The Ultimate WordPress Security Guide – Step by Step

15 Min | 06 January, 2022

WordPress powers around 42% of all the websites, hence, WordPress is easily the most popular content management system in the world. But what makes WordPress so popular? Well, there can be plethora of reasons for it:

  • It’s easy to use
  • It has great customization options

And Most importantly…

  • It is responsive!

Hence WordPress is the preferred choice of many website owners. But this popularity also makes it vulnerable to hackers. Hackers are always on the go to gain access and exploit every WordPress website they can.

You need to take your WordPress website security very seriously because 1/3 Americans are affected by these attacks every year which occurs every 39 seconds.

The question here is: What can be done to prevent such attacks and make your WordPress website secure?

Don’t worry, we have it all sorted for you. This WordPress security guide will walk you through the best practices to make your website secure. So let’s begin:

Why is WordPress Security Important?

Many small businesses have this false impression that their website is entirely safe from hackers. What they don’t know is that hackers mint millions by selling personal information. And this is why WordPress security is imperative for all.

It’s difficult to predict how your website will be attacked, but it is necessary to protect your WordPress website and use the right plugins to fortify its security.

When a business website gets hacked, it negatively impacts the reputation of the business in the market. Most hackers install malicious data into the website, which runs in the background.

It extracts data from the website which also includes user information. When their data is leaked or sold online from a website, they lose their trust in the brand instantly.

The immediate threat of a hacked website is the theft of customers’ data and billing information. The damage that your company gets with this theft may harm the reputation of your company.

In short, it will take a lot more money, effort and PR to rebuild the long-lost reputation and restore customer’s confidence.

There are different areas of security to protect your website. In this blog, we cover all the security areas starting with the most important ones.

Secure WordPress WP Admin:

Research shows that every 7 out of 10 compromised WordPress websites is due to an insecure wp-admin login page. The hackers get access to your website via breaking the wp-admin password using brute force technique and your WordPress admin password is compromised.

Also, 6 out of 10 WordPress websites face performance-related issues due to brute force attacks on the login page of wp-admin. Due to so many failed login requests on the website, the hosting server consumes high computational power to entertain those false requests. Due to a lack of free computational power, your website speed gets bogged down.

We strongly recommend you implement all the security features mentioned in this section to secure your WordPress backend.

Change WP Admin URL: The most common hacking attack on WordPress websites is a brute force attack on the wp-admin page to gain website backend access. The hackers know that every WordPress website’s default backend login page is Wp-admin like, so change it to something complex like By changing the WordPress admin URL, you prevent the website from brute force attacks and the website’s speed is not affected.

Apply Captcha on WP Login: Suppose, even after changing the wp-admin URL, your new URL somehow gets exposed to hackers, what would you do then? Well, don’t worry!. To prevent attacks on the changed URL, apply the captcha feature on the backend login page. The attacker systems or bots will not initiate the login attempt if you apply a captcha because the bot or script doesn’t know how to answer the captcha, whether it’s text-based or image-based captcha. You can use reCAPTCHA powered by Google; it’s very easy to implement and free.The above two steps are to protect your WordPress wp-admin from brute force attacks. However, there are some cases in which your website backend is not secure, where someone has access to your backend who can potentially access it and fetch information or misuse your website. We have mentioned all those points to secure your wp-admin user’s credentials and apply best practices to ensure security.

Use the Two-Factor Authentication: By applying two-factor authentication, you will ensure the user’s legitimacy. In case the wp-admin user’s credentials are compromised due to any reason, the login page needs a real-time generated login code to allow backend access. The top WordPress security plugins provide a two-factor authentication feature. You can also use the free plugin to get code on the email.

Edit the Default Username: The default WordPress username is “admin”. Since everyone knows this, hackers are likely to know it better than anyone out there. You need to change the default username and make it something personal. Suppose, if your name is “Paul”, you can set the username to: Paul489 or something. The purpose is to make your username a bit complicated.

Use Difficult Passwords: Although it might seem challenging to manage but using strong passwords is still the most understated but highly effective WordPress security practice. Think of your own strong password or use a strong password generator to secure your WordPress website. Never hesitate to change the password once every one month. The requirements of a strong password are as follows.

  • Password should be at least 8 characters long
  • Must contain 1 upper case letter
  • Must contain 1 lower case letter
  • Must contain 1 number
  • Must contain 1 special character

Limit WP Admin Login Attempts: Apply the limit on false logins; if the limit exceeds, the Wp Admin user will be automatically blocked. The best practice is to set three false login attempts. You can implement this feature on the login page using a free plugin.

