Knowledge Base

Securing WordPress


One of the most popular CMS (Content Management System) applications is WordPress and this unfortunately also makes it one of the most targeted website forms on the internet. So making sure your WordPress site is secure from every angle is an approach we encourage. This article will list some of the more common security features you can make use of and the steps you can take to further increase the security of your WordPress installation.

1.) Keep WordPress Updated

Always remember to keep your Wordpress installation up-to-date with the latest version release as this will in most cases help it prevent any loopholes for malicious access to your sites or files. Wordpress also gives you the ability to easily update your installation via the WordPress dashboard for any major releases. Minor updates will automatically be updated.

Update Wordpress in Admin interface

Since WordPress uses a lot of plugins and themes which are developed and maintained by third-party developers, it is required that you also keep those plugins and themes updated regularly when new updates are released by the plugin's developers.

Updating Plugins screen in Wordpress

2.) Having a Strong password

Always use a strong password for your domain with at least 8 alphanumerical values, including capital-small letters, digits, and special characters which are difficult to break for any brute-force attempts on your username/password combination. Remember to also keep this rule for your WordPress admin's email accounts, FTP, database, and any other login details you might have under your domain to ensure complete safety.

3.) Denying access to certain abilities for other users

Yet another way to increase your WordPress website's security is by limiting access directly to your dashboard. WordPress has a unique User Roles feature to control access given to a specific user. So when sharing your Wordpress details to a Writer, Employee, or similar always make sure to give them a user account with only access to what they should be given. 

So for instance, if you were to have a writer for your WordPress website, you would create an account that would only have the ability to write and edit posts as well the ability to access media and other forms of basic user-access that a Writer would require.

4.) Limit WordPress Login attempts

In most cases, your website hosting provider will block a certain amount of login attempts to your wp-login.php page, but there are further steps you can take to ensure that login attempts are limited to your dashboard. Our servers will automatically block IP addresses that attempt more than 10 different password attempts within a 10 minute time period.

To limit login attempts to your wp-login page, simply download a login-limiter plugin. We usually recommend Loginizer as its both free and does an awesome job at limiting brute attempts to your wp-login.php page.

5.) Disable file modifications via the WordPress Dashboard

WordPress has a built-in feature to edit files related to plugins/themes which is a handy tool if you're experienced in coding, but for most regular users the tool won't be of use and can actually be a security problem as a malicious actor can use that same editor to inject malicious code. This can be prevented by adding the following code to your wp-config.php file which can be found in the default installation WordPress folder.

define(‘DISALLOW_FILE_EDIT’, true);


You could also hide the wp-config.php file under your domain to further improve security. To do this, simply add the following code to your .htaccess file.

<Files wp-config.php>
order allow,deny
deny from all

6.) Changing the default WP login URL

Usually, your WordPress admin panel login URL is “”, while it does make it easier to remember it can pose other issues as most malicious bots scan WordPress sites for their wp-login.php page to brute-force their way in. This is why changing the name to something like "domain-login.php" or similar can help circumvent the bots ever finding the login page.

A couple more security measures you can take

a.) Prevent access to the XML-RPC file.
b.) Enable two-factor authentication or enabling a CAPTCHA plugin for the login page.
c.) It is highly recommended to monitor the traffic to your site if you suspect malicious activity. You may also get-in-touch with us if you would like us to have an in-depth look at your WordPress Site if you suspect it might have been breached.
d.) Using Cloudflare to prevent/block bots from ever reaching your website.

In most cases, keeping your WordPress update to date will circumvent most malicious attacks. We usually always recommend our clients to keep their WordPress installations set to automatically update so you do not have to worry about forgetting to keep your installation up-to-date.

Please rate this article to help us improve our Knowledge Base.

1 0