WordPress Security – 11+ Steps to Lockdown WordPress in Case of an Emergency 
Wordpress security is a very important aspect of WordPress. Without proper WordPress security, you can never be sure about your business’s success. Internet live stats states that about 70000 websites get hacked every day on average. Sometimes it is wise to go 100% on security.
In this tutorial, we are covering the essential steps to lock down WordPress in case of an emergency.
Since more than 32% of websites use WordPress to publish content every day, WordPress is targeted more for hacking. One of the most common reasons of websites getting hacked is using outdated software.
Is WordPress Secure?
For example, Sucuri’s 2017 Hacked Website Report states that 39.3% WordPress websites were running out-of-date WordPress software at the time of the hacking.
The WPScan Vulnerability Database finds out that more than 70% vulnerabilities happen due to out-of-date software. The most vulnerable versions of WordPress are all way back in WordPress version 3.X.
It is evident that WordPress has improved a lot in security. However, how do you know you whether have you been able to secure WordPress or not?
Well, you don’t.
There are always new ways of hacking and phishing. All you can do is taking a good preparation. Also, be certain to follow the best WordPress security tips. Although, if you feel that your website has already been compromised, follow this tutorial
Lockdown WordPress in Case of an Emergency
Sometimes it’s a good idea to lockdown WordPress. When you know you are in a high risk of getting hacked, our WordPress Pros suggest that you should lockdown WordPress for a while.
One of the worst security vulnerabilities is backdoors. Backdoor vulnerabilities give hackers the ability to bypass security to obtain access to WordPress websites. Backdoor vulnerabilities can be exploited using – SFTP, FTP, wp-admin etc. According to Sucuri, 71% malware were backdoors out of all the hacking attempts in 2017.
Steps to Lockdown WordPress
1. USE DISALLOW FILE EDIT on wp-config.php
If you want to secure your WordPress site from any frontend injections, you need to add
DISALLOW_FILE_EDIT', true parameter in your
This is very helpful when a site gets hacked or in danger of getting hacked.
wp-config.php file and add the following line after the opening
define( 'DISALLOW_FILE_EDIT', true);
2. Use Latest PHP Version
The most crucial WordPress site security factor is PHP. PHP is the spine of your WordPress site. It is vital and absolutely crucial that you use the latest version of PHP on your server. PHP 7.3 is the latest PHP version as of writing the article and we recommend using the latest PHP version always.
However, according to WordPress Stats, only a mere 0.3% users are using the latest version of PHP.
Every PHP version is usually supported for two years after its release. As of right now, PHP versions below 5.6 has no security support and are vulnerable to security threats. However, the stats show that more than 34% of people are still using PHP 5.2, which is kind of sad.
If you are using cPanel, take a look on how to change the PHP version in cPanel
3. Check Existing Users in Your WordPress Dashboard
If you suspect that hackers have already logged into your WordPress system, go to Users>>All Users.
From the list, try finding if there’s any unknown users registered on your system. If you find out that are unfamiliar to you, delete those users ASAP.
Make sure there are no unfamiliar users on that list.
4. Use A Strong Password
One of the common WordPress security tips that you will find in every blog is using a strong and clever password. It’s okay if you use a memorable password on your social and email accounts but when you are managing your own website with Administrator privilege (Companion read: WordPress User Permissions, Explained), make sure you use a strong password.
Do not use a common password like “123456”, as revealed by Fortune’s most common passwords. Do not use “iloveyou” because that’s a common password too.
- You can use services like LastPass, Bitwarden (an open source alternative to LastPass), 1Password to generate a strong password with numerics, capital letter, small letter, and symbols. These password managers can also save your password behind a master password for your convenience.
- Take a look at our WordPress Security Guide about how to choose a strong password in more details
5. Update WordPress Core, Plugins and Themes
However, an independent survey from Wordfence found out that more than 60% of the webmasters say attackers gain access of their site via plugin or themes.
