WordPress Security Guide: 20 Steps to Protect Your Site

WordPress holds the majority of the Content Management System (CMS) market share and powers over 400 million websites. There is no doubt that it covers a great variety of websites, from personal blogs to big eCommerce sites.

With such an important role, it’s no surprise that WordPress attracts cybercriminals.

WordPress developers do their best to cover all vulnerabilities by constantly updating the core software. However, it’s up to the website owners to implement additional security measures to further protect their WordPress websites.

This WordPress security guide will discuss 20 methods that you can easily implement to keep your website secure.

Types of WordPress Security Vulnerabilities

WordPress is so popular that it has become a target for many cyberattacks. Furthermore, it will be tricky to implement WordPress security measures without first understanding its vulnerabilities.

Here are some of the most common WordPress security vulnerabilities you need to understand before implementing any WordPress security measures.

SQL injection – malicious code injection directed to the WordPress database to access the website’s data and content.
Distributed Denial of Service (DDoS) attack – an attack performed by a network of computers. This creates a surge of fake traffic that takes up the website’s resources, overwhelming it and making it inaccessible to the public.
Brute-force attack – attempts to break the login by guessing a significant amount of usernames and passwords.
Cross-site scripting (XSS) – a malicious code injection into a web application. This attack will then send the malicious script to the end-user using the web application to steal sensitive information stored in cookies or session tokens.
Backdoors – a malware attack that allows an attacker to bypass WordPress security measures. Backdoors can lead to situations where attackers place a redirection code to a malicious site.
Phishing – if an attacker gains access to your website, they can place a phishing link to a fake website that asks for the user’s credentials and other sensitive information.
Hotlinking – performed by another website that embeds your content directly from your server without permission. Not only is this considered stealing, but it also takes up your resources.

How to Secure WordPress Website: The Basic Steps

There is no single website security practice that can block all threats alone – you have to implement multiple methods to improve WordPress security. The following WordPress security tips are essential and are relatively easy to implement from your dashboard with the help of WordPress plugins.

1. Use Strong Credentials

While login credentials are the first line of defense to secure a WordPress site, many WordPress website owners don’t utilize the correct practices for their credentials.

A common mistake is to use generic usernames and passwords, such as admin or administrators, and personal information like a full name or birth date. This puts the website at a higher risk of brute force attacks.

The first important tip for strong credentials is not using the same username and password combination twice on different platforms. In other words, your WordPress credentials should not be the same as the credentials for, let’s say, your Twitter account.

Using the same credentials for multiple logins means that once attackers find out the username and password for one platform, they get access to all your accounts, including the WordPress website.

The second tip is to use a strong password that combines various characters. Various password generator tools are available to help you create strong passwords. Remember that longer passwords are harder to crack, so we recommend using at least 12 characters.Password managers like 1Password or LastPass help you to store your strong passwords. Avoid using an implemented password manager on a web browser like Google Chrome as they tend to be less secure than dedicated password managers.If you have already set up your WordPress account and want to change the username and password, you can add a new administrator account. Follow these steps:

Enter the credentials. Select Administrator for the role, then click Add New User.

2. Enable 2FA (Two Factor Authentication)Two-Factor Authentication or 2FA adds another layer of security by authenticating login attempts using a unique code. The code is continuously regenerated and can only be accessed from a separate device or text message.To enable 2FA on a WordPress website, you’ll need a WordPress plugin and a third-party authentication app on your mobile device, like Google Authenticator.While various WordPress security plugins enable 2FA, the most popular one is Wordfence. Install this plugin and follow these steps to enable 2FA:

Navigate to the Wordfence -> Login Security menu on the left panel.

Open the Two-Factor Authentication tab.

Scan the QR code using the authentication app on your mobile device or enter the activation key.

Enter the code generated on the mobile authentication app.

Click the Activate button to finish the process.

Every time you log in to your WordPress account, you have to enter the code generated by the app on your mobile device.3. Regularly Update Your WordPress VersionUpdating to the latest version of WordPress is the simplest yet most important step to secure your WordPress site. The update to the WordPress core software patches any vulnerabilities to protect you from attackers.Remember to update the themes and plugins, too. In addition to patching security weaknesses, WordPress theme and plugin updates make sure they work well with the latest version of WordPress.Keep in mind that when updating the WordPress core software, you should check whether the installed themes and plugins already support the latest WordPress version. If not, there’s a risk that they won’t work correctly.To check for any available updates, log in to the WordPress dashboard and go to Dashboard -> Updates. There, you’ll be able to see whether updates for the core WordPress software, themes, or plugins are available. If so, you should update them immediately.

