If you choose to create a WordPress website yourself there are a lot of security tasks you may not be aware of, so here are 20 recommended security essentials when working with WordPress.
30,000 WordPress websites are hacked every day, so it is a huge problem, and most people are not aware of its scale. WordPress is one of the simplest and cheapest platforms on which to create a website, as it is Open Source with lots of amazing free themes.
The WordPress developers keep making the software more secure, but the hackers are as slippery as eels and learn to get around just about anything.
If you have been hacked and need some help, please contact us immediately as it needs to be fixed swiftly to minimise long term damage.
1. Secure hosting service
The most fundamental element of a good website is the server it is hosted on. The quality of the server is of utmost importance, not only for keeping personal data secure but for all the additional services: email tracking, logging of IP addresses, server access controls and so on.
Do not pick a host provider on price alone. If you do not have the technical knowledge to understand what you are getting from your host provider, either research it or ask the questions.
Your host provider is tasked with ensuring the servers are secure, high spec and operating at high speed for the websites hosted on them.
The hosting we offer runs cPanel, with all the additional functionality cPanel provides.
2. Cloudflare
We discovered Cloudflare many years ago and continue to use their service for all our websites. Cloudflare aims to make the internet more secure.
Cloudflare offers another layer of server protection and speeds up websites.
Cloudflare's web application firewall (WAF) is second to none at monitoring activity and blocking malicious attacks, and it keeps millions of websites safe.
Website – Cloudflare – server
Cloudflare has become a highly sophisticated cloud hosting solution we recommend for all WordPress websites.
3. HTTPS encryption
We made HTTPS mandatory following the Google announcement in July 2018 that visitors using Chrome who land on a site without https would get a warning saying ‘site is not secure’.
We took this to understand that sites without https would be downgraded by Google which is not good for our customers.
Every website should have https:// encryption as standard, not as an option.
4. PHP Management
WordPress is a Content Management System (CMS), which means the content is stored in a database and updated through it.
This database could also be vulnerable to attack if the site is not using the latest version of PHP. The PHP developers work continuously to fix bugs, close security vulnerabilities and improve efficiency, so it is vital that the website is running the correct version.
We are using PHP 7.4 for our websites at the time of writing. Each PHP version is only supported for 2 years.
See the WordPress stats
5. Security plugin
Every WordPress website should have a security plugin that acts as a firewall and offers data on who is trying to access the site and functionality to improve the security of the website.
Our preference is WordFence but there are others you can try:
- iThemes Security
- All in One WP Security
- Bulletproof
- Sucuri
Wordfence's basic features are free to use and quite extensive for small websites. They include:
- 2 Factor Authentication
- Whitelist IP addresses
- Permanently block IP addresses
- Turn off xmlrpc.php
- Email notifications of IPs trying to access the site
- Scan picks up file changes and offers a repair tool
- Hides WordPress version
There are lots more functions and WordFence developers offer lots of training and updates so they are a company to trust.
6. Turn off xmlrpc.php
xmlrpc.php has become quite a problem as a target for brute force attacks, so the cons outweigh the benefits of this function. Switch it off.
We switch this off in Wordfence, but there are ways to do this with other security plugins.
7. Hide WordPress version
It is easy to tell the WordPress version of a website just by looking at the page source. The WordPress version may indicate to a potential hacker that this site is out of date, and so potentially their next victim.
Hiding the WordPress Version is just another deterrent to hackers.
8. Database security
To create a new WordPress install you have to first create a Database.
When you create a database, give it a unique, random name and do the same for the user name, and use a good, strong, long password.
(Don’t call the database the same name as your business.)
When loading a new WordPress install it is recommended to change the database prefix from wp_ to something else, e.g. rf_. When you go through the set up process you will be given an option to change the prefix.
9. Secure login details
It is common practice to not use – admin – as your username for WordPress.
In fact, never use it! Create a unique user name and a very strong password, and reduce the number of login attempts from 20 to 3. Lock users out if they do not know their user name or password.
It goes without saying, keep your login details safely secured.
If they forget, they can easily reset this by using the link to reset password which sends an email to their email address to reset. If they are a hacker they won’t receive this.
10. Add 2 factor authentication
We use 2 factor authentication to access Facebook and other services so why not your most important asset?
You can switch on 2 factor in Wordfence using the Google Authenticator app.
You scan the QR code Wordfence shows you with your iPhone, then add the 6 digit code the app gives you into the website, and this gives you access to the website.
Only someone with access to your iPhone can get the code to access the site. Complete lockdown of access to the site via wp-admin.
11. Disable editing
Disable editing in the website dashboard. No-one except you and delegated colleagues should have administrator access to your website.
If you want people to write articles they should be given the correct access rights i.e. editor. Administrator access gives them FULL access.
12. File permissions
The files on the server have user permissions to read, write or execute.
The recommended WordPress file permissions are:
Folders – 755
Files – 644
wp-config.php – 440 or 400 (this file must not be readable by other accounts on the server)
Note – No directory should ever be 777.
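The permission scheme above, applied from the command line, as an added example that is not part of the original post. It sets 755/644/400 over a WordPress tree, counts anything still world-writable (the 777 case), and builds a small constructed tree with the wrong permissions so it can be tried without touching a live site; the directory you pass in is the only path it assumes.

```shell
#!/bin/sh
# Added example (not from the original post): apply the 755/644/400 scheme
# to a WordPress tree and report anything world-writable. The root directory
# is whatever is passed in; no real site paths are assumed.

# Set the recommended modes: 755 directories, 644 files, 400 wp-config.php.
harden_wp_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    # Use 440 instead if PHP runs as a different user that is in the owner's group.
    chmod 400 "$root/wp-config.php"
  fi
}

# Count directories that any account on the server can write to (777 included).
count_world_writable_dirs() {
  find "$1" -type d -perm -0002 | wc -l | tr -d ' '
}

# Constructed WordPress-like tree with the wrong permissions, for testing
# the functions above offline. Prints the path of the tree.
make_demo_tree() {
  demo=$(mktemp -d)
  mkdir -p "$demo/wp-content/uploads"
  printf '<?php // constructed sample\n' > "$demo/wp-config.php"
  : > "$demo/wp-content/uploads/photo.jpg"
  chmod 777 "$demo/wp-content" "$demo/wp-content/uploads"
  chmod 666 "$demo/wp-config.php"
  printf '%s\n' "$demo"
}

# Stand-alone run: harden the demo tree and show the before/after counts.
if [ "${1:-}" = "--demo" ]; then
  tree=$(make_demo_tree)
  echo "world-writable dirs before: $(count_world_writable_dirs "$tree")"
  harden_wp_permissions "$tree"
  echo "world-writable dirs after:  $(count_world_writable_dirs "$tree")"
  rm -rf "$tree"
fi
```

Run it with `--demo` to see the counts drop from 2 to 0 on the constructed tree; on a real site call `harden_wp_permissions /path/to/site` and check `count_world_writable_dirs` afterwards. If PHP executes as a different user from the file owner (not the case on most cPanel setups, where both are the same account), 400 on wp-config.php will break the site and 440 with the web server's group is the right choice.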
13. Hot linking
Hotlinking is happening more and more but there are ways to stop this practice.
Hotlinking is when someone uses your image on your website to display on their website but uses your server power, not theirs.
It is stealing and a copyright infringement. You must have a copyright notice on your website so you can legally pursue someone who hotlinks. Check whether your images have been hotlinked by using this search operator provided by Google.
inurl:yourwebsite.com -site:yourwebsite.com
Contact the sites that are hotlinking and request removal.
14. Update Plugins, themes and WordPress
This is a very important website management task and should be actioned by either yourself, your web host provider or someone delegated to manage the website.
As a website host provider I update all my hosted websites; it is a service included in the hosting fee.
Most of my customers do not have the time or the inclination to manage their website updates, and it is important that the sites run effectively.
A plugin update might be related to a security issue, so it's important the updates are carried out promptly.
Wordfence will send you a notification when plugins need updating.
15. WordPress security keys - salt
Check your wp-config.php file to ensure the salt keys have been added. You can update the salt keys at any time. They look like this (sample values only; never reuse the ones shown here):
define('AUTH_KEY', 'B>ibH`[hdA-;Avyr+ymv4ss7&[dTW~ZV&B5vXT|oe`ba>8zX8h#K*?88-aMLo(=K');
define('SECURE_AUTH_KEY', 'E={{n~BCOj[AGWjsHN?}_n%s*Nb8(~>Sb5FYYN6&&GZ|@))EC_~.{s(=.(jB6bn7');
define('LOGGED_IN_KEY', 'X9jV?BlMq9}hN8uTyiwK*g~`~JKAm(wGbQTI7t@TnUUiB]Mt_rc}H0@?W$&`i!m6');
define('NONCE_KEY', '(Ei20?b/[m2W9rQHi/.iC2T$Xa_B|F|(*@UXWQJNn^e7<^WwpruSTxhhG%`cg+*.');
define('AUTH_SALT', 'Oy[!y~2@~5mygYU6v}R XgCn],SO5UPI/*44-Vn-SM3)7oFE,sW:y-k1|d{7<aq)');
define('SECURE_AUTH_SALT', '54V` 2Hl+u&eB+=NLvVv{e+e$8RsyB+o$Sh3!q.XGSJ8!&I~_I{mmV0h5/ O3d8|');
define('LOGGED_IN_SALT', '-|=YwQ!KDs!p6hwKwQeSa-w]C}WH?NyIa@vLd:B-tV~O0d>u>3LI-](%OXd5!WYA');
define('NONCE_SALT', '10u`OC>khqe7-h/7G&7Plei=HyjpT-0[1,Vq?3-)%y>xh1;4DPuU%ic_Uf/X|]]k');
Make sure these keys are included; if not, copy and paste new ones, see below link.
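An added example, not code from the original post, that generates a fresh set of the eight keys locally and checks an existing wp-config.php for keys that are absent or still carry the stock placeholder. The eight key names and the 'put your unique phrase here' placeholder are the real ones from WordPress's wp-config-sample.php; the character set is chosen here to leave out quotes and backslashes so the values cannot break the single-quoted PHP strings.

```shell
#!/bin/sh
# Added example (not from the original post): generate WordPress keys/salts
# from /dev/urandom and audit a wp-config.php for missing or placeholder ones.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character random value; quotes and backslashes are deliberately
# excluded so the result is safe inside a single-quoted PHP string.
gen_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#$%&()*+,./:;<=>?@^_{|}~-' < /dev/urandom | head -c 64
}

# Print all eight define() lines, ready to paste into wp-config.php.
wp_salts() {
  for key in $WP_SALT_KEYS; do
    printf "define('%s', '%s');\n" "$key" "$(gen_salt)"
  done
}

# List keys that are absent from the given wp-config.php, or that still hold
# the 'put your unique phrase here' placeholder from wp-config-sample.php.
salts_missing() {
  config="$1"
  for key in $WP_SALT_KEYS; do
    if ! grep -q "define( *'$key'" "$config"; then
      echo "$key"
    elif grep "define( *'$key'" "$config" | grep -q 'put your unique phrase here'; then
      echo "$key"
    fi
  done
}

# Stand-alone run: audit the file given as the first argument, or print a
# fresh set of keys when no file is given.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  salts_missing "$1"
elif [ "${1:-}" = "--new" ]; then
  wp_salts
fi
```

`sh salts.sh /path/to/wp-config.php` prints the names of any keys that need attention; `sh salts.sh --new` prints eight defines to paste in. Changing the keys invalidates every existing login cookie, which is exactly what you want after a clean-up.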
16. Rename login
By default we login to a WordPress website by https://website.co.uk/wp-admin
Everyone knows this, including the hackers, so to keep the website more secure we change this to a different name, e.g. main or work.
To do this we can load a plugin that will change the name of the login url.
We highly recommend this for sites being targeted.
17. Computer must have security installed
None of what you do online will be secure if your computer is hacked and all your passwords are stored on it.
Norton is good, but there are others you can use. Always invest in computer security, because once your PC is infected it will become a serious issue.
18. Store backups - Jetpack
We have Jetpack installed on our server, so all the websites have a daily backup of files, database and email.
If your website is hacked on 10th January, we can just restore the website from 8th January, pre-hack, and the hack will be cleared. We will find the culprit and report them.
If you don’t have cPanel you must have a backup plugin, e.g. Backup wp.
You can manually back up your website by making a zip of the files and downloading the database.
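The manual backup just described, done from the command line, as an added example that is not part of the original post. It reads the database credentials out of wp-config.php instead of having you retype them, hands the password to mysqldump through a temporary option file so it never shows in the process list, and archives the site tree with tar. The wp-config.php it builds for the demo is constructed, the parser assumes plain single-quoted define() values, and the hypothetical paths are whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the original post): back up a WordPress site's
# files and database from the shell. Demo values below are constructed.

# Pull the value of a define('NAME', 'value') line out of wp-config.php.
wp_config_value() {
  sed -n "s/^define( *'$2', *'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Archive the whole site tree (wp-config.php included) into OUTDIR and
# print the archive path.
backup_files() {
  root="$1"; outdir="$2"
  stamp=$(date +%Y%m%d-%H%M%S)
  archive="$outdir/files-$stamp.tar.gz"
  tar -czf "$archive" -C "$root" .
  printf '%s\n' "$archive"
}

# Dump the database named in wp-config.php into OUTDIR. The credentials go
# into a mode-600 option file rather than onto the mysqldump command line.
backup_database() {
  root="$1"; outdir="$2"
  name=$(wp_config_value "$root/wp-config.php" DB_NAME)
  user=$(wp_config_value "$root/wp-config.php" DB_USER)
  pass=$(wp_config_value "$root/wp-config.php" DB_PASSWORD)
  host=$(wp_config_value "$root/wp-config.php" DB_HOST)
  opts=$(mktemp)
  chmod 600 "$opts"
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' "$user" "$pass" "$host" > "$opts"
  mysqldump --defaults-extra-file="$opts" --single-transaction "$name" \
    | gzip > "$outdir/db-$(date +%Y%m%d-%H%M%S).sql.gz"
  rm -f "$opts"
}

# Constructed site tree with a wp-config.php, for exercising the functions
# offline. Prints the path of the temporary directory.
make_demo_site() {
  demo=$(mktemp -d)
  mkdir -p "$demo/site/wp-content"
  cat > "$demo/site/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'demo_wp' );
define( 'DB_USER', 'demo_user' );
define( 'DB_PASSWORD', 'not-a-real-password' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'rf_';
EOF
  printf '%s\n' "$demo"
}

# Stand-alone run: archive the constructed site's files and list the archive.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_demo_site)
  tar -tzf "$(backup_files "$d/site" "$d")"
  rm -rf "$d"
fi
```

For a real site, `backup_files /home/account/public_html /home/account/backups` followed by `backup_database` with the same arguments gives you the two halves of a restorable backup. Keep the backups outside the web root, and remember that the archive contains wp-config.php with the database password in it, so it needs the same protection as the site itself.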
19. Monitor and get security alerts
Set up email notifications if anyone accesses the site, changes the files or new users are added to the site.
WordFence will notify the main admin of any important security alerts.
20. Http security headers
You can check your website for security headers here
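An added example, not from the original post, of the same kind of check done locally: it reads raw HTTP response headers and reports which of the commonly recommended security headers are absent. The six header names are the usual recommendations and are an assumption of this example, not something the post lists; SAMPLE_HEADERS is a constructed response, and the live_check wrapper fetches real headers with curl.

```shell
#!/bin/sh
# Added example (not from the original post): report which common security
# headers are missing from a response. Reads raw headers on stdin.

# Assumed set of headers worth having; not taken from the post.
RECOMMENDED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-frame-options referrer-policy permissions-policy"

# Print, one per line, each recommended header that does not appear in the
# response headers fed on stdin. Header names are compared case-insensitively.
missing_security_headers() {
  present=$(tr -d '\r' | tr 'A-Z' 'a-z' | sed -n 's/^\([a-z0-9-]*\):.*/\1/p')
  for h in $RECOMMENDED_HEADERS; do
    if ! printf '%s\n' "$present" | grep -qx "$h"; then
      echo "$h"
    fi
  done
}

# Fetch the headers of a live URL (-I HEAD request, -s quiet, -L follow redirects).
live_check() {
  curl -sIL "$1" | missing_security_headers
}

# Constructed response from a site that has set only two of the six.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/; secure; HttpOnly
'

# Stand-alone run against the sample; pass a URL instead to check a live site.
if [ "${1:-}" = "--demo" ]; then
  printf '%s' "$SAMPLE_HEADERS" | missing_security_headers
elif [ -n "${1:-}" ]; then
  live_check "$1"
fi
```

Against the sample this prints content-security-policy, x-frame-options, referrer-policy and permissions-policy. On a WordPress site these headers are normally added in the web server configuration (or .htaccess on Apache) or by a security plugin, and a Content-Security-Policy in particular should be tested in report-only mode first because themes and plugins often load inline scripts it would block.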
Summary
We are the internet generation where goods and services are now mostly traded online, payments are made online and we market ourselves online hence we will find more and more pilfering and opportunists.
One site I recently cleaned had been hacked just to add Amazon links. People are so desperate to get their commission that they hack legitimate websites to get the click-throughs.
In December 2021 there were over 1.6 million websites attacked by 16,000 IP addresses.
If you follow the rules and monitor your website you will manage to keep them at bay but you do need to be proactive. We manage our websites daily and monitor activity so if you want to hand the website over to us then get in touch.
If you website has been hacked get in touch and we will fix it for you.