Being used by one-third of the total websites, WordPress always manages to catch the eye of hackers. In recent years, the extent of attacks on WordPress is alarming and calls for action. Despite the attacks, WordPress Security is still a massively misunderstood and underappreciated concept. And, web owners find it more convenient to overlook it. 

This Blog Includes show

However, in the wake of these exploits, a lot of people are coming to terms with the need to upgrade their WordPress security standards. But they often find themselves at sea deciding what security practices are legit and what aren’t. Don’t worry! We have done the research for you. In this article, you are about to find the complete list of essential & actionable WordPress security measures for your site. Further, this list is independent of your tech-savviness and can be easily applied by anyone. 

Also, go through the below URLs if you are looking for

WordPress Security – Let’s Talk About Numbers

WordPress is maintained by a group of competent developers. Still, it remains the most viciously attacked CMS in the world. According to a study, more than 70% of WordPress websites are vulnerable to attacks. Moreover, the recent hacks on WordPress plugin like GDPR, WP Live chat have put thousands of websites on risk. Also, CVE details reveal that most of these attacks are of cross-site scripting.

As you can see in the graph, most WordPress sites have suffered XSS, followed by Code Execution. Additionally, another research unveils that 40% of all attacks are targeted at small and medium websites. So, people believing that only big websites get hacked get the answer.

Further, most of these attacks are a direct result of neglected WordPress security. According to Kinsta, 55% of hacked websites had outdated versions of plugins, themes or CMS.

Now, we already know that the consequences of a hack can be disastrous for a business. There are a whole lot of things that can go wrong. For instance, the attacker can meddle with your confidential & customer data. They can steal your credentials, misconfigure your website and whatnot. And if they get a hold of your financial/payment details you can be bankrupt too. Other hidden consequences of a hack may include, mistrust for your brand, loss of authority, domain value, etc. Furthermore, a hack can also result in a downfall of your site’s search rankings.

How to Harden WordPress Security

Building a worthy website requires time, effort and energy. But, all these efforts will turn to a fiasco if the security is not taken care of. Certainly, not paying due attention to WordPress security can have lasting aftereffects. 

Yet, protecting your website is much easier than you thought. So, if you diligently followed this list of WordPress security measures for your website, I guarantee that the risks will reduce to a bare minimum.

Website Vulnerability Scanner
Scan your website for 140+ security issues like header security, cookie security, CORS tests, HTTPS security etc.



1. Backup Regularly your WordPress website

Let’s face it – no one is hack-proof on the internet. So, the first thing to do for your WordPress website is proper risk management. This is to say, plan beforehand for a scenario like a hack. And, with good backups in store, you can confidently delete the hacked version and restore your website back to normal immediately. Clearly, in an event like a sudden hack, backups can save you from a complete debacle.

The motive of backup is to restore your website to its best working condition in case of a hack. Also, backups should be taken often and regularly. Now, the frequency could vary from daily to weekly to monthly depending on how often you update the website’s content.

Plus, make sure to take multiple backups (with time & date properly mentioned). Since a hack may remain hidden for days, in that case, you might need a backup dated way back.

Hence, to make your backups more functional, you should include the following files and folders in your backup:

1. The WordPress Files

2. The WordPress Database

The WordPress database stores crucial information like details of posts, pages, comments, tags, users, categories, custom fields, etc. Hence, it is extremely important to include this in the backup.

Verifying that the backup is functional is part of the process. In the end, make sure to test if the backup completes its motive and allows quick and full recovery of your working website.

Note – Maintain your backup against a date and time stamp.

a) Backup of the WordPress Database

For the WordPress database backup, use the MySQL command line. Otherwise, administrative interfaces like phpMyAdmin can also be used.

You can take backups manually, through cPanel, cloud, etc. We have covered a few methods here:

a) How to do Manual backup of WordPress

Follow these steps to take a backup manually –

Now, backing up manually can prove to be a tedious & time-consuming task. You have to monitor the download of each & every file carefully. Further, the management of backups is again a lot of work.

