50 Expert Wordpress Security Tips

Is your website built on Wordpress? Here are 50 tips on how you can secure your Wordpress site and prevent web-based attacks.

According to W3 Techs, 37.6% of websites use WordPress, giving WordPress a market share of 63.6% among content management systems (CMS). WordPress 5.4 has been downloaded nearly 50 million times (and growing), and among the top 100 websites, 14.7% are based on WordPress. With billions of websites trusting WordPress, it's easy to fall into a false sense of security. If so many websites trust the platform, it must have rock-solid security – right? The truth is that WordPress is one of the most secure platforms, but hackers will target any website on the internet and exploit vulnerabilities that they discover. Your WordPress website isn't necessarily immune to threats. There are, however, many things you can do to boost your WordPress website's security, from carefully configuring built-in WordPress security features to leveraging tools and technologies that help to secure your website.

Web-based attacks are the second most common cyber attack targeting small to medium businesses, and half of SMBs have experienced a web-based attack. Web application vulnerability scanners like Zeguro's Monitoring solution find security issues with your web apps – including your WordPress website. Zeguro's Monitoring module produces actionable reports that identify vulnerabilities based on priority, evidence showing where each vulnerability exists, and suggested fixes for each vulnerability to help you secure your applications. By identifying and patching vulnerabilities on a routine basis, SMBs reduce the risk of a web-based attack.

Website application monitoring is one of the most important practices for web application security, but there are other best practices to follow to secure your WordPress website, too. Below, we've rounded up 50 expert WordPress security tips and best practices to help you bolster your website's security and protect your business's valuable data:

1. Lock down file permissions as much as possible. "Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment.

"It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restrictions for the purpose of doing things like uploading files.

"Here is one possible permission scheme. All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be writable by the web server, if your hosting set up requires it, that may mean those files need to be group-owned by the user account used by the web server process." - Hardening WordPress, WordPress.org; Twitter: @WordPress

2. Keep plugins up to date easily with WordPress' built-in update function. "Updating your WordPress plugins is a very similar process to updating WordPress core. Click into 'Updates' in your WordPress dashboard, select the plugins you want to update, and click on 'Update Plugins.'

"Likewise, you can also update a plugin manually. Simply grab the latest version from the plugin developer or WordPress repository and upload it via FTP, overwriting the existing plugin within the /wp-content/plugins directory." - Brian Jackson, WordPress Security – 19 Steps to Lock Down Your Site, Kinsta; Twitter: @kinsta

3. Turn on automatic WordPress Core updates. "One of the advantages of using a popular CMS like WordPress is that there are many people with a vested interest in keeping it secure. Thousands of people are contributing to WordPress security by reporting vulnerabilities to the WordPress team. This widespread collaboration means most holes are patched relatively quickly. But, if the updates that contain those fixes are not applied, you leave your site vulnerable to attack.

"The best way to ensure your WordPress core updates happen quickly is to turn on automatic updates. This way your WordPress site will be kept up-to-date without you having to do anything." - Lizzie Kardon, The Comprehensive Guide to WordPress Security in 2019, Pagely; Twitter: @Pagely

4. Use appropriate user roles. "Limiting access also includes the use of appropriate user roles. This is especially important when you have more than one person working on your website. For example, if you have employees, authors, editors, or anyone else accessing your WordPress website, you should provide them with their own login credentials that are appropriate for the work they are doing. Don't assign an administrator role unless a person actually requires admin functionality." - Jamie Spencer, WordPress Security: An Introduction to Hardening WordPress, MakeaWebsiteHub.com

5. Disable the WordPress API. "WordPress offers a REST API for developers who want to integrate their own programs into WordPress. However, there are some issues with the REST API -- most notably that the REST API can actually bypass WordPress's authentication system, including two-factor authentication. Unless you are using it for a custom-built application, it's a solid practice to simply disable the WordPress API entirely. This can be done through a plug-in, such as Disable REST API. All you need to do is 'Install Now' and then 'Activate.'" - The Blogger's Guide to WordPress Security, BestVPN

6. Disable XML-RPC. "XML-RPC is a special WordPress feature that enables remote access and posting. This can be a security issue, as it creates another way that a malicious user could potentially access your site. If you're interested in publishing posts remotely, you may need to leave XML-RPC enabled (it is enabled by default). If you are not publishing posts remotely, there's no way to add an additional vulnerability. The easiest way to disable XML-RPC is to install the Disable XML-RPC plug-in. Though there are other ways, it would require modifying the code of a different plug-in. Again, all you need to do is click on 'Install Now' and then 'Activate.'" - The Blogger's Guide to WordPress Security, BestVPN

