Blog / WordPress / 10 ways to harden WordPress security

10 ways to harden WordPress security

harden WordPress security

WordPress is the most popular Content Management System (CMS) worldwide, but its popularity also makes it a prime target for cyberattacks.

Security is an ongoing process, and staying vigilant and proactive is essential in protecting your online presence.

By implementing these ten security measures, you can significantly harden your WordPress website against potential threats.

Keep WordPress core, themes and plugins updated

update wordpress core
Always ensure you’re running the latest version of WordPress core, themes, and plugins. Developers frequently release updates to fix security vulnerabilities and bugs. Regularly check for updates and be cautious when choosing third-party themes and plugins; only use reputable sources from the official WordPress repository or trusted developers.

Before updating the WordPress core or any plugins that are part of core functionality, e.g. eCommerce plugins, make sure you backup your website. This step is crucial as upgrades can fail crashing your site, so it’s essential to have a current backup in place.

If you need help check out our WordPress maintenance service.

Install a security plugin

We secure all our sites with Wordfence the top-rated security plugin. The free version is enough for most sites and comes with many powerful features that include a firewall that can block malicious traffic and bots before they can access your site, and a free malware scanner.

Change the default login URL

Install a plugin like WPS Hide Login to make it more difficult for bots to break into your website.

Implement Two-Factor Authentication (2FA)

Two-Factor Authentication adds an extra layer of security by requiring users to verify their identity through a secondary method, such as their mobile phone. Wordfence offers free Two-Factor Authentication – watch the video to see how to set it up.

Limit login attempts

Limit the number of login attempts to prevent brute-force attacks. Wordfence again has this built in function to block IP addresses that exceed a certain number of login attempts within a specified time frame – watch the video to see how to set it up.

Harden wp-config.php for enhanced security

Disable the wordpress file editor
The wp-config.php file is a powerful core WordPress file that is vital for running your website. It contains critical configuration settings, database credentials and developer options. Here are the ones we routinely set on client sites.

a. Set file permissions to 644 and directory permissions to 755.

This configuration ensures that only the owner can modify files, while others can only read and execute them.


b. Disable the file editor

This removes the ability to edit theme and plugin files directly from within the WordPress dashboard. Hackers can use this editor to distribute malware or launch DDOS attacks from your WordPress website.

define( 'DISALLOW_FILE_EDIT', true );

Harden .htaccess for enhanced security

edit wordpress htaccess file
The .htaccess file allows you to define server settings and enhance security. If you are not used to editing this file use a plugin like Safely Edit Htaccess File to avoid server errors. Here are the edits we add to client sites.

a. Disable server signature

Revealing web server signature can be a security risk as you are telling attackers about known vulnerabilities of your system.

ServerSignature Off

b. Secure your wp-config.php file

Block access to your wp-config.php from internal hacking and code modification.

<files wp-config.php>
order allow,deny
deny from all

c. Protect .htaccess from unauthorized access

Prevents hackers manipulating your website through the .htaccess file.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Implement WordPress Security Headers

Implement WordPress Security Headers
Leverage HTTP security headers to enhance browser security and mitigate certain types of attacks, such as Cross-Site Scripting (XSS) and Clickjacking. Some commonly used headers include X-Frame-Options, X-XSS-Protection and Content-Security-Policy.

Headers Security Advanced & HSTS WP is a simple one click install that will set up all best practices.

Regular backups

Frequent backups are essential to mitigate the impact of a successful hack, a server crash or failure, or even an unsuccessful update. We recommend Blogvault which stores encrypted copies of your site across multiple data-centers.

Choose a reliable web hosting provider and implement SSL

ssl certificate
Select a web host that offers robust security measures and regular server updates. Ensure you obtain an SSL certificate and force HTTPS across your entire website to ensure all data transmission is encrypted.

Most hosts offer the Let’s Encrypt SSL Certificate which is a free, automated, and global Certificate Authority (CA).