16 WordPress Security Tips To Keep Your Site Safe (2024)

Pinterest Hidden Image

Are you in need of a complete list of WordPress security tips that’ll protect your site from common dangers WordPress is known for.

In this post, you’ll find over a dozen basic and advanced security tips you can implement to keep your site safe from vulnerabilities and hacks.

Here are the WordPress security tips we’ll be covering in this post:

  1. Choose a quality WordPress host.
  2. Manage WordPress core, themes and plugins.
  3. Install a WordPress security plugin.
  4. Install a backup plugin.
  5. Choose third-party themes and plugins carefully.
  6. Know about WordPress user roles and their permissions.
  7. Implement protection protocols on your site’s backend login page.
  8. Use secure username and passwords.
  9. Enable an SSL certificate for your site.
  10.  Disable file editing.
  11.  Disable PHP execution.
  12.  Change the WordPress database prefix.
  13.  Secure your wp-config.php file.
  14.  Rename the WordPress login page.
  15.  Disable directory browsing.
  16.  Log out inactive users.

We’ve organized into two separate lists: basic security tips and advanced security tips.

Let’s start at the top with basic security tips.

Basic WordPress security tips for all users

1. Choose a quality WordPress host

Everything starts here.

If you don’t choose a quality WordPress host with a reputable reputation, your site will be vulnerable to attacks no matter how much security you implement within WordPress.

While your site is made up of code, that code exists inside of files, files that need to be installed on a web server.

At the very least, choose a host who’s known for maintaining fast and secure servers, keeping their server technology up to date, and providing access to the latest PHP versions.

We use Cloudways to host Blogging Wizard. It’s fast and affordable. Its scalability is an important factor too because we get a lot of traffic.

They offer the following security features:

  • A Cloudflare Enterprise add-on that implements DDoS protection and a web application firewall (WAF).
  • Server firewalls.
  • Login security.
  • Database security.
  • Bot protection.
  • Free SSL certificates.
  • User role management.
  • Secure operating system management.
  • Two-factor authentication.

However, as far as WordPress security is concerned, you may be better off with a managed WordPress host, especially if you’re not an advanced WordPress user.

Managed WordPress hosting

Managed WordPress hosting is a form of WordPress hosting in which your host manages a lot of aspects of maintaining a WordPress site for you.

This typically includes aspects of WordPress security.

Here’s an example using our most recommended managed WordPress host WPX Hosting. This hosting provider offers the following security features:

  • Malware removal included on all plans.
  • Site fixes if your site goes offline.
  • DDoS protection.
  • Automatic backups with storage for up to 28 days worth of backups.
  • Proprietary CDN with 35 edge locations.
  • Free SSL certificates.
  • A staging area to test updates before you push them live.
  • Two-factor authentication.
  • Advanced account security that allows you to limit access to your WPX Hosting account on a hardware level.
wpx hosting homepagePin

2. Manage WordPress core, themes and plugins properly

Like we said, your WordPress site consists of files and code. That includes WordPress themes and WordPress plugins as well as WordPress itself, which is known as “WordPress core.”

Like the computer and phone applications you use, WordPress files receive regular updates to implement new features and security fixes.

wordpress updateswordpress updatesPin

This is why it’s imperative that you keep WordPress itself and your themes and plugins up to date as often as possible. Failing to do so could result in your site being exposed to devastating security flaws.

You should always try to use the latest WordPress version on your site.

Fortunately, WordPress already implements emergency security updates automatically, and you can set up automatic WordPress updates across the board as well.

However, it’s best to do most WordPress updates manually via a staging area (like the one WPX Hosting lets you create) so you can test the changes those updates make to your site in a controlled environment before you push them to the live production version of your site.

All in all, set aside a time every week to check for, test and apply WordPress updates to your site to keep it as secure as possible.

Also, be sure to remove themes and plugins you’re no longer using.

Enabling automatic updates for themes and plugins

You can enable automatic WordPress updates for themes and plugins without a plugin inside of WordPress.

For themes, go to Appearances → Themes, click on a theme, and click the Enable Auto-Updates button.

wordpress enable auto updateswordpress enable auto updatesPin

Enabling auto updates for plugins works the same way.

