
WordPress Security Best Practices: Essentials Every Website Owner Should Know

WordPress powers roughly 40% of the web, making it a high-value target for attackers. Implementing WordPress security best practices is not a one-time task — it’s an ongoing process that balances usability, performance, and risk mitigation. This article walks you through practical, prioritized steps you can take right now to dramatically reduce your exposure to common threats while keeping your site stable and performant.

Why WordPress Security Best Practices Matter

  • High adoption = high target surface: Plugins, themes, and outdated core files are common entry points.
  • Reputation and SEO risk: Malware or blacklisting can destroy traffic and rankings.
  • Legal and business risk: Data breaches can result in regulatory penalties and client trust erosion.

Core Principles to Follow

  1. Keep the attack surface small
    Remove unused plugins/themes, disable features you don’t need, and refuse to run code you don’t control.
  2. Apply least privilege
    Give users and system accounts only the permissions they actually need.
  3. Assume compromise and prepare to recover
    Automate backups, monitor changes, and test restores so you can recover quickly.

Actionable WordPress Security Best Practices

  • Choose secure hosting
    Use a reputable host that specializes in WordPress-managed hosting or provides hardened LAMP/LEMP stacks, automatic core updates, server-level caching, malware scanning, and daily backups.
    Ensure the host supports recent PHP versions (PHP 8.x), HTTP/2/3, and has a web application firewall (WAF) or easy Cloudflare integration.
  • Keep WordPress, themes, and plugins updated
    – Core: Keep automatic minor (security and maintenance) updates enabled. WordPress turns them on by default and they rarely break sites, so check that no plugin or wp-config.php constant has disabled them. Consider automatic major updates for non-critical sites, or test major updates in staging first.
    – Plugins/Themes: Update promptly. Remove unused or abandoned plugins/themes.
    – Example: Use a staging environment to test plugin/theme updates before pushing to production.
  • Strong authentication and access control
    Use strong, unique passwords and a password manager for all accounts.
    Enforce two-factor authentication (2FA) for admin accounts (TOTP apps or WebAuthn).
    Limit login attempts and consider reCAPTCHA on login forms.
    Avoid “admin” as a username. WordPress does not let you rename an existing user from the dashboard, so create a new administrator with a unique username, log in as that user, then delete the old account and reassign its content to the new one.
    Several security plugins on WordPress.org provide 2FA and login rate limiting; pick one that is actively maintained rather than stacking several overlapping ones.
  • Secure wp-config.php and database
    Move wp-config.php one folder above the WordPress root if your host allows it. WordPress looks exactly one level up, and the move only helps when that parent directory is outside the document root; if WordPress lives in a subdirectory of your web root, the parent is still web-accessible and nothing is gained.
    Set secure keys and salts via the WordPress.org secret-key service and add them to wp-config.php:
    Generate: https://api.wordpress.org/secret-key/1.1/salt/
    Disable file editing inside the dashboard:
    Add to wp-config.php: define('DISALLOW_FILE_EDIT', true);
    Protect wp-config.php file permissions: chmod 600 wp-config.php. This assumes PHP runs as the file owner (as with a per-site PHP-FPM pool); if PHP runs as a different user in the same group, use 640 instead.
    Use a strong database user password and grant only the privileges WordPress needs on its own database (SELECT, INSERT, UPDATE, DELETE; CREATE, ALTER, DROP and INDEX are required for core and plugin updates). Never use root or a user with privileges on other databases, and test updates after tightening the grants.
  • File and directory permissions
    Recommended baseline:
    – Directories: 755
    – Files: 644
    – wp-config.php: 600 (or 640)
    – Ensure files are owned by the correct user/group (often your SSH user and the webserver group). Avoid making files world-writable.
  • Harden .htaccess / webserver configuration
    – Block access to sensitive files
    – Disable directory browsing
    – Protect wp-config.php
    – Disable xmlrpc.php if not needed
  • Disable or protect XML-RPC and REST where appropriate
    – If you do not use Jetpack, remote publishing, or a mobile app that needs XML-RPC, block xmlrpc.php: its system.multicall method lets an attacker try many passwords in a single request, and pingbacks can be abused for amplification.
    – The REST API is public by default and some routes leak reconnaissance data (for example /wp-json/wp/v2/users lists author usernames, which feeds password guessing). Use the rest_authentication_errors filter to require authentication for routes you do not need anonymously rather than disabling the API outright, since the block editor and many plugins depend on it.
  • Backup and recovery strategy
    – Follow 3-2-1 rule: 3 copies, on 2 different media, 1 offsite.
    – Automate daily backups (files + database) and keep multiple historical copies.
    – Test restores regularly (a backup that can’t be restored is useless).
    – Use incremental backups for large sites to reduce overhead.
  • Web Application Firewall (WAF) and malware scanning
    – Use a WAF (Cloudflare, Sucuri, or host-level) to block common attack patterns.
    – Use malware scanners and file-integrity monitoring to alert on unexpected changes.
    – Monitor Google Search Console for security warnings and act fast on any notices.
  • Monitoring, logging, and alerting
    – Enable server and application logs; forward them to a centralized system if possible.
    – Enable file-change monitoring (plugins or server-level tools).
    – Monitor uptime and unusual traffic spikes.
  • Protect /wp-admin and wp-login.php
    Limit access to /wp-admin by IP where practical (e.g., via .htaccess or Nginx allow/deny).
    Use HTTP Basic authentication on /wp-admin as an additional layer, but exempt admin-ajax.php (and admin-post.php), or front-end features that call them for logged-out visitors will break, and serve it only over HTTPS, since Basic Auth sends the credentials with every request.
    Move login URL with caution — it increases obscurity but is not a true security layer.
  • Database prefix and other small hardening steps
    – Changing the default table prefix (from wp_ to something unique) can reduce some automated script impacts, though it’s not a strong defense.
    – Hide the WordPress version (the generator meta tag, readme.html, and the ?ver= query strings on assets). This only slows casual fingerprinting; updating is what actually removes a known vulnerability.

Examples and Quick Implementations

Example: disable file edits and keep minor core updates automatic in wp-config.php
define('DISALLOW_FILE_EDIT', true);
define('WP_AUTO_UPDATE_CORE', 'minor');      // minor/security releases only; true would also auto-apply major releases
define('AUTOMATIC_UPDATER_DISABLED', false); // false is the default; true would switch off all automatic updates
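
The script below is an added example, not code from the article or its author: it automates the permission baseline and the wp-config.php checks from the “Secure wp-config.php and database” and “File and directory permissions” sections above. It assumes a Linux host with GNU find and sed and a standard layout with wp-config.php in the WordPress root; the function names (wp_config_get, wp_harden_perms, wp_perm_findings, wp_config_audit) and the site paths are placeholders of my own.

```shell
#!/bin/sh
# Added example (not from the article): apply the article's permission baseline
# and audit wp-config.php for the settings it recommends. Assumes Linux with GNU
# find and sed and wp-config.php in the WordPress root; paths are placeholders.

# Print the value of a define('KEY', value) line from wp-config.php, with the
# surrounding quotes and whitespace stripped (assumes one define per line).
wp_config_get() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*\));.*/\1/p" "$1" \
    | sed "s/[[:space:]]*\$//; s/^['\"]//; s/['\"]\$//" | head -n 1
}

# Baseline from the article: directories 755, files 644, wp-config.php 600.
wp_harden_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Report world-writable paths and PHP files inside uploads (which must never be
# executable). Prints one "kind path" line per finding; returns 1 if any.
wp_perm_findings() {
  root=$1
  out=$( {
    find "$root" -perm -0002 -exec printf 'world-writable %s\n' {} +
    if [ -d "$root/wp-content/uploads" ]; then
      find "$root/wp-content/uploads" -type f -name '*.php' \
        -exec printf 'php-in-uploads %s\n' {} +
    fi
  } | LC_ALL=C sort )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Audit wp-config.php: file editing disabled, no placeholder salts, no root DB
# user, not world-readable. Prints one finding per line; returns 1 if any.
wp_config_audit() {
  cfg=$1
  n=0
  if [ "$(wp_config_get "$cfg" DISALLOW_FILE_EDIT)" != "true" ]; then
    echo "file-edit-allowed"; n=$((n + 1))
  fi
  if [ "$(wp_config_get "$cfg" DB_USER)" = "root" ]; then
    echo "db-user-root"; n=$((n + 1))
  fi
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    case "$(wp_config_get "$cfg" "$k")" in
      ""|*"put your unique phrase here"*) echo "placeholder-salt $k"; n=$((n + 1)) ;;
    esac
  done
  if [ -n "$(find "$cfg" -perm -0004)" ]; then
    echo "world-readable"; n=$((n + 1))
  fi
  [ "$n" -eq 0 ]
}

# Usage on a real site (run as the site owner):  sh harden.sh /var/www/example.com
if [ -n "${1:-}" ]; then
  wp_harden_perms "$1"
  wp_perm_findings "$1" || true
  wp_config_audit "$1/wp-config.php" || true
fi
```

Run the audit from cron and alert on a non-zero exit; the placeholder-salt check catches the “put your unique phrase here” strings that a fresh wp-config-sample.php ships with, and the world-readable check fails the 640 case too, so relax it if your PHP user relies on group read.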

Example: .htaccess to block XML-RPC and directory listing (Apache 2.4+)
# Prevent directory browsing
Options -Indexes
# Block xmlrpc.php (Apache 2.4 "Require" syntax; AllowOverride must permit it)
<Files xmlrpc.php>
Require all denied
</Files>
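
The script below is an added example, not code from the article or its author: it implements the “Backup and recovery strategy” section above as a cron job that archives the site, optionally dumps the database, proves the archive restores, and keeps a bounded history. It assumes a Linux host with GNU tar and gzip and, for the optional dump, mysqldump reading credentials from wp-config.php; the function names and all paths are placeholders of my own.

```shell
#!/bin/sh
# Added example (not from the article): a minimal backup job for the
# "automate daily backups, keep history, test restores" advice above. Assumes
# Linux with GNU tar/gzip and, for the optional database dump, mysqldump with
# credentials read from wp-config.php. All paths are placeholders.

# Print the value of a define('KEY', value) line from wp-config.php.
wp_config_get() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*\(.*\));.*/\1/p" "$1" \
    | sed "s/[[:space:]]*\$//; s/^['\"]//; s/['\"]\$//" | head -n 1
}

# Archive the site tree (and, with WP_BACKUP_DB=1, dump the database) into $2.
# Prints the path of the file archive; returns 1 on any failure.
wp_backup() {
  root=$1; dest=$2
  ts=$(date -u +%Y%m%dT%H%M%SZ)
  mkdir -p "$dest"
  archive="$dest/wp-files-$ts.tar.gz"
  tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")" || return 1
  if [ "${WP_BACKUP_DB:-0}" = "1" ]; then
    cfg="$root/wp-config.php"
    # Never pass the DB password on the command line (visible in ps); use a
    # 0600 option file instead. A DB_HOST of the form host:port is not split here.
    creds=$(mktemp); chmod 600 "$creds"
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
      "$(wp_config_get "$cfg" DB_USER)" "$(wp_config_get "$cfg" DB_PASSWORD)" \
      "$(wp_config_get "$cfg" DB_HOST)" > "$creds"
    mysqldump --defaults-extra-file="$creds" --single-transaction --quick \
      "$(wp_config_get "$cfg" DB_NAME)" > "$dest/wp-db-$ts.sql" \
      && gzip -f "$dest/wp-db-$ts.sql"
    status=$?
    rm -f "$creds"
    [ "$status" -eq 0 ] || return 1
  fi
  printf '%s\n' "$archive"
}

# Restore the archive into a scratch directory and compare it with a reference
# tree; a backup that has never been restored is not a backup. Returns 1 on mismatch.
wp_verify_backup() {
  archive=$1; ref=$2
  scratch=$(mktemp -d)
  status=0
  tar -xzf "$archive" -C "$scratch" || status=1
  restored="$scratch/$(basename "$ref")"
  [ -f "$restored/wp-config.php" ] || status=1
  diff -r "$ref" "$restored" > /dev/null 2>&1 || status=1
  rm -rf "$scratch"
  return "$status"
}

# Keep only the newest $2 file archives and DB dumps in $1. Names embed a UTC
# timestamp, so a reverse name sort lists newest first.
wp_prune_backups() {
  dest=$1; keep=$2
  for kind in 'wp-files-*.tar.gz' 'wp-db-*.sql.gz'; do
    ls -1 "$dest"/$kind 2> /dev/null | LC_ALL=C sort -r | tail -n "+$((keep + 1))" \
      | while IFS= read -r old; do rm -f -- "$old"; done
  done
}

# Usage (daily from cron; copy $2 offsite afterwards to satisfy 3-2-1):
#   WP_BACKUP_DB=1 sh backup.sh /var/www/example.com /var/backups/example.com
if [ -n "${2:-}" ]; then
  a=$(wp_backup "$1" "$2") || exit 1
  wp_verify_backup "$a" "$1" || { echo "restore test FAILED for $a" >&2; exit 1; }
  wp_prune_backups "$2" 14
fi
```

The verify step is the point of the script: it fails the job when the archive does not extract or no longer matches the live tree, which is exactly the failure you want to hear about before you need the backup. The on-box copies are only one of the three copies; replicate the destination directory to separate storage (object storage, another host) to satisfy the “offsite” part of 3-2-1.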

Example: Nginx snippet to block xmlrpc.php and disallow PHP in uploads

# Exact-match location: takes priority over any regex location regardless of order
location = /xmlrpc.php {
    return 403;
}

# Must appear BEFORE the generic "location ~ \.php$" block: nginx uses the
# first regex location that matches, so this one has to be seen first
location ~* ^/wp-content/uploads/.*\.php$ {
    return 403;
}

Post-Incident Response: If You’re Hacked

  • Isolate: Take the site offline or switch to maintenance mode if necessary.
  • Identify: Scan for malware and check modified files, cron jobs, and users.
  • Restore: If you have a clean backup, restore and update everything immediately.
  • Change passwords & secrets: Rotate all passwords, API keys, and the wp-config.php salts (new salts invalidate every existing login cookie, including the attacker’s).
  • Post-mortem: Identify the entry point and close it; test backups and hardening.
  • Notify: If user data was compromised, follow legal and communication obligations.
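
The script below is an added example, not code from the article or its author: it supports the “Identify” step above by listing recently changed PHP files and PHP files that contain the call patterns injected backdoors commonly use, and it shows where to look for cron entries and administrator accounts. It assumes a Linux host with GNU find and grep, optionally WP-CLI; the function names, patterns and paths are placeholders of my own, and the sample files in the usage test are constructed.

```shell
#!/bin/sh
# Added example (not from the article): triage helpers for the "Identify" step
# above. They list PHP files changed recently and PHP files containing the call
# patterns injected backdoors typically use. Assumes Linux with GNU find/grep;
# paths are placeholders. Hits are leads to inspect by hand, not verdicts:
# WordPress core and legitimate plugins also call some of these functions.

# PHP files modified within the last $2 days (default 7), sorted by path.
wp_recent_php() {
  root=$1; days=${2:-7}
  find "$root" -type f -name '*.php' -mtime "-$days" | LC_ALL=C sort
}

# Print "dangerous-call PATH" for PHP files calling eval/assert/base64_decode/
# shell_exec/... and "long-base64 PATH" for files carrying a 200+ character
# base64 blob (a typical packed payload). Returns 1 if anything was flagged.
wp_suspicious_php() {
  root=$1
  calls='\b(eval|assert|create_function|base64_decode|gzinflate|gzuncompress|str_rot13|shell_exec|passthru|proc_open|popen|system)[[:space:]]*\('
  blob='[A-Za-z0-9+/=]{200,}'
  out=$( {
    find "$root" -type f -name '*.php' -exec grep -lE "$calls" {} + 2> /dev/null \
      | sed 's/^/dangerous-call /'
    find "$root" -type f -name '*.php' -exec grep -lE "$blob" {} + 2> /dev/null \
      | sed 's/^/long-base64 /'
  } | LC_ALL=C sort )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Usage:  sh triage.sh /var/www/example.com [days]
if [ -n "${1:-}" ]; then
  echo "== PHP files changed in the last ${2:-7} days"; wp_recent_php "$1" "${2:-7}"
  echo "== Suspicious PHP"; wp_suspicious_php "$1" || true
  echo "== Cron entries for this user"; crontab -l 2> /dev/null || true
  # Administrator accounts, when WP-CLI is installed (run as the site user):
  if command -v wp > /dev/null 2>&1; then
    wp --path="$1" user list --role=administrator --fields=ID,user_login,user_email,user_registered
  fi
fi
```

Correlate the two lists: a file that is both recently changed and flagged, or any PHP file under wp-content/uploads, goes to the top of the review queue. Attackers also reset mtimes to blend in, so treat the recency list as a convenience and the integrity manifest from the monitoring section as the authoritative record.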

Recommended Tools and Plugins (Non-exhaustive)

  • Backups: UpdraftPlus, BlogVault, or host-provided backups (ensure offsite copies).
  • 2FA and access control: Authenticator-based plugins or SSO where appropriate.
  • WAF/Malware: Sucuri, Cloudflare, or built-in host WAFs.
  • Hardening and auditing: Security plugins can help (use reputable ones), but don’t rely on a single plugin for everything.

WordPress Security Best Practices Checklist

  • Hosting: secure, up-to-date, WAF/backups available
  • Core/plugin/theme: updated and unused items removed
  • Backups: automated, offsite, tested
  • Authentication: strong passwords, 2FA enabled, admin username changed
  • File permissions: directories 755, files 644, wp-config.php 600
  • TLS: HTTPS enforced site-wide and HSTS enabled
  • File editing disabled in dashboard
  • XML-RPC and REST: restricted if not used
  • Monitor: file integrity, logs, uptime, Google Search Console
  • WAF and malware scanning enabled

Conclusion


Implementing WordPress security best practices is a mixture of preventative hygiene (updates, permissions, backups) and active monitoring (WAFs, scans, logs). The most effective defenses are simple: keep software updated, restrict access, automate off-site backups, and test restores. For business-critical sites, combine secure hosting, a WAF, and a robust incident response plan. Apply the steps outlined here as a prioritized roadmap—start with hosting, updates, backups, and authentication—then iterate through the remaining hardening measures.

Michał Mikołaszek


I’ve been leading Grafiduo since 2010 as the CEO. Together with my development team, I create e-commerce solutions, websites, and digital designs that combine functionality with aesthetics. I focus mainly on WordPress, WooCommerce, and Prestashop, helping businesses grow through well-crafted online experiences.
