WordPress Security Guide

WordPress Security Guide – Best Practices To Protect Your Site From Hackers

Recently, the Sucuri team found a malicious JavaScript used in the WordPress site redirects the users to other annoying scam websites. Over 2,000 websites were infected since they started tracking this.

Make sure your WordPress sites are safe, enhanced with premium security options and reliable managed WordPress hosting.

When it comes to WordPress security, you have plenty of things to do to safeguard your site from the scammers.

I’m damn sure; this WordPress security guide will help you with the essential WordPress security measures to lock down your WP site safer.

Is WordPress secure?

First of all, it becomes momentous to check whether the WordPress platform is secured?

WordPress powers 35.8% of all websites across the globe. That isn’t easy.

Indeed, its fame comes with a cost. WordPress is the highly vulnerable CMS platform to the threatening hacks.

Being prone to security vulnerabilities, not being a safe platform for any business, it wouldn’t have been so popular. With its high-standard security measures, WordPress proves its capability in outranking other CMS’s.

Keep in mind; it is not about WordPress; all the websites are vulnerable. While WordPress is more susceptible by the hackers often, you can still protect your WordPress sites to the core adhering to the WordPress security best practices.

Why Is WordPress Security Essential?

Most of the companies and brands prefer WordPress for their business websites. When it gets hacked, you will face severe downside in your online reputation, and of course, business revenue.

There are chances; your competitions might rear up such hackers to ruin your business with these unethical hackings. Once the attackers started infiltrating your WordPress site or server, they are likely to steal your user’s data, secret passwords, install malicious scripts, etc.

WordPress Hacking Hurts Your SEO Too!

As we all know, search engines pay more attention to the quality of the links that link to one another. In such a case, during the hack, attackers will always add massive links from spam sources to your WordPress website.

Ultimately, this lowers your site’s trust value. It adversely affects your SEO and hence, website rankings.

Being hacked, Google never hesitates to blacklist your site. Then, recovering or bringing your website back to normal would be difficult. The compromised site that is blacklisted for malware seriously drains its overall online visibility.

The worst case is you don’t even know that your WordPress site is at risk.

Rarely, you will have to pay ransomware to the hackers to recover or regain access to your website.

However, the reputation and the audience base lost are always lost. Prevention is still better than cure. So, pay extra attention to your website security adhering to the best WordPress security practices.

Common WordPress Vulnerabilities You Must Know

Here are some of the different types of typical WordPress vulnerabilities –

Improper Usage of WordPress

Lack of WordPress security and web knowledge among the users favor hackers to play around their cyber-crime games. Software vulnerabilities are awful.

Cyber-attackers identify the highly vulnerable targets scanning millions of websites over the web via automated scripts. The real game starts then. They will begin to exploit your resources deploying malicious tools, malware, etc.

You don’t believe, the wrong usage of update_option() function in the WordPress sites were the severe software vulnerability in 2019.

Outdated CMS

People often forget to update their WordPress to the latest versions, in their workflow. That means they are neglecting the important security patches and releases to fix the vulnerabilities in the core. Fortunately,

WordPress has its auto-update features (from version 3.7 and above), favoring its users to overcome this pain point.

Even though, in 2019, 49% of sites were using outdated WordPress versions.

Also, your hosting provider can take care of it, in case of managed WordPress hosting.

Also, outdated PHP installations may not be a threat, still having the older PHP versions can greatly affect your website loading speed and performance.

Vulnerable plug-ins

Hackers leverage the usages of nulled plug-ins to inject malicious scripts into your WordPress core files.

The proliferation of unpatched plug-ins makes the known vulnerabilities to invade into your (even) protected system or website. You don’t believe, Sucuri detects that the WordPress users used even Yoast SEO plug-in unpatched. Indeed, it contributes around 15.83% of overall vulnerable components that affect WordPress sites in 2019.

Hence, Yoast SEO compels its users to use its latest version that has more significant security patches to mitigate the risks.


As the name represents, this is nothing but the hackers bypass the security encryptions with unethical passages.

By which, they will get access to your WordPress sites via SFTP, WP admin, etc. to plunder the entire hosting server. But, don’t panic, prevention and cure for this vulnerability is simple with 2FA, blocking IP’s, etc. Indeed, this guide will help you with more effective WordPress security tips to stop those attackers.

