An Ultimate Guide for WordPress Security in 2018

WordPress Security is one of the essential and most important topic to consider for every site owner.

Every serious site owner need to pay attention to the best practices and implementation strategies for security of their WordPress site.

Even though the WordPress Core is secure and audited regularly by talented developers and community members. There is still some scope to harden the security of your WordPress site.

As a site owner, there are lots of areas you can work upon to improve security on your WordPress site ( even if you’re not a tech gig ).

In this guide, I will share all the essential and most important techniques to strengthen security of your WordPress site to help you protect it against hackers and malware.

Before proceeding further, you must know about the importance of Security and why it is essential to be implemented.

Why WordPress Security is Important?

If your website is insecure, then any hacker can easily hack your website and hamper your revenue and reputation.

Hackers are capable of stealing user information, passwords, installing malicious softwares to infect user devices, and can even get access to your sensitive information.

Worst scenarios can be that you should pay ransom amount to hackers to get access back of your website.

Every Week, Google blacklists around 40K+ websites for malware and around 70K+ for phishing.

Being an online business owner, it is your responsibility to protect your website from illegal access, similar to how you protect your physical store from theft.

WordPress Security in Quick & Easy Steps

I know that improving WordPress security can be a horrible and scary thought for beginners. Specially, if you’re not tech gig.

I’ve helped hundreds of WordPress users in hardening their WordPress security with the essential and most important steps.

I’ve hand-crafted a list of essential and most important security measures that will help you to harden WordPress security with just a few clicks and almost no coding required.

#1 Use Managed WordPress Hosting

Use Regular & Reliable Backups

Backups are essential first defensive step to fight back against any kind of WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so yours.

It allow you to quickly restore your WordPress site in case mess up, website hacked and anything bad happened.

There are so many free and paid WordPress backup plugins available that you can use. But, these backup plugin can prove to be resources intensive when it comes to site performance.

The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a safe remote location like Amazon, DropBox, Google Drive, and Stash or allow the managed WordPress hosting provider such as FlyWheel and Kinsta to do it (as they provide hack proof guarantee).

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups.

Also, backups can be easily done by using plugins like VaultPress or BackupBuddy. They are both reliable and most importantly easy to use (no coding needed).

It is your choice whether you need to backup your complete WordPress site using Plugin or Managed Hosting Providers or Both. I, personally, take backups using FlyWheel which is a hosting provider of my site.

Change Database Prefix

By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default table prefix, then will be easier for hackers to predict the table name in your site database and perform malicious activities on your site. So, I recommend you to change the table prefix of your site database for WordPress security

Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills or you can hire a developer to accomplish this point.

Use Unique WordPress Secret Keys

Use WordPress Secret Keys to ensure additional layer of WordPress Security.
Unique WordPress Secret Keys

A WordPress Secret Key is a unique, random, and complicated string of data that hashes to ensure better encryption of information stored in the form of user cookies. It makes your site harder to hack by adding random elements to the password.

Using WordPress Secret Key is very important to ensure an additional layer of security to WordPress. You can find these WordPress Secret Keys in wp-config.php file under WordPress root.

These WordPress Secret Keys are divided into 2 categories:

  • Keys, and
  • Salts

Each of these categories have four different secret keys to add additional layer of security. From these, four keys are required for the enhanced security. While other four salts are recommended, but are not required, because WordPress will generate salts automatically for you, if none are provided.

In simple words, a secret key is a password with elements that make it harder to have enough scope to break through the site security barriers.

For example, A password like “password” or “test” is simple and easily broken. A random, long password which uses no dictionary words, such as “88a7da62429ba6ad3cb3c76a09641fc” would take a brute force attacker millions of hours to crack. So, A salt is used to further enhance the security of the generated result.

You don’t have to remember these salts, instead make them long, random and complicated or simply use the online generator to generate new unique WordPress salts. You can change these at any time to invalidate all existing cookie

Disable Directory Indexing

Directory indexing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

It can also be used by other people to look into your files, copy images, find out your directory structure, and other information to create a clone of your site. Hence, I highly recommended that you turn off directory indexing on your server.