The one free alternative offering full backup capabilities that stand out of the list is BackWPup. You can skip all this, and use a WordPress plugin instead. Plugins like Updraftplus, Backupbuddy, etc automate the whole process of backing up and is super easy to use.

b) WordPress backup through cPanel 

Another option is to backup through Cpanel. Here is how you can do this:

c) Cloud Backup of your WordPress

Backing up on the cloud is the most convenient way for backing up a WordPress website. Various cloud services like Amazon S3, Dropbox, stash, etc simplifies the backup procedure.

2. Enhance Security by Updating CMS, Plugin & Themes to Latest Versions

After securing a backup plan, the easiest way to secure your website is to update. Every update, whether it for core CMS, or plugins or themes, comes with vulnerability patches & security amendments. Being quick with these updates can reduce risk incredibly. Even the top security experts believe that keeping your website up to date eliminates most of the risks.

But, a major update can sometimes break some functionalities of a website. Hence, it is good practice to take a backup beforehand. After that, put your website in the maintenance mode before initiating a major update.

 Moreover, the WordPress core has three different types of updates:

The minor releases are automatically updated by WordPress in the backend. So, it is only the major core releases that you have to take care of. Likewise, update the themes are plugins too.

Pro-Tip – You can use our WP Hardening Plugin to fix 12+ issues like (Stop User Enumeration, Disable XMLRPC, Hide Version No. & many more)

Again, there are two ways to update core, themes, and plugins – Manual & Automated. Both the methods have been explained below –

a) Manual

Core Update – Updating a WordPress website is pretty easy. Since WordPress automatically installs all the minor patches, you have to push the major version updates only. To do this,

Themes and Plugins Update – To update the themes and plugins, follow the following process,

b) Automated

Core Update – As discussed already, WordPress by default automates the minor security patches. However, you can override those changes by editing the wp-config.php file by adding or modifying the following statement – 

For the major updates, check the updates section in your WordPress backend and initiate updates if available.

Themes and Plugins Update – The themes and plugins can be updated automatically using filters. The best place to put a filter is in a must-use plugin. Also, WordPress doesn’t recommend putting filters in the wp-config.php file.  This is because putting filters in the wp-config.php can create conflict with other parts of the code.

To enable automatic updates for themes and plugins, add the following code

3. Update your PHP, to the latest version

Speaking of updates, there is another update that you need to take care of – the PHP version. PHP is the core programming language of WordPress. Certainly, updating it to its latest stable version will enhance your WordPress security.

Note: PHP version 7.0 and older do not have security support and are susceptible to known and unpatched vulnerabilities. Therefore, you must update to the latest PHP version i.e. 7.3.

Note: The PHP version 7.2 will no longer be supported after November 30, 2019.

Here is how you can update your PHP:

4. Remove defunct Plugins/themes

If you have not used a plugin for the longest time, you must get rid of it to secure your WordPress. This is because even though the plugin is no longer in use or is disabled, the files still exist. Further, these files might contain vulnerabilities unknown to you. Above all, attackers could exploit these vulnerabilities easily. Thus, delete the defunct plugins & themes.

Here is how you can do that:

5. Install a WordPress Firewall Plugin 

Need I say, that monitoring your website ceaselessly is humanly impossible? So, the best bet here is a Web Application Firewall. A firewall is a continuous monitoring system for your website. Most importantly, it detects and blocks malicious traffic from coming to your website. 

Although there are scores of firewalls to choose from, you should only go for the hacker-tested ones. Astra’s Firewall is a rock-solid solution. It will protect you in real-time against cyberattacks. Moreover, it works on your own server and requires no DNS change.

Related Blog – How Firewall can help you to secure your WordPress website

Here are the distinct features of the Astra firewall:

Speed and security are two desirable aspects of website security and a firewall improves both. Moreover, in this growing age of online threats and attacks, a firewall is a must.

6. Host your WordPress website on a secured server

The hosting server plays an important role in the security of your WordPress website. Choosing a host wisely can be a game-changer in WordPress security. While selecting a server you must consider the following:

7. Customize the login page to increase security against Brute-Force attacks

Protecting your login and admin pages is another way to secure your WordPress. Attackers can break into your website through brute-forcing if it is left unsecured. Now, brute-force attacks use the hit and trial method to guess the combination of username and password of your website at a freakingly high speed.

