Every website is at constant security risk. And though WordPress as a content management system (CMS) is very secure, it’s not immune to issues. There are thousands of known vulnerabilities in the WordPress ecosystem, and protecting your sites is critical.
Fortunately, understanding the basics of WordPress hardening and why it’s necessary will help ensure that your projects remain safe. That means following key security best practices and knowing how to adapt them to your organization’s specific needs.
In this article, we’ll cover both foundational and advanced ways of hardening WordPress security. We’ll discuss why each security measure is necessary, and talk about how to implement them.
Understanding the threat landscape
It’s important to understand that WordPress is inherently secure. The software gets regular security updates, and it’s possible to create websites that are nearly impossible for attackers to access.
The primary issue with WordPress is simply its incredible popularity. Approximately 43.1% of all known websites use WordPress. That includes everything from enterprise‑level websites with advanced security to hobbyist sites with lax safety measures.
This matters because WordPress’ popularity makes it a target for attackers. Any small vulnerability in a well‑known plugin or theme can lead to thousands of breaches or infections, due to users forgetting to update the CMS or its components. At the time of this writing, there are over 43,000 known WordPress vulnerabilities, and that number will likely continue to grow.
The takeaway from these figures shouldn’t be that your organization needs to avoid WordPress — quite the opposite. But if you choose to use this CMS, you shouldn’t become complacent and must still understand the need to take responsibility for securing your company’s digital assets.
The good news is that there are dozens of ways WordPress enables you to do that. Thanks to its open‑source nature, it’s more flexible in terms of security than many other popular solutions.
Eight foundational security measures
To protect all of your websites, you’ll need to know what steps to take. There are hundreds of methods and techniques, so it can be difficult to determine where to start.
That’s where this list comes in. First up, the following eight security measures cover the basics. A hobby or personal website that implements these techniques could be considered reasonably secure. For an enterprise site, they offer a great starting point for keeping your user and organizational data safe.
1. Implement real‑time backups
Implementing real‑time backups means that as you make changes to your site, copies will be regularly created and stored. This approach to backups is much more secure than creating daily or weekly copies of your site. With real‑time backups, every update, edit, or other action on your site is saved as it happens.
Jetpack VaultPress Backup offers a powerful, real‑time backup solution that allows for swift recovery in case anything goes wrong. The service backs up your website to the cloud as you make changes, and you can restore those backups at any point.
It’s important to note there are costs associated with implementing real‑time backups. Tools like VaultPress Backup charge monthly fees, and you also need to take storage into account. If your chosen backup solution doesn’t include storage, redundant copies of those files will need to live in multiple places for optimal security.
VaultPress Backup includes storage and saves multiple copies at off‑site facilities trusted by some of the world’s top companies like Salesforce, Meta, and Slack. Plus, you can quickly restore a backup in just a few clicks.
2. Install a reputable security plugin
The field of “security plugins” can be very broad. There are those that protect WordPress websites in small ways, like by adding two‑factor authentication (2FA) or security logs. In this case, however, you’ll want to examine packaged solutions that incorporate a battery of measures to protect your site.
For instance, Jetpack Security encompasses backup tools, malware scanning, anti‑spam functionality, brute force attack protection, and more. Using this kind of tool means you don’t need to install dozens of plugins to protect your site.
The security plugins you choose to use will depend on your organization’s needs (and your budget). Before deciding, it’s best to consider multiple options, and review what features they offer and how they can benefit the types of sites your company manages.
3. Keep all software up to date
Updates are vital to security in just about any context. When it comes to WordPress specifically, this means keeping the CMS and all of your site’s components up to date. That includes WordPress plugins, themes, and the PHP installation on the server.
Outdated plugins and themes are one of the key weaknesses behind attacks on WordPress. Attackers look for security flaws in these components, and if they’re not patched, they can provide access to your site and its private files.
Most reputable developers update their plugins and themes regularly to patch these vulnerabilities as they appear. If you choose not to implement those updates, you leave your website open to breaches.
