WordPress Security Hardening - Complete Guide
Mahesh Waghmare WordPress security is crucial for protecting your site and user data. This comprehensive guide covers essential security measures from basic to advanced.
Introduction to WordPress Security
WordPress powers millions of websites, making it a frequent target for attacks. Implementing proper security measures protects your site, data, and users.
Common Threats:
- Brute force attacks
- SQL injection
- Cross-site scripting (XSS)
- Malware infections
- DDoS attacks
Security Layers:
- Server-level security
- WordPress core security
- Plugin and theme security
- User security practices
Basic Security Measures
Keep WordPress Updated
Always use the latest WordPress version:
// Enable automatic updates
define('WP_AUTO_UPDATE_CORE', true);Strong Passwords
- Minimum 12 characters
- Mix of uppercase, lowercase, numbers, symbols
- Unique passwords for each account
- Use password managers
Limit Login Attempts
// Limit login attempts
function limit_login_attempts() {
$attempts = get_transient('login_attempts_' . $_SERVER['REMOTE_ADDR']);
if ($attempts >= 5) {
wp_die('Too many login attempts. Please try again later.');
}
}
add_action('wp_login_failed', 'limit_login_attempts');Authentication Security
Two-Factor Authentication
Implement 2FA for admin accounts:
- Use plugins like Wordfence or iThemes Security
- Require 2FA for all admin users
- Use authenticator apps
Change Login URL
// Change wp-login.php URL
function custom_login_url() {
if (strpos($_SERVER['REQUEST_URI'], 'wp-login.php') !== false) {
wp_redirect(home_url('/custom-login'));
exit();
}
}
add_action('init', 'custom_login_url');File and Directory Permissions
Recommended Permissions:
- Files: 644
- Directories: 755
- wp-config.php: 600
- .htaccess: 644
Set via .htaccess:
# Protect wp-config.php
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
# Disable directory browsing
Options -IndexesDatabase Security
Change Table Prefix
// In wp-config.php
$table_prefix = 'wp_custom_';Database User Permissions
- Use dedicated database user
- Grant only necessary permissions
- Strong database password
- Regular backups
Advanced Security Measures
Security Headers
// Add security headers
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('Strict-Transport-Security: max-age=31536000');Disable File Editing
// In wp-config.php
define('DISALLOW_FILE_EDIT', true);Regular Backups
- Automated daily backups
- Off-site backup storage
- Test backup restoration
- Version control for code
Conclusion
WordPress security requires:
- Regular updates
- Strong authentication
- Proper file permissions
- Database security
- Security headers
- Regular backups
Key principles:
- Defense in depth
- Least privilege
- Regular monitoring
- Incident response plan
- Stay informed
Implementing these measures significantly improves WordPress security.
Written by Mahesh Waghmare
I bridge the gap between WordPress architecture and modern React frontends. Currently building tools for the AI era.
Follow on Twitter →