WordPress Security: 15 Ways to Keep Your Site Secure

There are approximately 64 million WordPress sites in the world, making WordPress the most popular content management system (CMS) in existence.

In many respects, WordPress’s popularity is a major advantage for developers and businesses. The large, dynamic community surrounding WordPress makes it easy to find plugins that extend WordPress functionality or locate a hosting provider that specializes in WordPress. And users can be confident that WordPress will remain actively developed and supported for years to come.

But from a security perspective, the widespread use of WordPress poses a challenge. Given the massive popularity of the platform, it’s a common target for attackers. WordPress sites can be breached in a variety of ways, from attacks against the host server or operating system, to database exploits, to injection attacks and beyond.

That’s why protecting against WordPress’s vulnerabilities must be a priority for any organization that wants to take advantage of WordPress as a reliable, extensible CMS. Let’s take a quick look at those vulnerabilities before walking through fifteen WordPress security best practices.

WordPress Security Vulnerabilities

The first step to protecting your WordPress site is understanding where its vulnerabilities lie. Here are some of the most common.

Brute force attacks

Actors can use brute force attacks to break into WordPress installations by cycling through long lists of username and password combinations until they hit the right one. Sites that use short, simple passwords are especially vulnerable to these attacks. Keep in mind that even if your WordPress accounts use strong passwords, brute force attacks against the WordPress host server or database could allow intruders to gain access to your site.

DDoS attacks

In a DDoS attack, attackers overwhelm a site with malicious traffic in order to prevent it from responding to legitimate requests. Although WordPress itself can do little to prevent DDoS attacks, plugins are available to integrate WordPress with anti-DDoS services.

XSS attacks

Cross-site scripting (XSS) attacks can allow attackers to bypass access controls, such as login pages. They can also be used to redirect site visitors to malicious websites designed to steal passwords or other important information.


Malware that attackers manage to install inside a WordPress site can give them access to sensitive data, like pages that are supposed to be password-protected. Attackers could also use malware to post malicious content within a WordPress site without the site owner’s knowledge.

SQL injection

WordPress uses SQL databases to store most of your site’s data and its access credentials. SQL injection involves submitting malicious commands to the database server, allowing attackers to gain access to sensitive data stored in the database. They could also delete data, effectively destroying your site.


Attackers can create backdoors by running malware that gives them remote access to your WordPress site or the server hosting it. This allows third parties to monitor and manipulate your site without your knowledge.

15 Ways to Improve WordPress Security

You can’t hope to address every one of the more than 17,000 specific identified WordPress vulnerabilities. But you can follow best practices when designing and managing your WordPress site to help mitigate security risks.

1. Update WordPress

Keeping your WordPress sites up-to-date is perhaps the most important way to address potential vulnerabilities. This means both upgrading when major new WordPress versions become available and updating for smaller point releases (such as an update from version 5.1.1 to 5.1.2). Every new WordPress release contains fixes for known security vulnerabilities. If you don’t update, you leave your site at risk for attacks that malicious parties already know they can execute.

Remember that updating WordPress itself is only half the battle. You should also update themes and plugins, which can also contain vulnerabilities.

Modern versions of WordPress offer optional features that can update your WordPress deployment, themes, and plugins automatically. You should enable auto-updates whenever available. Failing that, be sure you perform manual updates whenever possible.

2. Choose the Right WordPress Host

WordPress can run on virtually any web hosting platform, but that doesn’t mean you should settle for just any hosting provider. Look for a host that has significant experience with WordPress and provides strong security capabilities. For instance, if you find a hosting service that meets robust compliance requirements associated with specific regulatory laws, like FedRAMP, PCI DSS, and HIPAA, you know they have experience securing sites that contain even the most sensitive data. The best hosts also offer managed services to help clients stay ahead of security threats and respond to them when they do occur.

3. Create and Manage Strong Passwords

Passwords that are short or that consist of simple words or phrases are vulnerable to brute force attacks. To address this vulnerability, use strong passwords for all accounts associated with WordPress. WordPress can help you do this by auto-generating strong password strings when you create new user accounts. You can also refer to password guidelines from organizations like NIST, a U.S. federal agency that provides cybersecurity recommendations. And try using password managers to avoid repeating passwords between accounts.