This is a common issue, as many WordPress users are either unaware of the importance of updates or simply forget about them. The same applies to PHP, with older versions being more vulnerable to attacks and offering poorer performance than newer releases.
To avoid this, you should check the WordPress dashboard periodically to see what updates are available. If you implement real‑time backups, you’ll be able to update websites without worrying about breaking anything, since you can always reverse the changes if needed.
You can also enable auto‑updates on your WordPress site, so you won’t have to log in and check for updates frequently. However, it’s always a good idea to check website functionality and ensure that an update didn’t break anything on your site. Consider the tradeoffs between security and functionality, and make the best decision for your specific situation.
4. Use strong authentication practices
Authentication refers to the process of accessing any system related to your websites. That includes using the WordPress login page, accessing hosting accounts, connecting with your site via file transfer protocol (FTP), and more.
Any organization is only as secure as its authentication practices. If administrators or users with high degrees of access are re‑using credentials or setting passwords that are easy to guess, those are security incidents waiting to happen.
Managers need to enforce strong authentication practices for any systems the organization uses. That means educating employees about basic security and login practices, enforcing periodic password changes, and monitoring access to ensure that unauthorized users can’t access your website.
5. Control user access through roles and permissions
Along with regulating who has access to each system using strong authentication practices, it’s important to control which permissions you assign to various roles. To give an example, the administrator should be the only user role with full access and permissions for a specific system.
WordPress comes with a default set of user roles and permissions. The administrator can change any aspect of the website, and other roles have lesser permissions. This is critical from a security standpoint because it prevents users without the correct roles from making unauthorized changes to the website.
There are tools you can use to modify the existing WordPress user roles or create new ones. This can be a smart idea, depending on what types of websites your organization runs. Whichever approach you decide to take, it’s important that no user role gets more permissions than they need to carry out their tasks.
6. Rename the admin account
A lot of WordPress websites default to “admin” or “administrator” as the username for the administrator account. This is a security vulnerability waiting to happen, as most attackers will try these types of usernames first when they’re trying to break into a website.
As a rule of thumb, no username should be easy to guess to minimize breaches. If you enforce the use of unique usernames and passwords, that will make it much harder for attackers to use brute force attacks to make their way into your website, which puts you ahead of most other organizations.
If you can’t enforce unique usernames for other employees or teams, you can limit this step to administrators. Considering that they’re the only users with full access to the website, they warrant additional security measures.
7. Use an SSL for data encryption
Secure sockets layer (SSL) certificates enable you to use HTTPS for data encryption during transmission for your website.
Obtaining and installing SSL certificates is simple, and a lot of web hosts will do it for you. Still, free SSL certificates typically aren’t best for enterprise‑level websites. Other options, like organization validation SSL certificates, can provide additional value by certifying that your website is real and that it’s owned by your organization.
SSL certificates and HTTPS use are also a factor in search engine rankings. Search engines will even warn visitors away if you have an expired certificate, or if HTTPS isn’t working properly on your site.
8. Remove unused files, plugins, and themes
There’s no reason to keep unused files or extensions on your website. If you’re not using a plugin, it should be disabled. The more plugins you use, the higher the risk of compatibility or WordPress security issues.
Review all active plugins periodically to determine whether your organization is using them. If you find plugins that don’t fulfill any purpose, disable and uninstall them.
Removing other unused files and/or themes will also help you recover server storage space.
Eighteen advanced security measures
Once you’ve covered the basics for your organization, it’s time to move on to more advanced ways of hardening WordPress. These security measures range a lot in terms of implementation difficulty, but they’re all essential for keeping your organization safe.
1. Leverage vulnerability scanning
Vulnerability scanning is a process where automated software is used to scan a system or network for issues like security holes, bugs, or network configuration errors. This type of scan can identify weak points in your system that could potentially be exploited by cybercriminals.
On WordPress websites, vulnerability scanning helps you detect security issues with plugins, WordPress themes, files, or WordPress core configuration. Early detection allows for timely remediation, reducing the likelihood of exploitation.
