15 Step Guide To Securing Your WordPress Website

About The Author
Cabe Nolan is the founder of WP Cover where he shares his insight into WordPress, development, & entrepreneurship. Outside of WPCover, Cabe continues to run a successful WordPress development firm, Bold City Design as well as a few high profile websites, Arrivala, Two Way Resume, Dock Skipper, and a successful outdoors brand, DolfinPack.

15 Step Guide To Securing Your WordPress Website

First a few stats to astonish you:

  • WordPress sites around the globe publish 17 posts every second. That is 1,023 posts per minute, or just about 1.5 million per day.
  • The combined traffic to WordPress websites is 14.7 billion monthly pageviews. That’s billion with a B.
  • WordPress blogs received 5.5 million comments per month. It’s safe to safe humans like to talk.
  • Over 75 million sites depend on WordPress. That’s about one site per person in the country of Turkey.
  • 22% of new U.S. registered domains run on WordPress. Out of every 100 domains registered in the U.S., 22 of them will hold a WordPress website.
  • com gets more unique visitors to it’s site than Amazon (and it’s not even that close of a comparison).
  • The average WordPress developer charges about $50 per hour.
  • And to lead us into our guide, only about 22% of WordPress websites on the internet are up to date, running the latest version of the CMS platform.


A few questions to consider while reading this guide:


How much time to do you spend on your website?

The average hourly wage in the U.S. as of July 2015 was about $25/hour. The cost for a WP Cover plan starts at $79/month. Therefore, if you spend more than three hours on your website per month, performing the tasks listed below, it would probably be worth your time to invest in one of our support packages! Get back to business, let us handle your website maintenance, backups, security, and small changes.

What will be the cost if your website was hacked?

Most websites go months before the owner even realizes their website was hacked. Why? Hackers do not want to make it obvious that they’ve manipulated your website. Rather, they like to install scripts & malware in unseen places of your website, thus benefiting them & damaging your reputation with search engines. As soon as you as a website owner realize your site has been hacked, you are obviously going to take action to fix it. The longer the hackers are able to invade your site, the more benefit they get.

If your website does become hacked, you will probably incur the following costs:

  • Loss of business – If people cannot access your website, they will be unable to access your information. It reflects poorly on your as a business and damages your credibility. Cost: hundreds to thousands of dollars
  • Loss of reputation – If your site becomes hacked, you will immediately begin to fall in search engine ranking. Remember that SEO company you paid $2000 to last month to beef up your organic ranking? That money is out the door. It could take months or years to earn back your reputation. Cost: hundreds to thousands of dollars
  • Loss of website – Did the hackers destroy your website? There goes that $2,000 – $10,000 you spend developing it. Cost: hundreds to thousands of dollars.
  • Loss of time – Oh, and then there’s the week of work that you missed and loss of sleep you incurred because of all the stress in trying to get your website back up. Cost: priceless

Those are just a few of the costs you would incur due to a lack in website security. I think we can chalk it up to thousands of dollars in recovery costs.


Finally, on to the main event:


Keep WordPress, themes, & plugins up to date

If you ignore every other point in this guide, please do not ignore this one. Write it down on your planner; add it as a weekly recurring event in your phone as a reminder. It is absolutely imperative that you keep WordPress core, plugins and themes up to date. Do you think they’re releasing these updates just to make your life hard? Yes, some of the updates might be feature additions but the majority of software updates are to fix bugs, and close down security vulnerabilities.

As a side note, ensure you are taking a backup of your website prior to performing a WordPress update just in case anything goes wrong.


Cut back on plugin usage

Cutting back on plugin usage may sound hard at first but its benefits can be vast:

  • Cutting back on plugin usage will speed up your site. Less plugins, means less files to load.
  • Cutting back on plugin usage means less plugins to keep updated. This equates to less vulnerabilities and less entrances for hackers.


Use a security plugin

This may sound contradictory to point two, but it is almost always imperative to have a security plugin installed. Now, if you are a WordPress developer with good experience, it may not be necessary as you can probably perform the tasks without a plugin. However, for the masses, a good plugin like iTheme Security, will do wonders for a site and will take care of the heavy lifting for you.


Delete unused plugins & themes

If you’re not using it (meaning its not activated) it shouldn’t be there. All you are doing is providing more access points for hackers and more directories you have to keep clean. If you’re not using a plugin or theme, delete it!


Don’t download premium themes or plugins for free

This is a point that is often overlooked. You may have developed your own website, times were tough and you were trying to save every penny you could. However, not only is it wrong to download peoples hard work illegally for free, there’s a good chance it’s going to come back and bite you later! Yes, karma can sneak up on you, and quick. You know those same shady people who are stealing those plugins and themes and offering theme as a free download to you? Well, before offering up free material, there’s a decent chance they’re sticking in some malicious code into the theme or plugin so they can sneak back into your site in a couple weeks and place their own malware. It’s just not good practice, bite the bullet, support the author of the theme or plugin, and get the clean version.


