The “80/20” Approach to WordPress Security

Securing your WordPress site is essential, especially when your business depends on your website. Hiring someone to fix your site can get expensive. And if your website is unreachable for days, or even weeks, how much will that cost you in lost revenue?

The best approach to security is to start with prevention. It’s much faster and cheaper than having to deal with a hacked website. Although you can never secure your site completely, you can prevent the majority of attacks with a relatively small amount of effort.

Disclosure: This post contains affiliate links, which support my creation of new content. When you make a purchase through links on my website, I can earn an affiliate commission. There is no extra cost to you.

Check Your Site for Vulnerabilities

Use the free Sucuri scanner to do a quick check on your site for malware. If malware is found, or you otherwise think you’ve been hacked, you can sign up for Sucuri to have them fix your site.

If you want to fix it yourself, you can start with the Exploit Scanner plugin. It scans your WordPress installation for potentially malicious code. If you suspect your website has been hacked, run the scan to identify the source of the exploit. Keep in mind that Exploit Scanner, like most similar plugins, will often return false positives. If you’re going to fix your site yourself, you will need to have some technical knowledge about security and hacking to identify the real exploits.

Back Up Your Site

Before you make any changes to your site, it’s crucial to make a full backup of your site. Security changes, like other major site changes, will always carry a risk of breaking your site. It’s a good idea to keep regular backups anyway, but it’s especially important to create fresh backups right before making major changes. If something goes wrong, you want to be able to restore to the most current version of your site without losing your most recent changes.

I recommend using the free BackWPup plugin and setting up offsite backups to Amazon S3 (low cost cloud storage that will probably cost you less than $1/month unless you have a particularly large site and/or keep a lot of backups). I typically set up automatic daily database backups and weekly full (file) backups, and set the lifecycle for a year.

It’s important to have automatic offsite backups. You don’t want to store backups on the same server as your website. If your server goes down or gets hacked, you don’t want your backups to be in the same place.

Best Practices for Keeping WordPress Secure

1. Upgrade regularly.

Upgrade WordPress core, themes, and plugins frequently (at least once a month) in order to keep current with any patches for security vulnerabilities. Make sure to read the changelogs and be ready to fix any problems that occur from the upgrade, or roll back to earlier versions if you can’t fix the problem right away. If your hosting provider offers a staging site feature, you can use that to test your upgrades.

2. Use trusted sources for themes and plugins.

Use the theme and plugin repositories, and make sure to pay attention to the rating, downloads, update frequency, and the community sentiment in the related support threads. If you purchase third-party themes and plugins, make sure to do your due diligence. Don’t simply rely on the top results in Google searches – for instance, many of the top results for “free WordPress themes” contain themes with malware or spyware.

3. Check for unsupported themes and plugins.

Sometimes developers abandon support for their themes and plugins. You may be diligent about doing upgrades, but if the theme or plugin is no longer being developed, there will never be upgrades to fix security vulnerabilities, bugs, and compatibility issues. If a theme or plugin goes longer than a year without issuing an upgrade, consider switching preemptively to avoid future problems and conflicts.

4. Use a secure password.

Use long passwords (15+ characters) and change your passwords on occasion. Use combinations of letters, numbers, and symbols, don’t use passwords that are easy to guess, and don’t use the same passwords for different accounts. If you want an easy way to manage many secure passwords, sign up for LastPass.

5. Use a quality hosting provider.

Make sure your web host keeps their software updated and patched, and has a good track record for server-level security. If not, switch. I recommend Kinsta, Flywheel, or WP Engine for managed WordPress hosting. They will give you much better uptime, security, and site performance than cheap shared hosting, and they give you features like staging sites.

Basic WordPress Security Procedures

1. Set up iThemes Security (if you’re not on managed hosting).

The iThemes Security plugin makes it relatively easy to secure your website. If you’re using managed hosting like Kinsta, Flywheel, or WP Engine, they take care of security and you can skip down to #4.

