
Secure Your WordPress Site

Protect your WordPress installation with essential security practices and configurations.

WordPress powers millions of sites, which makes it a target for attacks. Fortunately, securing your installation doesn't require advanced technical knowledge—a few key steps will defend against the vast majority of threats.

Change Your Admin Username

WordPress installations often ship with a default admin account. Hackers know this and will target it first.

  1. Log in to WordPress and go to Users.
  2. Create a new admin user with a strong, unique username (not "admin" or "administrator").
  3. Delete the default admin user, reassigning any posts to your new account.

Use a Strong Password

Your admin password is your most critical security asset.

  • Use at least 16 characters mixing uppercase, lowercase, numbers, and symbols.
  • Never reuse passwords across multiple sites.
  • Store securely in a password manager, not a sticky note.
  • Change it every 90 days if possible.

Enable HTTPS (SSL/TLS)

HTTPS encrypts data between your visitors' browsers and your server, preventing interception.

1. Verify your hosting account includes an SSL certificate (most hosts offer free certificates today).
2. Enable HTTPS in your WordPress settings:
   - Go to Settings > General.
   - Change both "WordPress Address" and "Site Address" to use https:// instead of http://.
   - Save changes.
3. Set up automatic redirects from HTTP to HTTPS:
   - Add these lines to your WordPress .htaccess file (in your public_html root):
```apache
# Redirect every plain-HTTP request to the same URL over HTTPS (permanent redirect)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Keep WordPress, Themes, and Plugins Updated

Security patches are released regularly for WordPress and its extensions. Delaying updates leaves you exposed.

1. Enable automatic updates (recommended):
   - Go to Settings > General (WordPress 5.1+).
   - WordPress will automatically update minor versions and security patches.
2. Review major updates manually:
   - Go to Dashboard > Updates.
   - Click "Update" for WordPress core, themes, and plugins.
   - Test your site afterward to ensure nothing broke.

Remove Unused Themes and Plugins

Every theme and plugin is potential attack surface. Deactivate and delete anything you're not using.

  1. Go to Appearance > Themes and delete inactive themes.
  2. Go to Plugins and deactivate, then delete unused plugins.
  3. Delete the default themes you're not using (e.g., Twenty Twenty-One if you're using a custom theme).

Limit Login Attempts

Brute-force attacks repeatedly guess your password. Limiting attempts stops them quickly.

1. Install a security plugin like Wordfence or iThemes Security (many offer free tiers).
2. Enable login attempt limiting:
   - Set it to lock after 5–10 failed attempts within a specific time window.
   - Require a CAPTCHA or email verification before unlock.

Secure Your Database

If you access your WordPress database directly, use strong credentials and limit access.

  1. Change your database user password (if possible through your control panel).
  2. Never use "admin" or simple names for database users.
  3. Limit database user permissions to only the database WordPress needs (not all databases on your server).
  4. Do not expose your database directly to the public internet—keep it server-side only.

Set File and Folder Permissions

Correct file permissions prevent unauthorized modification.

1. Use FTP or File Manager to set permissions:
   - Directories (folders): 755
   - Files: 644
   - Exception: wp-config.php should be 600 if possible (more restrictive).
2. Never use 777 permissions—this is dangerously open.
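The permission scheme above, applied and then audited from a shell. This is an added example, not code from the original article: it assumes the path you pass is the WordPress document root (for example public_html) and that you run it as the user who owns those files.

```shell
#!/bin/sh
# Added example (not from the original article): apply 755/644/600 to a
# WordPress document root and audit it for world-writable entries (777).
# Assumes the argument is the WordPress root and the caller owns the files.

# Apply 755 to every directory, 644 to every file, 600 to wp-config.php.
harden_wp_permissions() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Audit: list every entry whose world-write bit is set (-perm -002), which is
# what 777 or 666 leaves behind. Returns 0 when clean, 1 when anything is found.
audit_world_writable() {
  root="$1"
  bad=$(find "$root" -perm -002)
  if [ -n "$bad" ]; then
    printf 'world-writable entries found:\n%s\n' "$bad"
    return 1
  fi
  return 0
}

# Usage: harden_wp_permissions /path/to/public_html && audit_world_writable /path/to/public_html
```

Run the audit on its own first; a non-empty list tells you exactly which files or folders were left at 777 by a plugin installer or a hurried FTP session, and hardening afterwards should leave the audit silent.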

Disable File Editing

The WordPress admin panel includes a built-in file editor. Disable it to prevent modification if an account is compromised.

1. Open wp-config.php via FTP or your control panel's File Manager.
2. Add this line before the line that says /* That's all, stop editing! */:
```php
// Remove the theme and plugin file editors from the admin panel
define( 'DISALLOW_FILE_EDIT', true );
```
3. Save the file.
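The same edit done from a shell, as an added example that is not part of the original article: the function inserts the define before the "That's all, stop editing!" marker, does nothing if the constant is already present, refuses to touch a file without the marker, and overwrites in place so wp-config.php keeps its owner and its 600 mode. It assumes the argument is the path to wp-config.php.

```shell
#!/bin/sh
# Added example (not from the original article): idempotently add
# DISALLOW_FILE_EDIT to a wp-config.php given as the first argument.

set_disallow_file_edit() {
  cfg="$1"
  ins="define( 'DISALLOW_FILE_EDIT', true );"
  # Already configured: leave the file untouched.
  grep -q "DISALLOW_FILE_EDIT" "$cfg" && return 0
  tmp="$cfg.tmp.$$"
  # Print the define just before the marker line; fail (exit 2) if no marker was seen.
  awk -v ins="$ins" '
    /That.s all, stop editing!/ && !hit { print ins; hit = 1 }
    { print }
    END { exit hit ? 0 : 2 }
  ' "$cfg" > "$tmp" || { rm -f "$tmp"; echo "marker not found in $cfg" >&2; return 1; }
  # Overwrite the existing file rather than mv-ing the temp file over it, so the
  # original ownership and permissions (e.g. 600) are preserved.
  cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# Usage: set_disallow_file_edit /path/to/public_html/wp-config.php
```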

Back Up Regularly

Even with security in place, incidents can happen. Regular backups let you recover quickly.

  • Use your hosting control panel's backup feature if available—most offer automated daily or weekly backups.
  • Store backups off-site if possible (e.g., download monthly backups to your computer).
  • Test recovery: Restore a backup in a test environment annually to ensure backups work.

Monitor for Security Issues

Stay alert to signs of compromise: unexpected admin users, strange posts, or unusual traffic.

  1. Review user accounts monthly in the WordPress Users section.
  2. Check your site's posts and pages for unauthorized content.
  3. Use a security plugin to monitor file changes and malware.
  4. Review control panel logs regularly for suspicious login attempts to FTP or your database.
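The "Limit Login Attempts" section describes lockouts after a burst of failed attempts within a time window, and step 4 above asks you to review logs for suspicious login activity. The following added example (not code from the original article) does that review over a web-server access log in combined format: it counts POSTs to wp-login.php per client IP per minute and reports every IP that crosses a threshold, which is the same signal a login limiter acts on. The one-minute window, the threshold default of 10, and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): find clients hammering
# wp-login.php in an Apache/Nginx combined-format access log.

# Print "count ip minute" for each (ip, minute) with at least $2 POSTs to
# wp-login.php in the log file $1. Default threshold: 10 (assumed).
login_burst_ips() {
  log="$1"; threshold="${2:-10}"
  awk -v t="$threshold" '
    # $6 is the quoted method ("POST), $7 the request path, $4 the [timestamp
    $6 == "\"POST" && index($7, "/wp-login.php") == 1 {
      win = substr($4, 2, 17)        # e.g. 10/Oct/2024:13:55 -> one-minute bucket
      n[$1 " " win]++
    }
    END { for (k in n) if (n[k] >= t) print n[k], k }
  ' "$log" | sort -rn
}

# Constructed sample traffic (not real): 203.0.113.5 posts 12 times in one
# minute, 198.51.100.7 posts twice, 192.0.2.9 only loads pages.
write_sample_log() {
  out="$1"
  : > "$out"
  i=1
  while [ "$i" -le 12 ]; do
    printf '203.0.113.5 - - [10/Oct/2024:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"\n' "$i" >> "$out"
    i=$((i + 1))
  done
  printf '%s\n' \
    '198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' \
    '198.51.100.7 - - [10/Oct/2024:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"' \
    '192.0.2.9 - - [10/Oct/2024:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"' \
    '192.0.2.9 - - [10/Oct/2024:13:57:02 +0000] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"' >> "$out"
}

# Usage: login_burst_ips /var/log/apache2/access.log 10
```

Only POSTs count, because a GET of wp-login.php is just someone opening the login form; a single IP producing a dozen POSTs inside a minute is the pattern worth comparing against your plugin's lockout log.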

Security is ongoing, not a one-time setup. By following these steps and keeping everything updated, you'll stay ahead of common attacks.