7. Use robust file and folder permissions. "It is a very important step to take to prevent your website from attacks. There are basically three types of file permissions (Read, Write, Execute). For optimum and effective website performance it is important to understand which files need what level of permission. You can set these file and folder permissions either through File Manager or using FTP software." - Jack, WordPress Security 101 : The Ultimate WordPress Security Guide, WPOven; Twitter: @WPOven

8. Always run the latest version of WordPress. "Although WordPress can be annoying to update, especially when you have plugins that you want to keep using that aren't being updated anymore, each update brings new tweaks and bug patches to help keep the core software of WordPress secure. Failing to update your software to the latest versions means you're leaving your website vulnerable to these security risks. It's up to you to make sure your WordPress is always running the latest version possible to stop this from being a problem." - Joel Syder, 5 Really Important WordPress Security Vulnerabilities You Need to Know About, Torque; Twitter: @TheTorqueMag

9. Implement a web app vulnerability scanner. "Web app vulnerability scanners look for weaknesses in your web apps so they can be fixed before they're exploited by hackers. Zeguro's Monitoring module makes web app scanning quick, easy, and customizable. Choose between lightning and normal scan levels and a monthly or quarterly cadence. You can even schedule your scan for a specific day and time.

"Once scans are completed, you'll get clear, actionable results. The downloadable report prioritizes vulnerabilities based on criticality, and includes evidence showing where each vulnerability exists along with a set of suggested fixes." - Monitoring, Zeguro; Twitter: @Zeguroinc

10. Add two-factor authentication using Two Factor or Google Authenticator. "WordPress does not offer two-factor authentication out of the box. When you're connecting to the back-end management interface, all you need is a user name or email address and a strong password.

"Fortunately, it's pretty easy to add two factor auth using either Two Factor or Google Authenticator. Installing and setting up either of these plugins makes quick work of adding another security layer to your site.

"The free version of Two Factor has 10,000+ active sites, and there is no premium upgrade. It's just plain free. Google Authenticator is a very deep tool with a bunch of paid upgrade options, ranging from additional authentication methods up to enterprise-level authentication and user management features." - David Gewirtz, Your WordPress site is at risk: These precautions and plugins can keep it secure, ZDNet; Twitter: @ZDNet

11. Block brute-force login attempts. "If you for whatever reason cannot turn on the two-step authentication, this is a decent alternative.

"Jetpack's Protect is like a web application firewall for your WordPress. It monitors all failed login attempts on the network of sites hosted by WordPress. It then automatically blocks all these unwanted tries from these bad IP addresses from the rest of the network.

"Another of the common ways hackers try to brute force your site is through XML-RPC. Jetpack Protect also blocks all the XML-RPC attacks so you do not need to do anything further to disable XML-RPC if you're using Jetpack. Activate the Jetpack plugin and enable the Protect add-on to turn this on." - Marko Saric, How to secure your WordPress site in 2020: The definitive guide, MarkoSaric.com; Twitter: @MarkoSaric

12. Use strong passwords with the help of a password manager. "What makes a good password?

  • Long
  • Random
  • Unique

"If you know your passwords, they're likely too weak. That's why using a Password Manager to manage your passwords is the best way to keep all your account logins secure. With the help of a Password Manager, you can generate long, random, unique passwords, and securely store them with the help of a browser extension. So the only password you'll have to remember is your master password to log into your password manager." - Michael Moore, 7 WordPress Security Best Practices, iThemes; Twitter: @ithemes

13. Install a WordPress backup solution. "Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so can yours. Backups allow you to quickly restore your WordPress site in case something bad was to happen.

"There are many free and paid WordPress backup plugins that you can use. The most important thing you need to know when it comes to backups is that you must regularly save full-site backups to a remote location (not your hosting account). We recommend storing it on a cloud service like Amazon, Dropbox, or private clouds like Stash.

"Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups. Thankfully this can be easily done by using plugins like VaultPress or UpdraftPlus. They are both reliable and most importantly easy to use (no coding needed)." - The Ultimate WordPress Security Guide – Step by Step (2020), WPBeginner; Twitter: @wpbeginner

14. Use a plugin to block hotlinking. "Let's say you locate an image online and would like to share it on your website. First of all, you need permission or to pay for that image, otherwise there's a good chance it's illegal to do so. But if you do get permission, you might directly pull the image's URL and use that to place the photo in your post. The main problem here is that the image is shown on your site, but being hosted on another site's server.

"From this perspective, you don't have any control over whether or not the photo remains on the server. But it's also important to realize that people might do this to your website.

"If you're trying to secure your WordPress website, hotlinking is basically another person taking your photo and stealing your server bandwidth to show the image on their own website. In the end, you'll see slower loading speeds and the potential for high server costs.

"Although there are some manual techniques for preventing hotlinking, the easiest method is to find a WordPress security plugin for the job. For instance, the All in One WP Security and Firewall plugin includes built-in tools for blocking all hotlinking." - 25 Simple WordPress Security Tricks to Keep Your Website Safe in 2020, CodeinWP; Twitter: @codeinwp

15. Limit login attempts with the help of a plugin. "By default, WordPress allows users to try to login as many times as they want. While this may help if you frequently forget what letters are capital, it also opens you up to brute force attacks. By limiting the number of login attempts, users can only try to login a limited number of times until they are temporarily blocked. This limits your chance of a brute force attempt as the hacker gets locked out before they can finish their attack." - Elyssa Respaut, 10 WordPress Tips to Make Your Website Secure, Medium

16. Move your WordPress login URL. "Another way to make your WordPress site extra secure is to change the login page. It's pretty common knowledge that to log into a site, you just add /wp-admin to the end of the URL. By changing that link, it's like you're hiding the door to your site, making it harder for hackers to find.

"There are a variety of different ways you can swap that link, but the WPS Hide Login plugin is a good place to start! Just don't forget what you change the URL to, and remember to share it with any other site collaborators or clients." - Morgan Smith, WordPress security tips & best practices every site owner should know, Flywheel; Twitter: @HeyFlywheel

17. Protect your input fields. "Fields like comments and contact forms are an obvious target for hackers to take advantage of. They can steal data being entered to those fields by force or by stealth (like by monitoring keystrokes). On a similar note, beware of cross-site scripting (XSS), where attackers inject client-side scripts into web pages viewed by other users. 84% of security vulnerabilities are a result of XSS attacks.

"Pro Tip: Some websites receive tons of spam comments, which is why they choose to disable comments. However, comments are a great way of communicating and getting feedback from readers and visitors. To moderate comments and proactively battle spam, install the Akismet plugin, also offered by the team behind WordPress." - Maddy Osman, An 8 Step WordPress Security Checklist for WordPress Security Issues, The Blogsmith; Twitter: @MaddyOsman

18. Add security questions to your WordPress login page. "By adding security questions to your WordPress login page, you will not only protect your WordPress login page but also harden WordPress security.

"The security question adds an extra layer of security to further authenticate your identity during login. This is very useful if you are running a multi-author WordPress blog.

"If any of your users' or your passwords have been stolen, then security questions can be key. Usernames and passwords can be hacked easily, but inputting the right security question and answer is more difficult. This way you can save your WordPress login page from hackers and brute force attacks.

"To add [a] security question on the WordPress login page, install the WP Security Questions plugin." - Jyoti Ray, WordPress Security – 24 Tips to Secure Your Website from Hackers, WPMyWeb.com; Twitter: @WPMyWeb

19. Enable reCAPTCHA on forms to prevent spam. "One of the quickest and easiest WordPress security tips for online forms is to enable reCATPCHA on them. Spam form submissions can be annoying, and reduce the quality of your email list and email marketing efforts. WPForms has some great reCAPTCHA and captcha features you can turn on for your website including:

  • reCAPTCHA V2 (I am not a robot Checkbox)
  • reCAPTCHA v3 (No Checkbox)
  • Custom Captcha
  • Anti-spam Honeypot

"For an in-depth tutorial on how to set up the different types of reCAPTCHA, check out our ultimate guide on how to stop contact form spam." - Lisa Gennaro, 12 WordPress Security Tips and Tricks for Your Online Forms, WPForms; Twitter: @easywpforms

20. Hide your WordPress version number. "Your WordPress version number is another helpful piece of information for hackers. When a hacker knows which version of WordPress your website uses, they can tailor their attack to it.

