WordPress Security Checklist
Introduction
Basic WordPress Security Tips:
Below are some of the most effective yet simple-to-implement WordPress security tips. By applying them, your WordPress website will be more secure.
- Change your admin username
- Strong WordPress Password
- Update WordPress Site
- Best Security WordPress Plugins
- WordPress SSL Certificate
- WordPress File Permissions
- Cloud Managed WordPress Hosting
Advanced WordPress Security Tips:
These are advanced WordPress security tips, so if you are not 100% sure what to do, leave it to someone else to implement these settings. You have to pay close attention, because anything implemented wrongly may break the site. For example, if you change just one letter or symbol inside the wp-config.php file, your WordPress website will be down in no time.
- Server Level Layer of authentication
- WordPress Restrict WP-Config.PHP
- WordPress Login Hints
- Change WordPress Admin URL
Note: No system is 100% secure! The listed measures are necessary to harden a system from scratch and protect it against the most common attacks from script kiddies. Bots are the most common enemies of a WordPress installation; they act more or less randomly and automatically, exploiting known vulnerabilities. That someone sits in front of a device and says, “yes, I want to hack XY’s website now,” happens less often but is much harder to prevent. Let’s be clear: if someone wants to do it and has the means, the chances are that they will find a weak point and thus an entry point, despite all the measures.
Even if this is a bit discouraging at the beginning of this article: it is best to have your WordPress website secured by a professional. Only someone experienced in the field knows where to look and what has to be done so that a website is secured as far as possible. In the following article, I try to keep the steps comprehensible even for non-professionals. But if you are a little unsure, you should ask someone who knows how to do it.
Why WordPress security measures?
Wordfence, the maker of one of the most popular WordPress security plugins, shows in recent statistics that there are 3 million attacks on WP websites every hour in its network alone. That’s about 80 million attacks per day. The number of unreported attacks is probably many times higher, since A) not every website uses Wordfence and B) many websites are not secured at all. The sheer volume of attacks alone shows that most of them are automated. These must be prevented or blocked.
WordPress’s overwhelming popularity makes it a target for hackers. Specifically, it has seen thousands of attacks by botnets (networks of computers infected with malicious software) trying to gain entry into these sites by brute force.
Most of these attacks use the simplest method possible to gain access to a site: trying username and password combinations until they can log in. This method relies on user error, in that a lot of WordPress users are unaware of their responsibility to keep their site secure.
When that’s the case, the botnets can try to log in to these sites countless times, since there’s simply nothing to stop them.
Why is WordPress being targeted by hackers?
Since December 2020, WordPress has been the most used CMS in website development across the entire WWW. Hand-coded websites (plain HTML, for example, as opposed to sites built on a Content Management System / CMS) had been the most common kind of website since the web was born; as of December 2020, that title belongs to WordPress.
Users that aren’t proactive in protecting their site, or don’t update old plugins and WordPress versions, can unknowingly expose potentially major site vulnerabilities. Hacked WordPress websites then give the attackers access to the inside. Here are some of the best WordPress security tips to help you better secure your site against all kinds of attacks (brute force attacks, WordPress login attacks, and many more).
If you don’t have time to administer your business website, check this: WordPress Website Maintenance Services
Is WordPress Website Secure?
Yes and no. Anything can be hacked, and WordPress makes no exception. But if you follow my advice below, you will secure your WordPress site.
Generally speaking, WordPress is one of the most secure CMSs on the web. WordPress suffers from minor security issues every now and then. Some of these security loopholes are patched quickly thanks to the active developer community. However, most security issues can be avoided by hardening the WordPress setup.
This guide follows the approach of better security practices that you can apply to safeguard your setup from common threats. You’ll learn some common fixes that can help your WordPress setup. You’ll also learn which files need to be modified in order to harden security.
Never take WordPress security issues lightly!
Even a minor plugin or theme change can lead to a security flaw in WordPress. Remember, as software evolves, so do its security flaws. The best thing you can do is take precautions and avoid the common grounds from which security flaws are likely to affect your WordPress site.
Basic WordPress security tips for a more secure WordPress install:

ATTENTION! BEFORE CHANGING ANYTHING, MAKE A BACKUP COPY OF YOUR WORDPRESS SITE!
1. Change The WordPress Admin Username
Do not use admin (or anything simple) as a username for your site. This is the username these attacks target most. Other usernames to avoid are administrator, manager, root, support, test, and user. The WordPress dashboard is the first “door” the hackers try to break. Be smart.
To change a username in WordPress:
- Log in with your administrator account and add a new user with administrator privileges. Make sure your display name is different from your username.
- Once done, log out and log in as your new user. Delete your old administrator account.
- You’ll be asked what should be done with posts owned by this user; choose “attribute all posts to” and select your new username.
2. Strong WordPress Password: BE CREATIVE!
By creating a WordPress password that contains numbers, symbols, lower- and uppercase letters, and lots of characters, you’re making it a lot harder for those nasty bots to guess your password. Here’s a list of passwords that you should definitely avoid:
Worst WordPress Passwords of 2020 – You must avoid each of them:
123456
123456789
picture1
password
12345678
111111
123123
12345
…and so on. You got the idea: Choose your p4S$W0rDs with creativity!
I would also suggest staying away from passwords like “WordPress” and “admin” – you get the idea.
Strong password=Safe website.
How do I enforce strong passwords in WordPress?
There are services that generate secure, longer passwords (even cPanel provides this kind of feature). Here are some of the options to generate secure passwords. You can also use programs like LastPass to store your passwords and use them for auto-login.
Best WordPress Password Managers:
Don’t store the passwords in plain text or Word files. Don’t store the passwords in FTP programs. Don’t store passwords in any program that gives access to any other user than you.
3. Update Your WordPress Site!

WordPress is updated every so often and with that, problems are fixed. Security issues that come to light are addressed, and by not updating you are leaving vulnerabilities open. It’s important to keep your WordPress installation up to date, and this is especially true for plugins and themes.
Since this is the case, it’s also a good idea to remove all of the plugins that aren’t used on your site. Always make sure to back up your site before making any changes (installing new plugins, tweaking the theme, updating plugins or the theme, etc.).
4. Best WordPress Security Plugins
Do You Need WordPress Security Plugin?
A strong WordPress security plugin can be much more convenient and a time-saver for a non-technical person. But if you have enough spare time and want to secure your site without using a security plugin, you can follow the tips in the Advanced section of this article.
Free or Premium WordPress Security Plugin?
It is not easy to select the type of plugin suitable for your setup. Some of the premium plugins are suitable if your WordPress data is critical for your business. If you run a hobby blog or a non-commercial blog, you don’t have to invest in a premium plugin. Keep in mind: the more important the data handled by WordPress, the harder your security setup should be.
How many WordPress security plugins should I use?
Short response: As few as possible. Avoid using unnecessary plugins and don’t forget to delete the inactive ones.
I have listed plenty of plugins for you to choose from and install on your dashboard. However, you don’t have to install a ton of plugins. For example, if you are planning to optimize your site speed, you shouldn’t install 3 cache plugins, 5 image optimizers, or 500 CDN plugins (you get the idea). You should use a plugin that incorporates many features (image optimization, caching, script optimization, etc.). The same goes for the security plugin: install a good one and that’s it. There is no logic in using 3 plugins for the same goal simultaneously. Do note that some hosts do not allow certain WordPress plugins.
Which is the best security plugin for WordPress?
In order to choose the best security plugin for your WordPress site, use the following checklist:
- The number of downloads. Prefer the plugin with more downloads.
- How many issues are reported on the plugin's official page on WordPress.org.
- The plugin author's activity in the support forum. Searching Reddit for the author is another good check.
- The number of updates the plugin has received.
- Ignore the star rating of the plugin.
- How the plugin makes use of unique namespaced items.
- How the plugin makes use of the Settings API in its features.
- The hooks, filters, and actions inside the plugin.
- Whether the plugin properly sanitizes data and MySQL statements.
- Whether the plugin uses nonces instead of browser cookies. If more than one plugin does the same task, choose the plugin with the higher download count and better reviews.
- The reputation of the plugin author in the WordPress community.
These are the criteria to look at while selecting a security plugin from the WordPress plugin repository. If you choose to install the premium version of a plugin, then you have to search online for reviews. Also, test-drive the free plugin or trial service before you buy.
a. Best WordPress Security Plugins in 2021 – The Ones I Have Personally Used
Below I will show you the best WordPress security plugins in 2021 and beyond. Installing some of the essential plugins from the list below may ensure the safety of your WordPress setup. Here are some of the plugins that I have personally used on many WordPress sites.
Sucuri
Sucuri is one of the most popular WordPress security plugins in 2021. It has a free and a premium version. Sucuri also provides security improvement suggestions and tweaks in order to keep your website safe. Sucuri Security has the following features: auditing, malware scanning and security hardening.
Wordfence
Wordfence is a very straightforward and easy-to-use plugin. It acts as a firewall and anti-virus, and also suggests how to improve your site’s security. Make sure to check out the “Live Traffic” section, where you can see all the failed login attempts on your site; it’s surprising.
iThemes Security (formerly Better WordPress Security)
This plugin will give you a more detailed review of what you can do to protect your site, with more intricate security options. Be careful when activating settings that could conflict with other themes or plugins. These are highlighted in blue in System Status.
b. Other WordPress Security plugins:
All In One WP Security & Firewall
This plugin can help you run some basic security checks on your WordPress setup. You get to make a few fixes from the plugin's options page. You can install this plugin, run the scan and fix the minimal security issues. Once the basic security fixes are done, you can uninstall the plugin.
Shield Security
This WordPress firewall blocks SQL injection attacks, brute force attacks, and spambot registration attacks. It also notifies you via email when a live attack happens on your site; if you don’t like email notifications, you can disable them. It also comes with one handy feature that allows you to block any IP that regularly attempts to attack your WordPress setup. You can also blacklist certain IP addresses for additional protection, and if you want some IP addresses on a whitelist, the plugin has an option for that.
Block Bad Queries
The Block Bad Queries plugin is designed to monitor the request URI of requests to the WordPress site. This way it can filter out some of the common attacks. The plugin checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either “eval(” or “base64” in the request URI. Block Bad Queries does a completely different job from that of WordPress Firewall 2, so it is worth having this plugin installed alongside WordPress Firewall 2.
Website File Changes Monitor
It keeps track of every change in the WordPress installation: it logs changes to the files in the WordPress directories and notifies you when they happen. If a hacker gets access to your themes and plugins and writes new content into any file, you’ll get a notification of the change. This plugin is handy for understanding which file to roll back to its previous state; you can then use the backed-up copy to restore the unaffected file in its place. To do this, you need a separate backup plugin or manual backups on a regular basis.
Limit Login Attempts Reloaded
Install the plugin and set the number of attempts on plugins options page. You can also set the number of minutes to keep the lock on a login page. It also keeps the log of a number of attempts and number of times the lock was set.
AntiVirus
The AntiVirus plugin helps your WordPress setup by scanning the files for malware and viruses. It detects every change in a file and reports it in the dashboard. It sometimes raises false positives, when it flags changes in require_once, include and other updated snippets that are genuine yet reported as malicious code. If any theme uses eval, base64_decode or shell_exec, it will be noted in the report. You can then replace such themes with ones that have more secure code.
BCRYPT
Install the ‘bcrypt’ passwords plugin (GitHub page). This will significantly strengthen the password hashes stored in your SQL database.
Fail2Ban
Use fail2ban along with WP Fail2ban Redux. This will catch would-be hackers scanning your website for vulnerabilities and ban them early.
WP-Bruiser
WP-Bruiser is mostly used as a no-captcha method to block spam bots in your comment, contact, registration and login forms, but it also includes some useful brute-force protections, and a feature that notifies you anytime an administrator logs in. These features are available for free. This is a great light-weight option.
c. WordPress Database Backup Plugins:
You can save yourself a lot of headache recovering your site if you take regular backups. You can schedule some of the plugins to automatically back up your site when you post, or at certain times during the week. When it comes to WordPress backups there are plenty of solutions. Here we are going to discuss three methods: plugins, hosted backup services and manual backups.
WordPress Backup Plugins – These plugins can help you back up your WordPress posts, comments and other settings and store them wherever you wish. Some of them offer the feature of emailing your backup or uploading it to a remote server like Amazon S3, Dropbox or any other backup service.
Manual Backup – In this method, you take a backup of the setup and keep it safe on your own. You have to store the backed-up data somewhere other than the hosting server. There are free and paid backup plugins available for WordPress; you can choose one that fits your needs.
Hosted Backup Service – These services integrate with the WordPress setup and take a regular snapshot of it. They are basically plugins that are connected to the backup server. In this article I will talk about the first two methods.
Most of the free plugins that upload the data to Dropbox or send it via email are preferred by the WordPress community members. If your WordPress data is critical, then subscribing to a service like Vaultpress or Codevault is a much better option. You can also use premium plugins like BackupBuddy or Backupify to back up your data.
The more important your data, the better it is to put your backup on a hosted solution.
Here are some of the backup plugins that can solve your backup and monitoring requirements:
WP-DB Manager
This free plugin is very handy for optimizing your database. It also sends the backup via email to the admin or a specific user. The plugin is not easy to use, as there is no specific starting point for a newbie to learn from. However, if you are comfortable with WordPress and its various plugin configurations, then it is not hard to use.
BackWPup
This is a free plugin that is very handy for uploading your database backup to external services like Dropbox, Amazon S3, Google Drive and a few other backup services. A restore option for a fresh install is included in the plugin. It doesn’t have active support in the forums, but for a free plugin it gets the job done and doesn’t have critical bugs.
Very popular for backing up the database. This plugin is very simple to use. It does only one task – backing up the core database. You don’t get to choose the backup location, and you can’t back up posts and other files. There isn’t much support provided for this plugin. But considering the ease of use and quick database backup, this plugin is perfect for newbies who can’t use other, more advanced plugins.
Manual Backup
If you can’t afford any other backup method, you can back up your WordPress site manually to Google Drive, Dropbox or your local computer. In this method, you can use any of the database backup plugins to download the archive generated by the plugin. Additionally, back up the /uploads folder to save images and other media files. Posts and comments along with core settings can be downloaded by following these instructions.
Click on Tools, then go to the Export page. On this page, select all posts and pages and click the export button. You get a WXR file that contains the data from the WordPress core. This is basically an XML file with structured data which you can use to restore your posts. If you can’t afford premium plugins or a service for the backup, you can use free plugins that store the backup on Dropbox or Google Drive. These two services can host your blog backups for free. If by any remote chance your backup exceeds the data limit of these services, you can go ahead and purchase a yearly storage subscription.
I should mention that I am a fan of manual WordPress backups, and I don’t recommend involving any plugin in the backup/recovery process. If you want to learn how to manually back up your WordPress site, take a look here: How To Backup Your Site From cPanel
5. Install a SSL certificate (Secure Sockets Layer):

Nowadays, you have two options for the SSLs: Free SSL certificate and Premium SSL certificate.
One of the best providers of free SSL certificates is Let’s Encrypt. Any relevant hosting provider in 2021 will offer this feature to its hosting clients for free.
For premium SSL certificates, you have a lot of options. Premium SSL certificates are an enhanced form of the standard SSL certificate used by eCommerce websites to secure online transactions. Of course, you can use this kind of SSL certificate for your basic WordPress site too, but for medium and big sites, where people provide personal information, credit card information, etc., it is imperative to use a premium SSL certificate.
A premium SSL certificate’s price starts from $5/year and goes up to $1,999/year for a DigiCert (formerly by VeriSign) SSL certificate.
Why use an SSL certificate?
Not only will it secure your WordPress site, but using an SSL certificate in 2021 is a MUST. Without SSL, your site visitors and customers are at higher risk of having their data stolen. Your site security is also at risk without encryption. SSL protects the website from phishing scams, data breaches, and many other threats. Ultimately, it builds a secure environment for both visitors and site owners.
6. File Permissions
Each file on a Linux or Unix-based web server has read, write and execute permission levels. Users who access these files are divided into three classes – user (owner), group and world. You can make your website more secure by setting file permissions that restrict anonymous users and the group from modifying them. By default the web server sets some permission levels for you. Common permissions that you’ll find on a web server:
- 755 – User can read, write and execute a file, whereas group and world can read and execute it.
- 644 – User can read and write, whereas group and world can read.
- 777 – User, group and world can read, write and execute.
- 400 – User read only. Group and world have no permissions.
- 444 – All user levels can read.
- 600 – User can read and write, whereas group and world have no permissions.
As you can see from the level of strictness of these permissions, you should stick to 644 and 755 when you modify permission levels. By default, WordPress sets file permissions to 644 and folder permissions to 755.
You should never set any file or folder to permission 777. Some cache plugins require you to set the permission of the plugin folder to 755 if your web server overrides it to 644. Permission settings vary from one host to another. They also depend on the operating system used on the hosting account; you may find a completely different way to set permission levels on a Windows server.
When you upload files to the web server via FTP or a web-based uploader, check the permissions.
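The following script is an added example (not from the original article) showing how to audit a document root for the loose permissions discussed above and normalise it to the 644/755 scheme. It goes one step further than the text and sets wp-config.php to 600, the strictest mode in the table; that assumes PHP runs as the file's owner (as on most cPanel hosts), so fall back to 644 if your host runs PHP under a different user. The sample tree built by make_sample_site() is constructed for the demo; point wp_audit and wp_fix at a real document root (after taking a backup) to use them on a site.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress document
# root for group/world-writable paths and normalise it to directories 755,
# files 644, wp-config.php 600. make_sample_site() builds a constructed tree
# in a temporary directory so the script can be run safely anywhere.

# List every file or directory writable by group or world (666, 777, 775, ...).
wp_audit() {
  find "$1" \( -type f -o -type d \) -perm /022 | sort
}

# Number of paths the audit flags; zero means the tree is clean.
wp_audit_count() {
  wp_audit "$1" | wc -l | tr -d ' '
}

# Apply the standard scheme: directories 755, files 644, wp-config.php 600
# (600 assumes PHP runs as the file owner; use 644 otherwise).
wp_fix() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then
    chmod 600 "$1/wp-config.php"
  fi
}

# Octal mode of one path (GNU stat first, BSD stat as fallback).
wp_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample tree with the kind of loose permissions a careless FTP
# upload or a "just make uploads work" shortcut leaves behind.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/plugins/demo-plugin" "$site/wp-content/uploads"
  printf '<?php // constructed sample\n' > "$site/wp-config.php"
  printf '<?php // constructed sample\n' > "$site/wp-content/plugins/demo-plugin/demo.php"
  printf 'x' > "$site/wp-content/uploads/image.jpg"
  chmod 755 "$site" "$site/wp-content" "$site/wp-content/plugins" "$site/wp-content/plugins/demo-plugin"
  chmod 644 "$site/wp-config.php" "$site/wp-content/uploads/image.jpg"
  chmod 777 "$site/wp-content/uploads"                        # world-writable directory
  chmod 666 "$site/wp-content/plugins/demo-plugin/demo.php"   # world-writable PHP file
  echo "$site"
}

if [ "${1:-}" = "demo" ]; then
  site=$(make_sample_site)
  echo "Before fix, group/world-writable paths:"; wp_audit "$site"
  wp_fix "$site"
  echo "After fix: $(wp_audit_count "$site") path(s) still flagged"
  echo "wp-config.php mode: $(wp_mode "$site/wp-config.php")"
  rm -rf "$site"
fi
```

Run it with `sh script.sh demo` to see the two flagged paths disappear after the fix. On a real site, run wp_audit first and read the list: a plugin that genuinely needs a writable cache directory will show up there, and you should whitelist it consciously rather than leave the whole tree at 777.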
7. Think about Cloud Managed WordPress Hosting Services
Hosting your WordPress platform on cheap, shared servers may put your site at more risk – you have no control over what other users on that same server will do, and that can potentially compromise your site.
In addition, performance can degrade over time as the hosting provider adds more users to that server, leaving you to fight each other for resources.
Why avoid cheap shared WordPress hosting and choose a more expensive one?
A good hosted WordPress service can help keep your site fast and secure by:
- Providing constantly updated servers/up-to-date security patches
- Offering a firewall (software or hardware) – also with up-to-date security patches
- Monitoring system performances for unusual activity (database requests, login attempts, etc)
- Having technicians that can understand the situation and provide instant help
- Backing up and restoring services in the event of a compromised site
Advanced WordPress Security Tips – Secure WordPress Site

ATTENTION! BACKUP YOUR WEBSITE BEFORE DOING ANY OF THE FOLLOWING CHANGES. ALSO, DO A BACKUP AFTER EVERY CHANGE YOU MAKE, IN ORDER TO SAVE IMPORTANT TIME!
1. Add a server-level layer of authentication
Having anybody able to access your /wp-admin login screen makes it easier for hackers and bots to do their damage.
Adding an additional level of security at the server level ensures that you are the only one who controls who can and can’t access /wp-admin in the first place. To secure your WordPress site, you should follow the next tips:
There are a few ways to do this:
a. IP-restrict /wp-admin
Whitelist only your IP (and those you trust) in your .htaccess file to ensure /wp-admin is only accessible by authorized people.
b. Add these lines to your .htaccess file:
    # ALLOW USER BY IP
    order deny,allow
    deny from all
    allow from YOUR.IP.GOES.HERE
Find out your IP address here: http://www.whatismyip.com/
Put these lines in the .htaccess inside the wp-admin directory, not in the site root (there they would block the whole site). Keep in mind that wp-admin/admin-ajax.php is requested by visitors' browsers for some themes and plugins, so allow that file separately if the front end breaks. This is Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat, or use the equivalent "Require ip YOUR.IP.GOES.HERE".
c. Add HTTP authentication to /wp-admin
Add an additional username/password credential via .htpasswd to /wp-admin. Users can’t even view the WP login page until they provide the appropriate username and password at the .htpasswd level.
2. Restrict WP-CONFIG.PHP access
If you can access the file, change the permission to 0644. If you don’t have access, ask your hosting provider to do this.
3. Stop the Login Hints:
I don’t know why WordPress keeps this setting, but you have to get rid of it ASAP. To disable login hints, add the following code to your theme’s functions.php file:
    function no_wordpress_errors() {
        // Replace WordPress's specific hint (wrong username vs. wrong password) with one generic message.
        return 'What the heck are you doing?! Back off!';
    }
    add_filter( 'login_errors', 'no_wordpress_errors' );
4. Change WordPress Admin URL
To change the WordPress Admin URL, follow these steps:
1. Add these constants to wp-config.php:
    define( 'WP_ADMIN_DIR', 'secret-folder' );
    define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR );
2. Insert the filter below into functions.php:
    add_filter( 'site_url', 'wpadmin_filter', 10, 3 );
    function wpadmin_filter( $url, $path, $orig_scheme ) {
        // Replace the first "wp-admin" segment of generated URLs with the custom directory name.
        $old       = array( '/(wp-admin)/' );
        $admin_dir = WP_ADMIN_DIR;
        $new       = array( $admin_dir );
        return preg_replace( $old, $new, $url, 1 );
    }
3. Add this to your .htaccess file, before the WordPress rewrite block:
    RewriteEngine On
    RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
After these steps, your WordPress admin URL will look like: http://www.yoursite.com/secret-folder/
Note that these steps only add an alias: /wp-admin itself still answers at its original path unless you also restrict it as described in tip 1.
5. Prevent bad code injection – Block Bad Queries
With the following plugin, you can protect WordPress from malicious URL requests. Just put the following snippet in a PHP file under wp-content/plugins and then activate the plugin in the backend.
    <?php
    /*
    Plugin Name: Block Bad Queries
    Plugin URI: http://perishablepress.com/
    Description: Protect WordPress Against Malicious URL Requests
    Author URI: http://perishablepress.com/
    Author: Perishable Press
    Version: 1.0
    */
    // Refuse any request whose URI carries one of the common injection markers.
    $request_uri = $_SERVER['REQUEST_URI'];
    if ( strpos( $request_uri, 'eval(' ) !== false
      || strpos( $request_uri, 'CONCAT' ) !== false
      || strpos( $request_uri, 'UNION+SELECT' ) !== false
      || strpos( $request_uri, 'base64' ) !== false ) {
        @header( 'HTTP/1.1 400 Bad Request' );
        @header( 'Status: 400 Bad Request' );
        @header( 'Connection: Close' );
        @exit;
    }
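The script below is an added example (not the Block Bad Queries plugin and not from the original article) that applies the same request-URI rules the plugin and its description above use (the “eval(”, “CONCAT”, “UNION+SELECT” and “base64” markers, plus the over-255-character check) to web server access-log lines, so you can see which past requests such a filter would have refused. The log lines in SAMPLE_LOG are constructed for the demo; pipe a real access log into flag_bad_requests to use it.

```shell
#!/bin/sh
# Added example, not the plugin itself: run the Block Bad Queries rules over
# combined-format access-log lines and print the requests they would refuse.
# SAMPLE_LOG is constructed for this demo.

# Return 0 (true) when one request URI trips a rule. Like the plugin, the
# string matches are case-sensitive, so treat this as a noise filter, not a WAF.
is_bad_query() {
  uri="$1"
  if [ "${#uri}" -gt 255 ]; then
    return 0
  fi
  case "$uri" in
    *'eval('*|*base64*|*CONCAT*|*UNION+SELECT*) return 0 ;;
  esac
  return 1
}

# Read access-log lines on stdin and echo the ones whose request URI
# (second token of the quoted request line) trips a rule.
flag_bad_requests() {
  while IFS= read -r line; do
    request=$(printf '%s\n' "$line" | sed -n 's/^[^"]*"\([^"]*\)".*/\1/p')
    uri=$(printf '%s\n' "$request" | awk '{print $2}')
    [ -n "$uri" ] || continue
    if is_bad_query "$uri"; then
      printf '%s\n' "$line"
    fi
  done
}

# Constructed sample log: two normal requests, two carrying payload markers
# and one with an oversized query string (300 'A' characters).
LONG_VALUE=$(awk 'BEGIN { while (i++ < 300) printf "A" }')
SAMPLE_LOG=$(printf '%s\n%s\n%s\n%s\n%s' \
  '203.0.113.5 - - [10/Mar/2021:10:00:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"' \
  '203.0.113.5 - - [10/Mar/2021:10:00:02 +0000] "GET /wp-content/uploads/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"' \
  '198.51.100.7 - - [10/Mar/2021:10:00:03 +0000] "GET /?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 1 "-" "curl/7.68"' \
  '198.51.100.7 - - [10/Mar/2021:10:00:04 +0000] "GET /index.php?x=eval(base64_decode(...)) HTTP/1.1" 200 1 "-" "curl/7.68"' \
  "198.51.100.9 - - [10/Mar/2021:10:00:05 +0000] \"GET /?q=$LONG_VALUE HTTP/1.1\" 200 1 \"-\" \"python-requests\"")

# Number of flagged lines in SAMPLE_LOG; the same pipeline works for a daily report.
count_bad_requests() {
  printf '%s\n' "$SAMPLE_LOG" | flag_bad_requests | wc -l | tr -d ' '
}

if [ "${1:-}" = "demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_bad_requests
  echo "flagged: $(count_bad_requests)"
fi
```

Running `sh script.sh demo` prints the three suspicious lines and `flagged: 3`. Reviewing the flagged lines before enabling the plugin tells you how much legitimate traffic (for example a base64-encoded image parameter used by a gallery plugin) the rules would also refuse.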
Secure WordPress Site: Conclusion
Although WordPress has seen a huge increase in attacks from hackers, with a few adjustments and some awareness you can keep your site safe. Matt Mullenweg, the founding developer of WordPress, notes in his blog that if you change your admin username, ensure you have a strong password, and keep your site up to date, “you’ll be ahead of 99% of the sites out there and probably never have a problem.”