Beyond keeping your website safe, WordPress vulnerability scanning can protect your organization in various ways. These include:
- Compliance with regulatory requirements. Many industries are subject to regulatory requirements that mandate periodic vulnerability assessments to protect sensitive information. Consistent vulnerability scanning helps in meeting these requirements, protecting your organization from legal repercussions.
- Protecting customer data. Businesses often store sensitive customer data. Identifying and patching vulnerabilities protects this data from unauthorized access, maintaining customer trust and safeguarding the organization from reputational damage.
- Reducing costs. Experiencing a security breach can be financially crippling due to the associated data loss, legal consequences, and reputational damage. Regular vulnerability scanning can be a cost‑effective way to prevent breaches, saving the organization from significant financial loss.
- Resource optimization. Vulnerability scanning can help you identify your organization’s weak points when it comes to WordPress security. This will allow you to allocate resources more effectively towards areas that need improvement.
To help you handle this task, WPScan offers the largest database of WordPress security vulnerabilities. It collaborates with security experts and developers to keep the database up to date. Organizations can access that database in several ways, including via WP‑CLI.
2. Use a web application firewall (WAF)
A WAF is a protective barrier that sits between a website and the internet. It monitors, filters, and blocks harmful traffic and attacks like SQL injection, cross‑site scripting, and others that target vulnerabilities in web applications.
WAFs can help protect against zero‑day exploits (vulnerabilities that are exploited before the vendor releases a fix) by using heuristics and behavioral analysis to block suspicious traffic, even if the specific vulnerability hasn’t yet been patched.
Implementing a WAF for your WordPress website can also improve its performance by blocking malicious traffic and DDoS attacks. Plus, blocking known malicious actors can prevent data breaches.
The easiest way to implement a WAF is to use a WordPress web host that offers one as a feature. Otherwise, you can use a tool like Jetpack, which includes a WAF alongside its other WordPress security tools.
3. Block PHP execution in unknown folders
Blocking PHP execution in unknown folders involves restricting the execution of PHP scripts in directories that are not explicitly allowed to run those scripts. This can prevent malicious scripts from executing in various folders where they shouldn’t be running, which is a common tactic used by attackers to exploit a system.
This security measure can help you harden WordPress significantly against attacks. Aside from preventing unauthorized code from running, blocking PHP execution can also benefit your website in the following ways:
- Minimizing attack surface. This strategy reduces the attack surface of your web application by limiting the areas where PHP code can be executed, making it more difficult for attackers to find vulnerabilities to exploit.
- Providing protection against malware. Blocking PHP execution in unknown folders can prevent malware or backdoors from functioning if they are uploaded to your server. This is because these malicious scripts often rely on the ability to execute PHP code in various directories to create backdoors into the website.
- Conserving server resources. Preventing unauthorized scripts from executing helps conserve server resources. Malicious scripts can slow down your website (depending on how they’re coded), leading to a poor user experience for visitors.
You can use the .htaccess file to disable PHP execution in specific WordPress folders. This involves creating new .htaccess files for the directories you want to protect, and adding code that blocks PHP files from executing in these folders.
4. Implement a content security policy (CSP)
A CSP is a set of rules that dictates how resources on a web page can be loaded and executed. It is instrumental in preventing a range of attacks. That includes the infamous cross‑site scripting (XSS) attacks, where malicious scripts are injected into websites that are then viewed by other users.
Implementing a CSP ensures that only content from trusted sources is allowed to execute, which restricts the ability of attackers to exploit web application vulnerabilities. It gives website administrators granular control over the various resources a web page can access and interact with, like fonts, forms, images, and scripts.
Having a CSP in place can also mitigate clickjacking attacks. This is where an attacker tries to trick visitors into clicking on something different from what they intended to. A CSP can enforce strict guidelines that define which domains the browser should consider as safe for fetching resources, significantly minimizing the risk of content injection attacks.
5. Secure your wp‑config.php file
The wp‑config.php file is essentially the heart of any WordPress installation. It contains sensitive information like database connection details, authentication keys, and other crucial settings that govern the behavior of a WordPress website. Due to how much sensitive data the file stores, it’s a popular target among attackers.
