Improving the Security of WordPress Websites

Security is a critical component to the successful management of websites built using WordPress. Since WordPress is the most popular content management system (CMS), WordPress sites are frequently the targets of professional hackers and are vulnerable to various security threats if not properly protected, maintained, and hardened.

Here are some of the practices that we employ to harden and protect WordPress websites for our clients:

  1. Keep WordPress Core Files, Themes, and Plugins Updated: On a monthly basis, we take a complete backup of your WordPress site and update the WordPress core, WordPress themes, and WordPress plugins. Updates include security patches that address security vulnerabilities.
  2. Assure the use of Strong WordPress Login Credentials: The use of unique usernames along with complex passwords (called credential "hygeine") is critical to the ongoing security of WordPress websites. We always avoid using "admin" as the username, and it's preferable to enable two-factor authentication (2FA) to access the WordPress backend for added security.
  3. Limit Login Attempts: We install and configure WordPress plugins and server configurations to limit the number of login attempts. This prevents brute-force WordPress attacks where attackers attempt various credential combinations to access the WordPress backend.
  4. Select Secure Web Hosting: With WordPress hosting, you frequently get what you pay for. Reputable hosting providers -- especially those specializing in the hosting of WordPress websites -- offer more robust security features such as regular backups, quality technical support, and the ability to update WordPress websites to utilize the latest PHP and MySQL versions.
  5. Installation & Configuration of WordPress Security Plugins: We use WordPress security plugins like Wordfence, Sucuri, or iThemes Security to improve the security and prevent hacking attempts on all of the WordPress websites that we maintain. These security plugins help to monitor, detect, and prevent security threats, hacks, and intrusions.
  6. Robust Backups Regimen for WordPress Installations: We create and maintain regular backups of your WordPress site, going back up to 180 days. Frequently, in the case of WordPress website hacks, the security intrusion on the WordPress website is not immediately obvious. As a result, it's imprerative to have WordPress backups going back in time in order to assure the existence of a clean WordPress backup for re-installation.
  7. Maintenance of Secure WordPress File Permissions: We set and maintain appropriate file permissions on the WordPress web server to prevent unauthorized access to WordPress files and directories.
  8. Use of SSL Certificates to ensure secure connections to the WordPress admin login page: The encryption of data transmission between the user's browser and your WordPress server through the use of an SSL certificate (HTTPS) secures sensitive information like WordPress login credentials and personal data.
  9. Disabling WordPress File Editing: Disable the ability to edit plugins and themes from the WordPress admin website dashboard. This adds an additional layer of security by preventing attackers that access the WordPress administrative backend from directly modifying Themes and plugin code from within the WordPress interface.
  10. Monitor and Audit Server Logs: We regularly review your WordPress site's access logs and audit logs to identify any suspicious activity, hacks, or intrusions.
  11. Implement Web Application Firewall (WAF): WAFs filter and monitor web traffic between a WordPress web application and the exterior world.

WordPress security is an ongoing process that requires continuous attention and updates to WordPress core files, plugins and themes as new vulnerabilities emerge. By implementing these best practices, we can significantly enhance the security and safety of your WordPress website.

For help with WordPress site security and hardening, please call us at (801) 633-4262 or email us at