"Anyone can view your WordPress version number by viewing your site's source code. Depending on the version, they can even take advantage of specific vulnerabilities. For example, if you're running an older version of WordPress, a hacker may target a vulnerability that a later version fixed.

"Hide your site's version number by using a security plugin, like Sucuri Security or iThemes Security. You can also approach the problem manually, having a developer modify your functions.php file to stop your WordPress version number from appearing in places like an RSS feed." - Sarah Berry, Is My WordPress Site Secure? 13 Tips for Locking Down Your WordPress Site, WebFX; Twitter: @the_Berry_Bot

21. Prevent cross-site scripting attacks. "One of the most common attacks is Cross-Site Scripting also known as a XSS attack. In this type of attack, the attacker injects malicious code into a website to collect user data or to possibly redirect to other malicious sites affecting the user experience.

"How to prevent, and fix Cross-Site Scripting: To avoid this type of attack, use proper data validation across the WordPress site. Use output sanitization to ensure the right type of data is being inserted. Plugins such as Prevent XSS Vulnerability can also be used." - Ibad Rehman, The 6 Most Common WordPress Vulnerabilities (and How to Fix Them), WebsiteHostingRating.com; Twitter: @hosting_rating

22. Protect your computer with antivirus software. "If your computer is compromised, then hackers could be able access your WordPress site, or find your login details from saved browser passwords. Therefore antivirus protection for your computer is a must.

"Norton Antivirus Security software protects your computer from malware, spyware, viruses, and lots more. Once installed, it runs regular automatic scans, so you can go online with confidence. Most importantly, it means that your WordPress website won't be corrupted via your computer." - Joe Fylan, Improve Your WordPress Site Security, WPExplorer; Twitter: @WPExplorer

23. Get notified if your password has been breached. "Even if you take all the necessary precautions, the unfortunate can still happen and your site or a service you are subscribed to can get hacked. In such case, you need to know as soon as possible so you can change your password. The website owner is obliged to advise you when there is a data breach, though this doesn't always happen. Therefore you can to subscribe to Have I Been Pwned, a free service that alerts you if any of your emails and passwords are identified in data breaches." - Robert Abela, The Guide to WordPress Password Security, WP WhiteSecurity; Twitter: @wpwhitesecurity

24. Ensure that automatic updates are turned on for security releases. "By default, all WordPress sites have automatic updates turned on for minor security releases. As long as you or your host doesn't turn this feature off, your WordPress core should always be secure. If you're not sure whether or not you have automatic security updates enabled, you can use the free Easy Updates Manager plugin to check." - Colin Newcomer, A No-Nonsense Guide To WordPress Security: Doing The Things That Matter, Presslabs; Twitter: @presslabs

25. Install a SSL Certificate "If you want to establish a secure connection between your website and your client, you need to install a SSL Certificate on your web server. There are several types of SSL Certificates:

  • Single SSL: A Single SSL Certificate is installed to confirm the identity of the domain name, for example "www.mydomain.com", that is operating the web site, encrypts all data between the server and the visitors, and also guarantees the integrity of the transmitted data.
  • Multi Domain SSL: A Multi Domain SSL Certificate is used to secure multiple domain names with a single certificate. For instance, you got a multi domain SSL certificate for mydomain.com, and the same certificate protects mydomain.net, mydomain.org, and even yourdomain.com.
  • Wildcard SSL: A Wildcard SSL Certificate is installed to secure multiple subdomains with just a single certificate. If you have only one domain but several subdomains. then a Wildcard Certificate is considered more logical than a Multi Domain SSL Certificate, as it allows for indefinite subdomains and you do not require describing during purchase. For example: This certificate can be used for the domain name mydomain.com, my.mydomain.com, my1.mydomain.com and any other subdomain."
  • - 7 Ultimate WordPress Security Tips, WPFixIt; Twitter: @WPFixItFast

    26. Enforce strong passwords. "For one, you should educate your users about smart password choices. Make them aware about social engineering attacks, and the negative impact on the business weak passwords can have. A lot of sites try to do this during the sign-up process. However, it also pays to be realistic. This means understanding that a lot of people won't follow good practices unless you force them to.