Brute force attacks

Again, the attackers use automated scripts to get a passage to your secured WordPress. Specifically, the brute force attackers tend to exploit weak passwords and get access to your site. With simple WordPress security ideas, you can be safe from these brute force attacks. But, most of the website owners never care about it and fail to perform. Later in this WordPress security guide article, we’ll see how to protect your WordPress site against brute force attacks.

Malicious Redirects

The hackers will find backdoors like gaining access to your WordPress site via FTP, SFTP, etc. and further to the servers. Placing server-side redirects (.htaccess files), they are likely to redirect your audiences to some malicious sites.

Also, there are cases where these hackers inject browser-side scripts to grab the cookies, session data, and user’s data even without their knowledge. Technically, we call it as Cross-Site Scripting (XSS).

DDoS attacks

Indeed, the most simple-to-do and dangerous among all these vulnerabilities. Flooding the target and its surrounding infrastructure with the surges of traffic and disrupting its actual performance.

Even using the latest versions of WordPress cannot fight against DDoS attacks comprehensively; still, it can protect your sites from the chain of attacks by sophisticated cybercriminals.

Don’t worry; you will get to know the actionable WordPress security tips to stay out of all these vulnerabilities and crime attacks.

WordPress Security Guide – Easy Ideas To Secure & Protect Your WordPress Websites

Indeed, improving website security is always horrible for start-ups, especially for non-techies. By the way, it is not a one-time task. You must be consistently monitoring and optimizing your WordPress site for maximum protection.

However, you are not alone. There are abundant WordPress resources available online by the experts that have helped hundreds and thousands of WordPress users. This WordPress security guide is one such to help you.

For your convenience and better understanding, I have categorized the WordPress security tips based on the areas where the hackers take advantage.

Let’s roll-out. If you are specific about particular category, then scroll to it directly. Otherwise, keep on reading below.

#1 Secure WordPress Hosting Servers

The WordPress hosting service plays a great role in keeping your site secured. Especially in shared hosting, you will share resources with many other sites. That opens a passage for the cross-site infection.

The hackers are likely to corrupt your neighbor sites on the same server to detriment your system. They can easily upload or inject malicious files to your WordPress site. You don’t believe; they might even grant access to those hackers willingly.

I don’t say that there is no comprehensive security using shared hosting. There are a few hosting brands that take more care to protect their servers against such malicious activities.

Let me help you with some ideas to choose your WordPress hosting from a security standpoint.

The host that –

  • Continuously monitors their servers for any malicious activities
  • Has hardened infrastructure, updated software, and hardware versions to block severe hacking
  • Flexible and transparent in communicating the server malware before that cause damage to your site
  • Has vetted team of WordPress and networking experts to assist and resolve issues at the earliest
  • Provides proper and instant disaster recovery that helps to retain your data in case of any unexpected flaws

Anyways, good things cost you always high. Hence, managed WordPress hosting is expensive, being a customized hosting solution for WordPress platforms. It is worth the extra money you spend. It provides a more secure platform.

SiteGround Banner

In common, the managed WordPress hosting companies offer automatic backups, regular server monitoring, auto malware scanning and removal, premium support, automatic WordPress updates, and more server-side security configurations.

So, here are some of the crucial things to consider safeguarding your WordPress site from the server-side.

  • Protect wp-config.php file

Wp-config.php resides in the root directory of your WordPress installation. And, it contains crucial information about WordPress installation and database log information handling the cookie encryptions. Protecting the wp-config.php file is nothing but securing your core of the WordPress site.

Fortunately, it is so easy to protect your wp-config.php file, just moving it to a higher level than your root directory. WordPress can still access it even you store it over there. Doing so, the wp-config.php file is inaccessible to hackers to break your WordPress security.

  • Disallow file editing

Having multiple users and administrators to access your WordPress dashboard is unsafe. But it is inevitable. WordPress is known for its flexibility and easy-to-customize features. At the same time, that is highly prone to risks. Its built-in code editor allows any user to edit your themes and plug-ins from the dashboard. That’s unfair at all.

When the hackers invade into your dashboard via backdoors, first thing, they will try to edit your PHP file or theme via Appearance editor.

