The Ultimate Guide to Harden WordPress Security

WordPress is continuously growing and becomes a very popular CMS. As much as it became popular, hackers are also taking a keen interest in breaking its security. Security in WordPress is the most sensitive and essential issue.

Website owners do their best to make their site successful. They work hard to protect their site from hackers. No doubt, having your site attacked is the most disappointing things that can happen to an entrepreneur. At such an instance, you look for host support. But they are not always readily available.

To make it not to get attacked, you must provide security to your site because it is always better safe than sorry.

Providing security to your site means reducing the chances of being attacked. It is a continuous process that you should manage. It’s all about utilizing the proper security controls that best help address the dangers and dangers as they relate to your site.

Security mainly involves three factors: people, process, and technology. Each element works in synchronous harmony with each other. Without the people, and their operations, the technology itself would be useless.

In this guide, I will provide you basic security concepts that will help you to harden WordPress security.

Web Hosting:

To drive any website, you need to own a self web-host to have a wide range of options. Choosing web hosting comes in varieties- managed hosting, shared hosting, VPS hosting, etc. Each host handles security disparately.

Some of them provide:

With hosting option, the site owner is also responsible for securing the areas that he/she want to have control over and for changes made.

Security Concepts:

Harden WordPress security is a super important step for keeping your digital empire safe. The main aim of this guide to provide some basic security concepts that you shouldn’t skip. Here are some security concepts that you should know:

  • Working Environment
  • Deep Defence
  • Least Privilege Principle
  • Web Server Security
  • Database Security
  • FTP or SFTP
  • Other Security Controls

Working Environment:

Workplace safety should never be taken lightly with any business. Due to the sensitivity and regulations associated with our data, it is essential to protect it and lower the security incidents.

While securing Working Environment, keep these factors in mind:

  • Use an updated version of your local computer, browser, and routers.
  • Always use anti-virus to protect from spyware, malware, and virus infections.
  • Use a VPN while moving in public places and using public hotspots to encrypt your online communications.

Deep Defence:

This concept promotes the use of every single security approach on every layer. It involves using a firewall at very basic to avoid external attacks, using a security scanner to find threats in events, authentication control to prevent unauthorized access. Keep this in mind; every security aspect are designed to fix the bugs, warnings, and attacks directly.

Least Privilege Principle:

If you are allowing multiple editors and authors to access the site, make sure you are enabling them with only limited resources that are essential.

The principle-based on this idea: all user accounts at all times should run with as few privileges as possible. It’s all about giving limited access to users they require.

It provides:

  • Better System Stability
  • Better security
  • Ease of deployment
  • Protection of data and functionality from faults and malicious behavior

Web Server Security:

Web server configuration plays a critical role in your Web application’s security. A small mistake can make lots of problems to face. The term involves the protection of information assets that can be accessed from a Web server.

Sometimes a web server and the software contains vulnerabilities. While managing your host, always install security updates to the operating system, web server, PHP, and any applications.

Generally, the Secure Sockets Layer (SSL) certificate is used to carry out Web server security. If you don’t have SSL on your site, you can setup Cloudflare flexible SSL on your website.

Database Security:

The database is the backbone of any site or blog. It holds the overall data of the website. They are complex, and an administrator does not always know the implications of not ensuring database security.

Not ensuring database security may invite hackers to get in and out of a database with a goldmine of data. The risks involved with databases vary depending on the type of information and the amount of importance it holds.

So, staying secure is essential to prevent embarrassing and costly incidents. Database security involves using the terms that protect databases against compromises of their confidentiality, integrity, and availability.

It involves encryption while data transmission, defining user access control system, etc.

Providing Database Security:

  • Use parameterize queries to keep malicious requests out of your database and prevent from SQL injects.
  • Keep features and services only that are essential.
  • Keep your databases up to date. Remove any unknown components, and enforcing least privilege parameters to ensure the confidentiality, integrity, and availability of your databases.
  • Use UPS to make sure any forced shutdown doesn’t cause data loss.
  • Keep your database clean. Use Advanced database cleaner to clean and optimize the database.


FTP is an abbreviation for File transfer protocol. The protocol is being used to transfer files between computers on a network. FTP is a popular method of transferring data between two remote systems.

Many experts suggest, instead of using FTP, you must use SFTP. SFTP stands for SSH File Transfer Protocol or Secure File Transfer Protocol. Initially, it is a separate protocol packaged with SSH that works similarly over a secure connection.

SFTP is preferable to FTP because of its underlying security features and ability to piggy-back on an SSH connection. It also involves many graphical tools.

Other Security Controls:

Consistently growing hacking attacks are a severe concern for bloggers. So, staying alerted and maintaining security helps you protect reputation. It also offers your best service to the visitors.

Create a Unique Username and long-tail passwords:

WordPress gives common username ‘admin’ during installation; you can either create a new account with administrative access and drop the old account or change the username from the database.

WordPress has a current admin URL is ‘wp-admin’ that hackers can easily find. But for security concerns, change this URL, or you can password protect admin directory.

By doing this, hackers won’t get the login URL. It reduces the chances of being attacked.

Similarly, short and simple passwords are easy to remember. Using strong and long-tail passwords can slow or often defeat various attack methods.

