Skip to content

How to Secure, or Harden, a WordPress Website

This is a question that we get asked a lot. How do I make sure my website is secure and that people won’t be able to access my information or hack my website?

There are a lot of different tricks you can do to reduce the chance of having your website compromised. However, at the end of the day the most important thing you can do is back up your website frequently. Restoring a backup is orders of magnitude faster and simpler than cleaning a hacked WordPress site.

Be wary of WordPress security plugins and tools. Most of them tend to focus on either preventing damage after someone has already hacked in to your site, or hiding things like your WordPress login page, rather than actually preventing intrusions. After someone has gained access, there’s no way to tell the extent of what they’ve done, so it’s considerably more important to block them in the first place. Therefore, our tips focus on the kinds of changes you can make to your site that will prevent intrusions.

You might be thinking “but aren’t you missing dozens of other security practices?!” Perhaps you’ve read about them on other blogs or from other hosting providers or WordPress experts. There’s a bunch of articles out there with 50+ security improvements you can make to WordPress… in our opinion anything more than what you see below is overkill. As mentioned above, the majority of those tweaks are designed to stop automated tools from inflicting damage *after* they’ve already gained admin access to your website. We tend to prefer preventing access to the site in the first place, which the following tweaks will do if you implement all of them.

In the WordPress Admin

1. Install a Limit Login Attempts Plugin

Note: this is optional if you host with us. The reason why can be found in the box below.

This plugin will let you limit the number of unsuccessful login attempts for your WordPress dashboard. This will protect against people trying to login to your website with random passwords over and over again in an attempt to “brute force” the system. You can download the plugin here, which will set the limit to 3 attempts.

If you have used our one-click web applications installer than this plugin should be installed by default. If it isn’t you can install it by using the link above.

 Did you know that our WordPress hosting comes with server-level tools to automatically detect multiple login attempts from the same IP and ban the malicious IP addresses? It doesn’t do any harm to install a plugin, but with our hosting, it’s no longer essential!

2. Admin Users: Use secure passwords & audit them

Never use a “temporary” password that you plan on going back to change later – it’s too easy to forget to adjust. When you go to change your password in WordPress under Users, it defaults to providing an autogenerated secure password. Please use what it provides and do not try to use one of your own, which will likely be weaker.

If you have trouble keeping/remembering long passwords, we don’t blame you: use a password manager like LastPass that will keep track of all of your randomly generated passwords for you and lock them all with one strong master password.

It’s also recommended to audit your admin users every few months. Delete admin users you do not require. It’s preferable to only use one if you can.

3. Always update your software

Note: this is automated if you host with us and have auto updates enabled (it is by default) in 1-click web apps.

This includes the core WordPress software, all plugins, and all themes that you have installed. This, alongside secure passwords, are the most important steps. WordPress and plugin and theme developers release updates to both add features and repair security flaws. It is crucial that you update your software whenever a new version is available.

If you are using commercial plugins or themes, make sure to follow their instructions to save a license key to the plugin’s settings to enable auto update. This is an option for most commercial plugins like BeaverBuilder, Gravity Forms and WooCommerce extensions.

If your commercial theme or plugin does not support auto-update, you will need to make a note to regularly check for updates and install them manually. When we encounter such plugins, we the developer to add auto-update and, if they do not intend to, we’ll find an alternative. This is because we find it’s not worth the time necessary to stay on top of manual plugin or theme updates.

4. Delete old software

If you have multiple versions of WordPress installed on your website (or any other piece of software for that matter) and you aren’t using one of them anymore, you’ll still need to make sure it’s up to date or delete it all together. Outdated and forgotten-about software installations are a very common method that automated hacking tools gain access to your website.

The same is true for installed plugins and themes. If you’re not using them, remove them!

5. Force HTTPS when logging in to the dashboard.

The simple way to do this is to use a plugin like Verve SSL. It will force you to login to your WordPress admin area over “https” instead of the insecure “http.” You don’t need a signed certificate for this (although you’ll get a warning from your browser if you don’t have one), the connection will still be secure and your username and password will be sent encrypted instead of via plain text. It’s recommended to use Let’s Encrypt with your domain to have a valid certificate.

