15 Best Practices For WordPress Security

35% of Websites on the internet are using WordPress as a content management system. Your website is one of them. Probably you will be wondering that there are some notable websites like Techcrunch, The New Yorker, BBC America are using WordPress.

The more it is getting popular, the more it is being tried to hack. Isn’t it? So, as a WordPress user, a normal question occurs in our mind that how we can secure our WordPress website, or are there any best practices that can protect our website?

Today, we are going to discuss some important practices for WordPress that can help us to secure our site.

Before you know what are those steps, you should know what type of attack you can face while you are using WordPress. Because if you know how they attack or try to hack, you can easily stop that way.

Which are the methods that hackers use to hack a WordPress site?

WordPress was released in 2003. Since then hackers are trying to find new ways to hack all the sites using WordPress. Here, we will discuss some popular ways that are being used in 2020. Here are some of the most common attacks that you should be aware of.

1. Brute Force Attacks

This is a very common method that is used to hack most of the WordPress website. Hackers used some combinations of usernames and passwords and let the computer do the work. The programs run until they get the exact match. This is a very simple and reliable way to hack a WordPress website. If you use a long password or captcha or any OTP Verification method, they will fail to do brute force crack.

2. DDoS Attack

It is also another popular method to down your website. Basically, it’s not a hack but it’s a target to down your website. It may come from a hacker or your business competitor. They send bots traffic to your website and you can’t know until your website comes down. They send so much traffic that your server can’t handle. Thus, they destroy your server and ranking and they get higher ranking on search results.

3. Theme & Plugin-based vulnerabilities

Most of the hacks are done by this method. This isn’t a method but when a hacker gets any vulnerability or any loopholes in themes or plugins they create a new method to attack those sites using that vulnerable plugin. But whenever any vulnerability or loophole is found in theme or plugin, they release an update, a security patch. So, always update your theme and plugin. In this case, if you use any nulled theme or plugin, the chances are very high that your site will be hacked. So, it is always recommended to use the official theme and plugin which is secured.

4. Remote Code Execution

Whenever an attacker has access to your WordPress admin panel, even if it’s an author privilege, they can remotely execute codes on the site. By that code, an attacker can do any changes to your WordPress website, even in the backend. So, it is recommended that you always check users on WordPress, if you find any unknown or suspicious user, remove that user and check activity logs to see the changes were made.

These are some popular ways hackers use to hack any WordPress site. But you have to remember that these are not the only ways, there are many ways we didn’t mention because they are not as popular as these are. In the upcoming blog post, we will be sharing all the ways or methods attackers use to attack a WordPress website.

Let’s know all the other methods, those are phishing, injection attacks, DNS cache poisoning, cross-site scripting, Remote, and local file inclusion, etc.

We will discuss all the above methods in detail in an upcoming blog, until, let’s know what are those practices ways that can help you to protect your site.

Best Practices For WordPress Security in 2020

The more you become aware of the problem, the easier it would be for you to solve. WordPress doesn’t make your site secured, rather you do. There are some basic and advanced ways to make your site more secure, and it will be more complicated for a hacker to hack your site.

If you follow all the steps, attackers can’t ruin your site, or if anything happens you will not face any loose as you can recover quickly.

1. Use Good web host

Choosing a good web host should be your first priority. If you choose a good web hosting that will decrease your 50% of total work. Whenever you go for buying, be sure to check if it is using the latest PHP version and MySQL.

If you can afford don’t go for any cheap shared hosting plan for any hosting provider. Rather, go for any reputed hosting provider.

If you have a good budget, go for siteground managed WordPress hosting.

If you have less budget, go for Bluehost shared hosting

N.B:- These are our recommendations. You can purchase from any provider which is reputed and have a good performance, speed, uptime.

2. Update Your PHP Version

If you are not using the latest version of PHP it will be easy for the attackers to attack you. So, make sure that you are using the latest PHP version which are PHP 7.2.30, PHP 7.3.17, and PHP 7.4.5.

Most of the website owners don’t update their PHP version or they don’t care about PHP updates. But the chances of having vulnerabilities on the older version are very high. That the reason you should always be with the latest version of PHP.

3. Quality themes and plugins

Most of the hacks and cracks are happened for having vulnerabilities on themes and plugins. A report by WPScan showed us that 52% of website vulnerabilities are caused by plugins and 11% are by themes. So, we can take it as 60% of vulnerabilities are caused by themes and plugins.

