WordPress Security 101: Securing your Site



Last Updated on August 5, 2019

Securing your self-hosted WordPress site is one of the most critical aspects of starting a blog or growing it to the next level. As your site becomes more popular and garners the attention of new readers, it becomes a more attractive target for hackers and people who are up to no good.

While there is no silver bullet when it comes to securing a site, there are several things that can be done to make it less likely that yours will be compromised.


Secure Password
The first, most common-sense way to secure your site is to have a strong, hard-to-guess password. This means that neither your significant other, best friend, nor malicious intruders should be able to guess what it is.

The ideal password is at least 8 characters long and contains one or more capital letters, lower case letters, special characters (*&$#), and numbers.

Examples of terrible password formats include your name, your children’s names, your pet’s name(s), or combinations of names and numbers that have significance in your life. John Smith’s password shouldn’t be johnsmith1965, for example. This is not only easy to guess; it’s very easy for a brute force attacker to decipher the password.

Keep WordPress and plugins up-to-date
Running an outdated version of WordPress is one of the best ways to get your site hacked. When security holes are found and patched, updates are pushed out to site owners and they’re encouraged to upgrade their site. Hackers are most likely aware of the exploit already, but the ones that aren’t can easily put together a piece of software that scans for vulnerabilities in your version of WordPress.

One of the foremost experts on WordPress is involved with keeping the platform secure. His consulting (for people like you and me) is $250 per hour, and keeping your installation up to date is like applying his personally-suggested updates to your site as soon as they’re available.

Use plugins sparingly
There’s virtually no quality control when it comes to plugin coding, and certainly nothing in the way of an official security audit. What this means is that each plugin you add to your site increases the chances that your site could be compromised.

When evaluating a plugin, it might be helpful to ask yourself the following questions:

  1. Is this something I absolutely need? Will it help me reach my website goals?
  2. What feedback have others left for the plugin? Is it generally positive or mostly negative?
  3. Have many other users installed the plugin on their site already?

Use a reputable web host
Your site should be hosted by a reputable company, just like your car should be serviced by a qualified mechanic. You wouldn’t trust your means of transportation to someone with a bad reputation, so why accept anything less than the best in web hosting?

There have been several recent incidents where popular hosting companies have fallen victim to targeted attacks that compromised the websites of thousands of users. It’s your responsibility to research the reputation of the company that’s hosting your website. You can run simple Google searches, ask around (particularly your tech-savvy friends), and check out who’s hosting the websites of industry leaders and businesses you admire.

Making it Easier

Another way of minimizing the opportunity for a slip-up or mistake is fully managed hosting. Managed hosting offers significantly more care and support for your project than a conventional plan. A couple of hosting providers known for solid managed support are Kinsta and Media Temple. Having said that, you are looking at a slightly higher premium to pay for this perk.


Change table prefix
When a WordPress website is installed for the first time, it will use the wp_ prefix in front of all of the tables it creates in the MySQL database unless it’s changed. Since hackers make the (correct) assumption that most people neglect to change this, attacks that use automated scripts to carry out malicious tasks will expect this database table naming convention.

The database table prefix can be found in the following line of the wp-config.php file:

$table_prefix  = 'wp_';

Here’s an example of how we can make this default WordPress installation more secure by changing the default database prefix:

$table_prefix  = 's3cur3pr3f1x_';

A different approach would be used to change the database table prefix of a live site.

Set correct permissions on files and folders
The concept of permissions applies to WordPress sites in that access must be explicitly granted to certain files and folders in the WordPress installation in order for the site to run properly. These settings determine who can read, write, and modify files and folders on the server.

Generally speaking, the correct permissions setting is 644 for files and 755 for folders or directories. Permissions can be verified and changed using most FTP clients such as FileZilla.

The webserver must have permission to access and run certain files in the same way that visitors must have permissions set so they’re able to view images and other media on your site. By the same token, we don’t want Harry Hacker being able to view the contents of your configuration files under any circumstances.
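As an added example (not from the original article), the shell functions below audit a WordPress tree against the 644/755 baseline described above, flag anything world-writable, and apply the baseline; the WordPress root directory is passed as an argument.

```shell
#!/bin/sh
# Added example: check and enforce the 644 (files) / 755 (directories)
# baseline on a WordPress installation. $1 is the WordPress root directory.

# Print every regular file that is not 0644 and every directory that is
# not 0755. An empty result means the tree matches the baseline.
audit_perms() {
  find "$1" -type f ! -perm 644 -print
  find "$1" -type d ! -perm 755 -print
}

# World-writable files or directories are the most dangerous deviation:
# any other account on a shared host could alter them.
find_world_writable() {
  find "$1" -perm -002 -print
}

# Number of paths that deviate from the baseline (0 once hardened).
count_deviations() {
  audit_perms "$1" | wc -l | tr -d ' '
}

# Apply the baseline to the whole tree. Directories first so the files
# inside them stay reachable while the fix runs.
fix_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}
```

Run `count_deviations /path/to/wordpress` before and after `fix_perms` to confirm the tree is clean; `find_world_writable` is the check worth scheduling regularly.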

Sensible backup strategy
Part of securing your site means that you’re prepared for a worst-case scenario. Since we know there’s no way to guarantee that our site won’t be compromised, we should also include a layer of security and insurance that includes a sensible backup strategy. There are many helpful plugins that can automatically schedule backups of your database or your entire site.

Use secret keys
To increase the security of passwords stored in your WordPress database, you should ensure that the default secret key text in your wp-config.php file has been replaced with unique values. Here’s what this section looks like before being changed:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');

And here’s what the section looks like after replacing the default text with unique keys obtained at WordPress’s secure secret key generator:

define('AUTH_KEY',        '*:f2*X;[email protected]&w$Pqz{^]8v1.i}*_MyX?DXyVy*P{Cy{0NOFuc0I:wT(P10Ng>-3=+_');
define('SECURE_AUTH_KEY', '-7b}IsGq#T{=+-seQI*f+06^gyJVzAY~v<+eNd P-! Hg|VI]}Vq^?JgNd:7=<|j'); 
define('LOGGED_IN_KEY',   'YR=->yG8UnLKN1t#to`Rfws&(GLoGvVFl3$3o)4j+%=R&vRUJQTnzU=D4w/1g1Yu');
define('NONCE_KEY',       'j +o0G?&FXo4ujI!UgpXSkh,{!#Yfs %-+hVP$PH[* CPmVnl+C:!!*_`S={u?F}');
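If you would rather not paste keys from a web page, the added example below (not from the original article) fills every placeholder in a wp-config.php with a fresh 64-character key generated locally from /dev/urandom. It assumes the file uses the default placeholder text shown above and that POSIX sed, tr and head are available.

```shell
#!/bin/sh
# Added example: replace the default secret key text in wp-config.php ($1)
# with locally generated random keys, one independent key per define().

PLACEHOLDER='put your unique phrase here'

# 64 random printable characters. The set deliberately omits the single
# quote, backslash, slash, ampersand and pipe so the key can be spliced
# into a single-quoted PHP string with sed and needs no escaping.
gen_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#$%()*+,.:;<=>?@^_{}~-' < /dev/urandom | head -c 64
}

# Rewrite the file, giving each placeholder line its own key. Lines that
# do not contain the placeholder are copied through unchanged.
replace_placeholders() {
  tmp="$1.tmp"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *"$PLACEHOLDER"*)
        key=$(gen_key)
        printf '%s\n' "$line" | sed "s|$PLACEHOLDER|$key|" ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$1" > "$tmp"
  mv "$tmp" "$1"
}

# Number of lines still carrying the default text (0 once hardened).
count_defaults() {
  grep -c "$PLACEHOLDER" "$1" || true
}
```

Changing these keys invalidates every existing login cookie, so expect to sign in again afterwards.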


Code basic plugin functionality yourself
Many WordPress users are surprised to realize that much of the functionality provided by many popular plugins can be added to their sites without using a plugin. For displaying recent posts, recent comments, and related posts in the sidebar on your site, a plugin is definitely not necessary.

When you want to add a bit of custom functionality to your site, Google “[what you’re trying to do] without a plugin” to begin researching an alternate approach. The result will often lie in a few lines of code that you add to your functions.php file (or custom_functions.php if you’re using the Thesis Theme, of course). Your site will be faster and more secure with fewer plugins.

Remove the admin account
The default account created for you in WordPress is called admin. If someone wants to hack into your site, being able to accurately guess your username cuts their work in half. Here’s what to do:

  1. Create a new user with Administrator permissions
  2. Log out and then log back into WordPress with the new user you created
  3. Delete the admin user account
  4. When it asks what you want to do with posts attributed to admin, select the user you created


Some very helpful plugins have been developed that take WordPress security to the next level. In no particular order, here are six to consider:

  1. ServerBuddy — Check hosting quality, security issues, and more.
  2. Limit Login Attempts — Limit the number of login attempts possible.
  3. WP Security Scan — Scans your WordPress installation for security vulnerabilities.
  4. Login Lockdown — Records the IP address and timestamp of every failed login attempt.
  5. WordPress Exploit Scanner — Searches files, posts and comments for anything suspicious.
  6. Better WP Security — Removes typical WordPress vulnerabilities and adds security measures.


In this context, the .htaccess file is a configuration file that allows us to add an additional layer of security to our sites. It’s a “hidden” file (as evidenced by the “.” preceding the name), meaning that you’ll need to enable viewing of hidden files in your FTP client. Note that this approach assumes that your site is running on an Apache webserver.

One of the most comprehensive sets of .htaccess rules was compiled by Jeff Starr at Perishable Press based on months of research, data, and testing. It’s called the 4G Blacklist and protects your site from a wide range of malicious attacks. When combined with these three tips from Google’s own Matt Cutts, you’ve got a near bulletproof .htaccess security approach.

Remove WordPress and theme version from head
WordPress includes the version of the software running on your site in the <head> section of every page, which can be seen by viewing the source code of your site. The line looks like this:

<meta name="generator" content="WordPress 2.3.2" /> <!-- leave this for stats -->

The trouble with this is that there are often security vulnerabilities inherent to specific versions of WordPress, meaning that you’re potentially broadcasting information that you don’t want in the hands of a hacker. The best way to remove this is with the following snippet of code, which should be added to your functions.php file:

// Return an empty string in place of the generator tag so the version is not printed.
function remove_version_from_head() {
    return '';
}
add_filter('the_generator', 'remove_version_from_head');

Force SSL login and administration
To enforce a secure, encrypted connection between you and the server when logging into and administering your site, add the following line to your wp-config.php file:

define('FORCE_SSL_ADMIN', true);

Move the wp-config file
WordPress 2.6 shipped with the ability to move your wp-config.php file a level higher than where it resides by default. Moving the file into your /wp-includes/ folder means that the file benefits from the read-only permissions of this directory.

You can block access to the file by adding the following directive to your .htaccess file:

# Deny every HTTP request for wp-config.php; PHP can still read it from disk.
<files wp-config.php>
Order deny,allow
deny from all
</files>


Learning how WordPress works is the first step in finding out the areas where we can mitigate risk. There’s an excellent article on the WordPress Codex that discusses WordPress Hardening (making it more secure). Implementing even half of the suggestions in this post will make your site more secure than the vast majority of WordPress sites on the web. Good luck!

Willie Jackson is a Marketer and Website Performance Engineer with a strong sense of self and a tenuous relationship with the impossible.