WordPress is one of the most popular choices for bloggers, businesses and anyone who wants to have a hassle-free blogging software with loads of features and support.
Being a popular CMS (Content Management System), it is the most targeted platform for hackers.
Even though the WordPress core is pretty well coded and secure, you can harden your WordPress installation even more by putting a little more effort towards the security and following the WordPress best practices.
So, how do your secure your WordPress installation?
Well, that’s easy. All you have to do is put more care towards managing your WordPress site. In case you are wondering, here are some of the best and must follow WordPress security tips.
Think of the below WordPress security tips as a checklist and make sure that you follow them by all means.
Note: Some of the WordPress security tips discussed below may require you to edit WordPress files. So, make sure that you manually backup your site to cloud storage services like Dropbox or Google Drive.
1. Never Use “admin” as Username
This one of the most recommended WordPress security tips. Always make sure that you never use “admin” as the username.
Using a WordPress site with the username “admin” and not having a strong enough password is a deadly combination. In fact, this is one of most common reasons behind many hacked WordPress sites.
Due to the obvious security reasons, WordPress itself stopped assigning “admin” as the username while installing.
If you already have a WordPress site with the user account named “admin,” then fixing it is pretty easy.
Just create a new administrator account from the Users page, log in to your new administrator account and delete the user account named “admin.”
Don’t worry, while deleting the user account named “admin,” WordPress lets you assign all the existing posts to the user account of your choice.
2. Use Strong Password
Using passwords like 123456, superman, your mobile number, date of birth, etc.., is good because you can easily remember them, but so can your friends and foes.
So, never use passwords that are so obvious to guess and easy to brute-force.
In fact, having a good and strong password to protect any of your online or offline accounts is really important.
To create a strong password, always follow the rules below.
- The password must be 12 characters or more.
- The password must contain small and capital letters, numbers and special characters.
- The password should not contain complete words.
- The password should not contain any of your personal information.
- You should not use the same password to secure any other account.
- Finally, be creative.
3. Only Use the Administrator Account When Needed
This is one of the most ignored WordPress security tips, but the thing is, you are not going to need the administrator access to your WordPress site every time.
The best practice is to use the administrator account to do only the administrative tasks like updating WordPress plugins and themes, managing WordPress configurations, etc.
You don’t need administrative privileges to edit or publish posts, to moderate comments, etc.
So, depending on your needs, create a new user account with Author or Editor user role and manage all the general tasks using that user account. You can know more about the Roles and Capabilities from the WordPress codex.
4. Block Access to WordPress Login Page
Using a strong password to protect your WordPress is good and all.
But, you can increase your WordPress site security two-fold by simply blocking the access to your WordPress login page (wp-login.php) except for you and anyone approved by you.
You can achieve this by limiting the access to selected IP addresses. This approach is particularly helpful to protect yourselves from the brute force attacks.
To block access to the WordPress login page, open the .htaccess file in the root directory. Now copy and paste the below code on the top of the file.
Don’t forget to replace “xx.xxx.xx.xxx” with your actual IP address. In case you are wondering, you can get your IP address details by simply asking Google.
# Limit access by IP address
Deny from all
# whitelist IP address one
allow from xx.xxx.xx.xxx
# whitelist IP Address two
allow from xx.xxx.xx.xxx
5. Limit Login Attempts
In some cases, you may not be able to implement the above method of blocking access to the WordPress login page because you have multiple backend users and/or the IP addresses are dynamic.
In those cases, you need to limit the login attempts. i.e, after a predetermined number of failed attempts, the user or the IP address is locked out for a pre-determined period of time.
In that time period, the user cannot login even with a valid username and password.
This simple precaution can save your WordPress site from brute force attacks and guess works.
To enforce a limit on the login attempts, you can use the plugin Limit Login Attempts available in the WordPress repository.
The best thing about the plugin is that you can configure the lockout rules as required using the respective settings page.
6. Hide Login Error Message
Whenever there is a failed login attempt, WordPress displays an error message something like “The password for ‘username’ does not match.”
If you read the error message clearly, WordPress is indirectly hinting that the username is correct.
The worst thing about this error message is that it lets the hacker know whether the username is correct or incorrect.
So, the good thing to do is to disable or hide the actual login error message.
To do that, open your theme’s functions.php file, copy and paste the below code at the bottom of the file.
// Hide login message on WordPress login page
add_filter('login_errors',create_function('$a', "return null;"));
That’s all there is to do. From this point forward, the login error message is disabled.