Enforce Password Change Policy: Enforce the password change policy on every wp-admin user to ensure maximum security of your website backend. We don’t change passwords often because strong passwords are hard to memorize and changing passwords after certain intervals is a hassle, right? But, do change them often. It’s for your own good. According to the Website Security Audit checks, we must change website passwords every month and ensure maximum security. If you set a policy to change password after every one month, then every user has to change it every month. Once the password age expires, the system automatically forces users to change their password on the next login.

WordPress Files and Folder Management

As a website owner, you know the importance of your website files and folders management because hackers will control your website by potentially injecting malicious code on the code files. We have compiled four significant areas in this section to manage your website files and folder:

Files and Folder Permission:

Different files and folders on the hosting server have different permission rules that specify which operating users have access to writing, reading, and updating the files and folders.

Setting the right permission is very important because WordPress may need access to write the files on the wp-content folder due to certain operations done by the backend. In a Linux environment, usually, the www-data user is used to manage your WordPress website. The general rule is to assign 755 permission on the folder and 644 permission on the files on the OS user.  Execute the below mentioned command on the root directory of your website to set the correct permission.

For Folder permission:

find . -type d -exec chmod 755 {} +

For Files Permission:

find . -type f -exec chmod 644 {} +

Disable File Editing: WordPress allows for editing themes and plugins files directly from the WordPress admin area. It’s handy but it comes with high-security risk in case unauthorized users get admin access. Unauthorized users can easily inject malicious code on the website via the admin area using a file editor. To disable file editing, you need to open the wp-config.php file in the text editor present in the root directory of your WordPress.

Anywhere above this /* That’s all, stop editing! Happy blogging. */ line add the line

define( 'DISALLOW_FILE_EDIT', true );

After saving the file, visit the WordPress dashboard with any account, and you will not see the link at Appearance > Editor and Plugins > Editor.

Hide wp-config.php and .htaccess files: During WordPress installation, it creates a file with the name wp-config.php. This is your website’s critical configuration file that contains sensitive configuration and data without encrypted formats, such as database credentials. By hiding the wp-config file, you will add an extra layer of security to strengthen your website from security risk.

There are several ways to secure the wp-config.php file, but we use the .htaccess file to hide the wp-config.php. This method is the easiest and most commonly used method to hide the wp-config.php file. Open the .htaccess file present in the root directory of WordPress using any text editor and add the below line of code at the end of the file. Once the below code is added, save the .htaccess file.

#secure wp-config.php
order allow, deny
deny from all

The above code will block access of your wp-config.php file from hacking and code modification.

We also need to hide the .htaccess files and other sensitive files starting with dot(.) like .htpasswd using the htaccess rule. To protect the dot(.) files, just add the below rule in the .htaccess file present in a root directory of your WordPress.  Open the .htaccess file using any text editor, add the below code snippet and save the file.

# Deny access to all files starting with dot(.)
<FilesMatch "^.">
Order allow,deny
Deny from all

Disable Directory Listing with .htaccess: The web servers like Apache and Nginx allow access inside the root directory of your WordPress website by default; this means all the directories and files are visible. Add the below line of code in the .htaccess file present in the root directory using any text editor and save the file.

# To disable directory browsing and hide the contents of directories.
Options –Indexes
IndexIgnore *

By implementing all the steps mentioned in WordPress Files and Folder Management section, your website directories, files, and sensitive information stored in those files are protected. No one can inject any code in the WordPress files to hijack your website.

Website Hosting

WordPress hosting plays a vital role when it comes to securing a WordPress website. Why? There are so many security areas of your website that depend on the hosting provider. Let’s discuss the security areas of the hosting provider.

The hosting server should not be accessible to any unauthorized services or users. There are so many different ways to access the server. For example, SSH is used to access the terminal, SFTP is used for Server File Management. To access the installed services like the database, you will use MySQL credentials with port 3306 to connect your database remotely. These external connections are also required to manage your WordPress website.

There should be a firewall to protect all the external connections of the server because losing an external server connection, you will lose your website in a blink. Due to the high demand for SSH, SFTP, and MySQL remote connections, most hosting providers offer these features without 100% security.

We at Devrims believe that server security is the most critical area of our services. By default, we block all the external connections of the server except SSH, but you can access any running services like MySQL on your server remotely via adding an Access Control Policy in a click against the services you want to access remotely.

