WordPress Security 15 Steps to Secure & Protect Your Site

Secure & Protect Your Site

Written by Jeremy Earle, JD

May 17, 2022

What to do if your WP site is hacked? These 16 security recommendations will help you learn how to safeguard your site.

It’s impossible to find a WordPress-specific kind of security. Website and application security issues are the same for everyone.

Because WordPress is open source and runs 40% of the web, its security issues are of enormous importance. When a flaw in WordPress or one of its plugins is discovered, other websites that utilize the platform are also at risk since they share the same source code.

On the other hand, there are several plugins available to help strengthen the security of your website.

While this essay focuses on hardening WordPress sites against specific vulnerabilities, the principles discussed here may be applied to any form of online application.

Preventing WordPress Security Vulnerabilities

Vulnerabilities of the following sorts are the most common:


Pharma swindlers.

Attempts to log in via Brute Force.

Deceptive Links.

Web Scripting Over the Web (XSS).

Denied Access (DDoS).

Although these are the most prevalent security flaws, they are not the only ones. When it comes to security, it’s essential to consider holistically.

There is no such thing as a one-size-fits-all approach to hacking a website. There are a variety of ways attackers might access your site.

There are several ways for them to get access to your computer, such as stealing your PC. When using a public network to access your website, they may spy on your passwords using surveillance tactics.

To make things a bit more difficult for attackers, let’s look at how to harden our WordPress installations.

Here are 16 additional strategies to protect your WordPress site against cyberattacks:

Ensure that your website is secure by using HTTPS.

Ensure that your passwords are strong.

Keep your passwords safe using password managers.

Login forms should have Captcha enabled.

The goal is to stop brute-force logins.

Authenticate using two-factor verification.

Make sure your plugins are always up to date.

Make sure that your HTTP headers are secure.

Make sure WordPress files have the necessary permissions.

WordPress should not be able to alter files anymore.

Disable any features that aren’t essential.

Hide the WordPress version

WordPress firewall installation is a must.

Always have a copy of your data in a safe place.

Use the SFTP protocol.

Track the activity of your users.

1. Use HTTPS to Protect Your Website

Our first step will be to secure the website using HTTPS.

Wire wires and the network carry everything you do.

The data sent between the browser and the server over HTTP is plain text. Anyone who has access to the network between your server and browser may see your unencrypted data.

If you don’t secure your connection, you put yourself and your company in danger. Even if an attacker gains access to your network, they will not read the data delivered thanks to HTTPS, which encrypts it.

Enabling HTTPS is the first step to safeguarding your website. Use this tutorial if you haven’t converted your WordPress site to HTTPS.

Tools and Plugins for HTTPS Migration in WordPress

Search Replace is better.

Script for finding and replacing records in a database.

2.Ensure that your passwords are strong.

Weak or pwned passwords are the most frequent method hackers gain access to websites. A brute-force assault is more likely if you have them.

Using strong passwords is the most effective technique to increase your website’s security.

Ensure that your passwords are strong and that they haven’t been hacked by routinely checking whether they’ve been compromised.

Plugins for WordPress to Improve Password Security:

Pwned Passwords can’t be used.

Password Policy Manager may be downloaded.

bcrypt is the password algorithm.

When it comes to password storage, use password managers.

Anyone might be observing what you type on your laptop or capturing your credentials when you connect in from a public network.

Use password managers to store and access your credentials in a safe and convenient location.

Your credentials will remain safe even if your computer is hacked. Browser-based password managers, not WordPress plugins, are the norm these days.

3.Add-ons for Password Managers:




4.On the Login and Registration Form, add a CAPTCHA.

You’ve already made things difficult for hackers by securing your website with HTTPS and using strong passwords.

CAPTCHAs may be added to login forms to make it even more challenging.

Login forms using captchas are far more secure against brute-force assaults.

Captcha Plugins for WordPress:

reCAPTCHA is not required for login.

Use reCAPTCHA to protect your account login.

5. Prevent Login Attempts by Brute Force

It is possible to defend yourself against brute-force attacks to a certain extent by using a CAPTCHA on your login page. Captcha tokens are often valid for a short time after they have been solved.

ReCaptcha services like Google ReCaptcha have a two-minute validity. Attackers may use these two minutes to perform brute-force login attempts on your login form.

You may fix this issue by blocking unsuccessful login attempts by IP address.

Anti-Brush-Force WordPress Plugins:

WordPress limits the number of times a user may log in.

Reloaded limit on login attempts.

6. Enable Two-Factor Authentication (2FA)

You are better secured with strong passwords and captchas on login forms.

However, what if your website’s password was caught on camera by hackers using surveillance methods?

Two-factor authentication is the only way to safeguard your website from hackers if they already know your password.

7.Two-Factor Authentication Plugins for WordPress:


Google’s Authenticator.

WP Two Factor Authentication (2FA, MFA).

Updating WordPress and its plugins is essential.

WordPress core and plugin vulnerabilities are often discovered and reported. Make sure your plugins are up-to-date to avoid websites being hacked via known and documented weaknesses in files.

Automatic updates should not be used since they may damage your websites without awareness.

That being said, it’s highly recommended that you activate WordPress core’s minor updates in wp-config.php since these updates contain security fixes for the core.

A small update to the core of WordPress is all that is required.

8.Ensure that your HTTP headers are secure.

When browsing a website, security headers provide an additional layer of security by limiting what may be done between the browser and the server.

Security headers have been included to prevent clickjacking and cross-site scripting (XSS) attacks.

The security headers are.

Transportation Security (HSTS).




