WordPress securty best practices  – 2019

Keep WordPress up-to-date (duh)

When you login to the wordpress dashboard and see that “Update available” banner, click it and update your site. If you’re not sure about something breaking, make a backup before installing it. The important thing is that you do it, and with regularity. Information about any security holes that were fixed from the previous version are now available to the public, which means an out of date site is all the more vulnerable.

Recommedation : enable core wordpress auto update

Keep plugins and themes up-to-date

Just as you update the WordPress Core regularly, you should also update plugins and themes. Each plugin and theme installed on your site is like a backdoor into your site’s admin. Unless properly secured (vetted thoroughly, updated regularly, etc), plugins and themes are like an open door to your personal info.

Recommedation :  Set Plugins and Themes to Update Automatically when ever possible. License and register all premium plugins.


Delete all  plugins or themes you’re not using. 

Along the same line of thinking as what’s listed above, getting rid of any plugins or themes you don’t need will reduce the likelihood of being hacked. If you’re not using them, you’re not going to want to update them, so it’s a much better idea to delete them.

Recommedation:  Deactivating plugins isn’t enough; you must actually click “Delete.”


Secure file permissions.

Avoid configuring directories with 777 permissions. If any plugin demands this setting, please don’t use them. There is always alternative plugins.

Recommedation  : You should set directories to  755 or 750, instead, according to While you’re at it, set files to 640 or 644 and wp-config.php to 600.


Recommedation  : Never use “admin” as a username. 

If you’ve already installed WordPress using “admin” as your username or something else very simple, you can change it by inputing an SQL query in PHPMyAdmin .  Its recommended to make the username hard to guess just like the password.

Also its recommended to hide author usernames from appearing under posts and pages. It gives away usernames in the database to hackers making it easy to plan a brute-force attack on the password.


Change your password often  and make them really strong

Random strings of letters and numbers are best. If you don’t feel like coming up with something manually, you can use a password generator to accomplish the task like

Norton Password Generator or Strong Password Generator.  Also wordpress user manager generates real strong passwords.


Recommedation   : Add two-step authentication to backend.

A really good way to prevent brute force attacks is to set up two-step authentication. This means a password is required plus an authorization code that is sent to your phone in order to login to your site. Often, the second login code is sent via SMS. Several plugins can be used to add this feature including ClefGoogle Authenticator, and Duo Two-Factor Authentication.


Recommedation  : Limit login attempts. 

The brute force attack is tactic #1 for hackers. If you let them, they’ll try to login to your site over and over again until they crack your password. That’s why it’s called “brute force” because the onslaught is relentless. However, there are plugins that allow you to limit the number of times a person from a specific IP can attempt to login within an allotted period of time. The user is restricted from attempting to login again for a given period of time. Login LockDown is great for offering this feature but other plugins that offer a whole set of security features often include login limiting like iThemes Security and Sucuri Security.


 Limit user access . 

A good rule of thumb is to only grant access to those who absolutely need it and even then, only give them the bare minimum of permissions to complete their assigned tasks.  WordPress allows creation of non-admin backend users, assign editor roles to everyone who are not technically capable to tweak the website global settings is recommended.

Recommendation :  Create less Administrator accounts and downgrade other accounts to bare minimum permissions to carry out their work.


Backup your site. 

Scheduled backups are an essential part of any site’s security strategy because it ensures that if your site is compromised, you’ll be able to restore it to a version prior to the damage with ease. Choose an automated solution with built-in restore options.

Recommedation:  offsite backup like DropBox or GDrive is a must.


Check for theme authenticity and conduct security scans. 

Just as you install an antivirus software on your desktop or laptop  to check for malware, so too should you install a scanner on WordPress. A security scanner will check for malicious code in your plugins, core files, and plugins to ensure nothing has been tampered with. Several scanners exist that you may wish to consider including Sucuri SitecheckCodeGuardTheme Authenticity Checker, and AntiVirus.

Themes bought from theme stores like Themeforest releases security patches time-to-time fixing major security issues in their themes. Be sure to subscribe to their mailing lists and know as the updates are released and update asap.


Limit Admin Access to limited known IPs / computers   (extreme measure)

This can really make life hard for admins to since only computers with a static IP can be used to access the wordpress backend  like from a office computer. Most of the mobile, 4G,3G routers does not have static IPs, so access will be difficult when this step is implemented.

But in a difficult to manage hacking attack, this can help until the website is secured and stabilized.


Be sure to logout from the admin when you use a public computer and don’t save passwords

Should you happen to use a public computer, like one in a library to access wordpress backend, please remember to logoff before leaving the computer to prevent others accessing the admin panel.

Just closing the browser does not end your session on the wordpress backend.

Also check if the passwords are getting saved to the browser automatically.


Recommedation  : Disable user registration

If you don’t need people to register on your website, disable WordPress user registration feature.

This stops lot of spam problems and people using email to snoop on your websites internal working like  examining email header to understand the server technology.


Remove the Plugin and Theme Editor

This online tool available to all wordpress websites allow administrators to program online using php.  This can make a hackers life easier as he does not have to bring his own tools to program and change the website if he succeeds in getting in to the website.


Disable PHP errors

Hackers use various error messages generated by the website to find weaknesses on the server and plan an attack. Always disable php errors and debug info.


Recommedation  : Install an auditing plugin to monitor backend activities.

good plugin for this purpose is  WP Security Audit Log. This free plugin maintains a log of everything that happens on your site’s backend, so you can easily view both what users and hackers are doing. This plugin keeps track of everything from when a new user is created to file management to published post changes.


Recommedation  : Hide the login URL  wp-admin and wp-login

Many plugins are available that make this simple change for you including Lockdown WP Admin as well as several of the major WordPress security plugins. This is an important step to stop automated hacking scripts from attacking well known wp-admin and wp-login urls.


Recommedation   : Use a reputed hosting service with easy to access technical support.

How well your website is secured,  there will be a day that I can get hacked, sabotaged or mal-functioning because of a user mistake. Then might we need technical support from the hosting server to  give us a backup from last working state or just to assist us on recovery process.

Better to use a hosting service with a account manager, then that person will know your website from the beginning , which make it easy to get help.


Finally : Take care of the passwords.

Don’t save passwords on computers in plain text. Most modern computer viruses scan user files to locate usernames, passwords and creditcard numbers.  If they find any, they will get sent to  automated programs that will carry out attacks on websites and servers.

Using a password manager software like Last pass is recommended.


In case of a hacking !

Let a skilled web developer/ ethical hacker do his job in recovering and then strengthening the website security.

Call us if such person is not available in handy or  you need it done at an affordable cost!

Voodoo and other forms of sorcery are also encouraged to bolster protection of the website. 😉