WordPress security in a few easy steps

WordPress security has always been food for thought. Even though most of the latest updates deal with WordPress security issues, there is still a lot that can be done to improve that security, even by the less tech-savvy of us. Here, I’d like to enumerate some suggestions on how to improve security on your WordPress website for the best WordPress security.

New to WordPress? Don’t worry! Our FREE WordPress for beginners training is here to help. Find out how to set up your own site, learn the ins and outs of creating and maintaining it, and more. Soon you’ll be able to do it all by yourself!

Table of contents

WordPress itself has a list on WordPress security you might want to read. Of course, some of the things in that list will be repeated in the article below. Personally, I prefer a more hands-on list and direction; that’s why we decided to write this article about the best WordPress security.

Since we do not know your site, we are not sure how it will respond to these tips. We highly suggest to backup your site before trying any of the methods here. We use BlogVault for all our backup needs.

1. Don’t use admin as a username

Think about this. This is perhaps the easiest baseline step for WordPress security you can take as a WordPress user. It costs you nothing, and the install makes it easy to do. A majority of today’s attacks target your wp-admin / wp-login access points using a combination of admin and some password in what is known as Brute Force attacks. Common sense would dictate that if you remove admin, you’ll also kill the attack outright.

Yes, the argument exists that the attacker can still enumerate the user ID and Name and can in some instances pull the new username. There is no denying this. Remember, though, as our friends at Sucuri like to say, Security is not about risk elimination, it’s about risk reduction.

For the every day, automated Brute Force attack, removing the default admin or administrator username will already help a lot. You’re at least making it a bit harder for the hacker to guess the username. For the sake of clarity, understand that when we say admin we are speaking specifically to the username only and not the role.

Simply create a new user in WordPress at Users > New User and make that a user with Administrator rights. After that, delete the admin user. Don’t worry about the post or pages the admin user has already created. WordPress will nicely ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to a new user, like the one you have just created.

2. Create an editor account for yourself

In addition to the above, when you write/edit your blog posts, your “author name” shows up in the lower left-hand corner of your browser when you hover over the author name in the post. If your author name is the same as your admin name, you’ve just given any hackers half of a successful hack attempt.

The fix is simple: create a username for yourself that only has editor privileges, then anytime you log in to write and edit posts, use that name; and it will be on all your posts as a result. Your hackers will assume it’s your admin name and will waste an incredible amount of time attempting hacks with a username that only has edit privileges. What simple and great revenge on these evil people!

Also, there are security plugins for WordPress that limit login attempts and reports the hacker to your email so you can tell if there’s a hack attempt that uses your real admin name. This tells you it’s time to pay more attention to your security before they suss out the password.

3. Use a less common password

An easy thing to remember is CLU: Complex. Long. Unique.

This is where tools like 1Password and LastPass come into play, as they each have password generators. You type in the length, and it generates the password. You save the link, save the password, and move on with your day. Depending on how secure I want the password to be, I usually set length of the password (20 characters is always right) and decide on things like the inclusion of less usual characters like # or *.

‘123456’ isn’t a password. ‘qwerty’ is like writing your security code on your bank card. ‘letmein’; seriously? Shame on you. Even ‘starwars’ made the 2015 list of 25 most used passwords. Remember, you’re never as unique as you think you are…

4. Add Two-Factor Authentication

Even if you’re not using ‘admin’ and are using a strong, randomly generated password, Brute Force attacks can still be a problem. To address this, things like Two-Factor Authentication are key to helping to reduce the risk of such attacks.

Oh, I know, the hassle two-factor authentication is. But for now, it’s your Fort Knox. The essence of two-factor authentication for WordPress security is exactly as implied in the name, two forms of authentication. It’s the standard today for enhanced security at your access points.  You are already using two-factor authentication for Gmail, Paypal, and the works (at least you should be), why not add it to your WordPress security toolkit as well. Ipstenu (Mika Epstein) did an article on the subject you might want to read: Two Factor Authentication.

There is a plugin for that: Google Authenticator. An alternative that takes a slightly different approach for the same purpose is the Rublon Plugin.

5. Employ Least Privileged principles

The WordPress.org team put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to this step.

The concept of Least Privileged is simple, give permissions to:

  • those that need it,
  • when they need it and
  • only for the time they need it.

If someone requires administrator access momentarily for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.

Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles, and you’ll greatly reduce your security risk.

