WordPress Security Best Practices

Website security

Website security is critical for businesses and organizations of all sizes. Read on to learn about WordPress Security Best Practices.

One misconception that business owners might have is that WordPress is insecure. Maybe they’ve heard of WordPress as a “blogging” tool. But as of 2017, more than 29% of the web runs on WordPress. Following best practices will help ensure website security, no matter what platform you use.

Maybe you’re looking for a freelancer, agency or consultant to build your next website. It’s important to make sure that whoever you work with has website security experience. This article is more focused toward web professionals to learn about security. But as a business owner, you can run this by your team to make sure they’re in the know.

There are three important areas of focus in securing WordPress websites. These areas are core updates, secure passwords and secure server environments.

Keep WordPress Core Updated

WordPress core is open source software with hundreds of active contributors. Upon discovering insecurities, the team of contributors will write and deploy security updates.

The best way to keep your WordPress website secure is to keep the core files updated. WordPress now auto-updates itself when major security releases come out. This keeps your CMS generally secure on an ongoing basis.

But, you need to install minor updates yourself. And this task is simple. Just by logging into WordPress, you’ll see a dashboard alert that new core updates exist. Click the update button, and within a few seconds it’s finished.

WordPress core update notification

Here’s the good news: You can automate core updates. Just install the Advanced Automatic Updates plugin, and this will take care of itself. WordPress checks for core, theme and plugin updates every 12 hours. This plugin automatically installs them all as soon as they’re available.

Advanced Automatic Updates plugin

With Advanced Automatic Updates installed, rest assured that your WordPress website will always update. With core files always up to date, you’ve taken care of one of the biggest areas of WordPress security.

Give yourself a high five. You’re doing great.

Only Use Strong Passwords

The next WordPress security best practice is to only use strong passwords. Think about it: Your website is only as secure as your password. Taking care of this issue will provide a big layer of security that you can trust.

WordPress has a built-in password strength meter to encourage users to have strong passwords. This meter shows how strong or weak your password is. If you try to use a weak password, it will ask you to confirm that you really want to do that. This is a great start at enforcing strong passwords for all users.

WordPress password strength meter

But there’s a problem with relying on this strength meter. It depends on the user to choose a strong password. When your business has many individuals using WordPress, you need to be sure they’ll do it.

You can solve this problem completely with 2 simple plugins.

The first plugin you should install is Force Strong Passwords. Much like the name suggests, it forces users to choose strong passwords. This way it’s impossible for anyone to use a weak password.

The other plugin is Expired Passwords. This reminds you to change administrator passwords on a regular basis.

With Force Strong Passwords and Expired Passwords installed, you’ll know your passwords are strong. No need to worry about having your passwords guessed or stolen. This takes care of another one of the biggest areas of WordPress security after updating core.

You’re nailing WordPress security. Good job!

Secure the WordPress Login Page

The WordPress login page is where you login to your website to make changes. The strong passwords you already set up do a great job of making this page secure. You don’t need to be afraid of someone accessing this page, if your passwords are secure.

But you can also make the login page locked up tight with several layers of protection. When website security is a high priority, it doesn’t hurt to go above and beyond.

You can limit the number of allowed login attempts with a plugin. It’s called WP Limit Login Attempts, and it’s great at preventing brute force attacks. If a person or bot enters the wrong password a certain amount of times, the plugin blocks their IP address. Abnormal requests are also redirected back to the home page.

WP Limit Login Attempts

Another plugin which protects against traditional and distributed brute force attacks is Jetpack Protect. It also protects against botnet attacks.


Two-step login authentication nicely rounds out a secure WordPress login page. With the Clef plugin, you can prevent the following attacks:

  1. Brute force and botnet login attacks
  2. Weak, leaked and recycled passwords
  3. Sending login credentials via an insecure (non-SSL) connection
  4. Password phishing attempts
  5. Account takeovers via email breaches (using “forgot my password”)

Clef two-step authentication

Disable File Editing Inside WordPress

Within the WordPress dashboard, administrators have access to a file editor by default. This gives a logged-in administrator the ability to alter live theme code on the fly.

You should not use the WordPress file editor to change theme code. You could make a mistake and break the site, and it’s not simple to undo your changes.

So when it’s time for theme code to change, it should happen in a local development environment. This allows proper testing on a local machine. Then code should be versioned in GIT and pushed to a live staging server for further testing.

To protect from anyone abusing the built-in WordPress file editor, remove the capability altogether. You can do this within your root directory’s wp-config.php file.

Look for the line that says: /* That's all, stop editing! Happy blogging. */

Above that line, insert a new line which says:

[define( 'DISSALLOW_FILE_EDIT', true );]

With that change, you can trust that your theme files won’t change from within WordPress. What a relief!

Secure Important WordPress Files

Your WordPress root directory contains an important file called wp-config.php. This file contains basic configuration details, including sensitive database information.

By default, this file is already secure. No one can access the file by typing in the address, like www.example.com/wp-config.php. If they tried, they would only come to a blank page with an empty HTML document containing nothing.

You can add an extra layer of security by denying access to this file altogether. This can be done from within the .htaccess file. While doing so, you can also deny access to the .htaccess file itself. It’s also wise to prevent directory browsing.

To secure these important files, open your .htaccess file and look for # END WordPress. After this line, add the following lines of code:

<files wp-config.php>
order allow, deny
deny from all
<files .htaccess>
order allow, deny
deny from all
# directory browsing
Options All -Indexes

Remember to save the file when you’re finished. By adding these lines of code, you have tightened up your WordPress website even more. Pat yourself on the back.

Don’t Use the Default Admin Username

When you had WordPress installed, it created a user with Administrator rights. The default suggested name is Admin. Don’t use this name. It is is easy to guess, and avoiding it will prevent brute force attacks.

If you already have a user called Admin, you should replace it. You can do this by creating a new user with Administrator rights. Then delete Admin, and assign its content to a different user.

You should create and edit content using only users with Editor rights. If anyone manages to guess their username and password, they won’t have Administrator access.

You should make specific administrative changes using only users with Administrator rights. This might include installing and updating plugins, or changing general WordPress settings.

Separate these tasks because sometimes posts will display the author’s name. This way the Administrator’s username won’t show up anywhere in your content or code.

Put these WordPress security best practices into action

If you’re a web professional and you’ve taken the steps in this article, congratulations! You’re on your way to becoming a WordPress security expert.

If you’re a business owner, share this with your team and see if they have security procedures in place. They might find a few tips they haven’t thought of, which could prevent a disaster later.

What’s your best WordPress security tip?

I want to hear from you. What steps have you taken to make your website secure? Is there something I’ve missed in this article? Let me know in the comments below, and feel free to shoot me an email any time.

Leave a Comment