7. Disable Directory Browsing
By design, when a web server does not file the default index file in a directory, it simply displays all the files and folders in that directory.
This could be a huge loophole in the sense of WordPress security as all the directories in your WordPress installation which have no default index file can be accessed publicly.
This directory browsing can be used by hackers to gather sensitive information like the plugins used, vulnerable files, etc.
To disable directory browsing, open the .htaccess file in the root directory, copy and paste the below code in it.
# Disable directory browsing
If you are uncomfortable editing the file, you can also disable directory browsing from cPanel.
8. Disable WordPress Editor
In WordPress, you can easily edit all your theme and plugin files using the built in WordPress code editor.
As useful as it is, it could be a huge security risk as a hacker can use it to edit theme and plugin files to add some malicious code once he has access to your WordPress site.
Moreover, when is that last time you’ve used the build it code editor to edit theme or plugin files? If you’ve ever used it, then you should just avoid that practice, for real.
To disable the WordPress Editor, open the wp-config.php file, copy the below code and paste it at the end of the file.
That’s all there is to do. From this point forward, the built-in WordPress editor is no longer accessible.
// Disable WordPress Editor
define( 'DISALLOW_FILE_EDIT', true );
Don’t worry, even after disabling the WordPress editor, you can alway edit the theme and plugin files through FTP.
9. Change WordPress Table Prefix
Whenever you install WordPress without changing table prefix before hand, it will be installed with the default table prefix.
Often times, this default table prefix could make your site vulnerable to automated or manual SQL injections.
So, in order to protect your site, you can change your default table prefix from
wp_ to something random like
This simple change makes your site a bit more secure from the hack attacks.
10. Protect “wp-config.php” File
If you are using WordPress for any span of time, then you will probably know that the wp-config.php file is one of the important files in your WordPress installation.
This file holds all the important configuration information like the database username and password, table prefix, etc.
So as a precaution, you need to protect this file at all costs.
To protect the wp-config.php file, copy and paste the below code snippet in the .htaccess file located in the root directory.
# Protect wp-config.php file
deny from all
11. Protect “.htaccess” File
Hypertext Access file (.htaccess file) is a directory level configuration file and is it is also one of the important files in your WordPress installation.
This simple file holds some of the important configurations that can affect the web server directly. Just like the wp-config.php file, you should also protect the .htaccess file.
To protect the .htaccess file, simply copy the below code and paste it in your .htaccess file.
That’s all there is to do and download all essential htaccess rule book for WordPress.
# Protect htaccess file
deny from all
12. Protect readme.html and license.txt Files
Whenever you install or upgrade your WordPress site, WordPress automatically creates two files named readme.html and license.txt in the root directory.
These files are not at all required by your WordPress site and may sometimes be used to gather your WordPress version information.
To protect your WordPress site, you can just delete them, but the thing is, they will be created whenever you upgrade your WordPress site. So, the best way is to protect these files from being accessed by the public.
To protect the readme.html and license.txt files, simply copy the below code and paste it in your .htacess file located in the root directory.
# Protect readme.html File
deny from all
# Protect license.txt file
deny from all
13. Protect install.php File
After installing WordPress, there is no need for the install.php file.
In fact, if you execute the URL http://exmple.com/wp-admin/install.php, you will see that WordPress gracefully informs you that you’ve already installed WordPress.
Even though this doesn’t look like much, there are instances when the installation script tried to reinstall WordPress under certain circumstances.
So, blocking the file from being accessed by the public is a good thing to do.
To do that, simply copy and paste the below code in your .htaccess file.
# Protect install.php
deny from all
14. Protect “wp-admin” Directory
For those of you who don’t know, wp-admin directory acts as the front end for the backend users like admins, editors, etc.
Considering the importance of the directory, it is always a good thing to add an additional layer of security.
This not only secures your WordPress installation from regular attacks but is also good at blocking brute force attacks.
To protect the wp-admin directory — download, install and configure the plugin AskApache Password Protect as per your needs.
Don’t forget to choose a strong password to protect your wp-admin folder.
15. Protect “wp-includes” Directory
In case you are wondering, wp-includes directory in your WordPress installation hosts all the core files and is only intended to be used by WordPress itself.
That is, there is no need or should not be any need for any user to access the contents of the wp-includes folder.
So, in order to protect the wp-includes folder from being accessed by any user, copy and paste the below code at the bottom of the .htaccess file located in the root directory.
# Block the include-only files.
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
16. Use Security Plugins
WordPress plugin repository has a plethora of security plugins to secure your WordPress site from general exploits and hardening your WordPress site’s security.
