
When a website is developed in WordPress, security is not normally considered all that much, but it is becoming more and more necessary. Whether you are reading this out of curiosity or because you have experienced the consequences of poor security on your WordPress site, don’t neglect this topic and take a look at every point described below.
Content index
Is WordPress secure?
We should be clear from the get go: on every website in the world there is always some risk. That’s why working on security is not about avoiding risks 100%, but about minimizing all the ones we can.
Given the above, I would answer the question in the heading by saying no, WordPress is not secure, but not simply because it is WordPress.
If we modify the question we can consider it from another perspective:
Could WordPress be more secure?
Without a doubt. Below you will discover some methods to achieve just that.
What to consider when improving security in WordPress
How can I make my website secure? That’s the million-dollar question. Below you will discover several tips and implementations that will make your WordPress site much more secure.
1. Security Audit
If you are concerned about the security of your WordPress site and you don’t have the knowledge you need, an audit is highly recommended. That way you will be informed about what improvements are the best for your website specifically.
2. Passwords
Passwords are our access key; anyone who has them or a copy of them will be able to enter our site as they wish. Knowing this, I’m sure the importance of having a secure password is clear. To achieve this, we recommend:
- Changing passwords regularly
- Not sharing passwords, much less those belonging to the administrator
- Adding different characters:
- Upper case and lower case letters
- Numbers
- Special characters
- Save it in your memory only
A good strategy for creating a password is using the initials of a phrase you will remember. For example, for the phrase “make love, not war” we could have the following password: “mlnw”. We could also include the first and last initials of the person who said it in capital letters at the beginning and end. Since it was John Lennon, it would be “JmlnwL”. To make it even more secure, add an underscore followed by the year he was born: “JmlnwL_40”.
If you don’t want to use this strategy, you can always use a secure password generator like this one: Roboform.
3. Usernames
Usernames can also be a weakness. In fact, there are certain very simple ways usernames can be obtained. One of them is by searching for the URL in the browser. It would be as easy as:
- Placing the domain in the search engine: example.com
- Followed by this structure: ?author=1
This would show us all the posts created by the user with id = 1, which quite often is the website administrator. On top of this, we would also have access to the username of the user with id = 1. There are several ways to keep this information from being so easily accessible. For instance:
Don’t use the same username as at login!
You could modify your “user_nickname” through SQL or in phpMyAdmin
Add code in your .htaccess to redirect when that format of URL is added:
RewriteEngine On
RewriteCond %{QUERY_STRING} ^author= [NC]
RewriteRule ^ /? [L,R=301]
Add code in your functions.php file:
function wh_author(){
if (!is_admin()) {
if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])){
wp_redirect(home_url());
exit;
}
}
}
add_action("init", "wh_author");
Use a plugin such as “stop user enumeration”
If you want to avoid loading by id, but want the author pages to work, you will have to verify that in Settings/Permanent Links the “simple” option is not selected.
4. Login Page
The login page goes along the same lines as the two previous points. One of the most common attacks on login pages is phishing. This is an attack where you are shown a false login page so you will fill out your information there voluntarily. To avoid this we recommend always paying close attention to see that the domain of our access page is correct.
Another very interesting strategy for an extra layer of security on our WordPress login page would be to add a ReCAPTCHA on your login form.
5. Modify the URL of the Login Page
To access the WordPress control panel you can use the default URL mydomain.com/wp-admin. A simple way to hide the login page is by modifying the URL. There are several plugins that provide this function, including:
- WPS Hide Login
- Change wp-admin login

6. Limit Login Attempts
Brute-force attacks are the most common type for discovering the username and password. An easy way to avoid them is by using a tool that blocks login after several attempts. There are several plugins that have this function, such as “Limit Login Attempts Reloaded.”
7. Two-Factor Authentication
This is simply authentication in two steps instead of one. Depending on the tool you use, you can verify your identity through a code you receive on your phone or in your email. There are many plugins with this function, such as “Two Factor” or “Two Factor Authentication.”
8. PHP Errors
Often, our website may display errors that come from the code. This could be relevant information that could benefit a malicious attacker. To keep these errors from appearing, we can write the following line of code in our wp-config.php file, one line after the <?php opening:
error_reporting(0);
9. Block the File Editor
In the control panel we find the file editor under Appearance/File Editor. From there, we will have access to several of the essential files of our site, such as functions.php. If someone has been able to access our admin account, they could do a lot of damage in these files. Therefore, to avoid risks, it would make sense to remove this access. To do so, we can add the following code in the wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
10. New Users
We should avoid giving access to our website as much as possible. Try to keep the number of users to a minimum. If, for example, there is only one person who has access, we should make sure that registration of new users is deactivated. To check this, you can go into your control panel under: Settings/General/Membership/Anyone can register.
