Hardening and protecting WordPress websites

All applications and solutions including WordPress have default naming approaches and settings that are commonly known by users. Offering a basic starting block, these default settings give users the flexibility in implementing and building solutions as per their requirements. These, however, could be exploited if not tightened or hardened. Risks need to be reduced and managed; taking preemptive steps to harden security go a long way in closing easy backdoors for those looking at exploiting a website. Potential risks include service disruption, stolen user information, phishing, malware distribution to users and subscribers, website redirection, account takeover, and domain blocklisting to name a few.

Common avenues that compromise a website and possible interventions

The leading reasons for compromised websites have included:

  • Hosting-related security vulnerabilities
  • Theme weaknesses being exploited
  • Plugins being exploited
  • Human Error: Weak passwords, outdated software, and applications using insecure connections

1. Addressing hosting-related challenges

  • While selecting a hosting provider for the website, review the secure performance history and interventions by the provider.
  • Review security and hardening practices at the hosting level. The most common hosting security features include: Firewall and distributed denial-of-service (DDoS), virus protection at the host level, and SSL security certificate and domain owner detail masking.
  • While large hosting providers are of high interest for hackers, they tend to invest in security improvement and tightening as their experience grows. This may or may not be possible for smaller hosting providers.
  • Build a clear understanding of how and what the hosting provider protects; the remaining unprotected portions will be website owner or admin’s responsibility.
    • A secure hosting provider who does not manage a webserver, usually protects the availability, privacy, and authenticity of infrastructure resources (the physical or virtual server on which a website is hosted). The security of the webserver and its applications remains the responsibility of the web admin.

2. Addressing theme-related challenges

  • Themes are available within WordPress. There are both free, buyable, or custom (imported from a third-party) themes.
    • Professional themes available for free or for a price are regularly updated to address known security and performance issues. Only minor updates may automatically apply and it is the site owner’s responsibility to check and test major updates before implementing them on a live site. There are plugins that track theme updates and send a notification with information about new versions or updates being published.
    • Custom themes that are sourced from unknown or non-verifiable developer sources present the risk of security vulnerabilities that could expose the WordPress site to malware and hacking possibilities. These risks could be due to poor code and/or malicious code insertions. Patching security weakness and similar follow-up services may not always be an option, adding to the risk of custom themes.
  • Installing provisions for themes and plugins can be disabled on WordPress through the admin module. This hardening approach may work for some sites that use themes and plugins without frequent updates

3. Addressing plugin-related challenges

  • The WordPress Admin page has detailed information on listed plugins. This should be checked before installation; WordPress regularly updates and flags issues with plugins when discovered. This advisory remains till the plugin passes WordPress acceptance. Use WordPress plugins where possible rather than third-party custom plugins.
  • Plugins that need write access to WordPress files and directories should be code checked. To check for known issues with plugins, go to https://wordpress.org/support/welcome/, chat with other WordPress users on the forums, or reach out to the plugin supplier.
  • Once a plugin is installed, it’s good practice to run a malware and vulnerabilities scan.
    • Some online malware scanners check for malware through software algorithms that crawl the URL entered to identify known malware and suspected malicious code. There are plugins that do this as a routine task, too.
    • Similarly, if site performance degrades inexplicably, running the malware scanner is a good idea.
  • Disable and delete all unused plugins.
  • Some plugins may need and allow PHP or other code to execute from entries in a database, which creates a risk if the website is compromised. A workaround used in conjunction with locking or disallowing file editing is to use a custom page template to call the function.

4. Other actions that can be taken to harden and protect your WordPress website

Keep everything updated

  • Usually, updates are triggered due to known issues, incompatibilities, and vulnerabilities. Installing updates and patches help harden the website. Keep WordPress and its supporting applications like the database, PHP, and others updated
  • Major updates to WordPress and supporting applications may need testing before roll out. This will ensure that the website and the customizations, if any, all work as intended. If the update is found to be incompatible with other parts of the website, one approach is to assess the vulnerability that is addressed through the new patch or update and its impact on your website instance. If there is an impact, you need to decide whether to invest in upgrading or changing the incompatible portions of the website. Meanwhile, consider disabling or removing compromised sections of the website.

Keep strong access approaches

Websites can be accessed by website admins, registered users or subscribers, and casual site visitors. The following approaches help reduce vulnerabilities for those accessing and the website.

  • Strong Password Strategy – WordPress has a built-in random secure password generator capability. Admin Module > My Sites > Users > UserProfile > Security.
    • Consider setting up Two-Step Authentication as an added security approach. Once enabled, logging in to WordPress will require entry of a unique passcode generated by an app on the user’s mobile device or sent via text message in addition to the username and password. This adds another layer of security while logging in.
    • This strong password approach should be used across different interfaces including host/admin, database, File Transfer Protocol (FTP) accounts, and primary site email addresses of domain/web admins.
  • Add more challenge interfaces: Implement CAPTCHAs that users much complete before they can post, discuss, comment, offer feedback, and respond to the website. This will ensure that bots do not create mass entries and malicious feeds into your discussion threads.
  • Consider setting up auto-logout for idle users in WordPress. This will need a plugin to help monitor and logout inactive users.
  • Use Secure File Transfer Protocol (SFTP) instead of FTP to upload and manipulate files on the webserver. This keeps your user information encrypted while performing transfers.

