15 Ways to Improve the Security of your WordPress site

November 15, 2017

Perfection is an illusion. The saying is applicable when we talk about WordPress security. You cannot secure your WordPress website completely against security breaches. Do you know that 70% WordPress installations are vulnerable to security threats? Don’t worry; we don’t want to scare but alert you on the security aspects.

If you abide by certain guidelines, you can strengthen the security of your WordPress website or blog. The following ways can be executed by both the novice and the professionals. Safeguard your precious and confidential data by adopting these feasible strategies.

1. Updating Themes and Plugins

Half of the problems are eliminated when you keep WordPress themes and plugins updated. You will get a notification when a particular plugin or theme needs an update.

In addition to this, always rely on themes and plugins that are regularly updated. According to WordPress, if a plugin has not need to be updated for the past two years, it is no longer active.

2. Updating WordPress CMS

Keep vulnerabilities at bay by updating WordPress with the latest version. According to a research, around 58% websites had an outdated CMS at the particular time of infection.
You should regularly update WordPress, and in case you forget to do so, you can insert this code in wp-config.php that will trigger auto-updates.

3. Removing Outdated Themes and Plugins

The outdated plugins and themes are on the priority list of the hackers. Hence, you should immediately weed out any redundant or unused themes and plugins. If you wish to keep them, ensure that they are regularly updated.
Apart from enhancing security risks, it will slow down your website performance by occupying unnecessary space.

4. Avoid Unreliable Sources and Developers

Always rely on verified sources or developers for downloading themes and plugins. How can you verify the source? A simple way is to look at the reviews left by the users. Secondly, you can do some research on the web.
Avoid suspicious sources to prevent malware injection such as backdoors, phishing, spam-SEO, and so on.

5. Install a WordPress Security Plugin

This is a highly recommended step for all the WordPress website owners. A reliable WordPress security plugin will take care of the security aspects related to the scan.
Moreover, it will perform regular scans and monitor suspicious activities to prevent a security breach. Wordfence and Sucuri Security are two of the most reliable security plugins.

6. Using Two-Factor Authentication

Using a strong username and password can render most of the hacking attempts harmless. To boost the security aspect, enable two-factor authentication for verification during login.
In this authentication process, you will receive a verification code on your mobile phone, thus, dual login protection. Google Authenticator – Two Factor Authentication is a trustworthy plugin for the purpose.

7. Editing .htaccess file

The file allows developers and users to change the configuration for enhancing the functionality of the website. The best way to secure your .htaccess file is to change the permissions to 644. The permission settings allow everyone to read the file contents but restrict the authority to make changes.

8. Changing wp-config.php Permissions

The wp-config.php file contains crucial information pertaining to your WordPress websites such as usernames, passwords, and database content.
The simplest method to secure the content of the wp-config.php file is to insert the following code in .htaccess file. It will block access attempts from all other IPs except yours.

9. Changing Files and Folder Permissions

From the cPanel account, you can manage permissions of files and folders that contain confidential and important information. Avoid using 777 permissions at all costs.
For folders, you should configure 750 or 755 permissions. For files, such as .htaccess, you should configure 644 permissions. The wp-config.php file permissions can be set to 600, restricting access to you only.

10. Strong Username and Password

You like your pet’s name or you consider your birth date as your identity, you should never use these in your username and passwords. The hackers can apply various tactics to gain unrestricted access to your website. Brute force attacks seem to be the most deadly weapon. To avoid these, you can use a security plugin such as iThemes Security. To generate a strong password with all the possible combination, you can consider Strong Password Generator tool.

11. Take Scheduled Backups

Precaution is always better than cure. You should schedule regular backups so that you don’t lose your data if a security breach happens. Although most of the hosting providers provide data security, you should take precautions at your end. You can also use a plugin such as VaultPress for backing up the data.

12. Purchase SSL Certification

Security Sockets Layer (SSL) protection is mandatory if you are hosting confidential information on your website. The information may include credit card details, bank account details, and other classified information. SSL encrypts the data while it is in transit between web servers, thereby, preventing unauthorized access from anywhere around the world.

13. Use CAPTCHA Texts

In most of the cases, bots play a major role in breaking the security barrier. To prevent bots from accessing your content, you can enable CAPTCHA on the login page.

For example, it uses disfigured texts, images depicting certain features, and so on. Humans can identify the pattern but it is difficult for bots to do so.

14. Use SFTP instead of FTP

Most of the times, WordPress users deploy FTP to upload data to the web servers. While doing so, you are compromising with the security aspect as your data is not encrypted.
Use SFTP (Secure File Transfer Protocol) for managing data on your WordPress website.

15. Restricting Users Roles

WordPress gives you an option to manage different roles on your website. For example, Editors can write, edit, and publish posts, both theirs and others. The Author has the permission to manage and publish own posts. The Contributor has the permission of just writing and saving the draft.


We can always strive to perform beyond our capabilities. But the outcome is not always in our control. These practical suggestions will secure your WordPress website against all unethical attempts. Keep up the good work without compromising on the security aspect by adopting these proven strategies.

Looking for more ways to increase your WordPress site security?

Our friends at First Site Guide, have a huge collection of resources where beginners can access many helpful materials regarding WordPress security issues, backups, permissions and a lot more. Definitely worth browsing their content, so if you haven’t already, visit their website.


Anil Parmar

Anil Parmar is the co-founder of Glorywebs, a custom wordpress website development company aiming to help clients with services like mobile apps development, web design, digital marketing and more. Mobile apps & plugins we develop have a common # 1 goal: Keep it as simple as possible for end users. Find him on Twitter @abparmar99 & say Hi!