain calm!

Then, if you’re able to do so, move your website offline into maintenance mode. This will prevent any more users noticing that your website has been hacked. You can then take steps to fix your website and put it back online.

How do I fix a hacked WordPress website?

Before you take any further steps, change all of your passwords on the website. Following this, make contact with your web hosting provider and request all information about the hack to find out where on your site the malware has been placed. 

We can highlight this through a Checksum Report and Malware Scan. We’ll provide you with prompts that will help you remove the offending malware from your core WordPress files. Our support team can also help with this.

Once this is complete you can then restore your website using the most recent backup taken before the malware appeared. Diligent website owners will be able to call upon a backup taken very recently. This is why regular backups are so important!

You can now begin to check if all is now fixed internally by requesting a fresh scan for any remaining malware (before doing this it’s worth checking to see if any old themes or plugins need to be removed). Keep repeating this step until all malicious files are gone and the scan reports are clean. 

Finally, you should perform a full rundown of the security best practices outlined throughout this guide before putting your website back online:

  • Check user permissions and roles – are they all as they should be?
  • Review usernames and admin logins
  • Change passwords again – make sure they’re ‘strong’
  • Update any plugins and/or themes
  • Check that the latest PHP and WordPress versions are installed
  • Re-install your security plugins and 2FA
  • Change your secret keys
  • Remove any unused plugins and disable any functionality on your WordPress website that’s not necessary

The comprehensive guide to WordPress security: conclusion

The measures outlined in this guide are aimed at giving WordPress website owners the best possible chance of preventing the very real threat of a cyber attack.

Unfortunately new vulnerabilities appear all the time, so we can’t say that these best practices will definitely stop a hacker with criminal intentions from breaking into your site. But they can – and will – reduce their chances of success significantly.

Take control of your WordPress security now: it’s a good habit to develop.

Managed WordPress Hosting


  • Excellent post on security for WordPress Mike, thanks for sharing your expertise on this topic. I’d have to agree that Wordfence offers one of the best all round coverage in terms of price vs what you get. Some of the others offer similar or cheaper options but at the cost of features while others charge a lot more for the same.

    As you mentioned though, you don’t necessarily need a security plugin at all depending on hosting security options and even without that, there’s a good chance your site won’t be affected anyway. However, it’s always better to be safe than sorry to save a lot of potential headaches down the road.

  • Hi,
    many thanks for this helpful article, and giving the fact that many of the security measures has been taken care of by 20i platform and to avoid conflict of activities between 20i platform and the plugins, for those of using 20i for WordPress and still want to take advantage of changing ‘Admin Url’ and path for ‘Theme and Plugins’ , can we make use of the ‘wp-hide-security-enhancer plugin’ and how best can we use it that won’t affect 20i security rules on our website ?

    • Hi – If you want to use a plugin like ‘wp-hide-security-enhancer’ on the 20i platform there is nothing stop you from doing that. If you change the URL from /wp-login, our WordPress login-specific brute force rules will no longer apply, but the more general security rules are still active and protecting the site.