Get FAST WordPress Support
World’s Fastest WordPress Support Since 2009  
WordPress Security Best Practices

18 Best WordPress Security Practices

Want to know the best WordPress security practices?

WordPress is a web publishing application that helps you to create and manage your website or blog. It is one of the more popular web publishing platforms used and empowers more than 38.6% of the entire web. 

It is safe to say that WordPress is the most popular content management system (CMS) in the world, used by many businesses and organizations that operate online stores. To use it, you don’t even really need any coding knowledge. 

There are, however, a few small potential areas WordPress users need to be mindful of. One of these is when it comes to security. 

Why is WordPress Security Practices Important? 

If you’re serious about your blog or website, you’d do well to pay attention to the WordPress security. No matter the size or nature of your business, your website will always be at risk from threats from hackers. They typically want monetary gains from selling information which they intend to obtain from your website. 

If a business website is successfully hacked, that business’s brand and reputation can be seriously damaged. Hackers do so by usually installing malicious software or viruses with the express intention to extract sensitive data from your website. Such malware can also be spreaded to your customers too.

Hackers usually use automated systems to scour the Internet for any vulnerable websites and take advantage of loopholes in their virtual defences. In some instances, some may even find themselves paying hackers to regain access to their websites. A hacked business website results in a loss of trust in the business and customers turning to its competitors. 

In the short term, you lose revenue and in the long term, you’ll need to invest more to rebuild your reputation and restore customers’ confidence. In some cases, you may even fall short with compliance requirements, thus having to pay fines and other penalties.

The fact that Google blacklists around 10,000+ websites each day for malware and around 50,000 for phishing each week would surely push you to put much emphasis on WordPress security. You need to, or risk the repercussions. Simply put, you won’t want to leave your website vulnerable to cyber criminals. 

Is WordPress Secure?

Many are convinced that since WordPress is open source, this means that it is easily vulnerable to various types of attacks. Plus the fact that WordPress is a favorite target for malware attacks does not alleviate such fears. 

In 2018, Sucuri reported that around 23,000 WordPress websites fell victim to security breaches. So, does this mean that WordPress is not secure at all? The answer is mostly ‘No’ because the main cause behind such website security breaches is the users’ lack of security awareness. 

WordPress does play its part to help, by consistently publishing security patches and software updates. But all these are futile if you don’t know how and what to make of them. Reuters was badly hacked because they were using an outdated WordPress version. 

There’s no such thing as a 100% perfectly secure system. This is impossible or impractical to achieve. Security is about risk mitigation and not a total risk elimination. It’s about implementing the right and appropriate controls. All these within reason, that helps improve your overall website’s posture and stance. 

18 Important WordPress Security Best Practices

Like any other systems, WordPress, especially with tons of theme and plugin combinations, would have its set of vulnerabilities. Admittedly, there will also be potential security issues if certain basic security precautions aren’t taken.

Here are some of the top WordPress Security Best Practices, to help you protect your website against unwanted threats.

1. Use a Good Hosting Service Provider

Not all hosting companies and their hosting product offerings are created equal. Whatever it is, the one thing that is for sure – you need to work with a reliable, high-quality and safe hosting provider to host your website. This can make a huge difference. 

In general, there are a few types of web hosting services, namely shared, dedicated and cloud-based. Smaller businesses usually go for a shared type, as this is more economical but you will be sharing with others. 

You can choose to upgrade to a Virtual Private Server (VPS) which uses virtualization technology, giving you dedicated resources on a server with multiple users. This is a more secure and stable solution than a simple shared hosting. Since it is on a smaller-scale, it is affordable.

A dedicated server is basically one server totally reserved for your business alone. In the past, this was costly and so, was mostly used by large conglomerates expecting high traffic. However, dedicated servers are now comparatively less expensive, so you can consider getting this if it makes economic sense to your business. 

Since the cloud has greatly impacted the business environment, business web hosting has now also embraced the cloud. This is an alternative to the usual traditional hosting methods. The strength about cloud hosting is in the flexibility it offers; you can easily expand anytime with no downtime to your business.