Set strong and unique usernames & passwords for each of these pages. Avoid using an obvious username like ‘admin’, your website’s name, your own name, a proper word that could be found in the dictionary. Same goes with the passwords, refrain from using ‘Password’, your own name, your website’s name, etc as your password.

8. Limit login attempts

Another way to protect your WordPress admin area from brute-force is to limit the number of login attempts on it. Plugins like Limit login attempts & Loginizer may come handy in this.

9. Set correct user roles

Not all users need to have all the privileges in your WordPress. You can distribute the required roles for each user according to their responsibilities on the website. You can better control and monitor who does what on your website with these roles. By default, WordPress defines six roles namely, in the descending order of their powers – Super administrator, administrator, Editor, Author, Contributor, and Subscriber.

 You can use the predefined set of user roles or can create custom roles as per your needs. The predefined can be assigned from the dashboard itself, whereas for custom roles a plugin would be needed. The User Roles Editor plugin is best suited for this.

 Here is how you can define custom user roles with this plugin:

10. Protect wp-config File

 wp-config.php contains the configuration details of your WordPress website. Any absurd compromisation in this file can break your website completely. Hence, the wp-config file should be handled with extra care and must be secured with utmost urgency. Further, it also stores sensitive information about WordPress database credentials.

Some ways to secure the wp-config file are:

11. Restrict Access To wp-admin

The wp-admin is the administrator area of your website. It can be said that it is the controller of your website. Hackers constantly try to brute-force it to hijack the whole website. This makes it vital to secure the wp-admin area to tighten your WordPress security. You can secure your wp-admin area as follows:

Restricting access and allowing only selected IP addresses to your admin page is one way to secure it. This way, any unknown IP automatically gets blocked. In your wp-admin folder, create a .htaccess file and paste the following code there:

Usually, there is a Register link on your WordPress login page. Disable this Registration form to discourage access to wp-admin. 

 12. Update WordPress security keys

Secret security keys ensure the security of cookies in your WordPress website. You must set up security keys to discourage any stealing of cookies and impersonation of users. After you have set the secret security keys, it will nullify all the current sessions and will require the user to re-authenticate. Above all, the administrator must change the security keys if there is any compromisation to them or even suspicion of compromisation.

You can generate secret keys both manually as well as with the help of an online key generator. WordPress also has its official secret key generator. Generate keys from here and paste these keys in the wp-config file and you are good to go.

13. Create a unique database prefix

WordPress database is the area where important information/data regarding the website and users sits. Quite obviously, this makes it a desired target. By default, the wpdb contains 11 tables which include tables for – users data, site URLs, posts, pages, comments, etc.

Further, all these tables have the universally known default prefix wp_ before them. The names of these tables are also commonly known. In case of improper validation and sanitization rules for query insertion, a hacker can run SQL commands to fetch data from a known database table.

In order to secure the database, you must change the database prefix to something else. Moreover, changing the database prefix at the time of installation is the ideal way. However, if you haven’t changed it then, you can also change it by SQL command or with the help of a plugin. Both of these methods are depicted below:

a) Manual

Like mentioned earlier, database prefix can be changed with the help of SQL command. By running a series of commands. For the detailed instruction and procedure follow this link.

b) Automated

There are several plugins on WordPress that help in automating this whole process of prefix change. One such free plugin is the change table prefix plugin.

14. Additional authentication factors for WordPress admin security

To secure your website, even more, the two-factor authentication is a smart tool. This tool ensures the true identity of a user on your website by requiring more than a password to log in. This way, it prohibits any fake, unauthenticated user to access it, even if they happened to guess your password. The two-factor authentication plugin is a great way to apply this security on your website.

15. Setup automatic logout plugin

Not all users on your WordPress are careful and vigilant enough to logout after each session completion. The stealing of cookies and session hijacking also makes for major attack vectors on WordPress. You must set an automatic logout so that all the idle customers are logged out of the website.

16. Strengthen your passwords to harden WordPress security

It may look too obvious a security measure, but even then many neglect this. Always opt for unique and strong passwords for your WordPress accounts. Also, refrain from using the word password, admin and proper words from the dictionary as your passwords. Make sure that your password is a combination of letters(upper and lower case), numbers and special characters.