    "By default, WordPress warns you if you're setting a weak password. However, users can always ignore the warning and still use a weak password. So as a WordPress site admin you have to go a step further. Using the right plugin, you can force your WordPress users to use strong passwords, [such as] with our own Password Policy Manager for WordPress plugin." - Mark Grima, 4 Reasons Password Policies Are Vital for WordPress Users, Security Boulevard; Twitter: @securityblvd

27. Make sure you're running secure and stable versions of your web server and any software on it. "The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you. If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take." - Hardening WordPress, WordPress.org; Twitter: @WordPress

28. Remain aware of potential vulnerabilities discovered in plugins and themes. For example, a popular WordPress plugin GDPR Cookie Consent, which helps make websites compliant with the General Data Protection Regulation (GDPR), was discovered to have a critical flaw. If exploited, the vulnerability could enable attackers to modify content or inject malicious JavaScript code into victim websites.

The plugin, which helps businesses display cookie banners to show that they are compliant with EU's privacy regulation, had more than 700,000 active installations – making it a ripe target for attackers. Threatpost is a great resource to stay on top of vulnerabilities that may affect your Wordpress site. - Threatpost, Wordpress Topic Search; Twitter: @threatpost

29. Automatically log users out of the site after a period of inactivity. "Users should automatically be logged out of your site. An idle user that walks away from their screen leaves your site vulnerable. Anyone who passes by can change the information on your website or even break your site completely. Protect yourself by idling users after a limited time of inactivity." - Susmita, 4 WordPress Security Best Practices That Are Absolutely Essential in 2019, CyberChimps Responsive Theme; Twitter: @cyberchimps

30. Post content under a contributor or editor account instead of the admin account. "Consider creating a contributor or an editor account to add new posts and articles to your site. Doing so will make it harder for hackers to do damage on your site as contributors and editors don’t usually have administrator privileges." - Brenda Stokes Barron, How to Secure WordPress (2020), WebsiteSetup; Twitter: @WebsiteSetupOrg

31. Use secure WordPress admin login credentials. "One of the most common mistakes many users still do to this day is using common usernames like 'admin,' 'administrator,' and 'test.' This is a small yet fatal error as doing so puts your site at a higher risk of successful brute force attacks.

"In case you haven’t used unique admin login credentials yet, you can follow this tutorial to change your WordPress username. Alternatively, you can create a new secure WordPress administrator account with a different username and delete the old one." - Edvinas B., How to Secure WordPress, Hostinger; Twitter: @HostingerCOM

32. Only use themes and plugins you can trust. "To detect if a theme or plugin can be trusted or not, first, read its ratings. There you can find clues to whether there have been security breaches or issues in the past, like buggy updates.

"You’ll also want to check to see when a plugin/theme was last updated. If a plugin or theme hasn’t received an update in some time (say years), then the inactiveness in that plugin/theme is a sign you should look somewhere else.

"In addition, analyzing a plugin or theme’s popularity is another way to better ensure you aren’t installing malicious code into your WordPress site.

"A plugin/theme that’s widely popular isn’t necessarily less likely to be targeted by hackers but is more likely to be updated with security patches regularly due to its wide use." - Darcy Wheeler, 15 Ways To Harden The Security Of Your WordPress Site, WP Engine; Twitter: @wpengine

33. Disable file editing. "WordPress features an internal code editor for plugin and theme files. While this is useful for admins who want to make quick changes to files, it also means hackers and high-level users can also make file changes. You can find this feature by going to Appearance > Editor in your WordPress admin. You can disable file editing in your wp-config.php file. Just open your file and add this line of code:

define('DISALLOW_FILE_EDIT', true);

"You’ll still be able to edit your plugins and themes via FTP or cPanel, just not in the WordPress admin." - Raelene Morey, 14 Ways to Secure Your WordPress Site – Step by Step, Design Bombs; Twitter: @designbombs

34. Validate and sanitize input from users. "Any data, files, URLs, embedded content, CSS, or HTML sent through your site by a user, known or unknown, needs to be reviewed and sanitized. This means only the data that you expected to receive (e.g. username for username, email address for email address, etc.) should be allowed in. Keep “bad” words like “FROM” or “WHERE” or punctuation like a single quotation mark on your radar as they can be a sign that someone’s trying to sneak malicious code into your site." - Brenda Barron, The Ultimate PHP Security Checklist of WordPress Best Practices, WP Buffs; Twitter: @thewpbuffs