Updating WordPress plugins and themes can be an excellent choice. Sure, that would consume some CPU always in the background, but it is worth it. Check our guide on How to Manage WordPress Automatic Updates Like a Pro to learn how you can automate updates in WordPress.
Takeaway: Wordfence recently reported that a vulnerability in AMP for WordPress plugin could make the way for XSS (cross-site scripting) affecting almost 100,000 websites where the plugin has been active.
6. Replace WordPress Core Files
If you find out that your site has been compromised but how to secure WordPress website from hackers, follow this simple procedure.
If your WordPress site is hacked, and you are wondering how to fix it – try replacing your WordPress core files.
Following this procedure will make sure you get your site working again (without any malware). If you are replacing WordPress core files, make sure you have already done step 1 as mentioned in the article.
- Download latest version of WordPress from WordPress.org
- Unpack the archive. and open the WordPress folder.
- delete the wp-content and
wp-config-sample.phpfile from the extracted folder
- Zip everything again (without the wp-content folder and
- Login to your cPanel delete all files except wp-content folder and
- Upload the newly created WordPress zip file and extract them in your root folder.
- See the following video to replace WordPress core files manually.
Takeaway: The procedure replaces all existing files of your WordPress installation except those in the wp-content folder. Usually, hackers place malicious files in the wp-includes folder. Replacing all WordPress core files will make sure that your WordPress installation is clean and malware free.
7. Do a WordPress Security Scan
WordPress Security scans are a good way to find out how exactly your site has been compromised. However, most of the WordPress security scans are paid. Here’s a list of websites where you can schedule a free WordPress Security Scan.
How to remove malware from my wordpress site?
— Security scans are helpful for finding security vulnerabilities
- Hackertarget WordPress Security Scan
- WP Recon WordPress Security Scan
- WPScan WordPress Security Scan
- ScanWP’s WordPress Security Scan
- WPScans WordPress Security Scan
- Sucuri’s Site Check (WP Hive recommended)
- WP Loop
- WP Neuron
- Astra’s Hack Removal Guide
We recommend using complete website security and acceleration services like Cloudflare or Incapsula
8. Enable WordPress Login Security
Limit Login Attempts is a great plugin that blocks IP addresses from making continuous attempts after a specified limit on retries has been reached. This is a good tool against brute-force attacks.
9. Review Your WordPress User Permissions
- Make sure you have the correct WordPress user permissions set for each user.
- Do not give admin access to everyone. Only provide admin access whom you trust
- Explore other WordPress User Permissions such as Editor, Contributor
10. Use HTTPS
HTTPS makes your website more secure and makes it harder for hackers to eavesdrop. HTTPS is unquestionably critical for a secured connection between a website and a browser.
Check our in-depth guide to learn to configure Cloudflare with WordPress and take advantage of free CDN and SSL service.
Most hosting providers already provide Let’s Encrypt free SSL service nowadays. Watch the following video to know how you can enable Let’s Encrypt free SSL in cPanel.
Google has started to give SEO boost to HTTPS websites since July 2018. A blog post on Chromium titled A Secure Web is Here to Stay explained Google’s stance on HTTPS.
11. Follow WP Hive’s Ultimate WordPress Security Guide 
Before wrapping up, we would suggest you bookmark our article 31+ WordPress Security Tips: Ultimate WordPress Security Guide . We are always updating this article with new ways to secure your website. The following article includes the best WordPress Security Plugins for your convenience.
We hope these WordPress security tips have helped you to secure your website. If we have missed any essential WordPress security tips, feel free to let us know via comments.
Saif HassanLead Product Manager
Product Manager by passion & profession. Lead Product Manager at weDevs, former PM @ Poptin. Passionate about writing & tech. He's an advocate of Human-Centered Design and believes that websites and the tools used to build them should be well crafted, intuitive, and accessible. Cyclist. Reader. A WordPress ninja 🥷, HCI expert & a design thinker 💡