You should update your passwords regularly as well. As a rule of thumb, passwords should be changed every three months. Regularly updating passwords ensures that if an attacker does gain access to a password, their access will be revoked when it changes.

4. Backup Your WordPress Deployment

To prevent unauthorized access to your WordPress site or server, make regular backups of your WordPress database and configuration files. Backups let you easily restore your site if it’s breached, or if attackers deliberately destroy your database or other important information.

Without a backup, rebuilding a breached site can be almost impossible. Even if you can pull copies of your site data from archived pages on the web, the content may be out of date. It’s also time-consuming and tedious to integrate that content back into a functional WordPress site.

5. Take Advantage of WordPress Security Plugins

Although WordPress itself doesn’t offer security tools beyond basic features like account access control, the WordPress community has developed a variety of plugins that you can install to enhance the security of your site. For example, you can use firewall plugins, such as Web Application Firewall, to filter network traffic to your WordPress site. With a firewall plugin, even if you can’t set up a firewall on the host server — which is typically not possible when using a shared WordPress hosting plan — you can block malicious IP addresses within WordPress itself.

Other WordPress plugins, like Wordfence, can automatically scan your site for malware so that you can take steps to isolate and remove the malicious code before it causes a breach. And plugins like Securi offer malware scanning as part of broader WordPress security packages that also provide configuration auditing and hardening, which can alert you to other types of threats beyond malware.

For the most comprehensive coverage in a single plugin, consider something like All in One WP Security and Firewall, which packages a firewall, malware scanning, configuration scanning, and more. However, the convenience of these general purpose security plugins can come at the cost of the customizability offered by more specialized plugins. Ensure whatever plugin you choose offers the necessary degree of control over your security setup.

6. Reduce Login Vulnerabilities

The harder it is for actors to find and attack your WordPress login page, the more secure your site is. There are a variety of ways to improve the security of WordPress logins:

  • Change the login URL: Consider changing the path of the WordPress login URL by using a tool like Rename wp-login.
  • Avoid “admin” usernames: Delete accounts that use “admin” as the username, which is the default name for the WordPress admin account, and replace it with a username that is harder for attackers to guess.
  • Limit login attempts: Using a plugin like Limit Login Attempts, restrict the number of times a user can attempt to log in within a given period. This makes passwords much harder to brute force because attackers won’t be able to cycle through long lists of passwords rapidly.
  • Secure the server: If you manage the WordPress host server, ensure that any user and admin accounts within the operating system are secured with strong passwords and usernames. Also consider installing security-hardening frameworks like SELinux and disabling SSH or other remote access protocols on the server unless they are strictly necessary.

7. Secure wp-config.php

The wp-config.php file contains sensitive security data, such as access keys. Anyone who can view the file can potentially use this information to gain access to your entire WordPress site. Mitigate this risk by locking down access to wp-config.php within your server’s operating system. Alter file permissions so that only users and applications that need to access the file can read and write to it.

You can add further security to wp-config.php by creating a .htaccess file to deny access to the file via the web. The WordPress server will still be able to use the file, but users on the internet won’t have the ability to access it. Although wp-config.php shouldn’t be viewable over the web by default, it could be readable within a browser if you accidentally configure your web server to serve your WordPress configuration directories. By explicitly denying web access for the file inside your .htaccess configuration, you mitigate this risk.

8. Address Permissions

Beyond wp-config.php, every file in your WordPress site should be locked down with the minimal access permissions necessary. If your WordPress site is hosted on a Linux server, you can use the chmod command to apply read- and execute-only permissions to the entire WordPress installation directory for all users except the file owner, who will have full permissions:

          chmod -R 755 /path/to/wordpress

You can also mitigate vulnerabilities associated with permissions by running WordPress on a dedicated, isolated server, where accounts from other users won’t be able to gain unauthorized access to your site content.