Protecting the wp‑config.php file can secure your website against multiple types of attacks. There are several ways to do so, including:
- Restricting access to wp‑config.php. You can limit who can connect to your website via FTP or your web hosting control panel by enforcing the use of strong credentials and encouraging employees not to share them.
- Modifying the file’s permissions. You can modify the permissions for the wp-config.php file to control who can read, execute, or modify it. As with any other core file of this level, the administrator should be the only party with full access to it.
If an attacker gets access to the wp‑config.php file, you can assume they can access the rest of the WordPress root directory. In practice, this means they have control over your website, and it translates to a massive security breach.
6. Secure wp‑includes in your .htaccess file
The wp‑includes folder contains core WordPress files that are vital for the proper functioning of the website. These files should rarely, if ever, be accessed by users or even administrators, as they primarily contain codes that operate in the background to keep the website running smoothly.
Attackers often target this directory to inject malicious code or alter how your website works. You can protect against this using the .htaccess file.
The .htaccess file can help you restrict access to your website and specific files and directories, like wp‑includes. You can also use it to prevent unauthorized PHP code from executing, which is one of the security measures covered earlier.
Here’s an example of code you might use to restrict access to wp-includes through .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/.*\.php$ - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>With that said, it’s important that your developers review any code you use on your website. Any third‑party code you implement in WordPress may lead to further vulnerabilities if not vetted carefully.
7. Lock down your file permissions
File permissions determine who can read, write, and execute a given file. By locking down these permissions, you can regulate access to your website and its core files.
Overly permissive settings can inadvertently give attackers leeway to manipulate, alter, or delete critical files. Striking the right balance ensures that your website works properly but remains safe.
As a rule of thumb, file permissions should vary depending on the user role. Only the administrator should have unfettered access to all files and directories. That applies not only to WordPress, but to any software system you use.
If you need help determining what permissions to assign to which user roles, follow the rule of least privileges. That means no user should have access to more permissions than they absolutely need to carry out their tasks.
8. Restrict FTP access by IP address
Restricting FTP access to specific IP addresses means only users within your organization should have access to your site’s core files and directories. WordPress houses all of its files in the root directory, so restricting access to it is essential.
Only a very few, select users should engage with your website via FTP. That includes the administrator and any other employees who need to modify core files or access the root directory for troubleshooting.
In the case of suspicious activity or security breaches, having restricted access makes it relatively easier to pinpoint the source or nature of the threat, since the number of potential entry points is limited. This can be an invaluable asset in not only resolving the issue quickly, but also in strengthening security protocols to prevent future incidents.
9. Disallow file editing
Disallowing file editing within the WordPress dashboard is a critical security measure. If this file editing feature is active, it permits anyone with the right permissions to modify core files directly from the dashboard.
While convenient, this also opens up substantial security risk. If an unauthorized user gains access to the WordPress dashboard with the right permissions, they’ll be able to edit core files to leave malicious code or scripts.
Moreover, disallowing file editing fosters a controlled environment, where changes to the site can only be made through secure and well-monitored channels. Typically, modifications would be made through FTP or a control panel directly on the server, which usually have additional security measures in place.
10. Disable directory listing and browsing
Disabling directory listing and browsing is a security measure that can prevent unauthorized users from viewing or accessing the files and directories that make up your website. This can protect your organization’s website in several ways, including:
- Preventing information leakage. Knowing the directory structure can reveal a lot about the underlying technology and potential vulnerabilities. Sometimes sensitive files (like configuration files or backup files with possibly unfiltered data) are inadvertently stored in publicly accessible directories.
- Protecting against unauthorized access. Obscuring the directory structure can add a layer of protection by making it more difficult for attackers to find and exploit known vulnerabilities. Moreover, disabling directory listing ensures that users can only access files if they know the exact URLs, which can prevent unauthorized access to non‑public files.
