How to Secure WordPress Website

WordPress powers over 43% of all websites on the internet, making it the most popular content management system (CMS) in the world. Its open-source nature, extensive plugin ecosystem, and user-friendly interface have made it the go-to platform for bloggers, businesses, and developers alike. However, this widespread adoption also makes WordPress a prime target for cyberattacks. According to recent reports, nearly 70% of hacked websites are running WordPress, often due to misconfigurations, outdated components, or poor security practices.

Securing a WordPress website is not optionalits essential. A compromised site can lead to data breaches, loss of customer trust, search engine penalties, financial damage, and even legal consequences. The good news is that with the right strategies, tools, and ongoing vigilance, you can dramatically reduce your risk of being hacked. This comprehensive guide walks you through every critical step to secure your WordPress website, from foundational configurations to advanced hardening techniques, best practices, real-world examples, and trusted resources.

Whether youre a beginner managing a personal blog or an enterprise administrator overseeing a high-traffic e-commerce site, this tutorial will equip you with the knowledge to build a resilient, secure WordPress environment that stands up to modern threats.

Step-by-Step Guide

1. Keep WordPress Core, Themes, and Plugins Updated

The most common cause of WordPress compromises is outdated software. Developers regularly release updates to patch known security vulnerabilities. Failing to install these updates leaves your site exposed to automated bots scanning for known exploits.

Always enable automatic updates for WordPress core. You can do this by adding the following line to your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

For themes and plugins, navigate to Dashboard > Updates and ensure everything is current. Consider using a plugin like WP Update Manager or Easy Updates Manager to control which updates are applied automatically and which require manual approval.

Never ignore update notifications. Set a weekly reminder to check for updates. If youre managing multiple sites, use a centralized dashboard like MainWP or ManageWP to monitor and update all sites from one interface.

2. Use Strong, Unique Passwords and Enable Two-Factor Authentication

Weak passwords remain one of the easiest ways for attackers to gain access. Avoid common passwords like password123 or admin. Instead, use a combination of uppercase and lowercase letters, numbers, and special charactersminimum 12 characters long.

Use a password manager like Bitwarden or 1Password to generate and store complex passwords securely. Never reuse passwords across platforms.

Enable Two-Factor Authentication (2FA) for all admin accounts. This adds an extra layer of protection by requiring a time-based one-time password (TOTP) from an authenticator app like Google Authenticator or Authy, in addition to your password.

Install a trusted 2FA plugin such as Wordfence, Two Factor, or Google Authenticator. Configure it for administrators and, if possible, for editors and other privileged users. Avoid SMS-based 2FA when possible, as it is vulnerable to SIM-swapping attacks.

3. Limit Login Attempts and Lock Out Brute Force Attackers

Brute force attacks involve automated bots trying thousands of username and password combinations until they gain access. These attacks are relentless and often target the default admin username.

To mitigate this risk, install a security plugin like Wordfence or Loginizer that limits login attempts. Configure it to lock out IP addresses after 35 failed attempts for 1530 minutes.

Additionally, rename or remove the default admin user. Create a new administrator account with a unique username (e.g., site_manager), assign it full privileges, then delete the original admin account. This removes one of the most commonly targeted entry points.

4. Secure wp-config.php and .htaccess Files

The wp-config.php file contains your database credentials, authentication keys, and other critical configuration settings. If compromised, an attacker can gain full access to your database.

Move the wp-config.php file one directory above your WordPress installation (e.g., from /public_html/ to /). WordPress automatically detects it there, and it becomes inaccessible via web browsers.

Protect both wp-config.php and .htaccess by adding the following rules to your .htaccess file:

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

Also, ensure your wp-config.php uses strong authentication keys. Replace the default keys with new ones generated at https://api.wordpress.org/secret-key/1.1/salt/. These keys encrypt user session data and prevent cookie forgery.

5. Change the WordPress Database Prefix

By default, WordPress uses wp_ as the prefix for all database tables (e.g., wp_posts, wp_users). Attackers often exploit this predictability in SQL injection attacks.

During a fresh WordPress installation, change the database prefix to something unique, such as xyz789_. If youre securing an existing site, you can change the prefix manually using a plugin like Better Search Replace or WP Security Scan. Always back up your database before making changes.

After changing the prefix, update the $table_prefix variable in wp-config.php to match the new value:

$table_prefix = 'xyz789_';

6. Disable File Editing in the WordPress Dashboard

By default, WordPress allows users with administrative privileges to edit theme and plugin files directly from the dashboard. This is a serious security riskif an attacker gains access to an admin account, they can inject malicious code into core files.

