15 WordPress Security Best Practices

Concerned about your WordPress site security?
Well, you have come to the right place. Let us give you a WordPress Security Best Practices to help you understand the user role for maintaining a high level of security for your website. Make it work in your favor by learning about the security niche of this open source content management system. Around 75 million web sites use WordPress. So, you made the right decision of creating a website on this miracle User-Friendly platform. But, how can you secure it? In this day and age, where everything is up for grabs, your website is also a part of it. There are people out there who are continuously trying to exploit your website. That’s why you need to educate yourself regarding WordPress site security so it can be fruitful for you without any setbacks. In this post, let us give you a security plan for your frictionless movement in the space we all call the Internet.

WordPress Security Vulnerabilities

Firstly understand a few WordPress security vulnerabilities that it possesses:

SEO Injections

It is a clever malware built for SEO injections where the hacker loads up webpages with spam links, redirects and adds keywords, without the knowledge of the owner of the website. It usually attaches itself in unusual places in the back-end code of the WordPress site.

Cross-site scripting (XSS)

It happens when a hostile script is injected inside a website or an application. The hacker uses it to send malicious codes to the end user without them knowing about it. It can be as brutal as rewriting HTML on a page or even grab cookie/session data. It is one of the most common vulnerabilities found in WordPress plugins by a great margin.


Almost 98% of WordPress vulnerabilities are related to plugins. The most common vulnerable plugins include:

  • Event calendar
  • Ultimate Member
  • Coming soon page
  • Ninja forms
  • Duplicate pro

Denial of service (DoS)

This is the most dangerous vulnerability. Its major targets are the errors or bugs in the code to overpower the memory of website operating systems. The outdated versions of WordPress software are a common target for hackers with DoS. It’s very difficult to defend against high profile DoS attacks, even the latest versions of WordPress software cannot defend itself against that.

WordPress Security Checklist

Following are the best WordPress security tips that we compiled for your convenience:

1. How strong Passwords Help?

One of the greatest difficult challenges faced by any internet user nowadays is setting a secure, safe and uncrackable password to prevent things like Brute force attack, Dictionary attack, or Phishing. Let us give you a few points to help you create a password:

  • Understand the term Personal Password, first establish somethings that are very personal to you.
  • Write them down, mix them up and try to combine them in a way that only your mind can interpret so it’s easy to remember (it can include anything from letters to numbers).
  • Make it long
  • After following these steps, you can use helpful tools like a strong Password Generator and also use its guidance to create an uncrackable and a pure Personal Password with a professional touch.

It’s a really simple and easy way to avoid any breach. You will be safe after following the previously mentioned steps.

2. How to hold down your fort in “User Permissions”?

User Role
Assign User a Role

When you created a website on WordPress that requires more than one person to carry its duties on time and in a neat fashion, obviously you must have other professionals. Performing specific jobs that you may assign to them. Before allowing anyone else to access your handling of the website, you want to take precautions. Prevent any irregularity that may spoil your product. Follow these simple steps to stay a strong King of your own Fort:

  • Add New Users to permit people for specific jobs. Go to the User Section on your WordPress Dashboard and click on Add New.
  • Assign only specific User Roles to each user.
  • Go to the People option in your Dashboard and select the user to assign them a specific role.
  • Select Role in the drop-down menu beneath role and select the role you want to assign e.g author should have his/her particular permissions only, subscriber-only have reading permission etc.
  • If you want to assign Custom User Roles, the basic way is to add a plugin like a User Role Editor or Capability Manager Enhanced, where the entire operation of giving permissions remain in your hand. The other method is by code if you want a more professional approach. Contact us to learn about it from our experienced engineers at a more deep level.
  • Keep the number limited of your users, for a clean working environment to enhance productivity.

So, before you give other users to make changes or work on your website first develop an understanding of User Roles.

3. Changing Default Admin Usernames

Want to change your WordPress Admin Username? Follow these steps:

  • Go to i.e wp-admin the Users from your dashboard panel and click Add new user.
  • Always use different display name from the username, as the risk of identifying and targeting by a hacker falls by a great deal.
  • Put in the required information and select administrator in user roles. Create a strong reliable password by the learning you did earlier in this article.
  • After completion, go to Add new User and log out.
  • Login using your new WordPress admin username.
  • Delete the previous admin username by selecting, click on the attribute all posts and link to option.
  • Select New administrator and confirm the deletion.

