All web applications and solutions, including WordPress, have opportunities for improving security. Risks arise from default naming approaches and settings that are commonly known by those looking to exploit websites’ weaknesses. These risks need to be reduced and managed; taking preemptive steps goes a long way in closing easy backdoors for those looking at exploiting a website. Human error is usually one of the main causes of risks. Potential risks range from service disruption, stolen user information, and phishing to malware distribution to users and subscribers, website or page redirection, account takeover, and domain blacklisting.
Approaches and actions to secure a WordPress website
Stay on top of updates
- Usually, updates are triggered by publishers for known issues, incompatibilities, and vulnerabilities
found in live environments. Installing updates and patches helps secure your website from known
weaknesses. Keep WordPress and its supporting applications, like the database and PHP, updated.
- Keep WordPress themes, plugins, and third-party scripts updated.
Keep strong access approaches
- Websites are accessed by website admin login, registered user or subscriber login, and casual site
visitors. The following approaches help secure against vulnerabilities brought on by those accessing the
- Strong password strategy: WordPress has a built-in random secure password generator. It’s accessed
from the admin module > My Sites > Users > UserProfile > Security.
- Consider setting up two-step authentication as an added security approach. Once enabled,
logging in to WordPress will require entry of a unique passcode generated by an app on the
user’s mobile device or sent via text message, in addition to a username and password. This will
ensure that admins, users, and subscribers have an added level of security while logging in.
- This strong password approach should be used across different interfaces, including host/admin
accounts, database accounts, FTP accounts, and the primary site email address of the domain or
- Add more challenge interfaces: For posts, discussions, comments, feedback, and responses, you can
implement a CAPTCHA challenge before an entry is accepted to the website. This will ensure that
crawling bots and similar solutions do not create mass entries and malicious feeds in discussion
- Consider setting up auto-logout for idle users in WordPress. Plugins help monitor and log out
- Use SFTP: Secure File Transfer Protocol, or SFTP, should be used instead of FTP to keep user
information encrypted while performing transfers.
Make backups and test restorable files before trying the following changes.
- Default admin: The default administrator name in WordPress is “admin.” If this is not changed,
it becomes an open door for those looking for vulnerabilities, such as bots written to keep trying
password combinations to attempt a break-in. Similarly, the default URL for admin login is
website.com/wp-admin; changing this will ensure that those looking to execute password combination
attempts towards the default link do not get access to the admin login page. Additionally, the maximum
failed login attempts can be changed from the default to a restricted number of times, after which the
user won’t be allowed to access the website.
- Default file permissions:
- Lock down write and delete file permissions where possible. This is an effective approach
especially when files are hosted in shared environments. These restrictions can be loosened when
write access is needed. Create separate folders with limited restrictions to allow users to upload
files when needed.
- Secure the database (if you are the database admin). Disable features that are not used by your
configuration. For example, if the feature of accepting remote TCP connections is not needed,
disable it. Most operations, including posting blogs, uploading files, and posting comments, need
only data read and data write privileges to the database. Remove user database administration
access; this will ensure that an authorized user can’t change the database structure. This works as
a containment approach if the installation is compromised. Caveat: Some major updates and supporting
applications (including themes and plugins) may require access to make structural changes in the
database (including addition of new tables or a change in the schema). The work-around is to
temporarily allow the required privileges before installing or updating the plugin, theme, or
Addressing hosting-related challenges
- While selecting a hosting provider for your website, review the provider’s credentials.
- Review security practices at the hosting level. The most common hosting security features include
firewall and DDoS protection, virus protection at the host level, SSL security certificates, and domain
owner detail masking.
- Get a clear understanding of how and what the hosting provider covers in terms of protection. The
remaining unprotected portions will be the website owner or admin’s responsibility.
- A secure hosting provider that does not manage a web server usually protects the availability,
privacy, and authenticity of infrastructure resources (the physical or virtual server a website is
hosted on). The security of the web server and its applications remains the responsibility of the
Addressing theme-related challenges
- WordPress offers a choice of themes, including free, paid, or custom (imported from a third party)
- Professional themes, free or paid, are regularly updated to address known security and performance
issues. However, only minor updates may automatically apply, so it is the site owner’s
responsibility to check and test major updates before implementing them on a live site. There are
plugins that track theme updates and send a notification with information about new versions or
updates being published.
- Custom themes sourced from unknown or unverifiable developer sources present the risk of security
vulnerabilities that could expose the WordPress site to malware and hacking possibilities. These
risks could be due to poor code or malicious code that’s been inserted. Patching of security
weaknesses and similar follow-up services may not always be available, adding to the risk of custom
- For sites that retain a set theme and plugins without frequent updates or changes to the theme or
plugins, the installing provision for themes and plugins can be disabled when needed. This is possible
in WordPress through the WP-admin module.
Addressing plugin-related challenges
- The WordPress admin page has more information on listed plugins, compatibility issues, and approved
for use details. This should be checked before installing a plugin. WordPress regularly updates and
flags known issues with a plugin. This advisory remains until the plugin passes WordPress’ acceptance.
Work with plugins from the WordPress options where possible rather than import a third-party custom
- Plugins that need write access to WordPress files and directories should have their code checked. Some
resources to consider looking at to identify known issues with plugins include
https://wordpress.org/support/, other WordPress user forums, and the plugin supplier’s resources.
- Once a plugin is installed, it’s good practice to run a malware and vulnerability scan.
- Some online malware scanners check for malware through software algorithms that crawl the entered
website URL to identify known malware and suspected malicious code. There are plugins that do this
as a routine task too.
- Similarly, if site performance degrades inexplicably, running a malware scanner is a good idea.
- Disable and delete all unused plugins.
- Some plugins may need and allow PHP or other code to execute from entries in a database; this creates
risk if the website is compromised. A work-around used in conjunction with locking or disallowing file
editing is to use a custom page template to call this function.
- You can prevent users from installing themes or plugins from the WP-admin module. This security
hardening approach may work for some sites that retain the existing theme and plugins without frequent
Maintain audit logs and utilize the backup and restore capability
- An audit log helps track all activities and changes to the WordPress site. This can include user
activities, like logins, logouts, updates, and posts, and application update activities.
- You can refer to the activity log for details on any suspicious activity or changes made. There are
backup plugins that allow you to restore to a specific point in the audit log. Notifications can be set
for critical website changes that are initiated.
Making WordPress secure is an ongoing exercise. Using security strategies and actions makes it harder for
break-ins and website corruption to happen through known loopholes. In this article, we looked at securing
a website at various levels—on the application level, with stronger access criteria like passwords and
secure protocols and by masking or changing default details, and on the physical level (host servers and
networks). Using tools and plugins helps automate and monitor some of the areas that can be tracked for
Was this article helpful?
Sorry to hear that. Let us know how we can improve the article.
Thanks for taking the time to share your feedback. We'll use your feedback to improve our articles.