WordPress Site Security Best Practices

I always recommend consulting with your internal team(s) to understand your specific requirements for securing your site.

It may also be beneficial to run a security audit on the site to uncover vulnerabilities or issues that would otherwise go unnoticed.

Using a security plugin to block requests on the site can be resource intensive, so it’s best to add any blocks to your WAF (at the edge). This way, requests are blocked before they reach your origin/web server. 

Below is the checklist I use to secure my WordPress hosting sites. This isn’t a complete list, so feel free to add or remove items as needed for your use case.

Glossary of terms

  • Edge Security: security applied at the edge, where traffic arrives from the internet before it reaches your origin (the hosting platform or vendor where your content is hosted)
  • Host Security: pertaining to the host or vendor your site is hosted on
  • Access Permissions: access to your host and to other non-WordPress accounts
  • Login Security: pertaining to the login security of your WordPress site
  • WordPress Core: pertaining to WordPress itself

Edge Security

  • Use Cloudflare, Sucuri or another web application firewall (WAF) service (bonus if it includes a CDN)
    • Block visitors from outside your TAM (total addressable market)
    • Challenge bots (Cloudflare has extra bot settings that make this easy)

Host Security

  • Block execution of PHP files in the /wp-content/uploads folder, and disallow writing PHP files there
  • Make daily site backups
    • Encrypt and store backups off-host (when possible)
  • Disable plugin and theme file editing from within wp-admin
    • This also includes File Manager plugins
  • Disable directory listing
  • Block web access to wp-config.php (including requests that use URL-encoded variants of the file name)
  • Block access to sensitive files, and keep them out of the web root entirely (e.g. no .env in the site root)
  • Add security headers such as:
  • Ensure software services are up to date and have a regular patching/update schedule
  • Ensure you’re on a modern, supported PHP version
  • Subscribe to vulnerability database(s) to ensure you’re notified of threats
  • Ensure HTTP/2 is used
  • Use modern, secure cipher suites and protocol versions for TLS (HTTPS) and for SSH/SFTP connections
  • Block unnecessary ports
    • If using cPanel, consider restricting the WHM/cPanel ports to specific users’ IP addresses
  • Secure file and directory permissions and ownership for the software you’re using

Access Permissions

  • Require strong SSH keys for all SSH access
  • Require SFTP (no plain FTP) and authenticate with a key or a strong password
  • Rotate administrator passwords every quarter for public-facing systems or access
  • Ensure the WordPress database user has privileges on the WordPress database only, not on other databases
    • Create other users if needed, and apply the principle of least privilege when assigning access

Login Security

  • No “admin” in usernames
  • Use WPS Hide Login, WP Ghost (formerly Hide My WP), Solid Security or another security plugin to change the default login URL
  • 2FA or MFA for administrators (not a hard requirement, but strongly urged)
  • Use Limit Login Attempts Reloaded or similar settings in another security plugin to limit login attempts
  • Limit access to WP Admin by IP (follow least-privilege principle)
  • Enforce strong user passwords
  • Log out idle users automatically

WordPress Core

  • Use as few plugins as feasible
  • Use only trusted plugins and themes
  • Adopt a plugin and theme update strategy
    • Regularly audit plugins and themes for abandonment (not receiving updates)
  • Use a custom table prefix (the default is wp_)
  • Disable XML-RPC requests
  • Limit access to the WP REST API
  • Disable comments (unless absolutely necessary)
  • Add a CAPTCHA to login pages and contact forms
  • Track user activity using WP Activity Log or other security plugin
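Two of the items above, disabling plugin and theme file editing from wp-admin and using a non-default table prefix, are set in wp-config.php. The excerpt below is an added example and not code from the original post. DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and $table_prefix are standard WordPress configuration settings; the prefix value and the choice to show the stricter DISALLOW_FILE_MODS option are my assumptions.

```php
<?php
// wp-config.php excerpt (added example; not from the original post).
// Place these lines above the "That's all, stop editing!" comment.

// Disable the theme/plugin file editor inside wp-admin. Without this, anyone
// holding an administrator session can write arbitrary PHP through the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter option (assumption: plugin, theme and core updates are deployed
// from your own pipeline rather than from wp-admin). It also blocks installing,
// updating and deleting plugins/themes and core from wp-admin, which covers
// File Manager-style plugins as well. Leave it commented out if you update
// through wp-admin, since update notices are suppressed too.
// define( 'DISALLOW_FILE_MODS', true );

// Non-default table prefix. Only letters, numbers and underscores are allowed.
// Set this before installation; on an existing site the tables, plus the
// prefixed keys in the options and usermeta tables, must be renamed to match.
$table_prefix = 'x7k_';   // example value chosen for this snippet
```

Changing $table_prefix on a live site does not rename anything: WordPress will look for tables that do not exist and behave as if it were freshly installed until the tables and the prefixed option and usermeta keys are renamed, so do that in a maintenance window after taking one of the daily backups the checklist calls for.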
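Several of the Login Security and WordPress Core items (no admin-style usernames, disabling XML-RPC, limiting the REST API, disabling comments) and the security-headers item can be applied without an extra plugin through a small must-use plugin. This is an added example, not code from the original post or from any of the plugins it names. The hooks used (illegal_user_logins, xmlrpc_enabled, rest_endpoints, comments_open, pings_open, pre_option_default_comment_status, pre_option_default_ping_status, send_headers) are core WordPress filters and actions; the blocked usernames, the REST routes removed and the header set are my choices, not the post's.

```php
<?php
/**
 * Plugin Name: Site Hardening (added example)
 * Description: Minimal must-use plugin illustrating several checklist items.
 *
 * Save as wp-content/mu-plugins/site-hardening.php. Must-use plugins load
 * automatically and cannot be deactivated from wp-admin.
 */

defined( 'ABSPATH' ) || exit;

// Login Security: refuse to create accounts with guessable admin-style names.
// This affects new accounts only; rename any existing "admin" user separately.
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root' ) );
} );

// WordPress Core: turn off XML-RPC. Legacy clients use it; it is also a
// frequent target for credential brute forcing and pingback abuse.
add_filter( 'xmlrpc_enabled', '__return_false' );

// WordPress Core: limit the REST API. Removing the users routes for anonymous
// visitors stops login-name enumeration via /wp-json/wp/v2/users while leaving
// the rest of the public API (and the block editor, which is authenticated) intact.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// WordPress Core: disable comments and pingbacks site-wide, including the
// defaults applied to newly created posts.
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );
add_filter( 'pre_option_default_comment_status', function () { return 'closed'; } );
add_filter( 'pre_option_default_ping_status', function () { return 'closed'; } );

// Host Security: security headers. Headers sent from PHP cover only responses
// WordPress renders, so apply them at the web server or WAF when you can and
// treat this as a fallback. The header set below is an assumption of this example.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    if ( is_ssl() ) {
        // One year. Add "preload" only after confirming every subdomain serves HTTPS.
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

The REST filter deliberately removes only the user-listing routes for anonymous visitors, so front-end plugins that depend on public REST routes keep working; requiring authentication for every route is possible in the same hook but should be tested against the site's forms first. Because headers set here reach only WordPress-rendered pages, static files such as uploads still need the same headers from the web server or WAF, consistent with the post's preference for blocking at the edge.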