WordPress Security: Hardening & Securing WP

WordPress security has, especially in the past couple of years, become a serious issue. Never before have I seen so many determined and sophisticated hacking attempts directed against the sites I provide WordPress tech support for. These run the whole gamut of attack variations:

  • Blackhole Exploit Kit attacks
  • SQL Injection attempts
  • Brute Force Login attacks & Password access efforts
  • Cross-site scripting (XSS) attacks
  • Hacking vulnerable web applications
  • Phishing attacks, where links to bank fraud efforts are made

Attacks are primarily initiated in Eastern Bloc countries such as Ukraine, Russia & Poland, along with Belarus, Germany, North Korea, India, Indonesia, Iran, Turkey and China etc. The firewall software I use also identifies hosts being blocked from Australia, random European countries, plus sources that are unidentifiable due to IP address concealment etc.

Wordfence reports that Cross-Site Scripting (XSS) was by far the most common category of vulnerability at 1,109 submissions, accounting for nearly half of all vulnerabilities disclosed in 2022.

Over the first 6 months of 2023, the Wordfence web application firewall blocked and logged over 20,077,945,042 potentially malicious requests and exploit attempts against more than four million sites under our protection.

Source: www.Wordfence.com

How to Check Website Security

Security is a core component of my WordPress SEO Services. Generally speaking, it’s easy to minimise the potential threat by a few minutes of preemptive effort. In other words, an ounce of prevention is better than a pound of cure! Here are some basic requirements you should have in place to protect your website – if any are missing, your website is at risk:

  1. Username and password credentials are secure. You don’t use “admin” as your administrator login and your administrator password is at least 12 characters and comprised of mixed case alphanumeric and special characters
  2. You’ve got a reputable security plugin installed and configured correctly
  3. You are blocking access to the backend of your site from known hacking troublespots.
  4. You’ve deactivated XML RPC
  5. You have an SSL Certificate and HTTPS activated
  6. You take regular backups of your site and store them safely
  7. You regularly check for WordPress and plugin updates and upgrade them promptly

Hardening & Securing WordPress

There are several basic risk elimination/reduction elements that need to be addressed as part of any recommendations on WordPress security. Security credentials such as User ID and password combinations are a high-risk aspect of site protection.

Secure WordPress User ID

The default WordPress User ID is “Admin” and you should NOT use that on your site. Doing so immediately means half of the “site credentials” equation is known, and all that’s required is the password! That’s pretty reckless in this day and age… A secure User ID ought to be a minimum of 10 characters containing a mix of upper and lower case and including a numeric and/or special character, e.g. $The#1Boss. In addition, you should then assign a User Account “nickname” so that there is no clue as to the Admin identity if you inadvertently use the account to publish any pages or posts! Ideally, you should publish the pages and posts from “Editor” level user accounts…

Secure Passwords

Strong passwords are essential. Most people foolishly use a password related to their life in some easily remembered format. Phone numbers, wife’s name, child’s name, dog’s name etc… A little bit of research, a bit of trial and error on the part of a smart hacker or competitor and your site is wide-open! There are several websites specialising in secure online password generation…

There are also free app downloads for Windows, iOS and Android to generate and/or manage passwords.

USE one of them!

The rule of thumb for passwords is: if you can remember it, then it’s not secure!
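The credential rules given above (no “admin” login, a 10+ character mixed-case user ID with a digit or special character, and a 12+ character password with upper, lower, digit and special characters) can be turned into a quick policy check. The script below is an added example, not the author’s code; the function names and the exact character classes it tests for are my own choices:

```shell
#!/bin/sh
# Credential policy checks for the rules in the text (added example, not the author's code):
#   admin username: not "admin", at least 10 characters, upper and lower case, plus a digit or special character
#   password:       at least 12 characters, upper and lower case, a digit and a special character
# Each function returns 0 when the value passes and 1 when it fails, explaining why on stderr.

has_class() {
    # $1 = value, $2 = extended regular expression that must match somewhere in the value
    printf '%s' "$1" | grep -Eq "$2"
}

check_admin_username() {
    u="$1"
    case "$(printf '%s' "$u" | tr 'A-Z' 'a-z')" in
        admin) echo "username '$u' is the WordPress default and is the first thing tried" >&2; return 1 ;;
    esac
    [ "${#u}" -ge 10 ] || { echo "username must be at least 10 characters" >&2; return 1; }
    has_class "$u" '[A-Z]' && has_class "$u" '[a-z]' ||
        { echo "username needs both upper and lower case letters" >&2; return 1; }
    has_class "$u" '[0-9]|[^A-Za-z0-9]' ||
        { echo "username needs a digit or a special character" >&2; return 1; }
    return 0
}

check_password() {
    p="$1"
    [ "${#p}" -ge 12 ] || { echo "password must be at least 12 characters" >&2; return 1; }
    has_class "$p" '[A-Z]' || { echo "password needs an upper case letter" >&2; return 1; }
    has_class "$p" '[a-z]' || { echo "password needs a lower case letter" >&2; return 1; }
    has_class "$p" '[0-9]' || { echo "password needs a digit" >&2; return 1; }
    has_class "$p" '[^A-Za-z0-9]' || { echo "password needs a special character" >&2; return 1; }
    return 0
}

# Stand-alone use: sh credcheck.sh USERNAME PASSWORD
if [ "$#" -eq 2 ]; then
    { check_admin_username "$1" && check_password "$2"; } || exit 1
    echo "credentials meet the policy"
fi
```

The checks enforce the minimums from the text; a generated password from a password manager will pass them easily, which is the point.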

Limit the permitted number of login attempts!

There are robust and popular plugins that limit login attempts – search for and install one that has a high rating, a large user base and shows recent updates.

2 Factor Authentication

2FA adds an extra level of security that protects your site even when the correct password has been entered. If your credentials are guessed by a bad actor, they are thwarted by the need to provide the authentication code. Wordfence offers both login protection and 2FA…

Remove Theme & Plugin Edit Options

By default, WordPress allows the Administrator to edit theme and plugin files from within the admin console. That also means that should your Admin user ID and password be compromised, the attacker can make significant modifications at will! Disable file editing by inserting the following code into the /wp-config.php file:

# DISABLE EDITING IN THE ADMINISTRATION PANEL (PHP: straight quotes are required, curly quotes break the file)
define('DISALLOW_FILE_EDIT', true);

Cheap Theme Dangers

Don’t be tempted by cheap or free nulled versions of premium WordPress themes as they may come pre-loaded with keyloggers, malware or phishing code!

Plugin Threats

Don’t be reckless about installing plugins. Do some homework!!! Check out the reviews and read what users say. Look at the “last updated” date and know that out-of-date plugins are a serious threat. Search online for “best XYXX plugin 2023” and see what reviewers suggest as the best solution for your requirements.

Spam registrations and comments contribute negatively to your website’s online profile. Eliminate the majority of potential issues by using the inbuilt automation options:

  • Don’t allow registration unless it is absolutely necessary!
  • Don’t allow comments, ping-backs OR track-backs on pages or posts.
  • Close comments on posts after 2 – 4 weeks.
  • Protect your forms with Google captcha or hcaptcha.

Installing and configuring Akismet or similar spam blockers is not at all difficult and these effectively screen out the worst of the garbage!

Update WordPress, Plugins and Themes

Best practices are to diligently maintain WordPress core files, plugins and themes. When a security breach or flaw occurs, fixes are put in place, but word of the potential exploit quickly circulates amongst the hacking community. Hackers immediately start looking for sites that are at risk, and target them! A ‘once a week’ login to your WordPress Admin should be a standard task, in order to check if there are upgrades available.

Better yet, protect your WordPress site by enabling “Auto Update” on plugins and themes! That ensures any upgrades are done almost immediately. Having a plugin like Wordfence installed ensures you are notified immediately if WordPress, a plugin or a theme has an upgrade available. If you are not confident to do this yourself, a professional WordPress consultant is always available…

WordPress Security Plugins

This is the first line of defence – a properly implemented WordPress security plugin will thwart the majority of hacking efforts – particularly the script-based automated ones! Where a human-driven attack is initiated, you can easily make it extremely difficult to see the internals of your website. The more difficult it is, the greater the likelihood of the attacker giving up and seeking out a softer, easier target. Even in the hacking world, time is money… As well as a raft of SEO WordPress plugins, there are also multiple WordPress security plugin applications available, each with its own methodology or variation on a theme. Selection of one over the other will often be based on the server environment – some simply won’t install if the right PHP elements or server settings are not enabled. The list of the best security apps that I have direct and extensive personal experience with is:

  1. Wordfence Security – highly recommended, robust and reliable with login protection, code scanning and a WAF.
  2. Block Bad Queries web application firewall – install and forget
  3. WP Security Ninja Firewall – comprehensive
  4. Sucuri Security – the hardening options are good
  5. Malcare Security – thorough scanning plus malware protection and cleaning
  6. Limit Login Attempts Reloaded – used in combination with Block Bad Queries

Each has its peculiarities, peccadilloes and quirks! Each works…

Wordfence

I prefer to use a single WordPress security plugin across all sites I manage, and I personally use Wordfence Security. It has a relatively simple interface. It is very robust, and the settings are easy to configure. Basically, I recommend simply selecting the following setting: “Level 4: Lockdown. Protect the site against an attack in progress at the cost of inconveniencing some users”. That’s going to defeat the most determined of automated hacking efforts without impacting on the site’s usability! Wordfence can be configured to provide email warning of a variety of threats, including:

  • Alert on critical problems
  • Alert on warnings
  • Alert when an IP address is blocked
  • Alert when someone is locked out from login
  • Alert when the “lost password” form is used for a valid user
  • Alert me when someone with administrator access signs in
  • Alert me when a non-admin user signs in

Other important security aspects include:

  • Enable automatic scheduled scans
  • Scan core files against repository versions for changes
  • Scan for signatures of known malicious files
  • Scan file contents for back doors, trojans and suspicious code
  • Scan posts for known dangerous URLs and suspicious content
  • Scan comments for known dangerous URLs and suspicious content
  • Scan for out-of-date plugins, themes and WordPress versions
  • Check the strength of passwords
  • Monitor disk space
  • Scan for unauthorized DNS changes
  • Scan files outside your WordPress installation

The fast alerts on the slightest hint of a problem are comforting. I especially like the “Scan core files against repository” function!!! If a file changes or an extra one appears, the alarm bells start ringing!

WordPress Security Plugins Summary

There are several good plugins that will secure your WordPress website. Sucuri, Malcare and Wordfence are my favourites. They provide a known base from which to start your countermeasures. My pick of the litter is Wordfence – that’s because it’s reliable, has that core code verification feature and notifies you immediately of any plugin upgrades! Malware and phishing code scanning is automatic, as is IP address blocking.

Web Application Firewalls

There are two flavours of firewalls:

  • DNS-level firewalls such as Cloudflare and Sucuri intercept threats BEFORE they reach your origin server.
  • WAFs – web application firewalls that run in front of WordPress on the origin server: Wordfence, Block Bad Queries etc.

Hosting Providers are an issue too

Not all hosting is created equal. If you opted for “cheap and cheerful” – that decision could turn and bite you at some inopportune time. Premium hosting (usually) provides layers of security including DDoS protection, malware code detection, reminders about overdue updates and robust backups with apps like R1Soft. Denial of service attacks have grown more common in recent years. The dark web has service providers who will gladly help you out by crippling a competitor.

WordPress Hacking Recovery

Usually, the fastest way to deal with a known breach of WordPress is to:

  • Use the 1-click update in WordPress Dashboard / Updates to overwrite all core files that may have been compromised
  • Install Wordfence and do a full scan including files outside WordPress and images too.
  • Where a plugin is implicated, delete the plugin directory, and then upload a new copy
  • Where a Theme is implicated, copy your old files across to replace the compromised files

Follow that up by viewing the site files in your Control Panel file manager or an FTP application such as Smart FTP, and look for:

  • Files and directories that were altered or uploaded and don’t belong.
  • Inappropriate file permissions – e.g. directories should usually NEVER be set to 777 permissions, as this gives access to anyone to do anything… The correct directory permissions for most hosting accounts are 755.
  • Unexpected items in /uploads/ or /backups/ directories.
  • File Modified dates that don’t match up with any edits, uploads or changes you’ve made
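The four checks in the list above can be scripted rather than eyeballed through a file manager. The audit script below is an added example, not the author’s code or Wordfence’s; it takes the WordPress root directory as its argument, the function names are mine, and the list of stock top-level files is the set WordPress core ships plus wp-config.php and .htaccess:

```shell
#!/bin/sh
# Post-breach file audit for a WordPress tree (added example, not the author's code).
# Each function prints one suspect path per line; pass the site root as the argument.

# Directories writable by everyone (777 and similar), which should normally be 755.
audit_world_writable_dirs() {
    find "$1" -type d -perm -0002
}

# PHP under wp-content/uploads is never legitimate: that tree should hold media only.
audit_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null
}

# Files changed in the last N days, to compare against the edits you actually made.
audit_recently_modified() {
    find "$1" -type f -mtime "-$2"
}

# Files in the site root that are not part of a stock WordPress install.
audit_unexpected_root_files() {
    known=" index.php wp-activate.php wp-blog-header.php wp-comments-post.php wp-config.php \
wp-config-sample.php wp-cron.php wp-links-opml.php wp-load.php wp-login.php wp-mail.php \
wp-settings.php wp-signup.php wp-trackback.php xmlrpc.php license.txt readme.html .htaccess "
    for f in "$1"/* "$1"/.[!.]*; do
        [ -f "$f" ] || continue          # unmatched globs stay literal; skip them and directories
        name=${f##*/}
        case "$known" in
            *" $name "*) ;;              # stock file: fine
            *) printf '%s\n' "$f" ;;     # anything else deserves a look
        esac
    done
}

audit_all() {
    root="$1"
    echo "== world-writable directories";            audit_world_writable_dirs "$root"
    echo "== PHP files under wp-content/uploads";    audit_php_in_uploads "$root"
    echo "== site-root files that are not stock WordPress"; audit_unexpected_root_files "$root"
    echo "== files modified in the last 7 days";     audit_recently_modified "$root" 7
}

# Stand-alone use: sh wp-audit.sh /path/to/wordpress
if [ "$#" -eq 1 ]; then
    audit_all "$1"
fi
```

Run it before and after cleanup: the first run tells you what to replace, the second confirms nothing unexpected survived. A file listed under “recently modified” that you did not touch is the strongest single lead.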

If you are using any of the WordPress Security plugins, do a Scan from within the site. Use more than one online scanning service to examine your website. These all have strengths in different areas, and one may identify issues that another might not spot. Try VirusTotal – scan the Home page URL and get a quick report from multiple sources. The overriding goal is:

  • deleting the compromised files and replacing them with the correct versions
  • ensuring secure permissions across directories and files
  • implementing a security plugin

That must be followed immediately by:

  • changing the WordPress admin password
  • changing the Cpanel / Plesk / Hsphere admin password
  • changing the FTP access password
  • deleting any “extra” User or FTP accounts that may have been added to provide easy future access for the hackers

Core File Compromises

If the /wp-config.php has been altered in any way, it is wise to reset the WordPress Database User Account password and add the new password to the /wp-config.php file. This can be done through the Admin Control Panel access to MySQL Database management. In the case of Cpanel, it’s very easy to change the MySQL password.

Secure your WordPress .htaccess file by resetting (chmod) the file access permissions from 644 to 444.
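Once the new database password has been set through the control panel, the wp-config.php edit and the permission changes above can be done in one pass. The script below is an added example, not the author’s code; it assumes the usual single-quoted `define( 'DB_PASSWORD', '...' );` line in wp-config.php, applies the 755/644 permissions mentioned earlier, and locks .htaccess to 444 last so the blanket 644 pass does not undo it:

```shell
#!/bin/sh
# Core-file compromise response (added example, not the author's code):
# rotate the DB password stored in wp-config.php, apply 755/644, then lock .htaccess to 444.

# Replace the value in define( 'DB_PASSWORD', '...' ); A temp file plus mv is used because
# "sed -i" behaves differently on GNU and BSD sed.
set_db_password() {
    config="$1"
    newpass="$2"
    case "$newpass" in
        *\'*|*\\*|*\&*|*\|*)
            echo "password contains a quote, backslash, ampersand or pipe, which this helper does not escape" >&2
            return 2 ;;
    esac
    grep -q "^define([[:space:]]*'DB_PASSWORD'" "$config" ||
        { echo "no DB_PASSWORD line found in $config" >&2; return 1; }
    sed "s|^define([[:space:]]*'DB_PASSWORD',[[:space:]]*'[^']*'[[:space:]]*);|define( 'DB_PASSWORD', '$newpass' );|" \
        "$config" > "$config.tmp" && mv "$config.tmp" "$config"
}

# Directories 755, files 644: the permissions the text gives for most hosting accounts.
apply_standard_permissions() {
    find "$1" -type d -exec chmod 755 {} + &&
    find "$1" -type f -exec chmod 644 {} +
}

# Make .htaccess read-only (444) and confirm it from the portable ls -l mode string.
lock_htaccess() {
    f="$1/.htaccess"
    [ -f "$f" ] || { echo "no .htaccess found in $1" >&2; return 1; }
    chmod 444 "$f"
    [ "$(ls -l "$f" | cut -c1-10)" = "-r--r--r--" ]
}

# Order matters: the 644 pass would reset a 444 lock, so .htaccess is locked last.
harden_core_files() {
    apply_standard_permissions "$1" && lock_htaccess "$1"
}

# Stand-alone use: sh wp-core-response.sh /path/to/wordpress 'NEW_DB_PASSWORD'
if [ "$#" -eq 2 ]; then
    set_db_password "$1/wp-config.php" "$2" && harden_core_files "$1"
fi
```

The helper refuses passwords containing characters it would have to escape for sed and PHP rather than silently mangling them; a generated password that avoids those four characters is still plenty strong under the rules given earlier.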

Backups

Having an automated monthly backup process scheduled, with off-server storage, makes sound business risk management sense.
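A scheduled backup with off-server storage needs three things: an archive of the files, a database dump, and a copy somewhere other than the web server. The script below is an added example, not the author’s code or any plugin’s; WP_ROOT, BACKUP_DIR and REMOTE are placeholders you set yourself, and it assumes `mysqldump` and `rsync` are installed on the host:

```shell
#!/bin/sh
# Scheduled off-server backup for a WordPress site (added example, not the author's code).
# Placeholders: WP_ROOT holds the site, BACKUP_DIR receives local archives, REMOTE is an rsync
# destination such as user@backuphost:/backups/site.

# Read a single-quoted define() value (DB_NAME, DB_USER, ...) out of wp-config.php.
wp_config_value() {
    sed -n "s/^define([[:space:]]*'$2',[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Archive the whole site tree; prints the archive path.
backup_files() {
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$2/wp-files-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")" || return 1
    printf '%s\n' "$archive"
}

# Dump the database with the credentials WordPress itself uses; prints the dump path.
# MYSQL_PWD keeps the password out of the process list; a ":port" suffix on DB_HOST is dropped.
backup_database() {
    cfg="$1/wp-config.php"
    dump="$2/wp-db-$(date +%Y%m%d-%H%M%S).sql"
    host=$(wp_config_value "$cfg" DB_HOST)
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" \
        mysqldump --single-transaction -h "${host%%:*}" \
        -u "$(wp_config_value "$cfg" DB_USER)" "$(wp_config_value "$cfg" DB_NAME)" > "$dump" ||
        { rm -f "$dump"; return 1; }
    gzip -f "$dump" && printf '%s\n' "$dump.gz"
}

# Keep only the newest N archives matching a glob such as 'wp-files-*.tar.gz'.
# Archive names are generated above and contain no spaces, so parsing ls -t is safe here.
prune_backups() {
    dir="$1"; pattern="$2"; keep="$3"
    ls -1t "$dir"/$pattern 2>/dev/null | tail -n +"$((keep + 1))" | while read -r old; do
        rm -f "$old"
    done
}

# Copy the local archive directory to the off-server location.
ship_offsite() {
    rsync -a "$1"/ "$2"
}

# Stand-alone use from cron, monthly at 03:00 on the 1st:  0 3 1 * * sh wp-backup.sh run
# with WP_ROOT, BACKUP_DIR and REMOTE exported in the crontab.
if [ "${1:-}" = "run" ]; then
    WP_ROOT=${WP_ROOT:-/var/www/html}
    BACKUP_DIR=${BACKUP_DIR:-/var/backups/wordpress}
    REMOTE=${REMOTE:?set REMOTE to an rsync destination}
    mkdir -p "$BACKUP_DIR"
    backup_files "$WP_ROOT" "$BACKUP_DIR" &&
    backup_database "$WP_ROOT" "$BACKUP_DIR" &&
    prune_backups "$BACKUP_DIR" 'wp-files-*.tar.gz' 6 &&
    prune_backups "$BACKUP_DIR" 'wp-db-*.sql.gz' 6 &&
    ship_offsite "$BACKUP_DIR" "$REMOTE"
fi
```

Pruning keeps six months locally; the rsync copy is the one that matters if the server itself is lost, so restore from it at least once to prove the archives are usable.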

Summary

  • Avoiding the problem is not particularly difficult.
  • Eliminating the problem is usually straightforward.

We provide a comprehensive Annual WordPress Maintenance Service plan that addresses all of the issues covered in this article, for a very modest annual cost.

If you are in dire need of a fast solution to hacking, we are available (at least) 12 hours a day…

Page last updated on Thursday, October 12, 2023 by the author Ben Kemp