How To Easily Secure Your WordPress Site for Free

How To Easily Secure Your WordPress Site for Free

It goes without saying — WordPress security is vital. The importance of having a secure site can’t be understated if you want to be protected against malware, avoid being hacked, and stay high-ranking on Google.

The good news is that there are easy steps you can take to secure your WordPress site — for free!

To get started, check out this quick video. Then, we’ll go through more detailed information in this article.

If your site isn’t secure or gets hacked, information, such as passwords and personal information is vulnerable. Hackers can steal user info and use it for malicious purposes.

Plus, your site can lose its good reputation. If your site is not secure and becomes vulnerable, you can get blocklisted by Google, and your ranking could even take a nosedive in the SERPs. Yuck!

This article explores the top cost-saving measures you can implement to stop hackers in their tracks, keep bots aways, and stay ranking high on Google.

We’ll look at how to boost security from the WordPress admin and also with the help of our free security plugin, Defender.

defender with free security.
Defender is pretty stoked about free security!

Here’s what I’ll be covering:

  1. Quick and Easy Ways to Secure Your Site in the WordPress Admin
  2. Keeping Your Site Secure by Noticing Outdated Plugins and Themes
  3. Creating Secure and Strong Passwords
  4. Some Other Security Tweaks to Consider in the Admin
  5. Securing Your Site for Free with Defender

By the time you read this, you’ll have plenty of ways to keep your WordPress site secure for free.

So, put your wallet away. You won’t be needing it here.

1. Quick and Easy Ways to Secure Your Site in the WordPress Admin

We’ll start with some essentials to avoid any unfortunate security issues. Some of these precautions may be obvious to you, but they’re worth mentioning.

An Updated WordPress is a Secure WordPress

One of the most important precautions you can take is to keep your WordPress, plugins, and theme updated.

Where the WordPress updates are in the admin.
Where you can see all of the updates needed in the WordPress dashboard. The number in the red circle indicates the number of updates available.

WordPress is regularly installing updates to keep things current. On top of that, themes and plugins frequently are updated and maintained.

If themes and plugins are not maintained properly, they’ll become outdated and a security risk by becoming vulnerable to bugs. It’s essential to keep all of these elements of WordPress up to date.

WordPress makes all of this quick and easy to do. By clicking on the Updates tab in the dashboard, you’ll see a detailed look at what needs updating.

Plus, you can enable automatic updates for all new versions of WordPress from here, so you don’t even need to worry about doing it manually.

The WordPress updates.
You can see the current version of WordPress and the option of enabling automatic updates.

Keeping tabs on your WordPress version, themes, and plugins is a crucial part of keeping your site secure. It doesn’t cost a dime to do, and is easy to maintain.

Good news if you’re a WPMU DEV member… all plugins, themes, and WordPress files automatically update with our Automate feature (which comes free with The Hub) — so you’re already taken care of!

2. Keeping Your Site Secure by Noticing Outdated Plugins and Themes

It’s important to point out that you don’t want to use any outdated plugins or themes to begin with. Fortunately, WordPress gives notification for plugins and themes that haven’t been updated.

For example, if you are searching for a plugin on and see this towards the top of the plugin’s page…

The message for an outdated plugin in WordPress.
A sure sign that this plugin is not maintained well.

…you’ll want to avoid that plugin. Similarly, an outdated theme will display the same type of message.

The sign of an outdated theme.
Two years is a long time to go with no update.

Avoid any plugins or themes that aren’t updated to begin with.

Chances are, the developers who created them have abandoned it, and it will not be updated soon.

If you do find that you have outdated themes and plugins, delete them. Even if they’re not in use, they’re not worth having around and are susceptible to bugs.

3. Creating Secure and Strong Passwords

One of the most frequent hacking attempts is with passwords. So it’s becoming more common these days with any online account to use a strong password, and the same is true with WordPress.

Make your passwords unique, with characters, numbers, and letter combinations that would be extremely difficult ever to replicate. You should do this with your FTP accounts, hosting, email, and database as well.

WordPress will automatically create a strong password for you in the admin. You can choose to create your own or use their suggestion.

The WordPress generated password.
A new password is easily created by going to User > Profile > Set New Password.

Plus, don’t give your account information to anyone and grant them access (I think we all know better, but still, I had to mention it…). You can set up users and roles in WordPress for others, but keep your passwords private.

Also, change your passwords regularly. It’s suggested that every 30-days or so is a good time frame for generating a new password.

4. Some Other Security Tweaks to Consider in the WordPress Admin

You can take a few other free security precautions when it comes to WordPress.

Logging out of your account when not in use, deleting spammy comments, and limiting roles for other users are some other easy ways to stay secure.

Beyond the admin, you’ll see that there’s a ton that can be accomplished with the help of a plugin when it comes to beefing up your security.

5. Securing Your Site for Free with Defender

The majority of security precautions you can implement for free can be handled easily with our very own plugin, Defender.

Defender can stop brute force attacks, SQL injections, cross-site scripting XSS, and tons more like malware & antivirus scans, IP blocking, security log, and two-factor authentication login security.

An image of Defender.
Defender is here to help!

When it comes to a free security solution, Defender is a perfect option to keep your site safe and secure! Plus, it’s all easily manageable as he makes security a breeze.

Here’s a breakdown of what Defender can do to stop any hackers or bots that are up to no good.

Security Tweaks

Defender mentions security recommendations you can make to improve site security, like disabling XML-RPC, hide error reporting, disabling trackbacks & pingbacks, and more.

Many of the recommendations can be handled in one-click and bulk by way of the Security Recommendations area.

Defender's security recommendations.
All of the tweaks are suggested in the Security Recommendations area.