4. Changing WordPress Default Database Prefix To Avoid Hackers

WordPress uses Dynamic publishing that stores everything in a database. It is a direct target for hackers. They develop SQL injections, automated scripts and hostile codes to break into your website, abuse various databases and publish spam content. But not to worry, there are ways to prevent this from happening. By making a few changes regarding your WordPress before or after installation. When we install WordPress, 12 tables are created in the database consisting of a prefixwp_. Hackers know this and since most of the users do not change this prefix, it becomes a doorway for outsiders. The flexibility of WordPress allows us to change this situation by doing the following little things:

Before Installation Solution

  • Before you install WordPress, go to wp-config.php file and look for $table_prefix = ‘wp_’;
  • Alter the tables prefix wp_; with a stringy or unapproachable password or those letters, numbers, and underscores which cannot be easily guessed e.g. ‘wp_n8u9_99’;
  • After the change has been made, save the file wp-config.php and continue with the installation of WordPress to your website.

After Installation Solution

  • Firstly create a full backup of your database before a change in the table prefix.
  • Locate the filewp-config.php in your WordPress root directory.
  • Find the table prefix mentioned above i.e $table_prefix = ‘wp_’;

    Database Prefix

      Database Prefix

    and make the changes as guided above.

  • Keep in mind to alter all the table prefixes so there is no room for any intruder to trespass. Be smart about entering your SQL commands.
  • Customize the options table also. Search for it and change every option that starts with a prefix‘wp_’. After finding every option, rename them.
  • Look for the usermeta table for replacing the default prefix‘wp_’ with a new one.

This little change can enhance your WordPress site security and you can then focus on other important stuff.

5. Disabling The File Editing (Theme/Plugin Editor)

Let’s say if an attacker gets access to your Administrator account on WordPress and see editor’s availability, he/she can easily make changes to theme/plugin with any hostile code. For that purpose, you may want to prevent that by disabling the editor part on your WordPress dashboard. Follow the simple steps below:

  • Use a text editor and search for the filewp-config.php.
  • Open the wp-config.php file with your text editor.
  • Look for the line mentioning
    /* That's all, stop editing! Happy blogging. */,
    add there
    define( 'DISALLOW_FILE_EDIT', true );
  • Save your file.
  • Go to your WordPress dashboard, you will no longer see (including on your administrator account) links as Appearance > Editor or Plugins > Editor.

6. Limiting Login Attempts For Users

Login Attempts
Login attempts limit reached

A practice known as Brute force attack is constantly used by hackers. The intruder tries to enter your website by using a script of code that will try different combinations until your password gets cracked. Nothing to worry about here, we have a solution for you. Simply limit the number of attempts a user can have to enter his/her password. The common practice is to allow 3 attempts only, after that your website will block the IP of that user for the time period you have selected (based on your own choice). How can you do that? Just follow these basic steps:

  • Install and activate the Login LockDown plugin.
  • Go to Settings and select Login LockDown page to set your plugin configuration.
  • Fill the required information according to your cup of tea like How many login attempts? After how long a user can retry? The Lockdown timing?
  • Under Lockout, invalid usernames select the option of Yes. This will definitely help you a little bit more secure WordPress site.

7. WordPress Hosting With Care

WordPress Hosting
WordPress Hosting

Now that you are using WordPress you might have seen the term WordPress Hosting. What is WordPress hosting? It is actually a website hosting service, that takes care of your WordPress website as an All In One WordPress Security services. It maintains its quality and reliability. They help your website run smoothly in the following ways:

  • Keeping your website secure: All the security measures and threats to your WordPress website are taken care of by hosting. They take care of all the vulnerabilities that your website may or may not face. They handle all security-related issues to make your website full proof. Relieving you with the unnecessary worrying of someone entering your website.
  • Loading Time (Speed): Your Website loading speed is increased by the utilization of these services. Everyone who uses the internet wants fast results, Why not you?
  • Traffic Load Control: If your website is visited by a lot of traffic at once, your website sustains that load without breaking a sweat.
  • SEO: Good hosting helps you drive more traffic because of the speed increase and load control. This benefits your SEO also.
  • Disciplined Backups: It is the most important security part of your website. As a one-man army, individual hosting may forget to back up their WordPress website on a regular basis. This is the reason these hosting services are heaven on Earth.
  • Customer Care: Your website is given value as a priority. Any technical issue in relation to your website gets full and complete attention to get rid of it.
  • Hosting types: You have a choice to select the best hosting type to meet your requirements.
  • Weekly Reports
  • Smooth Sailing: Even though one individual can run the WordPress site in a good manner, but hosting makes it better unless you can handle everything by yourself. Now you might be wondering How do I select Best Hosting Service? Click here

