Best Practices to Secure Your WordPress

Best Practices to Secure Your WordPress

With Best Practices to Secure Your WordPress, you will learn to apply some rules and concepts that will help you to keep your site out of problems.

Introduction to Secure Your WordPress

WordPress started in 2003 as a joint effort between Matt Mullenweg and Mike Little. They create a fork of b2/cafelog, a blogging tool developed in 2001 by some French programmer Michael Valdrighi.

In 2002 Valdrighi stopped the development of b2, but in January 2003 this job that was left behind by Valdrighi was taken back with a fork of his project which is now nowadays as WordPress.

WordPress is a Web Content Management System (CMS), computer software used to manage the creation and modification of digital content. It provides website authoring, collaboration, and administration and it helps users with little knowledge of web programming languages or markup languages create and manage website content.

It is open-source and it is free, meaning anybody can download and install it for its own purpose. It was developed initially as a blog system but it evolved and nowadays it is possible to use it for developing websites, forums, eCommerce, media gallery, and learning systems, and the list continue and is expanding with time.

Isn't WordPress secure?

By nature, WordPress is secure enough to use, and there are a lot of people studying and analyzing its code and implementing patches and updates when a defect is found.

But remember that it is open-source and not only the original developers and maintainers have access to the code but everybody, and in this list, malicious people are found.

Once in a while, the code is exploited by bad entities, but fortunately, there are others that are competing against these entities and they are trying to discover these weaknesses before they are exploited. Companies like WordFence are doing an excellent job.

Before implementing WordPress:

1.- It is important to select the right place to host your WordPress project. Your Web Hosting company must guarantee a secure environment for a WordPress implementation. Be sure your selection includes a place where elemental security is included. For example, Modsecurity rules should be implemented on a server level and by default. Modsecure is an open-source web application firewall that will stop almost all well know SQL injection attacks.

2.- The Operating System is important too, for example, CloudLinux offers stability with the most optimal secure environment for deploying applications in a shared environment. Users are isolated between them and the process levels are regulated and administered.

3.- Good hosting companies host their resources in high-end data centers. These always include DDoS attack protection that is automatically implemented every time an attack is discovered. You can help yourself by implementing Cloudflare which is a CDN, WAF, DDOS protection, bot management, API security, web analytics, image optimization, stream delivery, load balancing, SSL, DNS, and so on. There is free use of their DNS infrastructure that you can use.

Initially Secure Your WordPress:

1.- Use strong passwords: Nowadays there is no excuse for not using strong passwords. I should not need to explain the reasons behind this but logically the use of strong and difficult passwords makes it harder for attackers to gain access to your system. This is true for your mail, for accessing your computer, for any registration to any service that requires registration or the use of login.

2-. Change the default login address: Everybody knows that the login address of a WordPress site ends in /wp-admin. Test yourself trying this with different domain names and I bet you will find once in a while an unsecured WordPress admin login address. There are plugins that allowed you to hide the access to the administration page of your site, they are easy to use.

3.- Unsecure plugins: Only install plugins that are considered secure. Select the one that has more and better reviews and the one that has more installation. I would consider a plugin with 10 million installations more secure than one that has only 100. Popular plugins are considered mature and updates and patches are delivered more frequently than the ones that are not so popular.

4.- Uninstall plugins and themes that you are not using: This will eliminate any hiding that you considered not in use, obvious that the code is still installed on your WordPress, so keep it clean with only the necessary code for your website.

5.- Keep your implementation updated: Sometimes security vulnerabilities are corrected with new WordPress releases. Updating to the newest version of WordPress will ensure that you have the latest security fix. Not updating your version of WordPress may leave your site open to hackers. The same is true with the plugins and themes. Keeping them updated is a good way to make things difficult for attackers.

6.- Backup your site: It is good practice to have a backup system like the one offered by neteron. You can configure it to backup the complete account and have the possibility of recovering if something happens or rolling back after a mistake made by your web developer or yourself. I promise you won't regret it. you will be able to automatically apply the next rules to Secure Your WordPress:

Some of these are not so simple and require some research for a standard user. Some web hosting like has an easy way of implementing these measures, just with a few clicks.

1.- Turn off pingbacks: Pingbacks allow other WordPress websites to automatically leave comments under your posts when these websites link to these posts. Pingbacks can be abused to use your website for DDoS attacks on other sites. This security measure turns off XML-RPC pingbacks for your whole website and also disables pingbacks for previously created posts with pingbacks enabled.

2.- Restrict access to files and directories: If access permissions for files and directories are not secure enough, these files can be accessed by hackers and used to compromise your website. This security measure sets the permissions for the wp-config file to 600, for other files to 644, and for directories to 755.

3.- Configure security keys: WordPress uses security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY) to ensure better encryption of the information stored in the user's cookies. A good security key should be long (60 characters or longer), random and complex. The security check should verify that the security keys are set up and that they contain at least alphabetic and numeric characters.

4.- Block directory browsing: If directory browsing is turned on, hackers can obtain various information about your website that can potentially compromise its security. If directory browsing is turned on, this security measure can block it. This measure modifies the server configuration file (Apache, Nginx). Note that custom directives in the .htaccess file might override this.

