Quick security tips for hardening your WordPress website

WordPress counts as a secure CMS to run your website on, and this might be one of the reasons why so many users trust WordPress. But no software is 100% secure, and WordPress is no exception.

Core developers constantly release updates which take care of discovered security problems and add overall improvements. Last year alone core developers released six security-oriented releases – big applause to them for keeping us safe.

If you consider yourself a newcomer to the website-building process, here is the first tip: make sure to update your website along with the WordPress releases. This will protect you from the already known and discovered “holes” in your website’s security bastion, and you will be safe from the automated hacking attempts that target them. Such a simple action, yet it can easily be forgotten or skipped for some reason.

According to W3Techs.com statistics (23 September 2016), just 29.8% of known WordPress sites use the current major release branch. This leaves us with more than 70% of live websites running outdated and potentially vulnerable WordPress source code.

Is your website among them?

If so, now is a good moment to take a small break and update your website. Seriously, just do it. And next time you log in to your WordPress backend area and notice that “Update available” badge in the nav-bar, click it and update your website. OK?

But don’t stop here… Check out other necessary tips to secure your online site even more.

Update WordPress plugins and themes

The same applies to your list of plugins and themes – update them regularly. Eventually, this should become a good habit of yours. Spotted an update? Update ASAP. And to stress things a bit, keep in mind that most plugins and themes aren’t developed by experienced core developers who know WordPress inside and out, and as a result that code might be more vulnerable. And this leads us to the next tip…

Get rid of the waste

Delete every plugin and theme that you don’t use or can live without. Each plugin or theme adds code to your WordPress installation that is a potential security problem; the more code you have, the more “opportunities” you leave for hackers to exploit. Simple plugin deletion will reduce that risk, so stick to essential plugins trusted by millions.

Download plugins from trusted sources

Never use plugins from shady websites that offer premium (paid) plugins for a reduced price or even for free. Most likely you will get a plugin or theme with a backdoor injected in the code, and your website will be exposed to hackers or will become one of the nodes in a zombie network. Consequences? You may be banned by Google search or simply taken offline by your hosting provider without notice.
So the safest way here is to obtain plugins from well-known sources where code is inspected before approval, such as WordPress.org or premium marketplaces.

OK, so by now your website is up to date and is using only plugins that were inspected and went through moderation. Good! What’s next? Can we take security to the next level? Sure! There are plenty of things to improve. Let’s get deeper.

Take passive security actions

First of all, what are passive actions? Those are actions that you can take in order to distinguish your website from the “default” state. This adds extra security against generic and automated hack attempts that scan the internet and execute pre-written scenarios.

Come up with a username for an admin account

Never use “admin” as a username for your admin account; it is too generic. Instead, use your own nickname. The first things that brute-force attempts will check are the username “admin” and the password “123”. This advice never gets old…

It looks like everyone knows about it but somehow makes the same mistake over and over again. How? While building your website you set a “temporary” password, then your browser remembers it and you forget to change it upon project launch. Set good passwords even for temporary or local WordPress installations.

Make your passwords strong

WordPress has a password strength meter, so whenever you set or change your password, make it strong. Random strings with a mix of lowercase and uppercase letters and numbers are a general rule of thumb for strong password creation. Be creative. And on top of that – change your password periodically.

Here’s a good password example for inspiration: g#2ede2FSxcdsfs@!!@XCASsgHJt.

Furthermore, if you manage your website from public places, e.g. coffee shops or public parks, then make sure to enable the HTTPS protocol for your website. Otherwise, your extremely complex password can simply be hijacked over the non-encrypted Wi-Fi network. And as a bonus for adding an SSL certificate to your website, you will receive more “love” from Google, which prefers HTTPS websites over regular non-encrypted connections.

Protect your website with two level authentication

Google Authenticator WordPress Plugin

Personally, I suggest using the Google Authenticator plugin for WordPress. It is widely adopted by many other websites and eventually, it will become a handy and frequently used application on your smartphone.

With the second level of authentication, it will be impossible for someone else to log in to your website even if your password is compromised, because you have to input a temporary six-digit code whenever you log in to your WP Dashboard.
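How such a temporary six-digit code is derived and checked, as an added example that is not part of the original post and not the plugin's own code. It implements the standard time-based one-time password scheme (RFC 6238, HMAC-SHA1, 30-second windows) that the Google Authenticator app uses; the function names and the sample secret are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret_b32, at=None, step=30, digits=6):
    """Return the RFC 6238 code for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper())
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as defined in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_login(password_ok, secret_b32, submitted, at=None, drift=1):
    """Accept a login only if the password AND a current code are correct.

    drift=1 also accepts the previous and next 30 s window (clock skew).
    A production check would additionally refuse a code it already accepted.
    """
    if not password_ok:
        return False
    now = time.time() if at is None else at
    for k in range(-drift, drift + 1):
        expected = totp(secret_b32, now + k * 30)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, at=59)
    print("code at t=59:", code)
    print("password + code:", verify_login(True, SAMPLE_SECRET, code, at=59))
    print("password, wrong code:", verify_login(True, SAMPLE_SECRET, "000000", at=59))
    print("same code 150 s later:", verify_login(True, SAMPLE_SECRET, code, at=209))
```

The last two calls show the point of the second factor: a correct password with a wrong or expired code is rejected.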

Change database prefix

If you are just starting with your new WP website, then change the database prefix during the initial WordPress installation. This can make a hacker’s life just a bit more complicated, and this is exactly what we want, right?

Set correct file and folder permissions

Most of the auto-installers take care of this one, but to be extra sure it’s better to check it yourself. There’s a very detailed page in the WordPress Codex explaining correct permissions in depth. The most common permissions that you will ever set are 644 for files and 755 for folders. This allows the owner to read and write those files and folders, while everyone else has just read permission (plus, for folders, the permission to enter them).
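One way to check this yourself, as an added example that is not part of the original post: a small Python audit that walks a directory tree and lists every file that is not 644 and every folder that is not 755, flagging world-writable entries. The function names and the sample tree are assumptions; point `audit_permissions` at your own WordPress directory.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644  # files: owner read/write, everyone else read (from the text)
DIR_MODE = 0o755   # folders: owner full access, everyone else read + enter


def audit_permissions(root):
    """Return sorted (relative_path, actual, expected, world_writable) tuples."""
    findings = []
    for base, dirs, files in os.walk(root):  # symlinked folders are not entered
        entries = [(d, DIR_MODE) for d in dirs] + [(f, FILE_MODE) for f in files]
        for name, expected in entries:
            path = os.path.join(base, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits say nothing useful
            mode = stat.S_IMODE(st.st_mode)
            if mode != expected:
                rel = os.path.relpath(path, root)
                findings.append((rel, mode, expected, bool(mode & stat.S_IWOTH)))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample tree (not a real site) with two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    layout = {"index.php": 0o644, "wp-config.php": 0o666,
              "wp-content/themes/demo/header.php": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // sample\n")
        os.chmod(path, mode)
    for base, dirs, _ in os.walk(root):
        for d in dirs:
            os.chmod(os.path.join(base, d), 0o755)
    os.chmod(os.path.join(root, "wp-content"), 0o777)
    return root


if __name__ == "__main__":
    for rel, mode, expected, ww in audit_permissions(build_sample_tree()):
        note = "WORLD-WRITABLE" if ww else "differs"
        print(f"{rel}: {mode:03o}, expected {expected:03o} ({note})")
```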

Backup your website

Better to be prepared than sorry. Back up your website automatically at least on a daily basis and make sure to create a manual backup before initiating an update or big website maintenance. In case of emergency, you will have the luxury option to simply roll back and deal with the situation in a relaxed mode rather than fire-fighting mode.

While most of the hosting companies offer their own backup solutions, it is also beneficial to look into some premium backup plugins, like BlogVault.

Scan your website for threats and problems

There are a few very good and popular solutions to protect your website from known threats, WordFence and Sucuri to name a few. Definitely check those plugins and choose one for your website. After activation and an initial scan, it will run checks in the background and you will be notified in case of any problems found on your website. Both plugins rely on a very big database accumulated from thousands of websites and used to harden the security of your website.

Down the road, it is also useful to think about the spam issues, which will get bigger and bigger as your site grows. Luckily, there are plugins, like MalCare, that can take care of all the malware in no time.

The tips outlined in this blog post are on my personal checklist for every WordPress website that I launch. I have specially kept them not too tech-savvy so that anyone could do them and elevate security to the next level. And of course to illustrate that every small action counts. It’s much better to do at least something instead of complaining that your small business can’t afford to have an independent security department.

What precautions do you take on your website?


  1. Thank you so much for sharing your informative article with us. It will help me a lot to secure my website.

    1. Thanks! Yes, it’s always good to stay safe and these are really some tips everyone can implement.

  2. This is a very useful topic for any WordPress user. I love the writing and definitely VC is my personal favorite. I added it to my tools page.

    1. Thanks, Ataul, hope you will integrate (or already have) a few of these tips or maybe share your own.

      1. You’re welcome buddy! I will always share this with my audience.

  3. What I do: most attacks come into a WordPress website by overwriting header.php in your theme folder. Just be sure to restrict the read-write access to read-only for everyone. If there’s an error when you update your theme, just add write access to the file, update and then remove the right.

  4. Nice Post! I work with a nifty Plugin called All In One WordPress Security. Easy to configure and it has a ton of features, like changing DB Prefix and adding a firewall over .htaccess
    It can get tricky sometimes, but activating the basic features already makes your site safer than most other WP sites.

    1. Agree, sometimes it’s better to rely on third party plugins which are focused on the specific problem.