35. Set a password for the /wp-admin directory. "Setting a password before you can see the /wp-admin is a great extra level of defense to thwart any evil-doers who want to gain access. You’ll need to submit the extra password every time you want to login, but it’s a very thorough way to protect your files. There are a few plugins, but manual setup is the safest." - WordPress Security Checklist, 99Robots; Twitter: @99Robots

36. Avoid using too many plugins and themes. "Using too many plugins can slow down your site but it can also leave it vulnerable to attacks if you stop using certain plugins and ignore their updates. It’s not enough to simply deactivate the plugin if you are no longer using it. The same goes for themes. All the inactive themes and plugins which are still on your server can easily be used to inject all sorts of malicious code." - Matt, updated by Marko Csokasi, WordPress Security Tips: How to Secure Your WP Blog, Digital.com

37. In fact, you should uninstall all unused WordPress themes and plugins. "Testing new themes and plugins is a good way to get the first-hand experience of the latest releases. However, once the testing is over, WordPress users usually deactivate the plugins instead of a proper uninstall.

"Note that unused or inactive themes and plugins pose a serious threat to the WordPress website. Hence, it is of utter importance that all plugins and themes that are not in use be deleted immediately to make sure that no data remains in the WordPress database. Here is a proper guide on how to properly uninstall WordPress plugins.

"As a general precaution, always download the most recent version of themes and plugins from a trusted resource to make sure that the plugin or theme does not open a new security loophole at your site." - Mustaasam Saleem, 10 WordPress Security Issues And How to Fix Them, Cloudways; Twitter: @Cloudways

38. Upgrade to HTTPS. "Don’t forget to switch your WordPress site to HTTPS in order to protect it from hackers and other security attacks. HTTPS encrypts the connection between your web browser and your web server, which will keep the attacker away when you are transferring the data from one server to the other. Plus, it can protect your site from unreliable hidden scripts available on your computer system, and a script that is used to steal data from login forms. Apart from this, WordPress has made it compulsory to have HTTPS in WordPress websites if you want to get a better ranking on Google search results." - 15 Simple WordPress Security Tips to keep your Site Secure in 2020, ThemeGrill; Twitter: @themegrill

39. Keep the number of users on your site as low as possible. "The more people you let into your site, the higher the chance that someone will make a mistake or that a user will cause problems just to be a putz. For this reason, it’s smart to keep the number of users on your site as low as possible, while not hampering its ability to grow. In particular, try and limit the number of administrators and other user roles with high privileges." - Megan Hendrickson, 10 Smart Ways to Effectively Secure Your WordPress Website, DreamHost; Twitter: @DreamHost

40. Move your wp-config.php file. "Move the wp-config.php file into the folder above your WordPress installation. This will make it inaccessible to anyone using a browser, meaning a hacker has less chance of locating it." - Adrian Try, 48 Ways to Keep Your WordPress Site Secure, Sitepoint; Twitter: @adriantry

41. Monitor your core files and take prompt action if changes are made to your core files. "When a WordPress core file changes unexpectedly, you need to take action. This is a tell-tale sign that your site was compromised. Knowing when a file change happened is very hard to keep track of manually." - WordPress Security Vulnerabilities, Array Digital; Twitter: @ThisIsArray

42. Beware of plugins that allow arbitrary file uploads. "Some websites allow users to upload their own files such as a profile picture or PDF files. Some plugins lack security measures to check what type of file is being uploaded and what content is in it. This means instead of uploading a .pdf file, a hacker could upload a .php file that contains executable code. The code could be to create a new admin account or any other type of backdoor that grants them access to your website or web application." - Melinda Bartley, 10 Most Vulnerable WordPress Plugins, BlogVault; Twitter: @blogVault

43. Implement SSL/TLS. "This is particularly important for ecommerce sites and websites sending or receiving sensitive user or business data. SSL (Secure Sockets Layer) is an encryption protocol which prevents third parties from reading intercepted data. If you have more than one domain, then SAN SSL certificate could be the best way to secure all domains under a single security protection.

"TLS (Transport Layer Security) is the updated version of this. Your webhost should be able to help you to purchase and activate a TLS certificate (often confusingly still called an SSL certificate). Your WORDPRESS site will then display the padlock icon and the HTTPS (Hypertext Transfer Protocol Secure) prefix." - 15 WordPress Security Tips and Tricks To Protect Your WordPress Website, InspirationFeed; Twitter: @Inspirationf

44. Keep each account and WordPress site isolated on a server. "Another key security feature is keeping each account and WordPress site isolated on the server. A good server architecture can protect you from cross-site contamination, which is when hackers use one infected website on a server to infiltrate and attack other neighbouring sites on the same server.