5.- Forbid execution of PHP scripts in the wp-includes directory: The wp-includes directory may contain insecure PHP files that can be executed to take over and exploit your website. This security measure prevents the execution of PHP files in the wp-includes directory. This measure modifies the server configuration file (Apache, Nginx). Note that custom directives in the .htaccess file might override this.

6.- Forbid execution of PHP scripts in the wp-content/uploads directory: The wp-content/uploads directory may contain insecure PHP files that can be executed to take over and exploit your website. This security measure prevents the execution of PHP files in the wp-content/uploads directory. This measure modifies the server configuration file (Apache, Nginx). Note that custom directives in the .htaccess files might override this.

7.- Block unauthorized access to wp-config.php: The wp-config.php file contains sensitive information like database access credentials, and so on. If for some reason, the processing of PHP files by the web server is turned off, hackers can access the content of the wp-config.php file. This security measure prevents unauthorized access to the wp-config.php file. This measure modifies the server configuration file (Apache, Nginx). Note that custom directives in the .htaccess files might override this.

8- Disable scripts concatenation for WordPress admin panel: This security measure turns off a concatenation of scripts running in the WordPress Administrator panel, preventing your website from being affected by certain DoS attacks. Turning off the concatenation of scripts might slightly affect the performance of the WordPress Administrator panel, but it should not affect your WordPress website from visitors' point of view.

9.- Disable PHP execution in cache directories: If a compromised PHP file ends up in one of the cache directories of your website, executing it can lead to compromising the whole website. This security measure disables the execution of PHP files in cache directories, preventing such exploits from happening. Note that some plugins or themes might ignore the security recommendations from WordPress Security Team and store valid PHP executables in their cache directory. You might have to disable this security measure if you need to make such plugins or themes work.

10.- Disable file editing in WordPress Dashboard: Disabling file editing in WordPress removes the ability to directly edit the plugin and theme file sources in the WordPress interface. This measure adds an additional layer of protection for the WordPress website in case one of the WordPress admin accounts is compromised. In particular, it prevents compromised accounts from easily adding malicious executable code to plugins or themes.

11.- Change default database table prefix: WordPress database tables have the same standard names on all WordPress installations. When the standard wp_ prefix is used for the database table names, the whole WordPress database structure is transparent, making it easy for malicious scripts to obtain any data from it. This security measure changes the database table name prefix to something different than the default wp_ prefix. Note that changing the database prefix on a website with production data might be dangerous, so it is strongly advised to back up your website before applying this measure.

12.- Enable bot protection: This measure protects your website from useless, malicious, or otherwise harmful bots. It blocks bots that scan your website for vulnerabilities and overload your website with unwanted requests, causing resource overuse. Note that you might want to temporarily disable this measure if you're planning to use an online service to scan your website for vulnerabilities since these services might also use such bots.

13.- Block access to sensitive files: This security measure prevents public access to certain files that can contain sensitive information like connection credentials or various information that can be used to determine which known exploits are applicable to your WordPress website.

14.- Block access to potentially sensitive files: This security measure prevents public access to certain files (for example, log files, shell scripts, and other executables) that might exist on your WordPress website. Public access to these files could potentially compromise the security of your WordPress website.

15.- Block access to .htaccess and .htpasswd: Gaining access to .htaccess and .htpasswd files allow attackers to subject your website to a variety of exploits and security breaches. This security measure ensures that .htaccess and .htpasswd files cannot be accessed by abusers.

16: Block author scans: Author scans are looking to find usernames of registered users (especially WordPress admin) and brute-force attack the login page of your website to gain access. This security measure prevents such scans from learning these usernames. Note that depending on the permalink configuration on your website this measure might prevent visitors from accessing pages that list all articles written by a particular author.

17.- Change the default administrator's username: During the installation WordPress creates a user with administrative privileges and the username 'admin'. Since usernames in WordPress cannot be changed, it is possible to try brute-forcing the password of this user to access WordPress as the administrator. This security measure creates a WordPress administrator account with a randomized username and ensures that there is no user with the administrative privileges and 'admin' username. If the 'admin' user is found, all content belonging to this user is reassigned to the new administrator account, and the 'admin' user account is removed.

Going the extra mile with Secure Your WordPress and Wordfence.

Installing a security plugin like Wordrfence will give you an extra level of security. The free version will provide you with Malware scanning, two-factor authentication, rate limiting, brute force protection, vulnerability alerts, and more.

With Wordfence you will be able to identify and block malicious attackers targeting WordPress, and if you get the paid version then you will receive the latest firewall security rules, block IP addresses in real-time, and detect the newest malware.

If you are running a high-end mission-critical website where downtime has a financial impact then you must consider a Response Plan through Wordfense. This will provide an SLA of 4 hours a day, 7 days a week, and 365 days a year incident response with a 1-hour response time and 24-hour time to resolution. you


WordPress is a relatively secure CMS that allowed the integration with hundreds and hundreds of external applications called plugins. It is difficult to follow and track the origin of all this code and it is up to you to follow some rules to keep your site as safe as possible. Remember this is an open-source and as well as there are good people reviewing the code on a daily basis, there is the not-so-good one that is looking for flaws to exploit.

You must always think about security in everything you do with your WordPress. Always backup before any update is made, or before a plugin is installed. Automatic daily backups are the best, and manual backups are just before any changes are made.

The end.