Get the Metadata Headers from the server’s memory.





We won’t go into great detail about each security flag, but here are a few plugins that may help.

Plugins to Add Security Headers to WordPress:

Website security is improved by using HTTP headers.

Headers for GD Security.

9.Ensure that WordPress files have the correct file permissions.

File permissions are the restrictions that govern how your WordPress files may be read, changed, and executed on the operating system that hosts them. This kind of protection is critical, particularly if you’re using shared hosting for your website.

If the wp-config.php file on a shared hosting account is configured wrong, an attacker may read any information in the file and take full control of your website when one of the websites on the shared hosting account is hacked.

There should be no files less than 644.

The default folder size should be 775 for all directories.

WordPress’s wp-config.php should be at least 600 characters long.

The web server (WordPress) may alter, delete, and read files and directories under your hosting user account.

wp-config.php is not accessible to other users. If the default value of 600 in wp-config.php crashes your website, try 640 or 644.

10.Disable WordPress’s File Editing Capabilities

You can change files in the WordPress admin backend, a well-known capability.

It isn’t essential since most developers already use SFTP and seldom utilize this method.

11.Eliminate All Unwanted Features

Many of the built-in features in WordPress are purely optional. WordPress, for example, has an XML-RPC endpoint for interacting with third-party apps. This endpoint may be used for brute-force logins by attackers.

The plugin Disable XML-RPC-API may be used to disable XML-RPC.

Another problem with WordPress is that it provides a REST-API endpoint to list all its users.

A list of user names and IDs may be found by appending “/wp-JSON/wp/v2/users” to any WordPress installation.

By putting this line of code into functions.php, you may turn off the REST API for your users.

12.Hide the WordPress Version Number

The version of WordPress is automatically included in the HTML of the page by the WordPress software. It provides an extra piece of information to the attacker, namely the version of WordPress you have installed.

Because the hacker knows you’re running on a WordPress version that’s been shown to be vulnerable, he may utilize that approach to get into your site.

Plugins to Hide WordPress Version Meta Tags:

A Meta Generator and Version Information Remover. ‘

Dawson’s WP Generator Remover.

13.WordPress Firewall: a must-have plugin

If you want to protect your website from hackers, you need a firewall. To eliminate any requests that could be harmful, it uses complex reasoning.

It is possible to override the firewall’s built-in rules to block requests. SQL injection is one of the most popular sorts of attacks.

Assume you’ve installed and activated a WordPress plugin that is susceptible to SQL injections. Even if the attacker knows about the plugin’s security issue, he will not hack the website if you have a firewall in place.

This is because the firewall blocks SQL injections.

Those requests from the IP address will be blocked by firewalls, preventing more potentially harmful requests from arriving. If too many requests come from the same IP address, firewalls may stop DDoS assaults.

DNS-level firewalls may also be used to protect web servers before queries are sent to them. Cloudflare’s DNS firewall is one example.

This approach benefits from being more resistant to Distributed Denial of Service (DDoS) assaults.

HTTP requests can get through the server’s application-level firewalls, which then block them. Server resources are being used for this purpose.

DNS-level firewalls are more resilient to assaults since they don’t use server resources.

14.WordPress Plugins for Creating a Firewall:

Protect your data using Wordfence’s security.


Security and Firewall for WordPress.

A bulletproof security.

Protect your data with the use of a shield.

In this case, instead of downloading the plugins as mentioned above, you may choose to employ firewall features such as login brute-force protection or two-factor authentication (2FA).

Keep a copy of your data in case anything goes wrong.

If your website gets hacked, the best thing you can do is restore it from the most recent version that wasn’t affected.

Cleaning up a website may be time-consuming if you don’t keep backups. And in rare circumstances, the virus may have deleted all of the data, making it impossible to recover all of it.

Do frequent backups of your website’s database and files to prevent this.

Set up regular backups with your web host’s support team and use them. To perform backups, you may install the following plugins:





15. Use SFTP to transfer files.

It’s likely that most web developers already use SFTP to connect to web servers, but just in case you haven’t, this should serve as a reminder.

SFTP, like HTTPS, encrypts data before it is sent over the network, making it very hard to decode even if the recipient has network access.

  1. Keep an eye on what your users are up to.

We’ve covered a slew of strategies for keeping your website safe from intruders. However, what happens when a member of your staff with administrative privileges on the website makes dubious additions to the information, such as links?

A dishonest employee cannot be discovered using any of the techniques as mentioned earlier of investigation…

This may be accomplished by keeping an eye on the event logs. You may discover that one of the workers updated an article that they weren’t supposed to be analyzing each user’s behavior.

Investigate any unusual activities to check if any alterations have been made.

16.WP Plugins for User Activity Tracking:

Log of Activities

Log of user activities.

A record of every activity on your site is kept in the WP Activity Log.

Maintain in mind that certain plugins may need a time restriction (or limit the number of records they keep). If you have too many, your database will be overburdened, which can slow down your website’s pace.

You’ve Been Hacked. What Now?

No matter how well you defend your website and how many security experts tell you to do so, hackers still happen.

If your website has been hacked, the following procedures must be taken:

To prevent your website from being hacked, you should first change the passwords to all of your email accounts and other personal accounts.

Make a fresh copy of your website from the most recent non-hacked backup.

All website users’ passwords must be reset.

If there are any new plugins, be sure you install them.


When it comes to security, consider all angles. Make it clear to your staff that if they don’t adhere to security policies, the firm will suffer.

In the event of a breach, you should restore your website from a backup and update all of your website and email passwords as soon as possible.

You May Also Like…