WordPress security – How to make WordPress secure

WordPress is the world's most popular CMS and powers 28.6% of all websites on the internet. But with that popularity it can become the target of hackers. So how can we make it more secure?


Updated Tuesday 11th of September 2018

WordPress is the world’s most popular CMS. As of the time of this writing, it powers 28.6% of all websites on the internet. But with that popularity, it can become the target of hackers. With a string of major security flaws attributed to the platform, we have to ask how can we make it more secure?

Is WordPress Insecure?

The WordPress core is actually one of the most secure platforms that you can choose to build your website on. The problem often lies with the users, theme developers, and plugin developers.

“WordPress core is without a doubt one of the most secure platforms you can choose to put a site on” – Jason Cosper

But a plain WordPress install isn’t going to cut it for most people. So we extend it with plugins and themes. Security flaws are often revealed when people install a plethora of plugins without knowing more about them.

The bottom line is, WordPress is secure. It’s a combination of an oversaturated plugin and theme market, and end users making uninformed decisions that lead to security vulnerabilities. Just because you can install lots of plugins, doesn’t mean you should. Sticking to a few well-designed plugins that are well-documented, up-to-date and supported will serve you much better.

How can we harden WordPress?

Knowing why WordPress can become vulnerable is one thing, but how we can make it stronger and more secure? The following is a list of things you can do to make your WordPress website security stronger. Some of them are simple one-minute fixes, others are more technical and you may feel better hiring a professional to do them for you.

Use a strong password – This is almost a no brainer but the number of people that use weak passwords is surprising. Often it’s just convenience, no one wants to remember a long password so they choose a weak password such as ‘password’ or ‘123456’. Can you afford to lose all your data or the trust of your customers over a password?

An example of a strong password is one that includes both upper and lowercase letters, numbers, special characters, and is at least eight characters long. If you keep a copy of your password somewhere, make sure you don’t label it as your password and keep it in a safe place.

Image of a password
Please don’t use password123 as your password!

Use two-step authentication – Two-step authentication is a good way to secure your login by forcing users to not only login with a password but to provide a code sent to their mobile phone, too. There are numerous plugins that offer two-step authentication for WordPress including:

Use a well-built theme – This can be hard to gauge just from looking through theme repositories and there’s often no way of telling until you download the theme and install it. You can, of course, read the theme reviews and ask a web developer for their expert opinion on a particular theme. In general, we prefer to build bespoke websites for our clients as this ensures that the website will be lean, and free of unnecessary code bloat, which can reveal security flaws and also slow the website down.

Choose WordPress plugins wisely – In general, you shouldn’t install plugins that allow code execution as this will allow hackers to inject malicious scripts into your website. Read the plugin reviews, check when the plugin was last updated, and visit the developer website. If they give good support and have good reviews that’s a good start. Also keep your plugins up to date.

Access your website on a secure network – Logging into your website on a public network, such as an internet cafe, is unsafe. Network vulnerabilities can allow passwords and sensitive information to be intercepted. In general, be careful what networks you work from.

Don’t allow user enumeration – Hackers can use tools such as WPScan to run scans on your site which can reveal sensitive information such as usernames. This can be prevented by using a plugin such as WordFence (which we install on all our clients’ websites).

Don’t allow hackers to run unlimited brute force attacks on your site – A brute force attack is when a hacker runs a script that will continuously attempt to crack your password with known usernames and a password list. If user enumeration is enabled, and no firewall is present, a hacker can set a scan like this running and theoretically pound your log in screen with a thousands of passwords. You can prevent this, as mentioned in the previous point, by using a plugin such as WordFence. This will lock a user out by their IP address after a number of failed log in attempts.

Keep WordPress up to date – Another seemingly obvious one, but a lot of WordPress websites still run on old versions of the framework. This is unsafe as hackers already know common exploits for these older versions and so your website will be more vulnerable. Each new version of WordPress addresses security flaws, and minor releases include security patches. At Xpand, we offer this service as part of our ongoing maintenance package.

Use a reputable web hosting company – Although it can be tempting to go with a cheaper web hosting company, it’s a lot better for your continued security to choose one of the better-known ones. The reason is that many of the most reputable web hosting companies do a much better job of keeping their servers up to date and providing customer support. Servers that run old versions of PHP and MySQL are more likely to be vulnerable to attacks for the same reasons mentioned in the previous point. Spending a few more pounds for your web hosting is just another step you can take to minimise the risk of a website hack.

Backup regularly – This obviously won’t prevent hacks but it will mean that you can easily get back up and running in the event of one. How often should you back up? It really depends on how often you update your content. If you run a popular blog and write content every day, then you should probably back up once a day. If you only add new content once a week, then a weekly backup schedule should be enough. At Xpand we backup all our clients’ websites every day.

Use a CDN – The security benefits of using a CDN are questionable but it’s worth trying and certainly can’t do any harm. Using a CDN filters out bad traffic including attacks and bots, ensuring that it never reaches your server.

