WordPress Security: Tried and True Tips to Secure WordPress

WordPress Security: Tried and True Tips to Secure WordPress

Securing your WordPress site keeps you, your content and your visitors safe from hackers trying to collect personal information or distribute nasty malware and viruses.

I was once hacked and it cost me traffic, money and lots of time. I had to completely redo my site! Unfortunately, back then I wasn’t familiar with the many ways I could protect my site from such attacks.

According to Forbes, about 30,000 sites across the web are hacked everyday. Not all of them are WordPress sites, mind you, but it does pose a huge problem. Legitimate businesses everywhere suffer needlessly from lost revenue and time when their site gets hacked and injected with malicious links and malware, not to mention a loss in credibility.

All this can be prevented, but it can be difficult to know where to start and what actually works when it comes to ramping up your security measures. The WordPress Codex has many great tips, but there’s so many more steps you could take to improve the overall security of your site.

The cliché “the more the merrier” applies to the security of your site. The more you put into its defences, the less likely it will be that a hacker can infiltrate your site. So here are 10+  ways you can improve the security of your WordPress site for single and Multisite installations.

1. Stay Updated

Newer versions of WordPress roll out regularly and they contain fixes for many bugs, new features and, most importantly, security updates. The core team does a great job patching up security vulnerabilities quickly and efficiently.

All this is rolled out in newer versions, but if you don’t take the time to apply those updates your site won’t include the latest in security fixes, leaving you open to hackers.

You can update your version of WordPress by going to Dashboard > Updates on single installs.

"Updates" is highlighted under the admin dashboard sub-menu.
You can also update your plugins and themes from this page as well.

For Multisite installs, go to your network admin’s dashboard > Updates > Available Updates.

"Available Updates" is highlighted under the "Updates" sub-menu in the network dashboard.
You can also find the updates for your network’s themes and plugins here.

While security updates are applied automatically, major releases are not and need to be updated manually by visiting these pages. If you would like to stay updated with new releases, we keep you up-to-date in our weekly WordPress newsletter, The WhiP.

2. Use and Enforce Strong Passwords

If the password to your administrator account is simple, then it may be easy for hackers to guess it and log into your site without you knowing. Passwords such as “John1234,” “adminpassword” or “Password1” will be easy to guess.

According to SplashData, the most common passwords for both 2013 and 2014 were “123456” and the runner up was “password,” which is just as secure – which is to say that they most definitely are not secure at all!

With simple to guess passwords like these, hackers may be able to sign into your site and create a new admin account for themselves to come back to your site at their leisure to add whatever malware and backlinks they please.

This can be easily avoided by using a strong password that contains both uppercase and lowercase letters, numbers and punctuation. It should also look like a random string of characters or otherwise unreadable to humans.

You may think that a password like this would be incredibly difficult or impossible to remember, but it doesn’t have to be. If you think of a sentence you can easily remember, write out the first letter of each word and include the punctuation and numbers you normally would add if you were to write out the sentence.

For example, a memorable sentence such as “My name is Jane Doe and I love my dog Puddles, who was born in 2013.” – becomes the password “MniJDaIlmdP,wwbi2013.” Could you guess this password without any reference to its origins? Probably not and the same goes for hackers.

You don’t necessarily need to have a password this big as long as it contains all of the suggested elements and is at least eight characters long. You can also enforce strong passwords to be created by your users by installing a security plugin like Wordfence Security or iThemes Security.

3. Use Trusted Plugins and Themes

The WordPress.org Theme and Plugin Directory are amazingly abundant sources of free and premium themes and plugins, but not all of them are created equal. While most of them are top notch, WordPress is largely run by volunteers who approve themes and plugins before they become available in the directory, but it’s not a fool-proof system.

The WordPress Theme Directory page.
There are over 37,000 plugins alone on the WordPress.org site.

Many plugins (more so than themes, usually) are approved even though they may contain sloppy code or can otherwise slow down your site or cause other problems. Even though they are approved for not causing major WordPress malfunctions doesn’t mean it’s necessarily good.

They may contain security holes that aren’t caught by the developer, allowing hackers to more easily intrude on the plugin and then n your site.

While the directory has a rating system, it’s fairly subjective since they are based on other users’ reviews who sometimes don’t have a legitimate reason for voting the way they do. For example, one star reviews are too often given for reasons such as the users found the plugin didn’t have a certain feature, even though the plugin page clearly stated its capabilities – or lack there of.

A developer can also create a great plugin that’s approved, only to update it later with undesirable code or even malicious ones since the plugin doesn’t need to be reviewed before updates are applied.

This is why it’s important to download and install themes and plugins from trusted sites and developers like WPMU DEV. Searching for reviews online is a great way to check the quality of your desired download in addition to reading the reviews and information on the theme or plugin’s page in the WordPress directory.

If you’d like more information on this issue, check out our detailed post WordPress Needs to Enforce Better Plugins – and Here’s How to Do It.

4. Backup Your Site

When you save a copy of your entire site – both files and database – it means you can easily recover your site if something were to go wrong such as making a change that breaks your site or if you get hacked.

There are many plugins currently available that are reliable including our own Snapshot Pro. There’s also VaultPress, BackupBuddy or blogVault.

It’s important to note that no matter how you choose to backup you site, you should keep a regularly updated copy in multiple places. You shouldn’t only keep copies on your server or in your email since both these places can be hacked.

Plus, if you also keep a copy offsite such as on your OS or on the cloud, there’s even less of a chance that you will lose your site. You’ll have an extra copy handy just in case.

5. Use a Security Plugin

Ever since I started using a security plugin I won’t go back to not using one. When I look at the statistics I can see how many hundreds of times a day any one of my sites is hit with an attempted attack that’s also blocked.

