Why WordPress Security Matters
WordPress powers over 40% of all websites on the internet. That ubiquity makes it the biggest target for automated attacks. Every day, thousands of WordPress sites are compromised through:
- Brute force and credential-stuffing attacks against wp-login.php and xmlrpc.php
- Known vulnerabilities in outdated plugins and themes
- SQL injection in plugin code that builds queries without $wpdb->prepare()
- Cross-site scripting (XSS) where user input is echoed back without escaping
- Upload handlers that accept executable files (a .php file in wp-content/uploads is a web shell)
The good news: most of these attacks are automated and opportunistic, and the misconfigurations they rely on can be fixed in an afternoon.
15 Steps to Harden Your WordPress Site
Step 1: Keep WordPress Core Updated
WordPress core updates include security patches. Minor and security releases already install themselves by default; to also take major releases without waiting, enable full auto-updates:
// wp-config.php
// true = major and minor releases, 'minor' = minor/security releases only (the default), false = none
define('WP_AUTO_UPDATE_CORE', true);
Or update manually from Dashboard > Updates. Never ignore the "update available" notification, and make sure nothing in your hosting setup (a DISALLOW_FILE_MODS constant, a read-only deployment) is silently preventing the updater from running.
Step 2: Update All Plugins and Themes
Most WordPress compromises come through vulnerable plugins and themes, not core. Rules to follow:
- Enable auto-updates for all plugins and themes (WordPress 5.5+)
- Delete unused plugins entirely; a deactivated plugin's files are still on disk and can still be requested directly
- Delete unused themes (keep only your active theme plus one default theme as a fallback)
- Check plugin reviews, install count and last-update date before installing, and treat anything not updated in a year or more as abandoned
Step 3: Use Strong Admin Credentials
- Do not use "admin" as the administrator username. WordPress cannot rename a user from the dashboard: create a new administrator account, log in as it, then delete the old one and reassign its content. Usernames are easy to enumerate anyway (the ?author=1 redirect, the REST users endpoint), so this step matters less than the next two.
- Use a password manager and generate a 20+ character password
- Enable two-factor authentication with a plugin like WP 2FA or Wordfence, and enforce it for every administrator and editor account, not just your own
Step 4: Change the Login URL
The default /wp-admin and /wp-login.php URLs are hit by every bot on the internet, so moving them cuts log noise and the cheapest automated attempts.
Use a plugin like WPS Hide Login to change your login URL to something custom like /my-secret-login. Treat this as noise reduction, not a control: anyone the link is shared with knows it, and the plugin does nothing for xmlrpc.php or REST-based authentication, so keep 2FA and login throttling in place.
Step 5: Limit Login Attempts
Block brute force attacks by limiting failed login attempts:
Install Limit Login Attempts Reloaded and configure:
- Max 3 retries before lockout
- 20-minute lockout after failed attempts
- Increase lockout after 3 lockouts
- Email notification on lockout
One check before relying on it: lockouts are keyed on the client IP address. If the site sits behind Cloudflare, a load balancer or any reverse proxy, make sure the web server (or the plugin's trusted-proxy setting) resolves the real client address from the forwarded header; otherwise every visitor shares the proxy's IP and a single attacker can lock out the whole site. Also confirm the same limits apply to xmlrpc.php, which accepts the same credentials.
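To make the plugin's behaviour concrete, here is an added example of a minimal must-use plugin that does the same job in a few dozen lines. It is not code from the original article and not the Limit Login Attempts Reloaded plugin's own implementation. It assumes REMOTE_ADDR is the real client address (no proxy, or a web server that already rewrites REMOTE_ADDR from the proxy's forwarded header); the thresholds, the file name and the LL_ prefix are illustrative choices, while the hooks (wp_login_failed, authenticate, wp_login) and the transient functions are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Login Lockout (added example)
 *
 * Save as wp-content/mu-plugins/login-lockout.php. Must-use plugins load on
 * every request and cannot be deactivated from the dashboard, which is what
 * you want for a security control.
 *
 * Assumption (not from the article): REMOTE_ADDR is the real client address.
 * Thresholds are illustrative, not the plugin's defaults.
 */

const LL_MAX_FAILURES = 3;        // failures before lockout
const LL_LOCKOUT_SECS = 20 * 60;  // lockout length: 20 minutes
const LL_WINDOW_SECS  = 15 * 60;  // failures older than this are forgotten

/**
 * Transient key for the calling client. Keyed on the connecting address only:
 * X-Forwarded-For is attacker-controlled unless your own proxy sets it.
 */
function ll_client_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'll_' . md5($ip);
}

/** Seconds remaining on the client's lockout, or 0 if it is not locked. */
function ll_lock_remaining() {
    $until = get_transient(ll_client_key() . '_lock');
    return $until === false ? 0 : max(0, (int) $until - time());
}

// wp_login_failed fires inside wp_authenticate(), so this counts failures from
// wp-login.php, xmlrpc.php and REST application passwords alike.
add_action('wp_login_failed', function ($username) {
    $key   = ll_client_key();
    $count = (int) get_transient($key . '_fail') + 1;
    set_transient($key . '_fail', $count, LL_WINDOW_SECS);
    if ($count >= LL_MAX_FAILURES) {
        set_transient($key . '_lock', time() + LL_LOCKOUT_SECS, LL_LOCKOUT_SECS);
        delete_transient($key . '_fail');  // failures during the lockout start a fresh count and re-lock
        error_log(sprintf('login lockout: ip=%s user=%s', $_SERVER['REMOTE_ADDR'] ?? '?', $username));
    }
});

// Refuse the login while locked. Priority 40 runs after core's own
// username/password and cookie checks (priorities 20 and 30): an earlier
// WP_Error would be overwritten by core when the password is right, and
// returning the same error either way leaks nothing about the credentials.
add_filter('authenticate', function ($user, $username, $password) {
    $remaining = ll_lock_remaining();
    if ($remaining === 0) {
        return $user;
    }
    return new WP_Error(
        'too_many_attempts',
        sprintf('Too many failed login attempts. Try again in %d minutes.', (int) ceil($remaining / 60))
    );
}, 40, 3);

// A successful login clears the failure counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ll_client_key() . '_fail');
}, 10, 2);
```

Without a persistent object cache, transients live in the options table, which is fine for a handful of lockouts but is worth knowing on a busy site. The design also shows what the plugin cannot fix for you: if REMOTE_ADDR is your proxy's address, this code locks out every visitor after three bad logins from anyone.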
Step 6: Disable XML-RPC
XML-RPC is the legacy remote API, still used by Jetpack and the WordPress mobile apps but unneeded by most sites. Two of its features are abused: it checks the same username and password as the login form, so bots use it for brute force, and its pingback.ping method makes your server send an HTTP request to an attacker-chosen URL, which is used for reflected DDoS. If nothing you run depends on it, turn it off.
// functions.php (or a file in wp-content/mu-plugins/)
// Caveat: this filter only refuses methods that require a login; pingback.ping still answers.
add_filter('xmlrpc_enabled', '__return_false');
Blocking it at the server level stops every method, pingbacks included, before PHP runs:
# Nginx
location = /xmlrpc.php {
deny all;
return 403;
}
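If you do need XML-RPC for Jetpack or the mobile apps, the following added example keeps the endpoint but removes just the pingback methods and stops advertising them. It is not code from the original article; the xmlrpc_methods and wp_headers filters are WordPress core hooks, and the file name is an assumption.

```php
<?php
/**
 * Plugin Name: XML-RPC Trim (added example)
 *
 * Save as wp-content/mu-plugins/xmlrpc-trim.php. Leaves xmlrpc.php available
 * for clients that authenticate (Jetpack, the mobile apps) while removing the
 * pingback methods, which need no login and are the reflected-DDoS vector.
 * Login throttling still has to be handled separately (see Step 5).
 */

// Drop the pingback methods from the method table before the server answers.
// Any call to them now gets "server error. requested method not found".
add_filter('xmlrpc_methods', function ($methods) {
    unset($methods['pingback.ping']);
    unset($methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop announcing pingback support on single posts: without the X-Pingback
// header, scanners harvesting reflectors have nothing to pick up.
add_filter('wp_headers', function ($headers) {
    unset($headers['X-Pingback']);
    return $headers;
});
```

This is the selective alternative to the `xmlrpc_enabled` filter above: that filter leaves pingbacks working while blocking everything authenticated, this one does the reverse. The server-level block remains the right choice when nothing needs the endpoint at all.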
Step 7: Disable File Editing
By default, WordPress lets administrators edit plugin and theme files from the dashboard. If an attacker obtains an admin session (a stolen cookie, a phished password, a privilege-escalation bug in a plugin), that editor is a one-click web shell. Disable it:
// wp-config.php
define('DISALLOW_FILE_EDIT', true);
The stricter DISALLOW_FILE_MODS constant also blocks installing and updating plugins, themes and core from the dashboard, automatic updates included, so only set it on sites that are updated through a deployment pipeline.
Step 8: Protect wp-config.php
Your wp-config.php file contains the database credentials and the authentication salts. Normally a request for it just executes the PHP and returns an empty page, but a broken PHP handler or a misconfigured server can serve it as plain text, so refuse the request outright:
# Nginx
location = /wp-config.php {
deny all;
return 403;
}
# Apache (.htaccess)
<Files wp-config.php>
# Apache 2.4:
Require all denied
# Apache 2.2 used this older syntax instead (it fails on 2.4 without mod_access_compat):
# Order Allow,Deny
# Deny from All
</Files>
WordPress also looks for wp-config.php one directory above the document root, so on hosts where you control the layout, moving it there takes it out of the web-served tree altogether.
Step 9: Add Security Headers
WordPress does not set security headers by default. The most complete place to add them is the web server or CDN, because anything set from PHP only covers the requests WordPress itself renders (not static files, uploads, or most of wp-admin). If you do it in PHP, use a must-use plugin rather than functions.php so the headers survive a theme switch:
<?php
// wp-content/mu-plugins/security-headers.php
function add_security_headers() {
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('Referrer-Policy: strict-origin-when-cross-origin');
header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
// HSTS is only honoured over HTTPS, and once set it commits every visitor's browser to HTTPS
// for max-age, so set it only after the whole site works over TLS; start with a short max-age.
if (is_ssl()) {
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}
}
add_action('send_headers', 'add_security_headers');
The legacy X-XSS-Protection header is deliberately left out: current browsers ignore it, and the old filter it controlled was removed because it caused problems of its own. A Content-Security-Policy is the header that actually limits XSS, but it has to be written for the specific site and its plugins, so develop it with Content-Security-Policy-Report-Only before enforcing it.
Step 10: Use HTTPS Everywhere
Force HTTPS for the admin area and login in WordPress:
// wp-config.php
define('FORCE_SSL_ADMIN', true);
Also update WordPress Address and Site Address in Settings > General to use https://, and add an HTTP-to-HTTPS redirect at the web server so the whole site, not just wp-admin, is served over TLS. One caveat: if TLS terminates at a proxy or CDN and the hop to PHP is plain HTTP, WordPress does not see HTTPS and FORCE_SSL_ADMIN produces a redirect loop. In that setup, set $_SERVER['HTTPS'] to 'on' in wp-config.php (before the define) when the proxy's X-Forwarded-Proto header says https, or have the web server do the equivalent.
Step 11: Disable Directory Listing
Prevent attackers from listing directories that have no index file, such as wp-content/uploads or a plugin folder (a listing reveals exactly which plugins and versions are installed):
# .htaccess (Apache; AllowOverride must permit Options)
Options -Indexes
On Nginx, directory listing is off unless autoindex on appears somewhere in the config, so just confirm that it does not.
Step 12: Secure the Database
- Use a dedicated database user that has rights only on the WordPress database, never a shared or root account. WordPress typically needs SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP and INDEX on its own schema (updates create and alter tables); it needs nothing on other databases and no server-wide privileges.
- Changing the default table prefix from wp_ to something random (e.g., xk7_) is often recommended. Its value is low: any injection that can read information_schema finds the real table names immediately. It does no harm on a new install, but on an existing site you would also have to rename every table plus the wp_user_roles option and the wp_capabilities and wp_user_level usermeta keys, or every user loses their role.
- Encryption at rest (if your host supports it) protects against stolen disks and backup media, not against a compromised application, which talks to the database with full rights.
For new installations, set the prefix in wp-config.php:
$table_prefix = 'xk7_';
Step 13: Set Proper File Permissions
Start from the user model: files should be owned by the account you deploy with, and the account PHP runs as (www-data, or the PHP-FPM pool user) should only be able to write where WordPress genuinely needs to, chiefly wp-content/uploads. With that in place:
# Directories: 755
find /var/www/html -type d -exec chmod 755 {} +
# Files: 644
find /var/www/html -type f -exec chmod 644 {} +
# wp-config.php: 600 if the PHP user owns it, otherwise 640 with the group set to the PHP user
chmod 600 /var/www/html/wp-config.php
# Uploads must stay writable by the PHP user
chown -R www-data:www-data /var/www/html/wp-content/uploads
Two failure modes to check: if PHP runs as a different user from the file owner and wp-config.php is 600, the site dies with a PHP error because the file cannot be read; if instead the whole tree is owned and writable by the PHP user, any code-execution bug in a plugin can rewrite core files. Dashboard and automatic updates need the PHP user to write to the WordPress tree, so pick one model deliberately: a writable tree with auto-updates, or a read-only tree with updates applied through your deployment process.
Step 14: Install a Security Plugin
A good security plugin adds several controls at once: a web application firewall, a malware and file-integrity scanner, and login hardening.
Recommended options:
- Wordfence: firewall, malware scanner, login security (the free tier is excellent)
- Sucuri Security: audit logging, file-integrity monitoring, hardening checks
- Solid Security (formerly iThemes Security): 30+ security settings in one plugin
Pick one (not several; they compete for the same hooks and .htaccess rules) and configure it properly. Remember that a plugin firewall runs inside PHP after the request has already reached WordPress; it complements the server-level blocks above rather than replacing them.
Step 15: Set Up Automated Backups
Even with perfect security, you need backups, because the realistic recovery from a compromise is restoring a known-clean copy rather than cleaning an infected one:
Recommended backup plugins:
- UpdraftPlus (free, backs up to cloud storage)
- BackWPup (free, scheduled backups)
- BlogVault (paid, real-time backups plus easy restore)
Configure daily database backups and weekly full backups, stored off-site somewhere the web server cannot delete or overwrite, since an attacker who owns the site (or a ransomware operator holding its credentials) will otherwise take the backups with it. Test a restore at least once; a backup that has never been restored is a hope, not a plan. Backups contain wp-config.php and the full database, so protect them like production secrets.
Verify Your WordPress Security
After implementing these steps, run a ZeriFlow scan on your WordPress site. It checks your SSL configuration, security headers, cookie settings, and 80+ other security points. The scan takes about 60 seconds and shows you exactly what is working and what still needs attention.
Quick Wins Summary
| Step | Time | Impact |
|---|---|---|
| Update core + plugins | 5 min | Critical |
| Enable 2FA | 10 min | High |
| Change login URL | 5 min | Medium |
| Limit login attempts | 5 min | High |
| Disable XML-RPC | 2 min | Medium |
| Disable file editing | 1 min | Medium |
| Add security headers | 10 min | High |
| Force HTTPS | 5 min | Critical |
Conclusion
WordPress security hardening is not optional — it is essential. The 15 steps above cover the most important attack vectors and can be implemented in a single afternoon. Start with updates, strong credentials, and HTTPS, then work through the rest of the list.
Scan your WordPress site now to see your current security score.