WordPress is a powerful platform but also a major target for hackers. Hardening your site means reducing the risk of attacks by improving its defenses. Below are 10 actionable ways to secure your WordPress website and keep it safe from common vulnerabilities.
01. Keep WordPress Core, Themes, and Plugins Updated
Outdated software is the number one entry point for attackers. Always use the latest version of WordPress core, and regularly update your themes and plugins. Delete anything unused to reduce your attack surface.
02. Use a Web Application Firewall (WAF)
A WAF like Wordfence blocks malicious traffic before it reaches your server, shielding your site from common threats and bots.
03. Use Strong Passwords and Two-Factor Authentication (2FA)
Use complex passwords for all users, especially admins. Enforce 2FA using plugins like Wordfence to add a second layer of protection.
04. Limit Login Attempts and Rename the Login URL
Prevent brute-force attacks by limiting login attempts; Wordfence has this feature built in. You can also change the default /wp-login.php URL with a plugin like WPS Hide Login.
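To show what "limiting login attempts" actually does behind the plugin button, here is an added example of a sliding-window login limiter, written for this article and not taken from Wordfence or WordPress. It keys failures on (client IP, username) so that one address spraying many accounts and many addresses hammering one account are both caught, while a legitimate user is not locked out by unrelated failures elsewhere. The thresholds, IP addresses and event log are all constructed for the example.

```python
import time
from collections import defaultdict, deque

# Illustrative policy (this example's own values, not the article's or Wordfence's):
# lock a (ip, username) key after MAX_FAILURES failed logins inside WINDOW_SECONDS,
# and keep it locked for LOCKOUT_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LoginLimiter:
    """Sliding-window failed-login limiter keyed on (client IP, username)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the lockout expires

    def _prune(self, key, now):
        # Drop failures that have aged out of the window.
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, username, now=None):
        """True while the key is locked out; an expired lockout is cleared on the way."""
        now = time.time() if now is None else now
        key = (ip, username)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, ip, username, now=None):
        """Register a failed login; returns True if this failure triggered a lockout."""
        now = time.time() if now is None else now
        key = (ip, username)
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, ip, username):
        """A successful login clears the failure history for that key."""
        self._failures.pop((ip, username), None)


def replay(events, limiter):
    """Feed (time, ip, username, succeeded) events through the limiter.

    Returns the events that were rejected because the key was already locked.
    """
    rejected = []
    for t, ip, user, ok in events:
        if limiter.is_locked(ip, user, now=t):
            rejected.append((t, ip, user))
            continue
        if ok:
            limiter.record_success(ip, user)
        else:
            limiter.record_failure(ip, user, now=t)
    return rejected


# Constructed event log. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
ATTACKER_IP = "203.0.113.7"
USER_IP = "198.51.100.9"
SAMPLE_EVENTS = [
    (0, ATTACKER_IP, "admin", False),
    (1, ATTACKER_IP, "admin", False),
    (2, ATTACKER_IP, "admin", False),
    (3, ATTACKER_IP, "admin", False),
    (4, ATTACKER_IP, "admin", False),   # fifth failure: key is locked until t=904
    (5, ATTACKER_IP, "admin", False),   # rejected without even checking the password
    (6, USER_IP, "alice", False),       # a real user mistypes twice, then gets in
    (7, USER_IP, "alice", False),
    (8, USER_IP, "alice", True),
    (10, ATTACKER_IP, "alice", False),  # different key: not affected by the admin lockout
    (1000, ATTACKER_IP, "admin", True), # lockout has expired; state is cleared
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, LoginLimiter()))
```

The plugin-based equivalent also records the attempt for the activity log (item 06 below), which is where the IP addresses that trip the limiter should show up.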
05. Change the Default Admin Username
Never use ‘admin’ as a username. Create a new administrator account with a unique name and delete the default one to reduce bot-targeting.
06. Enable Activity Logging and File Change Monitoring
Monitor logins, plugin changes, and file edits with tools like WP Activity Log or Wordfence to catch suspicious behavior early.
07. Implement WordPress Security Headers
Use HTTP security headers to strengthen browser-side security and reduce the risk of attacks like Cross-Site Scripting (XSS) and Clickjacking. Important headers include X-Frame-Options, X-XSS-Protection, and Content-Security-Policy. The Headers Security Advanced & HSTS WP plugin lets you implement best practices with a single click.
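Whichever way the headers are set (the plugin named above, or Apache's mod_headers with lines such as `Header always set X-Frame-Options "SAMEORIGIN"`), it is worth verifying what the site actually sends. The following is an added example of a header audit, written for this article and not part of the plugin or of WordPress; the policy thresholds and the two header sets are constructed. One caveat the checker encodes: X-XSS-Protection is a legacy header that current browsers ignore, so the audit treats Content-Security-Policy as the real XSS control and flags any X-XSS-Protection value other than `0`.

```python
import re

# Minimum HSTS max-age the audit accepts (180 days). This threshold is the
# example's own choice, not a value from the article.
MIN_HSTS_MAX_AGE = 15552000


def audit_headers(headers):
    """Return a list of findings for one HTTP response's headers.

    `headers` maps header name -> value; names are matched case-insensitively.
    An empty list means every check passed.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif "unsafe-inline" in csp and "nonce-" not in csp and "sha256-" not in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline' without nonces or hashes")

    # Clickjacking: framing must be restricted by X-Frame-Options or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    frame_ancestors = csp is not None and "frame-ancestors" in csp
    if xfo not in ("DENY", "SAMEORIGIN") and not frame_ancestors:
        findings.append("framing not restricted: set X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    # X-XSS-Protection is ignored by current browsers; "0" is the only value that
    # cannot cause harm in old ones, so anything else is reported.
    xxp = h.get("x-xss-protection")
    if xxp is not None and xxp.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection is legacy; set it to 0 or drop it and rely on CSP")

    return findings


# Constructed header sets, not captured from any real site.
WEAK_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "X-XSS-Protection": "1; mode=block",
}

HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Frame-Options": "DENY",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "OK")
```

Run it against the headers of a real response (for example the dictionary returned by an HTTP client) after enabling the plugin, and again after any theme or plugin update, since those can override what the server sends.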
08. Secure wp-config.php and .htaccess
Your wp-config.php and .htaccess files are the backbone of your WordPress site’s configuration and security – protecting them is critical to prevent site-wide vulnerabilities.
- Set file permissions for wp-config.php to 400 or 440
- Add the following to the .htaccess file to block unauthorised access:
    # Apache 2.2 access-control syntax. On Apache 2.4 these directives need
    # mod_access_compat loaded; otherwise replace the two lines with "Require all denied".
    <Files wp-config.php>
        Order Allow,Deny
        Deny from all
    </Files>
    <Files .htaccess>
        Order Allow,Deny
        Deny from all
    </Files>
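The permission change is a one-off chmod, but permissions drift (an FTP client, a plugin's file editor or a hurried fix can loosen them), so an added audit that reports and tightens them is useful. This example is written for the article and is not a WordPress or hosting-panel tool; the 440 limit for wp-config.php follows the article, while the 644 limit for .htaccess is the example's own choice (the web server must read it, but only the owner should write it). The demo builds its own throwaway directory with placeholder files.

```python
import os
import stat
import tempfile

# Files to check and the loosest permission bits each may carry. wp-config.php 0o440
# follows the article; .htaccess 0o644 is this example's assumption.
EXPECTED = {
    "wp-config.php": 0o440,
    ".htaccess": 0o644,
}


def permission_findings(root, expected=EXPECTED):
    """Report files under `root` whose permission bits exceed their limit.

    A file passes when its bits are a subset of the allowed bits (0o400 passes a
    0o440 limit, 0o640 does not). Returns (name, actual_mode, allowed_mode) tuples;
    a missing file is reported with actual_mode None.
    """
    findings = []
    for name, allowed in expected.items():
        path = os.path.join(root, name)
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings.append((name, None, allowed))
            continue
        if mode & ~allowed:          # some bit is set that the limit does not permit
            findings.append((name, mode, allowed))
    return findings


def fix_permissions(root, expected=EXPECTED):
    """Strip any permission bit the policy does not allow; returns the names changed.

    Files already tighter than the limit are left alone rather than loosened.
    """
    changed = []
    for name, allowed in expected.items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~allowed:
            os.chmod(path, mode & allowed)
            changed.append(name)
    return changed


def demo_permissions():
    """Constructed scenario: two files with loose modes, audited, fixed and re-audited."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    for name in EXPECTED:
        with open(os.path.join(root, name), "w") as f:
            f.write("# constructed placeholder, not a real WordPress file\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o644)   # world-readable config
    os.chmod(os.path.join(root, ".htaccess"), 0o666)       # world-writable rules
    before = permission_findings(root)
    fix_permissions(root)
    after = permission_findings(root)
    missing = permission_findings(tempfile.mkdtemp(prefix="wp-perm-empty-"))
    return before, after, missing


if __name__ == "__main__":
    before, after, missing = demo_permissions()
    print("before:", [(n, oct(m), oct(a)) for n, m, a in before])
    print("after:", after)
    print("empty dir:", missing)
```

Point `permission_findings` at the real document root from a cron job and alert on a non-empty result; if PHP runs as a different user from the file owner, 400 will break the site and 440 with a shared group is the option that works, which is why the article offers both.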
09. Disable XML-RPC Unless Needed
If you’re not using Jetpack or remote publishing, disable XML-RPC as it’s a popular attack target.
    # Apache 2.2 syntax; on Apache 2.4 load mod_access_compat or use "Require all denied" instead.
    <Files xmlrpc.php>
        Order Deny,Allow
        Deny from all
    </Files>
10. Automate Off-Site Backups
Regular backups are essential for recovery, and storing them off-site is crucial: if your server is hacked or goes down, backups kept on the same server may be deleted or corrupted too. Use a plugin like BlogVault to store backups in a safe off-site location.
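A backup that has been silently corrupted is as bad as no backup, so the part worth automating alongside the copy is an integrity check. The following added example, written for this article and not part of BlogVault or WordPress, archives a site directory, writes a SHA-256 sidecar in `sha256sum -c` format, and verifies an archive against it; the off-site transfer itself (rsync, rclone, object storage) is left to whatever tool you use, with the rule that the sidecar travels with the archive. The site directory and the corruption in the demo are constructed.

```python
import hashlib
import os
import tarfile
import tempfile
import time


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, dest_dir, label="site"):
    """Archive source_dir to dest_dir/<label>-<UTC stamp>.tar.gz plus a .sha256 sidecar.

    Returns (archive_path, sha256_hex). The sidecar line is in the format
    `sha256sum -c` understands, so the copy can be checked on any host.
    """
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = os.path.join(dest_dir, f"{label}-{stamp}.tar.gz")
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source_dir, arcname=os.path.basename(source_dir))
    digest = sha256_file(archive)
    with open(archive + ".sha256", "w") as f:
        f.write(f"{digest}  {os.path.basename(archive)}\n")
    return archive, digest


def verify_backup(archive):
    """True only if the archive matches its sidecar digest and still parses as a tar."""
    try:
        with open(archive + ".sha256") as f:
            expected = f.read().split()[0]
    except (FileNotFoundError, IndexError):
        return False
    if sha256_file(archive) != expected:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, OSError, EOFError):
        return False
    return True


def demo_backup():
    """Constructed scenario: back up a placeholder site, verify, corrupt, verify again."""
    work = tempfile.mkdtemp(prefix="wp-backup-demo-")
    source = os.path.join(work, "wordpress")
    os.makedirs(source)
    placeholders = {"wp-config.php": "<?php // constructed placeholder\n", "index.php": "<?php\n"}
    for name, body in placeholders.items():
        with open(os.path.join(source, name), "w") as f:
            f.write(body)
    dest = os.path.join(work, "backups")
    os.makedirs(dest)
    archive, _ = create_backup(source, dest)
    intact = verify_backup(archive)
    # Simulate on-server corruption: flip one byte in the middle of the archive.
    with open(archive, "r+b") as f:
        data = bytearray(f.read())
        data[len(data) // 2] ^= 0xFF
        f.seek(0)
        f.write(data)
    return intact, verify_backup(archive)


if __name__ == "__main__":
    print(demo_backup())   # (True, False)
```

Schedule `create_backup` before the off-site copy and run `verify_backup` on the off-site copy, not the local one: the point of the exercise is that the local disk is the thing you expect to lose.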