Go to Plugins → Installed Plugins, and click the Enable Auto-Updates button for any plugin you want to enable automatic updates for.

You can even use the bulk option to enable automatic updates for all plugins in one go.

wordpress automatic updates bulkwordpress automatic updates bulkPin

3. Install a dedicated WordPress security plugin

If you don’t host your WordPress website with a managed WordPress host, your best bet is to use a dedicated WordPress security plugin.

We recommend the WordPress security plugins MalCare or Sucuri.

MalCare implements the following features into your WordPress site:

  • Malware scanner.
  • Malware removal.
  • Firewall custom built for WordPress.
  • Login protection.
  • Uptime monitoring.
  • Incremental backups and one-click site restores.
  • Bot protection.
  • Vulnerability scanner.
  • Activity log that enables you to identify suspicious behavior.
  • Email alerts about malware and vulnerabilities.
malcare statsmalcare statsPin

Sucuri offers a lot of these features as well but is mostly known for its malware scanning and removal features as well as its ability to implement a firewall to protect your WordPress site.

MalCare is more affordable than Sucuri and even includes a limited free plan.

4. Install a WordPress back plugin

Backups provide one of the best ways to secure your website in the event of other security aspects failing.

If your site gets hacked or becomes corrupted or an update breaks a few things, you can use a backup to restore it to a time where it functioned normally.

If your host doesn’t offer backups and you’re not getting this feature from a security plugin, you should most definitely use a dedicated backup plugin.

We recommend WP STAGING.

wp staging homepagewp staging homepagePin

It specializes in site staging, as its name implies, but it also offers backup, migration and cloning features.

This plugin offers automatic backups and allows you to store them offsite on Google Drive or Amazon S3.

If you want incremental backups and many of the same features WP STAGING offers, try BlogVault.

Both solutions allow you to restore your site from a backup.

Note:  While choosing a quality WordPress host means you’re unlikely to use third-party backups, we’d still recommend using one of the above solutions as a precaution.

5. Be wary of third-party WordPress themes and plugins

When you hear about WordPress sites getting hacked, it’s usually because of one of two reasons: outdated versions of WordPress core and third-party themes and plugins.

This is why it’s so important to stay on top of WordPress updates. Even so, all the updates in the world cannot protect your site from a malicious or poorly-coded, third-party theme or plugin.

Before you decide to install a theme or plugin on your site, do your research.

For starters, when was the theme or plugin last updated? It’s not a good sign if a theme or plugin hasn’t been updated in over a year.

wordpress plugin outdatedwordpress plugin outdatedPin

Be sure to read through a theme or plugin’s reviews and support threads as well. These will give you better indicators of how well supported the theme or plugin is.

Make sure to also run the theme or plugin’s name through a social media search as well, especially on Twitter, Reddit and Facebook.

These sites may have complaints that aren’t addressed on the theme or plugin’s official page on WordPress.org.

6. Be aware of WordPress user roles and their permissions

As WordPress website owners, it’s important to know the differences between WordPress user roles and the permissions each one provides.

Here’s a quick rundown of the permissions each role has access to:

  • Administrator (Admin) – Can access all areas of the WordPress dashboard and make changes to any part of the website as well as any user on that site.
  • Editor – Has access to WordPress posts and pages and possesses the ability to add, publish, delete and edit this content, even if they didn’t create it themselves.
  • Author – Has the ability to add, edit and publish their own posts.
  • Contributor – Has the ability to add and edit their own posts.
  • Subscriber – Can edit their user profile and leave comments with the native WordPress comment system.

So, if you hire an editor for your blog, you should assign the Editor role to them as opposed to the Admin role.

This way, they can handle content on your site but cannot make changes to your theme, plugins and WordPress settings.

7. Protect the WordPress login page

The WordPress login page is the page you use to log into the WordPress dashboard.

wordpress login pagewordpress login pagePin

You can typically access it by going to yourdomain.com/wp-login.php.

There are a number of different techniques we can use to secure the WordPress login page.

We’re going to mention two in this section, but there are additional techniques in the advanced section of this article.

