WordPress security & hardening, the definitive guide

WordPress is very popular. About one in five websites on the internet uses WordPress in some form. WordPress has become ubiquitous on the internet, whether for a simple blog, a content management system (CMS) with multiple websites, or an e-commerce website. Therefore, it’s no surprise that WordPress websites are a popular target for experienced hackers and script kiddies.

The last thing web designer wants is to discover that their site has been hacked, possibly hacked, and belongs to a botnet dispersing malware or participating in denial-of-service (DoS) attacks. In this article, you will find some tips and strategies to help you secure your WordPress website to increase its security.

Is WordPress secure?

That is a question many system administrators ask, and rightfully so. While well-built and secure overall, WordPress has a reputation for being vulnerable to security breaches and not “enterprise-ready.” This reputation is not entirely justified.

WordPress is a trendy software package. Many people work with WordPress, including in development and screening. It stays highly adjustable, which is just one of the reasons it is so preferred. Nevertheless, this customizability can bring vulnerabilities that enhance the general safety and security risk.

WordPress personalization can take numerous types, including the arrangement of WordPress itself and the atmosphere in which it runs, in addition to the installation of plugins and styles, to name a few. While only some customizations necessarily pose risks, they can lead to security issues if done correctly.

Plugins and Themes

Wordpress Vector Art Stock Images | Depositphotos

WordPress can be customized in plenty of means. A few of these modifications can present code and also misconfigurations that compromise WordPress safety. compromise WordPress security. One popular method of WordPress customization is plugins and themes.

The quality and security of WordPress plugins and themes vary widely. While the WordPress team has done a lot to help developers create more secure plugins and themes, not all developers adhere to security best practices. That often appears in poorly maintained plugins or plugins from a dubious source.

Before we continue the discussion on WordPress plugins and themes, let’s first comprehend what a WordPress plugin is. Plugins are custom PHP codes that WordPress runs to extend its functionality.

Similarly, WordPress themes allow you to customize the visual aspects of your WordPress website. The two have little difference from an attacker’s perspective, as both can be abused to execute malicious code.

Run less software

1,239 Html Css Illustrations & Clip Art - iStock | Html css javascript

Before you install a new WordPress plugin, ask yourself if you need this plugin. How can you inform if a plugin is harmful or not? That’s a complicated question, but luckily we have an answer for you.

The plugin may introduce security threats even if you do all the necessary research. So, one way to reduce the risk is to use only the software you need and trust.

Important: Be very wary of code snippets you find on the internet. Only use a code if you fully understand what it does – just because it can be found on StackOverflow doesn’t mean it’s safe.

As our guide explains, if you need a plugin, ensure it’s maintained and regularly updated. As a rule of thumb, the more downloads and updates a plugin or theme has, the more secure it is. That shows that it is widely used and actively maintained by its authors. That does not mean that the plugin will never have a security vulnerability. However, if a vulnerability is found, it is more likely that the developer will act quickly and provide a solution.

Avoid plugins that are not downloaded that often and, most critically, do not have an active community and regular updates. If something has not been updated for a year, you should avoid it.

Keep in mind the concept of least privilege

12,343 Privilege Access Stock Photos, Pictures & Royalty-Free Images -  iStock | Vip

WordPress doesn’t have to use the MySQL root user to connect to its database. Also, only some WordPress users need to be an administrator. Similarly, running most programs as a privileged customer is a good concept if there’s a specific factor.

Best security practices dictate that applications should always be granted the least privileges possible to function correctly and that any additional privileges should be disabled. This technique is generally described as the concept of least privilege.

Let’s assume WordPress connects to a database with a privileged user account. If a WordPress plugin contains an SQL injection vulnerability, an attacker can execute SQL queries as an administrator and, sometimes, even implement operating system commands. If an attacker successfully implements operating system regulations, they can look and extend the assault to other systems.

Running software with administrative privileges or granting more access rights than necessary is a security risk that should not be taken. It violates the proven principle of least privilege because it allows an attacker to do more damage in case of a protection violation.