So, it’s very essential to use quality themes and plugins. There are many stores where you can get various types of WordPress themes and plugins. We are not saying that you should not use them or test them, but be sure that the store is trusted and their review is good in the various review platforms.

Before you buy themes from anywhere check them if their support is excellent and they give regular updates. If the theme that you are going to use, is quite old, then check reviews if that was secured for those users who used before you.

4. Modify wp-admin dashboard link

If we install WordPress, we get a dashboard panel to manage our site. And to access that we got a default link like domain.com/wp-admin.

Attackers use this page to do brute force attacks. We mentioned above what brute force attack is. In this attack, attackers make some combination of password and let the computer do the rest work. If you modify this page, you can save your site from this attack.

To modify the link, there are various plugins over there. You can use anyone to modify the link. You can also use Easy Hide Login plugin to hide your login page.

You can make your own URL and also change frequently to be more secured.

5. Don’t Use “Admin” as a username

Admin username is generated automatically when you install WordPress. It is recommended not to keep “Admin” as a username. Because if attackers are sure about the username, they don’t have to bother about that. Rest, they will make some password combinations.

But if you use another username, they have to find both username and password, which makes you quite secured.

6. Keep Up-to-date

If any security vulnerabilities are patched, a new version of that product is released. There are many plugins that ask permission for auto-update. But it will be better if you update manually. Many updates break or destroy the site, so it is recommended to take a backup before you make any major updates. That the reason we told not to give permission for auto-updates.

It may be for WordPress updates, or any theme or plugin updates, always be updated with the latest version. The latest version always comes with great security.

7. check user activity logs

If you are running a site and if there is more than one writer, then to track the activity you should check user activity logs. Or if you have a site where people sign up. To track their activity, you should use a plugin that will show you all the activities.

If you see any changes that they are doing, but they were not told to do that, you can take any step against them. We mention above if anyone has access to your admin panel, they can be a reason for your site hack.

8. Delete unused themes and plugins

Whenever we install WordPress, some basic themes or plugins are installed automatically. Or, sometimes we install some themes or plugins for testing purposes and forget to delete them.

Though it’s obvious that if we install one theme another will be automatically deactivated. But deactivate and delete are different things. If you deactivate the theme the codes of the theme will still be there in the file, but if you delete the theme no codes will be in the file.

So, if there are any unnecessary themes or plugins installed in your WordPress, it’s recommended to delete them, because if any vulnerability is found on those themes and plugins, your site may be affected by that.

9. Use a strong password

As you already know that brute force attack is done with some combination of passwords. They set a formula to generate a password and that script keeps generating passwords until it becomes successful to attempt login. In this case, if you use a strong password, attackers will face more difficulty to hack your site or maybe it will be impossible for them to do a brute attack. So, whenever you set a password, try to make it longer (8-12) and use uppercase, lowercase, numbers, and special character.

10. Limit login Attempt

Being an owner, you know the WordPress login password. So, you will not try to login again and again. It is the attacker who will run an auto script to hack your site. So, he must try to log in again and again. If you set the limit to attempt, you will be notified if anyone tries to attack you and log on that page again and again. In this way, you can keep your site safer.

11. Disable File Editing

WordPress automatically enables fie editing. If you have the tag of administrative, then you can edit the file. So, for an attacker, it becomes easy to hack if somehow he gets access to your administrative account. So, it’s recommended to disable the file editing access.

12. Install SSL Certificate

SSL is not only good for you but also it helps your user. All the sensitive information that is being passed on the internet is not secured. Whenever any user gives his sensitive information like credit card details or fills personnel details, any imposer or attacker can steal that data if that site is not using SSL.

SSL doesn’t only show a website secured, rather it really makes a website secure. If you are running any multiuser site when users sign up or eCommerce sites where use buy by giving their payment details, it is mandatory to install an SSL certificate.

13. Use Two-factor-authentication

It is a very useful method to protect your website from attackers. If even any attacker somehow gets the login password, he can’t log in if two-factor-authentication is enabled. With two factor authentication, We would also suggest using ReCaptcha in the login page to protect from the brute force attack. These methods will secure your website more.

14. Disable XML-RPC

WordPress automatically enables XML-RPC for your WordPress site. That means you can operate your site remotely from a mobile application or any third-party application. If anyone does brute force attack based on a remote device there will be no login limits whether you activated the log in limit or not. This is a great chance for an attacker to hack your site and execute code remotely.

