The Ultimate Guide to WordPress Security

December 27, 2016

Website security is often an overlooked aspect of managing your WordPress site. It is more important than ever that you take the necessary steps to properly secure your site, protecting you and your website’s visitors in the unfortunate event of a security breach.

Why Security is Important

The threat landscape is increasing, affecting more websites faster than ever before. Earlier this year, Google reported that over 50 million websites have been greeted with warnings that website visitors were attempting to install malicious software (malware) or trying to steal information.

The fact of the matter is that most websites are not secure. Roughly three out of four websites contain security vulnerabilities that put users at risk due to web administrators failing to keep on top of their security protocols. As a result, Google blacklists approximately 30,000 websites for containing malware and another 50,000 for detecting phishing per day!

Most WordPress users feel that securing their website is a daunting task that they are not qualified to take on. Good news! We’re here to tell you that it is not that difficult. Follow the best practices outlined in this step-by-step guide to WordPress security to learn how you can secure your WordPress site.

It’s Not Personal, But You’re a Target!


WordPress powers more than 27% of all websites, making it the most popular content management system (CMS) in the world (by a landslide). Despite the array of benefits associated with the WordPress platform, WordPress websites are vulnerable. According to WP White Security, more than 70% of WordPress sites are vulnerable to attacks.

Despite how familiar with hacking you think you might be from binge watching Mr. Robot, the real hacking world is quite different. At face value, hackers aren’t that sophisticated, but rather they rely on third party software that scours the internet looking for websites with known vulnerabilities (aka the low-hanging fruit) in an attempt to exploit them. Since hacking is automated, it is not prejudiced to the amount of traffic or popularity of the site, but instead how vulnerable it is.

The impact to WordPress users stems from these exploitation attempts against vulnerable software, such as outdated plugins and themes, as well as improper user management of their WordPress account.

While there is no special formula to guarantee that you will not get hacked, there are certain steps you can take to significantly lower your risk and, in the unfortunate case that an event does occur, ensure you quickly recover with minimal damages.

WordPress Security Best Practices


In this detailed guide, we’ll provide you with the best practices to ensure that your site is safe and free of vulnerabilities. At first glance, this looks long and overwhelming. Don’t worry, we’ve simplified each process and offer WordPress tools and resources to simplify the process. Your time spent on hardening your WordPress website is well worth it in the long run.


Select a Reliable Host


The path to a secure and healthy website begins with a reliable hosting company. If you choose to use shared hosting, we recommend that you use a well-known provider with a reliable reputation. For example, Bluehost and Hostgator are great selections since they include basic security protocols.

According to WP White Security, 41% if hacks are through a security vulnerability on their hosting platform

If you use a virtual private server (VPS) or dedicated server, it is important that you make sure your server is up-to-date and that all potential vulnerabilities are addressed. For example, if your server uses Web Host Manager (WHM) and cPanel, you’ll want to ensure that auto updates are turned on.

If you do not use a WHM, check with your hosting company to see if you are responsible for maintaining updates and if there is are other settings to reduce potential vulnerabilities. Unless you have a fully managed service agreement in place, it’s likely that you are responsible for maintaining updates.

In addition, whenever possible try to use a server that supports Secure File Transfer Protocol (SFTP). An SFTP is a network protocol that encrypts the stream of all data that is transferred between your computer and the server, including your password.

Many people stick to using an FTP, which is fine, but error on the side of caution and always connect to your server on a secure, private network (NEVER connect to your server over a public network).

[back to top]

WordPress Updates


WordPress is by far the best open-source content management system. Open source software has its many advantages; however, it is a double-edged sword. Since the code is publicly available, cybercriminals have access to the code. As such, they can reverse engineer the code and quickly discover vulnerabilities.

The security impact to WordPress users stems from exploitation attempts against vulnerable software, specifically in outdated plugins and themes–the number one reason why WordPress sites get hacked–alongside mismanaged settings and lack of hardening techniques from administrators.

According to a report by WP White Security, 51% of attacks were made through an outdated WordPress plugin or theme.

