How to Keep Your WordPress Site Secure

WordPress is the world's most popular CMS - and because of that, it's also the most frequently targeted. The good news is that a well-maintained WordPress site is very difficult to compromise. Here's how to keep yours locked down.

Keep Everything Updated

The majority of WordPress hacks exploit known vulnerabilities in outdated plugins, themes, and WordPress core. Enable automatic updates for minor releases, and check for plugin/theme updates regularly in your WordPress dashboard.

Use Strong Credentials

• Never use admin as your WordPress username - create a unique admin username during setup.
• Use a strong, unique password for every WordPress user account.
• Enable two-factor authentication using a plugin like WP 2FA.

Install a Security Plugin

Wordfence Security is the most popular option and provides a firewall, malware scanner, and login protection all in one. Solid Security (formerly iThemes Security) is another strong choice.

Harden Your Installation

• Set wp-config.php permissions to 600.
• Disable file editing in the WordPress dashboard by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.
• Limit login attempts and consider hiding the login URL.
• Remove unused themes and plugins completely - don't just deactivate them.

Enable ModSecurity

Enable ModSecurity in cPanel for your WordPress domain to add a server-level web application firewall. This blocks many common attack patterns before they reach WordPress.

If your WordPress site has been compromised or you need a security audit, contact our support team.