Intermediate Guide

WordPress Security Hardening

Protect your WordPress site from hackers with proven security configurations and practices

WordPress powers over 40% of the web, making it a prime target for hackers. This guide provides step-by-step instructions to harden your WordPress installation and protect against common attacks.

WordPress Security Statistics

  • 70% of WordPress sites are vulnerable to attacks [1]
  • 90,000+ attacks per minute on WordPress sites globally [2]
  • 52% of vulnerabilities come from plugins
  • 8% of hacks are due to weak passwords

Secure Initial Setup

1. Change Default Admin Username

Never use "admin" as your username: every brute-force tool tries it first. Create a new administrator account with a unique username, then retire the old one:

  1. Create a new administrator user with a non-obvious username and a strong password
  2. Log out and log in with the new account
  3. Delete the original "admin" account; when WordPress asks what to do with its content, choose to attribute all posts and pages to the new user
  4. Confirm that no posts or pages still list the old author

Keep in mind that WordPress exposes user logins through author archives (/?author=1 redirects to /author/username/) and the REST API (/wp-json/wp/v2/users), so a renamed account raises the cost of guessing; it does not hide the username. Pair it with a login-attempt limit and two-factor authentication.

2. Secure Database Prefix

Change the default wp_ table prefix during installation or via wp-config.php:

$table_prefix = 'a3f9k_'; // Use random prefix

⚠️ For existing sites, take a database backup first, then use a plugin like "Change Table Prefix" to rename the tables and the prefix-dependent option and usermeta keys together. A custom prefix only defeats scripts that hard-code wp_ table names; a SQL injection can still read the real names from information_schema, so treat it as defense in depth rather than a control.

3. Move wp-config.php

Move wp-config.php one directory above your WordPress root. WordPress checks that location automatically (and only that one level up), so no code change is needed:

/home/user/wp-config.php (moved here)

/home/user/public_html/ (WordPress root)

This only helps when the parent directory is outside the web server's document root, as /home/user/ is here. It keeps the file from being served as text if PHP handling ever breaks; it does not protect it from code already running inside WordPress, which can still read it.

wp-config.php Security Settings

Add these security configurations to your wp-config.php file:

Disable File Editing

Removes the theme and plugin code editors from the dashboard, so a stolen administrator session cannot be turned into a PHP backdoor through the browser. (DISALLOW_FILE_MODS goes further and also blocks plugin and theme installs and updates from the dashboard, which suits sites deployed from version control.)

define('DISALLOW_FILE_EDIT', true);

Force SSL for Admin

Sends login and dashboard traffic over HTTPS only, so credentials and authentication cookies are never sent in clear. The site needs a valid TLS certificate, and all HTTP traffic should additionally be redirected to HTTPS at the web server.

define('FORCE_SSL_ADMIN', true);

Security Keys

These eight values are used to sign authentication cookies and nonces. Generate unique ones at the WordPress secret-key service [3] and replace the placeholders below. Changing them later signs every user out, which is exactly what you want after a compromise.

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
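The service in reference [3] returns a ready-made block, but a build pipeline or an air-gapped host may not be able to fetch it. The script below is an added example (not code from the page or from WordPress) that generates the eight defines offline from /dev/urandom and swaps them into an existing wp-config.php in place; it is also the procedure for the key rotation mentioned in the maintenance and incident sections later on, since every session is invalidated the moment the new values land. It assumes only a POSIX shell, awk, tr, head and a readable /dev/urandom; the function names are this example's own.

```sh
#!/bin/sh
# Offline generation and rotation of the eight WordPress keys and salts.
# Added example, not page or WordPress code. Online alternative for the
# block alone: curl -s https://api.wordpress.org/secret-key/1.1/salt/
set -eu

SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character value from the kernel CSPRNG. The character set leaves
# out quotes and backslashes so the value can sit inside a PHP single-quoted
# string without escaping.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_+=.,:;<>?~-' </dev/urandom | head -c 64
}

# Print the eight define() lines in the form wp-config.php expects.
generate_salt_block() {
    for name in $SALT_NAMES; do
        printf "define('%s', '%s');\n" "$name" "$(random_salt)"
    done
}

# Usage: rotate_salts /home/user/wp-config.php
# Drops all eight existing define lines and writes the fresh block where the
# first one stood, leaving the rest of the file (DB settings, $table_prefix,
# ...) untouched. The file is rewritten through its original inode, so its
# permissions (e.g. 600) survive.
rotate_salts() {
    cfg=$1
    block=$(mktemp)
    tmp=$(mktemp)
    generate_salt_block >"$block"
    awk -v q="'" -v blockfile="$block" '
        BEGIN {
            pat = "^[ \t]*define[(][ \t]*" q "(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)" q
        }
        $0 ~ pat {
            if (!done) { while ((getline line < blockfile) > 0) print line; done = 1 }
            next
        }
        { print }
    ' "$cfg" >"$tmp"
    rm -f "$block"
    cat "$tmp" >"$cfg"
    rm -f "$tmp"
}
```

Run `rotate_salts` against a copy first and diff the result; the only lines that should change are the eight defines. Because the awk match is anchored on the constant name rather than on the placeholder text, it works on a config that already has real keys, which is the rotation case.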

Additional Security Constants

// Keep the upload type allowlist (this is the default). Setting it to true
// lets administrators upload any file type, PHP included. It does not
// control whether PHP executes inside uploads; that is a web server setting.

define('ALLOW_UNFILTERED_UPLOADS', false);

// Auto-update core. true enables major and minor releases; the value 'minor'
// limits it to security and maintenance releases.

define('WP_AUTO_UPDATE_CORE', true);

WordPress core has no built-in login-attempt limit and no constant that sets one; a define such as WP_MAX_LOGIN_ATTEMPTS is silently ignored. Rate limiting has to come from a plugin such as Limit Login Attempts Reloaded, a web application firewall, or web server rules.

File & Directory Permissions

Correct file permissions limit what a compromised web process, or another account on a shared host, can read or change:

Location               Directories   Files
Root directory         755           644
wp-admin/              755           644
wp-content/            755           644
wp-content/uploads/    755           644
wp-config.php          -             600
.htaccess              -             644

Set permissions via SSH from the WordPress root (the {} placeholder is required; without it chmod receives no file names):

find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;
chmod 600 wp-config.php

600 on wp-config.php assumes PHP runs as the file's owner (a per-site php-fpm pool or suPHP). If the web server runs as a separate account such as www-data, give that account group read with 640 and a matching group owner instead, or WordPress cannot start. Never use 777: it lets every process on the host write to your site.

.htaccess Security Rules

Add these rules to your .htaccess file for additional protection. They apply to Apache (and LiteSpeed) with AllowOverride enabled; nginx ignores .htaccess entirely, so there the same restrictions go in the server block. The directives below use Apache 2.4 syntax; on Apache 2.2 use "Order deny,allow" followed by "Deny from all" in place of "Require all denied".

Protect wp-config.php

<Files wp-config.php>
    Require all denied
</Files>

Disable Directory Browsing

Options -Indexes

Block PHP in Uploads

Add to wp-content/uploads/.htaccess. The pattern covers the alternative extensions PHP handlers are commonly mapped to, not just .php:

<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>

Verify it by requesting a test .php file under uploads and confirming the server answers 403.

Restrict wp-login.php by IP

This is an allowlist, not a rate limit: only the listed addresses can reach the login page at all. It suits sites administered from a fixed office or VPN address; with a dynamic IP you will lock yourself out. Use a valid address from your own range (203.0.113.10 below is a documentation placeholder):

# Only the listed address(es) may reach wp-login.php
<Files wp-login.php>
    Require ip 203.0.113.10
</Files>

xmlrpc.php also accepts credentials (and its system.multicall method lets one request test many), so deny it the same way if nothing on the site needs it. For real rate limiting use a plugin such as Limit Login Attempts Reloaded or a web application firewall.
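An allowlist is not an option on every site, so the other half of the picture is spotting the attackers in the access log and denying them specifically. The script below is an added example (not code from the page) that counts failed wp-login.php and xmlrpc.php POSTs per client in a combined-format access log and turns the offenders into an Apache 2.4 deny block. The assumptions are the log format, and the heuristic that a failed wp-login.php POST re-renders the form with status 200 while a successful one redirects with 302; xmlrpc.php answers 200 either way, so every POST to it is counted. The function names and the sample log lines in the usage are this example's own.

```sh
#!/bin/sh
# Brute-force detection over an Apache/nginx combined-format access log and
# generation of Apache 2.4 deny rules for the offenders. Added example, not
# code from the page. Assumes POSIX sh, awk and sort.
set -eu

# Usage: login_offenders <access.log> [threshold]
# Prints "ip count" for every client at or over the threshold, busiest first.
# Failed wp-login.php POSTs come back 200 (form re-rendered); successful ones
# come back 302, so only 200s count. xmlrpc.php returns 200 for faults too,
# so every POST to it counts; real clients rarely send dozens.
login_offenders() {
    log=$1
    limit=${2:-10}
    awk -v limit="$limit" '
        # combined log fields: $1 client ip, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) printf "%s %d\n", ip, fails[ip] }
    ' "$log" | sort -k2,2nr -k1,1
}

# Usage: deny_rules <access.log> [threshold]
# Emits a <Files> block that keeps everyone else working (Require all granted)
# while rejecting the listed addresses. Prints nothing if there are none.
deny_rules() {
    offenders=$(login_offenders "$@")
    [ -n "$offenders" ] || return 0
    printf '<Files wp-login.php>\n  <RequireAll>\n    Require all granted\n'
    printf '%s\n' "$offenders" | while read -r ip _; do
        printf '    Require not ip %s\n' "$ip"
    done
    printf '  </RequireAll>\n</Files>\n'
}

# Example: deny_rules /var/log/apache2/access.log 20 >> /var/www/html/.htaccess
```

Treat the output as a candidate list: a shared NAT or a corporate proxy can legitimately produce many logins from one address, so review the list before appending it, and prefer feeding the addresses into a firewall with an expiry over a permanent .htaccess entry.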

Essential Security Plugins

Comprehensive Security

  • Sucuri Security

    Firewall, malware scanning, hardening

  • MalCare

    Real-time protection, one-click malware removal

  • Wordfence

    Firewall, scanner, login security

Specialized Tools

  • Limit Login Attempts Reloaded

    Brute force protection

  • WP Security Audit Log (now distributed as WP Activity Log)

    Activity monitoring

  • UpdraftPlus

    Automated backups

⚠️ Important: Don't install multiple security plugins with overlapping features. Choose one comprehensive solution and supplement with specialized tools as needed.

User Security Best Practices

User Roles & Permissions

  • Only give administrator access when absolutely necessary
  • Use Editor role for content managers
  • Create custom roles with minimum required capabilities
  • Regularly audit user accounts and remove inactive ones

Strong Password Requirements

Enforce these password policies:

  • Minimum 12 characters; a long passphrase beats a short string of symbols
  • Generated and stored by a password manager, so every account has a unique password that is not reused on other sites
  • No dictionary words, site or company names, or personal information
  • Rotated when compromise is suspected or when someone with access leaves, not on a fixed calendar; forced periodic changes push people toward predictable variations of the old password
  • Two-factor authentication required for administrator and editor accounts

Ongoing Security Maintenance

Daily Tasks

  • Check security plugin alerts
  • Review login activity
  • Monitor site uptime

Weekly Tasks

  • Apply plugin and theme updates (security releases should not wait for the weekly pass; apply them the day they ship)
  • Run security scans
  • Test backup restoration

Monthly Tasks

  • Audit user accounts
  • Review security logs
  • Rotate security keys and salts (this signs out every user, so schedule it)

Quarterly Tasks

  • Complete security audit
  • Review hosting security
  • Update incident response plan

If Your Site Gets Hacked

Immediate Actions:

  1. Take the site offline (maintenance mode, or a holding page served directly by the web server)
  2. Preserve evidence before changing anything: copy the files, the database and the web server and PHP logs somewhere the attacker cannot reach
  3. Change all passwords (hosting, WordPress, FTP/SFTP, database) and rotate the security keys and salts so every existing session is invalidated
  4. Contact your hosting provider
  5. Scan with more than one security tool
  6. Check for unauthorized users, including administrators added directly in the database, and for unexpected scheduled tasks
  7. Review recently modified files, any PHP files under wp-content/uploads, and wp-config.php, .htaccess and the theme's functions.php for injected code
  8. Restore from a clean backup that predates the compromise, if one exists
  9. Otherwise remove the malicious code and reinstall core, plugins and themes from fresh copies
  10. Update everything (core, plugins, themes)
  11. Apply the hardening measures in this guide, then work out how the attacker got in; until the entry point is closed they will return
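Steps 6 and 7 are where most of the time goes, and they are worth scripting so they can be repeated after cleanup to confirm the site is actually clean. The script below is an added example (not code from the page) covering the file-system side of that triage: files changed recently, PHP-family files under uploads (which also checks that the "Block PHP in Uploads" rule is protecting an otherwise empty target), world-writable paths (the permissions section in reverse), and PHP files carrying common webshell markers. It assumes POSIX find and grep, a standard wp-content layout, and that the tree is inspected from a copy or with the site offline; the function names and marker list are this example's own.

```sh
#!/bin/sh
# Post-compromise file-system triage of a WordPress tree. Added example,
# not code from the page. Assumes POSIX sh, find and grep.
set -eu

# Usage: recently_modified <wp-root> [days]
# Files touched in the last N days. Attackers can backdate mtimes, so an
# empty result proves nothing; a non-empty one is where to start reading.
recently_modified() {
    find "$1" -type f -mtime "-${2:-7}"
}

# Usage: php_in_uploads <wp-root>
# uploads/ should hold media only. Any PHP-family file there is a finding,
# even when the .htaccess or nginx rule stops the server from running it.
php_in_uploads() {
    [ -d "$1/wp-content/uploads" ] || return 0
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' -o -name '*.phar' \)
}

# Usage: world_writable <wp-root>
# -002 is the POSIX octal form of "writable by others": every account on the
# host can modify anything listed here.
world_writable() {
    find "$1" -perm -002
}

# Usage: suspicious_php <wp-root>
# Markers typical of obfuscated droppers and webshells: eval, the usual
# decode/inflate chain, and a request parameter called as a function.
# Legitimate plugins also call base64_decode, so each hit needs a human
# look; a hit under uploads/ or inside core is almost never legitimate.
suspicious_php() {
    pat='eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('
    # grep -l exits 1 when no file matches; that is "nothing found", not an error.
    find "$1" -type f -name '*.php' -exec grep -lE "$pat" {} + || true
}

# Usage: triage_report <wp-root> [days]
# Runs all four checks under headings, ready to paste into the incident record.
triage_report() {
    printf '== PHP files under uploads ==\n'
    php_in_uploads "$1"
    printf '\n== World-writable paths ==\n'
    world_writable "$1"
    printf '\n== PHP files with webshell markers ==\n'
    suspicious_php "$1"
    printf '\n== Files modified in the last %s days ==\n' "${2:-7}"
    recently_modified "$1" "${2:-7}"
}

# Example: triage_report /home/user/public_html 14 > /root/incident/triage.txt
```

Run it twice: once on the preserved copy to scope the compromise, and once on the rebuilt site, where every section should come back empty except the recent-modification list, which will simply show the files you reinstalled.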


Sources & References

  1. WordPress Security Statistics - Sucuri Hacked Website Report: https://sucuri.net/reports (Accessed: July 15, 2025)
  2. Wordfence WordPress Attack Statistics: https://www.wordfence.com/blog/wordpress-statistics/ (Accessed: July 15, 2025)
  3. WordPress Secret Key Service API: https://api.wordpress.org/secret-key/1.1/salt/ (Accessed: July 15, 2025)