The Ultimate WordPress Security Guide – Step by Step (2019) – WPSaviour

By WP Saviour •  Updated: 02/28/21 •  20 min read

WordPress safety is a subject of big significance for each web site proprietor. Google blacklists round 10,000+ web sites every single day for malware and round 50,000 for phishing each week.

If you’re severe about your web site, then that you must take note of the WordPress safety greatest practices. On this information, we’ll share all the highest WordPress safety ideas that will help you defend your web site in opposition to hackers and malware.


Whereas WordPress core software program may be very safe, and it’s audited often by tons of of builders, there’s a lot that may be completed to maintain your web site safe.

At WPSaviour, we imagine that safety isn’t just about danger elimination. It’s additionally about danger discount. As a web site proprietor, there’s loads that you are able to do to enhance your WordPress safety (even in case you’re not tech savvy).

Now we have numerous actionable steps that you may take to guard your web site in opposition to safety vulnerabilities.

To make it straightforward, now we have created a desk of content material that will help you simply navigate by way of our final WordPress safety information.

Desk of Contents

Fundamentals of WordPress Safety

WordPress Safety in Simple Steps (No Coding)

WordPress Safety for DIY Customers

Prepared? Let’s get began.

Why Web site Safety is Vital?

A hacked WordPress web site could cause severe injury to your online business income and status. Hackers can steal person info, passwords, set up malicious software program, and might even distribute malware to your customers.

Worst, you might end up paying ransomware to hackers simply to regain entry to your web site.


In March 2016, Google reported that greater than 50 million web site customers have been warned a few web site they’re visiting might comprise malware or steal info.

Moreover, Google blacklists round 20,000 web sites for malware and round 50,000 for phishing every week.

In case your web site is a enterprise, then that you must pay additional consideration to your WordPress safety.

Much like the way it’s the enterprise homeowners accountability to guard their bodily retailer constructing, as a web based enterprise proprietor it’s your accountability to guard your online business web site.

Retaining WordPress Up to date


WordPress is an open supply software program which is often maintained and up to date. By default, WordPress mechanically installs minor updates. For main releases, that you must manually provoke the replace.

WordPress additionally comes with hundreds of plugins and themes that you may set up in your web site. These plugins and themes are maintained by third-party builders which often launch updates as properly.

These WordPress updates are essential for the safety and stability of your WordPress web site. That you must be sure that your WordPress core, plugins, and theme are updated.

Robust Passwords and Consumer Permissions


The commonest WordPress hacking makes an attempt use stolen passwords. You may make that tough through the use of stronger passwords which can be distinctive in your web site. Not only for WordPress admin space, but in addition for FTP accounts, database, WordPress hosting account, and your customized electronic mail addresses which use your web site’s area identify.

Many saviours don’t like utilizing robust passwords as a result of they’re laborious to recollect. The great factor is that you just don’t want to recollect passwords anymore. You should use a password supervisor. See our information on how to manage WordPress passwords.

One other option to cut back the danger is to not give anybody entry to your WordPress admin account until you completely should. You probably have a big staff or visitor authors, then just remember to perceive person roles and capabilities in WordPress earlier than you add new person accounts and authors to your WordPress web site.

The Function of WordPress Internet hosting

Your WordPress internet hosting service performs a very powerful position within the safety of your WordPress web site. A great shared internet hosting supplier like Bluehost or Siteground take the additional measures to guard their servers in opposition to frequent threats.

Right here is how website hosting firm works within the background to guard your web sites and knowledge.

On a shared internet hosting plan, you share the server sources with many different clients. This opens the danger of cross-site contamination the place a hacker can use a neighboring web site to assault your web site.

Utilizing a managed WordPress internet hosting service supplies a safer platform in your web site. Managed WordPress internet hosting firms provide automated backups, automated WordPress updates, and extra superior safety configurations to guard your web site

We suggest WPEngine as our most popular managed WordPress internet hosting supplier. They’re additionally the preferred one within the trade.

WordPress Safety in Simple Steps (No Coding)

We all know that bettering WordPress safety generally is a terrifying thought for saviours. Particularly in case you’re not techy. Guess what – you’re not alone.

Now we have helped hundreds of WordPress customers in hardening their WordPress safety.

We are going to present you how one can enhance your WordPress safety with only a few clicks (no coding required).

For those who can point-and-click, you are able to do this!

Set up a WordPress Backup Resolution


Backups are your first protection in opposition to any WordPress assault. Keep in mind, nothing is 100% safe. If authorities web sites may be hacked, then so can yours.

Backups help you shortly restore your WordPress web site in case one thing unhealthy was to occur.

