WordPress Security Tips

Anyone who is determined to hack into a WordPress site will always find a way in. The more secure the site is, the greater the challenge to hack it, and the more determined the hacker desires to undress it.

The 4 key factors of any security bolstering plans for a WordPress site are:

  • Pre-Installation
  • Installation
  • Post Installation
  • Ongoing Administration

Pre Installation

Use a reputable host

This is the simplest of all security steps.

Use a reputable host with a proven track record of great server security. Use a host that hires trustworthy staff and that is honest about security breaches and steps taken to fix them. Choose a host with 24 hour support so if your server or site is hacked your host can help you get your site back. We recommend Namecheap.

Dedicated or shared web server?

The security of a dedicated server is not hampered by the moral integrity and technical ability of multiple webmasters. Although expensive, a properly installed and properly managed dedicated server can be more secure than a shared or virtual dedicated server.


The Database Prefix

The default database prefix used by WordPress for all the tables it creates is wp_. During installation WordPress lets you set an alternative prefix. Do so. Hackers will try to run SQL exploits on the basis that your site uses the wp_  prefix. By using a non standard prefix you will hinder the success of automated attacks against your WordPress site.


Choose a username other than admin, administrator, moderator, editor, subscriber, guest, poster or similar.

Use a username that is different to your displayed author name.

As soon as WordPress is installed go to Users > Your Profile and change your display name.


Choose a hard to remember password. Make a note of it and place it somewhere secure.

Stay clear of common words and phrases when choosing a password.

Include numbers and non-alphanumeric characters like *,#$%^.

If you struggle to remember and recall passwords, try splitting them up (chunking them) into smaller more easily remembered character sections or try to relate them to a rhyme or imaginary shopping list.

Post Installation

Protect WP-Config

Protect wp-config as soon as the WordPress installer has completed.

wp-confg.php contains sensitive information that hackers can use to gain access to your website.

Some of the data in wp-config includes

  • the database name
  • the database table prefix
  • the database username
  • the database password

The easiest way to protect wp-config.php is to tell the server hide it from public view. Use the cPanel file manager to add these lines to the site’s .htaccess file:

#Deny the public from viewing your directory index (list of files in a directory)

Options All -Indexes

# Deny public access to .htaccess

<files .htaccess>
order allow,deny
deny from all

# DENY PUBLIC ACCESS TO YOUR wp-config.php File

<files wp-config.php>
order allow,deny
deny from all

Change the cookie Secret Keys

Edit wp-config.php to add (or replace) the secret keys required for browser cookies. Go to https://api.wordpress.org/secret-key/1.1/salt/ to get new unique secret keys for your site and replace the default ones which will look similar to

define('AUTH_KEY',         'Oud0/NWd5i6lynB:.|(m/Ie/pR?ib0r]5.F6+PTP+?W=&+]+u6|@W?.mOJ[<-,F~');
define('SECURE_AUTH_KEY',  '+mgR60:}h,6;I)|-jFl0Z`-ADvo5&^goqVW`H[SE:CA;G}*oUa8jtumQ*.sUNUdK');
define('LOGGED_IN_KEY',    '^OXLqR`)=@Ygp80xD4VH~X}8u3(p~X0{3;whSd$Jw+qMyM|oAuGcaV]P)a _h3+@');
define('NONCE_KEY',        ';~GrEvVq6xX-AKYjnKR`q9EyFo|PAHpX2YC~.xeL]l|}Jt7{jj;$C0M(*DxhJva_');
define('AUTH_SALT',        '+xa&&iE8)pZO2Hnla}b_bJCYC:c+E=3fw;nc_{C:k0o]2-+jndYV^3O2oATg9I]Z');
define('SECURE_AUTH_SALT', 'e <S,jRMiEuo-+#|q]p_fdVH-PD^-`O*Gkne|p)@Z.JSLE< )6$r0o _7:*[kg{y');
define('LOGGED_IN_SALT',   'qS=0B]hc)+>7K7M|R<bN6uqmeL}7rVR64z+ ;)<?ZC$-gMt37X>~dk/:$0@#G|0`');
define('NONCE_SALT',       '+tyG{|8o+`7%*E;Tu+#;?3avQ?_BhvjnnI^wbnV.a$>Jz{rY,u;Kx?GZ}|rAV(B_');

The secret keys can be changed at any time. Changing them will invalidate any current login sessions so users will need to log back in as soon as the keys are changed.

Remove Redundant Files

Delete the following files from your WordPress installation directory:

  • license.txt
  • readme.html

WordPress Security Enhancement Plugins

There are many WordPress security plugins. I recommend these ones

Wordfence Security

Look-See Security Scanner


A regularly cleaned, optimized and updated WordPress site with up to date plugins and security conscious configuration settings is quicker and  more secure than one that is not. Protect your wp-config.php and .htaccess files, deny directory browsing to visitors and keep aware of the latest WordPress security news and security plugins.

Plugins are a common cause of WordPress security breaches. Only use those plugins you need and try to not use plugins that perform the same tasks as each other. Some plugins may be disabled after first use without affecting their purpose; others should only be enabled when required. Be diligent about the plugins you use by listening to what others say about them.

Lastly, remember to regularly back up your WordPress database, wp-config.php, htaccess and your wp-content directory. I also suggest you back up any non-standard directories created outside of wp-content. Some hosts dislike backups being made to your server but a good place to back up your files is in a directory above /public_html (surfers cannot view above there). It is also a good idea to re-install the WordPress core files every so often by visiting Updates>Re-install in your dashboard.

Sharing is caring!

Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x