So, to prevent such unauthorized edits, you can simply add the below code in your wp-config.php file.

// disallow file edit define (‘ DISALLOW_FILE_EDIT’, true );

Even when the hacker obtains access to your dashboard, they can’t modify any of your WordPress files.

  • Grant directory permissions carefully

It is highly momentous to check the directory and file permissions. If the directories are open for all the admin or users, then you are in danger. At the same time, you have too strict permissions then this might break your WordPress functionalities.

So, it is important to set the right directory and file permissions for the proper and secure functionality.

Here are the recommendations –

  • Set 644 or 640 for files 7 sub-directory access
  • 755 for directory permissions
  • 440 or 400 for wp-config.php

Don’t even set 777 for any directories ever. Then, your WordPress site will be at risk. You can set these permissions manually via the File Manager in your hosting cPanel.

  • Disable directory indexing

Whenever you add a new directory to your site, make sure not to mention the index.html file in it. When the directory is available publicly for browsing, then the hackers can advantage of it to gain access to your WordPress core files or at least know your directory structure.

So, make sure to disable the directory indexing and browsing, adding the following code in your .htaccess file.

Options All –Indexes

  • Disable XML-RPC

By default, XML-RPC is enabled in WordPress 3.5 versions to help to connect your site with mobile and web applications. But, that can also amplify the risks of brute force attacks.

For an instant, usually, the hackers should try 500 login attempts for 500 different passwords. But, with XML-RPC enabled, they can use the system.multicall function to try 500 different passwords in just 10 login requests. So, you are making their job easy.

If you are not using it, then simply disable it with free Disable XML-RPC plug-in for free.

  • Prevent hotlinking

Hotlinking refers to the act of others using the image file on your website server on their website. That dissipates your server bandwidth too and slows down your site loading speed.

Beyond that, you will have to deal with illegal implications for your images being used on any questionable domains. That’s a headache and costs you.

So prevent hotlinking from protecting your server resources and staying secure.

There are some manual actions to prevent hotlinking in Apache, adding additional scripts to your .htaccess file. Alternatively, using any WP security and firewall plug-in has a built-in feature to block such hotlinks. Go for it.

  • DDoS protection

The DDoS attacks are widespread, where the attackers use multiple programs to send traffic urge to your server overloading it. It may not be a big hazard to your site and its files, but it can ruin your site performance for a few hours or even days. If it is not resolved soon, then it is a total crash of your website.

Using web application firewalls can help you identify the IPs that cause such dreadful DDoS attacks, and hence, you can block those. Using premium security plans like Cloudflare or managed WordPress hosting services, you can stay out of it.

  • Enable Web Application Firewall (WAF)

Enabling Web Application Firewall can be a comprehensive solution to protect your WordPress site from security threats and malware.

Application-level firewalls can examine the traffic that reaches your server but before loading your WordPress scripts against it.

On the other hand, the DNS level firewall can route your traffic through the proxy cloud servers to examine and just send the real traffic to your web server. Indeed, this DNS level WAF is most secured than the application level firewall.

The good web application firewall is one that comes with malware cleanup and blacklist removal options. Go for it. Most of the security and caching plug-ins would help you with this.

Repairing a hacked website is quite expensive. It’s better to be preventive with suitable security measures.

#2 Lockdown WordPress Dashboard

Securing your WordPress dashboard can stop plenty of backdoors available for hackers to attack your site.

Locking down your WordPress admin can greatly improve your WordPress site security.

But, protecting your WP admin is easier than you think. Even for beginners, you can follow the below WordPress admin security practices to breach your WordPress site security.

  • Protect wp-admin

It is most essential to secure your wp-admin directory, the core of any WordPress website. As if the hackers gained access to it, then it leads to an overall hazard. So, password-protect your wp-admin directory. Thus, only the site owner can access it with security keys. You can easily set up this in your hosting cPanel.

  • Enable SSL/HTTPS

One of the mandatory mechanisms to harden your WordPress security is upgrading your site to HTTPS, enabling SSL. This ensures encrypted data transfer between the browser and the website.

WordPress-Security-with-SSLMost people believe that SSL is mandatory for eCommerce sites that accept credit card payments. But it is not so.