WordPress plugins and themes are frequently coming out with updates. While some of these updates include feature enhancements and bug fixes, many of these updates are known as “security releases” and intended to patch a known vulnerability.

The longer you go without performing updates, the more vulnerable your site is to getting hacked. As a rule of thumb, we recommend that you log in at least twice a week to check for updates. Better yet, just enable automatic updates for your site.

In the case that you have installed third-party commercial (paid) plugins or themes, it is important to make sure all required licenses are installed. As with all plugins and themes, third-party plugins and themes are frequently coming out with updates. If you don’t install a licensed version, you will not have access to the updates and probably won’t be notified if and when updates become available.

If you’re running a theme that came pre-packed with paid plugins, keep in mind that you may not have a license for that plugin. Don’t rely on the theme developer to push an update for all the complimentary plugins that came with their theme. With that said, it might be worth purchasing the plugin (if applicable). This way you’ll have a valid license and be notified when updates are released.

[back to top]

Managing Plugins


We know it is tempting, there are so many shiny plugins available at the click of the mouse. Most plugins are free and add increased functionality to your site in a matter of seconds.

Unfortunately, plugins are the leading cause of vulnerabilities in WordPress. We won’t tell you not to use plugins, that’s just silly. Plus, we think plugins are great! However, we will provide you with a short list of security best-practices with regard to plugins.

To make your WordPress website more secure and reduce vulnerabilities, keep an eye out for following when installing and activating plugins.

  • Take a Look Around: Evaluate all your options–free and paid. There are nearly 50,000 plugins available in the WordPress Plugin Directory, so there are countless options to choose from. In addition, plugins are available from third-party sources–both free and paid–so see what’s out there. Note: not all plugin developers list their plugin(s) through the directory.
  • Last Update: Check to see when the plugin was last updated. If it has been more than a couple months, you might want to consider one of the many alternative options.
  • Download Count: The more times the plugin has been installed, the quicker vulnerabilities are detected. Plugins with more installs are typically more responsive to patches and updates that keep the plugin–and the user’s website–secure.
  • Comments: Read the latest comments. Even if the plugin has great ratings, it doesn’t mean there haven’t been problems. Be cautious, low reviews or complaints are often disguised by positive reviews.
  • Delete Unused Plugins: If you’re not using a plugin, delete it! Unused, inactive plugins are a hazard. Plus, nobody wants old expired code sitting on their server.
  • Check its History: If you’re still hesitant about a must-have plugin, you can always check its history online to see if it has a track record of vulnerabilities. Visit and search the name of a plugin. If the plugin has a bad track-record, consider another option.

[back to top]

Planet WP Security Toolbox Plugin


While on the topic of WordPress plugins, we encourage that you download the Planet WP Security Toolbox plugin. In an effort to simplify the WordPress security best practices, we created a robust security plugin that provides you with the ability to easily enable/disable security measures.

The Security Toolbox plugin is a great resource for new users that want to secure their WordPress website. Its user-friendly interface is perfect for those that aren’t familiar with advanced security settings or coding. The Security Toolbox hardens your WordPress website by fixing common vulnerabilities thereby preventing automated attacks. Best of all, you can implement the changes from within the WordPress Dashboard.

[back to top]

Pick a strong Password


A strong password is a good password. A weak password–especially the default assigned password–can expose your WordPress site to security vulnerabilities.

This may seem like a no-brainer; yet for some reason, the top two passwords in 2016 were “password” and “123456”. C’mon now!

When choosing a password, we recommend the following parameters:

  • Be no less than 12 characters long
  • Consist of uppercase and lowercase letters
  • Include numbers
  • Have at least one special character (e.g.: $, &, %)

[back to top]

User Roles: New Admin Account


A popular way hackers gain access to your website is a technique known as a ‘brute force’ attack. In this type of attack, a hacking software attempts to log in as the administrator by entering millions of password combinations.

Getting ahold of the admin username is half the battle, so change your admin username from “admin”–the default WordPress username–to something unique. Brute force attacks are nearly impossible unless they can somehow get access to your new username.