The good idea concerning WordPress is that it has numerous integrated customer functions that allow you to appoint various opportunities to different customers depending on their needs.

Update your WordPress plugins and themes

101 WordPress Stock Photos, Pictures & Royalty-Free Images - iStock |  Website wordpress, WordPress security, WordPress theme

WordPress plugin and theme updates are essential to benefit from new features, bug fixes, and closing security holes. Both plugins and themes can be easily updated within the WordPress interface.

Some commercial plugins likely have mechanisms for keeping plugins up today; nevertheless, for the most part, this is clear to users. Nonetheless, keep your plugins and themes updated regardless of your update system.

Do not utilize “nulled” WordPress plugins and also themes

348 Cdn Stock Photos, Pictures & Royalty-Free Images - iStock | Cdn icon

WordPress is released under the GNU GPL. Without entering too much detail, the GPL license allows Anyone to distribute GPL-licensed software freely. That also applies to commercial/premium GPL-licensed WordPress themes and plugins. So it’s not illegal to download a modified premium theme or plugin and utilize it for free, which is usually referred to as “nulled.”

However, as you may have guessed, you are unlikely to get updates for unlicensed plugins, apart from not supporting the plugin developer. Also, you must be a developer to know if that plugin’s code has been modified to do something nefarious.

Keep WordPress up to date

35,685 Web Design Illustrations & Clip Art - iStock | Website, Aesthetics  beauty, Responsive web design

Just as you should keep your plugins and themes up to date, you should also ensure that the WordPress version you are using is up to date. Of course, this is if you don’t explicitly disable this feature. Fortunately, this is much easier now than it used to be, as critical security updates are installed automatically.

Besides new features, improvements, and bug fixes, WordPress core updates include security fixes that protect you from attackers exploiting your WordPress website.

WordPress hosting

1,057 Login Tablet Illustrations & Clip Art - iStock

Where and how you host your WordPress website depends mainly on your requirements. While there’s nothing wrong with hosting and managing WordPress yourself, if you need to be more technically savvy or want to ensure that most WordPress security basics are met without much work, you should opt for a managed WordPress hosting provider like WP Engine.

Managed WordPress hosting takes away many security decisions and configurations you would otherwise worry about.

Of course, managed WordPress hosting may need to be corrected for you too. While hosting plans have been available in all shapes and sizes, you can also choose to host WordPress, especially if you have a limited budget. When you host WordPress, you also have more control over your installation.

WordPress Dashboard

98,740 Dashboard Stock Photos, Pictures & Royalty-Free Images - iStock |  Car dashboard, Data dashboard, Dashboard icon

Your website’s WordPress dashboard is one place that unauthorized people should not have access to. While some websites have legitimate reasons for allowing public users to log in through the WordPress dashboard, this poses a significant security risk and must be weighed carefully.

The good news is that most WordPress internet sites do not have this requirement and must avoid accessibility to the dashboard. There are many methods to do this, and you must select the best choice.

One common practice is restricting access by password-protecting the WordPress admin pages (wp-admin). Another solution would be to allow access to /wp-admin only for specific IP addresses. Access can also be restricted via the htaccess file.

Disable registration

27,577 Registration Illustrations & Clip Art - iStock | Register, Event  registration, Online registration

WordPress does not enable public users to register on your website by default. Here’s how to confirm that user registration is disabled:

  • Go to the Settings > General page in your WordPress dashboard area.
  • Navigate to the Membership section.
  • Make sure the checkbox next to anyone can register is unchecked.
  • Credentials

As with any other website, access to your WordPress dashboard is only as secure as your credentials. Enforcing wordpress solid password security is a crucial security control for any system, and WordPress is no exception.

WordPress doesn’t offer the ability to set a password policy out of the box. Still, a plugin like WPassword is an absolute must for enforcing password strength requirements for all WordPress dashboard users.

Once you’ve enforced password security on your site, use WPScan to scan for weak WordPress credentials and ensure that no account uses weak passwords again.

