43 WordPress Security Best Practices (2021 Definitive Guide)

wordpress security best practices

When it comes to running your WordPress website, you want to make sure that you abide by the WordPress security best practices.
Considering the dangers that can come from online threats, it’s imperative that you’re doing so safely and effectively.
Regardless of the kind of site you run, everyone can benefit from following these WordPress security protocols.


Understanding The Possible Threats

Understanding The Possible Threats

The internet is a big place, and threats can come from anywhere.
An estimated 63% of computers are controlled by hackers (source) and that percent will rise if we don’t stay vigilant.
Why do you need to know this?
It’s important that you recognize all of the potential areas where your WordPress site could be vulnerable.

Online threats can come from anywhere.
This includes the computer you use to update your website. The basic security steps start at you computer.

You should have a firewall and a computer virus scanner to prevent getting hacked.
Another form of threat that are most common are sent via email.
Every day, millions of emails are sent, so it makes sense why hackers and viruses are sent through email. Just like this one…
It looks legit right?
There are 6 well-known types of threats that can take advantage of your WordPress security vulnerabilities:

Viruses and Malware

In many cases, the threat will come from malicious software trying to access your website and possibly your computer. These programs can target sensitive information, or they could simply try to disrupt your site’s systems, causing it to crash.


Ransomeware is fast becoming a favorite scheme among hackers. Threatening your site with an attack unless you pay a fee to keep it safe. The United States is by far the most vulnerable country, with almost two-thirds of victims willing to pay the ransom, which means that it will only get worse over time.

SQL Injection Attacks

SQL injection is a common form of attack. SQL inject can steal user information such as credit card, passwords, etc.

SQL Injection Attacks

But in most cases, it is used to take over websites. As reported by Acunetix, SQL injection is a high severity vulnerability.  23% of the scans they executed were vulnerable to SQL injection.

Big Brother Is Watching

Recently, we’ve seen situations where governments are using targeted attacks to disrupt systems or retrieve potentially sensitive information. Whether it’s Russia hacking the US election or North Korea trying to access bank software, sometimes the threat can be much more than a hacker in a basement.

Email Scams and Phishing

Email Scams and Phishing

Sometimes, the call can be coming from inside the house, especially if hackers have access to accounts that are in your contact list.

This way they can gain entry much more easily without having to rely on brute force attacks.

Denial-of-Service Attacks

Stop Denial of Service Attacks

Attempts to disrupt the network by cutting out service. Networks are invaded with high volumes of connection requests, shutting it down.

Brute Attacks

If you’re not familiar with a brute force attack, it’s when hackers overwhelm your security systems with wave after wave of software. Eventually, the system crashes, and they can access all of your sensitive data.

So What Can You Do About It?

First and foremost, you can understand where your WordPress security vulnerabilities lie and take steps to correct the issue.

In many cases, simply updating your WordPress and taking extra precautions about storing sensitive data can be all you need to make sure that your site is safe.

The other part of being safe on the internet is that if you become vulnerable, you can put others at risk. If your site gets infected, it could spread to your users without their knowledge and become an even bigger problem.

Also, considering that WordPress is an open-source program, if you are hacked, then it could affect the millions of people who rely on the system to run their sites.

In the end, we must all do our part to ensure that we are following WordPress security best practices.


How Is WordPress Affected by These Threats?

How Is WordPress Affected by These Threats

Since WordPress is an open-source platform, that means that anyone can go in and make updates to it. It also means that anyone can create programs and plugins to work with WordPress. While this level of interactivity can be beneficial for a lot of reasons, the fact is that it also opens it up to a fair amount of risk.

Is WordPress Safe to Use?

At its core, WordPress basic programming is more than secure enough for users to utilize it without worrying about surprises lurking inside the code. The problems begins when you forget to update your WordPress install or when you start to adding plugins and other add-ons. According to research, over 83% of sites that used WordPress were vulnerable to attacks.

In many cases, the threat will come from malicious software trying to access your website and possibly your computer. These programs can target sensitive information, or they could simply try to disrupt your site’s systems, causing it to crash.

