Let’s create something better together.

If you prefer phones, we have one of those too: +1 919 694 8000

    • Project Info
    • Technology
    • Contact Details



      How to Secure Your WordPress Site (10 Security Tips)

      WordPress is by far the leading cms for building websites. Depending on which statistics you want to look at it powers anywhere from 30% to 60% of the websites across the whole internet. With such a dominant and widely used platform, it brings its own share of challenges. Hackers try to look for vulnerabilities in WordPress and then use the scripts to hack all the WordPress sites. The number of WordPress sites hacked is on growing.

      The main reason of hacking WordPress website is its core system. Here we would like to make it clear that WordPress website is built with 3 different parts.

      1) Core of WordPress Library files
      2) Plugins
      3) Themes

      In this article we have shared some basics on how you can secure your WordPress website.

      There are many security plugins available in the marketplace which can help, but with plugins, we need to take few additional steps which will help us to prevent from hacking.

      Checklist on how to secure the website.

      Every once in a while, WordPress Core, Plugins & Theme releases updates that are important for security reason. Please keep everything updated:
      WordPress Core, Plugins & Theme Updates

      We should be very careful about the new updates. For Automatic updates of WordPress, use below option in wp-config.php

      define('WP_AUTO_UPDATE_CORE', true);
      add_filter( 'auto_update_plugin', '__return_true' );
      add_filter( 'auto_update_theme', '__return_true' );

      Disable Error Reporting for Core System :
      Disable Error Reporting For Core System

      Whenever there is an error on the site, WordPress displays a message in front-end. This message may contain the path to the problematic file. Hackers can find & use this information to understand the function of your server and attack your site. It’s a good practice to disable it by adding or updating below line in wp-config.php file

      define( 'WP_DEBUG', false);

      For WordPress Security, Permission of files & directory plays an important role. So, it’s always recommended using 755 permission for directory and 644 for files to protect your website.
      WordPress Security, Permission of files & directory

      You can use below command to change all recursive directory permission by terminal:

      find . -type d -exec chmod 755 {} \; # Change directory permissions rwxr-xr-x
      You can use below command to change all files permission by terminal:
      find . -type f -exec chmod 644 {} \; # Change file permissions rw-r--r--

      Prevent PHP Execution

      Some themes and plugins include features that allow users to upload files. However, this feature can be exploited to upload malicious code for site-hijacking. When WordPress access these uploaded files, the code is executed, and site gets damaged or compromised. To prevent from such hacking, you can add .htaccess file in uploads directory with below code, that will lock down PHP execution in uploads.
      deny from all

      Change The WordPress Database Table Prefix

      While installing WordPress you can change database table prefix at the same time with a random string-digit strong combination.

      If hackers find a security vulnerability, then it allows them to write suspicious code into the site database. Default Table Prefix would be an easy give away. By default, WordPress uses “wp_” as a prefix for all database tables, so it’s easy for hackers to guess. It’s a good practice to change the database prefix that will help to prevent the database access from hackers.

      Do Not Use Admin As Username

      With the release of WordPress version 3.xx (if you’re still using older version of WordPress, it’s time to upgrade), it became possible to change the default “admin” username to custom during the WordPress installation. But many people still use the default “admin” username and becomes the victim of WordPress brute force attacks.

      Use Strong Password

      Don’t simple password as a sequence of number or qwerty, coz hackers can easily crack this type of password and get access to your website. Also, password should not be the name of someone, like your name or your pet’s name or any directory word. A strong password should include both upper and lower case letters with numbers and special characters such as !, $, ?, ( etc.

      WordPress Malware Scan

      Generally, all hosting companies provide malware scanner add-ons, which helps to scan files regularly and detect the virus and remove. You should use security plugins which provides malware scan functionality, so if any infected file(s) are detected immediate action can be taken.

      Do Not Login Via A Public WiFi

      Don’t login to your website or hosting via public WiFi or internet cafe. It can be easily tracked by hackers and your site can be hacked. It’s recommended, to avoid logging into WordPress through an unsecured internet connection or network.
      Do Not Login Via A Public WiFi

      Always use File Transfer Protocol Secure (FTPS) instead of FTP which is unsecured to prevent your connection from being controlled or monitored. Alternatively, you can use SSH File Transfer Protocol (SFTP) instead of FTP because it’s more secure.

      Apart from the security plugins offered by hosting company, you can add additional layer of security by adding plugins on the website. These plugin(s) works itself so you can easily use this even you are non-technical.

      Here are few security plugins we’ve used extensively:

      1. Word fence Security – Firewall & Malware Scan
      Word fence Security – Firewall & Malware Scan

      Link : https://wordpress.org/plugins/wordfence/
      Active installations: 2+ million

      2. Sucuri Security – Auditing, Malware Scanner and Security Hardening
      Sucuri Security - cmsMinds

      Link : https://wordpress.org/plugins/sucuri-scanner/
      Active installations: 400,000+

      3. All In One WP Security & Firewall
      Secure WordPress Site

      Link : https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/
      Active installations: 700,000+


      We’re not reseller or partners with any of the plugins that we’ve suggested here. This is what we’ve used on different projects and we had a good experience with them. We don’t receive any affiliated fees or compensation by suggesting them.


      Always stay updated with WordPress core, Plugins & Themes, which will help you to prevent from hacking.

      Hope this article will help secure your website.

      cmsMinds is based in the heart of RTP, NC (Raleigh, Durham, Chapel Hill) and works on Drupal and WordPress websites. With an expert WordPress team, we can assist in making your website more secure. If you just need an audit report to ensure everything is set up correctly, please connect with one of our team members.

      As always, we would like to hear from you, if you have any comments or any new ideas on this article.

      We are recognized as a top New Jersey Web Design Agency on DesignRush

      Author's Bio

      Bharat Gohel
      Bharat Gohel

      With a rich background that spans over four years in managing WordPress projects alongside a steadfast dedication to QA, Bharat brings a unique blend of precision and innovation to the table. Through his writings on WordPress Development, Project Management, QA Testing, and Accessibility, Bharat shares his comprehensive insights, aiming to elevate the standards of web solutions. His articles are a reflection of his commitment to quality, client satisfaction, and the pursuit of accessible digital spaces for all.

      Share This Article:

      Recent Blogs