WordPress for beginners:

WordPress security in a few easy steps

If you’re working with or using WordPress, then you should always be thinking about your site’s security. WordPress isn’t any more or less secure than any other platform, but the number of users, plugins and third party addons make it a common target for attackers. Don’t worry, though, there are some basic steps you can take to keep your site safe (even if you’re not very tech-savvy)!



1. Don’t use ‘admin’ as a username

Most WordPress ‘hacks’ and attacks don’t do anything more sophisticated than try to brute-force their way into your admin area by guessing your password. That’s much easier for them to do if they don’t also have to guess your admin username! Avoiding common words (like ‘admin’) for your usernames can make brute force attacks much less effective.

If you’re working with an older site which already has an ‘admin’ user, it might be time to delete that account and transfer any content or access to a more secure username!

2. Use a complex password

Having a better password can make it much harder to guess or to brute-force.

An easy thing to remember is CLU: Complex. Long. Unique.

But longer, unique passwords can be hard to remember, right? That’s where tools like 1Password and LastPass come into play, as they each have password generators. You type in the length, and it generates the password. You save the link, save the password, and move on with your day. Depending on how secure you want the password to be, it’s sensible to set a long password (20 characters is good) and decide on things like the inclusion of less usual characters like # or *.

3. Add two-factor authentication

Even if you’re not using ‘admin’ and are using a strong, randomly generated password, brute force attacks can still be a problem. Don’t worry, though – two-factor authentication can help to protect you.

The principle is that, rather than just entering your login details, you also need to confirm that you’re you by entering a one-time code from another device you own (usually an app on your phone). That’s much harder for attackers to fake!

Two popular plugins for handling two-factor authentication in WordPress are Google Authenticator, and Rublon Plugin (which takes a slightly different approach). Just make sure that you don’t lose your backup codes, or you might find yourself locked out.

4. Employ least privilege principles

The WordPress.org team put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to this step.

The concept of least privilege is simple: give permissions to

  • those that need it,
  • when they need it and
  • only for the time they need it.

If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.

Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles, and you’ll greatly reduce your security risk.
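The "only for the time they need it" part of the rule above is the one that is usually forgotten: an account elevated for a quick configuration change tends to stay an administrator forever. Below is an added example (not code from the original post, and not a Yoast or WordPress feature) of a small must-use plugin that grants the administrator role with an expiry time and hands the previous role back automatically. The meta keys, function names and the hourly WP-Cron event are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Time-boxed administrator access (added example, not from the original post)
 * Description: Grants a user the administrator role until a deadline, then restores
 *              the previous role. Save as wp-content/mu-plugins/temp-admin.php.
 *              Meta keys, function and event names are this example's own assumptions.
 */

const TEMP_ADMIN_META = '_temp_admin_until';     // unix timestamp when access expires
const TEMP_ADMIN_PREV = '_temp_admin_prev_role'; // role to restore afterwards

/** Elevate $user_id to administrator for $hours, remembering the role to restore. */
function temp_admin_grant(int $user_id, int $hours = 2): bool
{
    $user = get_userdata($user_id);
    if (!$user || in_array('administrator', (array) $user->roles, true)) {
        return false; // unknown user, or already a permanent administrator
    }
    $previous = (array) $user->roles;
    update_user_meta($user_id, TEMP_ADMIN_PREV, $previous[0] ?? 'subscriber');
    update_user_meta($user_id, TEMP_ADMIN_META, time() + $hours * HOUR_IN_SECONDS);
    $user->set_role('administrator');
    return true;
}

/** Run hourly by WP-Cron: demote every temporary administrator whose window has passed. */
function temp_admin_expire(): int
{
    $expired = get_users([
        'role'         => 'administrator',
        'meta_key'     => TEMP_ADMIN_META,
        'meta_value'   => time(),
        'meta_compare' => '<=',
        'meta_type'    => 'NUMERIC',
    ]);
    foreach ($expired as $user) {
        $previous = get_user_meta($user->ID, TEMP_ADMIN_PREV, true) ?: 'subscriber';
        $user->set_role($previous);
        delete_user_meta($user->ID, TEMP_ADMIN_META);
        delete_user_meta($user->ID, TEMP_ADMIN_PREV);
    }
    return count($expired);
}

// Hook the expiry routine to a recurring event, scheduling it once if it is missing.
add_action('temp_admin_expire_event', 'temp_admin_expire');
add_action('init', function () {
    if (!wp_next_scheduled('temp_admin_expire_event')) {
        wp_schedule_event(time(), 'hourly', 'temp_admin_expire_event');
    }
});
```

An administrator would call `temp_admin_grant( $user_id, 2 )` (for example from WP-CLI’s `wp eval`) to hand out two hours of access. Note that WP-Cron only runs when the site receives traffic, so on a quiet site the demotion can lag until the next visit; a real system cron calling `wp-cron.php` makes the deadline reliable.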

5. Hide wp-config.php and .htaccess

These files are critical to your WordPress security – they often contain your system credentials, and expose information about your site’s structure and configuration. Ensuring that attackers can’t gain access to them is vital.

Hiding them is relatively easy to do, but doing it wrong might make your site inaccessible. Make a backup and proceed with caution. Yoast SEO for WordPress makes this process somewhat easier. Go to “Tools > File Editor” to edit your .htaccess.

For better WordPress security, you’d need to add this to your .htaccess file to protect wp-config.php:

# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
<Files wp-config.php>
order allow,deny
deny from all
</Files>

That will prevent the file from being accessed. Similar code can be used for your .htaccess file itself, by the way:

# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
<Files .htaccess>
order allow,deny
deny from all
</Files>

6. Use WordPress security keys for authentication

‘Authentication keys’ and ‘salts’ are a set of random strings, unique to your website, which strengthen the cryptographic protection of the information stored in your login cookies.

Your wp-config.php file has a dedicated area where you can provide your own values (simply get a new set of keys from the WordPress.org secret-key generator, and paste them in).

7. Disable file editing

If a hacker gets in, the easiest way to change your files would be to go to “Appearance > Editor” in WordPress. To improve your WordPress security, you could disable writing of these files via that editor. Again, you can do this from within your wp-config.php file by adding this line of code:

define('DISALLOW_FILE_EDIT', true);

You’ll still be able to edit your templates via your favorite (S)FTP application; you just won’t be able to do it via WordPress itself.
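Steps 6 and 7 both end up in wp-config.php, so here they are together as an added example (not code from the original post). The salt values are placeholders that must be replaced with a freshly generated set; the commented-out `DISALLOW_FILE_MODS` line is a stricter option that the post does not mention, included with its caveat.

```php
<?php
// Added example (not from the original post): hardening lines for wp-config.php.
// Put them above the "That's all, stop editing! Happy publishing." line.

// Step 6: security keys and salts. Replace every placeholder with a value from
// https://api.wordpress.org/secret-key/1.1/salt/ so each one is unique to this site.
define('AUTH_KEY',         'REPLACE-WITH-GENERATED-VALUE');
define('SECURE_AUTH_KEY',  'REPLACE-WITH-GENERATED-VALUE');
define('LOGGED_IN_KEY',    'REPLACE-WITH-GENERATED-VALUE');
define('NONCE_KEY',        'REPLACE-WITH-GENERATED-VALUE');
define('AUTH_SALT',        'REPLACE-WITH-GENERATED-VALUE');
define('SECURE_AUTH_SALT', 'REPLACE-WITH-GENERATED-VALUE');
define('LOGGED_IN_SALT',   'REPLACE-WITH-GENERATED-VALUE');
define('NONCE_SALT',       'REPLACE-WITH-GENERATED-VALUE');

// Step 7: remove the theme and plugin code editor from the dashboard.
define('DISALLOW_FILE_EDIT', true);

// Stricter variant: also block installing and updating plugins and themes from the
// dashboard (and automatic updates). Only enable this when code reaches the server
// another way, such as SFTP, git or WP-CLI, because the update buttons disappear too.
// define('DISALLOW_FILE_MODS', true);

// Send login and admin traffic over HTTPS only (requires a working TLS certificate).
define('FORCE_SSL_ADMIN', true);
```

Changing the salts logs every user out, because existing cookies no longer validate; that is also why rotating them is a sensible first step after a suspected compromise.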

8. Limit login attempts, and hide your login

Brute-force attacks usually target your login form. So changing where that lives can make it harder for attackers to get in. The All in One WP Security & Firewall plugin has an option to simply change the default URL (from /wp-admin/).

Next to that, you could also limit the number of attempts to log in from a certain IP address. There are several WordPress plugins to help you to protect your login form from IP addresses that fire a multitude of login attempts your way.
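Rate-limiting plugins decide whom to block from the same evidence you can read yourself in the web server’s access log. The following added example (not code from the original post) scans combined-format access-log lines for IPs that repeatedly POST to wp-login.php; a failed WordPress login re-renders the form with HTTP 200, while a successful one redirects with 302, so only the 200 responses are counted. The log lines are constructed sample data and the threshold is an assumption.

```php
<?php
// Added example, not code from the original post: find client IPs hammering the
// login form in a combined-format (Apache/Nginx) access log.

/**
 * Return [ip => failed_count] for every client IP with more than $threshold
 * failed POSTs to wp-login.php, busiest first. $lines are raw access-log lines.
 */
function wp_login_bursts(array $lines, int $threshold = 10): array
{
    $counts = [];
    // ip ident user [time] "METHOD path proto" status size "referer" "agent"
    $pattern = '~^(\S+) \S+ \S+ \[[^\]]+\] "POST /wp-login\.php[^"]*" (\d{3}) ~';
    foreach ($lines as $line) {
        // Only a 200 means the form came back, i.e. the credentials were rejected.
        if (preg_match($pattern, $line, $m) && $m[2] === '200') {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    $bursts = array_filter($counts, function (int $n) use ($threshold) {
        return $n > $threshold;
    });
    arsort($bursts);
    return $bursts;
}

// Constructed sample log: 203.0.113.7 guesses passwords, 198.51.100.5 logs in normally.
$sample = [];
for ($i = 0; $i < 40; $i++) {
    $sample[] = sprintf(
        '203.0.113.7 - - [10/Oct/2016:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"',
        $i
    );
}
$sample[] = '198.51.100.5 - - [10/Oct/2016:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"';
$sample[] = '198.51.100.5 - - [10/Oct/2016:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"';

foreach (wp_login_bursts($sample) as $ip => $n) {
    echo "$ip: $n failed logins, candidate for a firewall block\n";
}
```

Run with `php wp-login-bursts.php` after saving the block; on a real server, feed it `file('/var/log/apache2/access.log')` instead of the sample array. Tools such as fail2ban automate exactly this loop (read the log, count failures per IP, add a firewall rule), which is why hosts that support it are worth the money discussed in step 10.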

9. Be selective with XML-RPC

XML-RPC is an application programming interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful of how they implement this specific hardening tip.

While XML-RPC is functional, disabling it can come with a cost, which is why we don’t recommend disabling it for everything; instead, be more selective about how and what you allow to access it. If you use Jetpack in WordPress, you’ll want to be extra careful here, since Jetpack relies on XML-RPC.

There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.
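The plugins mentioned above are configuration front-ends for two WordPress filters, and the selective approach can be expressed directly with them. The added example below (not code from the original post) is a must-use plugin that keeps XML-RPC available for Jetpack and the mobile apps but removes the methods that carry most of the abuse: pingbacks (used for reflection attacks against third parties) and `system.multicall` (which lets one HTTP request carry hundreds of login attempts, sidestepping per-request limits). The file name is an assumption.

```php
<?php
/**
 * Plugin Name: Selective XML-RPC hardening (added example, not from the original post)
 * Description: Leaves XML-RPC enabled for Jetpack and mobile clients but removes the
 *              most-abused methods. Save as wp-content/mu-plugins/xmlrpc-hardening.php.
 */

// Remove pingback methods (reflection abuse) and system.multicall (batched
// password guessing). Every other method, including what Jetpack uses, stays.
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    unset($methods['system.multicall']);
    return $methods;
});

// Stop advertising the endpoint: WordPress adds an X-Pingback header to every page.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});

// If you later decide nothing legitimate needs authenticated XML-RPC at all, this
// single filter turns those methods off (unauthenticated ones such as pingbacks
// are governed by the xmlrpc_methods filter above, not by this one).
// add_filter('xmlrpc_enabled', '__return_false');
```

After activating it, a quick check is to POST a `system.listMethods` call to `/xmlrpc.php` from your own machine and confirm that `pingback.ping` and `system.multicall` are no longer listed while the `jetpack.*` methods still are.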

10. Hosting & WordPress security

Even if you’re meticulous when it comes to the security of your website, if it’s hosted by a company that isn’t just as meticulous, you may as well not have done anything at all.

If an attacker can gain access to your website hosting, then they can take complete control of everything. That means it’s really important that you choose (or move to) a host which takes hosting seriously. Cheaper hosting options often won’t come with good security or backups, or might not offer support to help you clean up a hacked site.

Shared hosting (which is common on cheap packages) is often particularly risky, as attackers might be able to gain access to your site via another compromised site on the same system. That’s why we always recommend that serious users spend a little more on hosting, and use a company with a great reputation for specialized WordPress hosting (e.g., GoDaddy or WP Engine).

11. Stay up-to-date

Staying up-to-date is an easy statement to make, but for website owners in the day-to-day, we realize how hard this can be. Our websites are complex beings. They have many different things happening at any given time, and sometimes it’s difficult to apply the changes quickly. A recent study shows that 56% of WordPress installations were running out-of-date versions of WordPress core.

But it’s not just WordPress itself which needs to stay up to date – the same study shows that a very large percentage of the website hacks came from out-of-date, vulnerable, versions of plugins.

It’s critical that updating your themes, plugins, software and other components is part of an ongoing routine; otherwise you’re leaving the door open to attackers.

12. Put more security layers in place

The best security solutions prevent attackers from ever getting anywhere near your website. That’s why we recommend that most sites run some kind of WordPress firewall plugin. These plugins look for known attackers and common attack patterns, and stop them before they have a chance to compromise your site.

It’s also worth considering that many Content Delivery Networks (CDNs) now include firewall functionality, combining performance optimization with protection. Cloudflare, in particular, does a great job of blocking ‘bad traffic’, and even has rules and scans specifically developed to protect WordPress sites.

13. The best WordPress security plugins & themes

Most WordPress users tend to install themes and plugins at will on their sites. Unless you’re doing this on a test server for the sole purpose of testing that theme or plugin, that makes no sense, especially not with reference to WordPress security. Most plugins and a lot of themes are free, and unless there is a solid business model to accompany these free giveaways, the developer has little reason to invest in security. If a developer is maintaining a plugin just because it’s good fun, chances are he or she did not take the time to do proper security checks.

We teamed up with Sucuri years ago, to make sure every plugin is checked for security before release, and we have an agreement with them for ongoing checks as well. If you are creating a free theme or free plugin, you might not have the resources to add solid checks like that.

How to pick the right plugin

[Image: ratings on WordPress.org example]

If you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.

Let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a possible vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin. WordPress.org shows ratings, but one five star rating won’t tell you anything, so also check the number of ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you could decide to use it too.

[Image: “Compatible up to WordPress 4.5.2” example]

There is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. That doesn’t mean it’s a bad plugin, it could also mean there hasn’t been a need to update it, simply because the plugin still works. The ratings will tell you that, and the compatibility with the current WordPress version, which is also shown on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.

Based on these ratings and compatibility, you could pick your plugins less randomly and have a larger chance of some kind of security being added.

Contact Sucuri


I’ve already mentioned our friends at Sucuri. Daniel and Tony have done a tremendous job on our plugins and have helped on several hacked websites in the past. If you’re not familiar with these gentlemen, they are the owners and managers of Sucuri.

Sucuri is a globally recognized website security company known for their ability to clean and protect websites, bringing peace of mind to website owners, including us here at Yoast.

We’ve partnered with Sucuri because we take security very seriously; it’s not, and should not be, an afterthought. There is a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge, beyond the application. What Daniel and Tony have built is a product/service that lets you get back to running your business. They are our partners, the security team we lean on when we need help the most. And you can too. For instance, if you are using WordPress, please read their WordPress guide on how to clean a hacked WordPress site.

Failing to take the necessary precautions for your WordPress security, and to leverage the experts, can lead to malware infections, branding issues, Google blacklists and possibly huge impacts on your SEO (something dear to our hearts). Because of this, we turn to them for our needs, like they turn to us for website optimization.

[Embedded video: a Sucuri webinar on how websites get hacked]

A lot of the suggestions in this article can be dealt with by installing and configuring their free Sucuri Scanner plugin for WordPress or hiring them to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information, and check your site now to see if you have been infected with malware or have been blacklisted.

Moreover, Sucuri created an infographic on what to do when your site does get hacked:

[Infographic: how to fix a hacked website]


Don’t forget logs & monitoring

So far, we’ve seen how to harden a WordPress site. However, since WordPress security is not an absolute (sites are always evolving by changing functionality and users) there is another aspect to WordPress security: logging and monitoring. Audit logs, or activity logs, are a chronological record of events and changes that happened on your website. In the audit logs you can find information on who logged in to your site, installed or updated a plugin, changed the content, changed the site’s settings and more.

By keeping an audit log on your WordPress site you ensure user accountability, ease troubleshooting of technical issues and spot attacks before or as they happen, allowing you to take evasive action to stop them. Audit logs are also used for forensics, to find out what went wrong in the unfortunate case of a successful hack. To keep an audit log on your WordPress site you need to install a plugin such as WP Security Audit Log.
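To make concrete what an activity log actually records, here is an added example (not code from the original post, and a tiny fraction of what WP Security Audit Log covers) of a must-use plugin that writes the events named above as one JSON object per line to the PHP error log, and emails the site administrator when a new administrator account appears. The event names and file name are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Minimal audit log (added example, not from the original post)
 * Description: Writes security-relevant events as JSON lines to the PHP error log.
 *              Save as wp-content/mu-plugins/audit-log.php. Event names are
 *              this example's own; a real audit plugin records far more.
 */

function audit_log_event(string $event, array $data = []): void
{
    $record = array_merge([
        'ts'    => gmdate('c'),
        'event' => $event,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'actor' => get_current_user_id(), // 0 when nobody is logged in yet
    ], $data);
    // One JSON object per line is easy to grep on the server or ship to a SIEM.
    error_log('wp-audit ' . wp_json_encode($record));
}

// Who logged in, and from which address.
add_action('wp_login', function (string $login, WP_User $user) {
    audit_log_event('login.success', ['user' => $login, 'user_id' => $user->ID]);
}, 10, 2);

// Failed logins: the raw signal behind "limit login attempts" (step 8).
add_action('wp_login_failed', function (string $login) {
    audit_log_event('login.failed', ['user' => $login]);
});

// Plugin activation and deactivation: a common first move after a compromise.
add_action('activated_plugin', function (string $plugin) {
    audit_log_event('plugin.activated', ['plugin' => $plugin]);
});
add_action('deactivated_plugin', function (string $plugin) {
    audit_log_event('plugin.deactivated', ['plugin' => $plugin]);
});

// Role changes tie back to least privilege (step 4).
add_action('set_user_role', function (int $user_id, string $role, array $old_roles) {
    audit_log_event('user.role_changed', [
        'user_id' => $user_id, 'new_role' => $role, 'old_roles' => $old_roles,
    ]);
}, 10, 3);

// A brand-new administrator account deserves an immediate notification.
add_action('user_register', function (int $user_id) {
    $user = get_userdata($user_id);
    if ($user && in_array('administrator', (array) $user->roles, true)) {
        audit_log_event('user.admin_created', ['user_id' => $user_id, 'user' => $user->user_login]);
        wp_mail(
            get_option('admin_email'),
            'New administrator account on ' . home_url(),
            "User {$user->user_login} was created with the administrator role."
        );
    }
});
```

With this in place, `grep 'wp-audit' /path/to/php-error.log | grep login.failed` gives the same per-IP picture as the access-log scan in step 8, but with the attempted usernames included, which quickly shows whether someone is still guessing ‘admin’ (step 1).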

There are several other things you should keep an eye on. For example, if you use Sucuri you’ll get a weekly traffic report with details on what was blocked and allowed. You can learn a lot from it, as well as from your website’s analytics and traffic patterns.

Closing thoughts

If you have come this far in this article, you will have no excuse not to improve the WordPress security for your website. Like adding posts and pages, checking your WordPress security should be a routine for every WordPress site owner.

This isn’t the full list of all the things you can do to secure your website. I am aware that one should, for instance, create regular backups, and keep a log of all the activity that happens on a site.

Logs are particularly valuable, as they help with accountability, assist in identifying attacks before they happen, and can also be used for forensics – to find out what happened and what was the damage done in the unfortunate case of a hack attack.

Most logging plugins (like WP Security Audit Log) not only keep an activity log, but also allow you to set up email notifications for when important changes happen on your site.

I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s on us to make it harder for the hackers!

Tony, thanks again for your input and additions to this article!

Read more: 5 things to do after a hack »