Change defaults

Take backups and maintain restorable files before making changes.

  • Default admin: The default administrator name on WordPress is "admin." If this isn't changed, it becomes an open door for those looking for vulnerabilities. Bots can keep trying password combinations (brute-force attack) to attempt a break-in. Similarly, the default URL for admin login is website.com/wp-admin. Changing this will ensure that those looking to execute password combination attempts towards the default link do not get access to the admin login page.

    Additionally, the maximum failed login attempts can be changed from the to a restricted number of times, after which the defaulting IP or user is barred from accessing the website

  • Default naming conventions: WordPress WP_ table_prefix: By default, the WordPress database uses WP_ as a prefix to data tables. Experience has shown that a number of know WordPress-specific SQL-injection attacks have used the table prefix as WP_. Changing this to another random prefix will break any SQL injection attack that uses this assumption. Changing the database prefix is done through the wp-config.php file and changing database table names is done through phpMyAdmin.
  • Default file permissions::

    1. Lock down write and delete file permissions where possible. This an effective approach, especially when hosted on shared environments allowing web server user or selected user(s) write access. These restrictions can be loosened when write access is needed. Create separate folders with limited restrictions to allow upload of files by users if needed.

    2. Database hardening:

    • Assign a unique user ID to manage each blog. Have an individual database for each blog, instead of the default user and a single database for all blogs. This can be set while setting up the WordPress installation and works as a containment strategy. If a WordPress blog installation is compromised, this stops intruders from gaining access to and altering other blogs.
    • Secure the database (if you are the database admin). Disable features that are not used by your configuration. For example, if the feature of accepting remote TCP connections is not needed, disable it. Most operations including posting blogs, uploading files, posting comments need only data read and data write privileges to the database. Removing user database administration access will ensure that applying changes to the database structure is not possible for unauthorized users. This works as a containment approach if the installation is compromised. The vaveat, however, is that some major updates and supporting applications (including themes and plugins) may require access to make structural changes in the database (including addition of new tables or changes in the schema). The work around is to temporarily allow required privileges before installing or updating the plugin, theme, or application.

Hardening through .htaccess and wp-config.php files

.htaccess and wp-config.php are important files in a WordPress installation and must be secure and protected.

  • The .htaccess is a distributed configuration file used by Apache (web server software) to understand configurations on a per-directory basis. Based on additional instructions in .htaccess, WordPress instructs Apache how files from its root directory and subdirectories must be managed. For example, the .htaccess file is modified to be able to handle Pretty Permalinks.
  • Disable PHP file and script execution in directories that do not need this facility. For example, upload folders where a user can upload a file don't need to allow PHP file and script execution. These settings can be adjusted in the .htaccess file and kept in the hardened folder. The Apache server will read these instructions in the .htaccess file and disallow any PHP file execution in the upload folder.
  • wp-config.php could be saved in a directory above the root directory that WordPress installs into. Ensure that file read/write permissions are in place for the admin and read permissions are in place for the web server.

Maintain audit logs and backup/restore capabilities

  • An audit log helps track all activities and changes to the WordPress site. This can include user activity like logins, logouts, updates, posts, and application update activities.
  • The activity log can be referred to for any suspicious activity or changes made. There are backup plugins that allow restoration to a specific point in an audit log. Notifications can be set for critical website changes initiated.

General good practices

  • Compromised computers, if used for admin-related work on the web server, can be used to gain access to confidential information through keyloggers, viruses, spyware, or malware.
  • Compromised local network: If an admin or user is on a compromised local network and accessing the web server for admin related work, confidential information could be extracted.
  • Monitor actively: Monitor logs to track changes to files and applications. Third-party applications like OSSEC help trace suspicious activity through logs and file change alerts. Plugins are available to monitor, track, analyze, and notify about suspicious activity.


Making WordPress secure is an ongoing and continuous exercise. Closing the known loopholes through hardening strategies and actions helps make it harder for break-ins and website corruption to happen. We looked at hardening at various levels, including at the physical level, like host servers and networks, along with at the application level with more vital access criteria, including passwords, secure protocols, and masking or changing default details. Tools and plugins help automate and monitor some areas that can be tracked for analysis. We looked at popular security plugins that help secure and harden a WordPress website. A good website monitoring tool can also help ensure the availability and performance of your websites.

Was this article helpful?

Related Articles

Write For Us

Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 "Learn" portal. Get paid for your writing.

Write For Us

Write for Site24x7 is a special writing program that supports writers who create content for Site24x7 “Learn” portal. Get paid for your writing.

Apply Now
Write For Us