Most of the plugins available in the WordPress repository are capable of acting at WordPress level to filter and protecting your Website.
In fact, almost all the tips shared here can be managed using the above plugins. So, install the plugin of your choice and harden your site.
If possible, do give them a try.
17. Always Stay Updated
Whether it’s WordPress core, themes or plugins, staying up to date is like winning half the war.
For those of you who don’t know, bad guys generally target out-dated and vulnerable WordPress core, plugin and theme files.
To close the security holes, developers release the security patches and fixes in the form of updates. So, always stay updated and safe.
If you don’t stay updated, you will always be an easy target for the hackers. Recent MailPoet incident is a good example.
If you think it is too much work to manage all the plugin and theme files, then consider using secure and managed hosting services like WP Engine and SiteGround or website security services like Sucuri who can monitor and protect your WordPress site from known and zero-day vulnerabilities.
Moreover, starting from version 3.7, WordPress introduced automatic update feature which by default updates your WordPress core for all the minor releases like maintenance and security updates.
By adding the below code in your wp-config.php file, you can enable automatic updates to all the major WordPress core updates.
// Enalbe all automatic updates
define( 'WP_AUTO_UPDATE_CORE', true );
18. Delete Unused Plugins and Themes
WordPress is pretty customizable and most of the credit goes to the all the free and premium plugins that offer the extra functionality.
Often times, you try different themes and plugins to find the right combination that works for your site. After that, you may just disable all the plugins and themes that aren’t needed anymore.
This is good and all but the unused plugins and themes in your WordPress site may stock up without your realizing.
When you look from the security point of view, there is no reason whatsoever to leave unused plugins and themes installed in your WordPress.
This is not only a security risk but these unused plugins and theme may clutter the database and also increases your disk space usage.
So, be a happy egg and make a habit of deleting any unused plugins and themes. After all, you can always reinstall them with just a few clicks.
19. Never, Ever Use Nulled Plugins and Themes
But, it is very tempting when you access sites which give your premium plugins and themes for free to install on your WordPress site.
Often, these kinds of resources are called as nulled plugins and themes.
The thing is, nobody gives a premium plugin or theme for free.
In most cases, these nulled plugins and themes are infected with malicious code that can effectively spread spam, hide malicious links, show eyebrow-raising ads, and/or create backdoors to your WordPress site.
So, don’t take the risk and you are better off “not” installing the nulled themes or plugins.
This is because even the genuine free themes may sometimes contain encoded code (base64) that can hide malicious links.
Moreover, the premium theme developers are quite quicker to resolve any issues with the theme security and they often provide better support to customize your theme according to your needs.
20. Have a Backup of Everything
The best defense is a good offense and creating daily and steady backups are the best thing you can do for your WordPress site.
Sure, these backups won’t stop your site from being compromised corrupted, but will surely help you to restore the site to a previous known good state.
Generally, you can create manual backup of your site, but that process is very inefficient and will be quite a hassle.
Just install one of them and make sure that you take daily backups.
Again, make use of these free or premium plugins and never neglect to create regular backups.
21. Always Use SFTP Instead of FTP
This seems pretty obvious, but considering that the regular FTP (File Transfer Protocol) has no encryption for your FTP account password, I can’t restrain myself from recommending.
So, depending on what your hosting provider supports, always use SFTP (Secure FTP) or FTPS (FTP over SSL) to transfer files to and forth.
That being said, even though the names FTP and SFTP are similar, SFTP is completely different from FTP. Know more about FTP from Wikipedia.
22. Keep Your Computer Clean and Virus-Free
This is one of the most over-looked thing’s while securing a WordPress site.
Keeping your computer clean and virus free is really important because the infected computers may leak confidential information like your account user ids and passwords.
This in turn leads to information theft, identity theft, and data loss.
So, don’t do anything crazy like clicking unknown links in email, installing pirated software, etc.., on your main productive machine.
To keep your computer free from viruses and other malicious infections, install a good antivirus and anti-malware software.
If you are a beginner, then all the above tips may seem pretty intimidating, if not nerve-wracking.
But the fact is that all most all the tips shared here to harden your WordPress security are very easy to follow and most of them are “set it and forget” configurations.
So, make sure you follow them and each and every tip you follow will make your WordPress site a little bit more secure and keeps you one step ahead of hackers and other unintended consequences.
That’s all for now and hopefully, the hardening tips will help to secure your WordPress site. If you find this article useful, then do share it with your friends.
If you think I’ve missed something, then do share it in the comments form below. That will help everyone using WordPress.