6. Hide wp-config.php and .htaccess

This is relatively easy to do, but doing it wrong might make your site inaccessible. Make a backup and proceed with caution. Yoast SEO for WordPress makes this process somewhat easier. Go to Tools > File Editor to edit your .htaccess.

For better WordPress security, you’d need to add this to your .htaccess file to protect wp-config.php:

<Files wp-config.php>
order allow,deny 
deny from all

That will prevent the file from being accessed. Similar code can be used for your .htaccess file itself, by the way:

<Files .htaccess>
order allow,deny 
deny from all

You can do it. It’s no rocket science.

7. Use WordPress security keys for authentication

Authentication Keys and Salts work in conjunction with each other to protect your cookies and passwords in transit between the browser and web server. These authentication keys are basically a set of random variables. That keys improve security (encryption) of information in cookies. To change this in wp-config.php, simply get a new set of keys here and add these. These keys change on a refresh of that page, so you’ll always get a fresh set.

Syed Balkhi at WPBeginner did an article on WP security keys, in case you want some more background information. The Sucuri plugin can help you with these keys as well.

8. Disable file editing

If a hacker gets in, the easiest way to change your files would be to go to Appearance > Editor in WordPress. To lift your WordPress security, you could disable writing of these files via that editor. Again, open wp-config.php and add this line of code:

define('DISALLOW_FILE_EDIT', true);

You’ll still be able to edit your templates via your favorite FTP application; you just won’t be able to do it via WordPress itself.

9. Limit login attempts

Attacks like a Brute Force attack, target your login form. Specifically for WordPress security, the All in One WP Security & Firewall plugin has an option to simply change the default URL (/wp-admin/) for that login form.

Next to that, you could also limit the number of attempts to login from a certain IP address. There are several WordPress plugins to help you to protect your login form from IP addresses that fire a multitude of login attempts your way. We haven’t tested all, but feel free to let me know your experiences.

10. Be selective with XML-RPC

XML-RPC is an application program interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful of how they implement this specific hardening tip.

While functional, disabling can come with a cost. Which is why we don’t recommend disabling for everything, but being more selective on how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here.

There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.

11. Hosting & WordPress security

In the past years of website reviews, we have had our share of website owners stating that their hosting company couldn’t help with this, or knew jack about that. Hosting companies simply see your website differently. There is no simple rule to decide on your WordPress hosting company. But the choice of a hosting company does matter when optimizing your WordPress security.

Every article written on hosting or hosting companies seems to start by telling you that the cheapest one is probably not the best one. Most cheaper hosting plans won’t have support to help you out with a hacked site. These plans include little to secure your website, like for instance set up a Website Firewall (more on the Sucuri Website Firewall later). Shared hosting, for instance, does imply that your hosting server is also the home of other websites. These might have security issues of their own, which in turn might affect your own website’s security as well.

WordPress security seems to be one of the main USPs offered in specialized WordPress hosting products, like the one offered by GoDaddy. They offer backups, redundant firewalls, malware scanning and DDoS protection and automatic WordPress updates for very reasonable pricing (understatement).

Be mindful of host account

One of the biggest challenges with hosts is in their account configuration for website owners. Website owners can install and configure as many websites as they want, and this fosters “soup kitchen”-like environments.

This is challenging because, in many instances, a website will be compromised via a concept known as cross-site contamination in which a neighboring site is used as the attack vector. The attacker penetrates the server, then moves laterally into neighboring sites on the server.

The best way to account for this is to create two accounts. One account which you treat as a production environment – only live sites are on this one – and a staging one, in which you put everything else.

11. Stay up-to-date

Staying up-to-date is an easy statement to make, but for website owners in the day-to-day, we realize how hard this can be. Our websites are complex beings. They have 150 different things happening at any given time, and sometimes it’s difficult to apply the changes quickly. A recent study shows that 56% of WordPress installations were running out of date versions of core.
Updates need to extend beyond WordPress core. The same study shows that a very large percentage of the website hacks came from out-of-date, vulnerable, versions of plugins.

This can be compounded in really complex environments in which dependencies make it so that backups can’t be achieved. This is why we personally employ Sucuri’s Firewall. This firewall virtually patches and hardens our website at the edge. It gives us the time we require to go back and apply updates in a more reasonable time frame, allowing us to test in our staging environments first, and only then push to production.