The first technique we’ll mention is to simply add a CAPTCHA form to your site’s login page.

If you decide to use the MalCare security plugin we mentioned earlier, you won’t need a separate plugin to add this functionality to your website.

This plugin lets you limit login attempts by automatically showcasing a CAPTCHA for visitors to solve if they fail to log in after three attempts.

If you’re not using MalCare, use a plugin like Advanced Google reCAPTCHA instead.

advanced google recaptchaadvanced google recaptchaPin

It’s a really simple plugin that lets you add a CAPTCHA form to the login form, registration form and more.

When you have this plugin activated, you and anyone who comes across your login page will need to complete the CAPTCHA form in order to log in.

Other than that, another simple way to protect the WordPress login page is by enabling two-factor authentication.

Use a plugin like Two Factor Authentication (from the makers of UpdraftPlus) to add two-factor authentication to your login page. The plugin integrates with Google Authenticator.

8. Use secure login credentials

CAPTCHA forms and two-factor authentication techniques make it harder for attackers to get into your site but not impossible.

This is why using secure login credentials is important. It adds an extra layer of security to your site.

For starters, you should never use “admin” as your username nor own name.

Combine fragments of your name instead. For example, if your name is David Smith and you were born on October 10, 1980, use “dasm1080” as your username or something similar.

This way, if an attacker tries to get into your website, they first need to find out your username.

This is a bit of an advanced tip, but you can actually hide WordPress usernames and make them harder for attackers to find. This is good because usernames can sometimes be found in a page’s source code.

Also, the URLs that WordPress generates for author archive pages typically contain each author’s username.

To combat this, go to that author’s user profile in WordPress and fill in the First, Last, Nickname and Display Name As fields with something other than the user’s username.

To go one step further, and this is where the advanced tip comes into play, access your site’s database via phpMyAdmin, and find the wp_users table. The “wp” bit may look a little different if you or your host changed your database’s prefix, but it’ll still have the “_users” part attached to it.

What you want to do is edit each user’s database entry and change the “user_nicename” value to something other than what the user’s username is set to.

The user’s name will do just fine. Just be sure to fill in spaces with dashes, such as “david-smith”.

For passwords, use a password generator to come up with a secure password, and consider storing it in a password manager for easy access.

9. Set up SSL for your site

SSL, or Secure Sockets Layer, is a security protocol that encrypts data as it’s transferred between two networks.

This is typically used to encrypt payment information and sensitive customer data.

There are two ways to see if a site is encrypted by an SSL certificate: a padlock featured in the address bar and the site’s use of “https” instead of “http.”

blogging wizard sslblogging wizard sslPin

Because SSL is a lightweight Google ranking factor, all sites are encouraged to set up SSL, even if they never plan to accept payments.

Fortunately, most hosts offer SSL certificates free of charge via Let’s Encrypt these days, so it’s now easier and cheaper than ever to set everything up.

Look through your host’s knowledge base to find out how to do this since each host handles it differently.

WordPress security tips for advanced users

10. Disable file editing

The WordPress dashboard, or WordPress admin, for admins has two file editors that allow you to edit theme and plugin files.

You can find them by going to Appearance → Theme File Editor and Plugins → Plugin File Editor.

wordpress theme file editorwordpress theme file editorPin

Making changes to these files can break your site. Even worse, if a hacker ever did gain access to one of your admin accounts, they’d be able to use these editors to inject malicious code into your site.

This is why it’s recommended for WordPress website owners to disable file editing completely.

All you need to do is add the following code to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

If your host doesn’t have a file manager, you’ll need to access your site’s files via FTP, download your wp-config.php file, edit it with a plain text text editor, save it, then reupload it to the same location in the file system for your WordPress installation.

Just be sure to overwrite the original.

Also, make sure you backup your site before making changes to your file system. It may also be a good idea to download a copy of your wp-config.php file before you apply changes to it.

11. Disable PHP execution

Hackers often create backdoors in your site’s file system by executing PHP files within it.

You can block these kinds of attacks by disabling PHP file execution in folders that shouldn’t have any PHP files to begin with, such as your Uploads folder where your media files are stored.