4. Upgrade to the Latest PHP VersionWordPress relies on PHP as its main scripting language, therefore, having the latest version of it is essential both for keeping the website working correctly and making sure it’s secure.Each major release of PHP gets full support for two years after its stable release. During this period, developers and contributors fix bugs and security vulnerabilities using the regular point releases. After two years, each version will get another year of support for critical security issues only.However, note that the developers will fix issues based on reports only. This means the fewer the number of users, the fewer reports of security issues.Currently, PHP version 7.3 has reached the end of its lifespan, ceasing any further support for it. As for PHP 7.4, it will only receive patches for critical security issues. If you’re still running PHP 7.3 or PHP 7.4, upgrade your PHP version as soon as possible.PHP 8.0 and PHP 8.1 are currently the recommended versions to run your WordPress site on.Depending on your web host, you should be able to see the active PHP version using the control panel. If your site runs on PHP 7.4 or lower, upgrade it to PHP 8.0 or PHP 8.1 immediately – doing so should be easy to configure it from the control panel.For example, in hPanel, simply navigate to Advanced -> PHP Configuration. Select the PHP version you want to use and click Update to save the change.

5. Get Secure WordPress HostingA hosting provider will grant you space to store your website data and make it accessible on the Internet. Therefore, you should choose a host that offers a secured hosting environment.Many WordPress websites run on shared infrastructure, meaning that multiple clients use the same managed server. This increases the security risk as a breach in one website can affect another.Hosting companies should implement security measures and tools to minimize the risk, such as 24/7 monitoring against vulnerabilities, firewalls, and DDoS protection. Some providers even suspend hacked WordPress sites as they can affect other websites on the same server.When choosing a WordPress hosting plan, we recommend checking for these features:

Firewall – server protection should block any malicious traffic and prevent DDoS attacks.

Auto backup – a website backup is the main mitigation plan to prevent permanent data loss in the event of cyber-attacks. Auto backup features from the provider should reduce any hassle you might otherwise experience.

Credible managed service – if you use a managed service, be sure that the provider regularly updates the server software and hardware to minimize vulnerabilities.

Support – an excellent 24/7 support team will help you with technical assistance to solve any security issues that arise.

Hostinger is an excellent example of a secure WordPress hosting provider. Their services include a 24/7 security monitoring system and a Cloudflare DNS firewall that prevents DDoS attacks. Hostinger’s tech team will also notify you and even perform force-updates if you have vulnerable WordPress plugins installed on your site.Another option for secure WordPress hosting is NameHero. Its AI-based security identifies threats and malicious traffic to your website. Some plans even include this AI technology to identify malicious WordPress admin logins.6. Install an SSL Certificate on the WordPress siteSSL (Secure Sockets Layer) adds a security layer that enforces a secure protocol for data transfer between the web server and visitors. This is especially important if your website collects a lot of data.Without SSL certificates, the data exchange between users and the web server will use plain text. This makes it easier for attackers or middlemen to steal information, especially when using unsecured network connections.In contrast, websites with SSL certificates encrypt all data exchanged. When users want to connect to a website, the browser will send a request, and the server will send the certificate with the public key. The browser then checks the certificate validity and encrypts the data using the public key. This data can only be decrypted using the private key in the server.Other benefits of SSL certificates include better SEO rankings as Google factors in SSL for their SERPs. SSL certificates also help you build trust and credibility, as visitors will feel safe submitting their data to a secured website.Many hosting plans already include a free Let’s Encrypt SSL Certificate. If that is not the case for your plan, you can get one for free on the Let’s Encrypt website or purchase a premium Comodo SSL certificate.

After the certificate is installed on your hosting account, you still have to activate it on your WordPress site. You’ll need a plugin like Really Simple SSL to activate the certificate in a few clicks from your WordPress dashboard.7. Install Trusted Plugins and ThemesPlugins and themes can be an entry point for attackers to gain access to your website. This is the case when a WordPress theme or plugin is compromised or outdated. To prevent this from happening, only install trusted plugins and themes.When it comes to free themes and plugins, be sure to install only those already available on official WordPress directories. These themes and plugins are tested to comply with safe coding standards. In addition, we recommend choosing themes and plugins that are frequently updated, as they are more likely to frequently patch security vulnerabilities.

Make sure to only choose from reputable developers and marketplaces when browsing premium plugins and themes. Check for the number of active installations and read user reviews as they indicate their credibility and robustness. Themeforest is a great example of a credible marketplace for premium themes.

