- read

20 Tips to make your WordPress site more Secure

Yanis Deplazes 17

WordPress is now powering 39.5% of all websites in 2021, up from powering 35% of sites in 2020.

WordPress is everywhere, so today it is more than important to understand your Websites vulnerabilities and take the necessary measures.

Common WordPress Security Issues

  • Brute-Force Login Attempts
  • Cross-Site Scripting (XSS)
  • SQL-Injections
  • Backdoors
  • Denial-of-Service (DoS) Attacks


  • Updates
  • Hosting
  • Firewall
  • SSL Certificate
  • Backups
  • Secure passwords
  • No admin username


  • Disable indexing and browsing
  • Sanitize/Escape Data
  • Filter out characters from user input
  • Disable PHP Execution
  • Disable File Edit
  • Block IP address
  • Disable XML-RPC
  • Change WP Prefixes
  • Hide your WordPress Version
  • Tighten the server access rights


  • Limit login attempts
  • Auto logout
  • DDoS Protection

Common WordPress Security Issues

Brute-Force Login Attempts

A brute force attack attempts to figure out passwords or keys by randomly trying combinations of characters. The brute force method is a popular attack method for finding out passwords or decrypting data.

Cross-Site Scripting (XSS)

Cross Site Scripting (XSS) is one of the most commonly used attack methods on the Internet. The goal of cross-site scripting is to obtain confidential data, take over applications, or cause other damage. XSS embeds the attack code in a supposedly secure context.


An SQL injection uses a security hole that occurs when the connection between the web application and the database is incorrectly configured. Data records stored in the database can be accessed in this way.


A backdoor is a method tthat allows an attacker to bypass the standard WordPress login and access your website at any time via a code.

Denial-of-Service (DoS) Attacks

In DoS attacks, a server is deliberately bombarded with so many requests that the system can no longer cope with the tasks and, in the worst case, collapses.



This is something that is not said often enough. Update your wordpress and plugins versions! Wordpress, plugins and php show security vulnerabilities over time that are fixed with new updates. With the updates, these new security vulnerabilities are exposed and exploited within short time. That’s why it’s important to keep your WordPress, Plugins and PHP up to date!


Choosing the right host for your website is very important, because their server is the service you will be using to have your private data on. Thus, knowing your needs and trust are important decision points for choosing the right host. There are many security points to look out for in a host as an individual or agency, such as SSH, Database, SSL, Domain protection, DDoS protection, Backups, Firewall, Data validation, User Permissions, etc.


A firewall is located between the host’s network and all other networks and blocks unauthorized traffic. There are also web application firewalls to protect your WordPress site.

SSL Certificate

Since HTTP isn’t a secure protocol, it allows anyone with a little know-how to eavesdrop on your connection and even manipulate the data you send.

An SSL certificate prevents this by allowing your website to establish secure HTTPS connections with its visitors. This way, all data transferred between your website and its visitors is encrypted.


With scheduled backups, Wordpress sites can be reset in case of hacks and specific security issues can be checked. It is therefore recommended to perform weekly or even daily backups with a plugin or the host.

Secure passwords

I think it’s no secret that the most used password in 2021 was 123456. Using brute force attacks, weak passwords can be cracked within seconds. So it is recommended to use a password manager and let it generate the passwords. I recommend at least 12 characters, with numbers, upper and lower case letters and special characters.

No admin username

Since usernames already account for half of the credentials and would be another vulnerability for bruteforce attacks, it is recommended to rename the username “admin” to antother name. There are 3 ways to change the username for the administrator account:

  1. Create a new admin username and delete the old one.
  2. Use the Username Changer plugin
  3. Update username from phpMyAdmin


Disable indexing and browsing

To prevent hackers from finding out if you have files with known vulnerabilities that they can exploit to gain access, you need to disable indexing and browsing.

Paste the following code at the end of the .htaccess file:

Options -Indexes

Sanitize/Escape Data

To prevent hackers from using your input for malicious strings, you need to sanitize the special characters in the user’s input.

Sanitization is the process of cleaning or filtering your input data. Whether the data comes from a user, an API, or a web service, you use sanitization when you don’t know what to expect or don’t want to be strict with data validation.

The easiest way to clean up data is to use WordPress’ built-in functions.

The sanitize_*() set of helper functions is an effective way to ensure that your data is safe, and it requires minimal effort on your part:

WordPress has created well-written documentation on how to sanitize/escape data securely.


To make your WordPress website more secure, you should disable the execution of PHP files in directories where they are not needed.

Paste the following code in your .htaccess file:

<Files *.php>
deny from all

Disable File Edit

WordPress comes with an editor which allows you to edit your theme and plugin files right from your WordPress admin area. This can be a vulnerability in the wrong hands.

Paste the following code in your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

Block IP address

To block certain IP addresses from accessing your website, you can use a plugin or edit the .htaccess file.

Paste the following code in your .htaccess file:

order allow, deny
deny from (the IP address that you have noted)
deny from
allow from all

Disable XML-RPC

XML-RPC is a feature of WordPress that enables data to be transmitted, with HTTP acting as the transport mechanism and XML as the encoding mechanism and was enabled by default in WordPress 3.5.

XML-RPC can be vulnerable to brute force attacks because you can log in to the website.

Paste the following code in your .htaccess file:

<Files xmlrpc.php>
order deny,allow
deny from all
allow from all

Note: If you want to access and publish to your blog remotely, then you need XML-RPC enabled.


Change WP Prefixes

Wordpress standard prefix for all database tables is wp_ .Therefore, for hackers it is easier to get the name of your table if your WordPress website uses the default database prefix. For this reason, I recommend that you change it.

How to Change the WordPress Database Prefix to Improve Security

Hide your WordPress Version

If hackers know what version of WordPress you are using, they will know what vulnerabilities you are exposed to. That’s why I recommend hiding your WordPress version.

Paste the following code in your functions.php file:

function remove_version_info() {
return '';
add_filter('the_generator', 'remove_version_info');

function remove_wp_version_rss() {
return '';
add_filter('the_generator', 'remove_wp_version_rss');

Hackers can also scan your WordPress readme.html file to get to the WordPress version number.

That is why I generally recommend deleting this file.

Tighten the server access rights

Setting incorrect WordPress file permissions can cause you to inadvertently grant access to users other than you intended. In the worst case, this can allow an attacker to change the contents of an important file that they should not have access to.

It’s time to adjust the permission modes. To make things simpler, you’ll only need to remember the following:

  • All files should be 644.
  • All folders should be 755.
  • wp-config.php should be 600.
  • .htaccess should be 644 or 600.
sudo find . -type f -exec chmod 664 {} +
sudo find . -type d -exec chmod 775 {} +
sudo chmod 660 wp-config.php
sudo chmod 644 .htaccess



Limit Login Attempts stops brute force attacks on WordPress login and XMLRPC. These Plugins can block an IP after a limit of retries has reach, making attacks almost impossible.

Limit Login Attempts Reloaded
WP Limit Login Attempts + Captcha Verification

Auto logout

In order to automatically log out idle users in WordPress to avoid unauthorized users from accessing accounts or hijacking them I recommend a plugin for auto logout:

Inactive Logout
Idle User Logout

DDoS Protection

With Cloudflares plugin you have the possibility to use Cloudflare’s DDoS protection for free on your WordPress website (Layers 3, 4, 7). Normally, your hoster should block DDoS attacks with their services, but if you want a third party service protection, I recommend the Cloudflare plugin. (Free)