So, If you don’t use any third-party software or any mobile application to connect remotely, You should disable XML-RPC. Also, you can allow your IP selectively. That means only you will be able to access the site remotely, for others it will be disabled.

15. Secure Wp-config.php files

Wp-config.php file is the most important file for a WordPress website. By default, there are eleven tables in the database and each table contains a different function. Hackers mainly target any file and try to exploit that file. It is recommended to secure your wp-config.php file by changing the database prefix. If you change database prefix to other words, it will be difficult for hackers to exploit any of the files.

16. Take Daily Backup

You don’t know that when someone can hack your site. So, it’s always recommended that you take daily backup. There are many hosting providers who keep daily backup but for doing it with your own, you can use any plugin. If you use any paid plugin like Updraft Plus, it will do everything and you don’t have to bother about that.

Some Recommended Tools

Even, after all, you should have some security tools that will continuously scan your site and give you an audit result frequently. First of all, you should obey all the rules we have mentioned above. If you follow those rules that means your site is secured enough.

But you don’t know if a new type of attack you face, you will not even know that your site has been hacked. At that time, these security plugins will help you by notifying if any malicious code is found on the site. Let’s see what those tolls are.

1. Malcare

If you are quite serious about your website and you want your site safe even when you are asleep, you should use malcare. Both the free and paid version of malcare is available on the market. But to be honest, the free version of malcare is not competent and quite useless. If you are planning for a free security plugin then it will not be suitable for you. I will also suggest the best free plugin.

But if you want to buy then this would be great for your website because it has some amazing features and easy to use interface. What you can avail in a malcare paid plan?

  • Unlimited Automatic Malware Removal.
  • Automatic Daily Malware Scan.
  • Website Firewall.
  • Login Protection.
  • Website Hardening.
  • Personalized support.

These are the features of malcare security plugin. You don’t have to do anything. This plugin will automatically remove malware. The free version of this plugin got active 10,000 installations but the paid plugin is serving more than 20,000 WordPress websites.

2. Sucuri Security Plugin

Sucuri is also one of the best security plugins for WordPress. This is more popular than malcare as it is leading since 2010 and people are having good experience with it. This is more costly than malcare but service is really awesome. Let’s have a look at what it offers

  • Malware & Hack Scan.
  • Malware removal.
  • Hack cleanup.
  • Blacklist spam and malicious redirects.
  • Filter HTTP traffic.
  • Protect from DDoS attack.
  • Improves page speed and reduce server load.
  • Good customer support.
  • 30 Days money guarantee.

You can see how many features sucuri security plugin offers. That’s the reason sucuri is more popular in the market in terms of security tool or plugin. If we compare the sucuri security plugin with malcare, we can find most of the features are the same, but sucuri has some extra features like filtering and blacklisting. Also, sucuri security plugins offer 30 days money-back guarantee. So, if not buy, for testing purposes you can surely test the sucuri plugin.

3. Wordfence Security Plugin

If you don’t afford above-mentioned premium security plugin, then wordfence is the best tool for you. It has some amazing features in its free plan also. Though it has a premium plan, We don’t recommend the premium plan.

If you need top-notch security and want to buy a premium plugin, then sucuri or malcare would be a better choice for you. And if you don’t wanna invest in these security plugins use the free version of wordfence. Let’s have a look at what features wordfence security plugin offers.

  • Web Application Firewall.
  • Malware Scanner.
  • Malicious IP detects and blacklisting.
  • Protect from brute force attack by limiting the login attempts.
  • 2FA and captcha activation for bot traffic.
  • Prevents hack attempts

Being a free plugin, wordfence does all the above-mentioned jobs. This security plugin is awesome for those who can’t afford a premium plugin. But if you can afford and serious about your business, then premium plugin would be a great choice for you. Also, the free version of this plugin got 3M+ installations in WordPress, That’s huge.


If you follow all the steps that we have mentioned above, we hope you need not to worry about hacking. But, though you have taken all the precaution, there are many new ways being executed by hackers. So, With the update of theme and plugin, you should also update yourself with the latest wordpress news. You can follow our blog for the latest news.

After all, if you can afford any premium security plugin like malcare, sucuri etc. It’s recommended to buy and use them. They always keep their plugin updating. So, you will not have to worry about your site, they will take care of your site.

If you find this article helpful, please let us know in the comment section. Also, share this article in your feed if you find this article valuable. We will keep updating all the information with upcoming time.

Leave a Comment