There are various free and paid WordPress backup plugins that you should use. Crucial factor that you must know on the subject of backups is that you could often save full-site backups to a distant location (not your internet hosting account).

We suggest storing it on a cloud service like Amazon, Dropbox, or non-public clouds like Stash.

Primarily based on how incessantly you replace your web site, the perfect setting may be both as soon as a day or real-time backups.

Fortunately this may be simply completed through the use of plugins like VaultPress or UpdraftPlus. They’re each dependable and most significantly straightforward to make use of (no coding wanted).

Greatest WordPress Safety Plugin

After backups, the following factor we have to do is setup an auditing and monitoring system that retains monitor of all the things that occurs in your web site.

This contains file integrity monitoring, failed login makes an attempt, malware scanning, and so forth.

Fortunately, this may be all taken care by the most effective free WordPress safety plugin, Sucuri Scanner.

That you must set up and activate the free Sucuri Safety plugin. For extra particulars, please see our step-by-step information on how to install a WordPress plugin.

Upon activation, that you must go to the Sucuri menu in your WordPress admin. The very first thing you’ll be requested to do is Generate a free API key. This allows audit logging, integrity checking, electronic mail alerts, and different essential options.


The subsequent factor, that you must do is click on on the ‘Hardening’ tab from the settings menu. Undergo each choice and click on on the “Apply Hardening” button.


These choices assist you to lock down the important thing areas that hackers usually use of their assaults. The one hardening choice that’s a paid improve is the Internet Utility Firewall which we’ll clarify within the subsequent step, so skip it for now.

Now we have additionally coated a whole lot of these “Hardening” choices later on this article for many who need to do it with out utilizing a plugin or those that require further steps equivalent to “Database Prefix change” or “Altering the Admin Username”.

After the hardening half, the default plugin settings are ok for many web sites and don’t want any adjustments. The one factor we suggest customizing is ‘E-mail Alerts’.

The default alert settings can litter your inbox with emails. We suggest receiving alerts for key actions like adjustments in plugins, new person registration, and so forth. You’ll be able to configure the alerts by going to Sucuri Settings » Alerts.


This WordPress safety plugin may be very highly effective, so flick through all of the tabs and settings to see all that it does equivalent to Malware scanning, Audit logs, Failed Login Try monitoring, and so forth.

Allow Internet Utility Firewall (WAF)

The best option to defend your web site and be assured about your WordPress safety is through the use of an internet software firewall (WAF).

An internet site firewall blocks all malicious visitors earlier than it even reaches your web site.

DNS Degree Web site Firewall – These firewall route your web site visitors by way of their cloud proxy servers. This enables them to solely ship real visitors to your internet server.

Utility Degree Firewall – These firewall plugins study the visitors as soon as it reaches your server however earlier than loading most WordPress scripts. This technique isn’t as environment friendly because the DNS degree firewall in decreasing the server load.

To study extra, see our listing of the most effective WordPress firewall plugins.


We use and suggest Sucuri as the most effective web-application firewall for WordPress. You’ll be able to examine how Sucuri helped us block 450,000 WordPress attacks in a month.


The most effective half about Sucuri’s firewall is that it additionally comes with a malware cleanup and blacklist elimination assure. Principally in case you had been to be hacked beneath their watch, they assure that they are going to repair your web site (regardless of what number of pages you will have).

It is a fairly robust guarantee as a result of repairing hacked web sites is dear. Safety specialists usually cost $250 per hour. Whereas you will get the complete Sucuri safety stack for $199 per 12 months.

Enhance your WordPress Safety with the Sucuri Firewall »

Sucuri isn’t the one DNS degree firewall supplier on the market. The opposite standard competitor is Cloudflare. See our comparability of Sucuri vs Cloudflare (Professionals and Cons).

Transfer Your WordPress Web site to SSL/HTTPS

SSL (Safe Sockets Layer) is a protocol which encrypts knowledge switch between your web site and customers browser. This encryption makes it tougher for somebody to smell round and steal info.


When you allow SSL, your web site will use HTTPS as an alternative of HTTP, additionally, you will see a padlock signal subsequent to your web site deal with within the browser.

SSL certificates had been usually issued by certificates authorities and their costs begin from $80 to tons of of {dollars} every year. On account of added value, most web site homeowners opted to maintain utilizing the insecure protocol.

To repair this, a non-profit group referred to as Let’s Encrypt determined to supply free SSL Certificates to web site homeowners. Their mission is supported by Google Chrome, Fb, Mozilla, and plenty of extra firms.

On account of this, it’s now simpler than ever to begin utilizing SSL for all of your WordPress web sites. For step-by-step directions, see our article on easy methods to get a free SSL certificates in your WordPress web site.