The easiest way to change your admin username is to create a new admin account from your existing one. After creating a new account with a unique username, log out and log into the new admin account. Navigate to Users > All Users from the navigation menu, select the old admin account and delete it (Bulk Actions > Delete > Apply). Don’t worry about losing any content created by the original admin account. WordPress will ask you “What should be done with content owned by this user?” Select Attribute all content to: and select the new admin account you created from the drop-down menu.

We also recommend that you limit the number of admin accounts to the least amount possible, preferably one. Every admin account is a potential security liability. Consider the assigned capabilities of other users when assigning new roles. For example, the Editor role will likely provide others with enough access. To learn more about user roles, check out our Understanding User Roles video tutorial.

[back to top]

Preventing Brute Force Attacks

Limit Failed Login Attempts


Another method to prevent a brute force attack is to limit the number of failed login attempts allowed before the site locks the user out for a period of time, such as 15 minutes.

For simplicity, we’ve added this functionality to our Planet WP Security Toolbox plugin. After installing the plugin, go to Security Toolbox > Brute Force and choose your desired settings. The default setting will suffice, but feel free to customize them to your likely.

Hide The Login Page


Most brute force attacks occur by hackers gaining access your /wp-admin login page. To prevent this, we can require additional parameters to the login page. When hackers attempt to access the /wp-admin page directly they will be presented with a ‘404 error’ page rather than the traditional login page.

Let’s take a closer look. Normally you would log into WordPress by visiting the following:

It doesn’t take a black hat hacker to find this. Rather than the default URL, we can change it to:

The key and password parameters are completely customizable. These act as a secondary username and password requirement to access the login page.

You can implement this change through the Planet WP Security Toolbox. Go to Security Toolbox > Login and check the option to Hide The Login Page. Type in your desired key and password. Click Save.

We also recommend you check the option to Email me when someone accesses my login. This will send you an email when a user visits the default /wp-admin login page (not the specified key and password login page).

Another option is to Email Me When an Admin Logs In. This will send you an email every time an admin logs into WordPress. This can help you catch a hacker dead in their tracks.

[back to top]

Change the Default Database Prefix

The default database prefix is _wp. Using the default database prefix makes it easier for hackers to execute what is known as an SQL (structured query language) injection. Your database–and all its content–will be fully exposed if a hacker gains access to your site through an SQL injection,

Thankfully, changing the database prefix is an easy task through the Planet WP Security Toolbox.

Once the plugin is installed and activated, go to Security Toolbox > Database, enter your desired prefix, and click update. It’s that easy.

Note: we strongly encourage that you backup your website before changing your database prefix. For detailed instructions, check out our How to Backup Your Website video tutorial.

[back to top]

Disable PHP in the Uploads Directory

Your WordPress upload directory is reserved for your website’s assets. PHP really has no business being there.

You can disable PHP in the uploads directory manually by opening your favorite text editor and add the code below to a blank file:

<Files *.php>
deny from all

Save the file and name it “.htaccess”. Upload the saved file to the following directory:


If you’re using the Planet WP Security Toolbox, go to Security Toolbox > Settings and check the box “Disable PHP in Uploads Directory”. Don’t forget to save your changes.

[back to top]

Block Traffic By Country


A proxy is used to route their traffic through another location. Most of the time, hackers are located outside of the country, making it difficult to track where the infiltration is coming from. If you have a website that does not need traffic from other countries (usually applies to most local service businesses) you might consider blocking traffic outside of your geographic location. This will greatly lower your probability of getting hacked.

Setting parameters by country is easy. Install the Planet WP Security Toolbox and go to Security Toolbox > Firewall. Scroll down to the block by country section and choose what countries you want to block. Click Save.

[back to top]

Disable File Editing


Administrators have the capability to edit PHP files, such as plugin and theme files, from within the WordPress Dashboard. If a hacker gains access to your admin account, they will likely target this area first, presenting a huge security risk. Thankfully, you can disable editing from the Dashboard by placing the following line of code in wp-config.php.

// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );

Essentially, adding this code removes all users capabilities to edit PHP files.

If you prefer you can also do this in the Planet WP Security Toolbox, Go to Security Toolbox > Harden and check the box next to Disallow File Edit.

[back to top]

Uptime Monitoring


Uptime monitoring refers to the process of continuously checking your website at regular intervals to ensure that your site is online. If your site ever goes down, an uptime monitoring solution can automatically send you a notification and provide you possible reasons for downtimes. Uptime monitoring is an important aspect of website security. Not only can you prevent downtimes, but you can also address any abnormalities immediately upon notification.

The uptime monitoring solution we recommend is Uptime Robot. It is completely free and simple to setup. After creating your Uptime Robot account, log into the dashboard and click the button on the top left entitled Add New Monitor.

Then under Monitor Type drop down menu select Keyword.

  • In the Friendly Name field you can type anything you like. For our site, we named it “Planet WP Checker”
  • In the URL field, type in the web address for the home page of your website
  • In the Keyword field, enter a string of text that will not change on your site even with future updates. We chose to enter “WordPress training“ because this string will always be present on the home page. Side note: keywords are case sensitive so make sure you have the casing correct.
  • Under Alert When select “Keyword Not Exists” and click the email address on the right you want the notification sent to
  • The final step is to click the “Create Monitor” button

Now that you’re all set up, you’ll receive an email notification when your site goes down or if the keyword you entered is not present on the home page.

[back to top]

Backup and Restore


Protecting your valuable content by having a solid backup and restore strategy in place. While everything outlined in this article is intended to harden your website and mitigate the risk of being hacked, there is no guarantee that you will not fall victim to an attack.

There are many backup plugin solutions for WordPress. When selecting one, ensure that the solution offers to store the backup files offsite, for example on a Google Drive or Dropbox account. Our professional recommendation is Updraft Pro. With Updraft Pro, you can back up your website’s files to Google Drive, Dropbox or the Updraft Pro Vault.

Storing your backup files offsite reduces the risk of contamination or backup loss from an attack. Read our article on Setting up and Configuring Updraft Pro for details on how to setup and configure the settings for the entire backup and restore process.

[back to top]

Use HTTPS instead of HTTP


Switching from HTTP (HyperText Transfer Protocol) to HTTPS–”S” stands for Secure–will protect sensitive information like passwords and credit card information from being stolen. HTTPS uses the SSL (Secure Sockets Layer) protocol to encrypt communications and ensure that data travels securely between the client’s web browser and the server. This encrypted link ensures that all data passed between the web server and the browser remain private and secure.

Additionally, if your site runs on HTTPS, you don’t have to worry about scaring your visitors away through security warning alerts in their web browser. Actually, it’s quite the opposite. By having an SSL certificate, users will see a positive notification in their web browser, such as the green padlock icon with the “https” portion of your URL highlighted in green. For more information on the advantages of HTTPS, check out Make the Switch to HTTPS.

Want an SSL Certificate Now?

We offer Domain Validated (DV) SSL certificates–the most common type of SSL certificates for personal websites and blogs. Getting an SSL certificate is easier than you might think. After completing our 100% online application, we’ll validate your domain and issue an SSL certificate within minutes of your purchase. To get started, go to Planet WP SSL Certificates.

[back to top]

We hope the security tips and tricks outlined in this guide will help secure and protect your WordPress site.

If you like this article, please share it with your friends our like it on Facebook.


Leave a Reply

2 Comment threads
1 Thread replies
Most reacted comment
Hottest comment thread
3 Comment authors
Bob EdwardsAndrewDiana Recent comment authors
newest oldest most voted
Notify of

Hello there. Is there also a link to the Security Toolbox plugin?


Hi Diana, We launched the plugin last week and pulled it down to make a few changes before we started really promoting it. It will be back online by monday. 😉

Bob Edwards
Bob Edwards

I would also recommend to install the WordFence security plugin. The tech guys of my web host suggested this plugin to me and I found it very useful. It many features such as real time monitoring, limit login attempts, caching, etc..


Leave us a message