83 of WordPress Blogs that are Hacked

Out of the ten most insecure plugins, half of them were commercially available for purchase. That shows how easy it can be to become a victim of online threats.

For most WordPress users, they think that all plugin codes have been tested and retested for security breaches, but many of them aren’t.

In fact.. some security plugin can be vulnerable to attack, which means that you can’t even trust plugins designed to keep you safe. In many instances, site builders believe that they can make simple changes that will offer total protection, or they believe that they are not important enough for hackers to target. 

This is a mistake. WordPress protection is needed If you want to follow the best security practices for WordPress. You need to be proactive, not reactive.

Always Do Your Homework

Considering that plugins and other add-on programs are the most significant source of vulnerabilities, you have to take extra precautions to ensure that what you’re using is safe. 

I will go over some more details about testing plugins later. The important thing to keep in mind is that you want to plan for the worst and hope for the best. As soon as you let your guard down, your site can be attacked.


Don’t Make These WordPress Mistakes

Dont Make These WordPress Mistakes

Many users, especially first-time users, make some common mistakes. Absent-mindedness or just not knowing what to do will make a website easy to hack. Before I jump into getting your website protected, here are some common mistakes to avoid.

1. Bad Hosting Company

While the onus is ultimately upon you to make your site secure, the fact is that you are only part of the equation.

If you have a bad hosting company that doesn’t offer secure servers, then you could be setting yourself up for failure. 41% of blogs get hacked because of their web host. (I’ll share with you my top hosting companies in chapter 5.)

Be sure to use reputable hosts to get your site online, and check to see if they follow WordPress security best practices.

2. Not Updating Your WordPress Plugins and Installs

WordPress Security Best Practices Not Updating Your WordPress

How often are you updating your WordPress Install and plugins?

Furthermore, do you have the latest version of WordPress and all of your various plugins?

Go to your WordPress Dashboard and click Updates. 

You will see all the updates you need to update.

Updates come out all the time, which means that if you don’t stay on top of them, you could wind up with obsolete WordPress install or plugins, which is a hacker’s dream.

3. Using Weak Password

WordPress Secuirty Using Weak Password

For many people, their passwords can be their undoing. If you are using the same one for multiple sites, that means that hackers can access each one if they figure it out.

 Similarly, if you use simple passwords that are easy to crack, you are leaving the keys in the front door of your house. Not only should you have a strong password (including letters, numbers, and capitalizations), but you should change it often so that it never becomes a problem down the line.

WordPress Secuirty Strong Password

How To Change Your Password In WordPress: Click on users

WordPress Secuirty Users

choose your user account. WordPress will choose a random password for you.

4. Not Removing Inactive Plugins

WordPress Secuirty Not Removing Inactive Plugins

It’s easy to accumulate plugins and other old data remarkably fast. Unfortunately, as it sits around unused, it can be exploited by hackers to gain access to your site.

Even if the information itself is not “valuable,” it could be hiding a clue that they need to figure out the best way to get into your website.

5. Who Do You Trust?

Never download a plugin from a source that isn’t reputable. WordPress.org popular is a good place to start.

There are several ways to verify the source, including looking at user reviews and number of downloads. But it’s better to keep a sharp eye on all WordPress plugins, especially if they are new or seem too good to be true.

6. Failing to Backup Your Website

Backups are crucial to securing information. Even if your website is hacked, you can recover any files.

The Ransomware attack proved how difficult it can be to recover stolen data and media. I will cover backups in more details in


How To Use Plugins to Your Advantage

How To Use Plugins to Your Advantage

Plugins are useful tools that will enhance your website, and make it more enjoyable.

Even though I’ve been highlighted the fact that third-party programs such as plugins can be a huge part of the security problem, the reality is that many of them can be incredibly helpful.

Before I give you access to the top security plugins for WordPress, these are steps you need to make sure you are choosing the right plugin.

How to Verify if a Plug-In is Safe

Wordpress Plugins

As you have probably noticed, plugin links go to the WordPress page that describes the plugin, rather than the original site itself.