I first started using one after one of my sites got hacked and injected with backlinks to spam sites. I noticed what happened when I tried to share a blog post, only to see that when I pasted the link into Facebook, the preview showed the title and content were replaced with spam.

I had to start fresh and redo my site from scratch. I didn’t know at the time that there are many security plugins out there that offer anti-virus, firewall and anti-malware services. Some of them can even help clean up a hacked site if you still have access to install it such as Wordfence Security, which works for both single and Multisite installs.

Here are some other plugins that can help you amp up your security:

This is just a sampling of the many out there that you can peruse at your leisure.

6. Change the Default Admin Username

When you first created your site, by default your username was set to admin, just like most other WordPress sites out there. Not changing your username makes it easier for hackers to get into your site since they only have to guess your password.

"Admin" has been entered into the username field in the login form on the wp-login.php page.
If your login page doesn’t look like this when you have entered in your username, give yourself a pat on your back.

If you do change it, it’s one extra step the hacker needs to take, meaning you’re one step safer. We previously posted an article that shows you how to do this for yourself called How to Change Your WordPress Admin Username.

You could alternatively create a new administrator account and call it something else, then delete your old admin account.

If you’re not careful, though, this could cause you not to have access to functions you did before created by plugins you previously added if you don’t give your new account the proper access. This is why changing your username manually is usually the safest option.

7. Check Your File Permissions

If you’re hosting your site on a Linux or Unix server, you have access to your folder and file permissions, which either provides or limits access based on the settings you choose. If your permissions are too permissive, almost anyone could access important files and folders on your site.

The WordPress Codex has a great guide that explains file permissions in-depth. We’ll also be posting more about file permissions in our next Weekend WordPress Project article.

8. Limit Access to Important Pages

Your admin dashboard and login page are among the most important pages since they can grant access to your entire site. Limiting access to these pages means you and your users will be the only ones that will be able to access your site, keep you all a little safer.

If you would like to know how to limit access to these pages, check out our post Limit Access to the WordPress Login Page to Specific IP Addresses.

9. Use an Secure Socket Layer (SSL) Certificate

You may have seen SSL certificates in use when you visit may websites like Facebook, Twitter, Google and many others. Instead of http being shown in front of a link in your address bar, https is shown, indicating that the site you are on is secure and the connection is encrypted.

SSL in Google Chrome with a https URL prefix and green padlock
This is what a site with SSL looks like in Google’s Chrome browser. The padlock differs in different browsers.

If your site requires users to login or enter personal information, you need an SSL certificate. To find out more information on this and how to get one on your site, check out our post How to Use SSL and HTTPS with WordPress.

There are many plugins that help you switch your site from http to https once your certificate is installed. Here are a few of the best SSL plugins currently available:

10. Use Secure FTP (SFTP) or Shell access (SSH)

Transferring your site’s files through FTP is a quick way to get a new site up and running or add new files to your existing site, but it’s not as secure as other methods. Hackers could potentially interject your FTP connection.

Using SFTP is more secure and your passwords are encrypted to help prevent hackers from learning it. SSH is another secure method of adding or transferring your site’s files.

If you do want to use FTP, it’s a good idea to delete any FTP accounts that you’re not using to prevent them from being accessed without your consent. Some web hosts allow you to use FTP accounts for a time limit that you set. This is a great way to help keep your site and information more secure.

11. Password Protect Important Folders

You can make it  more difficult for hackers to access your site’s folders by password protecting them so only you have access to them.

In cPanel, go to Security > Password Protect Directories to access a list of your site’s folders. Choose the directory you wish to password protect and click on it.

Under the Create User heading, enter in your desired username and password, then click Add or Modify the Authorized User to save your changes.

Fields are displayed to enter a desired username, password and password confirmation in order to password protect a directory. There is also a password strength testing indicator bar and a "Password Generator" button.
If you already have created a username and password previously, you can skip this step.

Now under Security Settings on this page, check the box with the label Password protect this directory. Also enter a name you would like to be displayed when someone tries to access your directory in their browser.

The security settings to password protect a selected directory.
It’s not optional to enter a name that’s displayed, but you can name it whatever you want.

Finally, click Save and you’re done. Your file is now password protected.

You can also use a plugin to do this for you such as AskApache Password Protect. All you need to do is install it and choose a username and password. Your .htaccess file will automatically be updated without disrupting anything else written in it.

12. Change the wp_ Table Prefix

By default, each table in the WordPress database begins with wp_. Just like the other default features already mentioned, if you leave it as is, it makes it easier for hackers to infiltrate your site and database tables since the table names are the same across most WordPress installs.

Changing this to something more customized and memorable to you means it will be less accessible to hackers.

There are many plugins that can change the table prefix to something else you choose and here are some of the most popular ones:

Just be sure to make a complete backup of your site before attempting to make this change since it could break your site if not done correctly.

13. Change Your Database Name

Finally, changing the ending of your database name can make it more difficult for hackers to guess and identify it to keep them out, just as with your tables’ prefix. We have a detailed post to show you how to make this change without error, called Change Your WordPress Database Name in 3 Simple Steps.


We’ve covered 13 basic ways you can successfully increase the security of your WordPress site or Multisite and it doesn’t stop there. There’s many more things you can do to make your site secure and the WPMU DEV blog is full of them.

If you’re interested in going further, you can check out our posts 6 Best WordPress Security Authentication PluginsWordPress Security Essentials : Building A Layered Defense and 5 Simple .htaccess Tips to Tighten Your Site’s Security.

Have I missed any great plugins for the security tips I mentioned? Have you had any run-ins with hackers before? Share your experience and join the conversation in the comments below.