Blocking PHP execution in folders that do contain PHP can actually break your site, so it’s often recommended to only disable PHP execution for folders where PHP is never found just to be on the safe side.

If you’re using the MalCare security plugin, you can disable PHP execution by entering your site’s FTP credentials.

If not, you’ll need to do this manually by editing your site’s file system.

Start by opening a plain text text editor on your computer, and adding the following code to it:

deny from all

Then, save this file, and name it “.htaccess”. Make sure to include the dot “.” before “htaccess”.

notepad htaccessnotepad htaccessPin

Now, all you need to do is access your site’s file system, and upload your new .htaccess file to the Uploads folder, and save your changes.

12. Change the WordPress database prefix

We’ve said it multiple times, but your site is made up of code stored within files.

What we haven’t mentioned is how your site is also made up of database tables. Like code or files, deleting or making changes to these tables can do a lot of damage to your site.

Unfortunately, if a hacker knows your database prefix, they can use it to attack your site without actually accessing it manually.

All WordPress websites are designed to use the “wp” prefix by default, which is why it’s so important that you change it since hackers are already familiar with this prefix.

Fortunately, many hosts already change your site’s default prefix automatically as soon as you create a site with them.

You’ll know if they did if your database tables have something other than “wp” before each underscore value, such as “fx87_user” instead of the usual “wp_user.”

It’s actually quite simple to do if not, so long as you’re familiar with accessing your site’s file system.

This tip requires the wp-config.php file again. Just like before, it’s a good idea to save your site as well as a copy of your wp-config.php file before you make changes to it.

Here are the steps for changing your WordPress database prefix:

  1. Download your site’s wp-config.php file.
  2. Open the file in a plain text text editor.
  3. Find a line that says “$table_prefix”. If the whole line says “$table_prefix = ‘wp_’; you need to change it.
  4. Change the “wp” prefix to two to five letters and numbers that’d be hard for an attacker to guess.
  5. Make sure your new prefix still has the quotes and semicolon. Example: $table_prefix = “fx87_’;
  6. Save your wp-config.php file, and upload it to the same location in your site’s file system.
  7. Overwrite the original wp-config.php file when prompted.
wordpress database prefixwordpress database prefixPin

13. Secure your wp-config.php file by moving it

Some attack strategies involve injecting code into your wp-config.php file, which first requires the attacker to download it.

You can make it much more difficult for hackers to find your wp-config.php file by moving it.

WordPress allows you to move your wp-config.php file one directory up without having to do anything else. Your site will still be able to access it from there.

However, since one directory up may still be a public folder, it’s better to move it a little further than that.

This tip isn’t difficult to follow, but the changes it makes to your site are quite advanced, especially if something goes wrong, so only proceed if you know what you’re doing.

Here are the steps for moving your wp-config.php file:

  1. Make a copy of your wp-config.php file, and store it on your computer.
  2. Access your site’s file system, and find the folder that contains your public_html folder.
  3. Create a new folder in this directory, and name it something that doesn’t identify it as a folder that would contain your wp-config.php file. Something like “bw-assets” would work. Note: Don’t use bw-assets on your own site. Use something original that you came up with so it’s more secure.
  4. Set your new folder’s permission level to 700.
  5. Copy and paste your wp-config.php file into your newly created folder, and rename it to something that does not identify it as your wp-config.php file. Again, something like “bw-asset.php” would work fine.
  6. Change the permission level of this new file to 600.

Edit your original wp-config.php file, erase the code within it, and replace it with this:

The file path between the quotes should match your own site’s absolute file path, including how you named your newly created folder and file.

Save the file afterwards.

14. Rename the WordPress login page

The WordPress login page exists at /wp-login.php and similar URL paths by default. So, if you want to log into your WordPress site, you simply go to yourdomain.com/wp-login.php or yourdomain.com/wp-admin.

Hackers are well familiar with this. Once they access your site’s login form, they can initiate brute force attacks to try and breach your defenses.

Hopefully, those defenses include limiting login attempts with a security plugin or CAPTCHA form, but you can also hide the login page altogether.

Use a plugin like WPS Hide Login to implement this feature.