"Hosting servers with poor account configuration and management where users can install and create as many sites as they want, are a prime target for malicious intruders." - WordPress Security – 23 Tips to Secure Your Site from Hackers, Stable WP; Twitter: @StableWP

45. Keep your system free of malware and viruses and keep your workstation secure. "You should always keep your system free of malware and viruses, especially if you’re accessing the internet with it (which you are, of course). Workstation protection is even more essential when you are conducting transactions and have a website because all it takes is a keylogger to knock out the most hardened of websites.

"A keylogger will read all your usernames and passwords and send them to hackers - which of course is going to create a whole host of issues and problems for your website.

"Stay safe and regularly update your OS, software, and browsers on your computer. Use a good anti-virus service. Keep your eyes out for any vulnerabilities in your system and remove them before they become a massive pain. If your computer starts acting strangely, popping up ads and other dodgy stuff, you might want to check it out before accessing your website." - David Attard, 7 Ways to Fix WordPress Hacked sites + 17 Security Steps to Protect, Collective Ray; Twitter: @DARTCreations

46. Length is the most important element of a strong password. "You may have heard this before: choosing a good password is the first step towards good security.

"Contrary to popular belief, the best passwords do not contain cryptic characters, a capital letter, and a number. The most secure passwords are simply long. Security experts agree that longer passwords are harder to crack, according to The Guardian. Adding punctuation and nuances are great additions to a password, but length should come first." - Lance Cleveland, How to Make Your WordPress Login Secure, Jetpack; Twitter: @jetpack

47. Whitelist the IP addresses you want to access your site. "In some cases, you may want to ensure that only specific IP addresses can access your dashboard. This process is known as whitelisting, and it can be quite effective. Let’s talk about why:

  • You can pick and choose who uses your dashboard. IPs are unique, so this method is perfect if you work with a small team of users (who have static addresses).
  • IPs are nearly impossible to replicate. Unless someone gains access to your team members’ computers, they can’t easily get into your site.
  • It’s easy to implement. This process involves adding a few lines of code to your .htaccess file, which is quite straightforward." - John Hughes, 4 Ways to Tighten WordPress Security – Secure Your Dashboard and Login Page, ThemeIsle; Twitter: @ThemeIsle

48. Disable directory listing. "By default, when your web server does not find an index file (index.php or index.html), it automatically displays an index page showing the files and folders in that web directory. This could make your site vulnerable to attacks by revealing the critical information needed by hackers to take advantage of a vulnerability in a WordPress plugin, theme, or your server in general." - Ilinca, WordPress Security Checklist: 12 Steps to Secure Your Website, ChemiCloud; Twitter: @HeyChemiCloud

49. Use WordPress security keys to encrypt cookies. "[An] encryption/security key is a set of random strings used to encrypt the data in the form of cookies, passwords, and information, etc. [A] security key makes your data more secure by encoding information in a way [so] that only the person or browser with the key has ability to decode it.

"WordPress security keys are stored in the wp-config.php file. You can access the wp-config.php file by [logging in] to your c-panel." - Neeraj Agarwal, WordPress Security Issues: Best Practices Checklist [Complete Guide], Ink Themes; Twitter: @InkThemes

50. Remember that humans are the weakest link. "If you think the hacker world is made up of computer codes written at the speed of light inside a black terminal, then you’re wrong. The human aspect is fundamental and is also the weakest one. As for my experience, most of the times we found ourselves in front of compromised sites, we found its causes precisely due to human errors , above all weak passwords. ... Do not trust anyone, especially if you are asked for access keys or personal data and always try to know exactly who you are interfacing." - Medrit Kaimi, Guide to WordPress Security Best Practices 2020, Codeless.co; Twitter: @codelessthemes

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Learn more →

Start My Free Trial
Ellen Zhang
Written by

Ellen Zhang

Digital Marketing Manager

Enthusiastic and passionate cybersecurity marketer. Short-story writer. Lover of karaoke.

Sign up for the latest news

Oops! Please make sure your email is valid and try again.