The reason I did that is so that you can pay attention to a few critical points.

1. Number of Active Installs

WordPress Plugin Active Installs

This shows you how many people are using the plugin. The higher the number, the better the odds of it being more trustworthy, as more people are using it and providing sample data.

Last Updated

WordPress Plugin Last Update

You want to avoid plugins that haven’t been changed or amended in the last six months or so.  Since hackers are always trying new attacks, it’s imperative that your plugin stays up to date.


Wordpress Plugin Rating

while this is not a perfect way to monitor the validity of a plugin, it can provide valuable insight when you read what other users have to say.

Be sure to read both positive and negative reviews to get a better sense of what to expect.


WordPress Plugin Support

This metric shows how many problems have been resolved in the last two months.

Now that you can know how to choose the right plugin for your business, below are my picks for the top WordPress security plugins.

Top WordPress Security Plugins

iThemes Security (formerly Better WP Security)

WordPress Security Plugin iThemes Security formerly Better WP Security

IThemes Security Plugin This is the number one plugin to keep your site safe, and it comes from the team at iThemes.

It is highly rated and will provide comprehensive security for your site, such as making sure your software is up-to-date and that you are protected from brute force attacks. 

iThemes Security (formerly Better WP Security)

WordPress Security Plugin Sucuri

This is a comprehensive plugin that monitors all activity on your site and scans for vulnerabilities.

Also, it will provide a rundown of issues that need attention so that you’re never wondering if something is missing from your protection.

iThemes Security (formerly Better WP Security)

WordPress Security Plugin Wordfence

With over twenty million downloads, this is one of the most popular WordPress security plugins. It offers real-time scanning, including if someone is trying to hack your site.

It also provides solutions to any safety problems so that you can stay protected at all times.


Chapter 5 Finding a Suitable WordPress Host

Finding a Suitable WordPress Host For Your Business

As I mentioned earlier, you are but a piece of the online security puzzle.

This means that while you can do your part to ensure that your site is safe and secure, you can’t always guarantee 100% security since you have to rely on your hosting service to cover the gaps.

When trying to find the right host, you need to pay attention to some details regarding how it stores and handles your data.

user reviews and longevity can give you an accurate picture of what to expect, these features will take it a step further.

A Secure Datacenter

Check to see where their servers are located and how they are protected not only from cyber attacks but physical ones as well.

You don’t want your site to go down because of a natural disaster, so be sure that the datacenter is in a prime location that won’t be affected by such things.

Back that Data Up

Some hosts offer services that will backup all of your website files to a secure server automatically.

This can be a huge help in the event of an attack as you can restore your site much faster without losing data or programming in the process.

Up-time Guarantee

In some cases, web hosts will offer guarantees that your site will never experience any downtime.

Typically speaking, these offers are for 99% uptime, and you can get reimbursement if it ever dips below that percentage.

Positive Reviews

If possible, try to find reviews of your host on a third-party website. This will ensure more accuracy and better overall image of the company.

See what security issues other customers had in the past and see if the host took steps to correct the problem or if they ignored it.

Here are two WordPress Hosting





Ease Of Use




Price: $6.99 A MONTH


Siteground always stands out as one of the best options for users looking for a fast, secure, and excellent support team.

What really sets Siteground host apart from others is that you can reach a much wider audience.


Bluehost Review



Ease Of Use




Price: $2.75 A MONTH


As one of the most popular hosting sites in the world, you get a lot of support and features BlueHost.  Best of all, you can utilize two different options depending on your needs.

The site provides specialized WordPress hosting, or you can use cloud services instead.  Best of all, both options are the same price, so you can choose based on features rather than cost.

Since it’s so well connected and serves millions of customers, you get some of the highest speeds and best uptime guarantees in the industry.


Chapter 6 WordPress Security Best Practices

WordPress Security Best Practices And Vulnerabilities

While it’s helpful to go through your site and make changes and corrections on the back end, the fact is that you can find out much more about potential problem areas by thinking and acting like a hacker.