- Mitigating vulnerability exploits. If attackers know the directory structure, they can exploit known vulnerabilities more easily. By limiting the information available to potential attackers, you can also reduce the risk of exploitation from zero‑day vulnerabilities.
In WordPress, you can modify the .htaccess file to restrict directory browsing. Some web hosts implement this as a security feature. You can determine whether your organization’s hosting provider does this by attempting to access a directory through the browser, and checking to see if it lists internal files and folders.
11. Restrict access to the WordPress REST API
The WordPress REST API is an interface that allows developers to interact with a WordPress site programmatically, using HTTP requests to retrieve or send data in JSON format. It can be used to perform a wide variety of tasks, including retrieving posts, creating users, or even updating site settings.
Since the REST API provides access to WordPress, it can also be a potential attack vector. Restricting access to it can safeguard your website against multiple threats, including:
- Data leakage. The REST API can potentially expose sensitive information about your site, like user data and site structure, which can be exploited by malicious actors.
- Content manipulation. The REST API allows creating, reading, updating, and deleting content. Malicious actors might exploit vulnerabilities to manipulate content on your site without authorization.
It’s important to understand that the REST API is a cornerstone of the WordPress experience. A lot of WordPress plugins use the API to interact with the CMS, which means that fully disabling it can cripple your site’s functionality. The smart solution to this problem is not to disable the REST API, but to restrict access to it, like by limiting it to specific IP addresses.
12. Change the default database prefix
Changing the default table prefix on a WordPress website can enhance security by making SQL injection attacks more difficult to execute. Using the default prefix makes it easier for attackers to identify and target the WordPress database, whereas changing it makes it almost impossible for them to connect.
Many automated scripts and bots target WordPress sites with known vulnerabilities. Changing the table prefix can potentially thwart such automated attacks, as these scripts often rely on the default “wp_” prefix to locate and exploit vulnerabilities.
In case of an SQL injection vulnerability, changing the table prefix can potentially limit the damage an attacker can do. They might not be able to manipulate or retrieve data from tables with non‑default prefixes without first determining the custom prefix.
13. Hide your WordPress version
By default, some WordPress releases show the version of the CMS that you’re using in the website’s footer. This can be easy for visitors to overlook, but it can be dangerous information to make public.
If your organization is using an outdated version of WordPress, attackers might be able to target it using specific exploits. Since your website shows this information publicly, it makes the job of those attackers that much easier.
Newer versions of the CMS don’t display this information on the front end. If your website shows it, you might be using an outdated version of WordPress, which is dangerous on its own. This means it’s time for an update.
14. Hide /wp‑admin and /wp‑login.php
You can use the /wp‑admin and /wp‑login.php suffixes to access your WordPress login screen and the WordPress dashboard. These default naming conventions make the access URLs easy to remember but also easy to target.
If an attacker wants to break into your website, all they have to do is type in your site’s URL and add /wp‑login.php to the end. Then, they can launch a brute force attack on the login page.
Changing the default WordPress login URL won’t impact your organization’s work in any way. The dashboard and the login page will still work the same, but your employees will need to remember or bookmark the new URLs to access them.
There are several ways to do this, including modifying your site’s .htaccess file to rewrite the URLs or using plugins that can do it for you. For an organization, using the .htaccess approach is safer since it reduces your reliance on third‑party WordPress plugins.
15. Add password protection to /wp‑admin
To access the WordPress dashboard, you need to go through the login screen. If you’re an attacker, you might be able to get through the login screen if you gain access to internal credentials, and if there are no further website security measures set up.
Protecting the admin or dashboard with a password is an additional measure that can stop most of these attacks. When someone tries to access /wp‑admin, the browser will launch a pop‑up asking for a secondary password. If they can’t provide it, the admin screen won’t load.
This isn’t a website security measure built into WordPress, but rather one you can implement using .htaccess. The password will need to be shared among users, so it’s not as secure as unique login credentials. Despite that, the added security layer will help you foil attacks against your website.