Limit login attempts

358 No Time Limit Illustrations & Clip Art - iStock

Bots can generate an astonishing number of failed login attempts quickly. Even though users tend to forget their passwords from time to time, numerous failed login attempts can indicate a hacking attempt. That can negatively impact your website’s performance and lead to a security breach if it is an actual attack.

As an administrator or site owner, you can use a password security plugin to limit failed login attempts. That should apply to the WordPress login page and any other login page you may have.

Two-Factor Authentication (2FA)

2fa Line Icon In Black Two Factor Authentication Icon Security Vector On  Isolated White Background Eps 10 Stock Illustration - Download Image Now -  iStock

Another essential security measure for your WordPress dashboard is two-factor Authentication. Two-factor Authentication (2FA) makes it much more difficult for an attacker to access your WordPress control panel. They must figure out a user’s password (for example, an attacker could learn it through a data breach).

Fortunately, it’s straightforward to set up two-factor Authentication in WordPress. There are many high-quality plugins you can use to add this feature.

Hardening the WordPress core

Even though WordPress core is a particular piece of software, that doesn’t mean we can’t harden it even further.

Below are some measures you can take to secure WordPress core.

1. Make sure debug logging is disabled

WordPress permits developers to log debug messages to documents (by default, this is/ wp-content/debug. log). While this is entirely appropriate in a refined atmosphere, remember that an assaulter can quickly access this file if the same file and settings discover their method into manufacturing.

WordPress’ debug feature is disabled by default. However, it is always better to ensure this is the case – make sure that the WP_DEBUG constant is not defined in your wp-config.php file or set it explicitly to false.

2. Disable XML-RPC

The WordPress XML-RPC requirements were created to allow communication between different systems. That means that virtually any application can interact with WordPress. The WordPress XML-RPC specification has always been important to WordPress. It allows interaction and integration with other systems and software.

The good thing is that the WordPress REST API has superseded XML-RPC. To highlight some security concerns related to XML-RPC, its interface has been the source of numerous security vulnerabilities.

Attackers can also use it for username enumeration, brute force attacks on passwords, or denial of service (DoS) attacks via XML-RPC pingbacks.

3. Limitation of the WordPress REST API

Like XML-RPC, the WordPress API is the modern way third-party applications communicate with WordPress. While its use is secure, it is advisable to restrict some features to prevent user enumeration and other potential vulnerabilities. Unlike XML-RPC, WordPress does not provide an easy native way to disable the REST API altogether (it used to but has been deprecated, so it is advisable not to do so anymore); however, you can restrict it.

4. Prevent WordPress version disclosure

Like many other web applications, WordPress discloses its version in several places by default. Disclosing the version number is not necessarily a security vulnerability, but this information benefits attackers when planning an attack. Therefore, disabling WordPress version disclosure can make an attack more difficult.

5. Preventing WordPress user enumeration

WordPress is vulnerable to various user enumeration attacks. Such attacks allow attackers to discover which users exist or whether a user exists. While this may seem harmless, keep in mind that attackers can use this information as part of a more powerful attack and compromise the security of your website.

To prevent WordPress user enumeration, ensure the following features are impaired or limited.

  • Limit the WordPress remainder API to unauthenticated individuals only.
  • Disable WordPress XML-RPC
  • Do not expose /wp-admin and /wp-login.php directly to the public internet
  • Disable the WordPress file editor

One of the most dangerous features of WordPress is the ability to edit files from the WordPress dashboard itself. There should be no legitimate reason a user should do this, and certainly not on WordPress core.

The Website File Changes Monitor plugin developed allows you to receive real-time file change notifications via email.

All file changes to your website should either be done over a safe link (e.g., sFTP) or ideally tracked in a version control repository and deployed with CI/CD.

It’s important to note that FTP ought to be prevented whatsoever expenses – make sure you use sFTP instead when accessing the backend.

6. Disable theme and plugin management

A good best practice for WordPress security is disabling the plugin and motif monitoring from the WordPress control panel. Instead, use command line tools like wp-cli to make these changes.