Fortunately… there are tools you can use to test your site’s security by essentially trying to break in from the outside.

So far, we’ve seen how online threats can undermine your WordPress site, but now is the time to implement solutions to the most common problems.

Security is an Ongoing Process

Security Is An Ongoing Process​

One thing to keep in mind is that, regardless of the specific methods you use, online safety is something that has to be maintained on a regular basis.

Don’t assume that because your site is “secure” today that it will be the same tomorrow. You should always be on the lookout for new threats, and you should be reacting accordingly.

As they say, an ounce of prevention is worth a pound of cure.

Update Your Software (Constantly)

While WordPress itself doesn’t have updates on a near constant basis, your plugins most likely will.

Also, if you have a bunch of different plugins installed on your site for various reasons, then odds are that one will need to be updated almost every day. Part of your daily procedure should be checking for updates and install them.

 WordPress Security Best Practices Not Updating Your WordPress 1

In addition, don’t rely on automated systems to do this for you, as they can sometimes miss things.

Change Your Password

If you are worried that you will keep forgetting your password as you change it, one method to keep it relatively simple is to randomize it with capitals and numbers.

WordPress Secuirty Strong Password

But using the random password tool provided by WordPress is the best option for creating passwords.

Enable Lockout Protection

WordPress Security Limit Login Attempts Reloaded

If a hacker tries to access your site, there’s a good chance that he or she will make several attempts to do so. You can use the plugin Limit Login Attempts Reloaded to prevent this.

If you don’t make sure to limit the amount of attempts that can be made, a hacker could invariably gain access through sheer luck.

After you install the plugin, you will see this on your login WordPress Website Login Page.

Least Privilege Principle

If you have multiple people working on your site, they shouldn’t all have access to the same information.

You want to prioritize access for those who need it (such as administrators) and limit it to those who don’t.

This principle is based on the idea of breaking down sensitive information into tiers and providing clearance accordingly.

Use Two-Factor Authentication

The two step authentication may seem like a pain every time you have to log in, it will provide ample security to your site without making any significant changes. This system can also prevent brute force attacks since you have double the protection. The 2 two step authentication plugins I like are: 

Shield Security Plugin

This plugin is simple to use with some very powerful features. This includes: Two step authentication. Blocking malicious links. Keeping spam bots out. Disable automatic updates. No more brute force attack because it prevents it. And so much more.

Google Authenticator WordPress Two Factor Authentication

This plugin is very secure and the two step authentication easy to set up. This includes: Two step authentication via mobile. And so much more…

Use Two-Factor Authentication

You should be doing this already, but if not then now is the best time to start.  Check out my list of must have WordPress backup plugins. 

This way you can quickly recover after an attack and keep your site up and running without missing a beat. You should have multiple backups as well, just in case one of them gets compromised somehow.

Create a Better Username

If you are still using the default “admin” as your username, then you are simply asking to be hacked.

Make it something unique that won’t be easy to guess. The harder you make it for hackers to gain any traction, the more likely you are to repel an attack.

Overall, when it comes to preventing WordPress security vulnerabilities, you want to take extra time to do things the right way, rather than trying to make things easier on yourself.

In the end, if it’s easy for you to access your site, it will be the same for a hacker.

Advance Edits To wp-config.php File

When you install WordPress, one of the most important file is wp-config.php. It contains important information such your as databases details (username and password) that allows WordPress to communicate with the database store.

You can make changes to the wpconfig.php file to help secure your WordPress website. Below are some of the changes you can make to help secure your website. 

WARNING: Before you make any changes, please make sure you backup your website. Just in case you need to do a restore.

Change Your Database Prefix

change your databases prefix

A database prefix by default start with wp_. Changing your data prefix will make it difficult for hackers to hack your website. Change it to something random. For example: wesd_. You can make this change via the wp-config.php file:

Change Your Security Keys

WordPress Security Keys

WordPress Security Key is used to improved encryption and store cookies. The keys are, AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY. You can use the WordPress API to change your security key. After you get your key, you can replace them in the wp-config.php file.