If you use any managed WordPress hosting provider like FlyWheel or Kinsta, then you’ll have Directory Indexing disabled by default which is a plus point. 

If you are using any other hosting than the managed ones, then you need to connect to your website using FTP or cPanel’s file manager. Then, locate the .htaccess file in your website’s root directory. 

After that, you need to add the below line of code at the end of the .htaccess file:

Options -Indexes

Then, save and upload .htaccess file back to your site and confirm that the directory indexing is disabled or not.

Advanced Monitoring

#2 Keep WordPress Core, Plugins & Themes Updated

WordPress is an open source web software which is regularly maintained and updated by a team of developers and contributors. By default, WordPress automatically installs minor updates. You need to manually update the major releases from WordPress.

There are thousands of plugins and themes available on WordPress Plugins and Themes directory respectively that you can install on your website with a single click. These plugins and themes are maintained by third-party developers which regularly release updates as well.

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date on your WordPress websites.

Alternatively, if you’re running out of time managing content and marketing, then I would suggest you to use services like InfiniteWP and ManageWP for automating all the updates within a single dashboard.

#3 Use Strong Passwords

The most common WordPress hacking attempts use stolen passwords or weak passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, Database, hosting account, and even for your professional email address.

The main reason behind why beginners don’t like using strong passwords is because they’re hard to remember. The good thing is you don’t need to remember passwords anymore. You can use a password manager such as DashLane and LastPass.

Another way to reduce the risk is by providing access of WordPress admin to only those persons you trust and are part of your team considering the user roles and capabilities in WordPress.

#4 Don’t use default username

Previously, the default WordPress admin username is “admin” and usernames make up half of login credentials. Hence, this made it easier for hackers to perform brute-force attacks and crack the passwords.

Thanks to WordPress since they changed this and now allows you to select a custom username at the time of installing WordPress.

However, there are certain 1-click WordPress installers, still set the default admin username to “admin”. So, I would recommend that if you notice “admin” as default username, then it’s probably a good idea to change the username of the website or switch your web hosting to a better one.

Note: I’m talking about the username called “admin”, not the administrator user role to avoid further confusion.

#5 Disable File Editing

By default, WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area.

This feature can be a considered high security risk as any unauthorized user can easily change the code of your WordPress website.

Hence, I recommend you to disable file editing. You can easily disable file editing by adding following line of code in your wp-config.php

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

#6 Limit Login Attempts

By default, WordPress allows everyone to try to login as many time as they want. Due to this behaviour, all the WordPress sites are vulnerable to brute force attacks. Hackers try to hack passwords by trying to login with different combinations.

This can be easily fixed by limiting the failed login attempts per user and then blocking the site access to IP Addresses which are trying frequent failed login attempts.

To implement login attempt limitations, you need to install and activate the Login LockDown plugin. After activating the plugin, visit Settings » Login LockDown page to configure the plugin as per your needs and frequency of brute force attacks on your WordPress website.

#7 Disable XML-RPC

XML-RPC was introduced in WordPress 3.5 and is enabled by default because it helps connecting your WordPress site with web and mobile apps.

However because of it’s powerful and vibrant nature, XML-RPC can exponentially increase the risk of the brute-force attacks to your site.

For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.

Instead with XML-RPC, a hacker can use the system.multicall function to try thousands of password with around 20 to 50 requests.

Hence, I would recommend to disable XML-RPC, if you’re not using it.

#8 Auto Logout Idle Users

Sometimes, Logged in users can go away from screen being idle instantly after login, and this poses a high security risk. Someone can hijack their session, change passwords, or make changes to their account in the mean time (specially on public computers).

This is the reason why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

You need to install and activate the Idle User Logout plugin. After activating the plugin, visit Settings » Idle User Logout page to configure plugin settings.

#9 Add Security Questions

Login screen is the most risk sensitive area for any website. Adding a security question to your WordPress login screen will make it harder for anyone to get unauthorized access to the site.

You can easily add security questions by installing the WP Security Questions plugin. After activating the plugin, you need to visit Settings » Security Questions page to configure the plugin settings.


Get instant free access to my monthly developer friendly newsletter where I'll share my best informative tips about WordPress and my Life Experiences.