8. Using SSL

Secure Sockets Layer
Secure Sockets Layer

Encrypting something secures it. That’s a common truth. Germany almost won WW2 by using the same technique in their Enigma. SSL is the same thing that provides protection to the sensitive information you place on your website. The https:// is a symbol of confidence on the internet, a user feels safe when he/she sees this symbol. Every Website Owner must use SSL to encrypt and secure their data and personal information. How does SSL primarily helps? It helps in: something secures it. That’s a common truth. Germany almost won WW2 by using the same technique in their Enigma. SSL is the same thing that provides protection to the sensitive information you place on your website. The https:// is a symbol of confidence on the internet, a user feels safe when he/she sees this symbol. Every Website Owner must use SSL to encrypt and secure their data and personal information. How does SSL primarily helps? It helps in:

  • Encrypting Sensitive information: Any information sent across the internet, SSL encrypts that info. So that only the receiver of that information can have access to it. Any computer in between you and the server can see your credit card numbers, usernames, passwords, and other sensitive information if it is not encrypted with an “SSL certificate”
  • Authentication: It makes you sure that you are sending information to a secure server where no one is going to steal it. Why this is important? Someone in between your information pathway may pretend to be your website and extract information. This is only avoidable if you get an SSL certificate from a trusted SSL provider. We also provide SSL services, you can contact us also if you have any query in this matter.
  • Visual Trust: SSL gives your visitors visual cues like a lock icon or a green bar. This will make them feel secure and trust your website instantly.
  • Phishing: No one will be able to impersonate your website to exploit, as the attacker will not have your SSL certificate of Authentication.
  • PCI (payment card industry): SSL is used widely by PCI to avoid money-related thefts during online transactions.

Many online WordPress security services provide SSL. If you do not have an SSL we WP inCare provide this service to set up SSL for you so you can relax and let us take care of these technicalities.

9. WordPress Backups Regularity

Website Backup
Website Backup

Why is backing up your WordPress website so important?. Websites need regular backups because you never know when something might go wrong. All the professional and experienced website owners know this, that backing up your database on a regular basis is severely important because of the following major reasons:

  • Server Failure: Many hosting companies (even the best) cannot promise 100% uptime and reliability. The Server can go down at any point during the problems occurring in the data centers. The customers face many problems during this time. Server outages may occur due to hard drive failure, software errors or any change done in the server structure. Many people don’t take backing up seriously until they lose everything.
  • Hacker’s Victim: If your website gets hacked and is used to send spam emails or publish content online without you knowing, then, as a result, your website might get blacklisted by spam monitors. This can be avoided by regular WordPress backups because one way or the other you can start again from the same point before you became a victim of hacking at a small loss. Be secure!
  • Human Nature: Our nature is flawed and no one is perfect. We make mistakes, even experienced website owners make errors and face the consequences of losing a lot. Wrong files sometimes get overwritten or deleted. These professionals always tell us to regularly backup our WordPress website to avoid these issues.
  • Do Not Rely Upon: Be the caretaker of your own website, do not rely completely on anybody to keep your data backed up. It’s primarily your duty. It is not just important to back up your website regularly but it is a necessity.

It is not just important to back up your website regularly but it is a necessity. Many WordPress Backup plugins are available that will create a zipped version of your website to your server. Hosting companies also offer daily backup in their packages, giving you peace of mind to some extent. We at ‘WP inCare’ also provide WordPress backups in our maintenance plan. Be smart and do backups regularly.

10. WordPress Updating “A Ritual”

WordPress Update
WordPress Update

Do you want your website to be secure and threat free? Updating it will help in preventing most of the hack attacks. When your website is not updated (that may include Themes, Plugins and other core updates), it becomes a security threat. It is an easy target for an attacker to demolish your creation and hard work in a second. Make updating a ritual because it is critically important in the following ways:

  • Malfunctioning: Failing to update effects certain parts of your website and leads to malfunctioning.
  • Compromised Website: No updates means your website is compromised and become an easy target for the hackers.
  • Bug-Free: Website remains safe and bug-free.
  • New features.
  • Better Compatibility.
  • Smooth WordPress experience.
  • WordPress Security releases: Most sites are hacked because they are not updated properly. WordPress security releases is a big part in keeping your site secure, even if you have no interest in the new/cool updated features.