Don’t use ‘admin’ as your username

This sets your site up for major brute force issues. Since ‘admin’ was previously the standard username, hackers assume it is still probably in the system and will guess hundreds of thousands of passwords with the username admin in an effort to break into your site. Changing your default username can be done via PHPMyAdmin, or many security plugins such as iThemes Security.


Use strong passwords

In today’s day and age, this shouldn’t even need to be mentioned. Memorize a strong password and utilize is. Your site should never be broken into due to a weak password, that is just asking for trouble. A strong password is considered a string of 10+ characters using a combination of capitalized letters, lowercase letters, numbers, and symbols.


Use a trusted web host

Not all web hosts are created equal. This is an understatement. Not all web hosts are created even close to equal. A recent report cited that 41% of WordPress websites are compromised due to a hosting or server vulnerability. Ensure you are utilizing a service provider that is trusted and keeps their systems up to date. If you have a question about finding a trustworthy hosting provider, get in contact with us on WP Cover. We can assist and even handle the migration of your website for you!


Limit user logins

Hackers use brute force attacks to break into WordPress installations. A brute force attacked is characterized by an external person or robot attempting thousands of login attempts on your website every second. This not only could compromise your login credentials, it can also severely impact the speed of your site by increasing server load. Once again a plugin like iThemes Security has a feature that can block IP addresses after 5 invalid login attempts.


Eliminate the plugin and theme editor

If you’re a developer that routinely makes changes to plugins and themes via the built in editor, you may want to regard this point. For the majority of users, you are probably not touching these files very often or you are making the changes via FTP. If you are part of the majority, consider adding this snippet of code to your wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );


Eliminate PHP error reporting

Beefing up, or hardening, as most developers prefer to call it, is a process of closing as many holes or weak spots as possible. One way to take it a step further is to ensure that plugins or themes that may not be working correctly don’t display errors messages that hand over your full server path on a silver platter. One way to do this is eliminating PHP error reporting. To do this, simply add the following code to your wp-config.php file:


@ini_set(‘display_errors’, 0);


Protect WP-Config.php at all costs

Your wp-config.php file is the heart of your WordPress installation. It holds the probably the most important pieces of data on your entire site. Protect it at all costs! One way to do this uses the .htaccess file on your server. The .htaccess file will be in the same directory as your wp-config.php file on a standard WordPress install. Add the following code to the top of the file:

<files wp-config.php>

order allow,deny

deny from all



Changing File Permissions

You may or may not have heard of file permissions. They are in the form of 644 or 755. They control who can read, write, and execute files on your server and are very important. As a general rule of thumb for WordPress websites, folders should be given the permission of 755 and files should be given 644. More than likely if WordPress was automatically installed on your system, it already has the correct file permissions. As an extra security measure, many people recommend setting your wp-config.php file to a permission of 600. In most cases you can also set your .htaccess file to a permission of 604 for extra security.

File permissions should be changed using an FTP program. There are many guides online for changing file permissions, here is WordPress’s guide: http://codex.wordpress.org/Changing_File_Permissions#Using_an_FTP_Client


Backup Often

This should probably be up near the top of the list rather than the bottom. Backing up your website on a regular basis should be as important as brushing your teeth. Don’t trust your web hosts word that there is backup available, take your own! Store it at an external location like Google Drive, Dropbox, or an external hard drive at your home or business. Even if everything else on this list fails, having a complete backup available to deploy at a moments notice will always be your backup (get it?) plan.


Have an emergency plan

Websites get hacked, it happens. Following this guide will most definitely put your website in an almost untouchable state but there are always unforeseen issues that may arise. Ensure you have an emergency plan in place should this ever happen to you. Who will you call or email? How will you share your most recent backup with them? How will it be deployed? If your website being down could cost you thousands, why not spend a couple hundred ensuring you have a plan in place should something go wrong. Another option is to pickup a WP Cover plan. Not only do we provide security services and regular backups, we’re also able to react quickly should an issue ever arise.


Wrapping Up

Securing your WordPress site should be one of the most important things on your list. How big of an asset is your website? If you’re like most business owners, it’s probably pretty high on your list. Security plugins are great and can be a huge asset, but hopefully we touched on a few points here that your security plugin may not be taking care of. In the end, if you feel some of this is over your head, or you feel your time is better spent doing what you do best: growing your business, give WP Cover a look. We’re a team of WordPress experts that handle one thing, your WordPress maintenance & security.

Thank you for following along and making the extra effort to make the internet a safer, and more enjoyable place.


  1. Awesome article. Everybody needs their head wrapped around security, definitely some points to implement

    1. Cabe Nolan says:

      Thanks for the feedback!

Share Your Thoughts

Leave a Reply

Your email address will not be published.

Related Stuff You Might Like

WordPress News, Tips, & Code Snippets

Join the WP Cover mailing list and get wordpress news, tips, code snippets, security warnings, and more delivered right to your inbox.  We won't flood your inbox, newsletters typically go out every 1-2 weeks unless it involves an important security release.

You have Successfully Subscribed!