Essential tips for WordPress security

Security need not be in the sole domain of the security professionals. Learn about the absolutely essential WordPress security tips that can be implemented by most novice WordPress website owners.


Security need not be in the sole domain of the security professionals. The following tips are not only essential, but can be implemented by most novices and WordPress website owners.

In this post we’ll look at two aspects of WordPress security tips – first on how to prevent security breach (i.e. being hacked), and the second deals with limiting the damage in the event of security breach.

Keeping your WordPress sites secure

Your WordPress sites don’t need to be harbouring a treasure trove of credit card information to be a target to hackers. There are too many automated attack scripts just looking for vulnerable websites to breach into for a myriad of reasons – illicit advertisement, spamming, increasing the resources of a botnet, etc. For this reason, any remotely popular website is bound to get a large number of intrusion attempts.

Fortunately (or not), these kind of attacks are rarely sophisticated, and therefore can be thwarted by good preventive measures and security practices. Here are the essential steps you can take to minimise the chances of a successful attack.

1. Use strong passwords

Strong passwords are difficult to remember, which is why the large majority of passwords for the large majority of people are really easy to crack. However, it is absolutely essential that all administrator accounts on your WordPress sites use very strong passwords – that means a random combination of upper and lower case letters, numbers, and symbols.

You don’t have to remember every single password that you have – we recommend using a password manager like LastPass for that.

2. Change the admin username

Analysis on intrusion attempts on the websites we administer revealed that the most common usernames being used for brute-force attempts are “admin” and the website’s domain name. For example, if your website’s domain name is, hackers will try to login with the username “johndoe”.

So make sure none of your administrator accounts have those as the username.

3. Keep everything updated

Updates for WordPress core, themes, and plugins don’t just include new features and bugfixes – they often include patches to security vulnerabilities as well. Once these updates are made available, the genie is already out of the bottle, and hackers who were not privy to such vulnerabilities can now learn about and exploit them as well.

Which is why it is absolutely essential that you keep everything on your WordPress sites updated.

4. Restrict permissions on files and folders

If your website is hosted on a shared server (as most websites are), security breaches that occur in another website can affect yours as well. To minimise the chances of this happening, WordPress recommends setting files permission to 0644 and folder permission to 0755.

You can probably ask your web host to do this for your sites, or you can do it yourself via FTP.

5. Change the default database prefix

By default, WordPress uses “wp_” to prefix all tables in the database. To prevent possible intrusion via what is known as SQL injection attack, you should change this to something else. You don’t need to remember what it is, so feel free to use any random combination of letters. It doesn’t need to be long either – 3 or 4 letters and the underscore should be fine.

6. Secure config and admin files

A simple addition to your site’s .htaccess file can help to further prevent intrusions. The wp-config.php file contains the database username and password for your WordPress installation in plain text, so you must secure this file. You can do this by adding the following code into the .htaccess file in the root folder of your WordPress site:

<files wp-config.php>
order allow,deny
deny from all

Another part of WordPress that is never meant to be accessed directly by any visitors is the wp-includes folder. You can secure this by adding the following code to the same .htaccess file:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

7. Use a firewall plugin

If you have taken all the previous steps above, your site should be quite well protected against the garden variety attacks. However, you can still significantly improve your site’s security without having to implement the more difficult measures, simply by using a firewall plugin.

We would recommend WordFence for its ease of use and excellent coverage of the most common attack vectors. The free version of the plugin is sufficient for most sites, but if your site is particularly vulnerable, you can opt for the pro version.

Limiting the damage when your site is hacked

Let’s face it: no system is absolutely secure. Your website can be hacked, no matter what you do. Whether it will be hacked or not depends on just how determined the attackers are despite the security measures you’ve put into place.

So in the unfortunate event that an intrusion takes place anyway, here are some essential tips you can take to minimise the damage to your website.

1. Disable file editing

The WordPress administration area includes a feature where you can directly edit your plugins and themes files. This means that in the event that an attacker successfully cracked your admin username and password, he will be able to edit those files as well and inject any code that he could then execute at a later date and time. Most of the time you won’t notice this happening until it’s already too late – like your site is being used to send spam emails, or worse to spread malware to your site’s visitors.

You can still somewhat prevent this by disabling the file editing feature in WordPress. Just add the following line to the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

2. Take regular backups of files and databases

Even though it’s unlikely that you’ll catch an intrusion when it happens, you can still usually determine the date when your site is breached. There are several ways to do this: compare the files modified dates, checking the server’s access logs, etc. When you have determined the date of intrusion, you can then simply replace the entire files and databases of your site with the backup copy taken before the intrusion occurred.

It’s a lot easier to completely disinfect a hacked website this way, rather than manually checking for changed files and malicious codes in the hundreds of files in WordPress, not counting the thousands of rows in the database.

That concludes the most essential steps that you should take to significantly improve the security of your WordPress sites. Some of them are more difficult to implement than others. If you find that you are at wit’s end on how to implement them, you can always get a web development studio like, you know, we are, to do it for you.