Essential WordPress Security Tips to Keep Your Site Safe

Author:  Debra Murphy


Reading Time: 4 minutes
WordPress Security – Ensure Your Website is Protected

A small business website is a valuable asset that you want to protect from damage by some malicious hacker. In many cases, our websites are analogous to a physical store or office. And just like you wouldn’t want someone throwing a brick through your window, you don’t want someone damaging your web property.

Many of us have spent time and money on our Website design, brand identity and expert content that projects how we want people to perceive us and our businesses. With its popularity, WordPress has become a target for those trying to exploit vulnerabilities. And unfortunately, there are those misguided individuals that think hacking your website and potentially harming your business is fun.

Proactive WordPress Security Tips

Here are some simple WordPress security tips and best practices that can help thwart those who want to do harm to your online presence.

Eliminate the account called “admin”

When you install WordPress, select a name for your administrative account rather than take the default. If one exists, create another admin account and delete the default.

Add the following to your functions.php file in your child theme to block access to active user accounts.


function disable_rest_endpoints ( $endpoints ) {
    if ( isset( $endpoints['/wp/v2/users'] ) ) {
        unset( $endpoints['/wp/v2/users'] );
    if ( isset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] ) ) {
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
add_filter( 'rest_endpoints', 'disable_rest_endpoints');


Use strong passwords for all admins

Make your WordPress login as secure as your bank account and use a strong password with letters, numbers and special characters.

Add a security plugin to monitor activity

Select a WordPress security plugin to further secure your website from the back end. Set up a firewall capability to stop malicious intruders from gaining access.

  • Wordfence is a quality firewall plugin that protects your website. It has a protect login feature that you can set to lock when under attack. This gives you the ability to still log in with a predefined username/password combination.
  • Cerber Security plugin is my latest recommendation as it combines website security with antispam for forms. Looking at the activity shows you how much you truly need a security plugin that stops bad actors from damaging your website.

Keep WordPress and plugins updated

Outdated software may contain security vulnerabilities that are known to hackers. Updating your site regularly eliminates them and makes your installation more secure. You shouldn’t modify any of the core software so that you can update without breaking your site.

Only use plugins and themes from reputable developers

Do your research before you install a plugin or theme to make sure it isn’t harboring vulnerabilities that can be used to exploit your website.

Protect your critical files from being hacked

To protect your WordPress installation, add the following to your .htaccess file. Many of the security plugins today will add this to your .htaccess file for you, but if they don’t you can manually add them. If you use Yoast SEO plugin, you should have access to the file under tools > file editor:

# BEGIN protect xmlrpc.php
<files xmlrpc.php>
	order allow,deny
	deny from all
# END protect xmlrpc.php

# Prevent directory listing
IndexIgnore *
# Protect .htaccess files
<Files .htaccess>
	order allow,deny
	deny from all

# Protect wp-config.php
<FilesMatch ^wp-config.php$>
	deny from all

# Protect install.php
<files install.php>
	Order allow,deny
	Deny from all

Protect the files on your WordPress installation

Make sure all theme and plugin files are write protected (644 for the property attributes) before you go live.

Keep a recent backup of your website

Keep regular backups using All In One Site Migration. The plugin allows me to rebuild the entire site in 10 minutes as long as you have their unlimited extension. As long as your site is clean, this type of a backup will enable you to recover quickly. I run the backup every time I make a major change.

If your database is compromised, make sure you have all the pieces to rebuild your site cleanly. Do a WordPress export of the content, theme settings, plugin settings, backup the uploads directory, theme and keep a list of plugins you use. Make sure you always do a fresh backup when you make any major changes to your website. If you know your database backup is clean, a simple monthly export can help you recover more quickly from an older version if something goes wrong.

Keep hackers at bay

Don’t think it couldn’t happen to your website. Hackers don’t care if your site is small, new or insignificant. Remember, hackers will hack your site because they can.

8 thoughts on “Essential WordPress Security Tips to Keep Your Site Safe”

  1. Great list; I use many of those but will certainly try Vault as I use WPBackUp and haven’t had a response to a support request for two weeks !

    A recent plugin that I found is Dropbox Photo Siteloader. If you use Dropbox to collect your photos or receive photos from brands/PRs you work with, this plugin pulls all your selected photos from Dropbox folders into your media library. No more downloading and re-uploading !

  2. Hi Debra,

    This is a wonderfully comprehensive post on wordpress security – ensure your website is protected. I enjoyed this article. I would love to see some more such interesting article from your side.

    Thanks for writing and I hope that you’ll have a happy weekend.

    Keep up your great work!

    Mohd Arif

  3. Great article Debra!

    The strong passwords and plugin updates are common security holes we find with customers. We recommend a password be minimum 12 characters in length with special, lower, and uppercase characters. The plugin updates are trickery in that if a website is only on one server instance and does not have a beta or development website for testing purposes, updating a plugin can cause chaos on a production website. Really great insight and wonderful post.

    Looking forward to more blog posts!

    • Thanks Andrew. Interestingly I’ve only had one minor issue with a plugin update across all of my client’s sites and it was an easy fix. I’m more cautious when updating ecommerce plugins, but most others are a non-issue. Of course, I always update my site first and if it doesn’t wreak havoc there, then I update my clients :)

Comments are closed.

Featured on Upcity
DesignRush Top Digital Marketing Companies
DesignRush Top Web Design Companies
Best MA Worcester SEO Agencies