The following are the essential changes I recommend making with iThemes Security. You can secure additional items, depending on your comfort level with technical changes. There are a lot of options, so make sure you understand what you are doing before making any changes. If you’re not sure about a change, you may want to consider skipping it rather than risk breaking something on your site.

  1. Click the button “Allow File Updates.” This gives iThemes Security permission to make more security changes.
  2. Click the button “One-Click Secure.” This performs many of the basic security changes all at once.
  3. Click the Settings tab.
    1. In the Global Settings panel, check the box for “Send digest email.”
    2. In the 404 Detection panel, check the box for “Enable 404 detection.”
    3. In the File Change Detection panel, check the box for “Enable File Change detection.”
    4. In the Strong Passwords panel, check the box for “Enable strong password enforcement.”
    5. In the System Tweaks panel, check the boxes for “Protect System Files,” “Disable Directory Browsing,” “Filter Long URL Strings,” and “Disable PHP in Uploads.”
    6. In the WordPress Tweaks panel, check the boxes for “Remove the Windows Live Writer header” (unless you’re using it), “Remove the RSD (Really Simple Discovery) header” (unless you’re using it), and “Disable File Editor.” Change the XML-RPC drop-down to “Disable XML-RPC” (unless you’re using XML-RPC), and the Multiple Authentication Attempts per XML-RPC Request drop-down to “Block” (unless you’re using XML-RPC).
    7. Click the Save All Changes button (anywhere on the page).
  4. Click the Advanced tab.
    1. In the Admin User panel, if you have a username “admin” or you are using a user ID of 1, then click the box for “Enable Change Admin User” and change the username and/or user ID.
    2. In the WordPress Salts panel, check the box for “Change WordPress Salts”.
    3. In the Change Database Prefix panel, if your database is using the default table prefix of “wp_”, check the box for “Change Table Prefix”.
    4. Click the Save All Changes button (anywhere on the page).

2. Move wp-config.php up one level.

This helps prevent access to your database information and other important data stored in wp-config.php. In your FTP program (or your web host file manager), find your wp-config.php file inside your public_html directory. Then move it up one directory level so it is outside of your public_html folder, at the same directory level as that folder.

If you have multiple websites installed in the public_html folder, or if you’re on managed hosting, skip this change.

3. Set correct file and folder permissions.

This prevents unauthorized access to your files. Use your FTP program to set all file permissions in public_html to 644, folder permissions to 755, and your wp-config.php file to 440 (some hosts may only let you do 640). You should be able to recurse subdirectories with your FTP program, so you won’t have to repeat these changes manually.

4. Delete unused themes and plugins.

Your theme and plugin files can be accessed by anyone who knows the URL (or can guess it). If any of them has a security vulnerability, a hacker could access it, even if it’s not activated on your site. You don’t want to get hacked via themes and plugins you’re not even using on your site. Reduce your risk by deleting any that you aren’t using.

5. Delete other unused software in your hosting account.

Similar to the previous item, if you have other software on your hosting account that you aren’t using, you can reduce your risk of getting hacked by deleting these files entirely.

6. Add additional directories to your robots.txt.

The robots.txt file suggests to search engines and other robots which files and directories to scan. If you do not have a robots.txt file in your public_html folder, create one and add the following lines to it:

User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /trackback
Disallow: /feed
Disallow: /comments
Disallow: /category/*/*
Disallow: */trackback
Disallow: */feed
Disallow: */comments
Disallow: /*?*
Disallow: /*?
Allow: /wp-content/uploads


Performing these steps and following these guidelines can get you a long way in securing your WordPress site. While there’s no way to guarantee you won’t get hacked, you can significantly reduce your risk with a relatively low investment of time.

Tips, tricks, and recommendations for improving your site

Learn from my 11+ years of experience building hundreds of WordPress websites, and turn your site into a well-oiled machine. By subscribing, you agree to our Privacy Policy.