Just Say No to Hackers: How to Harden Your WordPress Security


By now you’ve probably read about the recent massive botnet attacks on WordPress websites. While it’s true that WordPress core developers work hard to keep the WordPress platform safe, if you own or operate a WordPress website then you also have a responsibility to keep your site from being compromised.

Here are some of the ways to harden your WordPress security:

  1. Best practices
  2. Security plugins
  3. Signing up for CDNs
  4. Configuring .htaccess

1. WordPress Best Practices

Some of the most important things for hardening WordPress include:

  • Making sure your WordPress installation has the latest updates
  • Minimizing the number of plugins you use (and deleting the ones you don’t)
  • Choosing passwords that are difficult to crack
  • Performing regular data backups
  • Protecting your WordPress using .htaccess

Once you apply these, you can then install a plugin which will monitor your WordPress core files and traffic.

2. WordPress Security Plugins

Wordfence is a great plugin that will block any IP address that tries to flood or spam your website. It limits the number of login attempts and monitors all live traffic. It is updated and maintained regularly, so you can count on it keeping up with new security issues.

Better WP Security is another great plugin that will allow you to sleep a little better at night. It’s really a full package, but you should read the FAQ section first before activating it, as it makes some significant changes to your database that you should be aware of.

BackWPup is a free plugin that backs up both your WordPress files and database. I can recommend this plugin because I use it on many websites and I’ve never had any issues with it. There are, of course, a lot of other free and paid backup plugins out there and you are welcome to try them all until you find the one which suits you, but please put one to use.

[Image: WordPress security plugins are your watch towers.]

3. Free CDNs

There has been a lot of talk about whether free content delivery networks actually do any good or whether they exist only to lure you into one of their paid services. Well, I’ve tested the two most popular free CDNs and I can honestly recommend both, even without the paid add-ons.

CloudFlare is a free content delivery network that filters all your traffic and reduces the risk of your WordPress website becoming a target.

PageSpeed Service by Google does something similar and we can all presume that Google takes online security seriously.

Read a complete list of pros and cons of Google PageSpeed and CloudFlare CDN.

4. Configure .htaccess

.htaccess stands for Hypertext Access. It’s a per-directory configuration file that applies to the directory in which it is placed and to all of its subdirectories. We’re going to talk about configuring .htaccess for Apache web servers running on Linux.

Editing the .htaccess file is serious business and you should not play with it unless you have at least basic coding knowledge. If you don’t feel comfortable editing .htaccess, you can download and install a plugin from the WordPress.org repository called WP htaccess Control. It provides an easy interface for editing the file, and also for configuring WordPress permalinks, categories, archives, pagination and custom taxonomies.

You can easily become overwhelmed by the number of options this plugin offers, so go straight to the “htaccess Suggestions” tab once you get to the plugin configuration page. Check all the options there and your .htaccess will be configured for security.

If you don’t want to install a plugin, or you need maximum control and want to configure the file manually, you can read this post on WordPress Security through .htaccess.
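The two .htaccess controls discussed on this page, an Apache login in front of wp-login.php and an IP allow-list for the wp-admin directory, as an added example written for this article, not code from the original post or from the WP htaccess Control plugin. It assumes Apache 2.4 `Require` syntax, a password file at /home/example/.htpasswd created with `htpasswd`, and the trusted addresses are constructed placeholders.

```apache
# Added example, not from the article. Two .htaccess fragments for Apache 2.4
# (Require syntax; AllowOverride must permit AuthConfig and Limit).

# --- <wordpress root>/.htaccess ---
# Apache asks for a login before wp-login.php is ever handed to PHP, so
# automated login attempts never reach WordPress or the database.
# The password file lives outside the web root and was created with, e.g.:
#   htpasswd -c /home/example/.htpasswd gatekeeper
# (path and user name are assumptions for this example)
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted login"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>

# --- <wordpress root>/wp-admin/.htaccess ---
# Only trusted addresses reach the dashboard. 203.0.113.0/24 and
# 198.51.100.7 are constructed documentation addresses; replace them.
<RequireAny>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</RequireAny>

# Themes and plugins call admin-ajax.php from the public front end, so that
# one file is exempted from the IP restriction (a later <Files> section
# replaces the directory-level Require in Apache 2.4).
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Pick the wp-admin allow-list only if every administrator has a fixed address; otherwise keep just the wp-login.php login gate, which is the part that stops automated attempts before any PHP runs.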

There isn’t a way to make your WordPress 100% secure, but limiting your website’s vulnerabilities will repel almost all malicious attacks, because hackers are not known for their patience. If you do become a victim of a WordPress security breach, you can read about what to do on the official WordPress “My site was hacked” page, and you can report all security issues here.

As you already know, prevention is the best cure, so what are your plans to harden WordPress security?

Dragan Nikolic

I'm a co-founder of ThematoSoup and a blogger for hire. Get in touch with me if you want to secure and optimize your WordPress website.
  • Deepanker

    Changing the default username from admin to something else must be done.

    And we should back up the website daily.

    Nice post.

    • Dragan Nikolic

      Thanks for stopping by.

      I agree, changing the default “admin” username is one of the fundamental things one should do when installing WordPress.

      I probably should have linked to official Hardening WordPress page, so I’m going to do it here – http://codex.wordpress.org/Hardening_WordPress

      • Jedediah Goodson

        Absolutely. Also, changing the admin folder name to something other than wp-admin (although it may break links in themes that link to it) and using .htaccess deny rules to limit access to IP ranges you trust helps too.

    • Sahil

      Great post Dragan. Absolutely, Deepanker! Whatever we do, WordPress attacks are still common. I sometimes think that there is no better option than having a very strong password.

  • Anne Haynes

    Better WP Security install gave me a white screen of death for my blog! I would not install or activate without mapping out the configuration.

    • Dragan Nikolic

      So sorry to hear that. I did mention you should check the FAQ page before activating it.

      How did you solve the issue?

    • Anudeep

      My screen went blank too. I deleted the Better WP Security folder manually. But traces of the plugin remained in the database, for which I had to edit the wp-config file (http://bit51.com/what-is-changed-by-better-wp-security/).

      I personally don’t recommend Better WP Security, as I faced the same issue on 3 different sites!

      • Dragan Nikolic

        Thanks for the input, Anudeep.

  • aljuk

    The attack is still very much ongoing. One of my sites’ login limiter has blocked 2,500 IPs in the past 2 hours.

    • Dragan Nikolic

      You’re right. I don’t see these attacks diminishing any time soon. I think the Wordfence security plugin has that option for limiting login attempts.

  • Steve

    The problem with relying on plugins to protect your site from brute force attacks is that PHP still has to be executed and database calls still have to be made, so they don’t really reduce the impact of the attack in terms of server load, unless they are plugins that dynamically modify the .htaccess file and add deny rules.

    Changing or deleting the admin user and using a strong password will make things more secure, but they won’t block the attack, and for many smaller sites it’s the sheer number of attempts from a huge number of compromised machines that is the problem.

    • Dragan Nikolic

      Thanks for the info, Steve. Any solution to these brute force attacks?

  • ben

    Thanks Dragan,

    All WordPress security plugins insert some code into the .htaccess file, so it’s better not to change the .htaccess manually if you are using such plugins.

    But I could never trust free CDNs, even the famous ones (Cloudflare…),
    because they act as a gate that all information passes through (user/password), and such a big bridge of important info attracts great hackers.

    • Dragan Nikolic

      Ben, you’re right when it comes to .htaccess. People shouldn’t do it both manually and let plugins do it, but choose one over the other.

      As for CDNs and important info, could you explain that to me, I’m not sure I understand?

  • Prem Nath

    Superb information!

  • Adam B

    Does anyone have suggestions for WordPress plugins that actually stop spammers? It seems that no matter what you do, some of them will get through.

  • Amanda

    Is installing WordPress via an FTP client like FileZilla the most secure option? Or does uploading via cPanel work the same way? I am about to install and am not clear on why to choose one method over the other. My understanding is that Simple Scripts is not the way to go, but I don’t understand the difference between the manual-install options.

    • Dragan Nikolic

      Amanda, in terms of security it’s pretty much the same whichever method you use.

    • Dragan Nikolic

      Be sure to change the defaults: administrative account and database prefix. You can read more about it if you search for Hardening WordPress

  • Arun Rajput

    Some awesome tips, though I am using the BulletProof WordPress plugin. It’s also an awesome plugin. It protects against SQL injection too. And yeah, performing daily backups is also important.

    • Dragan Nikolic

      Thanks Arun,

      Yes, backups are most important.

      I’ll try the plugin you suggested.

  • Osei Fortune

    Thanks for the list. The two I use are Better WP Security and BackWPup, which work great. Also, I didn’t know about PageSpeed Service by Google; I’ll have to look into this 🙂. Thank you Dragan

    • Dragan Nikolic

      You’re welcome.

  • Justin Mifsud

    Great post Dragan,

    I have tried several techniques to harden WordPress – some worked, others brought down my site (and I actually had to spend more time figuring out what went wrong). There are also some great free plugins. I personally went for Sucuri – they are so professional and their monitoring tools (especially the WPplugin) are awesome. I have blogged my personal opinion about WordPress security and Sucuri here – http://usabilitygeek.com/wordpress-security-sucuri

    • Dragan Nikolic

      Hi Justin,

      Which techniques brought down your website? I’m curious, so as not to make those mistakes myself. Nice post you wrote there, I’ll try Sucuri for sure. But where can I find their plugin you’ve mentioned in the post?

      • Justin Mifsud

        Hi Dragan,

        With regards to the plugin, I assume you are referring to the Google Authenticator… it is this one: http://wordpress.org/plugins/google-authenticator/. As for the Sucuri WordPress plugin, this is available with any subscription service that they offer.

        As I have said, I have tried several techniques and plugins such as Better WP Security (that you mention here). To tell you the truth, the plugin is very advanced but when I changed my database prefixes with it, it created havoc. But I may have hurried too much and did not read the documentation or forum well. Also, some of my worst experiences were mainly when I made modifications to my .htaccess files.

      • Justin Mifsud

        Oops I thought I mentioned the Google Authenticator in my comment. Well, now that I mentioned it, it is worth mentioning here since it adds an extra layer of security 🙂

  • Obinna Egbule

    Didn’t know .htaccess meant Hypertext Access, guess we all learn something every day. Thanks for the WordPress security tips.

    • Dragan Nikolic

      I learn new security tips and terminology everyday, too 🙂

      No problem, cheers

  • Mark Conger

    Point 1: I use Better WP Security and have for some time on many sites. Previously I used both Better WP Security and Bullet Proof Security. NOT GOOD. I opted to delete BulletProof because it totally owns the htaccess file or it doesn’t work. Thus cutting out other security plugins settings.

    Others here have mentioned Better WP Security causing issues. My first reaction is that there are some features you should avoid such as Away, Dir, Hide, and Tweaks. I don’t use them – they all have warnings that there could be conflicts. Heed them! The other features are very good.

    Point 2: BackWPup was my backup plugin of choice until they went to a paid model. At that time they changed their code base and several times the plugin brought my site down. I switched to BackupBuddy (had to buy it) and have been very pleased.

    Point 3: A few weeks ago I had somewhat of a DDoS attack and it would cause MySQL to get overloaded and restart. (I have a ServInt VPS.) After opening a support ticket with ServInt about it, they enabled a password protect feature for the wp-login.php file using .htaccess. Apache itself requires a login and password before the wp-login.php script gets called. You can find more info on how to do it with a Google search. It’s very much like password-protecting a directory using cPanel, but with a small code change. Folks, this STOPPED all the automated login attempts. I’ve not had a single one since. It’s not the only security mechanism in my arsenal, but it for dang sure is the front runner now.

    Hope this helps someone.

    • Dragan Nikolic

      All I can say is “Wow!”. You’ve really made this article valuable with your security tips. Thanks so much for sharing your insights. I’m sure a lot of people will find it useful.

      • Mark Conger

        Thanks for the shout out. I am by NO means a WordPress security guru. I follow what the gurus say, and then make my own assessments based on my sites and circumstances.

        Your article here is a great find and I’m glad I was able to pitch in a few cents as well.

  • Vinny Moreira

    Great tips! I’m gonna try the Better WP Security plugin. Google Authenticator is awesome too! Thanks!

    • Dragan Nikolic

      Thanks Vinny,

      Please read the FAQ section before installing/activating the Better WP Security plugin. It may alter your database, so back up your WordPress first.