How to Secure Your WordPress Site Against 99% Attacks

How to Secure Your WordPress Site: Having your WordPress site hacked can be an absolute nightmare. At best, it means downtime, lost traffic, and angry users. At worst, it results in stolen customer data, financial fraud, and a trashed reputation.

WordPress powers over 40% of all websites, which makes it a huge target for cyber attacks. Yet many site owners fail to take proper precautions, leaving themselves vulnerable.

Don’t let your WordPress site become a casualty! By following the expert tips in this guide, you can lock it down tight and thwart nearly all hacker threats.

We’ll cover essential security plugins, hardening your server, strong passwords, file permissions, automated scans, and more. Whether you’re a total beginner or seasoned pro, you’ll find invaluable advice to secure your WP site like Fort Knox. Let’s get started!

Use Trusted Security Plugins

The easiest way to add layers of security to WordPress is by installing robust security plugins. Here are some of the top ones to consider:


Wordfence is the most popular security plugin with over 3 million active installs. It includes:

  • A firewall to block malicious traffic
  • Blocking of known attack patterns
  • IP blacklisting
  • File change monitoring
  • DDoS protection
  • Security scan for vulnerabilities

Wordfence offers both free and paid plans with the premium options providing deeper scanning and support. For maximum protection, it’s a must-have plugin.

iThemes Security

iThemes Security hardens your WordPress install by:

  • Changing default admin usernames
  • Disabling file editing
  • Strengthening passwords
  • Banning troublesome IPs
  • Hiding error messages
  • Adding security keys
  • Blocking brute force attacks

With extensive scan features and in-depth recommendations, it significantly bolsters security.


Sucuri focuses heavily on malware detection and removal. It performs detailed file scanning to check for any modified/infected files.

It also cleans up affected code, monitors server headers for issues, offers DDoS protection, and provides an IP blacklist. The premium version expands monitoring with hourly scans and automatic remediation.


VaultPress emphasizes real-time threat detection and recovery. It:

  • Performs millions of security checks daily
  • Sends instant alerts of threats
  • Allows one-click restores
  • Provides priority support

The live monitoring and recovery make it invaluable insurance for high-risk sites.

WordPress Security Plugins Conclusion

A robust security plugin (or two) lays a solid defensive foundation for your site. Enable the security features you need based on your traffic level, risk tolerance, and technical abilities.

But don’t rely only on plugins! Use them in conjunction with the other proactive measures outlined in this guide for full protection.

Harden Your Site With .htaccess Rules

The .htaccess file lets you configure your WordPress site’s server environment directly. It works alongside your security plugins to further lock things down.

Useful .htaccess security rules include:

  • Disabling file execution – Prevents scripts from running.
  • Blocking common hacker tools – Ban sniffers, scanners, and bots.
  • Limiting file access – Restrict who can access php, json, txt and other files.
  • Protect wp-config.php – Block access to this sensitive file.
  • Add rate limiting – Slow brute force attacks with throttling.
  • Disable directory browsing – Don’t let attackers scout your site structure.
  • Filter query strings – Sanitize inputs that may contain malicious code.
  • Set cross-origin restrictions – Prevent other sites from accessing files.

With a few tweaks to your .htaccess file, you can significantly limit attack vectors and unauthorized access attempts.

Manage Users and Passwords Carefully

Weak or compromised admin accounts are the most common way WordPress sites get hacked. That’s why smart user and password management is non-negotiable for security.

Here are some best practices to follow:

  • Use strong passwords – Utilize a random mix of letters, numbers and symbols. Avoid common words.
  • Change passwords routinely – Update admin logins quarterly, semiannually, or annually.
  • Limit admin users – Have just 1 or 2 trusted admins, not 10+. Fewer accounts means less exposure.
  • Add two factor authentication – Require an extra step like SMS code to log in. Plugins enable this.
  • Use a password manager – Generate and store unique, complex passwords with a tool like LastPass.
  • Eliminate stale users – Remove accounts no longer needed to decrease attack surface.

Following strong user account hygiene makes it exponentially harder for hackers to break in through the back door. Don’t give them an easy opening.

Lock Down File Permissions

If your files have lax permissions, it allows hackers to modify or infect WordPress core, plugins and themes for malicious purposes.

That’s why you need to lock down file permissions by:

  • Setting wp-config.php to 400 or 440 – Removes global write access.
  • Making wp-content read-only – Avoids uploads getting modified or deleted.
  • Restricting plugins/themes – Should be set to 400, 440 or 644 for safety.
  • Removing execute permissions – No files should have exec rights unless required.
  • Fixing ownership/group issues – All files should be owned by your user/group, not root.

Proper file permissions prevent malware injection and make unauthorized changes much harder. Review yours regularly.

Limit Login Attempts to Block Brute Force

Hackers will often try to guess passwords by running through millions of combinations. This brute force attack allows them to break into accounts.

You can limit login attempts to block this strategy:

  • Via login lockdown plugin – Use a plugin like Cerber Security to lockout IP addresses after a certain number of invalid login tries.
  • Through web server rules – Add .htaccess directives or Nginx rules to rate limit and blacklist IPs abusing logins.
  • With your hosting control panel – Many hosts like Bluehost let you set login attempt limits at the account level.
  • By monitoring logs – Manually inspect logs regularly and block sources with frequent failed logins.

Rate limiting defenses make brute force extremely tedious and time-consuming for attackers. It thwarts this common break-in method.

Hide Error Messages from Users

By default WordPress displays verbose PHP errors and notices to visitors and admins. This provides valuable debugging info but also leaks sensitive details about your site’s code to potential hackers.

To hide errors:

  • Disable WP_DEBUG in wp-config.php – This prevents errors from being shown.
  • Add an .htaccess rule – You can hide errors with custom Apache directives.
  • Use a security plugin – Most will conceal overly-revealing errors.
  • Switch to production mode – Prevents error display in live environments.
  • Adjust error display in php.ini – Can limit messages sent to browser.

Obscuring errors forces hackers to make guesses rather than getting info handed to them. Don’t reveal vulnerabilities.

Perform Automated Vulnerability Scans

It’s impossible to manually check your site for every conceivable vulnerability. That’s why running automated website security scans is so valuable.

Tools like Sucuri SiteCheck, WordPress Scanner, and Quttera crawl your site looking for weaknesses. They check things like:

  • Outdated software with security holes
  • Wrong file permissions
  • Cross-site scripting flaws
  • SQL injection vectors
  • Malware infections
  • Blacklisted URLs/IPs
  • Invalid security headers
  • Weak user credentials

The scans produce a report identifying issues to address. Run them monthly to detect any new vulnerabilities that arise.


Securing WordPress doesn’t have to be overwhelming if you follow proven best practices. Implement a robust security plugin, harden your server environment, enforce strong passwords, restrict file access, limit login attempts, and scan routinely for vulnerabilities.

These measures working together will lock down your WP site like Fort Knox. Stay vigilant in keeping it secure. Don’t become another headline about a hacked WordPress site! With a bit of effort, you can confidently defend your site against 99% of hacker attacks.

Leave a Comment