How to secure WordPress with plugins on WordPress
Secure your WordPress site by installing essential security plugins like Wordfence or Sucuri, configuring firewall settings, and enabling two-factor authentication. Regular security scans and malware monitoring help protect against threats.
Prerequisites
- WordPress admin access
- Basic understanding of WordPress dashboard
- Backup of your website
- FTP access (recommended)
Step-by-Step Instructions
Install a comprehensive security plugin
Wordfence Security or Sucuri Security. Click Install Now and then Activate. These plugins provide firewall protection, malware scanning, and login security features.
Configure firewall settings
Enabled and Protecting. Configure Rate Limiting by setting login attempts to 5 failures in 20 minutes. Enable Block fake Google crawlers and Block hosts who violate Google crawling guidelines.
Enable two-factor authentication
Two Factor Authentication plugin by going to Plugins > Add New. After activation, go to Users > Your Profile and scroll to the Two Factor Authentication section. Select Email or Time Based One-Time Password (TOTP) and click Enable. Configure your preferred 2FA app, such as Google Authenticator or Authy.
Set up malware scanning
daily or weekly. Enable Email alerts for scan results by checking Send email summary of scan results in the scan options.
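A scheduled scan reports files that have changed, appeared or disappeared since the last clean state. The following is an added example, not code from Wordfence or Sucuri, of the baseline-and-compare check behind such reports: it hashes every file under a site root with SHA-256, skips the uploads directory (as the troubleshooting notes below suggest for large media folders), and diffs a later snapshot against the baseline. The site tree, file contents and the `EXCLUDED_DIRS` setting are constructed for the demo, so it runs offline in a temporary directory.

```python
"""Baseline-and-compare file integrity check for a WordPress tree.
Added example for this guide, not plugin code; the directory layout
and file contents below are constructed so the demo runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed setting: large media directories are excluded from the scan,
# as suggested in the troubleshooting section for slow sites.
EXCLUDED_DIRS = {"uploads"}


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map POSIX-style relative path -> sha256 for every file under root."""
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # prune excluded directories in place so os.walk does not descend
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for name in filenames:
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def compare(baseline, current):
    """Return (added, removed, modified) sets of relative paths."""
    added = set(current) - set(baseline)
    removed = set(baseline) - set(current)
    modified = {p for p in set(baseline) & set(current) if baseline[p] != current[p]}
    return added, removed, modified


def demo():
    """Constructed scenario: take a baseline, then change the tree and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content" / "plugins" / "demo").mkdir(parents=True)
        (site / "wp-content" / "uploads").mkdir()
        (site / "wp-config.php").write_text("<?php // constructed config\n")
        (site / "wp-content" / "plugins" / "demo" / "demo.php").write_text("<?php // v1\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8")
        baseline = build_baseline(site)

        # A plugin file changes, an unexpected file appears, and a media file
        # changes inside the excluded uploads directory (which must be ignored).
        (site / "wp-content" / "plugins" / "demo" / "demo.php").write_text("<?php // v1 plus extra code\n")
        (site / "wp-content" / "plugins" / "demo" / "extra.php").write_text("<?php // new file\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\x00")
        added, removed, modified = compare(baseline, build_baseline(site))
        return sorted(added), sorted(removed), sorted(modified)


if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "modified"), demo()):
        print(f"{label}: {paths}")
```

In a real deployment the baseline would be stored outside the web root (or signed) so that whoever modifies the site cannot also rewrite the reference hashes, and the comparison would run on the daily or weekly schedule chosen above.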
Configure login security measures
reCAPTCHA v2. Set Lock out after to 5 failed login attempts within 20 minutes. Enable Immediately lock out invalid usernames and add common usernames such as admin and administrator to the blocked list.
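The firewall rate-limiting rule (5 failures in 20 minutes) and the login lockout rules above describe the same sliding-window logic. The example below, added here and not taken from any plugin, runs that logic over a few constructed authentication log lines: a source is locked after 5 failures inside a 20-minute window, a successful login resets its counter, and an attempt against a username that is blocked or does not exist locks the source immediately. The log format, IP addresses and `VALID_USERNAMES` list are assumptions made for the demo.

```python
"""Sliding-window login lockout matching the settings in this guide.
Added example, not plugin code; the log format and accounts are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                     # "Lock out after 5 failed login attempts"
WINDOW = timedelta(minutes=20)       # "...within 20 minutes"
BLOCKED_USERNAMES = {"admin", "administrator"}   # the blocked list from the text
VALID_USERNAMES = {"editor_jane", "author_bob"}  # constructed: accounts that exist

# Constructed log lines: "<ISO timestamp> <source ip> <username> <result>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 editor_jane fail
2024-05-01T10:03:00 203.0.113.7 editor_jane fail
2024-05-01T10:05:00 203.0.113.7 editor_jane fail
2024-05-01T10:06:00 203.0.113.7 editor_jane fail
2024-05-01T10:07:00 203.0.113.7 editor_jane fail
2024-05-01T10:08:00 198.51.100.9 editor_jane fail
2024-05-01T10:40:00 198.51.100.9 editor_jane fail
2024-05-01T10:41:00 198.51.100.9 editor_jane success
2024-05-01T11:00:00 192.0.2.44 admin fail
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def evaluate_log(log_text):
    """Return {source ip: reason} for every source that should be locked out."""
    failures = defaultdict(deque)    # ip -> timestamps of failures still in the window
    lockouts = {}
    for line in log_text.splitlines():
        ts, ip, user, result = parse_line(line)
        if ip in lockouts:
            continue                 # already locked; later attempts are rejected anyway
        # "Immediately lock out invalid usernames", plus the explicit blocked list
        if user in BLOCKED_USERNAMES or user not in VALID_USERNAMES:
            lockouts[ip] = f"invalid username '{user}'"
            continue
        if result == "success":
            failures[ip].clear()     # a real login resets the failure counter
            continue
        window = failures[ip]
        window.append(ts)
        # forget failures older than 20 minutes relative to this attempt
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) >= MAX_FAILURES:
            lockouts[ip] = f"{len(window)} failures within {WINDOW}"
    return lockouts


if __name__ == "__main__":
    for ip, reason in evaluate_log(SAMPLE_LOG).items():
        print(f"lock {ip}: {reason}")
```

In the sample, 203.0.113.7 reaches five failures between 10:00 and 10:07 and is locked; 198.51.100.9 fails twice but 32 minutes apart, so the first failure has expired when the second arrives and the later successful login clears it; 192.0.2.44 is locked on its first attempt because it tried the blocked admin account.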
Install SSL and security headers plugin
Really Simple SSL plugin from Plugins > Add New. After activation, the plugin will automatically detect your SSL certificate and configure HTTPS redirects. For additional security headers, install the HTTP Headers plugin and configure a Content Security Policy, set X-Frame-Options to SAMEORIGIN, and set X-Content-Type-Options to nosniff.
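Once the headers plugin is configured, it is worth verifying what the site actually sends. The audit function below is an added example, not part of the HTTP Headers or Really Simple SSL plugins: given a dictionary of response headers (as you would get from any HTTP client), it reports headers that are missing or set to weak values against the recommendations above (X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, a Content-Security-Policy without `'unsafe-inline'` or wildcard script sources) and additionally checks Strict-Transport-Security, which belongs with an HTTPS setup. Both sample header sets are constructed; the 180-day HSTS threshold is an assumption of this example.

```python
"""Audit HTTP response headers against this guide's recommendations.
Added example, not plugin code; the sample header sets are constructed."""


def _csp_ok(value):
    """A CSP whose effective script source allows 'unsafe-inline' or '*'
    gives little protection against injected script."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    script = directives.get("script-src") or directives.get("default-src") or []
    return bool(script) and "'unsafe-inline'" not in script and "*" not in script


def _hsts_ok(value):
    """Require max-age of at least 180 days (assumed threshold for this example)."""
    for part in value.lower().split(";"):
        part = part.strip()
        if part.startswith("max-age="):
            try:
                return int(part[len("max-age="):]) >= 180 * 24 * 3600
            except ValueError:
                return False
    return False


# header name -> (predicate on the value, advice shown when it fails)
RULES = {
    "X-Frame-Options": (lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
                        "set to SAMEORIGIN (or DENY) to block framing"),
    "X-Content-Type-Options": (lambda v: v.lower() == "nosniff",
                               "set to nosniff to stop MIME sniffing"),
    "Content-Security-Policy": (_csp_ok,
                                "define script-src without 'unsafe-inline' or '*'"),
    "Strict-Transport-Security": (_hsts_ok,
                                  "set max-age to at least 180 days once HTTPS works"),
}


def audit_headers(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (check, advice) in RULES.items():
        value = lowered.get(name.lower())
        if value is None:
            findings.append(f"missing {name}: {advice}")
        elif not check(value):
            findings.append(f"weak {name}={value!r}: {advice}")
    return findings


# Constructed: what a stock install typically sends before any hardening
DEFAULT_WP_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Powered-By": "PHP/8.1",
}

# Constructed: headers after configuring the plugin as described above
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example; object-src 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_WP_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "no findings")
```

To use it against a live site, feed it the headers returned by your HTTP client of choice for the site's front page and for wp-login.php separately, since some plugins apply headers to only one of them.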
Set up database security and backups
WP Security Audit Log to monitor all changes to your site. Go to Audit Log > Settings and enable Login/Logout Events and Content Changes. Install UpdraftPlus for automated backups. Configure backups to run daily for the database and weekly for files, storing them on Google Drive or Dropbox.
Monitor and maintain security settings
blocked attacks, successful logins, and file changes. Regularly review Live Traffic logs to identify suspicious activity. Update all plugins, themes, and WordPress core immediately when updates are available through Dashboard > Updates.
Common Issues & Troubleshooting
Security plugin causing site to load slowly
Go to your security plugin settings and disable Real-time file system monitoring or reduce Scan frequency. Consider excluding large directories like /uploads/ from continuous monitoring.
Locked out of WordPress admin after enabling security features
Access your site via FTP and rename the security plugin folder in /wp-content/plugins/ to temporarily disable it. Alternatively, add your IP address to the Whitelist via the plugin's emergency recovery options.
Two-factor authentication not working
Check that your server's time is synchronized correctly: TOTP codes are derived from the current time in 30-second steps, so a server clock that drifts by more than the plugin's tolerance will reject every valid code. Go to Settings > General and verify the Timezone setting. Clear your 2FA app's cache and re-scan the QR code if using TOTP authentication.
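To see why the clock matters, the example below (added here; it is not the Two Factor Authentication plugin's implementation) computes RFC 6238 TOTP codes with HMAC-SHA1 and a verifier that tolerates one 30-second step of drift in either direction. It then takes the code an authenticator app would show at one instant and checks it against server clocks that are 0, 20, 45 and 120 seconds ahead. The secret and timestamps are constructed for the demo; the one-step tolerance is an assumption, since plugins differ in how much drift they allow.

```python
"""RFC 6238 TOTP and the effect of server clock skew.
Added example for this guide, not plugin code; secret and times are constructed."""
import base64
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP time step
DIGITS = 6


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """Compute the TOTP code for a base32 secret at the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step                 # which 30-second step we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret_b32, code, server_time, tolerance=1):
    """Accept the code if it matches any step within +/- tolerance steps of server_time."""
    for drift in range(-tolerance, tolerance + 1):
        if hmac.compare_digest(totp(secret_b32, server_time + drift * STEP), code):
            return True
    return False


SECRET = "JBSWY3DPEHPK3PXP"   # constructed demo secret, not one to reuse anywhere


def skew_demo():
    """The phone shows the code for one instant; the server's clock is ahead
    by 0, 20, 45 or 120 seconds.  Returns {skew_seconds: accepted?}."""
    phone_time = 1_700_000_000   # constructed instant, 20 s into its 30 s step
    code = totp(SECRET, phone_time)
    return {skew: verify(SECRET, code, phone_time + skew) for skew in (0, 20, 45, 120)}


if __name__ == "__main__":
    for skew, ok in skew_demo().items():
        print(f"server {skew:>3}s ahead -> {'accepted' if ok else 'REJECTED'}")
```

With one step of tolerance, a 20-second skew still passes (the phone and server land in adjacent steps), but 45 seconds already puts the server two steps ahead and every code the user types is rejected, which is exactly the symptom described above. Keeping the server on NTP removes the problem at the source; widening the tolerance only hides it and gives an intercepted code a longer useful life.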
False positive malware alerts
Review the Scan Results carefully and mark legitimate files as Ignore. Add trusted file paths to the Exclusions list in your security plugin settings to prevent future false alerts.