  • Ensures added security
  • Is an SEO ranking factor
  • Builds trust among the customers
  • Makes browser to attest that your site is secured (with a green padlock)

By the way, Let’s Encrypt offers free SSL to help site owners to enjoy its benefits. Indeed, most of the hosting companies started offering free SSL along with its hosting plans by default. Make use of it, and keep your website data safe. Let the customers believe that your site is safe to browse, and data is more secure.

  • Add new users with care

Whether you run a WordPress blog or a multi-author website, you should deal with multiple users accessing your WP dashboard. And, that leads to vulnerability.

Whenever you create an account for new users, make sure they have the most robust password.

  • Have custom URL & username

Immediately after installing the WordPress application, ensure changing your WP admin URL. By default, it would be https://www.sample.com/wp-admin. Instead of that, have a custom URL that nobody can guess.

Also, admin is the typical username most of the WordPress sites will have. That’s easy to guess by the hackers.

They just need to figure out your password. So, make things complex for hackers. You can see more login attempts using the username ‘admin’ while checking your website logs. So, the cunning eagles are waiting to infiltrate. Be preventive.

  • Limit login attempts

Indeed, changing the admin login URL can minimize the number of bad login attempts. Still, limiting login attempts can be much effective. There are free WordPress plug-ins available to limit WP admin login attempts like Cerber Limit Login Attempts, Login Lockdown, etc. You can easily set the login attempt limits, lockout duration, IP blacklists, etc.

The plug-ins can even record the IP address and the timestamp of the failed login attempts. You can block the IP to be safer aside.

  • Two-factor authentication

As the name suggests, one requires a two-step verification to get access. Even though you have a strong password to login to your WordPress admin, there is always a risk somebody can crack it. Enabling this 2-factor authentication, you need the second step verification as text messages, phone, or One Time Password (OTP).

Install Two Factor Authentication plug-in and click on the Two Factor Auth link in your WordPress sidebar.

Then, open the 2-factor authentication app installed on your mobile. Click on the ‘Add’ button and scan the QR code displayed on the WordPress 2-factor authentication plug-in settings page. That’s it. Hereafter, whenever you log in to your WP admin, you need two-factor authentication code after entering your password.

Hackers are smart in playing over the web. They can’t steal both your password and mobile phone at a time. Isn’t it?

These are some of the popular authenticator apps – Authy, LastPass authenticator, Google Authenticator, etc. Almost the setup process will be the same.

#3 Protect WordPress Database

All your site data even your login credentials are stored in your WordPress database. So, securing it is more critical.

First and foremost, change or rename your database name. So that the hackers will find it more complex to figure out and access your database. Likewise, here are some of the recommendations to protect your WordPress database form hacking.

  • Change Database prefix

By default, WordPress has wp_ as the general prefix of all the tables in your database. In such a case, the stealers can easily identify your table’s name. So, set more obscured database prefixes that are hard to guess.

  • Have automatic backup solutions

This may not be a precautionary security measure. Still, if something happens accidentally, the only possible way to recover your site and retain its data – is with its backup.

We all know that, but we never take regular backups.

However, there are too many free and premium WordPress backup plug-ins available. Using one, make sure to fully backup your site regularly.

Indeed, your host will take daily or weekly backups of your site. But, most of the backups are deleted since each backup file would take more space. So, download and store your backups in external cloud services like Amazon, Dropbox, etc.

  • Set strong DB passwords

Like how you set your custom database name, make sure to have a strong password for your database.

  • Check your audit logs often

You must often be monitoring what kind of user activities are going on in your site. Giving access to multiple authors and contributors, they might be changing the login passwords. That happens. But, there might also be some unusual things happening.

They don’t deserve the right to change themes and plug-ins. So, regularly auditing your website logs allows you to know if your admin or contributors are trying to make any changes without your approval.

There are matured WordPress plug-ins like WP Security Audit plug-in to have a full list of website logs, set email alerts, and reports. Also, the plug-in can notify you about the malicious activity your users, if any.

#4 Care For WordPress Themes & Plug-ins

Of course, themes and plug-ins are the integral parts of a WordPress site. Meanwhile, it poses high risks to your website. So, here are some of the recommendations to keep your WordPress site against the vulnerabilities using themes and plug-ins properly.