Protect WordPress Configuration wp-config.php File:

Wp-config.php is the most critical file located in your WordPress root directory. It comprises overall important information like database name and passwords. Thus, it is essential to protect this file to provide tight security to your WordPress blog/site.

Read the process of securing a wp-config.php file.

Always stay up-to-date:

Hackers can quickly identify an old version, and they don’t lose this golden opportunity. Keeping everything up-to-date ensures that your WordPress sites are secure against potential attacks.

It also involves updating the latest version of themes, plugins, web applications, etc.

Maintain Regular Backups:

With a proper backup, you can drive a blog/site with restored data. To ease this task, WordPress provides you free plugins that will easily backup and restore your entire websites in case of any problem.

Use Security Plugins:

Protecting your site from attacks or vulnerabilities keeps your website at a better position on the search engine. In its plugins store, likewise other plugins, WordPress provides security plugins too. These popular plugins help you to reduce the threats or vulnerabilities and secure your site.

Two-Factor Authentication:

Two-factor authentication is nothing but the two-step verification process. It provides an extra security layer and stops gaining hacker access to the user’s account.

The most common types of attacks are the Brute-force attack. In this attack, hackers try many combinations of usernames and passwords multiple times, until it gets in.

Two-factor authentication secures your website by requiring a password to log in, and a unique code sent to your mobile.

WordPress provides two-factor authentication plugins.

If you are using JetPack, I recommend using the Single Sign-On feature. It handles the authentication part of WordPress.

Files and Directory Permissions:

To enable certain functions, WordPress may need access to write files in your wp-content directory. To do so, you need to specify files and directories with who and what can read, write, modify, and access them.

Permissions changes host to host. These variations include changing them to be more restrictive.

The default permission scheme should be:

Folders – 755
Files – 644

For security concerns, avoid having any file or directory set to 777.

If you want to change the permissions, you need to give the following commands:

For files:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

I recommend doing this by using FTP/SFTP.

Disable File Editing:

WordPress mostly recommends disabling file editing within the WordPress dashboard. Do this by adding the following lines of code in wp-config.php:

// Disable File Editing in WordPress Dashboard

define('DISALLOW_FILE_EDIT', true);


If you don’t want any scripts to be accessed by any user, you can block them by using mod_rewrite in the .htaccess file.

Add following code outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file.

# Block the include-only files

<IfModule mod_rewrite.c>
   RewriteEngine On
   RewriteBase /
   RewriteRule ^wp-admin/includes/ - [F,L]
   RewriteRule !^wp-includes/ - [S=3]
   RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
   RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
   RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress


It is the directory where all files are uploaded separately. Thus, it is must to avoid PHP execution here. To do so, add the following lines of code in .htaccess at the root of /UPLOADS.

# Kill PHP Execution

<Files *.php>
    deny from

Check indexing status and optimize visibility:

You can check your site status, including indexing and optimization, by using free services like Google search console, Bing Webmaster tool.

These tools are also known for reputation monitor tools.

So, these are some essential tips for security fundamentals that will surely help you to harden WordPress security and what action you should take next so. Did I miss something? Let me know in the comments.

Comment Policy: Your words are your own, so be nice and helpful if you can. Please, only use your real name and limit the amount of links submitted in your comment. We accept clean XHTML in comments, but don't overdo it please.


Please enter your comment!
Please enter your name here


WP Rocket

Get 35% discount on WP Rocket plugin Now!


Start WordPress Blog: Ultimate Guide For Beginners

Here is our step by step guide for beginners to start a WordPress blog.

Top 6 Best WordPress Theme Frameworks

There are many websites themes which are created by using a framework. Likewise, WordPress Theme frameworks also becoming so popular. The framework allows you...

The Most Essential WordPress Plugins

Here, I have listed some excellent plugins which will surely add more features and new functionality to your WordPress blog.

Tips to Speed Up WordPress Performance

Here, I am sharing some tips to speed up WordPress performance. All you need to modify .htaccess file on your server and add some plugins.

The Ultimate Guide to Harden WordPress Security

Learn how to improve WordPress security. Here are some basic security concepts that will help you to harden WordPress security.

How to Setup CloudFlare Free SSL for WordPress Blog

Google has announced that they will count HTTPS as a ranking factor which means if you using HTTPS you will get a higher position...


Get almost 100% PageSpeed on Newspaper theme

The newspaper theme is the most popular premium theme for a self-hosted WordPress blog. The theme is developed by team tagDiv. You...

How to Delete Multiple Images in WordPress Media Gallery

Hey, guys today one of my friends asked me a question, How can I delete Multiple Images in WordPress? I replied, "It's very simple." Yeah,...

How to setup CloudFlare CDN for WordPress blog

In today's world website speed is a crucial element to getting good ranks on the web. Website speed also aids in indexing...

How To Reduce Admin-Ajax Server Load In WordPress

To increase better user experience, we always end up by increasing site speed. After clicking a website link seems like a simple...

How to Remove jQuery Migrate in WordPress?

jQuery Migrate greatly simplifies the process of moving older jQuery code to a higher jQuery version by identifying deprecated features. It then restores deprecated...