Having said this, it is an unfortunate fact that most of the time, you won’t know if your hosting provider is taking your website security seriously until incidents like increased hacker attacks, frequent downtime and low performance occurs. However, in general, the more you pay, the better your hosting service should be, although there are also some budget options you can consider.

2. Update WordPress Regularly

WordPress is an open source software. It is maintained by third-party developers who regularly release updates. Such updates include latest security patches, enhancements and bug fixes, to help combat the ever-increasing cyber attacks. These improvements also apply to the plugins and themes.

A study where over 1,000 WordPress website owners who fell victim to attacks were interviewed, confirmed that plugin vulnerabilities represent 55.9% of the known entry points for hackers. They merely exploit bugs that have been fixed. So, it is a shame that such bugs weren’t fixed in time before such attacks began.

These updates are essential in ensuring the security and stability of your WordPress website. While WordPress automatically implements minor software updates, you’ll need to manually install any major updates. Always be on the lookout for new updates in the ‘Updates’ section of your WordPress admin panel as using outdated software is an outright recipe for disaster. 

3. Strong Passwords and User Permissions

One of the most common WordPress hacking attempts uses stolen passwords. You can make it harder for them by creating stronger and unique credentials in your passwords for WordPress admin, FTP accounts, database, hosting account and your email addresses which use your website’s domain name.

If you don’t, your website becomes vulnerable to brute force attacks which is typically a cyber attack that uses a trial-and-error approach to guess your login credentials. There are password managers that you can use to help manage your WordPress passwords too.

Be mindful on how you set the user permissions. Give your staff access to your WordPress admin account only if you absolutely need to. Have an in-depth understanding of the user roles and capabilities in your team, before you add new user accounts to your WordPress website.

4. Enable Two-Factor Authentication (2FA)

Utilizing 2FA adds an extra layer of protection that requires users to obtain a unique code from an authentication application. Users will need to input the correct login credentials along with this code to access their account.

WordPress offers several 2FA plugins. The notable ones include Google Authenticator, Two Factor Authentication and Two-Factor. You need to decide what the 2FA implementation entails. It can be a regular password followed by a secret question, a secret code or the more popularly used which is sending a code to your phone. 

5. Use the Latest PHP Version

PHP is the essential backbone of your WordPress website. Therefore, using the latest version on your server is crucial. Each major release of PHP is usually fully supported for two years after its release. During these 2 years, any bugs and security issues will be fixed and patched regularly. 

As of September 2020, anyone using PHP 7.1 or below, no longer has the needed security support. This, in turn, exposes them to unpatched security vulnerabilities.

WordPress Security Best Practices

The diagram above clearly shows that around 33% of business owners are still using PHP 7.1 or below. As such, they are vulnerable to attacks.

6. Change WordPress Database Prefix

SQL injection attacks comprise around 80% of hacking attempts launched per month. This is a high figure. Your WordPress website database is the most frequented target for SQL injection attacks. When successful, this attack forces the database to execute the injected malicious code, allowing hackers to access and modify the data. 

WordPress Security Best Practices

The default prefix for your WordPress database is ‘wp_’ . You’ll need to immediately change this. If not, hackers can easily guess your table names and then gain unauthorized access to wreak havoc in your database.

7. Protect the wp-config.php File

The wp-config.php file is the heart and soul of your WordPress installation and thus the most important file when it comes to WordPress security. It contains all crucial WordPress installation information, such as your database login details and encryption security keys.

Therefore, you need to secure this file as this is akin to securing the core of your WordPress website. All you need to do is move this file to a higher level than your root directory.

8. Protect the wp-admin Directory

The wp-admin directory is the most important directory of any WordPress website. If this gets breached, then your entire website can get hacked into and damaged. To do so, you’ll need to 

password-protect this directory. 

Once done, you’ll need to submit 2 passwords when attempting to access the dashboard. One password secures the login page, while the other protects the WordPress admin area.

9. Disable PHP Error Reporting

It is understandable why many would like this PHP error reporting function activated, as it helps to locate errors within the PHP files much faster. However, this comes with a cost, as it also allows others to see your website’s vulnerabilities. 