  • Use the latest versions

These WordPress themes and plug-ins are developed and maintained by third-party developers. So, often those will come with a lot of updates with security patches and improved features. In the security point of view, you should not neglect the latest security updates that can protect your core WordPress. So, keep your WordPress, PHP, database, themes, plug-in, or any other resources up-to-date.

Secure WordPress using Updated Versions

However, you will get email notifications and alerts in the WP dashboard, whenever there is any update. Just within a click, you can improve your WordPress security. Don’t ever use pirated themes or plug-ins that pose serious harm to your site easily.

  • Hide WordPress version

Yes, I mean it. Prevent your WordPress version from showing publicly in your site’s source code. With which, the hackers can build the appropriate attack to conquer your WordPress site. Also, in case of using the outdated version, then it’s a welcome note for the intruders to start attacking your site.

Consider adding this code to your functions.php file to manually hide the WordPress version of your site.

function wp_version_remove_version() { return ‘ ‘ ; } add-filter ( ‘the_generator’ , ‘wp_version_remove_version’ ) ;

  • De-clutter the unused

To prevent the future threats from themes and plug-ins standpoint, make sure to remove or delete unused and unwanted ones from WP dashboard.

Install the most essential and secured plug-ins from the trusted resources. Ensure that the plug-ins you use often come with regular updates. Check the installations counts and customer reviews before installing any WordPress plug-in.

WordPress Security FAQ

WordPress is indeed an open-source content management system to power millions of websites online. Even though its development community make it a secure choice for the website of all sizes, there are hackers to breakthrough.

So, the responsibility lies in the client-side too. The site administrators should pay more attention towards using core API’s, external scripts and underlying server configurations to avoid common security vulnerabilities.

Upgrade to the latest versions of WordPress even if it has minor releases since most of those minor releases are reserved for security fixes addressing critical bugs. Likewise, if you have any typical questions about WordPress security, we are readily available to respond as below.

1) Can I use multiple WordPress security plug-ins at a time?

You can. But, don’t do that. It could cause conflicts and neither one would work properly.

2) Is my site 100% secure?

Every best practice of WordPress security is to protect your WP site. But, one cannot guarantee 100% security. But, make sure your site has the maximum protection to prevent the security threats, alert you immediately when there are an attack and recovers from the disaster soon.

3) How managed WordPress hosting is more secured?

Being a tailor-made hosting solution for WordPress sites, it comes with extensive security options to protect it. Over and above, the hosting team will be monitoring your site 24/7 for its uptime, performance, security lapses, malware, etc. So, the chances for the malware attacks are highly reduced.

4) How do I know if my site is hacked?

If you notice an immediate drop in your website traffic, it redirects to any other phishing sites, you see funny characters or strange links in your content, pages disappeared from the search engine results suddenly – there are higher chances your site has been hacked.

5) How should I respond to my WordPress site hacking?

It’s better to get instant support from your hosting team to identify the cause. Knowing which, refer to these WordPress security guide and fix the issues as soon as possible. But, don’t go to that extent. Be preventive.

Fixing A Hacked WordPress Website

People really don’t care about the significance of backups until their site is hacked. Retaining the actual site is a tedious process and incurs a considerable loss.

Even though you have got your site back as before, make sure the root of the hacking or backdoors are shut down. Otherwise, it continues to be hacked.

If you are a start-up, non-techy, or running out of time to manage your WordPress security, then give it to the expert’s hand. WordPress security services like Sucuri, Cloudflare, etc. can prevent your site from suspicious attacks, protect against future threats, and fix your hacked website too.

DIY’s, double-check the WordPress security best practices before making any changes to your WordPress core files. But, always have an automatic backup solution in place.

Let’s Wrap Up This WordPress Security Guide

As discussed above, we have several things to do to harden our WordPress security. Using strong passwords, updated versions of applications, enabling essential security add-ons can help you protect your WordPress site.

The best practices shared in this WordPress security guide are crucial to improving your WordPress security. For most of you, the WordPress site might your business and revenue generator. So, take some time to care for its security and hence, steady performance.

Stay out of any questionable actions that are highly prone to risks.

Indeed, managed WordPress hosting services would be an ideal choice better to protect your site from malware and offensive attacks. Otherwise, opt for the professional WordPress security services to breach your WordPress site security.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top