Avoid installing nulled WordPress themes and plugins. These are hacked premium themes and plugins that attackers may have injected with malicious code and then sold at lower prices or even for free. The aim is to lure victims into installing this software that can be a backdoor to their WordPress websites.Another important tip is to remove unused themes or plugins. If you still have them installed on your WordPress site and leave them outdated, they can pose serious WordPress security risks.8. Lockdown WordPress Login PageLocking down your WordPress site is a great way to strengthen the site’s security by making it harder to access the login. There are three ways to do this – changing the WordPress login URL, setting up an IP address safelist for the WordPress login page, and limiting login attempts.Changing the WordPress Login URLBy default, the WordPress login page will have the URL of yourdomain.com/wp-admin. This makes it easier for other people to access the login page and conduct login attempts, putting your site at risk of brute-force attacks.The All In One WP Security and Firewall plugin has a feature to rename login URLs. Once you’ve installed and activated the plugin, follow these steps:

Go to WP Security -> Brute Force.

Go to the Rename Login Page tab.

Check the Enable Rename Login Page Feature and insert your custom URL in the Login Page URL field.

Click Save Settings.

Create an IP Address WhitelistThis method protects the login page from being accessed by unauthorized IP addresses. The easiest way to do this is by using the All In One WP Security and Firewall plugin or a web application firewall (WAF) service like Cloudflare.Follow these steps to create an IP Address Whitelist using the All In One WP Security and Firewall plugin:

Go to WP Security -> User Login.

Open the Login Lockdown tab and scroll down to the Login Lockdown IP Whitelist Settings.

Check the Enable Login Lockdown IP Whitelist box and enter the permitted IP address or IP ranges in the Enter Whitelisted IP Address field.

Click Save Settings.

If you use the Cloudflare firewall instead, it has a Zone Lockdown feature to specify the URLs to lock down and the IP addresses allowed to access these URLs. Any request from IP addresses outside the permitted range will be automatically blocked.Limit Login AttemptsThe last safety measure to lock down the login page is limiting login attempts. There’s no limit to login attempts by default, making your site prone to brute force attacks. By contrast, authorized users may only need a few tries to log in. You can adjust the login attempts by using the Wordfence plugin. It has a feature to log out any IP addresses that exceed the failed attempt to indicate those addresses as malicious. There’s also an option to set a lockout time before the IP address can attempt to log in again.Here’s how to do it using Wordfence:

Go to Wordfence -> All Options.

Scroll down to the Brute Force Protection.

Switch on the Enable brute force protection option and select the login lockout options.

Click Save Changes on the top navigation bar.

9. Turn Off PHP Error ReportingPHP error reporting is a useful feature for finding any problems related to PHP files. However, unauthorized users can exploit this feature, as PHP error reports display flaws on your WordPress back-end in great detail, including the type of error, PHP file path, and code line.The easiest way to fix this is from the control panel. If there’s an option to configure the PHP error logging on the PHP configuration, disable the feature.For example, in Hostinger’s hPanel, you can turn off PHP error reporting by navigating to the Advanced -> PHP Configurations. Then, open the PHP options tab and uncheck the logErrors and displayErrors boxes. Scroll down and click Save.

10. Install WordPress Security PluginsAmong all the plugins you’ve already installed to have your website functioning as intended, you must also remember to include security plugins. Choose one plugin with many security features, such as 2FA, a login limiter, and firewall protection. This way, you don’t need to install multiple plugins to cover various vulnerabilities.Also, remember that the free version may not provide complete protection. We recommend finding reputable plugins and investing in premium versions if needed.While there are thousands of great plugins, here are our recommendations:

Wordfence Security – the leading plugin for WordPress security. It offers a web application firewall, two-factor authentication, and IP address blocking to improve your security.

Sucuri – offers website firewall protection and WordPress file integrity check. Its dashboard and interface are among the easiest to use.

iThemes Security – a complete security plugin that offers user lockouts and a database prefix change.

All In One WP Security – offers a great range of security features, including firewall, spam prevention, and hotlinks protection.

11. Disable the XML-RPC FunctionXML-RPC is a WordPress feature that enables data transfer between WordPress and other devices. This feature has been enabled by default since WordPress 3.5 and uses HTTP for the data transfer mechanism and XML encoding protocol.This feature allows content management using mobile devices through the WordPress mobile app. However, XML-RPC can be risky for a WordPress website as it has a feature to use the system.multicall function. This function executes multiple commands in a single HTTP request. Attackers can exploit this to perform brute force attacks by trying thousands of passwords in less than 100 requests.While XML-RPC has some benefits like managing content using mobile devices and activating certain plugins like Jetpack, we recommend disabling this feature if you don’t use it at all.The easiest method is by using a plugin. While there are multiple plugins for disabling XML-RPC, we recommend using the Wordfence security plugin as it’s a complete package for WordPress security.

