
The Ultimate Guide to Harden WordPress Security

WordPress is continuously growing and has become a very popular CMS. As much as it became popular, hackers also took a keen interest in breaking its security. Security in WordPress is the most sensitive and essential issue.

Website owners do their best to make their sites successful. They work hard to protect their site from hackers. No doubt, having your site attacked is the most disappointing thing that can happen to an entrepreneur. In such an instance, you look for host support. But they are not always readily available.

To keep your site from being attacked, you must secure it, because it is always better to be safe than sorry.

Providing security to your site means reducing the chances of being attacked. It is a continuous process that you should manage. It’s all about using the proper security controls that best address the dangers and risks as they relate to your site.

Security mainly involves three factors: people, process, and technology. Each element works in synchronous harmony with the other. Without the people and their operations, the technology itself would be useless.

This guide will provide essential security concepts to help you harden WordPress security.

Web Hosting:

You need your own web host to run any website, and there are many options. Web hosting comes in several varieties: managed hosting, shared hosting, VPS hosting, etc. Each host handles security differently.

Some of them provide:

The site owner is also responsible for securing the areas they want to control and for changes made with the hosting option.

Security Concepts:

Hardening WordPress security is a super important step for keeping your digital empire safe. The main aim of this guide is to provide some basic security concepts you shouldn’t skip. Here are some security concepts that you should know:

  • Working Environment
  • Deep Defence
  • Least Privilege Principle
  • Web Server Security
  • Database Security
  • FTP or SFTP
  • Other Security Controls

Working Environment:

Workplace safety should never be taken lightly by any business. Due to the sensitivity and regulations associated with our data, it is essential to protect it and lower security incidents.

While securing Working Environment, keep these factors in mind:

  • Keep your local computer, browser, and routers up to date.
  • Always use anti-virus to protect from spyware, malware, and virus infections.
  • Use a VPN while moving in public places and using public hotspots to encrypt your online communications.

Deep Defence:

This concept, usually called defense in depth, promotes using security controls on every layer. It involves using a firewall as the most basic layer to keep out external attacks, a security scanner to find threats, and authentication control to prevent unauthorized access. Keep this in mind: every security control is designed to deal with bugs, warnings, and attacks directly.

Least Privilege Principle:

If you are allowing multiple editors and authors to access the site, make sure you give them only the limited access that is essential.

The principle is based on this idea: all user accounts at all times should run with as few privileges as possible. It’s all about giving users only the access they require.

It provides:

  • Better System Stability
  • Better security
  • Ease of deployment
  • Protection of data and functionality from faults and malicious behavior

Web Server Security:

Web server configuration plays a critical role in your Web application’s security. A slight mistake can cause lots of problems. The term covers protecting information assets that can be accessed from a Web server.

Sometimes a web server and its software contain vulnerabilities. While managing your host, always install security updates to the operating system, web server, PHP, and applications.

Generally, a Secure Sockets Layer (SSL) certificate is used to secure traffic to the web server. If you don’t have an SSL certificate installed on your website, you can set up Cloudflare flexible SSL on your website. In flexible mode, only the connection between the visitor and Cloudflare is encrypted; the connection from Cloudflare to your server still uses plain HTTP.

Database Security:

The database is the backbone of any site or blog. It holds the overall data of the website. Databases are complex, and an administrator does not always know the implications of not ensuring database security.

Not ensuring database security may invite hackers to get in and out of a database with a goldmine of data. The risks involved with databases vary depending on the type of information and the amount of importance it holds.

So, staying secure is essential to prevent embarrassing and costly incidents. Database security involves using controls that protect databases against confidentiality, integrity, and availability compromises.

It involves encrypting data during transmission, defining a user access control system, etc.

Providing Database Security:

  • Use parameterized queries to keep malicious requests out of your database and prevent SQL injection.
  • Keep only the features and services that are essential.
  • Keep your databases up to date. Remove any unknown components and enforce least privilege to ensure your databases’ confidentiality, integrity, and availability.
  • Use UPS to make sure any forced shutdown doesn’t cause data loss.
  • Keep your database clean. Use an Advanced database cleaner to clean and optimize the database.


FTP or SFTP:

FTP is an abbreviation for File Transfer Protocol. The protocol is used to transfer files between computers on a network. FTP is a popular method of transferring data between two remote systems.

Many experts suggest that instead of using FTP, you must use SFTP. SFTP stands for SSH File Transfer Protocol or Secure File Transfer Protocol. It is a separate protocol packaged with SSH that works similarly to FTP but over a secure connection.

SFTP is preferable to FTP because of its underlying security features and ability to piggyback on an SSH connection. Many graphical tools also support it.

Other Security Controls:

The consistently growing number of hacking attacks is a severe concern for bloggers. So, staying alert and maintaining security helps you protect your reputation. It also lets you offer your best service to visitors.

Create a Unique Username and Long Passwords:

WordPress gives a common username ‘admin’ during installation; you can either create a new account with administrative access and drop the old account or change the username from the database.

WordPress has a default admin URL, ‘wp-admin,’ that hackers can easily find. For security, change this URL, or password protect the admin directory.

By doing this, hackers won’t get the login URL. It reduces the chances of being attacked.

Similarly, short and simple passwords are easy to remember but also easy to guess. Using strong, long passwords can slow or often defeat various attack methods.

Protect WordPress Configuration wp-config.php File:

wp-config.php is the most critical file located in your WordPress root directory. It contains crucial information like database names and passwords. Thus, it is essential to protect this file to provide tight security to your WordPress blog/site.

Read the process of securing a wp-config.php file.

Always stay up-to-date:

Hackers can quickly identify an old version, and they don’t lose this golden opportunity. Keeping everything up-to-date ensures that your WordPress sites are secure against potential attacks.

It also involves updating themes, plugins, web applications, etc. to their latest versions.

Maintain Regular Backups:

With a proper backup, you can restore your data and get your blog/site running again. To ease this task, WordPress provides you with free plugins that will easily back up and restore your entire website in case of any problem.

Use Security Plugins:

Protecting your site from attacks or vulnerabilities keeps your website in a better position on the search engine. Like other plugins, security plugins are available in the WordPress plugin store. These popular plugins help you to reduce threats or vulnerabilities and secure your site.

Two-Factor Authentication:

Two-factor authentication is nothing but a two-step verification process. It provides an extra security layer and stops hackers from gaining access to the user’s account.

The most common type of attack is the brute-force attack. In this attack, hackers try many combinations of usernames and passwords until one gets in.

Two-factor authentication secures your website by requiring both a password to log in and a unique code sent to your mobile.

WordPress provides two-factor authentication plugins.

If you are using JetPack, I recommend using the Single Sign-On feature. It handles the authentication part of WordPress.

Files and Directory Permissions:

To enable certain functions, WordPress may need access to write files in your wp-content directory. To allow this safely, you need to specify, for files and directories, who can read, write, modify, and access them.

Permissions vary from host to host. These variations include changing them to be more restrictive.

The default permission scheme should be:

Folders – 755
Files – 644

For security concerns, avoid having any file or directory set to 777.

If you want to change the permissions, you need to give the following commands:

For files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

I recommend doing this by using FTP/SFTP.
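
An audit pass to run before the chmod commands above, added here as an example (it is not part of the original guide): it lists what deviates from the 755/644 baseline and what is world-writable, so you can see what will change. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the 755/644 baseline.

# List files that are not exactly 644 and directories that are not exactly 755.
wp_perm_deviations() {
    find "$1" -type f ! -perm 644 -print | sed 's/^/file /'
    find "$1" -type d ! -perm 755 -print | sed 's/^/dir /'
}

# List anything writable by "other" (777, 666, 757 and so on).
wp_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Build a small constructed tree with two deliberate deviations.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads" "$t/wp-includes"
    : > "$t/wp-config.php"
    : > "$t/index.php"
    : > "$t/wp-content/uploads/photo.jpg"
    find "$t" -type d -exec chmod 755 {} \;
    find "$t" -type f -exec chmod 644 {} \;
    chmod 777 "$t/wp-content/uploads"   # deviation: world-writable directory
    chmod 664 "$t/wp-config.php"        # deviation: group-writable file
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "Deviations from 755/644:"
wp_perm_deviations "$tree"
echo "World-writable:"
wp_world_writable "$tree"
rm -rf "$tree"
```

Point the two functions at your real install path instead of the sample tree to review it before changing any permissions.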

Disable File Editing:

WordPress primarily recommends disabling file editing within the WordPress dashboard. Do this by adding the following lines of code in wp-config.php:

// Disable File Editing in WordPress Dashboard

define('DISALLOW_FILE_EDIT', true);


If you don’t want the include-only scripts in wp-includes and wp-admin/includes to be accessed directly by any user, you can block them by using mod_rewrite in the .htaccess file.

Add the following code outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file.

# Block the include-only files

<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteRule ^wp-admin/includes/ - [F,L]
   RewriteRule !^wp-includes/ - [S=3]
   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
   RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress


The uploads directory is where all uploaded files are stored. Thus, it is a must to prevent PHP execution there. To do so, add the following lines of code to a .htaccess file at the root of /UPLOADS.

# Use only the block that matches your Apache version.
# Kill PHP Execution Apache 2.2
<Files *.php>
    deny from all
</Files>
# Kill PHP Execution Apache 2.4
<FilesMatch ".+\.php$">
    Require all denied
</FilesMatch>
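
A static check for this rule and for the DISALLOW_FILE_EDIT setting above, added as an example and not taken from the original guide; the function names and the sample site are constructed. The .htaccess check is a text match on the two deny rules shown here, so it cannot confirm that Apache actually honours .htaccess files (that depends on AllowOverride).

```shell
#!/bin/sh
# Added example: static checks for the uploads rule and the file-editing setting.

# PHP files already sitting under the uploads directory. Uploads normally
# hold media only, so every hit deserves a look.
uploads_php_files() {
    find "$1" -type f -name '*.php' -print
}

# True if the uploads .htaccess contains one of the deny rules from this guide.
uploads_denies_php() {
    [ -f "$1/.htaccess" ] &&
        grep -Eiq '^[[:space:]]*(Require all denied|deny from all)' "$1/.htaccess"
}

# True if wp-config.php sets DISALLOW_FILE_EDIT to true on an uncommented line.
file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Build a constructed sample site: hardened config plus one stray script.
make_sample_site() {
    s=$(mktemp -d) || return 1
    mkdir -p "$s/wp-content/uploads/2024"
    printf '%s\n' "<?php" "define('DISALLOW_FILE_EDIT', true);" > "$s/wp-config.php"
    : > "$s/wp-content/uploads/2024/photo.jpg"
    : > "$s/wp-content/uploads/2024/avatar.php"   # constructed stray script
    printf '%s\n' '<FilesMatch ".+\.php$">' 'Require all denied' '</FilesMatch>' \
        > "$s/wp-content/uploads/.htaccess"
    printf '%s\n' "$s"
}

site=$(make_sample_site)
up="$site/wp-content/uploads"
echo "PHP files under uploads:"
uploads_php_files "$up"
uploads_denies_php "$up" && echo "uploads .htaccess: deny rule present" \
    || echo "uploads .htaccess: deny rule MISSING"
file_edit_disabled "$site/wp-config.php" && echo "DISALLOW_FILE_EDIT: set" \
    || echo "DISALLOW_FILE_EDIT: NOT set"
rm -rf "$site"
```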

Check indexing status and optimize visibility:

You can check your site status using free services like Google search console and the Bing webmaster tool, including indexing and optimization.

These tools are also known as reputation monitor tools.

So, these are some essential tips for security fundamentals that will surely help you harden WordPress security and what action you should take next. Did I miss something? Let me know in the comments.

Amit Malewar
Amit Malewar has been the tutorial writer since 2013. His passion for helping people in all aspects of technology flow through the expert coverage he provides. In addition to writing for InfoPhilic, Amit loves to read and try new things.