Force the Use of FTPS

Most website hosting company will give you the ability to use FTPS. To force FTPS, add the following line to your wp-config.php file: define(‘FTP_SSL’, true);

Force your Website To Use SSL

SSL certificates is becoming the norm for website. If I don’t see the green secure lock in the address for a website, I will not make any purchases form that website.

Force your Website To Use SSL

To force your website to use SSL, add the following line to wp-config.php: define(‘FORCE_SSL_ADMIN’, true);

Protect Your wp-config.php

Copy and past the code below in your .htaccess file: <files wp-config.php> order allow,deny deny from all </files>

Additional directory protection

Copy and past the code below in your .htaccess file: <Files php.ini> Order Allow,Deny Deny from all </Files>


Chapter 8 Steps to Protecting Your ECommerce Store

If you are running an online store, security is even more crucial because you are dealing with sensitive financial information.

Websites are being hacked as you read this guide.  Norse provides real time threat intelligence on sites being hacked.

As such, you want to be sure to follow these WordPress security best practices to keep that data safe.

1. Use a High-Quality Host

We’ve already discussed the importance of having a secure web hosting service for your site in general, but you also want to be sure that it can provide comprehensive security for your commerce store as well.

Bluehost Vs Siteground Review

Don’t skimp and choose a cheaper provider that could make your site vulnerable.

Take a look at our BlueHost Vs. SiteGround Review.  These are the two best websites host online.

2. Use SSL for Checkout

If you aren’t encrypting your checkout service, then you’re opening up your customers to attack. Some hosts provide SSL certificates, but you may have to seek them out and implement them yourself.

Use SSL for Checkout

3. Don’t Keep Sensitive Data

One of the easiest ways to prevent hackers from stealing anything is to not have anything valuable in the first place. Rather than store credit card numbers online, use a system that trashes them as soon as the transaction goes through. 

Dont Keep Sensitive Data

This will put a lot less pressure on you and won’t compromise your customers if you are attacked.

4. Require Additional Verification

Overall, the more steps that your users have to take to make a transaction, the more secure it will be. Just like having two-step authentication for your site, you should have the same for your customers. Requiring an address and a CVV number will create extra protection.

Require Additional Verification

5. Don’t Allow Users to Have Weak Passwords

If your site has members who can log in via password, then you want to take the time to require something strong. This way, even if your customers aren’t following best practices, you are helping them by forcing them to create a better password. Utilize a system that requires a certain length, as well as numbers and special symbols.

Dont Allow Users to Have Weak Passwords

6. Set up Alerts for Suspicious Activity

If a single credit card is being used for a variety of purchases on various IP addresses, then it’s probably been hacked. As an administrator, it’s up to you to verify the validity of a card member to ensure that you aren’t engaging in fraudulent activity. This will also protect you as you don’t have to worry about losing money when the customer seeks damages.

Set up Alerts for Suspicious Activity

7. Train Staff to Be Vigilant

If you have anyone handling sensitive information, even just temporarily, he or she should be trained on how to properly store or dispose of that data once it’s been used. For example, if a customer gives you a credit card number over the phone, make sure that the person recording it does not keep a copy of it. 

Train Staff to Be Vigilant

Also, don’t assume that employees know what to do, either, as that can lead to security compromises.

8. Use Tracking Numbers When Possible

If you ship products to customers, then you want to enable tracking notifications so that you and they know when the package has been delivered and accepted. This will not only provide better service to the customer, but it will offer another layer of protection, especially in the event of theft.

Use Tracking Numbers When Possible

Consider a Fraud Management Service

Sometimes you can rely on a third-party company to handle fraud claims and issues. This adds a layer of protection for you and the customer as it ensures that you don’t accidentally make things worse. The cost of such services can be pricey, so only consider them if you have had such issues in the past.

Consider a Fraud Management Service

In the end, if you want to keep your customers safe, then you have to be proactive about it. Even if it seems like you’re making extra work for your users, it’s far better to do it this way than to deal with the aftermath of an attack.