16. Automatically log out inactive users
Users who fail to log out can compromise your organization’s security in several ways. If the users are on‑location, other employees with different roles might get access to their accounts (and permissions) by using their devices. This can lead to security issues due to human error.
If your organization supports remote work, not logging out from user accounts becomes a much more serious issue. Depending on where employees are connecting from, their devices might be stolen or left unattended, which means people outside of the business will have access to the website.
The easiest way to remove this risk is to automatically log out users after a set period of time. This will result in employees having to log in more often, but that’s a small nuisance in comparison to the security risks that it helps you prevent.
17. Enforce MFA for critical users
Two‑factor authentication (2FA) is a form of multifactor authentication (MFA). This technique could even involve more than two factors, to enforce even higher security standards among your users.
The more important the user account is (i.e., the more permissions it has access to), the more stringent its security should be. In the case of administrators, that means enforcing 2FA at a minimum, and potentially requiring additional factors to log in.
This can be a small hassle for employees, but it’s a measure that can drastically reduce security breaches and help keep your site secure.
18. Monitor your logs for file changes
Some WordPress security plugins enable you to monitor changes to your website using logs. These logs should include information about file modifications, login attempts, changes to plugins and themes, and any other events that might impact your site’s security.
Security logs make it easier for you and your team to see everything that’s happening on your website, and to pinpoint the root causes of website security issues. If the security plugin you use doesn’t include logs, you can look into standalone tools that add this functionality to WordPress. When choosing a WordPress plugin, consider that the more comprehensive the logs are, the better.
Frequently asked questions
Let’s discuss some popular questions about WordPress hardening.
What is WordPress hardening, and why is it crucial?
WordPress hardening is synonymous with increased security. Protecting your website against attacks from third-party actors and any kind of unauthorized intrusion is essential.
Most websites house sensitive information, or are used as channels to interact with customers. If attackers gain access to that information and the site itself, it can wreak havoc on your business, leading to losses in money and customer trust.
How can I monitor my WordPress site for security threats?
The easiest way to monitor your WordPress website for threats is by combining a high‑quality security plugin with a vulnerability scanning solution. Most popular security plugins will notify you if they detect changes to your site’s WordPress core files or issues with your site’s configuration. Vulnerability scanning tools, on the other hand, should be able to detect any vulnerabilities in your site’s files, plugins, and themes.
How can I ensure that a plugin or theme I’m installing won’t introduce vulnerabilities?
The best way to determine whether a WordPress plugin is safe is to base your choice on reviews and update history. As a rule of thumb, you should only consider using plugins and WordPress themes with positive reviews that get regular updates.
Regular updates typically translate to an active development team. That means they’re on top of security issues, and can be trusted to release patches and updates in a timely manner.
What is WPScan, and who can benefit from its vulnerability database?
WPScan is the largest open‑source database of WordPress vulnerabilities. Anyone who uses WordPress can benefit from leveraging the database to check their website for vulnerabilities and security issues.
You can connect to the database in multiple ways, including WP‑CLI. The command line tool enables you to scan your organization’s website for vulnerabilities as needed.
Where does WPScan’s vulnerability data come from?
WPScan collects data compiled from multiple sources, including dedicated WordPress security experts, developers, vendors, and researchers. This communal effort benefits all parties involved by providing contributors with access to a vulnerability database they can use to protect their projects and by making WordPress a more secure platform.
WPScan: WordPress hardening solutions for enterprise sites
The WPScan database offers custom, enterprise-level solutions for organizations.
These custom solutions include instant email notifications in case WPScan detects any vulnerabilities, as well as in‑depth reporting. You can reach out to get a custom quote for your organization.
Every organization that wants a more secure WordPress website can benefit from taking steps to harden the CMS as much as possible. That starts with basic security measures like enforcing strong credentials and disabling plugins you don’t use. At the enterprise level, you’ll also need to implement more advanced safety precautions, like restricting access to the REST API.
All of these measures enable you to be proactive when it comes to protecting your WordPress website, as well as any sensitive data stored on it.
By the first to know of any WordPress site vulnerabilities with WPScan.
WPScan 