It’s suggested to take care of all of the recommended security tweaks; however, some might not be practical for your WordPress site.


Our best pro WP tools in one bundle

Try free for 7 days
30-day money-back

If you ever need to revert a tweak, you can do so with the Revert option.

You can get a detailed look at all of the recommended tweaks in the drop-down menu.

There, you’ll be able to see an overview of the vulnerability, status, how to fix, an option to ignore, and also an action button that’s unique to the suggested fix.

For more information, be sure to check out this detailed look at security tweaks with Defender.

Security Scans

Malware Scanning is a great resource for keeping your site protected. It checks your WordPress core files for suspicious code.

This tool compares your WordPress install with the master copy in the WordPress directory, reports any changes, and enables you to restore the original file in a click.

New Defender scan.
Start a new scan in one click or have one scheduled.

The scan results are viewed directly on Defender’s dashboard. You can get a detailed look at the results under View Report, showing the suggested fixes for each issue.

From there, you can take care of them in bulk.

Take care of all of your issues in bulk.

You can also create a new scan in one-click and get notified of reports via email — even if no issues are found.

Malware scanning and taking care of security issues has never been easier. Get an inside look at one-click malware scanning in Defender.

2-Factor Authentication

Make the accounts for you and your users even more secure with 2-factor authentication.

With Defender, you can choose the user roles you want to enable 2-factor authentication in one-click from the dashboard.

2fa users and roles.
Select as many user roles as you want for 2-factor authentication.

You’re also able to enable a Lost Phone feature if a user can’t access their mobile device.

Additionally, customize the App Title that appears in the Authenticator app, view active users, and customize the email copy for two-factor authentication emails.

Plus, you can choose what app to use for 2FA. You can pick between Google Authenticator, Microsoft Authenticator, and Authy.

Two-factor authentication is an excellent line of defense against hackers and a welcome added layer of protection.

Read more about Defender’s 2FA here.

Firewall, 404 Detection, and IP Management

Your WordPress site is safely protected with Defender’s firewall and IP management. With it, you can manually block specific IPs, set automated timed & permanent lockouts, import a list of banned IPs, and more.

Firewall in Defender.
Defender tells you all of the lockouts your site has had in the past 24 hours and more — right in the dashboard.

Defender will lock out users after a specified set number of failed login attempts. You’re able to customize the amount of failed logins and timeframe of the lockout.

Plus, you can customize the lockout message.

Defender image showing lockout.
Defender will let the culprit know what’s up.

Also, enable 404 Detection, which will keep an eye out of IP addresses that are repeat offenders trying to access a web page that doesn’t exist.

It will then temporarily block them from accessing your WordPress site.

Like with the failed logins, you can add a customized message and choose the duration of time for the lockout. Additionally, you can add files, folders, and file types you want to ban automatically.

As for the IP banning, you choose which IP addresses you want to ban from accessing your WordPress site in a Blocklist.

Likewise, you can choose any IPs you want to exempt from any ban rules in the Allowlist.

Other IP management features include:

  • The ability to view active lockouts
  • Option to ban countries you don’t want traffic from
  • Customized lockout message users will see
  • Import and export of blocklist and allowlist

Not only that, Defender logs all IP lockouts with detailed information, time, and date of occurrence.

From there, you can click on the dropdown of individual occurrences and instantly ban the IP or add it to the allowlist.

Want this IP added to the blocklist? Do so in one-click.

Firewall and IP management will keep your site in check from any suspicious IPs looking to cause havoc. For more, be sure to read our article, How to Create a Powerful and Secure Customized Firewall with Defender.

Login Protection

Quickly limit login attempts to stop users from trying to guess passwords. It’s easy with Defender’s Login Protection.

With this, you can also permanently ban IPs or trigger a timed lockout after a set amount of failed attempted logins.

This feature is under the Firewall category in the dashboard. Choose the threshold of how many attempted failed logins the user has and the amount of time for the lockout.

The login protection area in Defender.
In this example, it’s set at five failed logins within 300 seconds for a lockout. The lockout will remain for 300 seconds.

You can add a customized message that explains the lockout. Also, add banned usernames by adding them in the system.

For more on Login Protection, check out this article.

Login Screen Masking

To prevent hackers and bots from discovering your login screen, you can change your default URL.

With login screen masking, you’ll add a new URL slug to login from. And you can redirect traffic to any visitor or bot that tries to visit the default WordPress login.

Where you choose a new slug.
Choose any new slug that you’d like.

This is a great way to prevent hackers and bots from even getting close to your login area. Just like any villain, if they can’t find the door, there’s not much chance of them getting in.

WordPress Security is Priceless

As you can see, there is a lot you can do to secure your WordPress site for free! You don’t need to spend your hard-earned cash on security — especially with the help of our plugin, Defender.

It takes time and dedication to implement what we discussed. The more you devote to your WordPress security, the harder it is for hackers and bots to take advantage of your site and cause chaos.

Plus, your site won’t get blocklisted by Google and maintain its good reputation.

On that note, for an overview of Defender’s security features, check out this quick video.

And for more on security, be sure to read our Ultimate Guide to WordPress Security and Getting the Most Out of Defender.

Take advantage of these free resources and sleep well, knowing you’ve stepped up your security game to keep your site safe.

Have you protected your WordPress site with our free version of Defender? What do you think? Let us know in the comments!

N. Fakes

N. Fakes Nathanael Fakes is a blog writer and cartoonist at WPMU DEV. He’s worked with WordPress for over a decade. Beyond WordPress, he’s a published author, syndicated cartoonist, and donut enthusiast. Connect with Nate on Instagram and learn more about his work on his comics website.