Chapter 9 Backing Your Site Up

Back Up WordPress

I’ve talked a little bit about the importance of having backups for all of your data, but the fact is that you need to be doing it on a constant basis. This way, if something should happen, you won’t be set back significantly.

How Often Should You Back Up?

To make sure that you are as up to date as possible, you should back your system up before every update as well as every couple of days. This way you can get back on track immediately after an attack with minimal delays.

How Can You Back Your Site Up?

There are several ways to do this. First, you can backup your files on a separate hard drive by yourself. Second, you can utilize remote servers that are offered by a third-party service. Sometimes your web host will offer free backups, or you can sign up for a backup services that will do it for you. In some cases, it’s better to do both so that you have a backup for your backup, just in case either one of you is compromised.

Backup Plugins

As with everything else on WordPress, you can automate this process by using backup plugins to your advantage.  If you like the idea of backing up into the cloud, here is a list of Backup WordPress Plugins you can use.

Click Here To See The Full List Of Backup Plugins Here


Chapter 10 What If Im Hacked

WordPress security checklist and Remedying attacks

No matter how careful you are, sometimes you can still be a victim of a cyber attack. If that does happen, the important thing to remember is that it can be fixed and reversed, so don’t start panicking yet.

Hopefully, you will have systems in place to recover quickly, but even if you don’t, you shouldn’t let despair set in.

Identify the Scope of the Attack

Yes, it can happen to you. You go to your website and you see the following when you browse to your website.

Identify the Scope of the Attack

Did the attack originate from your local network, or did it come from somewhere else? Which files were compromised as a result?

Before you can attempt to recover, it’s imperative that you figure out how bad it is so that you can be sure that you remove the threat entirely.

Take Action ASAP

Change All Login Information

Regardless of where it originated, you will be much better off if you do a complete overhaul of your login credentials.

Change all usernames and passwords and be extra careful of who gets access to what.

Fixing the Problem

Whether it’s something as simple as updating your software or making a full recovery, make sure that you fix everything that went wrong. If necessary, reach out to a professional cleanup service so that they can guarantee that you are malware free.

Start Rebuilding Your Reputation

Visitors will be wary of your site after an attack, so it’s important that you address the issue head-on.

Let people know the extent of the damage (especially if customer information was threatened) and that you are taking steps to repair it.

Overall, the best thing you can do is continue to harden your security systems and work to prevent the same thing from happening again.

Follow Security Best Practices in the Future

Again, no matter how careful you are, sometimes hacks still happen. That doesn’t mean that you should change course or try something different. Stick with proven methods of WordPress protection and harden your site as much as possible.

WordPress Security Checklist

Before I go, I want to leave you with a comprehensive checklist so that you won’t forget to utilize any or all of these tools. Since online security is an ongoing mission, be sure to update your systems as much as possible and adapt as needed.

While we could offer a complete list here, the fact is that there are plenty of examples already online. Here are our top choices. 

  1. WordPress Security Checklist 
  2. WordFence Security Checklist 
  3. WP Common Security Checklist

This is actually a plugin that will make sure that when you cross something off that it has been taken care of on your site. This will ensure that your list is integrated to your actions.

WordPress Security Best Practices Resources

While this guide is going to be your best place to find out what you can do to keep your site safe, there are other resources out there that you should look at to get a more comprehensive view of the situation.

Hardening WordPress Overview of WordPress Overview of Brute Force Attacks WordPress Security Tips In the end, the safety of your site is in your hands, so be sure to take the responsibility seriously and don’t neglect your duties as an administrator.

As long as you follow these steps, your site should be well protected.

Subscribe To Our Newsletter

Get Actionable Tips and Tutorials That I Only Share With My Email Subscribers.

Scroll to Top

Want To Learn How To Build Better Websites?

Get access to our weekly roundup of our best resources, skill-enhancing and tools content to help grow your business

By entering your email, you agree to our Terms of Service and Privacy Policy