17. SSL data encryption 

Having an SSL( Secure Socket Layer) certificate for your website’s domain adds to its authority and security. It encrypts the data transfer between the user and the server. Since Google rankings started getting affected by HTTPS, a lot of authorization companies sprouted. However, not all of these are deemed authoritative by Google. Hence, you must get the SSL certificate from a verified and trusted source.

Further, not redirecting all of your web pages to HTTPS can also have adverse effects on your website. Having both HTTP and HTTPS pages on a website is known as MIxed Content. Now, Google regularly flags websites for mixed content. Thus, make sure to redirect all your pages to HTTPS.

18. Control Comments

WordPress is infamous for pervasive spammy comments. Hence, you must review carefully comments before allowing them on your website. Moreover, you can either disable it altogether or add several conditions to block spam. This requires manual effort. You can also choose a plugin like Askimet to do the job.

19. Set Strict Files  & Folder Permissions in WordPress

You can achieve another WordPress security milestone by setting stricter files and folder permissions. The recommended file/folder permissions for different files/folders are:

20. Hide the WordPress version number to protect WordPress from known vulnerabilities

Known vulnerabilities in different WordPress versions are easily available on the internet. These databases serve as a treasure for hackers. They use bots/botnets to hunt for WordPress websites with these outdated versions. Once a bot reaches your website, the first thing it looks for its version number and the listed vulnerability in it. When they do find one such website, they exploit the vulnerability.

 You can protect your website from these attacks by simply hiding your WordPress version number.

Hide the WordPress version number from Generator meta tag,

remove_action('wp_head', 'wp_generator');

Hide the WordPress version number from the default RSS feeds as follows




There are plugins available which hide the WordPress version number, we recommend using the Meta Generator and Version Info Remover plugin.

21. Disable PHP execution when not needed

While WordPress automatically runs PHP file execution for all directories of the website, it’s best that you disable it for such directories as /wp-content/uploads/. You’ll be able to do this using FTP access. Here is how:

22.  Improve hardware protection

It’s only logical to protect the hardware you are accessing your website with. A non-secured PC with security vulnerabilities serves as a way for hackers to enter your website. Ensure that your gadget is well-protected by a firewall and anti-virus software installed. This will not only block WordPress attacks but also any coming online security threats.

Like in the case a website, defunct plugins are a problem, similarly obsolete & defunct applications are an invitation to the threat too. Thus, remove all unnecessary/obsolete applications from your device.

Most applications ask for different permissions right after you install them. As a thumb rule, try giving the least privileges to them.

23. Disable script injections

Disallow script injections to prevent hackers from injecting malicious code into existing PHP documents. You can disable the script injections by adding the following code:

24.  Download plugins from reputable sources

Not all plugins have dedicated developers behind them. A lot of plugins on WordPress aren’t even maintained that often. So, before opting for any random plugin by a third party you must consider the following points:

25. Scan WordPress for malware & backdoors regularly

Monitoring your website is equally important than securing it. Having a proactive malware scanner that scans your website periodically is crucial for WordPress security. Scanning your site every once in a while for viruses and malware lets you be updated with the well-being of your website.

Astra’s machine-learning powered malware scanner is a perfect fit for this. Other scanners include:

By scanning the website, you’ll be able to detect the risk of security breaches instead of having to deal with actual attacks as they happen.

26. WordPress Security Audit

You applied every security measure on your site, however, even then it needs regular maintenance. A premium security audit can greatly help you here. Every now and then your website needs to be checked for new vulnerabilities and broken security.

Astra’s Vulnerability Assessment and Penetration testing program has engineers look into your website for possible vulnerabilities. In a security audit like this, your source code, plugins, and themes are thoroughly audited. It also uncovers loopholes and backdoors in your website.


The WordPress security measures listed in this guide here are security gospels. You must persevere to apply and maintain these on your WordPress site for enhanced security. These WordPress security tips will ensure that your website remains protected from online threats.

Not a fan of reading? Learn WordPress security with videos.

Join our FREE wordPress security course.
An increasing community of 4500+ members

Found this article helpful? Share it with your friends

Was this post helpful?

This content was originally published here.