Best Tips to Make WordPress Secure


To avoid any sort of compromise of your website, it is important to keep WordPress secure. The uptime is amplified along with safety of data. You will have a site that functions extremely fast and reliable.

Below listed are 10 most effective ways to increase and maintain your WordPress site’s security. Following are a few simple to some advanced tips to help with your security needs.

User Security

The WordPress administration interface is one of the most important areas the attackers will try to fiddle with. If a user with a cruel intention is able to login as an admin, the person can do anything with your site.
A few may try to login with a brute force attack which can be done by setting up a botnet (numerous computers controlled by the attacker). This is done with try many ways to login to your site using varied username and password combinations.

You can make the following alterations to secure the WordPress admin interface:

1. Make use of a Unique, Secure Username and Password

Never use the default admin username. You have the freedom to select your own username while opening a new WordPress site. If you are on an older installation or have by now set your username to admin, using WordPress Plugin like the Username Changer can help modify your username to a better secure one. It is also possible to create a new user with admin rights and take out the old ‘admin’ username.

It is best to not make use of common usernames like administrator, your website’s name or your name.
While creating a password, ensure to have one that is an unpredictable combination of letters, numbers and characters. Do not keep the password related to your username, website name or a simple word with just a few modifications as this could be guessed easily. Try not to use dictionary words. Make use an unsystematic string of characters that is hard to figure. Using a good password management tool helps to safely generate, store and use complex passwords.

A simple way to remember a password that is complex, is to make use of a phonetic password generator (like this one).

2. Apply Two-factor Authentication

For two-factor authentication (known as 2FA, or sometimes 2-step verification), users need to login with a unique code created for one-time-use and sent to a device (usually a smartphone) via SMS or an iOS/Android app, along with their username and password.

Steps to setup 2FA in included in the Google Authenticator tutorial.

3. Verify the User Is Human

ReCAPTCHA forms, commonly used, require users to enter what they see in an image as text. They are beneficial to stop botnets from trying to brute force login to your WordPress site. This step of the login process is something Botnets cannot computerize not allowing them to access your site.

How to implement ‘No CAPTCHA reCAPTCHA’ as part of your WordPress login process, is shown here.

4. Password protecting wp-login.php

For an advanced WordPress user or developer who is comfortable with a few server-side alterations, can call for a server-side login before the WordPress login screen is displayed.

This improves the security level by another level. The method to do is covered in Stopping Brute Force attacks against WordPress websites article.

Code Security

It is highly significant to ensure that the code used is secure that should not allow fiddling by potential attackers. This is immaterial of whether you are generating your own theme or plugin for your site, or using one from a third-party.

Usage of insecure code and not sticking to best practices may allow attackers to get little or complete control of your WordPress site.

A few methods can help to ensure code integrity and security:

5. Maintain Updated WordPress

From, WordPress 3.7, minor releases including security and maintenance are automatically functional. It is possible to advance this to automatically installing major WordPress releases, by including the following to your site’s wp-config.php file:
define ( 'WP_AUTO_UPDATE_CORE', true );

This looks like a good idea but it may lead to incompatibility between the newly installed version of WordPress and your existing themes and/or plugins. It is ideal to maintain a testing environment for something like this.
Third party tools that connect to your WordPress website let you manage all of your WordPress installations from a single, unified interface. It is possible to carry out one-click installs of WordPress, theme and plugin updates:

  • iThemes Sync (free for up to 10 sites)
  • ManageWP (free for up to 5 sites)

To know more about it, there are published articles on ways to keep the WordPress website up to date:

  • A Guide to Update WordPress
  • Ways to Configure Automatic Updates in WordPress

6. Select Your Theme and Plugins Cleverly

You should make it a point to select themes and plugins that are properly maintained and updated on a regular basis. This does not guarantee but highlights and updates security vulnerabilities in a theme or plugin, quickly.
Take a look at the detailed descriptions of plugins, as a few will be audited by third parties (like Sucuri) for security, which will relieve you of the stress.

7. Generating Themes and Plugins

It is vital to adhere to key WordPress security best practices immaterial of whether you are new to WordPress development, or have been using WordPress for a while to create themes and/or plugins.

To clean data, use nonces and hold on to WordPress Roles and Capabilities, it is essential to be updated with WordPress development best practices:

  • Cleaning, Escaping and authenticating Data in WordPress
  • Guard Yourself from Rogue WordPress Plugins
  • Hosting Security

Along with better secure WordPress installation because of improved user authentication and quality of code, you should make it a point to have well support, secure, hosting.

8. Utilize Managed Hosting

You will find numerous companies offering Managed WordPress hosting, like WP Engine, SiteGround and Media Temple. Even though you will have to pay a premium for a managed host than the traditional shared or unmanaged hosting, this will maintain security of your site.

For instance, WP Engine will automatically update WordPress and key plugins, when there are known security vulnerabilities. It will also halt plugins which obstruct performance and security. Most managed WordPress hosts offer hardware based firewalls and configuration to avoid the malfunctioning of your site due to Distributed Denial of Service (DDoS) attacks.

Even though this method may seem like an interference to a few users, it relieves you of security breaches while having experts to keep the WordPress website functioning.

9. Make sure that File and Folder Permissions Are accurate

For someone who does not make use of a managed web host, ensuring approved ownership and permissions for WordPress files and folders is essential. This helps WordPress to be updated and also avoids misuse of poor file security by attackers to take control of your site.

WordPress folders should always have 0755 permissions, and WordPress files should always have 0644 permissions – even though it may differ with the host.

Do not set any folder permissions to 0777 incase to you get errors while trying to install plugins, or uploading new media. Approach your web host to make certain that PHP is run with the correct user and the folders are also owned by the same user.

If you have shell access, you can try some commands to make WordPress secure:

  • find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
  • find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
  • If you are aware of the user and group that can have ownership of the WordPress files and folders, make use of:
    sudo chown -R username:group /path/to/your/wordpress/install

10. Server Side Hardening

If you are an advanced user managing you own web hosting, you can also:

  • Make certain that your database user has access to SELECT, INSERT, UPDATE and DELETE privileges only
    Utilize strong database usernames and passwords
  • Forbid server-side file editing within WordPress, by adding define(‘DISALLOW_FILE_EDIT’, true); to your wp-config.php file
  • You can find out which web hosts are capable of performing these tasks for you.

To know more details on WordPress and server hardening, take a look at the WordPress Codex documentation on Hardening WordPress.


This article includes 10 tips to secure your WordPress website, covering basic user authentication to coding practices and hosting setup. It also highlights a few advanced hardening techniques for advanced users to secure the WordPress to the most.

Using of a security plugin like WordFence or BulletProof Security is another alternative which can be tried out. As there are many available to select from, you can do some research to figure out which best fulfills your needs by weighing out their pros and cons. A few advanced options of security plugins are mentioned here.

You need to keep in mind that one petty fault is all it takes to completely lose data through a hacked WordPress installation. To avoid this, it makes sense to install a WordPress backup service, like VaultPress and BackupBuddy. It makes it possible to restore your website when there is an attack or error. Topics of backups and much more are covered in the Ultimate Guide to Maintaining WordPress.

  • Comments
  • Leave a reply
Xchop blog themes