WordPress guide

Being used by one-third of the total websites, WordPress always manages to catch the eye of webmasters and malefactors. The extent to which attackers have been targeting WordPress in recent years is alarming and calls for action. Despite the attacks, WordPress Security is still a massively misunderstood and underappreciated concept which people conveniently tend to overlook. 

 However, in the wake of the chain of hacks & exploits on WordPress, a lot of people are coming to terms with the need to upgrade their WordPress security standards. But they often find themselves at sea deciding what security practices are legit and what aren’t. Don’t worry! We have done that for you. In this article, you will find the complete list of essential & actionable security measures for your WordPress website. Independent of your tech-savviness, these WordPress security measures can be easily applied by anyone.


WordPress Hacking Stats

WordPress is maintained by a group of competent developers. Still, it remains the most viciously attacked CMS in the world. Moreover, the danger that WordPress faces today is unparalleled. According to a study, more than 70% of WordPress websites are vulnerable to attacks. The recent hacks on WordPress plugins like GDPR and WP Live Chat have put thousands of websites at risk. And according to CVE Details, most of them are cross-site scripting attacks.

 As you can see in the graph, most sites were infected with XSS, followed by Code Execution. A popular belief is that only big websites are targeted by hackers. However, research has revealed that 40% of all attacks are targeted at small and medium websites.

Further, most of these attacks have little to do with the CMS itself but are a direct result of neglected WordPress security. According to Kinsta, 55% of hacked websites had outdated versions of plugins, themes or CMS.

The consequences of a hack can be disastrous for a business online and equally painful for other websites too. The attacker can meddle with your confidential & customer data, steal your credentials, misconfigure your website and what not. And if they get a hold of your financial/payment details you can be bankrupt too. Other consequences of a hack may include, mistrust in your brand, losing authority, domain value, and a downfall in the search rankings, etc.


How to Harden WordPress Security

Clearly, not paying due attention to WordPress security can have lasting aftereffects.  Building a worthy website requires time, effort and energy. But, all these efforts will turn into a fiasco if the security is not taken care of.

 And, protecting your website is much easier than you thought. If you diligently follow this list of WordPress security measures for your website, I guarantee that the risks will reduce to a bare minimum.

1. Back up your WordPress website regularly

No one can claim to be hack-proof on the internet. So, the first thing to do for your WordPress website is risk management. Plan beforehand for a scenario like a hack. In the event of a sudden hack on your website, backups can save you from a complete debacle. With good backups in store, you can confidently delete the hacked version and restore your website back to normal immediately.

The motive of a backup is to restore your website to its best working condition without delay in case of a hack. For a WordPress website, every backup should include the following files and folders and should be kept with a date and time stamp:

The WordPress Files

  • WordPress Core Installation
  • WordPress Plugins
  • WordPress Themes
  • Images and Files
  • JavaScript and PHP scripts, and other code files
  • Additional Files and Static Web Pages

a) The WordPress Database

For database backup, the MySQL command line can be used or administrative interfaces like phpMyAdmin.

Backups should be taken often and regularly. The frequency could vary from daily to weekly to monthly depending upon how often the website’s content is updated. Since a hack remains hidden for days, you must keep multiple backups (with time & date properly mentioned) for you might not know which backup is clean and which isn’t.

Verifying that the backup is functional is part of the process. In the end, make sure to test if the backup completes its motive and allows quick and full recovery of your working website.
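As an added example (not from the original article), the shell functions below take a timestamped archive of the WordPress files, dump the database with mysqldump, and check that an archive is intact and contains wp-config.php, wp-content and wp-includes before you rely on it. The function names, the archive naming and the use of sha256sum are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original article: timestamped WordPress backup
# with a check that the archive can be trusted for a restore.
# Function names, file names and the use of sha256sum are assumptions.

# backup_wp_files <wordpress_root> <backup_dir>
# Archives the whole install (core, plugins, themes, uploads) and prints the
# archive path. Keep <backup_dir> outside the web root.
backup_wp_files() {
    wp_root=$1
    dest=$2
    if [ ! -f "$wp_root/wp-config.php" ]; then
        echo "not a WordPress root: $wp_root" >&2
        return 1
    fi
    mkdir -p "$dest" || return 1
    name="wp-files-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$dest/$name" -C "$wp_root" . || return 1
    # Record a checksum so later corruption or tampering is detectable.
    (cd "$dest" && sha256sum "$name" > "$name.sha256") || return 1
    chmod 600 "$dest/$name" "$dest/$name.sha256"
    echo "$dest/$name"
}

# backup_wp_db <db_name> <db_user> <backup_dir>
# Dumps the database with a timestamp; mysqldump prompts for the password.
backup_wp_db() {
    out="$3/wp-db-$(date +%Y%m%d-%H%M%S).sql"
    mysqldump --single-transaction -u "$2" -p "$1" > "$out" || {
        rm -f "$out"
        return 1
    }
    gzip "$out" && chmod 600 "$out.gz" && echo "$out.gz"
}

# verify_wp_backup <archive>
# Succeeds only if the checksum still matches and the archive lists the
# parts a restore needs.
verify_wp_backup() {
    dir=$(dirname "$1")
    name=$(basename "$1")
    (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1) || return 1
    listing=$(tar -tzf "$1") || return 1
    for part in wp-config.php wp-content/ wp-includes/; do
        printf '%s\n' "$listing" | grep -q "^\./$part" || return 1
    done
}

# Demo on a constructed site tree when run without arguments.
if [ $# -eq 0 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/site/wp-content/uploads" "$demo/site/wp-includes"
    echo '<?php // constructed sample' > "$demo/site/wp-config.php"
    archive=$(backup_wp_files "$demo/site" "$demo/backups") &&
        verify_wp_backup "$archive" && echo "verified: $archive"
    rm -rf "$demo"
fi
```

A passing check only shows that the archive is complete and unmodified; restoring it to a staging copy is still the real test of recovery.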

Now, there are different ways to do a backup of your WordPress website:

b) How to do Manual backup of WordPress

In a manual backup, you would need to compress your website files & download them to your local device. Now, backing up manually can prove to be a tedious & time-consuming task. You have to carefully monitor the download of each & every file. Further, you have to keep track of timely backups. Properly managing all the files on your device is another thing to consider.

You can skip all this and use a WordPress plugin instead. Plugins like UpdraftPlus, BackupBuddy, etc. automate the whole process of backing up and are easy to use. The one free alternative offering full backup capabilities that stands out of the list is BackWPup.

c) WordPress backup through cPanel 

Another option is to back up through cPanel. Here is how you can do this:

  1. Log into your cPanel control panel.
  2. Click on the “Backup” icon.
  3. Select “Generate / Download a Full Backup”.
  4. Select “Home Directory” in “Backup Destination” and enter your email address, before clicking the “Generate Backup” button.
  5. You’ll receive an email when the backup is ready.

d) Cloud Backup of your WordPress

Backing up on the cloud is the most convenient way of backing up a WordPress website. Various cloud services like Amazon S3, Dropbox, stash, etc. simplify the backup procedure.

2. Update your WordPress CMS, Plugin & Themes

The easiest way to start securing your website is to update it to the latest versions. Every update, whether it is for the core CMS, plugins or themes, comes with security patches and mended vulnerabilities. Top security experts believe that just keeping your website up to date eliminates most of the risks.

A major update can sometimes break some functionalities of a website. Hence, always take a backup and put your website in the maintenance mode before initiating a major update.

 Moreover, the WordPress core has three different types of updates:

  • Core development updates, known as the “bleeding edge”
  • Minor core updates, such as maintenance and security releases
  • Major core release updates

Most minor releases are automatically updated by WordPress in the backend. It is only the major core releases that you have to take care of. In addition to that, you have to update the themes and plugins too.

Again, there are two ways to update core, themes, and plugins – Manual & Automated. Both the methods have been explained below –

a) Manual

Core Update – Updating a WordPress website is pretty easy. WordPress automatically installs all the minor patches. You have to look after only the major version updates. To do this,

  1. Log into your wp-admin
  2. Go to the Updates section.
  3. See if there are updates available. If there are, update all of them.

 b) Themes and Plugins Update –

To update the themes and plugins, follow the following process,

  1. Log into your wp-admin
  2. Go to the Updates section.
  3. See if there are updates available. If there are, update all of them.

c) Automated

Core Update –

As discussed already, WordPress by default automates the minor security patches. However, you can override those changes by editing the wp-config.php file and adding or modifying the following statement

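// true turns on automatic updates for all core releases; 'minor' is the default, false turns them off
define( 'WP_AUTO_UPDATE_CORE', true );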

For the major updates, you need to check the updates section in your WordPress backend and initiate if available.

d) Themes and Plugins Update –

The themes and plugins can be updated automatically using filters. The best place to put a filter is in a must-use plugin. WordPress doesn’t recommend putting filters in the wp-config.php file because of conflicts with other parts of the code.

To enable automatic updates for themes and plugins, add the following code

add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );


3. Update your PHP, to the latest version

Speaking of updates, there is another update that you need to take care of – the PHP version. PHP is the core programming language of WordPress and updating it to its latest stable version will help enhance your WordPress security.

If you are using version 7.0 or older, you do not have security support and are susceptible to known and unpatched vulnerabilities. The latest PHP version is 7.3 and you must update to that.

Note: The PHP version 7.2 will no longer be supported after November 30, 2019.

Here is how you can do it:

  1. Log into your cPanel
  2. Navigate to the Software section. Click on PHP configuration
  3. Next, select the latest stable version of the PHP and click on update.
  4. Review the changes in phpmyinfo

4. Remove defunct Plugins/themes

If you have not used a plugin for the longest time, you must get rid of it to secure your WordPress. This is because even if the plugin is no longer in use or is disabled, its files still exist. Further, attackers could exploit a known vulnerability in those plugins and themes. Hence, delete the defunct plugins & themes.

Here is how you can do that:

  1. Log into your WordPress dashboard
  2. Go to the Plugins section
  3. Identify the inactive plugins, and delete them.

5. Install a WordPress Firewall

A firewall is a continuous monitoring system for your website. It detects and blocks malicious traffic from coming to your website. Need I say, that monitoring your website continuously is humanly impossible.

Although there are scores of firewalls to choose from, you should only go for the hacker-tested ones. Astra’s Firewall is a rock-solid option that will protect you in real-time against cyber attacks with NO DNS configuration change.



Here are the distinct features of the Astra firewall:

  • Filtering good traffic from bad traffic and blocking unwanted web traffic.
  • Blocking incoming threats like SQLi, brute force attacks, CSRF, DDoS attacks, LFI, RFI, Cross-site scripting, bad bots, Spam, and other zero-day exploits
  • Apart from being intuitive, it is also an intelligent firewall that detects patterns of attacks and configures itself for the next attack.
  • The Astra firewall is also a great way to block/whitelist IP addresses.
  • Further, Astra’s WAF also enhances the speed and performance of a website.

Speed and security are two desirable aspects of website security and a firewall improves both. Moreover, in this growing age of online threats and attacks, a firewall is a must.

6. Host Your Website on A secured server

The hosting server plays an important role in the security of your WordPress website. Choosing a host wisely can be a game-changer in WordPress security. While selecting a server you must consider the following:

  • Authority
  • Reviews and ratings
  • Support
  • Customization
  • Loading time

7. Customize the login page

Protecting your login and admin pages is another way to secure your WordPress. Attackers can break into your website through brute-forcing if it is left unsecured. Now, brute-force attacks use the hit and trial method to guess the combination of username and password of your website at a freakingly high speed.

Set strong and unique usernames & passwords for each of these pages. Avoid using an obvious username like ‘admin’, your website’s name, your own name, a proper word that could be found in the dictionary. Same goes with the passwords, refrain from using ‘Password’, your own name, your website’s name, etc as your password.


8. Set correct user roles

Not all users need to have all the privileges in your WordPress. You can distribute the required roles for each user according to their responsibilities on the website. You can better control and monitor who does what on your website with these roles. By default, WordPress defines six roles namely, in the descending order of their powers – Super administrator, administrator, Editor, Author, Contributor, and Subscriber.

 You can use the predefined set of user roles or can create custom roles as per your needs. The predefined can be assigned from the dashboard itself, whereas for custom roles a plugin would be needed. The User Roles Editor plugin is best suited for this.

 Here is how you can define custom user roles with this plugin:

  1. Install the plugin ‘User Role Editor’
  2. Go to ‘Users’ > Other roles
  3. Define/add custom roles for a particular user.

9. Protect wp-config File to harden WordPress security

 wp-config.php contains the configuration details of your WordPress website. Any compromise of this file can break your website completely. Hence, the wp-config file should be handled with extra care and must be secured with utmost urgency. Further, it also stores sensitive information about WordPress database credentials.

Some ways to secure the wp-config file are:

  • Moving it outside the root folder
  • Blocking internal access and code modifications to your wp-config.php
  • Modifying the default wp-config.php File
  • Setting 400 permission in the wp-config.php file. This means that the user and groups have permission to only read and others have no access at all.

10. Restrict Access To wp-admin

The wp-admin is the administrator area of your website. It can be said that it is the controller of your website. Hackers constantly try to brute-force it to hijack the whole website. This makes it vital to secure the wp-admin area to tighten your WordPress security. You can secure your wp-admin area as follows:

Restricting access and allowing only select IP addresses to your admin page is one way to secure it. This way, any unknown IP automatically gets blocked. In your wp-admin folder, create a .htaccess file and paste the following code there:

# Apache 2.2 syntax (no space after the comma); on Apache 2.4 use "Require ip xx.xx.xx.xx" instead
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx

Edit the xx.xx.xx.xx to contain your IP address. For multiple IP whitelisting, repeat the “Allow from” in the next line and so on.

Usually, there is a Register link on your WordPress login page. Disable this Registration form to discourage access to wp-admin. 

 11. Update WordPress security keys

Secret security keys ensure the security of cookies in your WordPress website. You must set up security keys to discourage cookie theft and impersonation of users. After you have set the secret security keys, all current sessions are nullified and users are required to re-authenticate. Above all, the administrator must change the security keys if they are compromised or even suspected of being compromised.

You can generate secret keys both manually as well as with the help of an online key generator. WordPress also has its official secret key generator. Generate keys from here and paste these keys in the wp-config file and you are good to go.

12. Create a unique database prefix

WordPress database is the area where important information/data regarding the website and users sits. Quite obviously, this makes it a desired target. By default, the wpdb contains 11 tables which include tables for – users data, site URLs, posts, pages, comments, etc.

Further, all these tables have the universally known default prefix wp_ before them. The names of these tables are also commonly known. In case of improper validation and sanitization rules for query insertion, a hacker can run SQL commands to fetch data from known database tables.

In order to secure the database, you must change the database prefix to something else. Moreover, changing database prefix at the time of installation is the ideal way. However, if you haven’t changed it then, you can also change it by SQL command or with the help of a plugin. Both of these methods are depicted below:

a) Manual

As mentioned earlier, the database prefix can be changed with the help of SQL, by running a series of commands. For the detailed instructions and procedure, follow this link.

b) Automated

There are several plugins on WordPress that help in automating this whole process of prefix change. One such free plugin is the change table prefix plugin.
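The checks from sections 11 and 12 can be run against an existing wp-config.php. This added example (not from the original article or from WordPress) reports any of the eight secret keys and salts that are missing, still hold the sample file's placeholder text or are shorter than 32 characters (a threshold assumed here), and flags the default wp_ prefix; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article: audit wp-config.php for
# missing, placeholder or short secret keys and for the default table prefix.
# The 32-character minimum is this example's own assumption.

WP_SECRET_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# audit_wp_config <path/to/wp-config.php>
# Prints one finding per line and returns 0 only when there are none.
audit_wp_config() {
    cfg=$1
    findings=0
    for key in $WP_SECRET_NAMES; do
        # PHP keeps the first define() of a constant, so look at the first match.
        line=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]${key}['\"]" "$cfg" | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING $key"
            findings=$((findings + 1))
            continue
        fi
        # Pull out the quoted value that follows the first comma.
        value=$(printf '%s\n' "$line" |
            sed -E "s/^[^,]*,[[:space:]]*['\"](.*)['\"][[:space:]]*\)[[:space:]]*;.*/\1/")
        if [ "$value" = "put your unique phrase here" ]; then
            echo "PLACEHOLDER $key"
            findings=$((findings + 1))
        elif [ "${#value}" -lt 32 ]; then
            echo "SHORT $key"
            findings=$((findings + 1))
        fi
    done
    prefix_line=$(grep -E '^[[:space:]]*\$table_prefix[[:space:]]*=' "$cfg" | head -n 1)
    case $prefix_line in
        *"'wp_'"* | *'"wp_"'*)
            echo "DEFAULT_PREFIX wp_"
            findings=$((findings + 1))
            ;;
    esac
    [ "$findings" -eq 0 ]
}

# write_sample_config: constructed wp-config.php excerpt with four problems.
write_sample_config() {
    cat <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'constructed-sample-1-0123456789abcdefghijklmnopqrstuvwxyz' );
define( 'LOGGED_IN_KEY',    'tooshort' );
define( 'NONCE_KEY',        'constructed-sample-2-0123456789abcdefghijklmnopqrstuvwxyz' );
define( 'AUTH_SALT',        'constructed-sample-3-0123456789abcdefghijklmnopqrstuvwxyz' );
define( 'SECURE_AUTH_SALT', 'constructed-sample-4-0123456789abcdefghijklmnopqrstuvwxyz' );
define( 'LOGGED_IN_SALT',   'constructed-sample-5-0123456789abcdefghijklmnopqrstuvwxyz' );
$table_prefix = 'wp_';
EOF
}

# Audit the given file, or the constructed sample when run without arguments.
if [ $# -gt 0 ]; then
    audit_wp_config "$1"
else
    sample=$(mktemp) && write_sample_config > "$sample"
    audit_wp_config "$sample" || echo "fix the findings above"
    rm -f "$sample"
fi
```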

13. Limit login attempts

Another way to protect your WordPress admin area from brute-force is to limit the number of login attempts on it. Plugins like Limit login attempts & Loginizer may come in handy for this.

14. Additional authentication factors

To secure your website even more, two-factor authentication is a smart tool. This tool ensures the true identity of a user on your website by requiring more than a password to log in. This way, it prevents any fake, unauthenticated user from accessing it, even if they happen to guess your password. The two-factor authentication plugin is a great way to apply this security on your website.

15. Setup automatic logout plugin

Not all users on your WordPress are careful and vigilant enough to logout after each session completion. The stealing of cookies and session hijacking also make for major attack vectors on WordPress. You must set an automatic logout so that all the idle customers are logged out of the website.

16. Strengthen your passwords

It may look too obvious a security measure, but even then many neglect this. Always opt for unique and strong passwords for your WordPress accounts. Also, refrain from using the word password, admin and proper words from the dictionary as your passwords. Make sure that your password is a combination of letters (upper and lower case), numbers and special characters.

17. SSL data encryption for WordPress Security

Having an SSL (Secure Socket Layer) certificate for your website’s domain adds to its authority and security. It encrypts data transfer between the user and the server. Since Google rankings started getting affected by HTTPS, a lot of authorization companies sprouted. However, not all of these are deemed authoritative by Google. Hence, you must get the SSL certificate from a verified and trusted source.

Further, not redirecting all of your web pages to HTTPS can also have adverse effects on your website. Having both HTTP and HTTPS pages in a website is known as Mixed Content. Now, Google regularly flags websites for mixed content. Thus, make sure to redirect all your pages to HTTPS.

18. Control Comments

WordPress is infamous for pervasive spammy comments. Hence, you must carefully review comments before allowing them on your website. Moreover, you can either disable comments altogether or add several conditions to block spam. This requires manual effort. You can also choose a plugin like Akismet to do the job.

19. Set Strict Files  & Folder Permissions to ensure WordPress Security

You can achieve another WordPress security milestone by setting stricter files and folder permissions. The recommended file/folder permissions for different files/folders are:

  • For wp-config.php = 400
  • For uploads folder = 755
  • For .htaccess files = 400
  • For wp-content = 755
  • For wp-includes = 755
  • For index.php = 444
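To check an install against the list above, this added example (not from the original article) reports every listed path whose mode differs and, going beyond the list, any world-writable path; fix_wp_perms applies the listed modes. The function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article: compare a WordPress tree with
# the modes listed above and report world-writable paths as well.
# 400 = owner read only, 444 = read-only for everyone, 755 = owner rwx, others r-x.

# Expected octal mode per path, relative to the WordPress root (from the list).
wp_expected_modes() {
    cat <<'EOF'
wp-config.php 400
.htaccess 400
index.php 444
wp-content 755
wp-content/uploads 755
wp-includes 755
EOF
}

# mode_of <path>: octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_wp_perms <wordpress_root>
# Prints one finding per line and returns 0 only when nothing needs fixing.
audit_wp_perms() {
    root=$1
    bad=0
    while read -r rel want; do
        if [ ! -e "$root/$rel" ]; then
            echo "ABSENT $rel"
            continue
        fi
        have=$(mode_of "$root/$rel")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $rel have=$have want=$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$(wp_expected_modes)
EOF
    # Not on the page's list: anything every local user may write to.
    loose=$(cd "$root" && find . ! -type l -perm -0002 -print | sort)
    if [ -n "$loose" ]; then
        printf '%s\n' "$loose" | sed 's/^/WORLD_WRITABLE /'
        bad=$((bad + 1))
    fi
    [ "$bad" -eq 0 ]
}

# fix_wp_perms <wordpress_root>: apply the listed modes to paths that exist.
fix_wp_perms() {
    wp_expected_modes | while read -r rel want; do
        if [ -e "$1/$rel" ]; then chmod "$want" "$1/$rel"; fi
    done
}

# make_sample_tree <dir>: constructed install with two deliberate problems.
make_sample_tree() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
    chmod 755 "$1" "$1/wp-content" "$1/wp-content/uploads" "$1/wp-includes"
    for f in wp-config.php .htaccess index.php wp-content/uploads/note.txt; do
        : > "$1/$f"
    done
    chmod 644 "$1/wp-config.php"                  # too open: want 400
    chmod 400 "$1/.htaccess"
    chmod 444 "$1/index.php"
    chmod 666 "$1/wp-content/uploads/note.txt"    # world-writable
}

# Audit the given root, or a constructed sample tree when run without arguments.
if [ $# -gt 0 ]; then
    audit_wp_perms "$1"
else
    sample=$(mktemp -d) && make_sample_tree "$sample/site"
    audit_wp_perms "$sample/site" || echo "fix the findings above"
    rm -rf "$sample"
fi
```

ABSENT lines are informational only, since .htaccess may not exist and wp-config.php may have been moved outside the root as section 9 suggests.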

20. Hide the WordPress version number

Known vulnerabilities in different WordPress versions are easily available on the internet. These databases serve as a treasure for hackers. They use bots/botnets to hunt for WordPress websites with these outdated versions. Once a bot reaches your website, the first thing it looks for is its version number and the vulnerabilities listed for it. When they do find one such website, they exploit the vulnerability.

 You can protect your website from these attacks by simply hiding your WordPress version number.


Hide the WordPress version number from Generator meta tag,

  1. Navigate to your root directory
  2. Go to /wp-content/themes/ directory
  3. In the functions.php file, add the following line of code

    remove_action('wp_head', 'wp_generator');

Hide the WordPress version number from the default RSS feeds as follows

  1. Navigate to your root directory
  2. Go to /wp-content/themes/ directory
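  3. In the functions.php file, add the following lines of code at the bottom

    function remove_wp_version_rss() {
        // Return an empty string so the feeds carry no generator/version tag
        return '';
    }
    add_filter('the_generator', 'remove_wp_version_rss');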

There are also plugins available which hide the WordPress version number. We recommend using the Meta Generator and Version Info Remover plugin.

21. Disable PHP execution when not needed

While WordPress automatically runs PHP file execution for all directories of the website, it’s best that you disable it for such directories as /wp-content/uploads/. You’ll be able to do this using FTP access. Here is how:

  1. Access your website with FTP
  2. Navigate to /wp-content/uploads/ directory
  3. Paste the following code and save the file as .htaccess.
    <Files *.php>
    deny from all
    </Files>

22.  Improve hardware protection

It’s only logical to protect the hardware you are accessing your website with. A non-secured PC with security vulnerabilities serves as a way for hackers to enter your website. Ensure that your gadget is well-protected by a firewall and installed anti-virus software. This will not only block WordPress attacks but also any incoming online security threats.

Just as defunct plugins are a problem for a website, obsolete & defunct applications are an invitation to threats too. Thus, remove all unnecessary/obsolete applications from your device.

Most applications ask for different permissions right after you install them. As a rule of thumb, try giving the least privileges to them.

23. Disable script injections

Disallow script injections to prevent hackers from injecting malicious code into existing PHP documents. You can disable the script injections by adding the following code:

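# Apache mod_rewrite rules for .htaccess: answer 403 to query strings that
# carry <script> tags or try to set GLOBALS / _REQUEST.
# Only the query string is inspected; POST bodies are not.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]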

24.  Download plugins from reputable sources

Not all the plugins have dedicated developers behind them. A lot of plugins on WordPress aren’t even maintained that often. So, before opting for any random plugin by a third party you must consider the following points:

  • Reviews and ratings
  • Last update and the frequency of updates
  • Support

25. Scan for malware regularly

Monitoring your website is as important as securing it. Having a proactive malware scanner which scans your website periodically is crucial for WordPress security. Scanning your site every once in a while for viruses and malware keeps you updated on the well-being of your website.

Astra’s machine-learning powered malware scanner is a perfect fit for this. Other scanners include:

Google Safe Browser

Virus Total

By scanning the website, you’ll be able to detect the risk of security breaches instead of having to deal with actual attacks as they happen.

26. Security Audit

Even after you have applied every security measure on your site, it still needs regular maintenance. A premium security audit can greatly help you here. Every now and then your website needs to be checked for new vulnerabilities and broken security.

Astra’s Vulnerability Assessment and Penetration testing program has engineers look into your website for possible vulnerabilities. In a security audit like this, your source code, plugins, and themes are thoroughly audited. It also uncovers loopholes and backdoors in your website.



The WordPress security measures listed in this guide here are security gospels. You must persevere to apply and maintain these on your WordPress site for enhanced security. These WordPress security tips will ensure that your website remains protected from online threats.


About The Author

Ananda Krishna

Ananda is a security researcher at Astra. Working in the cybersecurity field for more than six years, he possesses acute knowledge of the subject. Moreover, he has been invited to share awareness of cybersecurity in numerous seminars.