It is very likely that we will need there to be other users on our site. For example, to create content or to design new pages. You should be very careful with the privileges you give them. For this reason, in WordPress there are several user profiles with different privileges:
- Super Admin
- Administrator
- Editor
- Author
- Contributor
- Subscriber
You can visit this page to learn about the privileges of each one.
11. Adding External Code
Often we may come across pieces of code that promise a solution to our problems. In certain cases they may be very useful but if we don’t understand the code, it’s best not to use it. This is because we may be adding a weakness to the website without even knowing it.
12. WordPress Version
By default, WordPress shows you what version is being used through a meta tag called “generator.” This is valuable information to possible attackers. For that reason, it is a good idea to not show this information. To do so, we can add the following code in the functions.php:
remove_action('wp_head', 'wp_generator');
13. Plugins
According to several studies, more than 20% of the WordPress sites that have been hacked were hacked through a security gap in a plugin. We try to limit the use of plugins and replace them with functions created in code. If our only option is to use a plugin, it is vital that it come from a reliable source.
14. Themes
In WordPress we can only have one theme active, and it is recommended that you have a second one as a backup in case the main one breaks down. Apart from those two, it is not recommended that you have more themes installed, since they could become potential security gaps.
15. Child Theme
If you want to personalize the file structure of your theme, modify part of its code or add personalized code, using a child theme is always recommended. These themes will not be affected by any updates and will allow you to keep your code more organized.
16. Updates
Keeping your plugins, themes and WordPress core up to date is essential to minimizing security risks.
Before doing any updates, it is very important that you have a backup available in case a problem arises. Remember that updates are modifications of the code, so you should handle them carefully.
We recommend having a record of each update made, including the date. That way, you can see what updates may be causing errors, and what date you should revert your site to.
17. Avoid Installing Themes and Plugins
Antes de realizar alguna actualización es muy importante tener un back up disponible por si aparece algún tipo de problema. Recordemos que una actualización es una modificación del código, por lo que debemos tratarlas con cuidado.
Se recomienda tener un registro de cada actualización que se realiza, con fecha incluida. Así podremos reconocer en qué actualizaciones pueden estar provocando errores, y a qué fecha recuperar nuestra web.
17. Evita instalación de temas y plugins
Once we have finished developing the website, it is very likely that you will not need to install new plugins and/or themes. You can remove this function with a simple line of code, thus adding another small layer of security. To do so, we can add the following code in your wp-config-php:
define('DISALLOW_FILE_MODS', true);

18. Spam
Years ago, spam was one of the main ways attackers would access a website or install some form of malware. Though the frequency has decreased considerably, it is highly recommended that you use a tool to protect yourself from these troublesome messages. There are many anti-spam plugins for WordPress. We would like to highlight “Akismet” and “Antispam Bee.”
19. Database Prefix
The default prefix in WordPress is “wp_”; anyone with a basic understanding of WordPress will know that.
The WordPress database contains almost all your site content. In fact, you can also find data as sensitive as the username, passwords, etc. That gives you an idea of how concerning it would be for someone to gain access. Therefore, it is not just recommended, but essential, that you modify this prefix to make life just a little more difficult for malicious attackers.
Normally, we can modify this prefix at the time of installation. If you haven’t modified it, you can always do so through the wp-config.php file, where you will find a line of code like the following:
$table_prefix = 'wp_';
You just have to change wp_ to the prefix of your choice. It is also important that you change the prefix of all the tables from PhpMyAdmin, because if you don’t, your site will just be a white screen.
20. Security Through Keys and Salts
Keys and salts are random texts used to improve the encryption of your passwords and add extra layers of security to several elements of your site. They are automatically generated when you install WordPress, but there may be several reasons that make changing them a good idea, such as:
- Your site has been infected with malware
- Someone outside your circle of trust has gained access to this information
You can change the keys and salts through WordPress plugins such as Salt Shaker. Or you can do it manually following these steps:
- Create a backup to ensure that you have a recovery point if something fails
- Access the generator provided to you by WordPress to get the automatically generated code
- Access the wp-config.php file. You will find it in the root folder of your site, which you will have access to via FTP or with the file manager of your server
- Search for ‘AUTH_KEY’ and replace all the elements with those obtained in step two
- Save and close the window
21. XML-RPC
XML-RPC is an API that makes remote calls through http and XML markup language. Put simply, XML-RPC allows you to interact with your website remotely, and it is used for plugins like Jetpack.