After you install and activate the plugin, follow these steps:

Navigate to Wordfence -> Login Security from the dashboard.

Select the Settings tab.

Scroll down to the Settings section and check the Disable XML-RPC authentication box.

Click Save to save the settings.

12. Scan for MalwareMalware is software or a small code string that compromises the website’s security. There are various types of malware that can harm your website in various ways, such as stealing information, luring your visitors to a deceptive website, and even making money illegally. Another consequence of malware is getting your site blocklisted by search engines.Malware can live in your site undetected until it finally causes harm. Some malware can even avoid security detection by modifying themselves.This is why regularly scanning your website for malware is crucial.Various security plugins are capable of accomplishing this. Moreover, plugins like Wordfence include a real-time signatures update to protect your WordPress site from even the most recent of threats. Some plugins also conduct a file integrity check. In essence, they compare your WordPress installation files with the default ones and see if any malicious code has been injected. Ultimately, these plugins will replace infected files with the original ones from the WordPress repository.13. Back Up WordPressCreating a WordPress backup won’t prevent any attacks or website security issues on your site. However, it will help you recover the data quickly if any such events happen. The backup data should include all the WordPress core files and the database.There are two methods of backing up WordPress – using the control panel and using a WordPress plugin.Using Control PanelMost control panels have a backup tool to create and download backups easily. For example, using the Hostinger’s hPanel, go to Files -> Backups. Then click on Generate New Backup to create a new backup data. After that, you can download the backup files and database to your local computer.

Using WordPress PluginIf you prefer to manage your backup via WordPress dashboard, you can use plugins like UpdraftPlus and follow these steps:

Navigate to Settings -> UpdraftPlus Backups.

Click Backup Now.

A pop-up screen will appear, select Include your database in the backup and Include your files in the backup, then click Backup Now.

Download the backup from the Existing backups section at the bottom of the page.

An important tip when storing your backup data is to use more than one location. For example, you can keep the data on your local computer, a USB flash drive, and cloud storage like Google Drive. This way, if one storage location is damaged, your backup data will be fine.14. Block HotlinkingHotlinking refers to the practice of a website using another site’s content, such as an image, by linking the source. For example, website A uses a picture from website B. Instead of downloading the image and reuploading it. Website A uses the image URL from website B to display the image.This practice has certain disadvantages for the source website. If the traffic is high, this takes up the original site’s resources, causing the site to slow down or even experience downtime if the resource is not enough.There are three methods to block hotlinking – by using a content delivery network (CDN), a WordPress security plugin, or an FTP client.Content Delivery Network (CDN)The main aim of a CDN is a faster content delivery speed. That said, some CDNs also have asset management features, including hotlink protection. The steps to enable hotlink protection may vary depending on the CDN. In this tutorial, we’ll use Cloudflare as it’s one of the most popular CDNs. Here are the steps for it:

Select the website to configure.

Select the Scrape Shield app from the left sidebar.

Switch the Hotlinking Protection toggle button on.

WordPress Security PluginSeveral WordPress plugins have a feature to modify your .htaccess file to prevent hotlinking. We recommend using the All In One WP Security and Firewall plugin, and here are the steps:

Install and activate the plugin.

From the sidebar, navigate to WP Security -> Firewall.

Go to the Prevent Hotlinks tab and Check the Prevent Image Hotlinking box.

Click Save Settings.

FTP ClientIf you opt to do this manually, you can use an FTP client to access the WordPress installation folder and modify the .htaccess file. Connect the FTP client and open the public_html directory. Then, find and open the .htaccess file using a text editor.All you have to do is insert this code snippet into the file:RewriteEngine on RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?bing.com [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo.com [NC] RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC] RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]Replace yourdomain.com with your actual domain name and save the file. Now, your WordPress site should block hotlinks on .jpg, .jpeg, .png, and .gif media files.15. Use a Secure Connection at All Times One of the important security practices is to use a trusted and secure internet connection, especially when accessing your admin page and other sites that require credentials.This is to avoid a hotspot honeypot – a malicious WiFi access point that appears to be a legitimate connection but is controlled by attackers to launch man-in-the-middle attacks. This hotspot honeypot allows attackers to record your internet activity and steal important information using a spoofed website.Avoid using public WiFi when you need to use the internet for important activities like accessing the WordPress admin panel. Even school, library, or cafe networks that look legitimate can be compromised and exploited by attackers.If you have to use a public network, we recommend using a VPN. This will add protection in the form of encryption to the connection. Therefore, your data and online activities should be safe.Another tip is to use the Secure File Transfer Protocol instead of a regular FTP client. Doing so you will use an SSH file transfer protocol to encrypt the data you transfer from your computer to the web server, making it harder for attackers to steal and intercept your data. 16. Review PermissionsThe website files and folders have permission settings that define who can read, write, and execute them. You can prevent attackers from accessing the WordPress admin account by configuring the correct permissions.The default permissions vary depending on the files and folders. However, you should check the permissions for the wp-admin folder, wp-config.php, and .htaccess files. We recommend changing those permissions so that only the Owner can write them.There are several methods to change the permissions. The easiest one is using the hosting file manager. Here’s an example of doing it using Hostinger’s hPanel file manager. The process should be similar on any other control panel.