WordPress Safety for DIY Customers

For those who do all the things that now we have talked about to this point, you then’re in a reasonably fine condition.

However as all the time, there’s extra that you are able to do to harden your WordPress safety.

A few of these steps might require coding data.

Change the Default “admin” username

Within the outdated days, the default WordPress admin username was “admin”. Since usernames make up half of login credentials, this made it simpler for hackers to do brute-force assaults.

Fortunately, WordPress has since modified this and now requires you to pick out a customized username on the time of putting in WordPress.

Nonetheless, some 1-click WordPress installers, nonetheless set the default admin username to “admin”. For those who discover that to be the case, then it’s in all probability a good suggestion to modify your website hosting.

Since WordPress doesn’t help you change usernames by default, there are three strategies you should use to alter the username.

  1. Create a brand new admin username and delete the outdated one.
  2. Use the Username Changer plugin
  3. Replace username from phpMyAdmin

Now we have coated all three of those in our detailed information on easy methods to correctly change your WordPress username (step-by-step).

Word: We’re speaking in regards to the username referred to as “admin”, not the administrator position.

Disable File Modifying

WordPress comes with a built-in code editor which lets you edit your theme and plugin information proper out of your WordPress admin space. Within the unsuitable fingers, this function generally is a safety danger which is why we suggest turning it off.


You’ll be able to simply do that by including the next code in your wp-config.php file.



outline( 'DISALLOW_FILE_EDIT', true );

Alternatively, you are able to do this with 1-click utilizing the Hardening function within the free Sucuri plugin that we talked about above.

Disable PHP File Execution in Sure WordPress Directories

One other option to harden your WordPress safety is by disabling PHP file execution in directories the place it’s not wanted equivalent to /wp-content/uploads/.

You are able to do this by opening a textual content editor like Notepad and paste this code:




deny from all

Subsequent, that you must save this file as .htaccess and add it to /wp-content/uploads/ folders in your web site utilizing an FTP shopper.

For extra detailed rationalization, see our information on easy methods to disable PHP execution in sure WordPress directories

Alternatively, you are able to do this with 1-click utilizing the Hardening function within the free Sucuri plugin that we talked about above.

By default, WordPress permits customers to attempt to login as many time as they need. This leaves your WordPress web site susceptible to brute power assaults. Hackers attempt to crack passwords by making an attempt to login with completely different combos.

This may be simply fastened by limiting the failed login makes an attempt a person could make. For those who’re utilizing the net software firewall talked about earlier, then that is mechanically taken care of.

Nonetheless, in case you don’t have the firewall setup, then proceed with the steps beneath.

First, that you must set up and activate the Login LockDown plugin. For extra particulars, see our step-by-step information on easy methods to set up a WordPress plugin.

Upon activation, go to Settings » Login LockDown web page to setup the plugin.


For detailed directions, check out our information on how and why you must restrict login makes an attempt in WordPress.

Add Two Issue Authentication

Two-factor authentication approach requires customers to log in through the use of a two-step authentication technique. The primary one is the username and password, and the second step requires you to authenticate utilizing a separate system or app.

Most high on-line web sites like Google, Fb, Twitter, help you allow it in your accounts. You can too add the identical performance to your WordPress web site.

First, that you must set up and activate the Two Issue Authentication plugin. Upon activation, that you must click on on the ‘Two Issue Auth’ hyperlink in WordPress admin sidebar.


Subsequent, that you must set up and open an authenticator app in your cellphone. There are a number of of them accessible like Google Authenticator, Authy, and LastPass Authenticator.

We suggest utilizing LastPass Authenticator or Authy as a result of they each help you again up your accounts to the cloud. That is very helpful in case your cellphone is misplaced, reset, otherwise you purchase a brand new cellphone. All of your account logins might be simply restored.

We might be utilizing the LastPass Authenticator for the tutorial. Nonetheless, directions are related for all auth apps. Open your authenticator app, after which click on on the Add button.


You can be requested in case you’d prefer to scan a web site manually or scan the bar code. Choose the scan bar code choice after which level your cellphone’s digicam on the QRcode proven on the plugin’s settings web page.

That’s all, your authentication app will now put it aside. Subsequent time you log in to your web site, you’ll be requested for the two-factor auth code after you enter your password.


Merely open the authenticator app in your cellphone and enter the code you see on it.

Change WordPress Database Prefix

By default, WordPress makes use of wp_ because the prefix for all tables in your WordPress database. In case your WordPress web site is utilizing the default database prefix, then it makes it simpler for hackers to guess what your desk identify is. This is the reason we suggest altering it.

You’ll be able to change your database prefix by following our step-by-step tutorial on easy methods to change WordPress database prefix to enhance safety.

