22 WordPress Security Tips – Best WordPress Hardening Guide

WordPress is one of the most popular choices for bloggers, businesses and anyone who wants to have a hassle-free blogging software with loads of features and support. Being a popular CMS (Content Management System), it is the most targeted platform for hackers. Even though the WordPress core is pretty well coded and secure, you can harden your WordPress installation even more by putting a little more effort towards the security and following the WordPress best practices.

So, how do you protect your WordPress installation?

Well, that’s easy. All you have to do is put more care towards managing your WordPress site. In case you are wondering, here are some of the best and must follow WordPress security tips. Think of the below WordPress security tips as a checklist and make sure that you follow them by all means.

Note: Some of the WordPress security tips discussed below may require you to edit WordPress files. So, make sure that you manually backup your site to cloud storage services like Dropbox or Google Drive.

1. Never Use “admin” as Username

This is one of the most recommended WordPress security tips. Always make sure that you never use “admin” as the username. Using a WordPress site with the username “admin” and not having a strong enough password is a deadly combination. In fact, this is one of the most common reasons behind many hacked WordPress sites. For this obvious security reason, WordPress itself stopped assigning “admin” as the username during installation.

If you already have a WordPress site with the user account named “admin,” then fixing it is pretty easy. Just create a new administrator account with a different username from the “Users > Add New” page, log in to your new administrator account and delete the user account named “admin.”

Delete default admin user account in WordPress.

Don’t worry, while deleting the user account named “admin,” WordPress lets you assign all the existing posts to the user account of your choice.

2. Use Strong Password

Using passwords like 123456, superman, your mobile number, date of birth, etc., is good because you can easily remember them, but so can your friends and foes. So, never use passwords that are obvious to guess and easy to brute-force. Having a good and strong password to protect any of your online or offline accounts is really important.

To create a strong password, always follow the rules below.

  • The password must be 12 characters or more.
  • The password must contain small and capital letters, numbers and special characters.
  • The password should not contain complete words.
  • The password should not contain any of your personal information.
  • You should not use the same password to secure any other account.
  • Finally, be creative.

If you think the password created using the above rules is too complex to remember or to enter in web forms, then use software like LastPass or KeePass. These apps let you securely manage all your passwords.

3. Only Use the Administrator Account When Needed

This is one of the most ignored WordPress security tips, but the thing is, you are not going to need the administrator access to your WordPress site every time. The best practice is to use the administrator account to do only the administrative tasks like updating WordPress plugins and themes, managing WordPress configurations, etc. You don’t need administrative privileges to edit or publish posts, to moderate comments, etc.

So, depending on your needs, create a new user account with Author or Editor user role and manage all the general tasks using that user account. You can know more about the Roles and Capabilities from the WordPress codex.

WordPress User Roles List

4. Block Access to WordPress Login Page

Using a strong password to protect your WordPress is good and all. But, you can increase your WordPress site security two-fold by simply blocking the access to your WordPress login page (wp-login.php) except for you and anyone approved by you. You can achieve this by limiting the access to selected IP addresses. This approach is particularly helpful to protect yourselves from the brute force attacks.

WordPress login page blocked by IP address.

To block access to the WordPress login page, open the .htaccess file in the root directory. Now copy and paste the below code on the top of the file. Don’t forget to replace “xx.xxx.xx.xxx” with your actual IP address. In case you are wondering, you can get your IP address details by simply asking Google.

# Limit access by IP address
# (Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat)
<Files wp-login.php>
        order deny,allow
        Deny from all

        # whitelist IP address one
        allow from xx.xxx.xx.xxx

        # whitelist IP Address two
        allow from xx.xxx.xx.xxx
</Files>

5. Limit Login Attempts

In some cases, you may not be able to implement the above method of blocking access to the WordPress login page because you have multiple backend users and/or the IP addresses are dynamic. In those cases, you need to limit the login attempts, i.e., after a predetermined number of failed attempts, the user or the IP address is locked out for a predetermined period of time.

In that time period, the user cannot log in even with a valid username and password. This simple precaution can save your WordPress site from brute force attacks and guesswork.

WordPress login page secured with Limit Login Attempts plugin.

To enforce a limit on the login attempts, you can use the plugin Limit Login Attempts. The best thing about the plugin is that you can configure the lockout rules as required using the respective settings page.
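The lockout behaviour described above, modelled as a small added example (not code from the Limit Login Attempts plugin). The threshold, window and lockout length are assumed values, and the events are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class LoginLimiter:
    """Lock a client out after max_failures failed logins inside `window` seconds."""
    max_failures: int = 4     # assumed threshold
    window: int = 600         # assumed counting window, seconds
    lockout: int = 1200       # assumed lockout length, seconds
    failures: dict = field(default_factory=dict)      # ip -> failure timestamps
    locked_until: dict = field(default_factory=dict)  # ip -> unlock time

    def attempt(self, ip, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if now < self.locked_until.get(ip, 0):
            return "locked"   # rejected before the credentials are even checked
        if password_ok:
            self.failures.pop(ip, None)   # a successful login clears the counter
            return "ok"
        recent = [t for t in self.failures.get(ip, []) if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
        return "failed"


# Constructed events: (time in seconds, client IP, was the password correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False),
    (5, "203.0.113.7", False),
    (9, "203.0.113.7", False),
    (12, "203.0.113.7", False),    # fourth failure, lockout starts
    (20, "203.0.113.7", True),     # correct password, still rejected
    (25, "198.51.100.4", True),    # a different client is unaffected
    (1300, "203.0.113.7", True),   # lockout ended at 12 + 1200 = 1212
]


def replay(events, limiter=None):
    """Feed events through a limiter and return the outcome of each attempt."""
    if limiter is None:
        limiter = LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```
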

6. Hide Login Error Message

Whenever there is a failed login attempt, WordPress displays an error message something like “The password for ‘username’ does not match.” If you read the error message clearly, WordPress is indirectly hinting that the username is correct.

The worst thing about this error message is that it lets the hacker know whether the username is correct or incorrect.

Remove WordPress login error message.

So, the good thing to do is to disable or hide the actual login error message. To do that, open your theme’s functions.php file, copy and paste the below code at the bottom of the file.

// Hide login message on WordPress login page
// (uses an anonymous function; create_function() was removed in PHP 8.0)
add_filter( 'login_errors', function ( $error ) { return null; } );

That’s all there is to do. From this point forward, the login error message is disabled.

7. Disable Directory Browsing

By design, when a web server has no default index file in a directory, it simply displays all the files and folders in that directory. This is called directory browsing, and it could be a big loophole in your WordPress security. Hackers can use it to gather sensitive information like the plugins used, vulnerable files, etc.

WordPress directory browsing.

To disable directory browsing, open the .htaccess file in the root directory, copy and paste the below code in it.

# Disable directory browsing
Options -Indexes

If you are uncomfortable editing the file, you can also disable directory browsing from cPanel.

8. Disable WordPress Editor

In WordPress, you can easily edit all your theme and plugin files using the built-in WordPress code editor. As useful as it is, a hacker can use it to edit theme and plugin files and add malicious code once he has access to your WordPress site. Moreover, when was the last time you used the built-in code editor to edit theme or plugin files? If you’ve ever used it, then you should just avoid that practice, for real.

WordPress plugin and theme editor.

To disable the WordPress Editor, open the wp-config.php file, copy the below code and paste it at the end of the file. That’s all there is to do. From this point forward, the built-in WordPress editor is no longer accessible.

// Disable WordPress Editor
define( 'DISALLOW_FILE_EDIT', true );

Don’t worry, even after disabling the WordPress editor, you can always edit the theme and plugin files through FTP.

9. Change WordPress Table Prefix

Whenever you install WordPress without changing the table prefix beforehand, it will be installed with the default table prefix. Oftentimes, this default table prefix could make your site vulnerable to automated or manual SQL injections.

So, in order to protect your site, you can change your default table prefix from wp_ to something random like wp_bs645t_.

Change WordPress Table Prefix - Default WordPress Table Prefix.

Changing WordPress table prefix isn’t anything hard. But if you don’t want to make your hands dirty, then using a plugin like Change DB Prefix can be helpful. This simple change makes your site a bit more secure from the hack attacks.

10. Protect “wp-config.php” File

If you are using WordPress for any span of time, then you will probably know that the wp-config.php file is one of the important files in your WordPress installation. This file holds all the important configuration information like the database username and password, table prefix, etc. So as a precaution, you need to protect this file at all costs.

To protect the wp-config.php file, copy and paste the below code snippet in the .htaccess file located in the root directory.

# Protect wp-config.php file
<Files wp-config.php>
   order allow,deny
   deny from all
</Files>

11. Protect “.htaccess” File

The Hypertext Access file (.htaccess file) is a directory-level configuration file, and it is also one of the important files in your WordPress installation. This simple file holds some of the important configurations that can affect the web server directly. Just like the wp-config.php file, you should also protect the .htaccess file. To protect the .htaccess file, simply copy the below code and paste it in your .htaccess file.

Quick tip: download all essential htaccess rulebook for WordPress.

# Protect htaccess file
<Files .htaccess>
   order allow,deny
   deny from all
</Files>

12. Protect readme.html and license.txt Files

Whenever you install or upgrade your WordPress site, WordPress automatically creates two files named readme.html and license.txt in the root directory. These files are not at all required by your WordPress site and may sometimes be used to gather your WordPress version information. To protect your WordPress site, you can just delete them, but the thing is, they will be created whenever you upgrade your WordPress site.

So, the best way is to protect these files from being accessed by the public. To protect the readme.html and license.txt files, simply copy the below code and paste it in your .htaccess file located in the root directory.

# Protect readme.html File
<Files readme.html>
    order allow,deny
    deny from all
</Files>

# Protect license.txt file
<Files license.txt>
    order allow,deny
    deny from all
</Files>

13. Protect install.php File

After installing WordPress, there is no need for the install.php file. In fact, if you open the URL http://example.com/wp-admin/install.php, you will see that WordPress gracefully informs you that you’ve already installed WordPress. Even though this doesn’t look like much, there are instances when the installation script tried to reinstall WordPress under certain circumstances.

WordPress informing WordPress is already installed.

So, blocking the file from being accessed by the public is a good thing to do. To do that, simply copy and paste the below code in your .htaccess file.

# Protect install.php
<Files install.php>
    order allow,deny
    deny from all
    Satisfy all
</Files>

14. Protect “wp-admin” Directory

For those of you who don’t know, wp-admin directory acts as the front end for the backend users like admins, editors, etc. Considering the importance of the directory, it is always a good thing to add an additional layer of security. This not only secures your WordPress installation from regular attacks but is also good at blocking brute force attacks.

Password Protect wp-admin folder.

To protect the wp-admin directory — download, install and configure the plugin AskApache Password Protect as per your needs. Don’t forget to choose a strong password to protect your wp-admin folder.

15. Protect “wp-includes” Directory

In case you don’t know, the wp-includes directory in your WordPress installation hosts all the core files and is only intended to be used by WordPress itself. That is, there is no need or should not be any need for any user to access the contents of the wp-includes folder.

So, in order to protect the wp-includes folder from being accessed by any user, copy and paste the below code at the bottom of the .htaccess file located in the root directory.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
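
To confirm that the .htaccess rules from tips 7 and 10 to 15 are actually taking effect on your own site, the following added example (not part of the original article) requests each protected path and reports any that is not answered with 403 Forbidden. The probe files wp-admin/includes/admin.php and wp-includes/version.php, the wp-content/uploads/ listing probe and the User-Agent string are assumptions chosen for illustration.

```python
import urllib.error
import urllib.request

# Paths that the rules in tips 10 to 15 are meant to close off.
MUST_BE_FORBIDDEN = [
    "wp-config.php", ".htaccess", "readme.html", "license.txt",
    "wp-admin/install.php",
    "wp-admin/includes/admin.php",   # assumed probe file for the wp-admin/includes/ rule
    "wp-includes/version.php",       # assumed probe file for the wp-includes/*.php rule
]
LISTING_PROBE = "wp-content/uploads/"   # assumed directory without an index file (tip 7)


def http_fetch(url):
    """Return (status, start of body) for a GET; HTTP error codes are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "hardening-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def audit(base_url, fetch=http_fetch):
    """Return (path, problem) for every hardening rule that is not taking effect."""
    base = base_url.rstrip("/") + "/"
    problems = []
    for path in MUST_BE_FORBIDDEN:
        status, _ = fetch(base + path)
        if status != 403:
            problems.append((path, f"expected 403, got {status}"))
    status, body = fetch(base + LISTING_PROBE)
    if status == 200 and "Index of /" in body:
        problems.append((LISTING_PROBE, "directory listing enabled"))
    return problems


if __name__ == "__main__":
    import sys
    for path, problem in audit(sys.argv[1]):
        print(f"{path}: {problem}")
```

Run it with the address of your own site as the only argument; an empty result means every checked rule answered as intended.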

16. Use Security Plugins

The WordPress plugin repository has a plethora of security plugins to secure your WordPress site from general exploits and harden WordPress security. Some of the best security plugins include iThemes Security, Wordfence, All In One WP Security and Firewall, Sucuri (free plugin), etc. Most of the plugins available in the WordPress repository are capable of acting at the WordPress level to filter traffic and protect your website.

In fact, almost all the tips shared here can be managed using the above plugins. So, install the plugin of your choice and harden your site. If you want to be more secure and carefree, then spending a few bucks on premium services like Sucuri is well worth it. Moreover, services like Sucuri can even help you recover your hacked website.

17. Always Stay Updated

Whether it’s WordPress core, themes or plugins, staying up to date is like winning half the war. For those of you who don’t know, bad guys generally target out-dated and vulnerable WordPress core, plugin and theme files. To close the security holes, developers release the security patches and fixes in the form of updates. So, always stay updated and safe.

If you don’t stay updated, you will always be an easy target for the hackers. The recent MailPoet incident is a good example.

Update plugins and themes.

If you think it is too much work to manage all the plugin and theme files, then consider using secure and managed hosting services like WP Engine and SiteGround or website security services like Sucuri who can monitor and protect your WordPress site from known and zero-day vulnerabilities.

Moreover, starting from version 3.7, WordPress introduced an automatic update feature which by default updates your WordPress core for all the minor releases like maintenance and security updates.

By adding the below code in your wp-config.php file, you can enable automatic updates to all the major WordPress core updates.

// Enable all automatic updates
define( 'WP_AUTO_UPDATE_CORE', true );

18. Delete Unused Plugins and Themes

WordPress is pretty customizable and most of the credit goes to all the free and premium plugins that offer the extra functionality. Oftentimes, you try different themes and plugins to find the right combination that works for your site. After that, you may just disable all the plugins and themes that aren’t needed anymore. This is good and all, but the unused plugins and themes in your WordPress site may pile up without you realizing it.

From a security point of view, there is no reason whatsoever to leave unused plugins and themes installed in your WordPress. They are not only a security risk; these unused plugins and themes may also clutter the database and increase your disk space usage.

Delete unused themes and plugins from WordPress.

So, be a happy egg and make a habit of deleting any unused plugins and themes. After all, you can always reinstall them with just a few clicks.

19. Never, Ever Use Nulled Plugins and Themes

Premium plugins and themes like OptinMonster, Genesis Framework, Gravity Forms, etc., are well worth their price. But, it is very tempting when you come across sites which give you premium plugins and themes for free to install on your WordPress site. Often, these kinds of resources are called nulled plugins and themes.

The thing is, nobody gives a premium plugin or theme for free.

In most cases, these nulled plugins and themes are infected with malicious code that can effectively spread spam, hide malicious links, show eyebrow-raising ads, and/or create backdoors to your WordPress site. So, don’t take the risk and you are better off “not” installing the nulled themes or plugins.

Malicious code in nulled WordPress themes and plugins

If possible, even avoid using free themes in favor of using premium themes like Genesis Framework or Elegant Themes. This is because even the genuine free themes may sometimes contain encoded code (base64) that can hide malicious links. Moreover, the premium theme developers are quicker to resolve any issues with the theme security and they often provide better support to customize your theme according to your needs.
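
Before activating a theme or plugin, you can scan its PHP files for the base64-encoded code mentioned above. This is an added example, not part of the original article: it flags common obfuscation calls, decodes long base64 string literals and reports any URL hidden inside them. The sample footer and the spam.example link are constructed.

```python
import base64
import re
from pathlib import Path

# PHP functions commonly chained together to hide injected code.
SUSPICIOUS_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
# Quoted string literals that look like base64 (40 or more characters).
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")
URL = re.compile(r"https?://[^\s'\"<>]+")


def scan_php_source(source):
    """Return (line, kind, detail) findings for the text of one PHP file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in SUSPICIOUS_CALLS.finditer(line):
            findings.append((lineno, "call", m.group(1).lower()))
        for m in B64_LITERAL.finditer(line):
            try:
                raw = base64.b64decode(m.group(1), validate=True)
            except ValueError:        # not valid base64 after all
                continue
            for url in URL.findall(raw.decode("utf-8", "replace")):
                findings.append((lineno, "hidden-url", url))
    return findings


def scan_tree(root):
    """Scan every .php file under root (for example an unpacked theme directory)."""
    report = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed sample: a footer.php that echoes a hidden spam link through eval().
HIDDEN_LINK = '<a href="http://spam.example/pills" style="display:none">cheap pills</a>'
PAYLOAD = base64.b64encode(("echo '" + HIDDEN_LINK + "';").encode()).decode()
SAMPLE_FOOTER = (
    "<?php\n"
    "// theme footer\n"
    "wp_footer();\n"
    "eval(base64_decode('" + PAYLOAD + "'));\n"
    "?>\n"
)

if __name__ == "__main__":
    for finding in scan_php_source(SAMPLE_FOOTER):
        print(finding)
```

A hit is a reason to read the file, not proof of infection: legitimate code also calls base64_decode for things like embedded images.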

20. Have a Backup of Everything

The best defense is a good offense, and creating daily and steady backups is the best thing you can do for your WordPress site. Sure, these backups won’t stop your site from being compromised or corrupted, but they will surely help you restore the site to a previous known good state. Needless to say, having reliable backups of your WordPress site including the database will give you peace of mind to concentrate more on developing your blog or website.

Generally, you can create a manual backup of your site, but that process is very inefficient and will be quite a hassle. So to automate the WordPress backup process, WordPress plugin repository has several free and popular backup plugins like BackWPup, UpDraftPlus, WP-DB-Backup, etc.

Just install one of them and make sure that you take daily backups.

Backup your WordPress site regularly with plugins like BackupBuddy, BackWPup, etc.

If you want premium support and more reliable features, then spending a few bucks on premium backup solutions like BackupBuddy or VaultPress can help you in many ways. Again, make use of these free or premium plugins and never neglect to create regular backups.

21. Always Use SFTP Instead of FTP

This seems pretty obvious, but considering that regular FTP (File Transfer Protocol) has no encryption for your FTP account password, I can’t restrain myself from recommending it. So, depending on what your hosting provider supports, always use SFTP (Secure FTP) or FTPS (FTP over SSL) to transfer files back and forth.

That being said, even though the names FTP and SFTP are similar, SFTP is completely different from FTP. Know more about FTP from Wikipedia.

22. Keep Your Computer Clean and Virus-Free

This is one of the most overlooked things while securing a WordPress site. Keeping your computer clean and virus-free is really important because infected computers may leak confidential information like your account user IDs and passwords. This, in turn, leads to information theft, identity theft, and data loss.

So, don’t do anything crazy like clicking unknown links in email, installing pirated software, etc., on your main productive machine. To keep your computer free from viruses and other malicious infections, install a good antivirus and anti-malware software.

Protect your computer from viruses and malware.


If you are a beginner, then all the above tips may seem pretty intimidating if not nerve-wracking. But the fact is that almost all the tips shared here to harden your WordPress security are very easy to follow and most of them are “set it and forget it” configurations. So, make sure you follow them; each and every tip you follow will make your WordPress site a little bit more secure and keep you one step ahead of hackers and other unintended consequences.

That’s all for now and hopefully, the hardening tips will help to secure your WordPress site. If you find this article useful, then do share it with your friends. If you think I’ve missed something, then do share it in the comments form below. That will help everyone using WordPress.
