10 Tips to Secure WordPress

Share this article

Keeping WordPress secure is important in order to ensure that your site isn’t compromised. Uptime is maximized, your data is safe, and your site runs as quickly and reliably as possible.


Today we’ll look at 10 ways to help improve and maintain your WordPress site’s security, starting with the simplest and working through to some more advanced tips to help you secure WordPress.

User Security

A key area that attackers will attempt to access is the WordPress administration interface. If a malicious user is able to login as an admin, they’ll be free to do whatever they like to your site.

Some will attempt to login using a brute force attack, by setting up a botnet (many computers which the attacker controls) to repetitively attempting to login to your site, using different username and password combinations.

Here are some changes that you can make to help secure the WordPress admin interface:

1. Use a Unique, Secure Username and Password

Avoid using the default admin username. While you’re able to choose your own username when setting up a new WordPress site, if you’re on an older installation (which you should really upgrade – we’ll cover that later), or you’ve already set your username to admin, you can use a WordPress Plugin such as Username Changer to change your username to something more secure. You can also create a new user with admin rights and remove the old ‘admin’ username.

Try to avoid common usernames such as administrator, your website’s name or your name.

For passwords, it’s important to choose a complex password comprised of letters, numbers and characters. Don’t choose a password that’s similar to your username, website name or a simple word with a few changes. Avoid dictionary words, and preferably use a random string of characters. A good password management tool will help you securely generate, store and use these complex passwords.

Alternatively, an easy way to remember a password, whilst maintaining sufficient complexity, is to use a phonetic password generator (such as this one).

2. Use Two-factor Authentication

Two-factor authentication (known as 2FA, or sometimes 2-step verification) requires a user to login with not just their username and password, but also a unique code that’s generated for one-time-use and sent to a device (typically a smartphone) via SMS or an iOS/Android app.

We’ve covered how to setup 2FA in our Google Authenticator tutorial.

3. Verify the User Is Human

reCAPTCHA forms, which ask the user to input what they see in an image as text, are a useful way to stop botnets from attempting to brute force login to your WordPress site. Botnets typically can’t automate this part of the login process, therefore it helps prevent them from accessing your site.

We’ve covered how to implement ‘No CAPTCHA reCAPTCHA’ as part of your WordPress login process here.

4. Password Protecting wp-login.php

If you’re a more advanced WordPress user or developer, and you’re comfortable with some server-side changes, you can require a server-side login before the WordPress login screen is displayed.

This provides another layer of security, and we’ve covered how you can do this in our Preventing Brute Force attacks against WordPress websites article.

Code Security

Whether you’re developing your own theme or plugin for your site, or using something from a third-party, it’s important that the code used is secure, and doesn’t open the door to potential attacks.

Insecure code, and not following best practices, may result in attackers being able to gain control of some or all of your WordPress site.

There are a few ways we can help ensure code integrity and security:

5. Keep WordPress Updated

Since WordPress 3.7, minor releases – which cover security and maintenance – are automatically applies. However, you can also extend this to automatically install major WordPress releases, by adding the following to your site’s wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

Whilst this may seem like a good idea, it may result in incompatibility between the newly installed version of WordPress and your existing themes and/or plugins. It’s always a good idea to maintain a testing environment for this sort of thing.

There are third party tools which can connect to your WordPress website and let you manage all of your WordPress installations from a single, unified interface. Best of all, you can perform one-click installs of WordPress, theme and plugin updates:

For further reading, we’ve published articles on how to keep your WordPress website up to date:

6. Choose Your Theme and Plugins Wisely

It’s important to choose themes and plugins that are actively maintained and regularly updated. Whilst this isn’t a guarantee of security, it should mean that if there are security vulnerabilities found in a theme or plugin, it’ll be addressed and updated quickly.

Also check the detailed descriptions of plugins, as some will be audited by third parties (such as Sucuri) for security, which can help give you peace of mind.

7. Developing Themes and Plugins

Whether you’re new to WordPress development, or have been working with WordPress for some time developing themes and/or plugins, it’s important to follow key WordPress security best practices.

From sanitizing data, using nonces and adhering to WordPress Roles and Capabilities, it’s important to keep up-to-date with WordPress development best practices:

Hosting Security

With your WordPress installation more secure due to improving user authentication and the quality of our code, it’s also important to ensure you have well supported, secure, hosting.

8. Use Managed Hosting

There are several companies now offering Managed WordPress hosting, such as WP Engine, SiteGround and Media Temple. Whilst you’ll typically pay a premium over more traditional shared or unmanaged hosting, a managed host will help keep your site secure.

For example, WP Engine will automatically update WordPress and key plugins, if there are known security vulnerabilities, as well as disable plugins known to cause performance and security issues. As with most managed WordPress hosts, they provide hardware based firewalls and configuration to ensure that Distributed Denial of Service (DDoS) attacks don’t bring your site down.

Some users might find this approach intrusive, it does provide peace of mind and expertise to ensure your WordPress website remains functioning.

9. Ensure File and Folder Permissions Are Correct

If you’re not using a managed web host, it’s important to ensure that WordPress files and folders have the correct ownership and permissions. Not only does this allow WordPress to keep itself updated, it also prevents attackers from exploiting poor file security and taking control of your site.

As a basic guide, WordPress folders should always have 0755 permissions, and WordPress files should always have 0644 permissions – although this can vary from host to host.

If you’re getting errors when attempting to install plugins, or upload new media, don’t be tempted to set any folder permissions to 0777. Instead, work with your web host to ensure that PHP is run with the correct user, and that the folders are owned by the same user.

If you’ve got shell access, you can run a few commands to ensure WordPress is secure:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

If you know the user and group that should have ownership of the WordPress files and folders, use:

sudo chown -R username:group /path/to/your/wordpress/install

10. Server Side Hardening

For advanced users managing their own web hosting, you can also:

  • Ensure your database user has access to SELECT, INSERT, UPDATE and DELETE privileges only
  • Use strong database usernames and passwords
  • Disallow server-side file editing within WordPress, by adding define('DISALLOW_FILE_EDIT', true); to your wp-config.php file

Some web hosts will be able to perform some of these actions for you – it’s always worth asking.

For more information on WordPress and server hardening, check out the WordPress Codex documentation on Hardening WordPress.


In this article we’ve covered 10 tips for securing your WordPress website, ranging from basic user authentication through to coding practices and hosting setup. For more advanced users, we’ve touched on some of the advanced hardening techniques that can be used to ensure WordPress is as secure as possible.

Another option which is worth considering is the use of a security plugin such as WordFence or BulletProof Security. There are many to choose from, and they all have their advantages and disadvantages, so it’s best to do some research to find one which best suits your requirements. We’ve covered some of the more advanced options of security plugins here.

And, it always pays to remember that while prevention is better than cure, it only takes one small mistake to result in loss of data through a hacked WordPress installation. Therefore it’s vital to install a WordPress backup service, such as VaultPress and BackupBuddy, so that your website can be restored easily in case of attack or error. We cover the topic of backups, plus plenty more, in our Definitive Guide to WordPress Maintenance.

Tim CarrTim Carr
View Author

Tim is a WordPress Developer who builds WordPress web sites, themes and plugins. He runs n7 Studios, providing WordPress development, consultancy & training, and WP Zinc, providing free and premium WordPress Plugins.

ChrisBsecure wordpresssecurityWordPressWordPress Security
Share this article
Read Next
Get the freshest news and resources for developers, designers and digital creators in your inbox each week