Now that you are familiar with the importance of updating your site, you might be thinking that What are the major updates for your WordPress website? These are the following:

  • Core Updates: Adds new and improved features that enhance the overall security, design, and performance of your website. Failing to do this will have a negative impact on your visitors and a fall in Search Engine Rankings.
  • Theme Updates: It takes the framework (i.e the way your websites appears and runs) to a whole new level with better security and performance. If you don’t do this, it will affect your web presence.
  • Plugin Updates: WordPress Security Plugins are a creation of various authors and are updated regularly. They help in amplifying the functionality of your website. When an author updates a plugin that you are using also, failing to perform an updating job on your plugin makes your website security unsafe.

11. WordPress Security Plugins: “Heavenly Service”

Want extra help? Here are a few best WP Security Plugins available worlds wide so you can have a plugin always looking out for your WordPress site security:

  • iTheme Security Pro: We here at WP inCare support iTheme Security Pro. A reliable group of people who’s No.1 priority is to keep your website secure at any cost whatsoever. You will never feel unsafe again. It is specially designed to meet your every need regarding WordPress site security. All the sections discussed above are taken care of, by this All in one WordPress Security handling plugin.
  • Wordfence: It is the most popular WordPress firewall and security scanner. It is a very comprehensive WordPress security solution available.

Additional Security Measures

Security Measures
Security Measures

What security issues/methods do professional WordPress website users face/use? Since this an All In One WordPress Security Guide Here are a few details in that regard:

12. 2 Factor Authentication

It is a popular method used by Facebook and Google also to improve security. Now you can add 2-factor authentication to your WordPress site also to avoid getting hacked. Most common two-factor authentication setups are:

SMS Verification:

A verification code is sent through a text message. How can you set it up? Here’s a step by step guide:

  • Install and activate Two Factor and Two Factor SMS plugins.
  • Go to Users and select Your Profile there. Find Two Factor Options section there.
  • Check the SMS (Twilio) option and select the radio button also to make it your primary verification method.
  •  Go to Twilio and create a free account there.
  • Add the usual personal information. Fill Product section with SMS. Building section with Two Factor Authentication. Language section with PHP.
  • After sign up. Go to your Twilio Dashboard and click on the Get started button.
  • It will take you to settings wizard. Click on get your first Twilio number.
  •  Copy and save that number in a text file somewhere. Click on ‘choose this number’.
  • Head over to settings. Find Geo permissions page. Here you will select the countries where you will be sending and receiving your SMS.
  • Visit Twilio console dashboard to copy your Account SID and Auth Token.
  • Go to Users your profile section on your WordPress website. Scroll to Twilio section. Fill the Twilio account information.
  •  Click Update Profile information to save your settings. You are now all set for your 2-factor authentication security.

Google Authenticator:

In case you don’t want SMS verification here is another security method in two-factor authentication. Here’s a step by step guide:

  • Go to Users and select Your Profile there. Find Two Factor Options section there.
  •  Check the Enabled check box Time-Based One-Time Password (Google Authenticator) and click on view options for Google Authentication Setup.
  • You will see a QR code which you will need to scan with Google Authenticator app.
  • Install the Google Authenticator app on your phone.
  • Open it and click on the add button.
  • Scan the QR code using your phones’ camera.
  • The app will detect and add your website. Now enter the six-digit code on your plugins settings page and it’s done.
  • Click Update Profile information to save your settings. You are now all set for your 2-factor authentication security.

You will have a more secure WordPress site after these practices.

13. Moving ‘wp-config.php’ To One Folder Up

Do you want to harden your WordPress site security? Move the ‘wp-config.php’ file from a public accessible folder to a folder which is not easily accessible by the general public. Lessen the chances of getting hacked. We move the folder to secure our database connections and other important stuff. This is how you can do it:

  • Go to WordPress.org through an FTP program and find the root.
  • Download wp-config.php to your hard drive and rename it to something other than wp-config.php.
  • Upload your renamed file to a folder above your public_html or www folder.

That is it. You are done. This is a very professional approach and if you feel uncomfortable doing that then hire someone to do that for you. It works great.

14. Http Authentication Protection For WordPress Admin And Login Page


Http Authentication Protection
Http Authentication Protection

Do you want to add an extra layer of security to your wp-admin files? Well, you can implement basic authentication (HTTP authentication).