Click File Manager under the Files section.

Open the public_html directory.

Right-click on the file you want to configure, then select Permissions.

Uncheck Write boxes for Group and Others user categories.

Click Change to save the changes.

Repeat on other files and folders you want to configure.

The second method is using an FTP client. We’ll use FileZilla for this example.

Connect FileZilla to your WordPress site.

Open the public_html directory.

Right-click on the file you want to configure, then select File permissions.

Uncheck Write boxes for Group and Others user categories.

Click OK to save the changes.

Repeat on other files and folders you want to configure.

17. Change the Database Prefix The WordPress database stores important information that makes your site work, such as post content, metadata, and user information. This is why attackers often target the database for SQL injection attacks, as they can bypass WordPress security measures and steal the database content.The database consists of several tables which have the default prefix of wp_. Many users forget to change this prefix, thus making it easier for attackers to launch SQL injection attacks.Use a plugin like iThemes Security that has a feature to change the database prefix easily. Follow these steps to do so:

Navigate to Security -> Settings.

Click Tools on the left banner.

Open the Change Database Table Prefix drop-down and click Run.

The plugin will automatically change all table prefixes with a random and secure prefix.You can also change the default table prefix when installing a WordPress manually by changing the table prefix to your preferred name on the WordPress setup wizard.18. Monitor User ActivityWe recommend monitoring users’ activities using an activity log plugin for a WordPress website with multiple users.This is because users may change important website configurations, such as plugins and themes. Having activity logs allows you to track and revert the changes.It’s also useful in order to find out who is responsible for any changes and identify hacked users. As an example, user A might have changed your site’s security based on the activity log, but the rightful owner of user A was not responsible for it. In this case, attackers may have hacked user A.We recommend using the User Activity Log plugin to monitor user activity as it’s easy to use. Once you’ve installed the plugin, navigate to User Activity Log from the sidebar, and you’ll see all activity details, including the user, associated IP address, and the involved object.

19. Manage WordPress User Roles If you have multiple users on your WordPress website, manage the user roles and limit access accordingly.By default, there are six roles for WordPress users, starting with Super Admin, who has the power to all network administration features, to Subscriber who can only manage their profiles.Chances are, not all users need the Super Admin or Administrator privileges. Therefore, limit the number of Administrators and assign roles to other users according to their contribution to the website.There are various reasons to do so.First, if any user accounts get hacked, not all will have access to the website administration, thus limiting the damage an attacker can do before you lock down the account.Second, this will minimize the risk of mistakes made by users. For example, someone may accidentally turn off a security plugin and put your WordPress site at risk.Follow these steps to change user roles:

Go to your WordPress admin dashboard and navigate to Users -> All Users.

Click Edit on the user you want to manage.

You’ll find the Role field on the user management page and open the drop-down menu to choose the proper user role.

Click Update User once you’ve finished.

20. Hide WordPress VersionYou may think that displaying the version of WordPress on your website won’t give away any important information. However, attackers can exploit vulnerabilities if they know which WordPress version your website is running, especially if it’s an older version.By default, the Sucuri plugin removes the WordPress version information from the HTML meta-tag. Install and activate the plugin, and it should hide your version of WordPress.To verify this, go to Sucuri Security -> Settings from your dashboard. On the Hardening tab, you should see the Remove WordPress Version option. It should have a green background if it’s already activated.

ConclusionWordPress security measures are essential to protect one’s site from various cyberattacks. While the developers are endlessly updating the software to patch various vulnerabilities, it’s up to you to keep updating your WordPress site with multiple layers of security.Remember that cyberattacks keep evolving and more vulnerabilities may be discovered over time. Keep yourself up to date with any relevant information and reinforce your WordPress site with suggested security measures if needed.For example, a specific vulnerability may be discovered on a plugin that’s installed on your site. In that case, you have to act before attackers exploit this and compromise your site quickly.Lastly, WordPress security is a continuous task. As your site grows, reassess your security measures and consider investing in more robust solutions like premium plugins or hiring a professional WordPress security service.