13 Best Security Practices to Secure Your WordPress Website

default image

As a fellow technology geek, I understand the importance of properly securing your WordPress site. After analyzing countless WordPress security incidents, I want to share my insider expertise on locking down your site.

In this comprehensive guide, we‘ll dive into 13 must-have security best practices based on my years as a WordPress security analyst. Many of these techniques are easy wins that offer a huge ROI in protecting your site.

Let‘s jump in and explore how to make your site rock-solid!

1. Use Strong Passwords

Let‘s start with passwords – the gatekeepers to your site. Weak passwords are behind an overwhelming majority of WordPress compromises I‘ve investigated. Investing a bit of effort in creating strong passwords goes a tremendously long way.

According to Verizon‘s 2021 Data Breach Report, 80% of hacking breaches involved compromised credentials. And you wouldn‘t believe how many people are still using braindead passwords like "123456", "qwerty", and "password" for their WordPress login:

123456 23.2 million
123456789 7.7 million
qwerty 3.8 million
password 3.6 million

As you can see, lazy passwords are still far too common. These kinds of weak passwords leave sites ripe for brute force attacks. Don‘t be part of this statistic!

Here are my tips for creating nice and strong passwords:

  • Length is key – Use at least 12 characters, but longer is even better. The longer the password, the tougher it is to crack.

  • Get creative with character sets – Go beyond just letters and numbers. Mix in symbols, special characters, and even emojis if allowed.

  • Avoid real words or personal info – Stay away from dictionary words or things like your birthday or pet‘s name.

  • Consider passphrases – Multiple words joined together can create memorable but complex passwords.

  • Use a password manager – A password manager handles creating and storing strong unique passwords for you. LastPass is a good free option.

  • Enable two-factor authentication (more on this later) – 2FA provides an extra layer so hackers would need your physical phone too.

Take your time to create a nice strong password for your WordPress login. It‘s truly the foundation for protecting your site.

2. Activate Two-Factor Authentication

Two-factor authentication (2FA) adds an extra step to logging into your WordPress admin area. With 2FA enabled, you need to enter a special code from your phone after entering your password.

This extra verification code is generated by an authenticator app or sent via SMS. Only someone who has your password and physical phone can log in.

According to a survey by, over half of cybercrime victims reported 2FA could have prevented the attack. I highly recommend adding this extra layer of protection:

52% Believe 2FA could have stopped the cybercrime
27% Wish they had implemented 2FA sooner

Popular WordPress 2FA plugins include Google Authenticator, Authy, Duo Security, and AuthLite. Take the time to research and install a 2FA solution – it really does help thwart so many automated attacks.

And be sure to enable 2FA for any email accounts tied to your WordPress site too!

3. Limit Login Attempts

With password brute forcing being so common, limiting login attempts is another wise tactic. Plugins like Limit Login Attempts allow specifying a maximum number of failed logins before temporarily blocking access.

According to Wordfence, over 25% of all WordPress sites see a brute force attack each month:

Sites hit with brute force attack per month 25%
Average number of attacks Over 35 per month

With login limiting enabled, hackers only get so many guesses before getting shut out. You can customize the lockout duration and whitelist your own IP. This hampers password guessing attempts without being too annoying for legitimate users.

4. Utilize Captchas

Adding a captcha for your WordPress login forms is another handy way to thwart brute forcing. Captchas require users to prove they are human before logging in by solving a visual challenge.

This presents a stumbling block for hackers attempting to automate login requests. Bots simply cannot bypass captcha checks as easily as humans can.

According to Imperva Research:

Websites using captcha reduce automated bot traffic by Over 90%

Popular captcha plugins like Really Simple Captcha and Captcha make adding this protection straightforward. Using captchas in combination with the other login protections is a winning formula.

5. Monitor Those User Accounts

Vigilantly monitoring user accounts helps detect unauthorized access more swiftly. Intruders often create new accounts or modify existing accounts as their first move.

The Wordfence firewall includes a handy feature to monitor key account activity including:

  • New user registrations
  • Failed login attempts
  • Password resets
  • Username changes
  • Admin privilege changes

You can configure Wordfence to email alerts for suspicious events like a flood of new users. This allows responding quickly to compromised credentials or attempted break-ins.

Make it part of your regular routine to review the Users menu and know when new accounts are added or altered. They are often the canary in the coal mine signalling an intrusion.

6. Lock Down File Permissions

Another common issue I routinely encounter with hacked sites relates to file permissions. WordPress defaults to pretty relaxed file permissions, which can open doors for attackers.

When file permissions are too permissive, it allows directly modifying files from the server itself. Hackers leverage this to inject backdoors into vulnerable plugins, themes, and other files.

I recommend taking a few minutes to harden your file permissions:

  • Set folders to 0755 permissions
  • Set files to 0644 permissions
  • Disable PHP/CSS/etc execution in the uploads folder

Plugins like iThemes Security can instantly tighten up permissions. It‘s also easy to manually update permissions directly on the server.

Properly configuring file permissions reduces what files are editable. This locks the front door against malicious file injections.

