Just Say No to Hackers: How to Harden Your WordPress Security

By now you’ve probably read about the recent massive botnet attacks on WordPress websites. While it’s true that WordPress core developers work hard to keep the WordPress platform safe, if you own or operate a WordPress website then you also have a responsibility to keep your site from being compromised.

Here are some of the ways to harden your WordPress security:

  1. Best practices
  2. Security plugins
  3. Signing up for CDNs
  4. Configuring .htaccess

1. WordPress Best Practices

Some of the most important things for hardening WordPress include:

  • Keeping WordPress core, themes and plugins on the latest versions
  • Minimizing the number of plugins you use (and deleting, not just deactivating, the ones you don’t)
  • Choosing long, unique passwords that are difficult to crack
  • Performing regular data backups, and checking that they can actually be restored
  • Protecting your WordPress installation with .htaccess

Once you apply these, you can then install a plugin that will monitor your WordPress core files and traffic.

2. WordPress Security Plugins

Wordfence is a solid plugin that blocks IP addresses which flood or spam your website, limits the number of login attempts and lets you watch live traffic. It is updated and maintained regularly, so it keeps pace with newly discovered issues; it will not, however, compensate for a weak password or an outdated plugin.

Better WP Security is another popular plugin that will let you sleep a little better at night. It’s really a full package, but read the FAQ section before activating it, as some of its options make significant changes to your database (renaming the table prefix, for example) that you should be aware of.

BackWPup is a free plugin that backs up both your WordPress files and database. I can recommend it because I use it on many websites and have never had any issues with it. There are, of course, plenty of other free and paid backup plugins, and you are welcome to try them until you find the one that suits you, but please put one to use, and restore a backup at least once so you know it works before you need it.

WordPress security plugins are your watch towers.

3. Free CDNs

There has been a lot of talk about whether free content delivery networks actually do any good or exist only to lure you into one of their paid services. I’ve tested the two most popular free CDNs and can honestly recommend both, even without the paid add-ons.

CloudFlare is a free content delivery network that sits in front of your site as a reverse proxy, filtering all your traffic before it reaches your server and reducing the risk of your WordPress website becoming a target.

PageSpeed Service by Google does something similar, and we can all presume that Google takes online security seriously.

Read a complete list of pros and cons of Google PageSpeed and CloudFlare CDN.

4. Configure .htaccess

.htaccess stands for Hypertext Access. It’s a per-directory configuration file: it controls the directory in which it is placed and all of its sub-directories, and Apache honours it only where the server’s AllowOverride setting allows, which is the case on most shared hosts. We’re going to talk about configuring .htaccess for Apache web servers on Linux.

Editing the .htaccess file is serious business and you should not play with it unless you have at least a basic understanding of Apache directives: a single syntax error makes Apache answer every request under that directory with a 500 error, so keep a copy of the working file before you touch it. If you don’t feel comfortable editing .htaccess, you can download and install a plugin from the WordPress.org repository called WP htaccess Control. It provides an easy interface for editing the file, and also for configuring WordPress permalinks, categories, archives, pagination and custom taxonomies.

You can easily become overwhelmed by the number of options this plugin offers, so go straight to the “htaccess Suggestions” tab once you reach the plugin configuration page. Check the options there and your .htaccess will be configured for security.

If you don’t want to install a plugin or need maximum control and want to manually configure it, you can read this post on WordPress Security through .htaccess.
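A hardened .htaccess for the WordPress root directory, as an added example (it is neither the post’s own file nor what the WP htaccess Control plugin generates). It assumes Apache 2.2 or 2.4 with mod_rewrite loaded, the authorization modules that ship with each version, and a host whose AllowOverride setting permits FileInfo, Options and Limit directives in .htaccess; each stanza notes what it needs.

```apache
# Added example .htaccess for the WordPress root (next to wp-config.php).
# Not from the original post. Place everything here OUTSIDE the
# "# BEGIN WordPress" / "# END WordPress" markers, because WordPress
# rewrites that section whenever permalink settings change.

# Stop directory listings so /wp-content/uploads/ cannot be browsed.
# Needs AllowOverride Options.
Options -Indexes

# Refuse direct requests for files that hold secrets or leak version info.
# Needs AllowOverride Limit. The IfModule pair covers Apache 2.4 and 2.2.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Block XML-RPC, which accepts logins without the wp-login.php form and is
# a favourite of brute-force bots. Remove this stanza if you use the
# WordPress mobile app or Jetpack, which both depend on xmlrpc.php.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Never execute PHP that lands in the uploads directory. A web shell
# dropped through a vulnerable upload form becomes a 403 instead of a
# running script. In per-directory context the pattern is matched against
# the path relative to this directory. Needs AllowOverride FileInfo.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^wp-content/uploads/.*\.(php|phtml|phar|php[0-9])$ - [NC,F,L]
</IfModule>
```

After saving, request /wp-config.php and /wp-content/uploads/test.php in a browser and confirm you get 403 for both; if the whole site answers 500 instead, a directive is not permitted by AllowOverride on your host and the Apache error log will name it.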

There isn’t a way to make your WordPress 100% secure, but closing the easy holes will repel almost all of the automated attacks, because bots and opportunistic attackers move on to easier targets. If you do become the victim of a WordPress security breach, the official My site was hacked page explains what to do, and you can report security issues here.

As you already know, prevention is the best cure, so what are your plans to harden WordPress security?

Dragan Nikolic

Blogger for hire at Dragan Nikolic
I'm a co-founder of ThematoSoup and a blogger for hire. Get in touch with me through my personal website at http://dragannikolic.com or via any of the social networks.


34 thoughts on “Just Say No to Hackers: How to Harden Your WordPress Security”

      1. Absolutely, also changing the admin folder name to something other than wp-admin (although it may break links in themes that link to it) and using .htaccess deny rules to limit access to IP ranges you trust helps too.

    1. Great post Dragan. Absolutely Deepanker! Whatever we do, WordPress attacks are still common. I sometimes think that there is no better option than having a very strong password.

  1. Better WP Security install gave me a white screen of death for my blog! I would not install or activate without mapping out the configuration.

  2. The attack is still very much ongoing. One of my sites’ login limiter has blocked 2,500 IPs in the past 2 hours.

    1. You’re right. I don’t see these attacks diminishing any time soon. I think the Wordfence security plugin has that option for limiting login attempts.

  3. The problem with relying on plugins to protect your site from brute force attacks is that PHP still has to be executed and database calls still have to be made, so they don’t really reduce the impact of the attack in terms of server load unless they are plugins that dynamically modify the .htaccess file and add deny rules.

    Changing or deleting the admin user and using a strong password will make things more secure, but they won’t block the attack, and for many smaller sites it’s the sheer number of attempts from a huge number of compromised machines that is the problem.

  4. Thanks Dragan,

    All WordPress security plugins insert some code into the .htaccess file, so it’s better not to change the .htaccess manually if you are using such plugins.

    But I never could trust free CDNs, even the famous ones (Cloudflare…),
    because they act as a gate that all information passes through (user/password), and such a big bridge of important info attracts great hackers.


    1. Ben, you’re right when it comes to .htaccess. People shouldn’t do it both manually and let plugins do it, but choose one over the other.

      As for CDNs and important info, could you explain that to me, I’m not sure I understand?

  5. Does anyone have suggestions for WordPress plugins that actually stop spammers? It seems that no matter what you do, some of them will get through.

  6. Is installing WordPress via an FTP client like FileZilla the most secure option? Or does uploading via cPanel work the same way? I am about to install and am not clear on why to choose one method over the other. My understanding is that Simple Scripts is not the way to go, but I don’t understand the difference between the manual-install options.

  7. Some awesome tips, though I am using the BulletProof WordPress plugin. It’s also an awesome plugin. It protects against SQL injection too. And yeah, performing daily backups is also important.

  8. Thanks for the list. The two I use are Better WP Security and BackWPup, which work great. Also, I didn’t know about PageSpeed Service by Google; I’ll have to look into this :). Thank you Dragan

  9. Great post Dragan,

    I have tried several techniques to harden WordPress – some worked, others brought down my site (and I actually had to spend more time figuring out what went wrong). There are also some great free plugins. I personally went for Sucuri – they are so professional and their monitoring tools (especially the WPplugin) are awesome. I have blogged my personal opinion about WordPress security and Sucuri here – http://usabilitygeek.com/wordpress-security-sucuri

    1. Hi Justin,

      Which techniques brought down your website? I’m curious, so that I don’t make those mistakes myself. Nice post you wrote there, I’ll try Sucuri for sure. But where can I find their plugin that you mentioned in the post?

      1. Hi Dragan,

        With regards to the plugin I assume you are referring to the Google Authenticator… it is this one: http://wordpress.org/plugins/google-authenticator/ . As for the Sucuri WordPress plugin, this is available with any subscription service that they offer.

        As I have said, I have tried several techniques and plugins such as Better WP Security (that you mention here). To tell you the truth, the plugin is very advanced but when I changed my database prefixes with it, it created havoc. But I may have hurried too much and did not read the documentation or forum well. Also, some of my worst experiences were mainly when I made modifications to my .htaccess files.

      2. Oops I thought I mentioned the Google Authenticator in my comment. Well, now that I mentioned it, it is worth mentioning here since it adds an extra layer of security :)

  10. Point 1: I use Better WP Security and have for some time on many sites. Previously I used both Better WP Security and BulletProof Security. NOT GOOD. I opted to delete BulletProof because it totally owns the .htaccess file or it doesn’t work, thus cutting out other security plugins’ settings.

    Others here have mentioned Better WP Security causing issues. My first reaction is that there are some features you should avoid such as Away, Dir, Hide, and Tweaks. I don’t use them – they all have warnings that there could be conflicts. Heed them! The other features are very good.

    Point 2: BackWPup was my backup plugin of choice until they went to a paid model. At that time they changed their code base and several times the plugin brought my site down. I switched to BackupBuddy (had to buy it) and have been very pleased.

    Point 3: A few weeks ago I had somewhat of a DDoS attack and it would cause MySQL to get overloaded and restart. (I have a ServINT VPS) After opening a support ticket with ServInt about it, they enabled a password protect feature for the wp-login.php file using .htaccess. Apache itself requires a login and password before the wp-login.php script gets called. You can find more info on how to do it with a Google search. It’s very much like passwording a directory using cPanel, but with a small code change. Folks, this STOPPED all the automated login attempts. I’ve not had a single one since. It’s not the only security mechanism in my arsenal, but it for dang sure is the front runner now.

    Hope this helps someone.
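The Apache-level password prompt on wp-login.php that Mark describes, written out as an added example (it is not his host’s actual configuration): Apache answers the request itself, so no PHP runs and no database query is made, which is the cheap rejection point the earlier comment about plugins still executing PHP asks for. The account name, the .htpasswd path and the 203.0.113.0/24 network are placeholders to replace with your own.

```apache
# Added example: HTTP Basic authentication in front of wp-login.php,
# placed in the WordPress root .htaccess outside the WordPress markers.
# Not from the original post or comment. Assumed names:
#   /home/example/.htpasswd   credentials file, kept OUTSIDE the web root
#   gatekeeper                the Basic-auth user (not a WordPress account)
#   203.0.113.0/24            a trusted office/VPN network (documentation range)
# Create the credentials file first (use -B for bcrypt on Apache 2.4):
#   htpasswd -c /home/example/.htpasswd gatekeeper

<Files "wp-login.php">
    AuthType Basic
    AuthName "WordPress login"
    AuthUserFile /home/example/.htpasswd

    <IfModule mod_authz_core.c>
        # Apache 2.4: requests from the trusted network skip the prompt,
        # everyone else must present a valid Basic-auth user.
        <RequireAny>
            Require ip 203.0.113.0/24
            Require valid-user
        </RequireAny>
    </IfModule>

    <IfModule !mod_authz_core.c>
        # Apache 2.2 equivalent of the block above.
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24
        Require valid-user
        Satisfy Any
    </IfModule>
</Files>
```

Two caveats a practitioner will want. Basic authentication only base64-encodes the credentials, so serve the login page over HTTPS and use a username and password that differ from any WordPress account, otherwise a sniffed prompt hands over both layers at once. And keep the gate on wp-login.php only: wrapping the whole wp-admin directory the same way also blocks wp-admin/admin-ajax.php, which themes and plugins call from the public front end, and that breaks the site for anonymous visitors.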


    1. Mark,

      All I can say is “Wow!”. You’ve really made this article valuable with your security tips. Thanks so much for sharing your insights. I’m sure a lot of people will find it useful.

      1. Thanks for the shout out. I am by NO means a WordPress security guru. I follow what the gurus say, and then make my own assessments based on my sites and circumstances.

        Your article here is a great find and I’m glad I was able to pitch in a few cents as well.