WordPress Security: Best Practices

Introduction

WordPress powers a vast portion of the internet, and that popularity makes it a prime target for malicious actors. Every day, thousands of WordPress sites are compromised through brute-force attacks, exploited vulnerabilities in outdated plugins, SQL injection, and other attack vectors. The good news is that the vast majority of these attacks are preventable with proper security practices.

This guide walks you through the most important WordPress security measures, from fundamental hygiene to advanced hardening techniques. Whether you run a personal blog or manage client sites as a professional, these best practices will significantly reduce your risk exposure.

Keep WordPress Core, Themes, and Plugins Updated

The single most important thing you can do for WordPress security is to keep everything updated. Security vulnerabilities are discovered regularly in WordPress core, themes, and plugins. When developers release patches, they also publicly disclose the vulnerabilities they fix, which means attackers know exactly what to exploit on sites that have not updated.

How to Stay Current

• Enable automatic updates for minor releases: WordPress already applies minor security updates automatically by default. Do not disable this feature.
• Regularly check for major core updates: Log into your dashboard at least weekly and apply major updates promptly after confirming compatibility with your plugins and theme.
• Update plugins and themes immediately when security patches are released. Subscribe to security advisory feeds or use a monitoring service.
• Remove unused themes and plugins: Deactivated plugins and themes can still be exploited if they contain vulnerabilities. If you are not using it, delete it entirely.
• Test updates in a staging environment before applying them to your production site, especially for major version changes.

Automating Updates

Consider using managed WordPress hosting that handles updates for you, or configure automatic updates for plugins and themes by adding the appropriate filters to your functions.php file or using a plugin like Easy Updates Manager. The convenience trade-off is worth the security benefit for most sites.

Use Strong Authentication

Weak credentials are the easiest entry point for attackers. A brute-force attack can try thousands of username and password combinations per minute, and if your admin account uses “admin” as the username and a common password, it is only a matter of time before it is compromised.

Password Best Practices

• Use unique, complex passwords for every WordPress account. Each password should be at least 16 characters long and include a mix of uppercase letters, lowercase letters, numbers, and symbols.
• Use a password manager like Bitwarden, 1Password, or KeePass to generate and store strong passwords. Do not rely on human memory for secure passwords.
• Never reuse passwords across different services. If one service is breached, all accounts using the same password are at risk.

Two-Factor Authentication

Two-factor authentication (2FA) adds a second layer of security beyond the password. Even if an attacker obtains your password, they cannot log in without the second factor.

• Install a 2FA plugin like WP 2FA, Two Factor Authentication, or Wordfence (which includes 2FA as part of its security suite).
• Use authenticator app-based 2FA (like Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS-based 2FA, which is vulnerable to SIM-swapping attacks.
• Require 2FA for all administrator and editor accounts. Consider requiring it for all user roles.

Limit Login Attempts

By default, WordPress allows unlimited login attempts, which makes brute-force attacks trivial. Install a plugin like Limit Login Attempts Reloaded or use the login protection features in Wordfence or Sucuri to:

• Limit failed login attempts to 3-5 before locking out the IP address
• Increase lockout duration with each subsequent lockout
• Block known malicious IP addresses proactively
• Implement CAPTCHA on the login page to block automated attacks

Implement a Web Application Firewall

A web application firewall (WAF) monitors incoming traffic and blocks malicious requests before they reach your WordPress installation. This provides a critical layer of protection against SQL injection, cross-site scripting (XSS), file inclusion attacks, and other common exploits.

Types of Firewalls

• Cloud-based WAFs like Cloudflare, Sucuri, or Astra Security filter traffic at the DNS level before it reaches your server. These are generally the most effective because they can block attacks before they consume your server resources.
• Application-level firewalls like Wordfence run as WordPress plugins. They operate at the application level, which means malicious requests still reach your server, but they are blocked before they can cause harm.
• Server-level firewalls configured through your hosting provider or directly on the server (using tools like ModSecurity or iptables) provide another layer of protection.

Recommended Firewall Configuration

• Enable real-time IP reputation blocking to automatically block known malicious actors
• Configure rate limiting to prevent DDoS attacks and aggressive crawling
• Set up country-based blocking if your audience is geographically limited (though this should be used cautiously)
• Enable file integrity monitoring to detect unauthorized changes to WordPress files
• Review firewall logs regularly to understand the threats targeting your site

Establish a Robust Backup Strategy

Backups are your safety net. No matter how strong your security measures are, breaches can still happen. A comprehensive backup strategy ensures you can recover quickly and minimize data loss.

Backup Best Practices

• Automate your backups: Use a plugin like UpdraftPlus, BackupBuddy, BlogVault, or your hosting provider’s built-in backup solution to schedule automatic backups.
• Back up both files and database: A complete backup includes all WordPress files (core, themes, plugins, uploads) and the MySQL database.
• Follow the 3-2-1 rule: Keep at least three copies of your data, on two different storage media, with one copy stored off-site.
• Store backups in multiple locations: Do not store backups only on your web server. Use cloud storage services like Amazon S3, Google Cloud Storage, Dropbox, or a dedicated backup service.
• Set appropriate backup frequency: For sites with daily content updates, daily backups are essential. For less active sites, weekly backups may suffice. Always take a full backup before major changes.
• Test your backups regularly: A backup you have never tested is a backup you cannot trust. Periodically restore a backup to a staging environment to verify it works.

Backup Retention

Keep multiple backup versions, not just the most recent one. If a compromise goes undetected for days or weeks, your most recent backup may also be compromised. Maintain a rotation of daily backups for the past week, weekly backups for the past month, and monthly backups for the past year.