The plugin adds a simple setting to the General WordPress settings page, a setting that allows you to change your login URL by entering your desired URL in a text field.

Use something secure that’s uncommon so hackers can’t guess it easily. Maybe try using a combination of words so it seems nonsensical, such as “einsteinbananafrisbee”.

wps hide loginwps hide loginPin

Once you make this change, you’ll no longer be able to access your login page from wp-login.php or similar URLs. You’ll only be able to use yourdomain.com/einsteinbananafrisbee, so make sure it’s something you can remember.

15. Disable directory browsing

Directory browsing is a web design feature that allows a user to enter a directory as a URL in the address bar and view that directory’s contents.

Hackers use this as a way to view a directory without actually having to access a site in a malicious way. When they do this, they can potentially pinpoint files and vulnerabilities they can exploit.

The best way to combat this issue is to disable directory browsing entirely.

Start by seeing if directory browsing is enabled for your site. You can tell by going to yourdomain.com/wp-includes. If you get hit with a 403 Forbidden error, directory browsing is already disabled, and you don’t need to worry.

However, if you see a list of files instead, you’ll need to disable directory browsing yourself.

Start by accessing your site’s file system and finding your .htaccess file.

Just like you did with your wp-config.php file, you should back up your site and create a copy of your .htaccess before making changes to it.

Then, download it, open it in a plain text text editor, and add this code snippet to the end of it:

Options All -Indexes
blogging wizard disable browsingblogging wizard disable browsingPin

Save the file, and reupload it to your WordPress site, making sure to overwrite the original.

16. Log out inactive users

Fellow admins, editors and authors may think their work spaces are secure, but you can never be too careful.

If an admin or editor walks away from their computer while they’re logged into your site, they can potentially open up your site to vulnerabilities without realizing it, especially if they’re in public and their computer gets stolen.

To combat this, it’s a good idea to log out inactive users. The Inactive Logout plugin offers one of the simplest ways to get the job done.

The plugin allows you to set up automatic logouts based on inactivity for a specified period of time.

wordpress inactive logout settingswordpress inactive logout settingsPin

You can even set up warning messages in case users are actually at their computers, just not interacting with the website.

It’s a pretty simple and straightforward plugin that allows you to implement an additional layer of WordPress site security.

Final thoughts and what to do if your site gets hacked

If your site gets hacked, you may see a few of the following warning signs while trying to interact with it:

  • Not being able to log in.
  • Changes to the frontend you didn’t make.
  • All pages on your website redirecting to an entirely different site.

This excludes warnings you may have received from your host or security plugin.

No matter what’s going on with your site, you now know that’s in trouble. Here’s what to do when this happens.

The first thing you should do is put your site in maintenance mode with a maintenance mode plugin.

The Coming Soon and Maintenance Mode plugin is a well-known plugin that’s fantastic for this purpose.

A hacked site leaves your users vulnerable to attacks as well, so the quicker you block outside access to your site while it remains compromised, the better.

Once your site is offline, follow these steps to secure it:

  • Change passwords for all users on your site, but especially administrator accounts.
  • View all users on your site, and remove administrative accounts you don’t recognize.
  • Install WordPress updates in case you missed a crucial security update for a third-party theme or plugin.
  • Use your security plugin to scan for and remove malware. If you use a host such as WPX Hosting, they’ll remove malware for you. If you have MalCare installed, the plugin should be able to remove it for you. Otherwise, you may need to use an external service such as Sucuri that will manually remove it.
  • Regenerate your sitemap, and resubmit your site to Google through Google Search Console. This is in case your sitemap file was corrupted.
  • Reinstall clean versions of WordPress core as well as the themes and plugins you had on your site.
  • Clean out your database with a WordPress plugin like WP-Optimize.
  • Disable maintenance mode once your site is stable.
  • Complete a security audit to identify security vulnerabilities that may have led to the hack.

Although it may be tempting to restore your site from a backup, you don’t know how long the malicious code has been hidden inside of your website.

For this reason, it’s best not to resort to backups when cleaning an infected site.

Disclosure: Our content is reader-supported. If you click on certain links we may make a commission.