a metal latch and lock on a aqua painted door

WordPress is one of the most popular platforms on the web, powering billions of websites around the world. That means it’s not only a top choice for site owners, it’s also a top target for hackers. Imagine if one hacker found a small vulnerability in the open-source core code of WordPress. Theoretically were that to happen, that hacker could hack dozens website in one click. That makes security of sites using the CMS a top concern—and one you should make a top priority as a WordPress site owner.

The good news? There are a ton of ways developers can secure WordPress sites—from handy, less technical tricks to foil hackers, to more in-depth measures like renaming databases and setting up SSL encryption.

In this article, we’ll dive into 10 popular, easy-to-implement ways to check your WordPress site’s security settings and strengthen your defenses.

Remember: Some, all, or a combination of these security tactics might work for you. What mix you use has to be right for your site’s needs. The key is layering the security and making a hack as difficult as possible on different levels.

1. Always update the core—no exceptions.

When bugs or vulnerabilities are located in the core code, international teams and communities of WordPress developers work to fix all them as quickly as possible. However, these fixes only work if your site gets updated with each new release.

Since version 3.7, automatic core updates have been turned on by default, but you can also add this feature by hardcoding it into the wp-config.php file.

If you don’t already have your WordPress site automatically updating, simply add this bit of code to your wp-config.php file:

define('WP_AUTO_UPDATE_CORE', true);

Keep in mind that the auto update feature only works for minor updates. Major updates to the WordPress core must be confirmed by an admin within the WordPress dashboard.

Another easy step: It’s possible to hide what version number of the WP core you’re running in your source code with a plugin. This is a no-brainer way to disguise what version you’re using so hackers are less likely to know what associated vulnerabilities exist in your site. This is known as an “obscurity” tactic and makes it that much harder for hackers to figure out where your weaknesses might lie.

2. Always update your plugins—no exceptions!

Plugins are another possible entry point to hack your WordPress site, so it’s important to keep them fresh and up-to-date. Some famous plugins (like Contact form 7 or Akismet) are installed on millions of WordPress-based websites and hackers are always trying to find vulnerabilities within them. If you think you can “trust” a plugin because it’s popular, or it comes from a big-name brand, don’t be fooled—some of the most vulnerable plugins in recent years have been popular plugins available for purchase.

Be vigilant—the best way to stay ahead of hackers is with regular updates.

  1. Login to your Dashboard
  2. Select Plugins from the sidebar menu
  3. Update any that have new versions available

A tool like ManageWP allows you to integrate your WordPress sites into its platform, login to the platform’s dashboard and easily monitor what plugins, themes, and versions of your WP sites need updating, and ManageWP will handle the updates for you.

3. Don’t use a certain plugin? Delete it!

Even if you “turn off” some plugins, they’re still available to hack into as it’s not the same as clicking “delete.” Files of plugins or themes that haven’t been fully deleted still present security risks, even if they’re deactivated. It’s easy to delete old, unused plugins and themes:

  1. On the main menu to the left, click Appearance.
  2. This will bring you to your Themes page where you can view all of the themes that you have installed. Find the theme that you would like to uninstall.
  3. Hover your mouse over a theme to see the Theme Details option appear. Click Theme Details.
  4. This will bring up a window with information about the theme. In the bottom right corner, click Delete.
  5. Confirm that you are sure you want to delete the theme. Once you do so, the theme will be removed from your WordPress site.

Bonus: By cutting back on plugins you aren’t using, you’ll also improve your site’s performance.

4. Permissions for everyone? Not a good idea.

Hackers often use registrations as an entry point for hacking, with their final goal being to gain access to your server via the shell. They don’t even need admin permissions to do that, or to upload files to your server (e.g., Avatars, Images, etc.). Even .gif or .jpeg files can be dangerous because hackers can embed malicious code inside image metadata.

Also, be sure to give those with admin access the lowest level of permissions they need.

Other ways to secure your site from a user standpoint: Use emails as a login username, and definitely avoid using “admin” as a username. You can also force users to create stronger passwords with a plugin, and turn off file editing access for those who don’t need permissions to do so.

define('DISALLOW_FILE_EDIT', true);

5. Help prevent SQL injection attacks with unique database table prefix.

In WordPress, databases are given a default table prefix, which makes it easier for hackers to know and locate the database and conduct an attack known as SQL injection attack. By renaming the database and using a unique table prefix, you’ll be better throw them off the scent.

Basically, when installed a WordPress site gives a standard prefix to database tables—”wp_”—and this isn’t good because if left unedited, any hacker already knows the structure of your database name. Make their work a bit more difficult by renaming your database prefix.

