Wordpress Security

Keeping website security should be a top priority for any site owner. When it comes to WordPress, there are numerous ways to harden security and certain steps to follow. Most of them are quick and easy settings, while others require some more attention.

There are many ways to secure a WordPress website. Website security is not a sprint. Rather it looks more like marathon. Well… to be completely honest, it never ends. There are no steps to do and forget about it. Security maintenance is an ongoing task.

In this article, we will be discussing WordPress security basic steps, and how to perform a basic security audit.

The Importance of Security

As a WordPress site owner, you need to stay focused on security as failing to protect your site harms not only your web presence, but also your brand, reputation, customers data, financial information and what not. Security breaches also allow for malicious software installed on a website by hackers who have found weaknesses and vulnerabilities. Such scripts can spread spam, viruses and bugs.

These can cause a massive damage to not only your site, but also computer, greatly affecting your business.

Harden your WordPress website

1. Keep WordPress Up to Date

It may sound simple, but it’s actually one of the easiest and most important ways to harden your WordPress security. The WordPress Developers Community updates WordPress on a regular basis. When updating your WordPress installation, it ensures removing security flaws in previous version and helps you keep your site safe.

To update WordPress, click on the Update button on the Updates page. You can find the update page under the DASHBOARD menu in the In your WordPress admin.

It’s not jsut about the WordPress core, though. By keeping your theme and plugins updated, your site is less likely to experience security breaches. Theme and plugin update notifications frequently appear on your dashboard. Never ignore ignores these as they not only improves security but also fix bugs you may not even know about.

2. Use Complex Passwords

WordPress can automatically create strong passwords for user accounts. When it comes to comparing passwords, WordPress generated passwords are harder to break by Brute Force Attacks (BAT) – a common type of attack used to break in websites by simply trying out popular and possible symbol combinations.

On the Edit User screen, you can find the password option. Generate a new password and save changes at the end.

If you prefer custom passwords, always use at least 8-12 symbols and combination of lower and uppercase, digits and special symbols – e.g. “MyP@ssw0rd” is much stronger than “mypassword”.

3. Backup Your Site Regularly

Backups are generally a saved copy of your entire site. Even if your site gets successfully hacked, you can restore all your files and data from a backup pack.

Fortunately, most hosting provider offer full website backup option. Even if your hosting don’t, WordPress backup plugins like UpdraftPlus cover the gap for beginners.

Just be careful, as such plugins can quick and easily consume all your server storage in literally no time. Read the settings carefully and make sure you’re not storing more than one backup at a time.

4. Install a Plugin for WordPress Security

Although you can manage your security manually, WordPress security plugins are proven to be extremely helpful, especially for non experienced users.

Most security plugins not only monitor and maintain common security holes on your site, but also offer a security scan and checks for malicious scripts and suspicious file changes.

Popular WordPress security plugins are WordFence, Sucuri or Defender Security.

All of them provide both e-mail and dashboard notifications about potential security flawas, outdated software versions, including WordPress core files and plugins. Also, they enables you to keep track of failed login attempts and blocked IP addresses.

5. Utilize “Limit login attempts” Functionality

Implementing restrictive security measures on login attempts helps protect your site from Brute Force Attacks. When Limit Login Attempts functionality is enabled on your site, users (or even bots) repeatedly entering incorrect login details are denied for a specific time and/or blocked by IP.

Most WordPress security plugins have this option built-in, but its also available as a standalone free plugin. You can use the Limit Login Attempts Reloaded plugin for the said purpose. It helps you significantly strengthen your site’s security against hacker attacks.

6. Add Extra Security Layer With Two Factor Authentication

Just like using a WordPress plugin to limit login attempts, you can get additional security layer with a plugin for Two Factor Authentication.

Two Factor Authentication (2FA) is a Two-step security measure on WordPress login. After activating it on your website, each time you try to login, you will get an additional security code by text message or mail (if your password was correct). Once you enter that code from email or text message, you will see the dashboard of your site.

As hackers are not supposed to have access to your email or mobile phone, even if using the correct password they have no chance entering your site admin without passing the 2FA.

7. Use Hard to Guess Admin Username

Using “admin” for username is generally a mistake by itself. As a site administrator, you can perform all possible actions with an Admin account. Always use a hard-to-guess word for admin account username and never expose it publickly. You have an option to set a public display name on your site in your user profile edit screen. Make sure site visitors can only see your name (e.g. – John Doe), but not your username (e.g. J0hn@dmin). Whenever possible, use an Editor account for your common site maintenance tasks, like content creation. This would help you stay away from hacking attacks such as Session Hijacking, a type of attack used to hijack login sessions.

Surely, hackers can also target an Editor account, buth they can’t use it to take total control of your site.

8. Monitor File Changes

As you install different plugins and scripts, you may notice your files have been changed or updated.

In this case, you can’t notice the changes without having a specific measure in place.

To actively monitor your site’s files, install a plugin such as WordFence or WP Security Scan. Such plugins help you get notifications on file changes.

Also, make sure theme and plugins editor code editor is disabled on your admin interface. Simply edit your wordpress-config.php file adding the following line just before the line that says ‘That’s all, stop editing! Happy publishing’ :

define( 'DISALLOW_FILE_EDIT', true );

That’s all, plugin and theme editors will now disappear from themes and plugins menus in the WordPress admin area.

9. Host Your WordPress Site on Secured Servers

When it comes to hosting for your WordPress website, choosing a reputable provider is crucial.

Good WordPress hosting companies provide active and passive measures to stop attacks and malicious intent in its tracks. Continuous monitoring for uptime, DDoS attack detection, software-based restrictions, SSL support, and hardware firewalls are the things too look for.

You can read our updated guide on how to choose the best WordPress hosting for your site.

10. Delete Unused Themes and Plugins

You can only run a single theme at a time on your site, so there is no reason to build collection of themes uploaded to your server. Not only it bloats your file storage space space, but it’s also a major security flaw. Old themes often contain outdated files where even known vulnerabilities are still in place.

When it comes to your website’s security optimization, not only removing unused themes and plugins helps you close the “holes”, but also helps to speed up your WordPress site and reduce inodes count (common problem) on your server.


These are the basic measures to harden your WordPress based website security.

Last but not least, as your site grows with new content, you must create and implement monitoring habits.

What safety advice do you have to secure a WordPress website? Please, share your experience in the comments bellow.

About the Author:

Dimitar Koev is a graphic and web designer, front-end developer and marketing expert. CEO & founder of the Althemist team (previously known as Koev) - an independent envato market author, focused on building WordPress themes with strong e-commerce accent.

Leave a Reply

Your email address will not be published. Required fields are marked *