The Ultimate WordPress Security Guide – Secure Your Site Today

Every WordPress website owner needs to be aware of the steps required to secure a WordPress installation. Like any piece of software, WordPress isn’t inherently secure – all software requires effort from the end-user to be secured.

WordPress vulnerabilities

Known WordPress vulnerabilities are logged in the WPScan Vulnerability Database. Only 17% of known vulnerabilities come from plugins. About 80% of all known vulnerabilities come from the WordPress core software, with most vulnerabilities found in WordPress 3.X.

Although most vulnerabilities come from past versions of WordPress, there are plenty of vulnerabilities to be found in other versions.

If you care about your website, or if you’re running a business and can’t afford to be taken down by hackers or malware, you’ll want to follow certain user security best practices. This article will outline the most important security measures to keep your site secure.

1. Perform a manual install of WordPress

Using quick install software is easy, but it’s not the most secure way to install WordPress. When you use quick install software, some settings are created automatically and you’ll have to go through a long, complicated process to change them later.

For instance, your administrator login username will be set to ‘admin.’ As you’ll soon read, your administrator username should be more complex.

You’re better off downloading WordPress and manually installing the software on your server.

2. Create a regular schedule for updates

Staying on top of updates is critical for maintaining a secure WordPress installation. However, you won’t know there are updates to be installed until you log into your account. If you don’t log in daily, work it into your schedule on a weekly basis to check for updates.

3. Choose a secure web hosting environment

While most of your security efforts will happen at the installation level, it’s still critical to choose a secure hosting environment. Some of the top-rated shared hosts include BlueHost, HostGator, and WPEngine. However, if you have a decent budget, look into dedicated hosting.

Shared hosting means you share the same server resources with many other websites. If one site gets hacked, your site is at risk. A dedicated hosting plan provides you with your own server.

4. Use complex passwords

Although it’s basic security, it’s important to use complex passwords for all of your WordPress user accounts and your database.

5. Back up your installation regularly

Backing up your WordPress installation is the only way to protect yourself against getting hacked. There are two ways to create a backup: with a plugin and through your web host.

Some WordPress backup plugins are fantastic, but you’re always risking some kind of breach with a plugin. If you can, sign up for backup services through your host that includes backing up your files and your databases. When the backup finishes, download the file and keep it on a hard drive offline.

6. Avoid security plugins

You can find a ton of plugins that add features like secret questions on the login screen, two-factor authentication, firewalls, and other plugins that will do things like change your database prefix. These features are great, but as a plugin, they’re insecure.

When you rely on a plugin for your security, your site is actually more at risk. Plugins can be hacked, especially when the developer stops offering support and updates.

If you can’t figure out how to make security changes manually, hire a professional developer. It’s not worth the risk.



SSL stands for Secure Sockets Layer and is a protocol that encrypts all traffic between users and your website. Encrypted data can be stolen, but not read.

If you’re collecting any personal information from users, including just their email address, you need to use SSL. Although you can buy SSL Certificates, some hosting companies provide them for free with certain hosting plans, like HostGator.

8. Create a dedicated admin account for contractors

Sometimes you can’t avoid providing admin access to a developer or writer. Always create a unique administrator account for each person who requires access and delete the account when they no longer need access. Don’t just change the password because they might try hacking your installation.

Before providing access, back up your files just in case. If someone abuses their admin privileges by deleting other admin accounts and locks you out, log into PHP MyAdmin and change their password inside the database immediately. Then, log into whatever account you can access and fix the problem.

9. Use a complex admin name

Choose a complex username for your administrator name. Don’t use “Admin.” Hackers will have a harder time getting into your site when they have to guess your login name along with your password.

Make your username a complex series of numbers and letters that resembles a password. For example: 88RT3Xk8g.

Your posts will display your username as 88RT3Xk8g, but you can change your display name in your admin panel under Users > All Users.

  • Hover over the username you want to set a display name for and choose Edit.
  • Scroll down to “Nickname” and enter the name you want to display. For example: John Smith.
  • Then, under “Display name publicly as,” select your desired display name.

Now, instead of 88RT3Xk8g, your posts will say they were published by “John Smith.”

10. Create a random database prefix

The default database prefix is wp_, and hackers know this. Changing your database prefix is a small, yet significant step in securing your site. Instead of using wp_, change it to something like 8f_ or 4R_.

You can change your WordPress database prefix after installation, but doing a manual installation gives you the opportunity to define your table prefix from the start.