“ CDNs provide an added level of security at a level higher than many hosting companies manage.” – Growmap

Here are a few CDNs that you can use:

  • Cloudflare
  • Sucuri
  • Incapsula

Ensure that your computer is free from viruses and malware – Keeping your own computer protected with antivirus software can help prevent any viruses affecting your website.

Use WordPress security keys – WordPress security keys are random characters added to your password to make it harder for hackers to guess or use brute force attacks. You change these keys within the wp-config.php file. You can edit this file through an FTP client or using your website’s admin panel. If in doubt, ask an expert to do it for you. The easiest way to get a secret key for your WordPress website is to use the online generator tool. Simply copy and paste the generated code and paste into your wp-config file.

Image of wp-config.php showing wordpress salts
How your wp-config should look after adding the WordPress salts

Use SFTP instead of FTP – Using SFTP to send files to your remote server is safer than FTP because it encrypts the data that is being sent over the network. When you use FTP, your data (including passwords and other sensitive information) is sent in the open, which could be intercepted and used by hackers. SFTP stands for SSH File Transfer Protocol, or simply Secure File Transfer Protocol. It is easy to set up with most hosting companies.

Get an SSL Certificate – This is becoming the standard for most forward-thinking website owners today. An SSL certificate basically gives your users peace of mind that your website is safe and secure. Once you have this setup, your website domain name will be prefixed with HTTPS instead of the plain old HTTP. HTTPS stands for secure HTTP and is essential for web owners who run an e-commerce website or any other type of website that takes personal and private information from its users. If you want to set up an SSL certificate, contact your hosting company or hire a professional who can take care of it for you.

An image of a URL bar showing a green HTTPS certificate
HTTPS is the new HTTP – make sure you get your site secured!

Don’t use the default wp_ database table prefix – By default, a new installation of WordPress will prefix your database tables with wp_. This is well known by hackers and makes it easier for them to attack your database. Ideally, this can be set during the initial set up. To change this once your site is already in place takes a little more time.

Restrict access to your database – When you set up a new database, you have the option to set all privileges for the database user. Although this is often the preferred option as it requires the least know how to implement, it’s actually safer to set only the privileges that you really need. These privileges are SELECT, INSERT, UPDATE, and DELETE. Others such as DROP, ALTER, and GRANT can be revoked and only turned on in cases where you really need them. This method is part of the containment policy in regards to security. In the case that a hacker does gain access to your database, you minimise the damage they can do.

Disallow file edits through the admin interface – This is another containment measure. When you first install WordPress, the editor interface (for editing core code files) is available by default. This can be found under the Appearance tab in the WordPress dashboard. The problem with this is that if a hacker does gain access to your WordPress admin, they will be able to change and/or delete your website files. To prevent this, open up your wp-config.php file again and add the following code to the top of the file: define( ‘DISALLOW_FILE_EDIT’, true ); As a rule, we always include this line of code when building new websites.

Remove your WordPress version number – Only marginal security benefits can be gained from this but in the world of security, every little thing you can do to keep the hackers at bay is worth trying. This comes under the category of “security through obscurity”. Although you certainly can’t rely on this method 100%, it’s definitely worth implementing. Again, this is a measure we take when developing our clients’ websites.

Prevent access to the wp-login.php file via the .htacess file – Any savvy hacker will be able to find your WordPress login screen under your-site.com/wp-admin or your-site.com/wp-login.php. You can prevent access to this area to anyone but yourself by adding a code snippet like below to your .htaccess file:

# prevent access to wp admin except for my IP
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from xxx.xx.xx.xxx

Make sure to replace the xxx.xx.xx.xxx with your actual IP address.


Security for your website means staying vigilant and taking the necessary steps to ensure your website is as safe as it can be. Keep in mind this security mantra when securing your website:

“Limit, contain, prepare, trust”

Limit – limit the access points to your website. Take a moment to think about what the main access points are. These will include things like the WordPress login screen, cpanel, and database. Then think about how you can lock these down and secure them. Use two-step authentication for your admin login, create strong passwords for your cpanel and database.

Contain – in the worst case scenario a hacker gains access to your site but you contain the problem by making sure they don’t have access to important files. This will include things like disallowing file edits through the admin interface, or turning off user privileges for your database.

Prepare – be prepared for the worst. Backup regularly, have your code base stored offline somewhere. If you are hacked, you want to be back online in the shortest amount of time possible.

Trust – use trusted resources. This includes a trusted network, plugin or theme repositories, reliable hosting providers, and Xpand 🙂

Nothing is 100% secure. Hackers never get bored of finding new ways to infiltrate a system. It’s not so much about absolute security as ongoing vigilance. Stay up to date with WordPress vulnerabilities. Make sure your servers and WordPress version are up to date, keep everything backed up, and monitor your website often. If in doubt, consult an expert for a security audit. If your website is your bread and butter, then security is something you’d have to be stark raving bonkers to brush under the carpet.

Suggested reading
Why we (and Disney) love WordPress and you should too!
Read more