Most people use WordPress to run their blog or website.
But to most bloggers, WordPress security isn’t a top priority.
1. WordPress security is not an exciting topic.
2. It doesn’t produce positive ROI; adding security to your WordPress site doesn’t grow your traffic; it doesn’t sign up more email subscribers; it doesn’t put more money to your PayPal account.
3. It’s technically challenging to most people.
So, most people ignore it, taking a chance on the odds.
“It won’t happen to me.”
But when the bad guys strike, dang, that bites:
WordPress is currently powering 27.3% of the web, and it’s still on the rise.
Because of its popularity, WordPress is an incredibly popular target for hackers.
According to WP White Security, more than 70% of WordPress installations are vulnerable to hacker attacks.
Every year, we witness WordPress sites falling victim to hackers.
So, if you ain’t paying attention to your WordPress security, take action to secure your WordPress site before it’s too late.
In this blog post, I’m going to show you 14 actionable steps you can take to ramp up your WordPress blog security to ensure your content remain safe.
Once you have implement all 14 steps on this post, your WordPress site is going to be more secure than 90% of all WordPress site floating on the web.
Awesome, now let’s get started with step 1.
That’s using a web hosting company that specialize in WordPress…
1. Use Web Hosting That Specializes in WordPress
Most people don’t know this, but your WordPress site will be more secure merely by choosing the right web hosting company.
Yes, I’m serious…
According to security experts WP White Security, 41% of WordPress websites were hacked through security vulnerability on their hosting platform.
That means, if you are with the wrong hosting company, you are putting your blog at high risk.
Growthtext is hosted with SiteGround, a hosting company that’s designed for running WordPress.
These guys live and breathe WordPress.
I can sleep well as I know my blog is in the right hands.
Their servers proactively protect all WordPress sites with custom Web Application Firewall (WAF) rules…
In lay terms: Their servers blocks all malicious traffic before they even reach my blog.
Apart from that, they make daily backups of my hosting accounts (all websites – files, databases and emails), and they can perform a restore for me free of charge whenever I need one done.
For the small fee of an extra $12/year, they run a malware scanning service for Growthtext. If my blog gets infected, the scanning feature submits a report instantly to support so they can take immediate action.
I wasn’t offered such thorough security measures with my last web host, so apart from Growthtext, all my WordPress sites are now hosted with SiteGround.
2. Use a Scheduled WordPress Backup Solution
If you want to take one step further to protect your WordPress site, use a scheduled WordPress backup solution.
Go for Vault Press.
Vault Press keeps an off-site backup of your WordPress site, so worst case scenario, even when your web server is hacked, you still have a backup copy of your site.
Vault Press goes for as little as 9 bucks per month for daily backups and one click restores.
Should anything bad happen, you’re just a few clicks away from restoring your WordPress site.
3. Keep WordPress Updated
Why update WordPress?
There are several reasons to update your WordPress, such as improving site performance, adding new features, adding new information to an existing post, deleting obsolete features, and fixing minor bugs.
The most important reason- security.
Often, when security vulnerabilities are spotted, WordPress will deal with it quickly. These fixes are released as WordPress updates.
If you don’t update your WordPress to the latest version, you’re putting your WordPress site at risk.
That’s why, whenever I receive a notification in my email inbox for a WordPress update, I immediately update it to the latest version. Always.
Keeping your WordPress install updated is an important part of keeping your site secured.
If you haven’t logged in to your WordPress site lately, very likely your WordPress needs an update.
Stop reading this and go do an update right now; you can come back to continue reading later. 😉
4. Remove Your WordPress Version Number
By default, WordPress shows your WordPress version on your website. It’s easily found… it’s sitting there in your site’s source view (in any browser, use Ctrl+Shift+i to see a web page’s coding, aka source).
This can be a security leak on your site as you are now telling hackers which version you are running.
If you are always running on the latest WordPress version, you are fine.
But if for some reason you are not, then it’s best to remove your WordPress version number to keep the footprint away.
How to do it?
Add the following function to your WordPress theme’s functions.php file
5. Don’t Use “admin” As Username
A lot of the 1-Click WordPress install script still use “admin” as the default WordPress username.
Every time I do a fresh WordPress install for clients, I change the username to something other than “admin” to make it harder for hackers to guess the site’s login username when they are laying on a brute force attack.
If you are trying to change the username of a WordPress site which is already running, you have 2 options to change your login username:
Option 1: Create a new user and delete the old one.
Option 2: Use Username Changer WordPress plugin to change your username to something else.
6. Use a Strong Password
Don’t use your pet’s name, your mother’s name or even your car plate number as your WordPress password.
Use a stronger password.
What’s a strong password?
The traditional advice for a string password are:
– At least 16 characters
– Include capital letters, lower-case letters, numbers and symbols
– Isn’t a dictionary word or combination of dictionary words.
So, most people will hop over to a password generator and end up with something like this:
That’s a good password.
But how are you going to memorize it?
Even if you write it on a piece of paper, it’s still a pain when you want to use it later: you have to read it like, 7 times before you fill up your password field. 😉
Here is one tip to create a strong password and still remember it.
Write a long sentence; turn that into a password by using the first digits of each word.
Example: I used to live at 721 Fake Street. Rental was $0 each month
So your password: Iutla721FS.Rw$0em
It’s more than 16 characters, and complies to all categories of a strong password.
