The Ultimate WordPress Security Guide – Step by Step

Anyone with a WordPress website knows how important effective security is, both to protect your site from threats and to ensure your users stay safe. However, a lax approach to WordPress security could lead to penalization: thousands of websites are blacklisted by Google daily due to the presence of malware or phishing.

With all that in mind, it’s crucial that you stay up to date on the latest WordPress security methods and innovations. And that’s why we have written this comprehensive guide to WordPress security.

Ultimately, WordPress is a secure platform at its core, and numerous developers run regular audits to assess its safety, but there are risks to consider. Fortunately, you can take action to help your WordPress website stay secure — even if you’re a relative newcomer to the world of WordPress, you still have plenty of options to consider.

Read on to learn everything you need to know about protecting your WordPress website against common security threats.

Why Does Effective Website Security Matter?

If someone manages to hack a WordPress website, they could cause issues so serious that it may affect a business’s productivity, performance, revenue, and even reputation.

The latest technologies and techniques enable hackers to gather essential data (such as passwords and customer information), install malware, and potentially infect users’ systems. Another common threat facing businesses today is ransomware: an attacker essentially holds a website to ransom, preventing the owners from accessing it again until they pay the fee demanded. But even then, the culprits may not honor the agreement.

If your business depends on your WordPress website, whether for generating leads or selling goods to customers directly, it’s vital that you take WordPress security seriously. You should take the necessary measures to keep your site secure and reduce its risk of being breached in any way.

Protecting Your WordPress Website with Passwords and Permissions

Stolen passwords are the cause for most attempts to hack a WordPress website, but you can make a hacker’s task more difficult if you create unique, complex passwords that no one can guess. Good passwords are a must for the WordPress admin area, database, FTP accounts, email accounts featuring your website’s name, and more.

Unfortunately, some novices prefer not to use complex passwords as they can be tough to remember. That’s understandable, but it can leave WordPress websites more vulnerable to hacking than they need to be. The good news is that nobody has to memorize passwords today: password managers can do that for you. These make storing passwords for various accounts quick and easy.

Furthermore, you can ensure good WordPress security by restricting access to your WordPress admin account as best you can. That means only sharing it with others when it’s critical, and only choosing individuals you know you can trust.

Take care when adding new user accounts to your WordPress website: to minimize risk, everyone with access to your WordPress admin account should understand what they can and can’t do.

The Importance of Updating WordPress Regularly

WordPress is an open-source platform that undergoes frequent maintenance and receives updates regularly. Small updates are installed automatically by WordPress, which is convenient and straightforward for website owners. However, WordPress requires you to initiate bigger updates manually instead, though that’s still fairly simple.

Additionally, you can choose from a huge range of themes and plugins ready to install on your WordPress website. There are thousands of options to explore, with something for everyone. Themes and plugins are the work of third-party developers, and updates are released often.

Installing the latest WordPress updates is essential to maintain your website’s security and general performance. You should ensure that your theme, plugins, and WordPress core are the most up-to-date versions.

WordPress Website Hosting and Security

One of the most important elements of effective WordPress security is the WordPress hosting service you choose. A reputable provider of shared hosting services, such as Siteground or Bluehost, implements careful precautions to defend all of their servers from security threats.

A trustworthy hosting brand works hard behind the scenes to keep your WordPress website as secure as possible. Here’s how:

  • Keeping all server software, hardware, and all other essential components up to date. This helps to prevent hackers from taking advantage of security weaknesses that may be more prevalent in outdated versions.
  • Monitoring their network round the clock to identify signs of possible security threats and other disruptions.
  • Maintaining detailed plans for disaster recovery in the event of a major security breach or accident, which enables them to keep your data safe and secure.
  • Using cutting-edge tools to fend off major distributed denial-of-service (DDoS) attacks that could cause severe disruptions.

How does a shared hosting service work? It’s simple: you and a plethora of fellow customers share the provider’s server resources. However, the biggest issue with this setup is that hackers may attack your site through a neighboring one.

Managed WordPress hosting services, though, offer a more secure environment for websites. Providers give customers automatic updates for their WordPress website, automatic backups, and intricate security setups to keep sites safer.

Simple No-Code Ways to Improve WordPress Security

Taking WordPress website security into your own hands can be a daunting concept for newcomers, even if you consider yourself fairly tech-savvy. However, there are steps you can take to boost the quality of your WordPress website’s security with no need to delve into the complex realm of coding.

Let’s take a look at a few ideas to get you started.

Take Advantage of Backup Plugins to Keep Data Secure

A solid backup process is vital for protecting your WordPress website: in the event of a disruptive attack, backups will help you restore your site. No website is completely safe from being hacked, sadly, so you need to be prepared for potential problems.

Fortunately, you have a wealth of backup plugins to choose from for your WordPress site, with free and paid options available. Whichever backup plugin you pick, though, bear this in mind: full-site backups must be saved to a remote location, such as Dropbox, on a regular basis.

The ideal frequency for backing up your WordPress website depends on how often you update it. That could mean backing the site up every week or every day. Reputable backup plugins include BlogVault and Duplicator: both of these are straightforward and require no experience of coding.