Word: This will break your web site if it’s not completed correctly. Solely proceed, in case you really feel comfy together with your coding abilities.

Password Defend WordPress Admin and Login Web page


Usually, hackers can request your wp-admin folder and login web page with none restriction. This enables them to attempt their hacking tips or run DDoS assaults.

You’ll be able to add further password safety on a server-side degree, which is able to successfully block these requests.

Observe our step-by-step directions on easy methods to password defend your WordPress admin (wp-admin) listing.

Disable Listing Indexing and Looking


Listing looking can be utilized by hackers to seek out out you probably have any information with recognized vulnerabilities, to allow them to reap the benefits of these information to realize entry.

Listing looking may also be utilized by different folks to look into your information, copy photos, discover out your listing construction, and different info. This is the reason it’s extremely beneficial that you just flip off listing indexing and looking.

That you must connect with your web site utilizing FTP or cPanel’s file supervisor. Subsequent, find the .htaccess file in your web site’s root listing. For those who can not see it there, then confer with our information on why you possibly can’t see .htaccess file in WordPress.

After that, that you must add the next line on the finish of the .htaccess file:

Choices -Indexes

Don’t overlook to avoid wasting and add .htaccess file again to your web site. For extra on this matter, see our article on easy methods to disable listing looking in WordPress.

Disable XML-RPC in WordPress

XML-RPC was enabled by default in WordPress 3.5 as a result of it helps connecting your WordPress web site with internet and cell apps.

Due to its highly effective nature, XML-RPC can considerably amplify the brute-force assaults.

For instance, historically if a hacker wished to attempt 500 completely different passwords in your web site, they must make 500 separate login makes an attempt which might be caught and blocked by the login lockdown plugin.

However with XML-RPC, a hacker can use the system.multicall perform to attempt hundreds of password with say 20 or 50 requests.

This is the reason in case you’re not utilizing XML-RPC, then we suggest that you just disable it.

There are Three methods to disable XML-RPC in WordPress, and now we have coated all of them in our step-by-step tutorial on easy methods to disable XML-RPC in WordPress.

Tip: The .htaccess technique is the most effective one as a result of it’s the least useful resource intensive.

For those who’re utilizing the web-application firewall talked about earlier, then this may be taken care of by the firewall.

Robotically log off Idle Customers in WordPress

Logged in customers can typically wander off from display, and this poses a safety danger. Somebody can hijack their session, change passwords, or make adjustments to their account.

This is the reason many banking and monetary websites mechanically log off an inactive person. You’ll be able to implement related performance in your WordPress web site as properly.

You have to to put in and activate the Inactive Logout plugin. Upon activation, go to Settings » Inactive Logout web page to configure plugin settings.


Merely set the time length and add a logout message. Don’t overlook to click on on the save adjustments button to retailer your settings.

Add Safety Inquiries to WordPress Login Display


Including a safety query to your WordPress login display makes it even tougher for somebody to get unauthorized entry.

You’ll be able to add safety questions by putting in the WP Safety Questions plugin. Upon activation, that you must go to Settings » Safety Questions web page to configure the plugin settings.

For extra detailed directions, see our tutorial on easy methods to add safety inquiries to WordPress login display.

Scanning WordPress for Malware and Vulnerabilies


You probably have a WordPress safety plugin put in, then these plugins will routinely examine for malware and indicators of safety breaches.

Nonetheless, in case you see a sudden drop in web site visitors or search rankings, then you might need to manually run a scan. You should use your WordPress safety plugin, or use one among these malware and safety scanners.

Operating these on-line scans is sort of straight ahead, you simply enter your web site URLs and their crawlers undergo your web site to search for recognized malware and malicious code.

Now understand that most WordPress safety scanners can simply scan your web site. They can’t take away the malware or clear a hacked WordPress web site.

This brings us to the following part, cleansing up malware and hacked WordPress websites.

Fixing a Hacked WordPress Web site

Many WordPress customers don’t understand the significance of backups and web site safety till their web site is hacked.

Cleansing up a WordPress web site may be very tough and time consuming. Our first recommendation can be to let an expert care for it.

Hackers set up backdoors on affected websites, and if these backdoors are usually not fastened correctly, then your web site will probably get hacked once more.

Permitting an expert safety firm like Sucuri to repair your web site will be sure that your web site is protected to make use of once more. It would additionally defend you in opposition to any future assaults.

For the adventurous and DIY customers, now we have compiled a step-by-step information on fixing a hacked WordPress web site.

That’s all, we hope this text helped you study the highest WordPress safety greatest practices in addition to uncover the most effective WordPress safety plugins in your web site.

gp-2535513 as-6202398

WP Saviour

I am a WordPress specialist. My mission is to help you create beautiful websites with ease!