Harden Your WordPress Installation

Beyond the fundamentals, there are several hardening measures that reduce your attack surface and make your site more resilient.

File and Directory Permissions

Set correct file permissions to prevent unauthorized modification:

• Directories: 755 (rwxr-xr-x)
• Files: 644 (rw-r–r–)
• wp-config.php: 600 (rw-------) or 640 (rw-r-----) depending on your server configuration

Protect wp-config.php

The wp-config.php file contains your database credentials, authentication keys, and other sensitive configuration. Protect it by:

• Moving it one directory level above your WordPress root (WordPress will still find it)
• Adding server rules to deny direct access via the browser
• Ensuring it has restrictive file permissions

Disable File Editing

WordPress includes a built-in code editor that allows administrators to edit theme and plugin files directly from the dashboard. If an attacker gains admin access, this feature gives them the ability to inject malicious code instantly. Disable it by adding this line to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Secure the Database

• Change the default table prefix from “wp_” to something unique during installation. This makes automated SQL injection attacks less likely to succeed.
• Use a dedicated database user for WordPress with only the necessary privileges (SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX). Do not use the root database user.
• Regularly optimize and repair your database to maintain integrity.

Hide the WordPress Version

Attackers can use your WordPress version number to identify known vulnerabilities. Remove version information from your site’s HTML source by adding this to your functions.php:

remove_action('wp_head', 'wp_generator');

Disable XML-RPC

XML-RPC is a legacy feature that allows external applications to communicate with WordPress. It is frequently exploited for brute-force attacks and DDoS amplification. Unless you specifically need it (for example, for the WordPress mobile app or Jetpack), disable it:

• Use a plugin like Disable XML-RPC
• Block access at the server level via .htaccess or nginx configuration
• Use your WAF to block XML-RPC requests

Secure Your Hosting Environment

Your security is only as strong as your hosting environment. Choosing a reputable host and configuring it correctly is fundamental.

Choosing Secure Hosting

• Use managed WordPress hosting from providers like WP Engine, Kinsta, Cloudways, or SiteGround. These providers implement server-level security measures, automatic backups, and malware scanning.
• Ensure your host supports the latest PHP version. Older PHP versions have known vulnerabilities and receive no security patches. As of 2026, you should be running PHP 8.2 or later.
• Verify that your host provides SSL certificates and enforces HTTPS across your entire site.
• Check that your host provides server-level firewalls and intrusion detection.

SSL and HTTPS

Every WordPress site should use HTTPS without exception. SSL certificates are available for free through Let’s Encrypt, and most hosting providers offer one-click SSL setup.

• Install and activate an SSL certificate
• Force HTTPS for all pages, including the admin dashboard
• Update your WordPress Address and Site Address settings to use https://
• Redirect all HTTP traffic to HTTPS via .htaccess or server configuration
• Check for mixed content issues using browser developer tools or an online scanner

Monitor and Audit Your Site

Proactive monitoring allows you to detect and respond to security incidents before they cause significant damage.

Security Monitoring Tools

• Wordfence: Provides a firewall, malware scanner, login security, and real-time traffic monitoring.
• Sucuri Security: Offers malware scanning, file integrity monitoring, security hardening, and a cloud-based WAF.
• iThemes Security: Provides file change detection, 404 detection, strong password enforcement, and more.

What to Monitor

• File integrity changes: Unauthorized modifications to WordPress core files, theme files, or plugin files can indicate a compromise.
• Failed login attempts: A sudden spike in failed logins may indicate a brute-force attack in progress.
• New user accounts: Unauthorized admin accounts are a common indicator of compromise.
• Outgoing connections: Malware often phones home to a command-and-control server. Monitor outgoing connections for suspicious activity.
• Uptime monitoring: Use a service like UptimeRobot or Pingdom to alert you if your site goes down, which could indicate a DDoS attack or a compromise.

Security Audit Checklist

Perform a security audit at least quarterly:

1. Review all user accounts and remove unnecessary ones
2. Verify all plugins and themes are updated and actively maintained
3. Check file permissions on the server
4. Review and test your backup restoration process
5. Scan for malware using multiple tools
6. Review server access logs for suspicious activity
7. Test your WAF rules and configuration
8. Verify SSL certificate validity and renewal schedule

Develop an Incident Response Plan

Despite your best efforts, a security incident may still occur. Having a plan in place ensures you can respond quickly and effectively.

Response Steps

1. Identify the breach: Determine what happened, when it happened, and what was affected.
2. Contain the damage: Take the site offline if necessary. Change all passwords immediately (WordPress admin, database, FTP, hosting panel).
3. Assess the scope: Determine what data was accessed or modified. Check for backdoors and malicious code.
4. Clean the infection: Restore from a known-clean backup or manually remove malicious code. Reinstall WordPress core files.
5. Harden and patch: Address the vulnerability that was exploited. Apply all available updates. Implement additional security measures.
6. Monitor closely: Watch the site carefully for days and weeks after the incident for signs of re-infection.
7. Document and learn: Record what happened, how you responded, and what you will do differently to prevent a recurrence.

Conclusion

WordPress security is not a one-time setup but an ongoing practice. The combination of keeping your software updated, using strong authentication, implementing a web application firewall, maintaining robust backups, hardening your installation, choosing secure hosting, and monitoring your site continuously creates a defense-in-depth strategy that is difficult for attackers to penetrate.

No site is completely immune to attack, but by implementing the practices outlined in this guide, you dramatically reduce your risk and ensure that if an incident does occur, you can recover quickly and with minimal impact. Security is an investment in the longevity and trustworthiness of your online presence – and it is an investment that always pays off.