Disable file editing by adding this line to your wp-config.php file, just above the line that says Thats all, stop editing!:

define( 'DISALLOW_FILE_EDIT', true );

This prevents access to the Theme Editor and Plugin Editor under Appearance > Theme Editor and Plugins > Plugin Editor. Youll still be able to edit files via FTP or your hosting control panel, which is more secure and auditable.

7. Use HTTPS and Enforce SSL/TLS Encryption

HTTP sites are vulnerable to man-in-the-middle attacks, where data transmitted between the user and server can be intercepted. Always use HTTPS to encrypt all communication.

Obtain an SSL certificate from your hosting provider (many offer free Lets Encrypt certificates) or through a third-party service like Cloudflare. Once installed, force HTTPS by adding these lines to your .htaccess file:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Also, update your WordPress Address and Site Address in Settings > General to use https://. Use a plugin like Really Simple SSL to automate SSL configuration and fix mixed content issues.

8. Secure Your Hosting Environment

Your WordPress sites security begins at the server level. Even the most secure WordPress configuration can be undermined by a poorly secured host.

Choose a reputable hosting provider that specializes in WordPress and offers built-in security features such as:

• Automatic backups
• Firewall protection
• Malware scanning
• DDoS mitigation
• PHP version management

Recommended providers include Kinsta, WP Engine, SiteGround, and Cloudways. Avoid cheap shared hosting with no security controls.

Ensure your server runs a supported version of PHP (7.4 or higher, preferably 8.1+). Older PHP versions have known vulnerabilities and are no longer maintained. Most hosts allow you to change PHP versions via cPanel or their dashboard.

Disable directory listing by adding this line to your .htaccess file:

Options -Indexes

This prevents attackers from browsing your directories and discovering sensitive files.

9. Restrict Access to wp-admin and wp-login.php

IP Whitelisting

If you access your site from a fixed IP address (e.g., your office or home), restrict access to wp-admin and wp-login.php by IP. Add the following to your .htaccess file:

<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 192.168.1.100
Allow from 203.0.113.50
</Files>

Replace the IP addresses with your own. This blocks all other IPs from accessing the login page.

Two-Layer Authentication via .htpasswd

For more robust protection, add an additional password layer before WordPress even loads. Create a password-protected directory for wp-admin using an .htpasswd file.

Generate the password file using an online .htpasswd generator. Upload it to a secure location outside your web root (e.g., /home/username/.htpasswd).

Add this to your .htaccess file:

<Files wp-login.php>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/username/.htpasswd
Require valid-user
</Files>

Now, users must enter two passwords: one for the server and one for WordPress.

10. Regularly Backup Your Website

No security measure is foolproof. A reliable backup strategy ensures you can restore your site quickly after a breach, hack, or accidental deletion.

Use a plugin like UpdraftPlus, BlogVault, or BackupBuddy to schedule automated daily or weekly backups. Store backups offsitein the cloud (e.g., Google Drive, Dropbox, Amazon S3)not on the same server.

Test your backups regularly. Restore a backup to a staging environment to confirm all files and databases are intact. A backup that doesnt work is worse than no backup at all.

Enable versioning so you can roll back to a specific point in time. Some plugins allow you to keep 10+ versions of your site. Retain at least 35 recent backups.

11. Remove Unused Themes and Plugins

Every installed theme and plugin is a potential vulnerability. Even if deactivated, unused code can be exploited if it contains unpatched flaws.

Regularly audit your installed plugins and themes. Delete anything youre not actively using. Remove default themes like Twenty Twenty-Four unless youre using them.

Use only plugins and themes from trusted sourcesthe official WordPress repository or reputable developers. Avoid nulled (pirated) themes and plugins. These often contain backdoors, malware, or malicious code.

12. Disable XML-RPC and Pingbacks (If Not Needed)

XML-RPC is a legacy API that allows remote publishing and communication between WordPress sites. While useful for mobile apps or third-party tools, its frequently abused for brute force attacks and DDoS pingback floods.

If you dont use WordPress mobile apps, Jetpack, or other remote publishing tools, disable XML-RPC. Add this to your .htaccess file:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

Also, disable pingbacks and trackbacks in Settings > Discussion. This reduces the risk of spam and amplification attacks.

13. Harden File and Folder Permissions

Incorrect file permissions can allow attackers to modify or upload malicious files. WordPress recommends the following permissions:

• Directories: 755
• Files: 644
• wp-config.php: 600 or 640

You can set these via FTP client (e.g., FileZilla) or SSH using the chmod command:

find /path/to/wordpress -type d -exec chmod 755 {} \;
find /path/to/wordpress -type f -exec chmod 644 {} \;
chmod 600 /path/to/wordpress/wp-config.php

Never set permissions to 777. This gives full read, write, and execute access to everyone and is a major security risk.

