40 Ways to Keep Your WordPress Site Secure

By Adrian Try
We teamed up with SiteGround
To bring you the latest from the web and tried-and-true hosting, recommended for designers and developers. SitePoint Readers Get Up To 65% OFF Now

This article is part of a series created in partnership with SiteGround. Thank you for supporting the partners who make SitePoint possible.

Hackers. Vulnerabilities. Brute-force. Malware. Denial of service. Man-in-the-middle. Phishing. All scary words. We live in a dangerous online world!

Has your site been hacked? I have, and we’re not alone. In 2012 more than 70% of WordPress sites were vulnerable to attack, and not much has changed since. What have you done to protect your site?

In this article we’ve pulled together security tips from previous SitePoint articles, our own experience, and from around the web, and organized them in a way I hope you find useful and understandable. And most importantly, easy to act on.

All-in-one WordPress security plugins are useful (and we’ll be covering them in our next article), but security requires more than just installing a plugin and walking away. It requires a careful strategy and constant vigilance. Be proactive, not reactive. In other words, don’t assume your site is safe—work out a security plan before you are hacked!

That being said, there is no such thing as 100% security. What you can achieve is risk reduction, and find the balance (for you) between security and convenience.

“Security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. What security is though is risk reduction, not risk elimination. It’s about employing all the appropriate controls available to you, within reason, that allow you to improve your overall posture reducing the odds of making yourself a target, subsequently getting hacked.” — codex.wordpress.org

Where should you focus your attention? In an article last year, WP White Security reported the following statistics about hacked websites:

  • 41% were hacked through a security vulnerability on their hosting platform
  • 29% were hacked via a security issue in the WordPress Theme they were using
  • 22% were hacked via a security issue in the WordPress Plugins they were using
  • 8% were hacked because they had a weak password

That’s where the holes are in your defence. Keep that in mind while you’re creating your security strategy.

OK. With all that in mind, here are 40 ways you can keep your WordPress site secure. Choose the ones that make sense for you and your site.

Secure WordPress

1. Keep WordPress Up to Date

The latest version of WordPress is most likely more secure than the previous one and has fewer known vulnerabilities. So keep it up to date—it’s a one-click operation. Make sure you back up your site first!

WordPress updates rarely cause problems, but if you like to be careful, update it on a test server first. Or, if you’d just like WordPress to auto-update itself, apply the following code to your wp-config.php file:

#Enable all core updates, including minor and major:
define ( 'WP_AUTO_UPDATE_CORE', true );

If you don’t want to manually update your WordPress, consider a hosting provider like our partner SiteGround, which has a special auto-update tool available on all plans.

2. Back Up Your Site Regularly

Make sure you make regular backups of your WordPress site. A backup of WordPress data and files can play a crucial role in an emergency. If all else fails, you won’t have to start from scratch!

Schedule your backups so you won’t forget them, and do a test restore from time to time.

Further reading:

3. Enable SSL for WordPress Data Security

Enable SSL to secure your WordPress site. A Secure Sockets Layer encrypts all information sent to and from your site, keeping it private and preventing man-in-the-middle attacks where a third party listens in or modifies the communication between the client and the server. As a bonus it can also boost your Google PageRank.

The address of a site with an SSL certificate will start with https://, while a site without one will begin with http://. It’s best to activate HTTPS before installing WordPress, but it’s possible to update your WordPress settings if you add it later. Hosting providers like SiteGround offer free SSL certificates.

Further reading:

4. Secure wp-config.php

Lock down wp-config.php—it’s one single location that contains a wealth of critical data regarding your database, username, and password. Only you should have access.

To deny access to this file, you should add the code below at the top of the .htaccess file:

<files wp-config.php>
    order allow,deny
    deny from all
</files>

5. Move wp-config.php

Move the wp-config.php file into the folder above your WordPress installation (WordPress looks for it there automatically). This will make it inaccessible to anyone using a browser, meaning a cracker has less chance of locating it.

Further reading:

6. Hide the WordPress Version Number

Some versions of WordPress have known vulnerabilities. Someone familiar with those vulnerabilities can discover which version you’re using because it’s shown in the HTML head of every page.

Remove that information by adding the following line to your theme’s functions.php file:

remove_action('wp_head', 'wp_generator');

You should also remove the readme.html file, which also contains the WordPress version number.

7. Remove WordPress References from Your Theme

Someone will only try to hack WordPress if they know you’re using it. So keep it a secret! Remove all references to WordPress from your theme files.

Find and delete the references from the header.php that look like this:

<meta name="generator" content="WordPress" />

8. Disable PHP Error Reporting

Hackers can use error messages to their advantage. For example, an error from a theme or plugin might display your server path.

To disable error reporting, add the following code to your wp-config.php file:

error_reporting (0);
@ini_set ('display_errors', 0);

9. Change the Default Secret Keys

When you install WordPress, four secret keys are written to your wp-config.php file. They improve encryption of information stored in the user’s cookies and make it harder to crack your password.

Use WordPress’ Secret Code Generator to get some new keys, and copy them into your wp-config.php file.

Secure Your Themes and Plugins

51% of hacked sites were compromised through security issues in themes and plugins. Give special consideration to this section!

10. Keep Your Themes and Plugins Up to Date

Don’t just update WordPress: make sure your themes and plugins are also up to date. Each one is a potential back door to your site, and each new version is likely to have fewer vulnerabilities.

11. Choose Themes and Plugins that are Actively Maintained and Regularly Updated

If there are security vulnerabilities found in a theme or plugin, you’d like it addressed as quickly as possible. That won’t happen with a theme or plugin that’s no longer maintained. Whenever possible, make sure the themes and plugins you use are actively maintained.

Further reading:

12. Delete Themes and Plugins You Don’t Use

If every theme and plugin is a potential back door, reduce the risk as much as possible. If you’re not using it, remove it. Deactivating plugins isn’t enough—click “Delete”!

13. Restrict Access to Your Plugins Directory

Restrict access to your WordPress plugins directory: www.your-domain.com/wp-content/plugins/. Otherwise, someone browsing the folder can see which plugins you’re using and explore them for potential vulnerabilities.

Deny access by uploading a blank index.html file to the directory. Alternatively, add the following line at the start of the .htaccess file in your root folder (note that it is a plain hyphen, not a dash):

Options -Indexes

14. Eliminate the Plugin and Theme Editor

There’s a built-in plugin and theme editor on the WordPress dashboard. This editor can be used to bring down your entire site if one of your user accounts is hacked.

If you don’t regularly use the editor, it’s best to disable it. Insert the following into your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Secure Your Logins

8% of hacked sites were compromised through weak passwords. Here are some techniques to improve the security of your login procedures.

15. Change the Admin Username

Avoid using the default admin username, or obvious names like ‘administrator’, the name of your site, or your own name. They’re too easy to guess, and a hacked admin account is more dangerous than an author account.

Choose an appropriate admin username when you’re setting up WordPress. If your site is already using “admin”, create a new admin user and then delete the old one, or alternatively use a plugin like Username Changer.

16. Use a Secure Password

Choose a complex password comprised of letters, numbers and symbols. Here are some hints:

  • Don’t choose a password that’s similar to your username.
  • Don’t choose a password that’s similar to your website name.
  • Don’t choose a password that’s a common word with a few simple changes.
  • Avoid dictionary words.
  • Consider using a random string of characters.
  • Consider using a good password management tool to securely generate and store complex passwords.

Here are some tools that can generate a secure password for you:

Finally, make sure you don’t use the same password as you use elsewhere. All passwords should be unique.

17. Force All Users to Have Strong Passwords

It’s no good if you use a strong password, but the rest of the team aren’t so diligent. You don’t want any weak links in the chain.

You can ensure everyone uses a strong password by using a plugin like Force Strong Passwords.
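The password hints in #16 and the “force everyone” idea in #17 can also be expressed as a small must-use plugin. The following is an added example written for this article, not code from the original page or from the Force Strong Passwords plugin. The `mpp_` prefix, the `MPP_MIN_LENGTH` constant and the banned-word list are constructed for illustration; it assumes the standard wp-admin profile and add-user forms, which submit the new password as `$_POST['pass1']` and run the `user_profile_update_errors` action.

```php
<?php
/*
 * Plugin Name: Minimum password policy (illustrative example, not the page's code)
 * Drop into wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

const MPP_MIN_LENGTH = 12;  // constructed policy value; adjust to your own policy

// A tiny constructed list of passwords that must never be accepted.
// A real deployment would use a large breached-password list instead.
const MPP_BANNED = array( 'password', 'wordpress', 'letmein', 'qwerty123' );

// Return a human-readable problem with $password, or null when it passes.
// Implements the hints from #16: not too short, not the username, not the
// site name, not a banned word, and not made purely of letters.
function mpp_password_problem( $password, $username, $site_name ) {
    $lower = strtolower( $password );

    if ( strlen( $password ) < MPP_MIN_LENGTH ) {
        return 'Password must be at least ' . MPP_MIN_LENGTH . ' characters.';
    }
    if ( $username !== '' && false !== strpos( $lower, strtolower( $username ) ) ) {
        return 'Password must not contain your username.';
    }
    // Compare against the site name with whitespace removed ("My Blog" -> "myblog").
    $site = strtolower( preg_replace( '/\s+/', '', $site_name ) );
    if ( strlen( $site ) >= 4 && false !== strpos( $lower, $site ) ) {
        return 'Password must not contain the site name.';
    }
    foreach ( MPP_BANNED as $banned ) {
        if ( false !== strpos( $lower, $banned ) ) {
            return 'Password contains a commonly guessed word.';
        }
    }
    if ( preg_match( '/^[a-z]+$/i', $password ) ) {
        return 'Password must include digits or symbols, not only letters.';
    }
    return null;
}

// Reject weak passwords on the profile and add-user screens. $errors is the
// WP_Error object WordPress displays; adding to it aborts the save.
function mpp_validate_profile( $errors, $update, $user ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // the password is not being changed in this request
    }
    $password = wp_unslash( $_POST['pass1'] );
    $username = isset( $user->user_login ) ? $user->user_login : '';
    $problem  = mpp_password_problem( $password, $username, get_bloginfo( 'name' ) );
    if ( $problem !== null ) {
        $errors->add( 'weak_password', $problem );
    }
}
add_action( 'user_profile_update_errors', 'mpp_validate_profile', 10, 3 );
```

Because `mpp_password_problem()` has no WordPress dependencies, it can be unit-tested on its own: for example `mpp_password_problem('MyBlog-2024-xyz', 'editor', 'My Blog')` returns the site-name message, while `mpp_password_problem('g7#Qp!2zLm9v', 'editor', 'My Blog')` returns null.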

18. Change Your Password Regularly

The longer you use the same password, the more time you give hackers to crack it. Shorten the window of opportunity!

Change your password at least a few times a year. And encourage your other users to do the same.

19. Use 2-Factor Authentication (2FA)

Two-factor authentication (2FA) increases security when logging in by requiring a unique code in addition to a username and password. The code is generated for one-time use by an app, or sent to your smartphone via SMS.

Further reading:

20. Limit Login Attempts

Give hackers less opportunity to guess your password, and protect your site from brute-force attacks, by limiting the number of login attempts that are possible. This will automatically block the login screen after a configurable number of tries, and informs the administrator by email.

You can limit login attempts by using one of these plugins:
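For readers who prefer to see what such a plugin does under the hood, here is an added example of a minimal login-attempt limiter as a must-use plugin. It is not code from the original page or from any of the plugins the article recommends; the `sll_` prefix, the `SLL_MAX_ATTEMPTS` and `SLL_WINDOW` values and the notification wording are constructed for illustration. It assumes a single-server site where transients are stored in the options table (or your object cache) and that `REMOTE_ADDR` holds the real client address, which is only true when no reverse proxy sits in front of the web server.

```php
<?php
/*
 * Plugin Name: Simple login attempt limiter (illustrative example, not the page's code)
 * Drop into wp-content/mu-plugins/.
 */

const SLL_MAX_ATTEMPTS = 5;        // constructed: failures allowed per window
const SLL_WINDOW       = 15 * 60;  // constructed: counting/lockout window in seconds

// Key the counter on username + client IP so one attacker cannot lock out
// every user and one user's typos do not lock out a whole office.
function sll_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_' . md5( strtolower( $username ) . '|' . $ip );
}

// Count a failed attempt; the transient (and so the lockout) expires after the window.
function sll_record_failure( $username ) {
    $key   = sll_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, SLL_WINDOW );

    if ( $count === SLL_MAX_ATTEMPTS ) {
        // Tell the administrator once, at the moment the limit is reached.
        wp_mail(
            get_option( 'admin_email' ),
            'Login locked out',
            "Too many failed login attempts for user '$username' from " . sll_client_ip() . '.'
        );
    }
}
add_action( 'wp_login_failed', 'sll_record_failure' );

function sll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

// Refuse authentication while locked out. Priority 30 runs after core's
// username/password check (priority 20), so a correct password cannot
// override the lockout; an earlier priority would be overwritten by core.
function sll_check_lockout( $user, $username, $password ) {
    if ( $username === '' ) {
        return $user; // cookie-based authentication, nothing to rate-limit here
    }
    if ( (int) get_transient( sll_key( $username ) ) >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_check_lockout', 30, 3 );

// A successful login clears the counter for that username/IP pair.
function sll_clear_on_login( $user_login ) {
    delete_transient( sll_key( $user_login ) );
}
add_action( 'wp_login', 'sll_clear_on_login' );
```

Note that a request refused by `sll_check_lockout()` also fires `wp_login_failed`, so every attempt made during a lockout extends it; that is the intended behaviour for a brute-force guesser, but it is worth knowing when you are debugging a locked-out colleague.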

21. Use CAPTCHA or reCAPTCHA on Your Login Screen

In addition to a username and password, use CAPTCHA or reCAPTCHA on your login screen. The user is asked to input what they see in an image as text, which is a useful way to stop botnets from attempting to log in by brute force.

Further reading:

22. Add A Security Question to Your Login Screen

Adding a security question to your WordPress login screen makes it harder for someone to gain unauthorized access. You can do this by installing the WP Security Questions plugin.

23. Automatically Log Out Idle Users

Users can sometimes wander away from the screen while they are logged in, posing a security risk: someone could hijack their session, change their password, or make changes to their account.

You can automatically log inactive users out with the Idle User Logout plugin.

24. Assign Users the Lowest Role Possible

Users are the weakest point of any system. That weak point is most dangerous when they have administrator privileges.

Few actually need administrative access. WordPress offers a range of alternate roles to choose from:

  • Editor: someone who can publish and manage their own and other people’s posts
  • Author: someone who can publish and manage their own posts
  • Contributor: someone who can write and manage their own posts but cannot publish them

25. Use Forced SSL for Logins

Forced SSL is a relatively simple change which can make a huge difference. Even if you don’t encrypt your entire website, ensure your users have a secure login page. You’ll need an up-to-date SSL certificate to ensure this.

26. Remove Error Messages from Your Login Page

With every failed login attempt, error messages on your login page can give hackers clues (for example, whether the username exists). Remove them by adding the following line of code to your theme’s functions.php file (a closure is used here because create_function() has been removed from PHP 8):

add_filter('login_errors', function () { return null; });

27. Change Your WordPress Login URL

Knowing that the WordPress admin URL is wp-admin, any hacker can easily get started with a brute-force attack. Reduce the risk by changing that URL so hackers won’t be able to find it.

WPS Hide Login is the simplest plugin for achieving that.

28. Hide Author Usernames

To log in to WordPress you need a username and a password. By default, WordPress makes it easy to discover your authors’ usernames. According to DreamHost, it’s a good idea to hide the author’s username to ensure you aren’t making the hacker’s job easier.

To do that, copy and paste the following into your functions.php file:

add_action('template_redirect', 'bwp_template_redirect');

// Send requests for author archive pages (which expose usernames) to the home page.
function bwp_template_redirect() {
    if (is_author()) {
        wp_redirect(home_url());
        exit;
    }
}

29. Password Protect wp-login.php

This one’s for advanced users. You can provide another layer of security by requiring a server-side login before the WordPress login screen is displayed.

Learn more here:

30. Protect the wp-admin Directory

If only you (or your authors, but not members or readers) need to log in, then restrict access to your /wp-admin/ folder or wp-login.php file.

If you only log in from your home computer, restrict the login screen to only that computer. Grab your home IP address (using whatismyip.com or similar) and add these lines to the .htaccess file in your WordPress admin folder (replacing xx.xxx.xxx.xxx with your IP address):

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx
</Files>

To allow access to multiple computers (office/home/laptop or user1/user2/user3), add another Allow from xx.xxx.xxx.xxx statement on a new line.

31. Disable XML-RPC

XML-RPC allows users to connect to WordPress remotely via blogging clients, and is used for trackbacks and pingbacks. It has been enabled by default since WordPress 3.5.

Unfortunately, hackers can use it for DDoS attacks, so if you don’t use those features, consider disabling XML-RPC.

This can be done with one of the following plugins:
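If you would rather not add a plugin for this, the same result can be reached with a few lines of your own. The following is an added example, not code from the original page or from any XML-RPC plugin; the `dxr_` prefix is constructed for illustration. It uses WordPress’s own `xmlrpc_enabled`, `xmlrpc_methods` and `wp_headers` filters, and goes one step further than simply switching the endpoint off: `xmlrpc_enabled` only refuses methods that require a login, so the unauthenticated pingback method (the one abused for the DDoS traffic the article mentions) is removed separately.

```php
<?php
/*
 * Plugin Name: Disable XML-RPC (illustrative example, not the page's code)
 * Drop into wp-content/mu-plugins/.
 */

// Refuse every XML-RPC method that needs authentication. This closes the
// system.multicall password-guessing route; the endpoint still answers.
add_filter( 'xmlrpc_enabled', '__return_false' );

// pingback.ping does not authenticate, so xmlrpc_enabled does not stop it.
// Remove the pingback methods from the method table so the server reports
// them as unknown instead of fetching attacker-chosen URLs.
function dxr_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'dxr_remove_pingback_methods' );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD <link> tag that points clients at xmlrpc.php.
function dxr_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'dxr_remove_pingback_header' );
remove_action( 'wp_head', 'rsd_link' );
```

To verify the change, request xmlrpc.php and confirm the `X-Pingback` header is gone; a call to `pingback.ping` should now come back as an unknown-method fault rather than an outbound fetch from your server. If you also want the endpoint to return a 403 before PHP runs, deny xmlrpc.php in .htaccess the same way the article denies wp-config.php in #4.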

Secure Your WordPress Database & Files

32. Use Strong MySQL Database Names

Avoid naming your database “wordpress” with a user ID of “user” and a password of “password.” You only set the database up once, so make them as complex as you like. If you forget them, you can check the details in wp-config.php.

33. Set Strong Passwords for Your Database

Use a strong password for WordPress to access the database. See our password hints in #16 above.

34. Change the WordPress Database Table Prefix

When you install WordPress, tables use the prefix wp_ by default. Knowing this, hackers with automated tools can work out your database structure. Change the prefix so that it becomes more difficult to run SQL injection queries and other attacks.

35. Use SFTP to Connect to Your Server

Use an SFTP (Secure FTP) connection when connecting to your server. This ensures the communication between your machine and the server is protected. Most hosts, like SiteGround, offer SFTP.

Further reading:

36. Restrict File Permissions

Protect the security of your site by setting your file permissions to the bare minimum:

  • Set the CHMOD value to 755 for folders. Only the owner will have write permissions, and others will have read and execute permissions.
  • Set the CHMOD value to 644 for files. Owners have the read and write permissions, and others can only read the files.

37. Monitor for Malware

If a breach does happen, you don’t want to be unknowingly serving malware to your visitors. You need a solution in place that will scan regularly for infected files.

There are several server-side scanning solutions, including Sucuri. Some hosting providers, like SiteGround, have it set up out of the box.

Choose a Secure Hosting Provider

41% of hacked sites were compromised through security vulnerabilities on the hosting platform. So take special care when choosing or changing your hosting provider.

38. Choose the Best Hosting Plan You Can Afford

Your WordPress site is only as secure as your hosting account. If it’s running an old, vulnerable version of PHP, it won’t matter what you do to secure WordPress.

It’s essential that you choose a hosting provider that prioritises security. Some of the features that you should look for are:

  • Support for the latest PHP and MySQL versions
  • Account isolation
  • Web Application Firewall
  • Intrusion detection system
  • Proactive updates and patches
  • Fast server monitoring
  • Daily backups

SiteGround, our preferred hosting provider, provides all of that and more.

Further Reading:

39. Take Advantage of Your Hosting Provider’s Security Solutions

Several companies now offer secure, managed WordPress hosting with excellent security solutions, such as WP Engine, SiteGround and Media Temple. They spend time, effort and expertise configuring their tools for maximum effectiveness.

For example, WP Engine will automatically update WordPress and key plugins, and disable plugins known to cause performance and security issues. They provide hardware based firewalls and configuration to ensure that Distributed Denial of Service (DDoS) attacks don’t bring your site down.

SiteGround provides automatic updates for the WordPress core and plugins, efficient chroot account isolation for all accounts on shared servers, and sophisticated systems that block malicious bots and attackers.

Security Plugins

40. Install good security plugins

The WordPress site has a collection of security plugins with useful descriptions and reviews from users. In our next article we’ll cover the best of these. Stay tuned!

  • Great Tips to secure the WordPress Website. I will Definitely try on our website.

  • Great article, thanks! :)

  • As for #7, they will reach you by searching “inurl:wp-content”. Usually using the name of a vulnerable plugin as well.

    • kerell78us

      Thank you…I was about to make the point that #7 is moot. The fact that you can just view the page source and see “wp-content”. It’s one of the reasons I’ve never liked using WordPress; as is their need to prefix the core site files with “wp-“. However, after some research I’ve discovered it’s possible to rename the “wp-content” folder and tell WP the name of the new folder via the “wp-config” file using PHP Constants. I’m extremely happy about that and will now add WP to my repertoire.

      Thanks Sitepoint for this very informative article.

      • “It’s one of the reasons I’ve never liked using WordPress”

        Right?! The way WordPress “namespace”s things is way too outdated.
        And I’ll look into changing wp-content as well. Thanks for the tip.