The advanced way of doing this is by editing wp-config.php manually:

  1. Login to Plesk, choose File Manager, then navigate to your web root (httpdocs for your primary domain, custom for add-on domains). Alternatively you can login via FTPS or SFTP.
  2. Look for wp-config.php and edit the file
  3. Below the database settings place the following:
define('FORCE_SSL_ADMIN', true);

Control Panel Level:

6. Deny access to administrator login to anyone but yourself

We consider this to be overkill, and it does not work with all configurations (e.g.: nginx due to .htaccess files not being used), but if you want some extra security measures, there’s no harm in it!

There’s two ways to accomplish this: using Plesk’s “Password Protected Directories” or by blocking access to everyone except your own IP address (note the latter option is problematic if your IP changes regularly, which many ISPs do).

Plesk Password Protection (HTTP AUTH)

Read our guide to learn how to password protect your wp-admin folder with HTTP authentication. When following the guide, the folder to enter will be the wp-admin folder.

Once completed, you will have two levels of password entry before reaching the admin, HTTP Auth, and your standard WordPress admin login. Be sure to make the passwords different; if they are the same then a bot trying to guess them won’t have any trouble after getting through the first layer.

Manual IP Block

You can block anyone except your IP from the /wp-admin/ section of your WordPress installation by adding the following lines to a new .htaccess file created within the wp-admin folder. You can use the Plesk file manager or FTP to do this:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName SecuringWordPress
AuthType Basic
order deny,allow
deny from all
# whitelist IP addresses like this:
allow from

Just replace the IP address on the last line with whatever your current IP is. Click here to find your external IP.

Unfortunately there is no great plugin to handle this for you because the .htaccess file in this case will need to be located in the /wp-admin/ directory (and not the root directory). The simplest way to edit this file is by using the Plesk File Manager.

7. Run the latest PHP In Fast-CGI or FPM mode whenever possible.

If you are using a control panel that is current and up to date you’ll be able to choose between running PHP by Fast-CGI or Apache PHP. Choose the FastCGI method when possible to avoid having to set permissions to “chmod 777.” In WordPress, there are many themes and plugins that require you to use this permission set in order to properly write to the folders and upload content. The biggest problem with it is that “777” means that everyone can read, write, and execute any of the files that have those permissions.

Needless to say this is a big security risk and is a major problem if you are on a shared web hosting environment. If another website is compromised on the same server, they will be able to access any of your files and folders that have the chmod 777 permission set.

Using FastCGI forces PHP to run as your user and will avoid these problems altogether. If you’re hosting with us then this is likely the default for your website, however, don’t hesitate to ask us if you want us to check on it for you.

Be sure you’re running the latest version of PHP. Only the latest couple of major versions are regularly supported by the PHP developers, so running older versions like 5.4 and older (as of Jun 30) could present security risks for your site.

Personal Computer Level:

8. Never store your passwords unless you know they are encrypted.

Many programs on your computer actually store your passwords in plain text. This means that if you have a virus or a particular piece of spyware on your computer it may be able to access the FTP or web-based credentials for your WordPress or website installation.

If you want to save your passwords in your applications be sure to verify if they are encrypted or stored in plain text. For example, any application which stores passwords using Apple’s Keychain system, has fully secured password storage. Unfortunately FileZilla is not one of these apps, so saving your password in FileZilla’s site manager tool could be problematic if your computer is ever infected by a virus that knows to look for FileZilla data files.

9. Ensure you are always running an anti-virus and anti-spyware program.

Although this one should go without saying, it’s very common that people don’t run either of these. It doesn’t matter how secure your website or the server is if people are able to get your passwords from your personal computer.

If you follow these tips, there are only two remaining methods that could be used to hack your site:

  1. Zero day vulnerabilities, which are impossible to predict and protect against, though the best answer to them is fast updates, which our 1-click web apps utility handles for you.
  2. Social engineering, where someone tricks you into giving up your password. To prevent this, simply be vigilant and do not give out your password.

Jordan has been working with computers, security, and network systems since the 90s and is a managing partner at Websavers Inc. As a founder of the company, he's been in the web tech space for over 15 years.

1 Comment

  1. Mike Venables on February 8, 2015 at 6:58 pm

    Great ideas! You might be interested to see a presentation I gave at WordCamp Ottawa 2014…