  • Creating a password file for your WordPress: Create an Apache htpasswd file. The htpasswd file is used by the web server to authenticate users. You can create such a file by:
    a. The online password file generator
    b. Alternatively, drop us an email and we’ll generate an htpasswd file for you.
  • Create an Apache htaccess file: After creating a htpasswd file. You need an htaccess file that will be uploaded directly to the wp-admin directory of your WordPress installation.
    a. If there is no htaccess file in your website’s wp-admin directory, you have to create a new one.
    b. If there is already available htaccess file then, make a backup copy and edit the existing one.
  • Troubleshooting basic authentication problems: If after implementing web server authentication, you try to access the wp-admin directory and receive
    a. HTTP 500 Error
    b. Internal Server Error
    The problem is the password file path specified in the AuthUserFile directive. This path you specify should be the full absolute path from the absolute root of the server.
  • Allowing front end Ajax functionality: Some WordPress Plugins use Ajax functionality in WordPress. This means that such plugins might need access to the file admin-ajax.php which is found in the wp-admin directory. To allow anonymous access to such file for the WordPress plugins to function, add the code below to the htaccess file you just created:

    <Files admin-ajax.php>
    Order allow,
    deny Allow from all
    Satisfy any

15. Enabling Web Application Firewall

Web Application Firewall
Web Application Firewall

A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. WAF is able to filter the content of specific web applications. By inspecting HTTP traffic, it can prevent attacks such as SQL injections, cross-site scripting (XSS), file inclusion, and security misconfigurations. It acts as a barrier between a trusted and a non-trusted network. Web application Firewall is a single scope firewall. Its role on a website is to protect it from any malicious hacker attacks. When a WordPress firewall is installed on your WordPress site, it runs between your site and the internet to analyze all the incoming HTTP requests. When an HTTP request contains malicious payload the WordPress firewall drops the connection.

Types of WordPress Firewalls

  • WordPress Firewall Plugins: When a plugin firewall is installed, every HTTP request sent to your website is processed. They are very affordable and easy to use. Most of them already have a malware scanner built-in them.
  • On-Site dedicated WordPress Web Application Firewalls: These are generic web application firewalls. Generic web application firewalls are installed between your WordPress site and the internet connection. So every HTTP request sent to your WordPress site first passes through the WAF. They are more secure than the plugins.
  • Online WordPress website Firewalls: It is an online service which acts as a proxy server – your website’s traffic passes through it for filtering and then forwarded to your website.

Limitations To Web Application Firewalls

  • Limited Zero Day Vulnerability Protection: One of the most common WAF protection technique is to check the payload of an HTTP request against a database of signatures. So, when someone visits your website the WAF checks the payload against a database of known web attacks. If it matches it means it is malicious, if not it lets it through. Therefore, in case of a zero-day WordPress security vulnerability, there are chances that your WordPress firewall might not block the attack. This is why vendor responsiveness is very important and you should always use software from responsive and trusted businesses. The sooner the vendor can update the firewall rules, the better it is.
  • Web Application Firewall Bypasses: Like all other software, a web application firewall is just another software. It can be bypassed. There a number of articles you can find on how to bypass the protection of web application firewall. As long as the vendor is responsive and re-mediates such complications in time, everything will be fine.

All the above mentioned Professional Security practices are included in our maintenance plans and also supported by our WordPress security plugin iTheme Security Pro as an All In One WordPress Security plugin.

Last Say!

Every website needs maintenance to run smoothly without any rocks in the way. Always perform maintenance tasks, especially when it comes to the security for your WordPress website otherwise all your hard work will suffer immensely. Many big names in the industry use WordPress and they have teams of the best security providers upholding their websites with efficiency. We here at WP inCare also provide maintenance services in our plans. You can go and check out our plans because our motto is

“We plan for your Safety”Click To Tweet

Stay safe, stay secure, don’t let anyone take advantage of your hard work in this competitive world we all call The Internet.


We hope this article All In One WordPress Security Guide was helpful to you. Please do let us know us in the comment section below if you have any stories or questions regarding WordPress you want to share with us.

What we do Best

you Need!

WordPress Updates

Security Checks

Daily Cloud Backups

Speed Optimization

Premium Plugins

Developer Consultation

1 thought on “15 WordPress Security Best Practices”

  1. You made some good points there. I checked on the net for more info about the issue and found most people will go along with your views on this website.

Leave a Comment

Your email address will not be published. Required fields are marked *