11. Generate new salts

WordPress uses salts and keys to protect your logins. Basically, when you ask WordPress to save your login credentials, the information gets stored in a cookie. That cookie is subject to getting hijacked. Salts and keys encrypt your login data, making it harder for your login information to be retrieved.

If you haven’t set any salts, or if it’s been a while since you’ve set your salts, generate new salts and keys and replace the old ones in your wp-config.php file. All users will be logged out when your salts and keys are changed, but that might be to your benefit.

12. Disable PHP execution

Many hackers use PHP executions to gain access to a website. You can prevent some of these attacks by disabling PHP execution in certain directories. What you’ll do is add some code to an .htaccess file that resides in each of the folders you want to protect.

13. Disable file editing

As the owner of your website, you can edit WordPress files through your admin panel or through your web hosting file manager. When a hacker gains access to your WordPress site, they don’t necessarily have access to your web hosting account, too.

It’s smart to disable file editing inside of your WordPress installation. That way, if a hacker gains access to your site, they can’t edit or delete your WordPress core files, themes, or plugins.

To disable file editing, add the following code to your wp-config.php file:



// Disallow file edit

define( ‘DISALLOW_FILE_EDIT’, true );

14. Password-protect your login directories

If a hacker wants to get into your WordPress website (or WordPress multisite, which would be worse), they usually only need to crack your username and password. Most usernames are “Admin,” so they really only need to crack a password.

However, when you password-protect your login directory, hackers will need to crack two sets of login credentials. This greatly reduces your potential for getting hacked.

You can set a password for your directories inside of your hosting account. If you’re not sure how to do that, contact your host’s tech support and ask.

Be sure to password-protect the following directories:



15. Limit login attempts

Limit login attempts

Hackers that use brute-force attacks won’t get very far when login attempts are limited. As long as you know your username and password, you shouldn’t have a problem limiting your login attempts to 2 tries. This means that after 2 failed login attempts, the person will be locked out from trying again for whatever period of time you set.

Limiting login attempts requires using a plugin, so make sure you keep your chosen plugin up-to-date at all times.

16. Disable directory browsing and indexing

If any of your directories are browsable, hackers looking for files to exploit will have a party. While adding an index.html or index.php file to directories will prevent the contents from being visible, there’s a better way.

Find the .htaccess file in your root WordPress directory. Append the following to the end of that file:

Options -Indexes

This will prevent the contents of your directories to be displayed to wandering users.

Be sure to save your .htaccess file if you are editing directly in your file manager or upload the file if you’ve downloaded the file to edit.

17. Force idle users to be logged out

When user accounts are logged in, yet idle, it’s a security risk. You don’t know if someone was working from the library on a public computer, or if they’ve just walked away from a computer they never turn off.

This requires a plugin. While you don’t want to have too many plugins, since they can create more vulnerabilities, the Inactive Logout plugin is useful when you have independent contractors or remote employees accessing your WordPress installation.

18. Disable XML-RPC

From WordPress 3.5 on, XML-RPC was a standard in helping to connect WordPress sites with other applications. However, this feature can speed up and strengthen brute-force attacks.

For example, a brute-force attack normally requires one separate login attempt for each password tested. If a hacker wanted to try 1,000 passwords, they’d need to make 1,000 individual login attempts.

Through XML-RPC, that same hacker can test out thousands of passwords in about 50 individual requests through the system.multicall function.

To disable XML-RPC, add the following code to your .htaccess file located in your main WordPress directory:







# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from


If you use any kind of remote application to post to your WordPress site, you can’t disable this feature. However, if you follow all of the other instructions for securing your site, and keep regular backups, you probably don’t have to worry much.

19. Repair a hacked site immediately

Ultimately, if your site gets hacked and you let it go for a long period of time, the damage can accumulate. For instance, if someone is using your site to deliver malicious payloads or phishing emails, it’s only a matter of time before your host will shut down your account and cause a service disruption.

Anytime you suspect your site has been hacked, take care of the situation immediately. If you don’t know what’s going on, hire a professional security expert to clean it up for you.

Confused about WordPress security? We’ve got you covered

If you feel overwhelmed by all of the steps required to secure your WordPress website, you’re not alone. Most people don’t have the time or patience to learn all the technical skills required to secure or design their own site. That’s where we can help.

Whether you’re just launching a new site or you want to secure an existing site, our team of professional WordPress designers and developers can help. At, we specialize in WordPress development and security, so your site will be in good hands. Contact us today for a free website design cost quote to get your website designed and secured.

Timothy Carter
Latest posts by Timothy Carter (see all)