7. Delete All Plugins and Theme That’s not Active
When someone comes to me to revamp their WordPress sites, 9 times out of 10, when I log in to their WordPress dashboard, I can see a lot of WordPress plugins that are not active but are still eating up space on the site.
Out-dated plugins can pose a security risk.
The same applies to WordPress themes- any themes not in use have got to go with only one exception: a default theme for fallback.
Each plugin and theme installed on your site is like a backdoor into your site’s administrative area.
Hackers can use these plugins and themes as entry points if they have vulnerable loopholes. You need to update them regularly to keep your site secured.
So, if you have installed any plugins or themes that you’re not using, get rid of them.
Remember, don’t just deactivated them and keep them on your site, you must actually hit the “Delete” buttons.
8. Limit Login Attempts
This is what happens when a hacker is running a brute force attack on your WordPress site:
They use software that generates an infinite number of username and password combinations to bombard your login page… until they get in to your site.
So, how do you protect your website against this kind of attack?
Limit the number of login attempts.
Use WP Limit Login Attempts plugin to limit the number of times anyone can attempt to login to your site.
Limiting login attempts is a great move to protect your site against brute force attack, but what if you make it so that no one can find your login page?
That’s even more awesome right?
Here is how you can hide your WordPress login page from the bad guys…
9. Hide Your WordPress Login URL
The default WordPress login page looks like this: www.website.com/wp-admin
Or this www.website.com/wp-login.php
When hackers perform brute force attacks to your WordPress sites, these are the URLs they are after.
How do you make life difficult for them?
Move your login URLs to somewhere else.
Lockdown WP Admin allows you to do it easily.
With this plugin, you will be able to rename your login page.
Once this is set up, when someone visits the 2 default WordPress login URLs above, it will return a 404 error message (page not found).
10. Disable WordPress File Editing
WordPress comes with a built-in code editor that looks this.
It allows you to edit your theme and plugin files right from your WordPress dashboard.
While this is a handy feature (you don’t have to bother with FTP client upload systems when editing WordPress files), it can be very dangerous because a simple typo can end up locking you out of your site.
So, it is always advisable to disable the theme and plugin editors from the WordPress dashboard.
How to do it?
Add this code in your wp-config.php file to disable file editing feature in WordPress:
11. Setup Your WordPress File Permissions Correctly
You don’t want to set a directory with permission of 777 as that will allow someone to modify your file in WordPress.
On computer servers, different files and directories have permissions that specify who and what can write, modify and access them.
It’s important that you configure your WordPress file permission correctly.
You should use the following permissions on your WordPress site:
– wp-config.php file: 600
– All files : 644 or 640
– All directories : 755 or 750
On this page, WordPress shows you how to change file permission correctly
12. Protect The wp-config.php File
The wp-config.php file is an important file of your WordPress installation.
It contains WordPress database connection settings, table prefix, security keys, and other sensitive information.
You want to make it inaccessible to hackers.
How to do that?
Add the following code to your .htaccess file (Be sure to place the code outside of #BEGIN WordPress and #End WordPress tags)
13. Change WordPress Database Prefix
WordPress database is just like the brain of your WordPress install.
Every piece of important information is stored there… so it’s one of the favorite targets of hackers looking to take your site down.
Most people don’t change their WordPress database prefix. This makes their site database prone to SQL injection attacks.
A great way to protect your database is to change the database prefix to something else.
Here is what a default database look like: wp_
You can change it to something else that’s harder to guess like: mynewwp_
Plugins like WP DB Manager make it easy for you to change your database prefix without having to touch your wp-config.php file and the phpMyAdmin in cPanel
14. Off PHP Error Reporting
I’m sure you have seen error that looks something like this on your site when a theme or plugin goes wrong:
y() expects parameter 1 to be a valid callback, function ‘admin_menu_alexa_verification’ not found or invalid function name in /home1/jason/public_html/domain.com/wp-includes/class-wp-hook.php
That’s an error reporting.
If a plugin or theme causes an error, the error message may display your server path.
The error above is giving away the username of the hosting account.
That’s a crucial piece of information for a hacker to attack your hosting account.
You want to turn off PHP error reporting on your WordPress site.
How to do it?
Add the following code to your wp-config.php file:
As a web designer, again and again over the years I’ve seen so many sad stories where years of effort have been lost because people don’t want to spend a relatively small effort to secure their site.
Keeping your WordPress site secured is super important.
And prevention is better than cure.
If you haven’t implemented any of the safety measures I’ve listed above, I seriously advise you to take time out of your busy schedule to do so… your future self will thank you.
10 thoughts on “The Ultimate Actionable WordPress Security Guide”
Great article Verena – thank you 🙂
Glad you liked it, Val.
Very good information Verena…thank you
So happy you like it, Martin. Keeping our WordPress site secured is super important. And prevention is definitely better than cure.
Hi Verena, not sure when or how I subscribed to you. But it’s the best decision I made. I will definitely change my login page URL, which will remove 95% of the hacking strikes. I think you should also add 2 step authentication to this list.
I was hacked on one of my sites and it was super scary. I had the typical admin as my username. There’s also a way they can figure out your username especially when you have a blog post, it tends to post the authors username there. I had to download an author plugin to cloak it.
I would love to work with you on a proposition. I will send you an email.
You’re welcome, thanks for sharing your experience too. 2 step authentication definitely helps.
Hi Verena, Thank you so much. Your post is very helpful. I will share this!
Amazing tips. Thanks so much for sharing. Just implemented some of them including few other security tips from this source. Hope my WP will not be hacked again.