Encryption Is A Must

The Secure Sockets Layer (SSL) protocol encrypts data as it’s transferred from your WordPress website to a user’s web browser. As a result, it’s much more difficult for hackers to access and steal data in transit.

By activating SSL, your WordPress website will switch from HTTP to HTTPS, denoted by the padlock symbol beside your site’s address in a browser. And it’s easy to implement SSL for your WordPress website today, thanks to the Let’s Encrypt non-profit project.

Initially, certificate authorities distributed SSL certificates for a price, charging potentially hundreds of dollars on a yearly basis. That put many website owners off, and they operated a less-secure site instead. But the Let’s Encrypt organization came along and provided website owners with free SSL certificates, with support from Mozilla, Google Chrome, and other major names.

If you’re ready to switch to SSL, you can find various hosting companies offering WordPress website owners free certificates.

Using Security Plugins for WordPress Website Safety

Another crucial security factor to consider is implementing a system to monitor and audit everything that occurs on your WordPress website (e.g. failed attempts to log in and scanning for malware). One of the most popular security plugins for WordPress, Sucuri Scanner, can do this for you with ease.

The Sucuri Security plugin is free and ready to use. Install it, activate it, then make your way to your WordPress admin section and find the Sucuri menu. Set up a free API key to get started, which allows you to use email alerts, audit logs, and more. Click on the Hardening tab (found in the settings menu), then tap the Apply Hardening button.

Why go through this process? Because this plugin will help you secure those areas that hackers tend to utilize when launching attacks. Most hardening options are free, but there is a paid Web Application Firewall available too.

The plugin’s default settings are effective for the majority of websites, and it’s unlikely that you’ll need to make adjustments. Still, take a few moments to set up your email alerts to cover important activities (e.g. plugin tweaks) to prevent your inbox from being crammed.

Whether you opt for Sucuri Security or another reputable security plugin for your WordPress website, explore its features in depth to make sure you know what it offers and how to get the most out of it.

Activate the Web Application Firewall (WAF) to Improve Your WordPress Website Security

Take advantage of a WAF to defend your WordPress website and enjoy greater peace of mind that it will be protected effectively. A WAF will block all traffic viewed as malicious before it can get to your site.

You can choose from two types of website firewall:

  • A DNS level firewall directs traffic via its proxy cloud servers, which enables it to deliver genuine traffic only to your server.
  • An application level firewall that assesses traffic at the point between it getting delivered to your web server and WordPress scripts being loaded. Generally, this type of firewall is less efficient at decreasing server load than the DNS option.

Advanced Ways to Improve Your WordPress Security

In this section, we’ll look at some more advanced techniques for taking your WordPress security higher. You may need some knowledge or experience of coding to implement these.

Turn Off File Editing

If you want to edit your WordPress plugin files or theme, try the built-in code editor. WordPress’s code editor is solid, but it can create security hazards, so we suggest that you disable it immediately.

That’s easy to do: just enter the following command into your wp-configphp file:

define( ‘DISALLOW_FILE_EDIT’, true ) ;

Create a New Username for Your Admin Account

Once upon a time, the admin username for WordPress was “admin” by default. However, that helped hackers launch brute-force attacks on WordPress sites more easily, and WordPress tried a new approach. As a result, you now need to create a personalized username when you install WordPress instead.

WordPress won’t let you switch usernames by default, but you can try one of three methods to do that instead:

  • Install the Username Changer WordPress plugin
  • Update the username from phpMyAdmin
  • Set up a new admin username and get rid of the previous one

Restrict the Number of Attempted Logins Permitted

WordPress gives you an unlimited number of login attempts by default, but that means your website could be hacked using the brute-force method. Attackers will try to guess passwords by entering a plethora of combinations at the login screen.

However, you can limit the number of failed login attempts a user is allowed to make before they’re blocked. Web application firewalls will put this into effect automatically, but if you don’t have one, you can follow these steps instead.

  • Install the Login LockDown plugin and enable it.
  • Go to Settings > Login LockDown to initiate the setup process.
  • Determine the number of login attempts users have, how long the plugin will lock a user out for, and more.

Deactivate PHP File Execution

Another technique for improving your WordPress security is turning off PHP file execution in directories in which it’s unnecessary (e.g. /wp-content/uploads/).

Simply open a text editor and enter the following code to get started:

<Files *. php>

deny from all


Save this text file as htaccess. Next, use an FTP client to upload the file to /wp-content/uploads/ folders on your WordPress website. Certain plugins allow you to do this with one click instead.

Set Up 2FA for Added WordPress Security

Two-factor authentication (2FA) is a popular security measure that requires users to verify their identity in two ways before they can log into an account. The first step involves entering their usual details (username and password), and the second requires that they use a different application or device to confirm who they are.

A huge range of websites use 2FA for security purposes, and you can set it up on your WordPress site. Install the Two Factor Authentication plugin to get started, then activate it. You will then be able to click on the Two Factor Auth link in the admin sidebar to set it up.