You can do this in 6 easy steps:

1. Make a backup of your site (always a good if you are trying to work any ‘magic’ with your production site).

2. Open your wp-config.php file in the root directory of your WordPress install and change this line:

$table_prefix = 'wp_';

to this:

$table_prefix = 'xh2b3pq84tbe_';

3. Don’t be worried if after saving your wp-config.php, your website stops working properly. This is ok because you’ve just made changes in the config file, however, the database is still configured to the previous prefix. You’ll fix that next using this SQL query:

Rename table wp_commentmeta to xh2b3pq84tbe_commentmeta;
Rename table wp_comments to xh2b3pq84tbe_comments;
Rename table wp_links to xh2b3pq84tbe_links;
Rename table wp_options to xh2b3pq84tbe_options;
Rename table wp_postmeta to xh2b3pq84tbe_postmeta;
Rename table wp_posts to xh2b3pq84tbe_posts;
Rename table wp_terms to xh2b3pq84tbe_terms;
Rename table wp_term_relationships to xh2b3pq84tbe_term_relationships;
Rename table wp_term_taxonomy to xh2b3pq84tbe_term_taxonomy;
Rename table wp_usermeta to xh2b3pq84tbe_usermeta;
Rename table wp_users to xh2b3pq84tbe_users;

4. Now, it’s time to update some setting strings inside wp_options and wp_usermeta. (But note: after you changed the prefix, these aren’t those default titles anymore, they’re xh2b3pq84tbe_options and xh2b3pq84tbe_usermeta).

Search for:

SELECT * FROM xh2b3pq84tbe_options WHERE option_name LIKE 'wp_%';

5. You’ll get a list of search results. Replace strings where the options_name field starts with wp_ (the old, default prefix) to xh2b3pq84tbe_.

6. You’ll do the same with xh2b3pq84tbe_usermeta. Just add this query to PhpMyAdmin:

SELECT * FROM xh2b3pq84tbe_usermeta WHERE meta_key LIKE 'wp_%';

and replace any fields where meta_key starts with wp_ to xh2b3pq84tbe_.

Also, you can follow along with this video tutorial.

6. Make the switch to SSL encryption.

SSL (Secure Sockets Layer) encryption is a protocol that is a part of HTTPS, a secure protocol for sending encrypted information between a database and a browser. Sites that use HTTPS are more secure, and it’s becoming the gold standard for security—even Google has prioritized sites using HTTPS. Learn how to set up HTTPS encryption for your site in this article.

For WordPress sites, it’s relatively easy to transfer an existing site over to HTTPS without messing up your SEO (because it will be changing your domain name from http://sitename to https://sitename). Essentially, what an SSL certificate does is a verify that you or a company rightfully own the domain, then code is inserted into your root directory. That code enables the encryption of any data sent between your site’s web server and the browser, so users know anything they’re entering is secure. (That lock beside the URL lets them know they’re on a secure connection.)

You’ll need to get an SSL certificate from a provider like Cloudflare or Let’s Encrypt and install it. Or, purchase an SSL certificate from your own hosting provider if they offer installation.

For more tips, WPMUDEV provides an excellent SSL guide for timing your transition, how to handle existing backlinks to your site’s URL, and more.

7. Add 2-factor Authentication (2FA).

Adding 2FA helps to thwart brute force attacks by making it difficult for bots to break through. 2FA requires users to not only enter a password but also a unique authorization code that’s sent to their device. Options for that second level of login can include SMS messages, one-time tokens, email or phone call verifications, or even biometrics (retina scans, voice recognition, or fingerprint recognition). There are many plugins available to add 2FA including Google Authenticator, Duo, or services like Authy or Auth0.

8. Use your .htaccess file to protect your more critical files.

All kinds of files and access restrictions can be added to your .htaccess file—add whitelisted IP addresses, restrict access from blacklisted IP addresses, or hide files like your wp-config.php file, which is probably the most important file in your site’s structure.

9. Customize your site’s login page URL—and restrict failed login attempts.

Everyone knows the default WordPress login page URL, which means anyone who wants to try and hack into your site (a “brute force” attack) or a bot can easily figure out your WordPress login page by adding “wp-login” or “wp-admin” to the end of your URL. Customize this login page link with a plugin like Login Lockdown to add another level of security to your site.

Login Lockdown is also helpful for monitoring failed login attempts and banning users who try to login unsuccessfully too many times.

10. Back up your site—twice, if you can.

WordPress backup guide

Even the most secure systems can get hacked. Regular backups may prevent you from losing important data. Personally, I suggest you create a backup schedule: once a week, run an automatic backup of your database files. Usually, a database backup file size isn’t more than 10 to 20 Mb. (Don’t forget that there is compression, like tar.gz of .zip.) Because a backup of a MySQL database is just a textual file, they’re easy to compress. Even if you’re using shared hosting without gigabytes of files, a day-to-day weekly backup won’t weigh more than 200 Mb.

Another option, if you don’t have any free megabytes, is to look into free cloud storage providers like Dropbox, Google Drive, or OneDrive. Just install plugins for your Cloud drive provider, linked below:

Now, you can consider your WordPress site well-armed against any vulnerabilities. There’s always more to do, but this is a good start.