12. Best WordPress security plugins & themes

Most WordPress users tend to apply themes and plugins at will to their posts. Unless you’re doing this on a test server for the sole purpose of testing that theme or plugin, that makes no sense, especially not with reference to WordPress security. Most plugins and a lot of themes are free, and unless you have a solid business model to accompany these free giveaways. If a developer is maintaining a plugin just because it’s good fun, chances are he or she did not take the time to do proper security checks.

We teamed up with Sucuri years ago, to make sure every plugin is checked for security before release, and we have an agreement with them for ongoing checks as well. If you are creating a free theme or free plugin, you might not have the resources to add solid checks like that.

How to pick the right plugin

Ratings on WordPress.org example

If you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.

Let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a possible vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin. WordPress.org shows ratings, but one five star rating won’t tell you anything, so also check the number of ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you could decide to use it too.

WordPress 4.5.2 compatible example

There is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. That doesn’t mean it’s a bad plugin, it could also mean there hasn’t been a need to update it, simply because the plugin still works. The ratings will tell you that, and the compatibility with the current WordPress version, which is also shown on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.

Based on these ratings and compatibility, you could pick your plugins less random and have a larger chance of some kind of security being added.

Contact Sucuri


I’ve already mentioned our friends at Sucuri. Daniel and Tony have done a tremendous job on our plugins and have helped on several hacked websites in the past. If you’re not familiar with these gentlemen, they are the owners and managers of Sucuri.

Sucuri is a globally recognized website security company known for their ability to clean and protect websites, bringing peace of mind to website owners, including us here at Yoast.
We’ve partnered with Sucuri because we take security very seriously, it’s not and should not be an afterthought. There is a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge beyond the application. What Daniel and Tony have built is a product/service that lets you get back to running your business. They are our partners, the security team we lean on when we need help the most. And you can too. For instance, if you are using WordPress, please read their WordPress guide on how to clean a hacked WordPress site.

Failing to take the necessary precautions for your WordPress security, and leveraging the experts can lead to malware infections, branding issues, Google blacklists and possibly have huge impacts to your SEO (something dear to our hearts). Because of this, we turn to them for our needs, like they turn to us for website optimization.

Here is a webinar Sucuri put together on how websites get hacked:

A lot of the suggestions in this article can be dealt with by installing and configuring their free Sucuri Scanner plugin for WordPress or hiring them to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information, and check your site now to see if you have been infected with malware or have been blacklisted.

Moreover, Sucuri created an infographic on what to do when your site does get hacked:

how to fix a hacked website

Yoast recommends Sucuri

If you are serious about your website, you are serious about your security. Get the complete security package of Website Security Stack now:

Get your Sucuri Website Security Stack NOW.

Don’t forget logs & monitoring

So far, we’ve seen how to harden a WordPress site. However, since WordPress security is not an absolute (sites are always evolving by changing functionality and users) there is another aspect to WordPress security: logging and monitoring. Audit logs, or activity logs, are a chronological record of events and changes that happened on your website. In the audit logs you can find information on who logged in to your site, installed or updated a plugin, changed the content, changed the site’s settings and more.

By keeping an audit log on your WordPress site you ensure user accountability, ease troubleshooting of technical issues and spot attacks before or as they happen, allowing you to take evasive action to stop them. Audit logs are also used for forensics, to find out what went wrong in the unfortunate case of a successful hack. To keep an audit log on your WordPress site you need to install a plugin such as WP Security Audit Log.

There are several other things you should keep an eye on. For example, if you use Sucuri you’ll get a weekly traffic report with details on what was blocked and allowed. You can learn a lot from it, as well as from your website’s analytics and traffic patterns.

Closing thoughts

If you have come this far in this article, you will have no excuse not to improve the WordPress security for your website. Like adding posts and pages, checking your WordPress security should be a routine for every WordPress site owner.

This isn’t the full list of all the things you can do to secure your website. I am aware that one should, for instance, create regular backups, and keep a log of all the activity that happens on a site.

Logs are particularly valuable, as they help with accountability, assist in identifying attacks before they happen, and can also be used for forensics – to find out what happened and what was the damage done in the unfortunate case of a hack attack.

Most logging plugins (like WP Security Audit Log) not only keep an activity log, but also allow you to setup email notifications for when important changes happen on your site.

I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s on us to make it harder for the hackers!

Tony, thanks again for your input and additions to this article!

Read more: 5 things to do after a hack »

Free: WordPress for beginners training

  • Find out how to set up your own WordPress site
  • Learn everything about creating and maintaining a WordPress site
  • Plus: learn all about WordPress, like its history and its open-source community
  • Free online & on-demand training by Yoast
More info