14. Monitor for Malware and Suspicious Activity

Even with all precautions, malware can slip in through compromised plugins, infected themes, or third-party services. Regular scanning is critical.

Use a security plugin like Wordfence or Sucuri to scan your site daily for malware, backdoors, and suspicious code. These tools compare your files against known good versions and alert you to changes.

Check your sites files manually occasionally. Look for:

• Unknown PHP files in the wp-content directory
• Base64-encoded strings in theme files
• Obfuscated JavaScript in footer.php or header.php
• Unexpected admin users

Use online scanners like SiteLock, Quttera, or Google Safe Browsing to check if your site has been flagged for malware.

15. Secure Your Web Server with a Web Application Firewall (WAF)

A Web Application Firewall (WAF) acts as a shield between your site and incoming traffic. It filters out malicious requests before they reach your server.

Cloudflare offers a free WAF with rules specifically designed for WordPress. Enable it by changing your domains nameservers to Cloudflares and turning on the WAF under the Security tab.

Configure Cloudflares Security Level to Medium or High and enable Under Attack Mode during active attacks. Use WAF rules to block common exploit patterns like SQL injection, XSS, and file inclusion attempts.

Alternatively, use Sucuris WAF or a server-level WAF like ModSecurity if youre on a VPS or dedicated server.

Best Practices

Use the Principle of Least Privilege

Assign users the minimum level of access required to perform their tasks. Avoid giving Administrator access to content editors or contributors. Use roles like Editor, Author, or Contributor instead.

Plugins like User Role Editor or Members let you customize permissions. For example, you can prevent authors from installing plugins or editing themes.

Disable Directory Indexing and Server Browsing

As mentioned earlier, use Options -Indexes in your .htaccess file to prevent directory listing. This stops attackers from seeing files like backups, logs, or configuration files that may contain sensitive information.

Regularly Audit User Accounts

Review your WordPress user list monthly. Delete inactive accounts, especially those with admin privileges. Remove users who no longer work with your site.

Check for suspicious accounts with odd usernames (e.g., admin123, test, wpuser) or accounts created outside your normal workflow.

Disable WordPress Version Number

WordPress automatically adds its version number to scripts and meta tags, making it easier for attackers to target known vulnerabilities.

Add this code to your themes functions.php file:

function remove_wp_version() {
return '';
}
add_filter('the_generator', 'remove_wp_version');

Also, remove the version from script and stylesheet URLs:

function remove_wp_version_strings( $src ) {
if ( strpos( $src, 'ver=' ) )
$src = remove_query_arg( 'ver', $src );
return $src;
}
add_filter( 'script_loader_src', 'remove_wp_version_strings' );
add_filter( 'style_loader_src', 'remove_wp_version_strings' );

Disable REST API for Non-Authenticated Users

The WordPress REST API exposes data like posts, users, and comments. While useful for apps and headless setups, it can be abused for reconnaissance.

To restrict access to logged-in users only, add this to your functions.php:

add_filter( 'rest_authentication_errors', function( $result ) {
if ( ! empty( $result ) ) {
return $result;
}
if ( ! is_user_logged_in() ) {
return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
}
return $result;
});

Monitor Login Activity

Use security plugins to log all login attempts, including successful and failed ones. Review logs weekly for unusual patternssuch as multiple logins from different countries or at odd hours.

Set up email alerts for admin logins. This gives you immediate notification if someone logs in with your credentials.

Use a Staging Environment for Updates and Testing

Before applying updates or installing new plugins on your live site, test them on a staging environment. Most managed WordPress hosts offer one-click staging.

This prevents broken sites, plugin conflicts, or security issues from affecting your live audience.

Keep Your Computer and Network Secure

Your sites security is only as strong as your local environment. Use antivirus software, keep your OS updated, and avoid using public Wi-Fi to access your WordPress dashboard.

Use a Virtual Private Network (VPN) when connecting remotely. Enable two-factor authentication on your email accountsince password resets often go through email.

Tools and Resources

Security Plugins

• Wordfence Firewall, malware scanner, login security, and real-time threat defense.
• Sucuri Security Site firewall, malware removal, audit logging, and DDoS protection.
• iThemes Security Comprehensive hardening tool with file change detection and brute force protection.
• All In One WP Security & Firewall Free, feature-rich plugin with detailed security checks.
• Loginizer Lightweight login attempt tracker and blocker.

Backup Plugins

• UpdraftPlus Cloud-based backups with one-click restore.
• BlogVault Real-time backups and staging.
• BackupBuddy Full-site migration and backup with encryption.

SSL and CDN Services

• Cloudflare Free SSL, WAF, DDoS protection, and performance optimization.
• Sucuri Premium WAF with malware cleanup and monitoring.
• Lets Encrypt Free SSL certificates via hosting providers.

