Transcripts
1. Introduction to WordPress Security Course: Greetings everyone. I am Szen Pradan, and I'm excited to welcome you to our WordPress security course. With so many popular websites using WordPress, it's clear that it's a great platform. But with popularity comes the risk of hacks and brute-force attacks. That's why this course is all about making your WordPress site more secure.

Here's what we will cover in this course. Popular sites using WordPress: see examples of famous sites using WordPress. Disable directory listing: stop people from seeing your website files. Disable the JSON API: stay safe from a potential security risk. Limit login attempts: make it harder for hackers to break into your site. Add reCAPTCHA to the login page: add an extra layer of security. Block access to the login page by country or IP: control who can try to log into your website. Change the default wp-admin URL: hide your login page from attackers. Additionally, you will also learn how to get notified when someone accesses your WordPress dashboard, get notified when a plugin is activated or deactivated, prevent specific plugin installations on your WordPress site, confuse bots by interchanging the login fields for username and password, add custom fields to your WordPress login page, and many more.

Who is this course for? This course is for anyone who knows the basics of WordPress. You don't need to be a tech expert. We will explain everything in simple, easy-to-follow steps.

Takeaway from this course: by the end of this course, you will know how to secure your WordPress site using just a few lines of code. We will not be using any plugins. Let's get started and make your WordPress website safe and secure.
2. Add an extra page to access the WordPress login page - wp-admin: Greetings everyone. Here is how you can add an extra password layer to protect your WordPress site, something like this. Now, to do that, log into your WordPress site. We are already logged in. Now go to Appearance and Theme File Editor. Click on Theme Functions, scroll down, and now we will add some custom code here. Here is the code we are going to use. Copy this code and paste it here. Now, the only modification we need to make to this code is to set the custom password. For now, the default password is 123456, but you can use any numbers or letters for the password. The code might look big, but it is mostly CSS for the password input area. This is all done. Update file, so the file has been updated. Now let's open wp-admin in incognito mode. So you will see this. Let me input a wrong password. It will say incorrect password. So only the right password will give you access to wp-admin, and then you can log in to your dashboard.

Now, if you forget the password, there is no way to access the site using wp-admin. In that case, you will have to use cPanel or FTP. We will be using cPanel, and we are already logged in. Go to File Manager and locate your website files. Go to public_html. So here are all our files. Here, go to wp-content. Go to themes. We are using the Twenty Twenty-One theme. Find functions.php, right click and click on Edit, and Edit again, scroll down, and you will find the code we added earlier. You can see the password from here, or simply delete the whole code and save it. Now you can directly access wp-admin. The code is still seen here, but let me refresh this to update the file. So it is gone. So we recommend using this only if you have access to the root files using cPanel or FTP. Thank you very much.
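The lesson's own snippet is not reproduced on this page, so here is an added example of the same idea, written for this page and not taken from the course: a second password prompt in front of wp-login.php, implemented with the `login_init` hook. It goes into functions.php below the existing opening tag (or into its own file under wp-content/mu-plugins). Everything prefixed `wpsec_` is an assumed name. Unlike a plain-text password in the file, the gate password is kept as a `password_hash` output, and the "already unlocked" cookie is an HMAC keyed with the site's `AUTH_KEY`, so reading functions.php yields no usable secret.

```php
<?php
// Added example, not the course's own snippet: a second password prompt in
// front of wp-login.php. Names with the wpsec_ prefix are assumptions.
// Keep a hash, not the plain password. Generate it once with
//   php -r 'echo password_hash("123456", PASSWORD_DEFAULT);'
// (123456 is the lesson's placeholder; pick your own) and paste the output below.
define('WPSEC_GATE_HASH', 'REPLACE_WITH_password_hash_OUTPUT');
define('WPSEC_GATE_COOKIE', 'wpsec_gate');

// The cookie holds an HMAC keyed with AUTH_KEY from wp-config.php, so it
// cannot be forged without the key and carries no password material.
function wpsec_gate_token() {
    return hash_hmac('sha256', WPSEC_GATE_HASH, AUTH_KEY);
}

function wpsec_gate_passed() {
    return isset($_COOKIE[WPSEC_GATE_COOKIE])
        && hash_equals(wpsec_gate_token(), (string) $_COOKIE[WPSEC_GATE_COOKIE]);
}

// login_init runs at the top of wp-login.php, before any login action is handled
add_action('login_init', 'wpsec_gate_check');
function wpsec_gate_check() {
    if (wpsec_gate_passed()) {
        return;
    }
    $error = '';
    if (isset($_POST['wpsec_gate_pw'])) {
        $given = (string) wp_unslash($_POST['wpsec_gate_pw']);
        if (password_verify($given, WPSEC_GATE_HASH)) {
            // session cookie, HTTPS-only when the site is served over TLS, not readable by JS
            setcookie(WPSEC_GATE_COOKIE, wpsec_gate_token(), 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true);
            // reload the same URL (keeps ?redirect_to=... intact) now that the gate is open
            wp_safe_redirect((string) wp_unslash($_SERVER['REQUEST_URI']));
            exit;
        }
        sleep(2); // slow down online guessing of the gate password
        $error = 'Incorrect password.';
    }
    wpsec_gate_render_form($error);
    exit;
}

function wpsec_gate_render_form($error) {
    status_header(401);
    nocache_headers();
    ?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Restricted</title>
<style>body{font-family:sans-serif;max-width:22em;margin:5em auto}input,button{width:100%;margin:.4em 0;padding:.5em}</style>
</head><body>
<form method="post">
  <label for="wpsec_gate_pw">Access password</label>
  <input type="password" id="wpsec_gate_pw" name="wpsec_gate_pw" autocomplete="off" required>
  <?php if ($error !== '') : ?><p style="color:#b32d2e"><?php echo esc_html($error); ?></p><?php endif; ?>
  <button type="submit">Continue</button>
</form>
</body></html>
    <?php
}
```

The recovery path is the one the lesson describes: if the gate password is lost, remove the block from functions.php over cPanel or FTP. Because the code lives in the theme, switching themes or updating a theme that is not a child theme removes the gate silently; an mu-plugin does not have that problem.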
3. WP plugin that Secures Login with an App: Hi guys, so here is a very useful plugin to enhance your WordPress security. This is a secure login authorization plugin, and you can download it from the WordPress repository. This plugin basically prevents unauthorized logins. Even when someone knows your username and password, they won't be able to log in unless it has been authorized. Now, to use it, go to Settings. It has a very simple interface. Before starting anything, first make sure to download the app. You can scan this QR code from your mobile, or this is the app download link. Currently it is only available for Android users. Once the app is installed, go back to the settings. So this is how the app looks. In the app, we first need to add the website URL and secret key: tap on this scan icon and scan the QR code. So this has been done. Okay, before doing anything, make sure to do this. Now on the website, turn on Enable Login Authorization and save changes, and you might be logged out, as you can see. Let me go to /wp-admin. Now on the app, tap on Verify. So the connection is verified. The website and secret key are auto-saved. If you tap here, you can see the saved site, and you can use it or delete it.

Anyway, now we need to authorize users to log in. Let's add the user demo. This is in minutes. Let me authorize it for a few minutes, and tap Authorize. By the way, you can also specify the IP if you want. So the user has been authorized. Now let's try to log in from the PC. So the demo user only has 1 minute on the site. After that, the user will be automatically logged out. Let me go to the plugin settings. If the user wants to use the site for long, simply turn this off and save changes. When this is turned off, the app cannot verify, as it requires the connection. As soon as I turn it on and save changes, I will be allocated the earlier minutes. You can also increase the time from here. Let's add 12 minutes for now and authorize. So the earlier minutes have passed, so let me log in again. This time, I am authorized for 12 minutes. You can also force logout a user: simply type the user and tap on Force Logout. So this is done. Now on the site, if I click on Dashboard, I will be logged out. Even with the correct details, I will not be able to log in. So this is the main feature of this plugin. Let me quickly authorize it and log in.

Now, let's briefly talk about its other features. You can hide this plugin too. Save changes. So the plugin will not be hidden from the settings but from the plugin list. To hide it from here, go to Plugin Access, and this will list all admin users of the website. Now, if you want to authorize only the test user, enable it and save changes. So we have blocked ourselves. You can access the back end, but not find the plugin from the settings, and it is hidden from the plugins too. So only the test user can access it. Let me open a new tab and try to log in with test. I will also have to authorize the test user. Even for the test user, the plugin is hidden from the plugin list, but you can find it in the settings. So if you want to completely hide the plugin, make sure to hide it and revoke the access too. If this is off for all, then all admin users can access it.

Now go to Reset Plugin URL. This is a safety URL: if in case you lose the secret key, all you have to do is paste it in the URL bar. You do not need to log in, and this URL will not change unless you deactivate and activate the plugin. But if you use the reset URL, this will also reset the secret key. You do not have to log in, so I will log out. And now paste the URL. So the plugin settings have been reset. If I refresh this page, everything has been restored to default, and this secret key has changed. This URL will remain the same. But if you want to change it, deactivate and activate the plugin. This is for safety purposes, and this has changed. Anyway, please do give it a try. Thank you very much.
4. Without Plugins Change wp-admin URL: Greetings everyone. In today's video, we will quickly learn how you can change the default WordPress admin URL without using any plugins. Now, this is our demo website. If you go to /wp-admin or /wp-login.php, then the login page will open. As you know, this is the default URL for every WordPress website. So for security reasons, it will be a good idea to change it. So let's quickly log in to the dashboard. Since we are not using any plugins, we will add custom code to the theme functions. Go to Appearance and Theme File Editor. Click on Theme Functions, scroll down. We will add some code here. So here is a simple code that can change the wp-login.php URL. All you have to do is write any secret word here. Please note, this is case sensitive. Anyway, only using this word will give access to the login page. You must be careful about the upper or lower case used. Copy this and paste it here. Update file. It is updated. Now when someone tries to use /wp-admin or /wp-login.php, they will be redirected to the home page. Let's test it in incognito mode. So I'm using /wp-admin. You can see it is redirected to the home page. Let's try with /wp-login.php. It is again redirected. To access the dashboard, go to wp-login.php?my_secret_string=Nepal. Please note Nepal is case sensitive. Now you can use the credentials to log in. Please note this is not a foolproof method. For example, if you log out, it again goes back to the homepage. So there are some restrictions using this code. But for those who do not want any complicated plugins, this works great. If this video was useful, thank you very much.
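As an added example written for this page (not the course's own snippet), here is one way to implement the secret-string gate from this lesson. The parameter name `my_secret_string` and the value `Nepal` follow the lesson; the `wpsec_` names are assumptions. It differs from the lesson's version in one respect: once the secret has been seen, a session cookie remembers the unlocked state, so the login form's POST and a later logout keep working without the secret in the URL.

```php
<?php
// Added example, not the course's snippet: wp-login.php (and /wp-admin, which
// bounces to it) only opens when the secret query string is present; otherwise
// the visitor lands on the home page. wpsec_ names are assumptions. The parameter
// and value follow the lesson (my_secret_string=Nepal); change both.
define('WPSEC_LOGIN_PARAM', 'my_secret_string');
define('WPSEC_LOGIN_SECRET', 'Nepal');            // case-sensitive, as the lesson notes
define('WPSEC_LOGIN_COOKIE', 'wpsec_login_unlocked');

// Cookie value is an HMAC keyed with AUTH_KEY from wp-config.php, not the secret itself
function wpsec_login_cookie_value() {
    return hash_hmac('sha256', WPSEC_LOGIN_SECRET, AUTH_KEY);
}

function wpsec_login_unlocked() {
    if (isset($_GET[WPSEC_LOGIN_PARAM])
        && hash_equals(WPSEC_LOGIN_SECRET, (string) wp_unslash($_GET[WPSEC_LOGIN_PARAM]))) {
        // session cookie: gone when the browser closes; HTTPS-only on TLS sites; not readable by JS
        setcookie(WPSEC_LOGIN_COOKIE, wpsec_login_cookie_value(), 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true);
        return true;
    }
    return isset($_COOKIE[WPSEC_LOGIN_COOKIE])
        && hash_equals(wpsec_login_cookie_value(), (string) $_COOKIE[WPSEC_LOGIN_COOKIE]);
}

// login_init runs at the top of wp-login.php for every request to it, including
// the redirect that /wp-admin performs for logged-out visitors
add_action('login_init', function () {
    if (isset($_GET['action']) && $_GET['action'] === 'logout') {
        return;   // logging out never needs the secret
    }
    if (!wpsec_login_unlocked()) {
        wp_safe_redirect(home_url('/'));
        exit;
    }
});
```

Treat this as obscurity, not authentication: the secret travels in the URL, so it ends up in browser history, referrer headers and server logs, and anyone who learns it is back at the normal login form. It reduces noise from bots that hit /wp-login.php blindly; the lockout from lesson 5 is what actually limits guessing.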
5. Limit login attempts to WP login (no Plugins): Greetings everyone. In today's video, we will quickly learn how you can limit login attempts to access the WordPress dashboard. Basically, when someone makes a failed attempt to log in to your site, then that IP address will be blocked for a specified time, and a message will be shown, something like this. Let's get started. Now, to add a login attempt limit to a WordPress website, let's first go to our website. Go to /wp-admin. In a normal scenario, a hacker can try to access the website multiple times, and this could lead to a brute-force attack. So let's limit the login attempts by blocking the IP address which makes several wrong attempts. For that, let me log in with the right password. So we are in the dashboard. By the way, there are a few plugins that can limit login attempts. However, we will use some simple code. Go to Appearance and Theme File Editor, and go to Theme Functions. Scroll down. We will add some code here. Here is the code which will limit login attempts on WordPress, and this code will be provided. The 60 here means the blocking time in seconds after the failed login attempts. The two means two failed attempts before that IP is blocked. You can change this to three attempts or five. Also, you can change the 60 to 120 or 600, et cetera. This will be in seconds. And this is the message that will appear after two failed login attempts. Anyway, copy this code and paste it into the theme functions. I will keep two attempts for now. This is 60 seconds, and this is the message. Update file. The file has been updated. Let me quickly log out, and let's try to log in with the wrong password. So two wrong attempts have been made. As you can see, this message will appear, and the IP address will be blocked for 60 seconds.

Sometimes you might also see a 429 error. This actually comes from your hosting server for security and is not because of the code. This should clear in a few hours for your IP. If it is urgent, you can simply change the internet connection, use a VPN, or talk to your hosting provider about the IP. So you can see with the VPN, it works all good. Anyway, we hope this video was useful. Thank you very much.
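The lesson's code is not shown on this page, so here is an added example of a lockout with the same parameters (2 attempts, 60 seconds), written for this page and not taken from the course. It uses WordPress transients to keep a per-IP counter and the `authenticate` filter to refuse logins while the lockout lasts; all `wpsec_` names are assumptions.

```php
<?php
// Added example, not the course's snippet: lock an IP out after a number of
// failed logins, for a fixed period, using WordPress transients. wpsec_ names
// are assumptions; 2 attempts and 60 seconds are the lesson's values.
define('WPSEC_MAX_ATTEMPTS', 2);
define('WPSEC_LOCKOUT_SECONDS', 60);
define('WPSEC_LOCKOUT_MESSAGE', 'Too many failed login attempts. Please try again in %d seconds.');

// Use REMOTE_ADDR only. X-Forwarded-For is client-controlled unless a proxy you
// operate overwrites it; if so, map it to REMOTE_ADDR in wp-config.php, not here.
function wpsec_client_ip() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

// State per IP: ['fails' => n, 'until' => unix time]; the transient expires with the lockout
function wpsec_lockout_key($ip) {
    return 'wpsec_lock_' . md5($ip);
}

function wpsec_lockout_remaining($ip) {
    $state = get_transient(wpsec_lockout_key($ip));
    if (!is_array($state) || $state['fails'] < WPSEC_MAX_ATTEMPTS) {
        return 0;
    }
    return max(0, (int) $state['until'] - time());
}

// Count a failed password; attempts refused by the lockout itself are not counted,
// otherwise every retry would extend the lockout
add_action('wp_login_failed', function ($username, $error = null) {
    if ($error instanceof WP_Error && $error->get_error_code() === 'wpsec_locked') {
        return;
    }
    $ip    = wpsec_client_ip();
    $key   = wpsec_lockout_key($ip);
    $state = get_transient($key);
    $fails = is_array($state) ? (int) $state['fails'] + 1 : 1;
    set_transient($key, ['fails' => $fails, 'until' => time() + WPSEC_LOCKOUT_SECONDS], WPSEC_LOCKOUT_SECONDS);
}, 10, 2);

// Priority 40 runs after core's username/password check (priority 20), so a
// correct password during a lockout is still refused and the message reaches the form
add_filter('authenticate', function ($user) {
    $left = wpsec_lockout_remaining(wpsec_client_ip());
    if ($left > 0) {
        return new WP_Error('wpsec_locked', sprintf(WPSEC_LOCKOUT_MESSAGE, $left));
    }
    return $user;
}, 40, 3);

// A successful login clears the counter for that IP
add_action('wp_login', function () {
    delete_transient(wpsec_lockout_key(wpsec_client_ip()));
});
```

Two caveats a practitioner should expect: everyone behind one NAT address shares a counter, so an office can lock itself out, and the 429 the lesson mentions is a separate limit applied by the host, which this code neither causes nor clears.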
6. Block access to the login page by country: Greetings everyone. In today's video, we will quickly learn how you can block access to the WordPress login page by country. So to restrict access to the login page, let's quickly go to the wp-admin of our demo website. Currently, this page can be accessed from any country. For now, we are using an IP address from the USA. This is currently the United States. Let me open this page from a different country. So it works here too. This other page is using Nepal's IP address. Let me show you. This is from Nepal. Now, we will make this login page only accessible from the US, and we will block access to it from all other countries. To do that, let me quickly log in. We are in the dashboard. Since we are using some custom code, go to Appearance and Theme File Editor. Go to Theme Functions, scroll down, and we will add some code here. Here is the code we will use. In this code, mention the country short form here. This means only IPs from the US will be able to access the login page. Any other country will not be able to access it. For other countries, they will be redirected to this URL. Let me add our URL. It is done. Copy it and paste it into the theme functions. Now, any code written here might be overwritten on theme updates. Instead, you can also create your own plugin or use mu-plugins. Anyway, update file. The file has been updated. Now the login page should not be accessible from Nepal. Let's try to refresh this. You can see we are redirected to the homepage. Let me quickly try it again. So we are redirected because we are trying to access it from Nepal. Let me log out from here. So this page can only be accessed from the USA. If this video was useful, thank you very much.
7. Block access to the login page by IP: Greetings everyone. Here is a quick way to secure WordPress by only allowing specific IPs to access your login page. We will use the theme functions and not the .htaccess file. Now, this is our demo website. If you go to /wp-admin, this login page opens, and it opens from any IP address. So we will block access to all IP addresses except for the one specified. For that, let me quickly log in to the dashboard. So we are in the dashboard. Go to Appearance and Theme File Editor. Go to Theme Functions, scroll down, and we will add some code here. Here is the code. This code will allow access to your login page only from these IP addresses. Access from all other IPs will be redirected to this URL. Let's first change this link. I will simply add the home URL. Now you need to find the public IP address to whitelist. For that, Google "what's my IP". Now, this is our IP. Copy this and replace it here. If you want to add more IPs, you can add them here separated by commas. For now, we will only use one IP. Delete this. Now copy the code. This part is the description. And paste it here. Update file. The file has been updated. Now, open the site from a different IP to check if this works or not. So it has been redirected to the home page. Let's try again, so we are redirected again. It is because of the different IP. So this is how you can protect your WordPress website from unauthorized access to the login page. Thank you very much.
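Lessons 6 and 7 differ only in what they match on, so one added example covers both (written for this page, not the course's snippet): an IP allow-list plus a country allow-list for wp-login.php, with everything else redirected to the home page. The `wpsec_` names are assumptions. WordPress itself has no geolocation, which the lesson does not spell out; this example reads the `CF-IPCountry` header that Cloudflare adds when it proxies a site, but only if you declare that the site is behind Cloudflare, and exposes a filter so any other lookup can supply the code. With no country source the country rule denies.

```php
<?php
// Added example for lessons 6 and 7, not the course's snippet: allow wp-login.php
// only from listed IP addresses and/or countries and send everyone else to the
// home page. wpsec_ names are assumptions.
define('WPSEC_ALLOWED_IPS', ['203.0.113.10']);   // placeholder from the RFC 5737 doc range; put your IP here
define('WPSEC_ALLOWED_COUNTRIES', ['US']);        // ISO 3166-1 alpha-2, as in lesson 6; [] for IP-only (lesson 7)
define('WPSEC_BEHIND_CLOUDFLARE', false);         // true only when all traffic reaches you via Cloudflare

// REMOTE_ADDR only; forwarded-for headers can be set by the client
function wpsec_client_ip() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

// Country code for the client, '' when unknown. CF-IPCountry is only trustworthy
// when Cloudflare sits in front of the origin; otherwise anyone could send it.
function wpsec_client_country($ip) {
    $country = '';
    if (WPSEC_BEHIND_CLOUDFLARE && !empty($_SERVER['HTTP_CF_IPCOUNTRY'])) {
        $country = strtoupper(substr($_SERVER['HTTP_CF_IPCOUNTRY'], 0, 2));
    }
    // Another provider can supply the code: add_filter('wpsec_ip_country', ..., 10, 2)
    return (string) apply_filters('wpsec_ip_country', $country, $ip);
}

function wpsec_login_allowed($ip, $country) {
    if (in_array($ip, WPSEC_ALLOWED_IPS, true)) {
        return true;                                   // lesson 7: explicit IP allow-list
    }
    return $country !== '' && in_array($country, WPSEC_ALLOWED_COUNTRIES, true);   // lesson 6
}

add_action('login_init', function () {
    // Let logout through from anywhere so a session can always be ended
    if (isset($_GET['action']) && $_GET['action'] === 'logout') {
        return;
    }
    $ip = wpsec_client_ip();
    if (!wpsec_login_allowed($ip, wpsec_client_country($ip))) {
        wp_safe_redirect(home_url('/'));   // the redirect target the lessons use
        exit;
    }
});
```

Put your own current address in the list before saving; a typo locks you out of wp-admin, and the way back is the cPanel or FTP edit described in lesson 2. Home and mobile connections usually change address, which is why lesson 6's country rule is the more practical one for people without a fixed IP.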
8. Add reCAPTCHA to wp login page - NO PLUGIN: Greetings everyone. In today's video, we'll quickly learn how you can add reCAPTCHA to your WordPress login page. Basically, something like this. Let's get started. Now we want to add a captcha to our login page. So we want the captcha to be here. To do that, we first require a site key and a secret key. So let's get these keys. For that, go to google.com/recaptcha/admin. You will be required to log in with a Gmail account. Let me quickly log in. So from here, we can create all the required keys. We will be using version 2, the "I'm not a robot" checkbox. Please note the code we are using will only work for version 2 and will not work for version 3. Anyway, give any label name and the domain name. Make sure to remove https:// and click on Submit. So here is our site key and the secret key. To add them to our website, let's log in to our dashboard and enter the credentials. So we are in the dashboard. Since we are not using any plugins, we will add code to the theme functions. Go to Appearance and Theme File Editor. Go to Theme Functions. Scroll down, and we will add some code here. Here is the code we are going to use. Though it may look complicated, it is very simple. All you have to do is add the site key and the secret key. Let's copy this code and paste it here. Now let's add the site key, and likewise add the secret key. All done. Update file. It is updated. Now let's open wp-admin in incognito mode. So you can see here is the "I'm not a robot" checkbox. To access the dashboard, you must fill in all these options. If this video was useful, thank you very much.
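An added example of the reCAPTCHA v2 integration this lesson describes, written for this page rather than copied from the course: the widget is rendered inside the login form with the site key, and on submit the token is verified server-side with the secret key against Google's documented `siteverify` endpoint. The two key placeholders must be replaced with the values from google.com/recaptcha/admin; `wpsec_` names are assumptions.

```php
<?php
// Added example, not the course's snippet: reCAPTCHA v2 ("I'm not a robot")
// on wp-login.php. Replace both placeholders with the keys from the admin console.
define('WPSEC_RECAPTCHA_SITE_KEY', 'REPLACE_WITH_SITE_KEY');
define('WPSEC_RECAPTCHA_SECRET', 'REPLACE_WITH_SECRET_KEY');

// 1. Load the widget script on the login page only
add_action('login_enqueue_scripts', function () {
    wp_enqueue_script('wpsec-recaptcha', 'https://www.google.com/recaptcha/api.js', [], null, true);
});

// 2. Render the checkbox inside the form; login_form fires just above the submit button
add_action('login_form', function () {
    printf('<div class="g-recaptcha" data-sitekey="%s" style="margin-bottom:16px"></div>',
        esc_attr(WPSEC_RECAPTCHA_SITE_KEY));
});

// 3. Ask Google whether the token the browser posted is valid
function wpsec_recaptcha_verify($token, $ip) {
    if ($token === '') {
        return false;
    }
    $resp = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', [
        'timeout' => 10,
        'body'    => ['secret' => WPSEC_RECAPTCHA_SECRET, 'response' => $token, 'remoteip' => $ip],
    ]);
    if (is_wp_error($resp)) {
        return false;   // cannot reach Google: fail closed rather than let logins through
    }
    $data = json_decode(wp_remote_retrieve_body($resp), true);
    return is_array($data) && !empty($data['success']);
}

// 4. Check the token before the password is compared. wp_authenticate_user is
//    shared with XML-RPC, so the pagenow test limits this to the login form.
add_filter('wp_authenticate_user', function ($user, $password) {
    if (!isset($GLOBALS['pagenow']) || $GLOBALS['pagenow'] !== 'wp-login.php') {
        return $user;
    }
    $token = isset($_POST['g-recaptcha-response']) ? (string) wp_unslash($_POST['g-recaptcha-response']) : '';
    $ip    = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    if (!wpsec_recaptcha_verify($token, $ip)) {
        return new WP_Error('wpsec_captcha', 'Please confirm that you are not a robot.');
    }
    return $user;
}, 10, 2);
```

A failed captcha is reported through the normal `wp_login_failed` path, so it also counts towards the lockout in lesson 5. The captcha protects only the form on wp-login.php; xmlrpc.php accepts the same username and password without it, so disable XML-RPC (the `xmlrpc_enabled` filter) or restrict it at the web server if you do not use it.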
9. Confuse bots, prevent brute Force attack by inter-changing the login fields for username & password: Guys, here is how you can fool the bots and prevent brute-force attacks on a WordPress website. To explain further, let me open Chrome and go to the login page of our demo site. This is the default login page, so we will be modifying this. Basically, let's fool the bot by changing the username field to password and the password field to username. So we will exchange these, which will confuse the bot and make it difficult to access your website with the hit-and-trial method. Anyway, let's log in to the dashboard. We are on the dashboard now. To change the username to password and vice versa, we will add some code. For that, go to Appearance and Theme File Editor. Then go to Theme Functions. Scroll down, and let's add our code here. Now, here is the code we are going to use. This code basically swaps the positions of username and password. It does not modify the core WordPress files. Now copy the code and paste it here. Update the file. So it is done. Now let's open the login page in incognito mode. Now you can see, this is the password, and this is the login username. We have interchanged the positions. This should confuse the bot. Anyway, to log in, first enter the password, and then use the username below. We are logged in. If you want the default login page, go to Appearance and Theme File Editor. Go to Theme Functions, and remove the code we added. Update the file, so it is done. This is the default: username, then password. If this video was useful to you, thank you very much.
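Here is an added example of the field swap this lesson demonstrates (written for this page, not the course's snippet). In the browser the first box becomes the password and the second the username, with labels and input types switched; on the server the posted values are swapped back in `login_init` before WordPress reads them, so core files stay untouched. `wpsec_` names are assumptions.

```php
<?php
// Added example for lesson 9, not the course's snippet: first box takes the
// password, second takes the username. Posted values are swapped back before
// core reads $_POST['log'] and $_POST['pwd'].

// Server side: put the two values back in the order wp_signon() expects
add_action('login_init', function () {
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['log'], $_POST['pwd'])) {
        $first        = $_POST['log'];
        $_POST['log'] = $_POST['pwd'];
        $_POST['pwd'] = $first;
    }
});

// Browser side: relabel and retype the two inputs of the core login form
add_action('login_footer', function () { ?>
<script>
(function () {
  var userBox = document.getElementById('user_login');
  var passBox = document.getElementById('user_pass');
  if (!userBox || !passBox) { return; }
  // first box (name="log") now receives the password
  userBox.type = 'password';
  userBox.autocomplete = 'current-password';
  // second box (name="pwd") now receives the username
  passBox.type = 'text';
  passBox.autocomplete = 'username';
  var userLabel = document.querySelector('label[for="user_login"]');
  var passLabel = document.querySelector('label[for="user_pass"]');
  if (userLabel && passLabel) {
    var swap = userLabel.textContent;
    userLabel.textContent = passLabel.textContent;
    passLabel.textContent = swap;
  }
  // core's show/hide password button targets #user_pass, which is now plain text
  var toggle = document.querySelector('.wp-hide-pw');
  if (toggle) { toggle.style.display = 'none'; }
})();
</script>
<?php });
```

The effect on a bot that posts straight to wp-login.php with `log` and `pwd` is that its fields get swapped on arrival and the attempt fails even with correct credentials. The same applies to any legitimate client that does not render the page, such as a password manager filling the form by field name, so tell your users before enabling it and keep the rate limit from lesson 5 as the real control.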
10. Add custom fields to your WordPress login page: Greetings everyone. In today's video, we'll quickly learn how you can add a custom field to your WordPress login page. This can be extremely useful in terms of WordPress security. So this is the default WordPress login page, and now we have added our own custom field here. Let's get started. Now, to add the custom field to our login page, let's first open our demo website and go to letslearnwordpress.com/demo/wp-admin. So this is the default WordPress login page. We will add our custom field here with our own question and our own answer. To do that, let's first log in. So we are in the dashboard. To add custom fields, we will be using simple code. Go to Appearance and Theme File Editor. Go to Theme Functions, scroll down, and we will be adding some custom code here. Now here is the code. In this part of the code, you can write the answer to your question, and it is mandatory to be filled, or else it will show an error saying "incorrect answer, please try again". And this code will add the question field to the login page. This is the question. Let me write a custom question here. You can write any question. Now write the correct answer here. I will write Nepal. This field will be added, and the answer must be Nepal to log in. Now copy this code and paste it into the theme functions. Update file. It has been updated. Now let me open the login page in incognito mode. You can see a new field is added here. Let's try to log in using the correct details, but the wrong answer. So this will be shown. You will need to write the correct answer to log in. So here you can see. So this will protect against brute-force attacks on your website, as a bot would not have any idea about this new field. Anyway, we hope this video was useful. Thank you very much.
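An added example of the custom question field (written for this page, not the course's snippet). The field is printed inside the login form with `login_form`, and the answer is checked in the `wp_authenticate_user` filter so a wrong answer produces the lesson's error before the password is compared. The question text is an assumed placeholder; the answer `Nepal` follows the lesson but is stored as a `password_hash` output rather than in plain text; `wpsec_` names are assumptions.

```php
<?php
// Added example, not the course's snippet: an extra question on wp-login.php.
// Generate the hash once with  php -r 'echo password_hash("Nepal", PASSWORD_DEFAULT);'
// and paste the output below; the answer itself then never appears in the file.
define('WPSEC_QUESTION', 'Which country is this site managed from?');   // assumed question text
define('WPSEC_ANSWER_HASH', 'REPLACE_WITH_password_hash_OUTPUT');

// Print the field between the password box and the submit button
add_action('login_form', function () {
    ?>
    <p>
        <label for="wpsec_answer"><?php echo esc_html(WPSEC_QUESTION); ?></label>
        <input type="text" name="wpsec_answer" id="wpsec_answer" class="input" size="20"
               autocomplete="off" autocapitalize="off" required>
    </p>
    <?php
});

// Case-sensitive comparison, as in the lesson; only surrounding whitespace is ignored
function wpsec_answer_ok($given) {
    return password_verify(trim($given), WPSEC_ANSWER_HASH);
}

// wp_authenticate_user runs after the user is found and before the password check.
// It is shared with XML-RPC, so the pagenow test keeps this to the login form.
add_filter('wp_authenticate_user', function ($user, $password) {
    if (!isset($GLOBALS['pagenow']) || $GLOBALS['pagenow'] !== 'wp-login.php') {
        return $user;
    }
    $given = isset($_POST['wpsec_answer']) ? (string) wp_unslash($_POST['wpsec_answer']) : '';
    if (!wpsec_answer_ok($given)) {
        return new WP_Error('wpsec_bad_answer', 'Incorrect answer, please try again.');
    }
    return $user;
}, 10, 2);
```

A shared, static answer is a second password that everyone knows, so it stops scripted guessing against `log`/`pwd` alone but not a person who has watched someone log in. Wrong answers go through `wp_login_failed`, so the lockout from lesson 5 applies to them as well.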
11. Check if these files or directories are visible? Disable Directory listing: Greetings everyone. In today's video, we'll quickly learn how you can disable directory listing on a WordPress website. Basically, we will disable this, so it gives a 403 error. Let's get started. If you're using WordPress, please check this on your website. Open the browser and go to your domain name followed by /wp-includes/css. If you see all these files and the directory list, this means directory listing is enabled on your website. Exposing all this information could be a security risk. If you Google "directory listing risk", you can find more information on it. Anyway, now to disable this, we will have to write a simple line in the .htaccess file. To access the .htaccess file, you can either use cPanel, FTP or a plugin. Let's first use cPanel. Let me quickly log into cPanel and enter the credentials. So we are in cPanel. Go to File Manager and locate your website files. Here are all our website files. Here, the .htaccess file is hidden. To see the hidden files, go to Settings, click on Show Hidden Files and save. Now, here is the .htaccess file. Right click and click on Edit. Edit again. Now we need to write a simple line here. Type Options, space, -Indexes. That's about it, and save changes. Let me refresh this. So it now displays 403 Forbidden. This line will disable directory listing.

Now, for those who do not have access to cPanel, we can also do it using the WordPress dashboard. So first, let me delete this and save the changes. I will refresh this, so it is enabled again. Let me close all this and log into the WordPress dashboard at /wp-admin. Enter the credentials, go to Plugins and Add New, and search for File Manager. This is the plugin. Install it and activate the plugin. The plugin has been activated. Click the WP File Manager here. And here, we have all our website files. Find .htaccess here. Right click, and click on Code Editor. And here, you can simply write Options -Indexes. However, please be careful while making changes to .htaccess using this plugin, because if there are any mistakes here, your website will not be accessible, and you will have to use FTP or cPanel to revert the changes. Anyway, let me save this. It is done. Now, if I refresh this, it will show Forbidden. So this is how you can disable directory listing on a website. Thank you very much.
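The lesson checks one directory by hand in a browser. As an added example (not part of the course), here is a small command-line PHP script that performs the same check for several WordPress directories at once and reports whether an index page comes back. Run it as `php check-listing.php https://your-site.example`; the script name, the `wpsec_` names and the directory list are assumptions.

```php
<?php
// Added example, not the course's snippet: report directories that serve an
// auto-generated index. Usage: php check-listing.php https://your-site.example

// Fetch a URL and return [status code, body]; errors are not raised for 403/404
function wpsec_fetch($url) {
    $ctx = stream_context_create(['http' => [
        'method'        => 'GET',
        'timeout'       => 10,
        'ignore_errors' => true,          // keep the body of 403/404 responses
        'user_agent'    => 'wpsec-listing-check/1.0',
    ]]);
    $body   = @file_get_contents($url, false, $ctx);
    $status = 0;
    // $http_response_header is filled by file_get_contents in this scope
    if (isset($http_response_header[0]) && preg_match('#HTTP/\S+\s+(\d{3})#', $http_response_header[0], $m)) {
        $status = (int) $m[1];
    }
    return [$status, (string) $body];
}

// Apache's and nginx's generated index pages both carry an "Index of /..." title
function wpsec_listing_exposed($status, $body) {
    return $status === 200 && stripos($body, '<title>Index of /') !== false;
}

$site  = rtrim($argv[1] ?? 'https://example.com', '/');   // example.com is a placeholder
$paths = ['/wp-includes/css/', '/wp-includes/js/', '/wp-content/uploads/', '/wp-content/plugins/'];

foreach ($paths as $path) {
    [$status, $body] = wpsec_fetch($site . $path);
    printf("%-24s HTTP %3d  %s\n", $path, $status,
        wpsec_listing_exposed($status, $body) ? 'LISTING EXPOSED' : 'ok');
}
```

After adding `Options -Indexes` to .htaccess as the lesson shows, every line should read `HTTP 403 ok`. The `.htaccess` approach only applies to Apache (and LiteSpeed, which honours it); on nginx the equivalent is `autoindex off;` in the server block, which the script verifies the same way.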
12. Disable Json API: Greetings everyone. In today's video, we will quickly learn how you can disable the WP JSON API without using any plugins. So basically, the site's username is exposed. So we will make this page inaccessible. Let's get started. If you own a WordPress website, open your domain and go to /wp-json/wp/v2/users, and press Enter. If you are seeing this, it means your username is exposed. For instance, here is our username and author name. You can also check with v1 or only /wp-json. Anyway, we will disable this as this can be a security risk. To do that, let me log in to /wp-admin and enter the credentials. Here is the exposed username. And write the password. We are in the dashboard. To disable the JSON API, we need to add a simple code to the theme functions. Go to Appearance and Theme File Editor. Go to Theme Functions. Scroll down. We need to add some code here. Here is the code which has been provided. Copy this and paste it here. Update file. The file has been updated. Now let me refresh this. Now this shows a 404 error. Even if I open it in incognito mode, it is not accessible. So please check it on your website and disable it. Thank you very much.
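An added example for this lesson (written for this page, not the course's snippet). The lesson's concern is the username list at /wp-json/wp/v2/users; switching the whole REST API off also breaks the block editor, so this version removes only the users routes for visitors who are not logged in, which yields the 404 (`rest_no_route`) the lesson shows, and keeps an optional switch to require login for the entire API. It also blocks the `?author=N` redirect, a second place usernames leak from. `wpsec_` names are assumptions.

```php
<?php
// Added example, not the course's snippet: close the username leak without
// disabling the REST API for logged-in users (the editor depends on it).
define('WPSEC_REST_LOGIN_REQUIRED', false);   // true = anonymous clients get 401 for every REST route

// 1. Drop the /wp/v2/users routes for anonymous requests -> HTTP 404 rest_no_route
add_filter('rest_endpoints', function ($endpoints) {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// 2. Optional stricter mode: no REST access at all without a login. Only enable it
//    if nothing on the public site (contact forms, themes, mobile apps) calls the API.
add_filter('rest_authentication_errors', function ($result) {
    if ($result === true || is_wp_error($result)) {
        return $result;   // an earlier check already decided
    }
    if (WPSEC_REST_LOGIN_REQUIRED && !is_user_logged_in()) {
        return new WP_Error('wpsec_rest_login_required', 'Authentication required.', ['status' => 401]);
    }
    return $result;
});

// 3. /?author=1 normally redirects to /author/<username>/, revealing the login name.
//    Priority 1 runs before redirect_canonical (priority 10) performs that redirect.
add_action('template_redirect', function () {
    if (isset($_GET['author']) && !is_user_logged_in()) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 1);
```

To confirm the fix, request /wp-json/wp/v2/users in a private window (expect 404), then while logged in (expect the usual list). Usernames also appear in `/?rest_route=/wp/v2/users` on sites without pretty permalinks, which the same `rest_endpoints` filter covers, and in author archive URLs, which this code leaves in place for visitors who already know the slug.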
13. Prevent specific plugin installations on your WordPress: Greetings everyone. In today's video, we will quickly learn how you can prevent plugin installation on your WordPress website. So basically, we will restrict all users from installing a plugin on the website, as it cannot be activated. Let's get started. Now, sometimes it might be very useful to stop plugin installation on your WordPress site, especially when you are using a freelancer, and of course, if you do not want him to install any plugins. Anyway, to do that, log into your WordPress dashboard. I am already logged in. Let's go to Plugins. There are no plugins. Let me install one. I will add a file manager plugin. This plugin provides access to all the WordPress files and folders. Install it and activate it. Here, anyone could activate the plugin like this. To prevent installing any plugins, we need some code. This code will stop everyone from installing any new plugins. The code will check if the plugin is already active or not. If active, it will deactivate it. And if someone tries to activate the plugin, it would not be activated, and it shows this message. And this code can be used to prevent the installation of multiple plugins. Let's first use the code for a single plugin. Copy the code, and go to Appearance and Theme File Editor. And go to Theme Functions. Scroll down and paste the code here. In this code, we need to replace this line with the plugin folder and plugin file name. Now the easiest way to do this is on the Plugins page: right click and go to Inspect. Click here and hover over the plugin. We want this data-plugin attribute. Double click on it. Copy it and replace it here. So it is done. Update file. Let me refresh the plugins page. So you can see the plugin has been deactivated, and if I try to activate it, this message will be displayed, which is this one. Let me delete the plugin. Now let me try to reinstall the plugin as it would normally have been done. If I try to activate it, this error message will be displayed, and the plugin cannot be activated.

Now, this code works for one plugin. Let's try to install another plugin and restrict its activation. I will install this plugin. I will activate it. So now, let's restrict both of these plugins. Let's find the data-plugin name as earlier. Here is the data-plugin. Copy it. This code was for a single plugin. We will use this code now. Replace the plugin details here. Likewise, also get the data-plugin for the file manager. And add it here. Now copy this code and paste it here. However, please only use one code. So I replace the code here. Update file. So it is done. Let me refresh this. So this plugin has been deactivated, and both of these plugins cannot be activated. This is how you can prevent anyone from installing plugins on your website. However, please do not forget to replace the plugin folder and plugin file name here. If you want to restrict more plugins, simply use commas and add more plugins. Anyway, we hope this video was useful to you. Thank you very much.
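An added example of the block-list this lesson builds (written for this page, not the course's snippet), covering the multi-plugin case directly. Each entry is the `folder/main-file.php` slug that the lesson reads from the `data-plugin` attribute in the Plugins list. The two slugs below are sample values and must be checked against `data-plugin` on your own site; `wpsec_` names are assumptions.

```php
<?php
// Added example, not the course's snippet: keep listed plugins deactivated and
// refuse any attempt to activate them.
define('WPSEC_BLOCKED_PLUGINS', [
    'wp-file-manager/file_folder_manager.php',   // sample slug: verify against data-plugin
    'akismet/akismet.php',                       // sample slug: verify against data-plugin
]);
define('WPSEC_BLOCKED_MESSAGE', 'This plugin is not allowed on this site and cannot be activated.');

// 1. Anything on the list that is active (e.g. uploaded by FTP and activated
//    before this code existed) is switched off on the next admin page load
add_action('admin_init', function () {
    foreach (WPSEC_BLOCKED_PLUGINS as $plugin) {
        if (is_plugin_active($plugin)) {
            deactivate_plugins($plugin);
        }
    }
});

// 2. activate_plugin fires inside activate_plugin() before the plugin's own
//    activation hook runs; stopping here means it never becomes active, and
//    bulk activation goes through the same function plugin by plugin
add_action('activate_plugin', function ($plugin) {
    if (in_array($plugin, WPSEC_BLOCKED_PLUGINS, true)) {
        wp_die(esc_html(WPSEC_BLOCKED_MESSAGE), 'Plugin blocked', ['back_link' => true, 'response' => 403]);
    }
});

// 3. Replace the Activate link with a label so the rule is visible in the list
add_filter('plugin_action_links', function ($actions, $plugin_file) {
    if (in_array($plugin_file, WPSEC_BLOCKED_PLUGINS, true)) {
        unset($actions['activate']);
        $actions['wpsec_blocked'] = '<span style="color:#b32d2e">Blocked</span>';
    }
    return $actions;
}, 10, 2);
```

Two limits worth knowing: the code lives in the active theme's functions.php, so an administrator can remove the rule by editing that file or switching themes, and WP-CLI's `plugin activate` runs the same `activate_plugin` hook (so it is blocked) while code that writes the `active_plugins` option directly is only caught by step 1 on the next admin load. To take the capability away from a contractor entirely, give them a role without `install_plugins` and `activate_plugins` rather than relying on this list alone.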
14. Get Email Notification on wp Login - No codes: Greetings everyone. In today's video, we'll quickly learn how you can get notified when someone accesses your WordPress dashboard. The specified e-mail address will get a notification, something like this. Let's get started. So to get notified when someone accesses your WordPress dashboard, we will use some custom code. We will not be using any plugins. So here is the code we are going to use. Here, you can add any e-mail address. The wp-admin access notification will be sent here. However, we recommend using an e-mail from the same domain rather than Gmail or Hotmail. If you do not receive any e-mail, please talk to your host. Anyway, this will be the subject line of the e-mail. You can change it if you want. This will be the message. You can use any custom message, the IP details from where it was accessed, the country name, and the time and date as per your WordPress settings. So this is one code we need to use, and this code here will grab the IP address and country name. So we will use this code. To do that, we need to log into WordPress. I'm already logged into WordPress. Go to Appearance and Theme File Editor, and go to Theme Functions. Scroll down, and we will be adding our code here. Copy the code and paste it here. I will change the e-mail ID to which the notification will be sent. I will use the same parent domain e-mail. It is done. Update file. So it's updated. I'm actually logged into the e-mail. Let me refresh it. So there are no e-mails. Now let me log out from WordPress and again try to log in. So I am logging in with the username demo. I'm in the dashboard. Let me quickly check the e-mail, refreshing the e-mail. So I have received an e-mail. Here is the subject: demo user has logged into the WordPress dashboard. And this was the IP, country name and the date and time when it was logged in. So this is how you get a notification when someone accesses your WordPress dashboard. Thank you very much.
15. Get an Email on plugin activation or deactivation: Greetings everyone. In today's video, we will quickly learn how you can get notified when a WordPress plugin is activated or deactivated. So we will use some simple code to get notified about the plugins, and this can be very useful if you are using a freelancer. Anyway, so we are in the dashboard, and since we are only using code, go to Appearance and Theme File Editor. Go to Theme Functions, scroll down, and we will add some code here. If you do not want to use the theme functions, you can as well create your own plugin or use mu-plugins. Anyway, here is the code we will use. You need to change this e-mail ID. So the notification will come here. We recommend using the same domain e-mail. This is the subject: the plugin name and "is activated" or "is deactivated". And this is the message notifying of plugin activation or deactivation. Now copy the code, paste it here, and update file. The file has been updated. Let's test it. Go to Plugins, Add New. Let's randomly install a plugin. Activated. So the plugin is activated. This is the e-mail we used. Here is a notification which tells us if the plugin is activated or deactivated. Let's try deactivating the plugin. So again, we get a notification: the plugin is deactivated. So this is how you can get notified if any plugin is activated or deactivated on a website. Thank you very much.
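Lessons 14 and 15 both send a `wp_mail` notification, so one added example serves both (written for this page, not the course's snippets): a shared mail helper, the `wp_login` hook for dashboard logins, and the `activated_plugin` / `deactivated_plugin` hooks for plugins. The recipient address is a placeholder and the `wpsec_` names are assumptions. WordPress has no country lookup of its own, so the country line is filled through a filter and reads "unknown" until you attach a lookup to it.

```php
<?php
// Added example for lessons 14 and 15, not the course's snippets: e-mail on
// dashboard login and on plugin activation/deactivation.
define('WPSEC_NOTIFY_TO', 'security@example.com');   // placeholder; use a mailbox on the site's own domain

function wpsec_client_ip() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

// Hook for whatever geolocation you use (CDN header, local database):
//   add_filter('wpsec_ip_country', function ($country, $ip) { ... }, 10, 2);
function wpsec_client_country($ip) {
    return (string) apply_filters('wpsec_ip_country', '', $ip);
}

// Subject is prefixed with the site host; the time follows the WordPress timezone setting
function wpsec_notify($subject, array $lines) {
    $host    = wp_parse_url(home_url(), PHP_URL_HOST);
    $lines[] = 'Time: ' . current_time('mysql');
    $lines[] = 'Site: ' . home_url('/');
    return wp_mail(WPSEC_NOTIFY_TO, '[' . $host . '] ' . $subject, implode("\n", $lines));
}

// Lesson 14: wp_login fires once the authentication cookie has been set
add_action('wp_login', function ($user_login, $user) {
    $ip = wpsec_client_ip();
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? sanitize_text_field(wp_unslash($_SERVER['HTTP_USER_AGENT'])) : 'unknown';
    wpsec_notify($user_login . ' user has logged into the WordPress dashboard', [
        'User: ' . $user_login . ' (roles: ' . implode(', ', $user->roles) . ')',
        'IP: ' . $ip,
        'Country: ' . (wpsec_client_country($ip) !== '' ? wpsec_client_country($ip) : 'unknown'),
        'Browser: ' . $ua,
    ]);
}, 10, 2);

// Lesson 15: $plugin is the "folder/file.php" slug; resolve it to the display name
function wpsec_plugin_name($plugin) {
    if (!function_exists('get_plugin_data')) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data(WP_PLUGIN_DIR . '/' . $plugin, false, false);
    return $data['Name'] !== '' ? $data['Name'] : $plugin;
}

function wpsec_plugin_event($plugin, $event) {
    $who = wp_get_current_user()->user_login;
    wpsec_notify(wpsec_plugin_name($plugin) . ' is ' . $event, [
        'Plugin: ' . wpsec_plugin_name($plugin) . ' (' . $plugin . ')',
        'Action: ' . $event,
        'By user: ' . ($who !== '' ? $who : 'unknown (CLI or automated)'),
        'From IP: ' . wpsec_client_ip(),
    ]);
}

add_action('activated_plugin', function ($plugin) { wpsec_plugin_event($plugin, 'activated'); });
add_action('deactivated_plugin', function ($plugin) { wpsec_plugin_event($plugin, 'deactivated'); });
```

Deliverability is the usual failure: `wp_mail` hands the message to the host's PHP mail setup, and a sender on a different domain than the site is often rejected, which is the reason behind the lesson's advice to use a same-domain address. If nothing arrives, the host's mail log is the place to look, as the lesson says.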
16. These popular sites use WordPress: Greetings everyone. Today, we will share some popular websites that are built using WordPress, and trust us, there are millions more. So the first one is Sony Music. Let's go to /wp-admin. So you can see. Popular artist Katy Perry: you can see it's WordPress too. Even Microsoft News is using WordPress. Go to /login, and this is the WordPress interface. Bloomberg Professional is also using WordPress. It's probably protected. You can see wp-login. The popular TED blog is also made on WordPress. It's made with wordpress.com. The Flickr blog is also built on WordPress. It also seems to use wordpress.com. Yelp's blog is also using WordPress, as you can see here. The popular Ts is also using wordpress.com. TechCrunch is also made with WordPress, and Howard is also using WordPress. So there are many popular sites with millions of views using WordPress, just to show that WordPress is a great platform and probably isn't dying anytime soon. Happy building your website. Thank you very much.