WordPress Security Best Practices

Authored By: Rommel G

15 Steps to Lock Down Your WordPress Website





WordPress websites are a common target of hackers because WordPress is the world’s most popular website platform. WordPress security best practices use a layered security approach to maximize your protection.  

  • Secure server environment
  • Website firewall
  • WordPress security procedures

Start With a Secure Server Environment

Start with a high quality hosting provider. You will want a company that knows how to harden a server and secure it for WordPress. Here are some things to look for as you are comparing hosting services.

1. A high uptime guarantee. It should be 99.99% as a minimum SLA.

2. Active scanning for malware. This helps delete or quarantine malware before they become active.

3. Server hardening & Firewall. The server firewall will block malicious attacks and hardening will eliminate server systems vulnerabilities.

4. 24/7 Security Monitoring should be present  to monitor and react to attacks as they occur.

5. Daily backups and fast website restore (when down) allows for a quick recovery if a hack occurs.

6. Server software and hardware should be updated regularly to prevent hackers from exploiting a known security vulnerability in an old software version.

Website Firewall

The next layer of protection is at the website level. Use a comprehensive firewall and malware scanner. There are a number of good WordPress security plugins. My preferred plugin is Wordfence Premium. This is the paid version of Wordfence. Sucuri is another excellent security plugin.

7. Install a WordPress security plugin. The security plugin will supply many security functions. You can use security plugin to limit login attempts to a small number which helps stop brute force attacks.

WordPress Security Procedures

As you manage and maintain your website, you will need to follow WordPress security best practices. Hackers and bots are constantly looking for security weak points. Here are a list of WordPress security best practices.

8. Move your site to HTTPS. Add an SSL to protect data by encrypting as it is being sent between the user’s web browser and your web server are delivered.

9. Use a unique username. Use your email address or other unique login. Never use the default login username for WordPress which is admin.

10. Use a strong password. WordPress will always recommend a strong password, but a user can enter their own weak password like password123. If you have multiple users, you can enforce a secure password using a plugin that prevents the use of weak passwords. You can use a password manager to remember these strong passwords.

11. Regularly update plugins, themes and core files. This should be done weekly or bi-weekly. Known vulnerabilities are published on the web and are known by hackers. Most of the updates you see are to close these vulnerabilities. If you do not keep your site updated, you are inviting and attack.

12. Only use plugins and themes that are regularly being updated. Some are not updated or maintained by the developers that created them. Over time plugins / themes develop vulnerability that hackers exploit to break into a site. Plugins can be researched on wordpress.org to see the date they were last updated.

13. Add two factor authentication. Two factor authentication requires first the normal username / password login followed by an authentication using a separate device or app. This can be done through your security plugin or by adding a separate plugin such as Two Factor Authentication or Google Authenticator.

14. Add a security question to the WordPress login screen. The security question acts as a second password that a hacker will have trouble guessing. Use a security question plugin such as WP Security Question.

15. Automatically log out idle users. When a user stays inactive for too long after logging in, hackers can use a session or cookie hijacking method to gain unauthorized access to your site. Use a plugin such as Inactive Logout to ensure users are automatically logged out.


To achieve WordPress security best practices, you will need to apply the three layers of security to protect your WordPress website. Each layer increases the protection to your website and reduces your risk of being hacked.

  1. Secure server environment
  2. Website firewall
  3. WordPress security procedures

If you would like assistance in securing your WordPress website or secure managed WordPress hosting, contact Techna Digital Marketing at (360) 200-8688

Let’s Work Together

To Take Your Business To The Next Level

Make the First Move