Skip to main content

We all know that nowadays setting up a WordPress site is not too difficult. Many hosting companies are providing automatic WordPress site installation through the standard CPanel platform, and you can have something a bit more than “Hello World” showing up on the browser in less than a cup of coffee’s time.

However, a WordPress site is actually just another system running on the web that can be hacked and attacked. To make the system secure and safe, surely we have a lot of things to be done. It is impossible to have a single checklist that can safeguard all different types of WordPress installation because we can freely install and customise themes and plugins on top of the platform.

WordPress has its own official documentation served as an entry point to address some fundamental security issues, at

To summarize, here are a few main points:

  • Always keep your WordPress site up-to-date. Security issues are regularly being fixed in WordPress Updates. Once an update is released, since WordPress is an open source software, technical people can trace easily what have been fixed, and that implies everyone knows very clearly where the problems are in the old versions. Your site will be at risk if you do not update and patch the announced issues as soon as you could.
  • Use better username and passwords. Hackers can guess your password by brute force. If you are not checking your web server log, and you do not have any security plugins installed, you may never notice someone is trying to gain access to you system. Since this kind of hacking requires a valid user name, before working out a very safe password, DO NOT use usernames such as admin, administrators, support, etc. as your WordPress account user name. Given that hackers do not know a valid user name, this kind of brute force hacking will be very difficult to succeed.
  • Avoid using FTP. FTP sends unencrypted password. Use SFTP if possible.
  • Setting up correct file permissions. This should have been done automatically by your hosting provider in general. If you are unsure, consult the WordPress documentation for a list of recommended configurations, and ask your technical support to verify them.
  • Database security. Again this should have been done automatically by your hosting provider, but just to bear in mind that hackers can choose to hack into your database (that keeps the WordPress contents and accounts) instead of going through the WordPress front-end. In general hosting providers should block the database server from being accessed from the outside world. Check with your hosting or your technical support if you are unsure.
  • Securing WP-Admin. There are many different ways to do this. The official recommendations are:– Don’t limit access to the wp-admin folder as this may break the system.
    – Do implement another layer of server-side password protection such as BasicAuth. Your browser will pop up a window asking you for an extra pair of user name and password before showing up the WordPress login screen.
    – Do use SSL (HTTPS). This will make your site administration more secure as your work are encrypted on the network. Also this helps better Google SEO.
  • Secure WP-Includes. WordPress provided a sample .htaccess configuration file for the system admin to restrict access to this folder. Check the original documentation for details.
  • Secure WP-Config.php. This file keeps the database passwords and other important settings. Some suggested moving this file away from public access, but WordPress again suggested to protect using .htaccess server side configuration. Your server admin guy should know how to do that by referring to the sample codes in the documentation.
  • Disable (.php) file editing. The idea is that hackers would insert malicious codes to WordPress system file. This is debatable and the exact implementation varies depends on how you use the WordPress system. Consult with your technical guys if you are unsure.
  • Data backup. No need to explain – this help recover your site quickly in case of any problems. Better keep multiple backups done over time because it might be too late when you found your site is hacked, and your only backup contains all contaminated files.
  • Logging. This can be done by installing WordPress plugins to monitor access to the wp-admin. Also, the web server log is very useful in tracking hacking attempts.
  • Monitoring. Having logs but without reading them is simply meaningless. Make this a regular work for the support team to check the logs and the system for any irregularities.

Is this list too long to read? Not really! We have only covered some very basic things you should do. If you are unsure what to do, discuss with us, and we can help provide WordPress regular security check and hacked site clean up service.

Stay tuned! We will share more security tips for making your WordPress site better!