This is why it is highly recommended to disable this function. By default, this is disabled. However, if it has been enabled for some reason, you’ll need to disable it manually via the wp-config.php file. 

10. Disable Directory Browsing

Although directory browsing provides you with a quick access to the website’s individual directories, this function can backfire on you if others are able to access it. 

Hackers often use this function to find vulnerable files, plugins and themes, to try to gain access to your website. It is advised to disable this function to safeguard your website.

11. Configure Website Lockdown Feature

This feature is great to prevent continuous brute force attempts. Whenever several failed login attempts are encountered, this lockdown feature will be triggered and the website is locked. This helps to ward off any hacking attempts with repetitive wrong passwords. 

12. Hide Your WordPress Version

Older WordPress versions are usually plagued with more vulnerabilities. Therefore, making your WordPress version public isn’t a wise step to take. This is because if hackers see any outdated WordPress installation versions, you might as well hang up the ‘Welcome’ sign at your door. 

Your WordPress version is visible at the bottom right of your admin panel and also the page source. It also appears in the header of your website’s source code. In order for you to completely remove your WordPress version number from both your head file and RSS feeds, you’ll need to do some editing in your functions.php file.

If you always ensure that your WordPress installation is up to date, you don’t have to worry about this.

13. Disable File Editing

WordPress allows you to modify the plugin and theme scripts via the built-in file editor. Unfortunately, this feature can endanger your website. 

If a user with malicious intentions, has admin access to your WordPress dashboard, they can edit the files which includes all plugins and themes. Therefore, it is highly recommended to disable this function by editing in the wp-config.php file.

14. Perform Regular Backups

It is always a good practice to create backups regularly. It is as important as securing the website. If you have a backup, you can easily and quickly restore your WordPress website to a working state. 

This reduces your downtime significantly. Having regular backups is perhaps the best antidote to no matter what happens.

15. Use SSL to Encrypt Data

Secure Socket Layer (SSL) encrypts and secures data transfer between browsers and the server. This makes it more difficult for hackers to breach the connection. Thus, implementing a SSL certificate is a great way of securing your WordPress website, including the admin panel. 

In addition to this, the SSL certificate impacts your website’s Google rankings as Google tends to rank sites with SSL higher. This translates to more traffic which is awesome. You’ll need to either purchase a SSL certificate from a trusted and licensed 3rd-party company (Certification Authority) or check if your hosting solution provider offers one for free.

In most cases, enabling SSL on your WordPress site, requires you to install the Really Simple SSL plugin. You’ll need to activate it.

16. Automatically Log Users Out When Idle

Imagine leaving the wp-admin panel of your website wide open on any computer screen. Don’t you think that this can pose a serious security threat? Any passerby can gain unauthorized access to the information on your website.

This can be prevented by configuring your website to log people out after they have been idle for a certain interval of time. The plugin BulletProof Security allows you to set a customized time limit for idle users. After the time is up, they will automatically be logged out.

17. Block All Hotlinking

The concept of hotlinking involves another person using your image and stealing your server’s bandwidth to display the image on his/her website. When this happens, you’ll notice slower loading speeds on your website and the potential for higher server costs at your end.

You can prevent this via a WordPress security plugin – all in One WP Security and Firewall plugin which includes built-in tools to block all hotlinking or to manually add a few lines to your your .htaccess file

18. Monitor your Audit Logs

If you’re running a multi-author website, it’s crucial for you to know and understand all behind- the-scene user activities. You do so by checking the audit log. This helps you to check if your admins and contributors have done anything without approval.


Cyber threats and attacks are not backing down anytime soon. So, especially If your website is a business, you’ll need to pay extra attention to your WordPress security. Just like how business owners are responsible to protect their physical store buildings, you, as an online business owner, also need to protect your business website.

Fortunately, there are many easy and effective best safety measures that you can undertake to improve your WordPress website’s overall security. On the whole, they are relatively inexpensive and do not require advanced technical knowledge to carry out, which is great.

In short, the more you care about your WordPress security, the harder it becomes for a hacker to break in.

Leave a Reply

Your email address will not be published. Required fields are marked *