7. Put That File Editor Away

The WordPress file editor allows modifying plugins, themes, and core files right from the admin dashboard. While handy for development, I only recommend enabling the file editor when absolutely needed.

Leaving the file editor enabled 24/7 is asking for trouble if an attacker gains access. They can quickly inject malicious code into any theme or plugin file.

Adding the following line to wp-config.php disables the file editor completely:

define( ‘DISALLOW_FILE_EDIT‘, true ); 

I recommend relying on SFTP or Git for file management instead. Only enable the editor temporarily for specific development tasks. The fewerdoors left unlocked, the better.

8. Shhh…No One Needs to See Those Errors

Verbose PHP error messages can reveal pathway information to attackers when mistakes happen. They pinpoint file locations where issues occur and other clues.

Best practice is to only display errors for developers actively troubleshooting the site:

  • Disable error messages for non-admin user roles
  • Enable debug logging to record errors without displaying them publicly
  • Only turn on full error display when you are developing

Removing error messages from public visibility denies attackers some handy reconnaissanceshould an issue arise. Don‘t give them any free information!

9. Keep that Public Wi-Fi Far Away!

Accessing your WordPress dashboard over public or untrusted Wi-Fi is asking for disaster. On an open Wi-Fi network, anyone nearby can snoop on unencrypted traffic.

I routinely see sites hacked after the owner logs in via public Wi-Fi. All it takes is one observed password or session cookie for an attacker to access your admin area and wreak havoc.

When working in your WordPress dashboard, always stick to a private trusted network. For accessing your site remotely, use your secure mobile hotspot or VPN instead. This encrypts your traffic and hides your true IP address from prying eyes.

Consider public Wi-Fi a definite no-no zone for any admin site access. The convenience simply isn‘t worth the huge risk.

10. Bring in the Big Guns with a WAF

For heavy duty protection, I always recommend implementing a Web Application Firewall (WAF). This is like installing a security guard to monitor and filter all traffic to your site.

WAFs provide enterprise-grade security against all types of attacks including:

  • SQL injections
  • Cross-site scripting (XSS)
  • DDoS protection
  • Malware detection
  • VPN user blocking
  • Rate limiting and more

Popular managed WAF services compatible with WordPress include:

  • Cloudflare – Good free plan available
  • Sucuri – Focuses on WordPress security specifically
  • Wordfence Premium – Robust features from well-known WordPress security plugin

The extra investment is well worth it for the enhanced security a WAF provides. They will catch things that may slip by other layers.

11. Backups…Don‘t Leave Home Without Them!

Say it with me friend: "I will perform regular WordPress backups!" Even if you nail every other security practice, backups are still a must.

Having reliable backups enables restoring your site quickly should disaster ever occur. Don‘t wait until you actually need them to think about backups!

Use a dedicated plugin like UpdraftPlus to automate backups on a schedule. Store backups both locally and remotely in multiple cloud locations.

Occasionally do a test restore to confirm your backups are working properly when needed. Outdated or incomplete backups waste all the effort.

Lastly, make sure to backup your WordPress database, files, AND wp-config.php file for a complete snapshot.

12. Update, Update, Update!

Here‘s one last critical piece of advice I can‘t repeat enough – stay on top of your updates! This includes:

  • WordPress Core – Enable auto backgrounds updates here
  • Plugins – Regularly check plugins for updates
  • Themes – Keep themes updated too

Outdated software contains vulnerabilities that may already be known and exploitable. New security issues are constantly being discovered.

Wordfence research shows:

Average lag between public exploit disclosure and getting patched 21 days
Unpatched sites attacked within hours of disclosure Over 60%

Make a point to update early and update often – especially for security releases. Sign up for email notifications from vendors about new updates.

Removing unused and abandoned plugins can also decrease your vulnerability footprint.

13. Choose Your Host Carefully

Last but certainly not least – your web hosting environment provides the very foundation for WordPress security. Not all hosts are created equal when it comes to performance and security.

For best WordPress security results:

  • Use managed WordPress hosting – They offer tailored security features compared to regular shared hosting.

  • Check security credentials – Look for hosts using proactive WAF, firewalls, intrusion detection, DDoS mitigation, and other layers.

  • Avoid cheap overloaded hosts – Massive shared servers are highly vulnerable to attacks spreading between sites.

Take your time vetting hosts on their specific security expertise and track record with WordPress. This gives your site the most secure foundation to build upon.

Keep Up Ongoing WordPress Security Best Practices

And there you have it my friend – the inside scoop on locking down WordPress security! Use this guide as a starting point to implement ongoing security best practices.

Here are some key takeaways as you move forward:

  • Prioritize security plugins like Wordfence to provide layered protection.

  • Create a schedule for regular security tasks like updates and backups.

  • Limit access controls across admin accounts and user roles.

  • Monitor closely for warning signs of compromise.

  • Keep learning more advanced techniques over time.

With proper diligence, you can drastically decrease the risk of attack. But security requires ongoing vigilance – not just a one-and-done activity.

Let me know if you have any other tips to share! I‘m always looking to improve my own WordPress security knowledge. Stay safe out there!


Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.