Since WordPress version 3.5, XML-RPC comes by default and it cannot be uninstalled from the control panel.
The connections allowed by XML-RPC can be used to make DDoS attacks, so it may be beneficial to remove this function.
There are many plugins to remove XML-RPC, or even just to protect you from some attacks while continuing to use API. If you want to disable it through a WordPress code, it is as easy as adding the following code in your functions.php:
add_filter('xmlrpc_enabled', '__return_false');
22. wp-config.php file
This file contains the salts, keys, database login details and other extremely sensitive information. Therefore, it’s a good idea to make access difficult for malicious attackers.
Some security experts say that changing the location of the file may be a good practice, but there are some who say otherwise. I prefer to deny access through .htaccess by adding the following code:
<files wp-config.php>
order allow, deny
deny from all
</files>
An extra security measure is changing the file editing permissions. In the next point I explain how.
23. Permissions in Files
The servers have the ability to define what permissions each file has depending on the user. The permissions can be to read, write and execute, and they can be defined for owners, groups or audiences. There are cases (such as in the wp-config.php) when it is best to define read and write only for owners (600). If you want to learn more about this, you can read the article at this link.

24. Security Headers
When you place the web domain in your browser or click on a link, you are requesting data from the server where they are hosted. The server receives the call and collects the data to deliver them over the internet. The response includes the text, images and functions of the corresponding site. It also includes other data with information about the server and some settings, which can be valuable to attackers. To try to avoid this, we can add a series of headers. They include:
- Strict-Transport-Security: Avoids interaction if not through https
- Content-Security-Policy: Can avoid XSS attacks, defining what sources are permitted when files are loaded
- Permissions-Policy: Through this header you can tell the browser if it should allow access to some hardware elements such as the camera, microphone, etc. For this example, access to the camera and the microphone is denied
- X-Frame-Options: To avoid loading the page in an iframe external to the domain
- X-Content-Type-Options: This header prevents the loading of files that are not correctly defined through MIME
Before you include this code, you should know that it might conflict with some settings on your website. It is therefore recommended that only one informed person perform the implementation and have guaranteed access through FTP or the file manager of your server to modify the code if the site breaks down. That said, here is the code:
function add_security_headers() {
header( 'X-Frame-Options: SAMEORIGIN' );
header( 'X-Content-Type-Options: nosniff' );
header( 'X-XSS-Protection: 1;mode=block' );
header( "Permissions-Policy: camera 'none', microphone: 'none'" );
header( 'Strict-Transport-Security: max-age=31536000' );
header( 'Content-Security-Policy: default-src self' );
}
add_action( 'send_headers', 'add_security_headers' );
25. Personal Devices
One of the main security problems on your site may come from your device and the way you interact with it. We should use our devices responsibly. Some good practices are:
- Keeping your operating system and browser up to date
- Using a login with a password
- Using a firewall on the router
- Using high quality antivirus software
26. Hosting
A hosting is a space on a server where you can host the data you like. It is a physical device with its own operating system, processor, hard drive, memory, etc. Apart from directly affecting the performance of your website, the quality of your hosting also influences security. Hosting at a very low annual price will never be advisable.
27. Use the Latest Stable Version of PHP and MySQL
PHP is the language in which WordPress is built. Servers usually offer support to old versions for no more than 2 or 3 years. This means that, if you are using a previous version, it is very likely that your security is not covered.
Old versions of the language can have a direct influence on site performance.
You should have the option to update PHP through the control panel of your server.
MySQL is the language used to manage the database. Just like PHP, your mySQL should have the best and latest version available.
28. Use Secure Connections
It may seem like no big deal, but if we connect through our neighbor’s free Wifi, or if we connect to the control panel of our WordPress site through the hotel computer, we won’t be able to verify if it is a secure connection.
29. SSL Certificate
An SSL Certificate will allow you to transfer encrypted data between your browser and the server where the site is found. It is what allows access to your site through https instead of http. It appears as a small lock icon next to the URL in the browser.
30. SVG files
Upload SVG files in WordPress from a suspicious source could be a serious problem. This files could have malicious code.
Conclusion
Security in WordPress is a factor to certainly consider as it becomes more and more relevant. Keeping a careful eye on it and having the most appropriate implementations for your project is vital in keeping your site from running unnecessary risks.