Online Scanners and Checkers

• Google Safe Browsing Check if your site is flagged for malware.
• Quttera Web Malware Scanner Free online scanner for malware and vulnerabilities.
• SiteLock Comprehensive security scanning and monitoring.
• WPScan Command-line tool to scan WordPress sites for vulnerabilities (for developers).

Security Resources

• WordPress.org Hardening Guide Official security recommendations.
• CVE Database Track known vulnerabilities in WordPress and plugins.
• WP Security Community-driven security tips and tutorials.
• OWASP Web application security standards and best practices.

Real Examples

Example 1: The Infected Plugin Attack

A small business owner installed a free SEO Optimizer plugin from an unofficial source. Within days, their site began redirecting visitors to phishing pages. A scan with Wordfence revealed a hidden backdoor in the plugins main PHP file.

They restored from a clean backup, deleted the plugin, changed all passwords, enabled 2FA, and switched to a reputable SEO plugin from the WordPress repository. They also set up daily malware scans. No further incidents occurred.

Example 2: Brute Force Attack on wp-login.php

A WordPress site hosted on cheap shared hosting received over 10,000 login attempts in 48 hours. The attacker targeted the admin username. The site was compromised when the password was guessed.

After recovery, the owner moved to a managed WordPress host, renamed the admin user, enabled IP whitelisting, installed Loginizer, and disabled XML-RPC. They also enabled Cloudflares WAF. The attacks stopped immediately.

Example 3: SQL Injection via Outdated Theme

A developer used an outdated theme with a known SQL injection vulnerability in its search function. Attackers exploited it to extract user data and inject malicious scripts into every post.

They switched to a regularly updated theme, cleaned the database using a malware scanner, changed database credentials, and implemented a WAF. They now use a staging environment to test all theme updates before deployment.

Example 4: The Compromised Developer Account

A freelance developer had access to a clients WordPress site. When their laptop was infected with a keylogger, the attacker stole the clients login credentials. The attacker created a new admin user and installed a malicious plugin.

The client discovered the breach when traffic dropped sharply due to Google blacklisting. They revoked all user access, changed passwords, removed the rogue user, and implemented 2FA for all accounts. They now require developers to use temporary, limited-access accounts with expiration dates.

FAQs

How often should I update WordPress and plugins?

Update WordPress core, themes, and plugins as soon as updates are available. Security patches are often released within hours of a vulnerability being disclosed. Set up automatic updates for minor releases and review major updates weekly.

Can WordPress be hacked even with security plugins?

Yes. Security plugins reduce risk but cannot eliminate it entirely. A layered approachcombining strong passwords, updated software, WAF, backups, and server hardeningis essential. No single tool is 100% effective.

Is it safe to use free themes and plugins?

Only if they come from the official WordPress repository or reputable developers. Avoid nulled or pirated versions. Free plugins from unknown sources often contain hidden malware or tracking scripts.

What should I do if my site is hacked?

Immediately take your site offline (or put it in maintenance mode). Restore from a clean backup. Scan all files and databases for malware. Change all passwords (WordPress, hosting, FTP, database). Update everything. Implement stronger security measures. Notify users if data was compromised.

Do I need a Web Application Firewall (WAF)?

Highly recommended. A WAF blocks malicious traffic before it reaches your server, reducing server load and preventing exploits. Cloudflares free plan provides excellent protection for most sites.

How do I know if my site has been blacklisted by Google?

Check Google Search Console for security alerts. Use Google Safe Browsing to test your URL. If flagged, follow Googles removal process after cleaning your site.

Can I secure WordPress without plugins?

Yes, but its more complex. You can manually configure .htaccess, disable file editing, harden permissions, and update core manually. However, plugins automate critical tasks like malware scanning and login protection, making them invaluable for most users.

Whats the biggest mistake people make when securing WordPress?

Assuming that it wont happen to me. Most breaches occur because site owners delay updates, reuse passwords, ignore warnings, or trust third-party code without verification. Proactive, consistent security is the only reliable defense.

Conclusion

Securing a WordPress website is not a one-time taskits an ongoing process that requires vigilance, discipline, and the right tools. From updating software and enforcing strong passwords to implementing firewalls and regular backups, every layer of defense contributes to your sites resilience.

The threats are real, evolving, and relentless. But so are the solutions. By following the steps outlined in this guideapplying best practices, leveraging trusted tools, and learning from real-world incidentsyou can transform your WordPress site from a vulnerable target into a fortified digital asset.

Remember: Security is not about perfection. Its about reducing risk at every level. Start with the basics. Build from there. Audit regularly. Stay informed. And never underestimate the power of a simple, well-executed security routine.

Your website, your visitors, and your reputation are worth protecting. Take action todaybefore its too late.