By disabling theme and plugin changes, you substantially reduce the attack surface of your WordPress website. Even if an attacker successfully penetrates an administrator account, they cannot upload a malicious plugin to extend the attack beyond accessing the WordPress dashboard.

The DISALLOW_FILE_MODS constant defined in the wp-config.php file disables updating and installing plugins and themes via the dashboard. It also disables all file changes within the dashboard, which removes the theme and plugin editor.

7. WordPress HTTPS (SSL / TLS)

Transportation Layer Protection (TLS) is among one the essential safety procedures you can take for your WordPress safety and security. It’s likewise free and easy to set up. Note: TLS is the method that changed Secure Socket Layer, SSL However, because SSL is very popular, several still describe TLS as SSL.

When you see your website via HTTPS (HTTP over TLS), the HTTP requests and responses are secured with a tls/SSL certification and can not be obstructed or spied on, or changed by an assaulter.

TLS may have even more to do with your web server or content distribution network (CDN) than your WordPress installation, yet one of the most vital facets of TLS (WordPress HTTPS) is its enforcement.

If you are uncomfortable editing configuration files and prefer to switch to WordPress HTTPS with a plugin, use Simple SSL or WP force SSL. Both are excellent and easy-to-use plugins.

Next steps for a lot more secure WordPress

If you’ve made it this far, that’s great, but that doesn’t mean there isn’t more hardening to do. Below are some items you can consider to secure your WordPress website further.

  1. Harden PHP: Since PHP is a core element of any WordPress website, solidifying PHP is one of the following practical actions.
  2. Use good safety plugins: Quality safety and security plugins provide innovative protection, including those not in WordPress. There are a large number of WordPress security plugins available.
  3. Carry out a documents authorizations audit: For WordPress internet sites operating on Linux, wrong data approvals can allow unauthorized users to access potentially sensitive files.
  4. Perform a backup file check: Backup files that are inadvertently left accessible can reveal sensitive information. That includes configuration data that contains secrets that permit opponents to gain control over the entire WordPress setup.
  5. Solidify your internet server.
  6. Harden MySQL.
  7. Add the required HTTP safety and security headers.
  8. Make sure you have a working WordPress backup system.
  9. Use a DDoS protection service.
  10. Implement a content security policy.
  11. Manage exposed backups and non-referenced files.


This is just the first step to WordPress security.

Congratulations. If you have followed all the advice above and applied all the preferred protection ideal techniques, your WordPress website is safe and secure. However, WordPress safety is not a single point but a constantly developing, repetitive process. There is a significant distinction between hardening a WordPress site (a single problem) and guaranteeing protection for years to come.

Hardening is just among the four stages in the WordPress safety and security process (WordPress safety wheel). For a secure WordPress website throughout the year, you must follow the iterative WordPress safety procedure of Examination > Harden > Monitor > Improve. You need to constantly examine and examine the safety and security status of your WordPress website, solidify the software program, keep track of the system, and enhance your arrangement based on what you see and find out.

  • A tool like WPScan can help you test the security posture of your WordPress site
  • A WordPress firewall, also called an internet application firewall software (WAF), such as WordFence or Sucuri, can shield your WordPress site from destructive, understood hacking attacks
  • A WordPress activity log can help you a lot – by recording all the changes made to your site, you can improve user accountability, know what each user is doing, and also keep an eye on all behind-the-scenes activity
  • Tools like our WordPress security and management plugins can help you keep passwords secure, harden the WordPress security process, be notified of file changes, and more

You have all the correct tools to keep your website secure. Even if you run a tiny WordPress website, you should take the time to go through this guide step by step. That will ensure you don’t invest in building a great website only to have it devastated by an attack targeting WordPress.

There is no such thing as 100% safety and security. However, you make it much harder for an attacker to gain a foothold and successfully attack your WordPress website using the hardening techniques covered in this guide.

Get Started Today With My Web Maintenance

We’d be happy to discuss our services if you’re looking for web hosting providers to help you provide web hosting & expert management for thousands of WordPress websites. Contact us now for web hosting services and to see how you can get started.

You Might Also Enjoy


WordPress security & hardening, the definitive guide Read More »