To protect your server from brute force attacks, we have implemented the Fail To Ban service on every server, so if you set: Allow All rule in SSH and SFTP connection from the dashboard, the system will block the suspicious IP on three wrong login attempts on SSH and SFTP.

Moreover, a professional hosting service is always ready for any accidents and compensates its users with a backup plan. Mostly, it isn’t easy to choose which type of hosting you need, i.e., shared or managed. But overall, managed hosting is better because it comes with a plethora of features, 24/7 support where literally everything is managed by the hosting provider itself.

Security Plugins

Although we have covered many important aspects to secure your WordPress website from securing your WP Admin Page, managing file & folder permission and even importance of a good hosting; but we are just scratching the surface here and there are more security checks you need to put in place before fortifying your WordPress website to a great extent!

There is still a chance that someone can use a DDoS attack to affect the speed of your website. The main intention of a DDoS attack is to affect a website’s performance and uptime by sending so many fake traffic requests on your hosting server that it becomes unresponsive or dead slow. You can use Cloudflare or security plugins to protect your website from DDoS attacks. Many WordPress security plugins also provide additional security features like Malware Scanning, integrity checks, firewall integration, etc.

To integrate Cloudflare, please visit our Step by Step guide.

Here are several WordPress security plugins that can ensure WordPress site security while you’re busy working on your business.

  1. Sucuri: This plugin, which comes in both free and paid versions, helps you audit the website for any malicious activity and act against it. You will be notified of any suspicious activity via notifications.
  2. iThemes Security Pro: This plugin claims to have more than 30 ways to protect your website from getting hacked. The best thing about this plugin is that it offers website protection for two websites simultaneously. With strong password protection and firewall, hackers will find it challenging to breach the website.
  3. Jetpack Security: Here’s a plugin that guards your website 24/7 so that you can focus on your core business. No need to worry about backups because this plugin takes automatic backups on unlimited storage space. There will be no more spam comments because Akismet blocks any suspicious comments before they harm the reputation of your website.
  4. WPScan: This one is a unique plugin that offers one-of-a-kind vulnerability databases for its customers. With more than 21,000 known vulnerabilities, it becomes easy for this plugin to keep track of the market’s latest vulnerabilities.

WordPress, Theme, and Plugins Updates

WordPress is quite proactive when it comes to the security of the platform. From time to time, WordPress will suggest you do the core update and version update. The developer community of the CMS is working hard to introduce new security features and fix the vulnerability in the existing version. On the other hand, the hackers are also trying to find new ways to compromise the security of the world’s most usable CMS. In every core update, WordPress fixes the known vulnerability of the CMS. In the new version release, they introduce new security features, including vulnerability fixes. We need to support WordPress developers by clicking the update now button as soon as the notification appears on the screen.

The above rule of thumb applies to the companies developing plugins and themes. So, never ignore the WordPress core, theme and plugins updates, and always incorporate the new update on the website.

Kindly note never forgot to check the WordPress updates and the new version’s compatibility with the Php version you are using. Also, check the WordPress version compatibility during plugins and theme updates. We strongly recommend taking the website’s complete backup before any update. If the new update is not compatible with your website, you can revert it by restoring the backup.

Set Regular Backup Policy

SSL certificate is an extra layer of security to protect your data during transmission from source to destination, also to gain customer trust. Moreover, Google also prefers those websites which have an SSL certificate.

Devrims provide an unlimited Free Let’s Encrypt certificate for every domain name added to your application in a click.  Still, there are so many questions about SSL, which are answered in a separate blog on All You Need to Know About SSL Certificates.

Use SSL Certificate

Some hosting services offer SSL certificates while many others don’t. Whichever the case is, you need to ensure that your website uses an SSL certificate for enhanced security. Hackers are actively seeking new ways to gain access to your website and you shouldn’t appear to them as a sitting duck.

With an SSL certificate, it becomes challenging for them to get access to your website. You can even install an SSL certificate on your own.

Closing Thoughts!

WordPress security is a serious matter. As a website owner, the privacy of your customers and the integrity of your own work are most important. Therefore, you need to work hard to prevent these attacks from happening at all. With this guide of WordPress security tips, we hope to help you in understanding more about WordPress and thus, be able to tackle any attacks on your website.

Hackers will always try to gain access to your website. You need to ensure that you are using all the tips mentioned above to strengthen your WordPress security.

The Author

Scroll to Top