WordPress Security: 20 Steps to Protect Your Site
Complete WordPress Security Checklist
1. Keep WordPress Updated
Enable automatic core updates in wp-config.php (true installs both minor and major releases; 'minor' limits it to security and maintenance releases):
define('WP_AUTO_UPDATE_CORE', true);
This constant covers core only. Plugins and themes have their own auto-update toggles in the dashboard (Plugins and Appearance screens), and most WordPress compromises come through outdated plugins, so turn those on as well or schedule a weekly update window.
2. Use Strong Passwords
Use a unique, randomly generated password of at least 16 characters from a password manager; length and uniqueness matter more than forced symbol mixes. Apply the same rule to every credential around the site: the database user, SFTP/SSH, the hosting control panel and any email account that can reset the WordPress password.
3. Install Security Plugin
Recommended: Wordfence or Sucuri Security (both free)
4. Enable Two-Factor Authentication
Use Google Authenticator or Duo plugin
5. Change Default Admin Username
Never use "admin". Create a new administrator with a different username, sign in as that user, reassign the old account's posts, then delete the old one. Treat the username as a minor obstacle rather than a secret: by default WordPress reveals login names through author archives (/?author=1 redirects to /author/<username>/), the REST API (/wp-json/wp/v2/users) and the login form's distinct "unknown username" and "wrong password" errors, so combine this step with two-factor authentication and login throttling.
6. Limit Login Attempts
Install the "Limit Login Attempts Reloaded" plugin and set a lockout after a handful of failures per IP and per username. Note that password guessing also arrives through XML-RPC and the REST API, not only the login form, so pair this with step 10.
7. Disable File Editing
Add to wp-config.php to remove the theme and plugin code editors from the dashboard, so a stolen admin session cannot be turned into arbitrary PHP on the server in two clicks:
define('DISALLOW_FILE_EDIT', true);
A related constant, DISALLOW_FILE_MODS, also blocks plugin and theme installs and updates from the dashboard, but it disables the automatic updates from step 1 as well, so only use it where deployments happen outside WordPress.
8. Change Database Prefix
The default "wp_" prefix is not a vulnerability in itself: a SQL injection flaw works against any prefix, and an attacker can usually read the real prefix from error messages or the database once they have a foothold. Changing it to a random prefix such as "x7k_" only defeats unsophisticated scripts that hardcode "wp_". Set it at install time; on an existing site you must rename every table and also update the option and meta keys that embed the prefix (wp_user_roles, wp_capabilities, wp_user_level), otherwise all users lose their roles.
9. Hide WordPress Version
Add to your child theme's functions.php, or to a must-use plugin so it survives theme updates:
remove_action('wp_head', 'wp_generator');
This removes only the <meta name="generator"> tag. The version also appears in feed generator tags, in the ?ver= query string on enqueued scripts and styles, and in /readme.html, so scanners can still fingerprint the site. Hiding the version buys little; keeping it updated (step 1) is the actual control.
10. Disable XML-RPC
XML-RPC is the legacy remote API. Its system.multicall method lets an attacker try hundreds of passwords in one request, and pingbacks have been abused for DDoS reflection. Add to .htaccess (Apache 2.4 syntax):
<Files xmlrpc.php>
    Require all denied
</Files>
On Apache 2.2, or 2.4 with mod_access_compat, the equivalent is Order Deny,Allow followed by Deny from all inside the same <Files> block. On nginx use a location block that returns 403 for /xmlrpc.php. Before blocking it, check whether anything legitimate depends on it: Jetpack and the WordPress mobile apps use XML-RPC, while the block editor and most modern integrations use the REST API instead.
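The following must-use plugin is an added example for steps 5, 9 and 10 of this checklist; it is not code from this page, from WordPress core or from any plugin named here. It uses only documented WordPress hooks; the file name, function names and messages are the example's own, and it assumes a current WordPress release with the REST API enabled. Save it as wp-content/mu-plugins/site-hardening.php so it loads before every theme and plugin and survives theme updates.

```php
<?php
/**
 * Plugin Name: Site hardening (added example for this checklist)
 *
 * Added example, not WordPress core code and not part of any named plugin.
 * Applies steps 5, 9 and 10: hides the version string, disables XML-RPC at the
 * application layer and blocks the common username-enumeration channels.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // Requested directly rather than loaded by WordPress: do nothing.
}

/* Step 9: hide the version string everywhere WordPress prints it. */

// <meta name="generator"> in the HTML head and <generator> in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Assets enqueued without a version of their own get ?ver=<WordPress version>
// appended; strip the query argument from every script and style URL.
function site_hardening_strip_asset_version( $src ) {
	if ( is_string( $src ) && false !== strpos( $src, 'ver=' ) ) {
		$src = remove_query_arg( 'ver', $src );
	}
	return $src;
}
add_filter( 'style_loader_src', 'site_hardening_strip_asset_version', 9999 );
add_filter( 'script_loader_src', 'site_hardening_strip_asset_version', 9999 );

/* Step 10: turn off XML-RPC inside WordPress, whatever the web server does. */

// Every XML-RPC method call now fails with "XML-RPC services are disabled".
// The file still answers, so keep the web-server rule for cheap early rejection.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Stop advertising the endpoint through the X-Pingback response header.
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );

/* Step 5: a non-default admin name only helps if usernames cannot be listed. */

// (a) /?author=N is redirected by WordPress to /author/<username>/, which
// leaks the login name. Refuse numeric author queries from anonymous visitors
// on the front end; admin screens use ?author= legitimately to filter posts.
add_action( 'init', function () {
	if ( is_admin() || is_user_logged_in() ) {
		return;
	}
	if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', (string) $_GET['author'] ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
} );

// (b) /wp-json/wp/v2/users lists every user who has published a post.
// Remove the users routes for anonymous requests only: logged-in editors and
// the block editor (which needs them for the author picker) keep access.
add_filter( 'rest_endpoints', function ( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array_keys( $endpoints ) as $route ) {
		if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
			unset( $endpoints[ $route ] );
		}
	}
	return $endpoints;
} );

// (c) wp-login.php distinguishes "unknown username" from "wrong password".
// Replace every login error with one neutral message (this also covers the
// lost-password form, which shares the same filter).
add_filter( 'login_errors', function () {
	return 'Login failed. Check your username and password.';
} );
```

After enabling it, verify from an unauthenticated browser or curl session that /?author=1 returns 403 instead of redirecting, that /wp-json/wp/v2/users returns a rest_no_route 404, that the page source no longer contains a generator tag or ?ver= on core assets, and that a POST to /xmlrpc.php with a system.listMethods call is refused. Then log in and confirm the post editor still loads, since the REST users routes are only hidden from anonymous requests.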
11. Install SSL Certificate
Free with WebHostWare hosting and installed automatically. After the certificate is in place, set both the WordPress Address and Site Address to https:// under Settings, redirect all HTTP requests to HTTPS, and check that no page loads scripts or images over plain HTTP, which browsers block as mixed content. Without the redirect, the login cookie can still be sent in the clear.
12. Regular Backups
Daily automated backups are included with WebHostWare. A backup stored only on the same server is lost with the server, so keep at least one copy off-host, retain several generations (a compromise is often noticed weeks after it happened), and practise a restore of both the files and the database at least once so you know the procedure works before you need it.
13. Secure wp-config.php
chmod 440 wp-config.php
The file holds the database password and the authentication salts. 440 (owner and group read-only) works when PHP runs as the file's owner or as a member of its group, which is the usual setup on hosts using PHP-FPM pools or suPHP; if PHP runs as a separate user such as www-data that is not in the group, the site breaks, so confirm which user serves PHP first. Where the owner is the PHP user, 400 is tighter still. Also make sure a backup copy (wp-config.php.bak, wp-config.php~) is never left in the web root, since the server may serve it as plain text.
14. Disable Directory Browsing
Add to .htaccess:
Options -Indexes
15. Use Security Headers
Add to .htaccess (requires mod_headers; with it disabled, Apache returns a 500 error for the whole site):
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
X-Frame-Options stops other sites from framing yours for clickjacking, and nosniff stops browsers from treating uploaded files as scripts. The older X-XSS-Protection header is obsolete: Chrome and Edge removed their XSS auditors in 2019 and Firefox never had one, so it can be dropped. Its modern replacement is a Content-Security-Policy, which needs tuning to your theme and plugins, and once HTTPS is enforced everywhere (step 11) a Strict-Transport-Security header keeps browsers from ever trying HTTP.
16. Monitor File Changes
Wordfence compares core, plugin and theme files against the official copies and alerts you to any file modifications; unexpected changes to PHP files or new files in wp-content/uploads are the most common sign of a web shell. If you have shell access, WP-CLI offers the same check on demand with wp core verify-checksums and wp plugin verify-checksums --all, which is useful from a cron job or after an incident.
17. Scan for Malware
Run weekly scans with Sucuri or Wordfence. A scanner running inside a compromised site can itself be tampered with, so complement it with an external check (Sucuri's SiteCheck scans the public site from outside) and treat a scan as detection only: a detected infection calls for restoring from a clean backup and then updating, not just deleting the flagged files.
18. Secure Database
Use a strong, unique database password and a dedicated database user for WordPress with privileges only on its own database (SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP suffice) and no FILE, SUPER or global grants, so a SQL injection in a plugin cannot read other databases or write files. Allow connections only from localhost or the application host, never from the internet. The prefix from step 8 is a minor extra, not a substitute for these.
19. Remove Unused Themes/Plugins
Delete, don't just deactivate. A deactivated plugin's PHP files are still on disk and can be requested directly by URL, so a vulnerability in them is still exploitable, and deactivated code rarely gets updated. Keep one default theme (for example Twenty Twenty-Four) as a fallback and remove the rest.
20. Use Secure Hosting
WebHostWare includes:
- Free SSL certificates
- DDoS protection
- Malware scanning
- Daily backups
- Firewall protection
Need Help?
WebHostWare offers 24/7 expert support with all hosting plans. Get help when you need it.