You also need to install an authenticator app on your smartphone, such as LastPass Authenticator or Google Authenticator. Both of these enable you to backup accounts to cloud storage, which is helpful if you lose or replace your current phone.

When you install your preferred authenticator app, you’ll need to connect it to your site. In the case of LastPass Authenticator, launch the app and tap the Add button. You can either scan a barcode or scan a site manually. For the former option, aim your device’s camera at the QR code on the LastPass Authenticator settings page.

The app will save the site, and you’ll be asked to complete the 2FA process next time you sign into your WordPress website. Open the app and use the code shown to get into your website.

Use Password Protection on the Login Page

Here’s a short and simple WordPress security tip: set up password protection on your wp-admin folder and login page to keep hackers out.

Usually, there is no restriction in place to stop them from requesting this, which makes it easier for them to launch attacks. But you can implement password protection to prevent them from making requests.

Stop Using the Default Prefix for WordPress Database

WordPress utilizes wp_ as the prefix for every table within your WordPress database as standard, which makes hackers’ work easier if they try to guess the name of your table. To make things harder for them, just change the prefix from the default to something more secure.

Changing the WordPress database prefix can be time-consuming, but it’s worth considering. However, only try it if you have some coding skills and experience, or get someone else to handle it for you. You could break your site if you get it wrong.

Deactivate Directory Browsing to Keep Vulnerabilities Out of Hackers’ Hands

Hackers can take advantage of directory browsing to discover files with known weaknesses on your WordPress website. If they find any of these vulnerable files, they can use them to get the access they need.

However, other users can delve into your files with directory browsing, too. They can explore images, check out the architecture of your directory, and more. That’s why it’s best to disable directory browsing and indexing.

To start, use FTP or cPanel’s file manager to connect to your WordPress site. Find the .htaccess file in your root directory, then add this line at the end of that file:

Options - Indexes

You also need to save the .htaccess file and upload it to your site once you’ve done this.

Sign Inactive Users Out Automatically

If a user leaves their device while they’re signed in, that creates an opportunity for someone to take over their session and adjust their logins or settings. It’s a real security risk.

However, lots of websites (including banking sites) automatically log users out after a period of inactivity. You can set this up on your WordPress website as well to improve security.

To do this, you’ll need to install and enable the Inactive Logout plugin. Navigate to the settings page and select Inactive Logout after installation to set it up. Choose how long you want to allow users to stay idle before they’re logged out, and create a logout message.

Switch Off XML-RPC

WordPress 3.5 activated XML-RPC as standard, as it enables websites to connect to apps. However, it can also help hackers use brute-force attacks to penetrate your site.

How? They can leverage the system.multicall option to try hundreds of access passwords with only dozens of requests, instead of making hundreds of individual attempts. Hackers can be harder to detect by security plugins as a result, and it’s best to disable XML-RPC if you’re not currently using it.

Searching for Security Vulnerabilities

WordPress security plugins automatically run routine searches for malware and indications of a breach. But if you notice that your traffic decreases or your rankings falter, it may be time to run a manual scan instead.

A good WordPress security plugin will make this fast and simple. Generally, you need to input the URL of your website and allow the crawlers to search for all known malware or harmful code. While WordPress security scanners are capable of scanning a site, they have no way to get rid of malware.

What can you do? We’ll come back to cleaning up a hacked site later.

Use Security Questions for Identity Verification on Your Login Screen

Using a security question on your WordPress login screen is a simple way to prevent anyone accessing your site without authorization.

Install the WP Security Questions plugin, then activate it. Navigate to the settings page and find the Security Questions page to set up the plugin.

Dealing with a WordPress Website After it’s Hacked

Setting up comprehensive security and backups for a WordPress website is crucial, but sadly, many site owners only realize that after they have been hacked. Cleaning a website after a hacker has breached it can be complicated and take a long time, which is why calling in professionals is often the quickest, easiest option.

One of the main reasons for leaving it to the experts is to prevent further hacks: backdoors may have been installed on a site, which allow hackers to attack it again in future. Working with professionals will reduce the risk of backdoors going undetected and help protect your site from other hackers.


Implementing a strong security configuration for your WordPress website will help keep it safe against common and uncommon cybersecurity threats. Taking advantage of the various security measures offered by security plugins will reduce your risk of being attacked by hackers and malicious software. In turn, that can decrease the likelihood of experiencing disruptive and costly downtime, reputation damage, and other negative effects.

We hope this guide to WordPress security has given you a helpful insight into securing your website and keeping it safe for users.

No comment yet, add your voice below!

Add a Comment

Your email address will not be published. Required fields are marked *


  • Yes, please, I agree to receiving my personal Plesk Newsletter! WebPros International GmbH and other WebPros group companies may store and process the data I provide for the purpose of delivering the newsletter according to the WebPros Privacy Policy. In order to tailor its offerings to me, Plesk may further use additional information like usage and behavior data (Profiling). I can unsubscribe from the newsletter at any time by sending an email to [email protected] or use the unsubscribe link in any of the newsletters.

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden

Related Posts

Knowledge Base

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.