The Ultimate Guide to WordPress Security Part 1 of 3

by Cerys O’Brien

This is the first of a three-part series on WordPress security. The series continues tomorrow and finishes on Thursday.

On December 9, 2021, 1.6 Million WordPress sites were hit with 13.7 million attacks in 36 hours*…

That data only includes the blocked attacks.

And the sites attacked on that day were ones already using one of, if not the, most popular and reputable WordPress security plugins!

If you’re a WordPress user you’re probably terrified now and you know you need to secure your site.

Securing your site will save your website data, help you avoid lawsuits, and stop you from losing website traffic.

So if you want to learn how to make your WordPress website secure to save your sanity, data, and traffic keep reading.

Table of Contents

  • Basic WordPress Security Checklist

  • Advanced WordPress Security Practices

  • Limit Your Vulnerabilities

  • Summary


Basic WordPress Security Checklist

We are going to start with the basics. If you have no security protection at all, you need to begin here before advancing to more technical armor.

Even if you are a tech-savvy business owner, you should read through this checklist and make sure you have completed every step before moving on. A little slip could be all a hacker needs to worm their way into your website.

Keeping WordPress Up To Date

WordPress is a type of open-source software. This means that the software’s source code can be looked at and modified by anyone. If someone has access to the source code, they can manipulate the software and change it for better or worse.

Originally, this type of software was created with customization in mind. However, if your website isn’t protected, anyone can add or modify your website. One way to protect against unwanted modification is to allow WordPress updates to run their course.

WordPress is normally very good at automatically maintaining and installing small updates to keep your website functioning smoothly.

However, whenever you install a new plugin, you are inviting a third-party developer to connect to your website. These third parties might not remind you to complete the updates, and so you may end up with out-of-date plugins which are no longer safe.

To make sure your website is secure you need to check that your plugins, themes and core WordPress updates have been completed.

Have Strong Passwords

The easiest way for hackers to get into your WordPress account is by using a stolen password. Many people use the same passwords for multiple online uses, or they use passwords that can be easily guessed. If you do both, then hacking your accounts will be simple.

Once they get into one account, the hackers can get into all of them – emails, bank accounts, social media, everything.

You might think that creating a different, strong password for each account risks forgetting what the password is, but you can use a password manager to store your key information securely, which takes the pressure off your memory.

Strong passwords contain a mixture of uppercase, lowercase, numbers, and symbols. They also have a lot of characters, preferably 10 or more. The more random and unpredictable they are, the better.

For example, if a common phrase in your home is “Pull The Lever Kronk” you can turn it into an unbreakable password such as “P>2l;t;L8a;Kr0k”. As long as the code makes sense to you but is confusing to anyone else, then it is strong.

Choose A Secure Hosting Company

A hosting company is a secure place for you to store your online content. This content could be images, videos, text, and even code. When you put something onto the internet, it needs to be stored somewhere, otherwise, it will instantly disappear.

Luckily, WordPress allows you to use its own hosting services as part of its agreement. However, there are ways for you to expand on the service already provided.

There are other companies designed to help manage your WordPress hosting features. They can boost your security by creating automatic backups, push through updates without delay, and search for holes in your security.

Having two separate companies managing your hosting can help you stay afloat if one stops working. You will be doubling your security, and allowing diversity to stop any hackers from bridging one service and getting to your content.

With extra security, hackers have to work twice as hard, which makes your platform seem undesirable to these criminals.

Enable SSL/HTTPS On Your WordPress Site

SSL stands for Secure Sockets Layer. When a website has an SSL certificate, it has proven that the website is secure and has created an encrypted connection from the user to the host website. When the connection is encrypted, it means that your personal information, browsing history and more have been scrambled into a code. In modern use, SSL has been replaced with TLS, or Transport Layer Security.

If anyone tries to hack you when you enter into the website, all they will see is jumbled garbage.

SSL is extremely important to create a secure website that your users can trust. You can tell if a website has SSL by looking at the website address in your search bar. If you see a padlock, it means SSL has been certified.

Another way to see if a website has SSL security is by looking at its Hypertext Transfer Protocol or HTTP. You can see this acronym written before the website name or “www.” beginning. If the website is SSL secure, the HTTP will change to HTTPS. The added “S” stands for secure.

The last way to tell if someone’s website has this encryption or protection is by using browsers such as Chrome. They will warn you, saying “Not Secure” next to the website name in the search bar.

WordPress offers SSL as part of its services, but if you are not using WordPress you may need to purchase the security through another company.

Install A WordPress Security Plugin

If you are actively looking for possible malware, you are more likely to stop any negative interactions before they become a problem. But you can’t spend every day looking into the code and figuring out where any failed security issues are.

Instead, you should install a security plugin. Your security plugin will audit and monitor every click and interaction with your website. They then file and notify you of anything suspicious or downright malicious.

For example, they could send you an alert when malware has been detected and removed, or they could notify you if a specific login has had multiple failed login attempts.

When you are shown multiple failed login attempts, you can freeze the customer’s account and email them explaining that someone might be attempting to hack into their account. Freezing their usage will protect your website while you wait on confirmation that the customer has dealt with the issue.

[Bob says: We use and recommend WordFence]

Install A WordPress Backup Solution

If any malware does get through all of these defenses that you have installed, then your last basic solution to saving your website is through your backup systems.

Backup systems are the safety net of the website world. They are designed to let you restore your website as soon as it collapses, because all the content you have saved can be re-added.

There are free and paid-for backup plugins that you can use. The free services often simply keep your data secure, while the paid-for services can instantly bring your website back up.

To make sure either is 100% up-to-date, you need to save your changes regularly. To make sure that your backup doesn’t get hacked either, you need to diversify your storage and keep the data away from your WordPress website.

Enable Web Application Firewall (WAF)

WAFs or Web Application Firewalls are software that protects your website from malicious traffic trying to break your website.

Generally speaking, you will have legitimate traffic (also known as genuine customers or readers) and you will have malicious traffic (which includes robots or automated users trying to quickly steal from or scout out your website). A WAF blocks large data packages from entering your website, as it recognizes them as illegitimate traffic.

Firewalls should be an instant first line of defense when you look into protecting your website. As the first protection installed, a firewall blocks malicious users before they can even touch your website.

Scan WordPress for Malware and Vulnerabilities

Your security plugins which we mentioned earlier should be searching and pulling out malware as soon as it finds anything suspicious. However, sometimes a sneaky piece of clever technology can breach your defenses. It’s reasons like this which show us why manual scans should also be included in your monthly checks.

That being said, you should perform a manual scan if you notice a drop in website traffic or if your website has dipped down the search rankings. This could be a sign of malware successfully infiltrating your website.

Whenever anything suspicious occurs on your website, your first thought should be to check for malware. If you find out that you’ve been hacked, don’t expect the scanner plugin to know how to tackle it. Some issues need to be taken to a specialist to resolve.

Advanced WordPress Security Practices

The above suggestions are steps that any website owner should be able to follow. Even if you get confused along the way, the process will be simple and WordPress is designed to help create a secure website.

These next steps, however, require a bit more software knowledge. If you do not feel comfortable making these changes on your own, then you might benefit from hiring a professional to adapt these for you, or you could stick to the basic protection.

Either way, we would advise everyone to look through these advanced security practices and implement as many as they can.

Change The Default “Admin” Username

When WordPress first began, the username for your website would be “Admin”. In fact, if you were to make a quick-build website today, your username might still be “Admin”.

However, as a heavily used log-in credential, keeping the default username means that hackers already have one answer to your security questions.

Look at your website and search for your username. WordPress doesn’t allow you to simply change these details. Instead, you can either install a username changer plugin or create a whole new admin and delete the old one.

Customize Your Login Page URL

One way in which hackers try to attack is through the login page. There they can request your wp-admin folder. This folder contains the coding functions required to make sure your website runs properly. A hacker accessing this information can quickly stop your website from running.

To stop this type of attack, all you need to do is customize your login page’s URL. Your login URL defaults to /wp-admin or /wp-login.php. To change this go into the official plugins directory, and pick a plugin which suits your needs. For example, you could pick Custom Login Page Customizer. Once activated, you will be asked what your preferred login page URL is and hey-presto your page is more unique and therefore more secure.

Password Protect WP-Admin And Login

You can add another layer of protection to your login page by adding server-side password protection. If the hacker gets past the first layer of protection, they then have to deal with this second layer too. For most bots, that’s enough to register a waste of time, and they move on to the next victim.

As we said before, a hacker can request your wp-admin folder through a login page, but changing your URL to something more unique can prevent this from happening. If that doesn’t work and the bot can pull through your folders (which contain functions to run your website properly), then you need to stop them from opening the folder.

To do this, simply edit the wp-admin folder found in the current directory, and click “password protect”. Use a unique password, as we mentioned before, and you’ll have a second protection system in place.

Limit Login Attempts

Most hackers come in the form of bots. They can try hundreds of combinations to attempt to find your passwords and login. They can attempt this on your customers or even on your admin profile. To stop this “brute force” method, you should limit how many login attempts a person can make.

By default, WordPress doesn’t have a limit to how many login attempts you can make. To fix this security risk, you can install a plugin that limits the number by either their recommendation or your desired settings. For example, you could use WP Limit Login Attempts.

Add Two Factor Authentication

To secure the login page even further, you can add in a two-factor authentication process. There isn’t a strict rule on what the two factors have to be, but they are commonly the username and password in the first step and a second device confirmation in the second step. This forces the hacker to have at least one physical connection to a known device and warns the user of a possible attack.

As with everything on WordPress, all you need to install this verification process is the relevant plugin. For this service, you can choose a Two Factor Authentication plugin. There are many to choose from, each with its own setup plan.

Automatically Log Out Idle Users

It isn’t uncommon for people to walk away from their desk or computer screen while logged into a website. Although it might seem fine to let the website stay logged in during this time, it actually creates a massive security risk.

With the system unlocked and unprotected, anyone can walk by and use the service or take your details without the user’s permission.

To reduce this security risk install an Inactive Logout plugin. You can give the user a reminder to be active before the logout commences. This will encourage them to click through a page and “wake up” the website, just in case they are simply taking their time looking through a page. If there is no change, then the website will automatically log the user out when they reach the time limit.

Limit User Permissions

Ideally, you should limit the user’s permissions as soon as you launch your website. This is so they don’t gain access to the “behind the curtain” operations, such as moderating comments, creating pages, or editing posts.

Although you want the users to write comments on your pages, they shouldn’t have any other ability to edit your content. To do this, you can make every new user a subscriber. Subscribers can only read content and view the webpage.

To do this, go to settings, and then general. You can see the term “New User Default Role”, there you change the dropdown to “Subscriber”.

You can then change the user role from “Users” to “All Users”, so previous customers will be turned into a subscriber too.

Add Security Questions To WordPress Login

This next tip is another one for the login page. To make the first login step harder for hackers and bots to get past, you should include at least one security question.

You can do this by installing a security question-based plugin such as WP Security Question. When you activate it, the plugin will ask for your security question and your answer. This step is an easy one, but it can dramatically decrease your chances of being hacked.

The security questions should be unique, leading to a wide possibility of answers. For example, you do not want the answer to be similar to your password or your username. You also don’t want the answer to be found online through social media. If you said “What Was Your First Pet Called” and your Instagram is filled with pictures of your first pet, a hacker can easily find the answer.

Disable File Editing

One reason why so many people love WordPress is because of its endless possibilities for customization. The in-built code editor is just one of many avenues you can go down to create your own space.

When it comes to security, this feature can be a problem. Hackers can use this area to change themes or plugins. If you have no desire to edit your website or use the code editor, then we suggest turning it off.

If you aren’t using the feature then it is simply a doorway into your mechanics, and so should be removed. To turn this file editor off, either install a plugin that specializes in this area or add the below code to the wp-config.php:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

Disable PHP File Execution

A PHP file is a website filled with code, Hypertext Preprocessor code to be exact. It has all the details the website needs to function properly including the date, time, online forms, and database information.

Unless you are writing the code yourself, you do not need to access the PHP file. If you do not need to access it, then you should disable anyone from being able to access it. That way you know the files are safe despite never opening them.

To disable the files you can either install a plugin that can do it for you, or add the below code in a text editor:

<Files *.php>
deny from all
</Files>


Save this code as “.htaccess” inside your wp-content folder.

Disable Directory Indexing And Browsing

Just like a phone book directory, Directory Browsing allows you to place your website into a listing. The idea was to make finding your website easier. However, following in the phone book directory’s footsteps, the process has become outdated and has even allowed criminals to find vulnerabilities to exploit.

Hackers can use the listing, which is usually unprotected, as a gateway to your sensitive company information. Seeing as search engines do the same job as listings but better, we recommend turning off your indexing to stop hackers from gaining access.

To do this, look for the .htaccess file first. You can find it in your file manager. Add this code to the end of the file:

Options -Indexes

Then simply save and reupload the file. There are very few reasons to keep your directory running, so if you know how to disable it, we highly recommend doing so.

Disable XML-RPC in WordPress

Since version 3.5, WordPress has included XML-RPC by default. It was included to help the open-source web host transmit data while still using the secure HTTPS system. WordPress couldn’t do this on its own due to the open-source nature of the website.

This allowed website owners to put their sites on mobile devices, and access the admin areas remotely. However, there is a drawback to this system. All of the password security we have implemented above would be ignored when switching from PC to mobile.

If a hacker tried to put through 1,000 passwords to find the correct one and hack your website, they would be blocked after 5 or so due to your limited login plugin. With XML-RPC, a hacker can split the attempts through different devices to produce fewer blocks. This makes your password security less secure.

To disable XML-RPC use the below code, and copy it into the .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# allow from YOUR.TRUSTED.IP.ADDRESS (uncomment and fill in to keep access from one address)
</Files>

Change WordPress Database Prefix

When thinking about your security, you have to make everything as hard for a hacker as possible. One way that a hacker can confirm what web host you are using or where your table name is, is through the wp_ prefix on your database.

We should warn you that attempting to change your prefix can be difficult. Doing so incorrectly can cause your website to crash. Only attempt the change if you have strong coding skills.

Move Your Wp-Config.Php File If Possible

Some people believe that moving your wp-config.php file to a new location doesn’t give you a lot of security benefits and could introduce new issues if done incorrectly. Because of this, we will only lightly touch on the subject, so knowledgeable readers can be reminded of the process and new coders aren’t encouraged to try something they might not succeed in.

If you move the wp-config.php file to the directory above your WordPress installation, it will sit outside of the web-root folder.

This will make the file harder to find, and you can block everyone but you from viewing the contents. To do this, set the file’s permissions to 400 or 440. You can also use this code to limit access:

<files wp-config.php>
order allow,deny
deny from all
</files>
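
To confirm that the settings from Disable File Editing through this section are actually in place, the following added example (not code from the original article or from WordPress) reads a WordPress directory and reports each one as True or False. It assumes Apache .htaccess files, assumes the wp-config.php deny block lives in the site-root .htaccess, and also accepts the Apache 2.4 form `Require all denied`; the function names and the sample site it builds are constructed for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path


def active_lines(text):
    """Config lines with blanks and '#' comments removed."""
    stripped = (line.strip() for line in text.splitlines())
    return [line for line in stripped if line and not line.startswith("#")]


def files_block_denies(htaccess, name):
    """True if a <Files name> block holds 'deny from all' or 'Require all denied'."""
    inside = False
    for line in map(str.lower, active_lines(htaccess)):
        if line.startswith("<files"):
            inside = line[6:].strip(" >\"'") == name.lower()
        elif line.startswith("</files"):
            inside = False
        elif inside and re.fullmatch(r"deny\s+from\s+all|require\s+all\s+denied", line):
            return True
    return False


def audit(wp_root):
    """Map each hardening step from the guide to True (in place) or False."""
    root = Path(wp_root)
    read = lambda p: p.read_text(errors="replace") if p.is_file() else ""
    cfg = root / "wp-config.php"
    # Drop PHP comments so a commented-out define() is not counted as active.
    code = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", read(cfg), flags=re.S)
    root_ht = read(root / ".htaccess")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", code)
    mode = stat.S_IMODE(cfg.stat().st_mode) if cfg.is_file() else None
    return {
        "file_editor_disabled": bool(re.search(
            r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", code, re.I)),
        "php_denied_in_wp_content": files_block_denies(read(root / "wp-content/.htaccess"), "*.php"),
        "directory_indexes_off": any(re.fullmatch(r"options\s+(.*\s)?-indexes(\s.*)?", l.lower())
                                     for l in active_lines(root_ht)),
        "xmlrpc_denied": files_block_denies(root_ht, "xmlrpc.php"),
        "wp_config_denied_over_http": files_block_denies(root_ht, "wp-config.php"),
        "db_prefix_changed": bool(prefix) and prefix.group(1) != "wp_",
        "wp_config_mode_400_or_440": mode in (0o400, 0o440),
    }


def build_sample_site(base, hardened):
    """Write a constructed WordPress-like tree (sample data, not a real site)."""
    root = Path(base)
    (root / "wp-content").mkdir(parents=True)
    deny = "order allow,deny\ndeny from all\n"
    files = {  # relative path: (default install, hardened as the guide describes)
        "wp-config.php": (
            "<?php\n$table_prefix = 'wp_';\n// define( 'DISALLOW_FILE_EDIT', true );\n",
            "<?php\n$table_prefix = 'x7k_';\ndefine( 'DISALLOW_FILE_EDIT', true );\n"),
        ".htaccess": (
            "# BEGIN WordPress\n# END WordPress\n",
            f"Options -Indexes\n<Files xmlrpc.php>\n{deny}</Files>\n"
            f"<files wp-config.php>\n{deny}</files>\n"),
        "wp-content/.htaccess": ("", "<Files *.php>\ndeny from all\n</Files>\n"),
    }
    for rel, variants in files.items():
        (root / rel).write_text(variants[1 if hardened else 0])
    os.chmod(root / "wp-config.php", 0o440 if hardened else 0o644)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for flag in (False, True):
            print(flag, audit(build_sample_site(Path(tmp) / str(flag), flag)))
```

Point `audit()` at a copy of your own site's files; any entry that comes back False names the section above to revisit.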


Hide Your WordPress Version Number

The latest version of WordPress will always have the most up-to-date security systems and protections. Since the 3.7 updates were released, all further updates have occurred automatically. This means that you do not need to re-download the software to get the newest version.

If you are unsure if you have the newest version, install WordPress using their official website and not through any other means.

No matter which version you are using, you shouldn’t allow it to be displayed. This is because any information you freely give out can be used to figure out how to hack you.

To do this, download the plugin Sucuri. Once active go to “Security” and then “Settings”. Switch to the Hardening tab. There you will see an option to “Remove WordPress Version”.

Although most criminals will assume you are using the newest version, they cannot be sure unless you put that information out there. Users with the most information freely available will be the most profitable target in the eyes of a criminal. So hiding this information will put you lower down the list.


Limit Your Vulnerabilities

There will always be vulnerabilities in your website; you cannot anticipate every possible approach a criminal might use to take down your website. All you can do is limit the vulnerabilities and create safety barriers if the worst does happen.

Here are a few areas you should watch over every couple of months to make sure no new vulnerabilities show up.


We have already talked about security in-depth, but if you notice any issues with your security, you should report them as soon as possible. WordPress has a Security FAQ webpage to help you talk to developers, understand the issue, and see if there are any legal issues to be brought up too.

Web Server Vulnerability

Every piece of software your server is using should be monitored. Vulnerabilities can come out of nowhere, so make sure every connection is stable and you are using the most up-to-date versions of each plugin and software.

Ideally, you should ask your web host what type of security precautions they use and how to best utilize these methods. This could be pairing specific software together, avoiding software, or tracking vulnerabilities using the same pattern as the web host. Having these conversations now can prevent a bad situation later.

Network Vulnerabilities

Both the network which WordPress uses and the network that you use should be trusted. You cannot control which network WordPress uses, but you can control your own. Although it might seem fun to run your website in the local cafe, such an open network can allow criminals to slide into your network connection and access your unencrypted information.

You should only be using trusted networks with reliable strength and active encryption to protect you and your users.

Database Vulnerabilities

This issue is for people who have multiple websites or blogs and are using the same server. To make sure your connection and information are secure, you should keep each database separate. This means having different users for each one. This way if someone manages to hack your system, they only have access to one website and not all of them.



Summary

Starting with the basic level of security, you need to make sure that your passwords and login page are protected against potential threats. Using our checklist above, you can go through each suggestion and tick off when you have completed it to make your website safe.

If you are a capable coder, you can attempt the advanced security measures too. Granted most of them are simply disabling features, but seeing as those features are defaults in WordPress, you cannot simply click a toggle button to remove them. Be sure before you try.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at