9. Disable File Editing

Modern versions of WordPress provide convenient tools for editing configuration files, theme data, and other important information directly from the WordPress web interface. These tools can be handy for making changes to your WordPress configuration without having to log into the server. However, they create a potential security risk by making it possible for users to edit WordPress files that would otherwise be accessible only by someone who could log in directly to the host server. An attacker could potentially inject malicious code into WordPress by inserting it directly into one of these files or by calling malware from a third-party site via a PHP script.

To avoid these risks, disable file editing within WordPress by adding this line to your wp-config.php file:

          define( 'DISALLOW_FILE_EDIT', true )

10. Implement Two-Factor Authentication

Two-factor authentication requires users to enter a second credential — like a code they receive via text message — in addition to a password to log in. Enabling two-factor authentication can significantly reduce your site’s vulnerability to brute force attacks. It also prevents attackers from logging in even if they manage to steal a user’s password if they lack access to the secondary credential.

Although WordPress itself doesn’t support two-factor authentication natively, you can set it up using plugins like Duo or Rublon.

11. Get an SSL Certificate and Move to HTTPS

By default, WordPress sends web content via HTTP, which is unencrypted. That means that someone who intercepts web traffic as it travels across the internet between users and the WordPress server could potentially read sensitive information that was meant only for a specific user.

You can address this risk by switching to HTTPS, which encrypts Web traffic. Doing so requires setting up an SSL certificate for your server. Your Web hosting provider may offer tools for handling this, or you can use a free service like Let’s Encrypt. You can also set up a self-signed SSL certificate using an open source tool like OpenSSL, although your site visitors will typically receive warnings about your site being insecure if you go this route.

12. Disable Directory Indexing

When enabled, directory indexing allows website visitors to browse the contents of your web server in a way similar to browsing through local files on a computer. Visitors could then potentially access password-protected pages or other sensitive content from your WordPress site.

You can’t disable directory indexing from within WordPress itself, but you can turn it off by modifying the .htaccess file in your WordPress installation directory. Add this line to the bottom of the file to disable directory indexing:

          Options -Indexes

13. Protect Against DDoS Attacks

WordPress doesn’t offer native features to protect against DDoS attacks, which can prevent legitimate users from accessing your site. However, choosing a hosting provider with anti-DDoS capabilities can help to limit your vulnerability to these attacks. You can also mirror your WordPress installations across multiple servers, which mitigates DDoS risks.

14. Secure Your Database

Because your WordPress database contains both access credentials and almost all of your site’s content, a database breach can be crippling. Avoid database security issues by configuring your database to require a password in order to log in (on some servers, databases allow password-less login by default). You should also remove nonessential accounts and change the administrator ID to make it more difficult for attackers to guess the access credentials for your database. Use different passwords for your database and other WordPress resources as well.

Finally, regularly backing up your database will help minimize the impact of an attack if one does occur. Your hosting provider may offer tools to assist with database backup, or you can use a command-line tool on your server like mysqldump.

15. Monitor Files, Logs, and More

The first signs of a breach or attempted breach against WordPress often come in the form of changes to configuration files, repeated login failures, or the creation of unauthorized accounts. By continuously monitoring your WordPress files and logs for events like these, you can stay ahead of security breaches. Plugins like WP Activity Log make this process easy. They keep track of all changes to your WordPress site on an ongoing basis, so you can pinpoint events that are out of the ordinary.

Protect Your WordPress Site with a Team of  Experts

From malware, to database attacks, to insecure web server configurations and beyond, WordPress is subject to a dizzying array of vulnerabilities, with new ones being discovered each day. While following best practices for securing your WordPress installation and the server that hosts it can help you to manage vulnerabilities, staying on top of every potential threat can be overwhelming. Most admins have better things to do than read WordPress vulnerability advisories all day and figure out whether the warnings impact their installations.

The team of WordPress experts at Contegix can help solve this challenge. By delivering fully managed WordPress environments that are tailored to the needs of each organization it supports, Contegix helps ensure that WordPress installations are secured on day one, and that they remain secure as they evolve. And if a security issue does arise, Contegix’s unlimited support is ready to help remediate the threat, 24/7.

Contact Contegix today to learn more about how its experts can help you manage WordPress security vulnerabilities.