[2018] WordPress Security 101: The Definitive WordPress Security Guide

Secure your WordPress website from scripts injections, hacking attempts, and other vulnerabilities. Check out our ultimate WordPress Security Guide [2018]

Why Do I Need to Worry About WordPress Security?

WordPress Security is one of the major concerns for everyone right now. Each year thousands of WordPress built websites get hacked, lose data, lose access to the website. Hence, you do need a full proof WordPress Security Guide!

Let’s face it. There is no 100% secured system in the world. That is why you need a WordPress Security Guide!

There will always be some risks in your system. However, you must take preventive actions, mitigate risks to make sure your website is not vulnerable to attacks.

Most websites usually get hacked due to poor system administration, not using the latest WordPress version, using weak username/password among many other cases.

Attacks on WordPress Sites Have Risen Significantly in the last few years

Industry renowned security firm Sucuri has published a detailed analysis of the most attacked Content Management Systems of 2018. Unsurprisingly WordPress came on top by absorbing about 80% of the total attacks.

Infected Websites Stats WordPress Security Guide
Source: Sucuri

So it is wise to concentrate your WordPress security before it is too late. Nothing is worse than waking up in the morning and discovering that you do not have to access your own website. Our WordPress security guide will help you to stop attacks and fix vulnerabilities on your website.

Sucuri CMS Infection Comparison WordPress Security Guide
Source: Sucuri

This post will provide you some of the best WordPress security tips to reduce the vulnerability of your WordPress installation. WPHive’s WordPress Security Guide will also share all the common tricks to strengthen your WordPress Security over time.

We have divided our WordPress Security Guide into a few parts.

  • Database Security
  • WordPress File Permission
  • Preventing Brute Force Attacks
  • WordPress Security Tricks

Database Security

A database is the single most important thing when building a new website. So when you are creating a new website, you must rethink about the security measures you are taking to secure your database. Many of us prefer the easiest way to install WordPress from cPanel. If you are concerned about security, we will always recommend you to install WordPress manually by creating the database first and adding a database user.

  • Tip: Use a unique database name. For example, if your website name is “myschool.com” then always choose something that is not related to the domain name.
  • Add number with the database name to make it more secured.

Database User Security

While adding your newly created user, it is wise not to allow ‘Drop’ permission for the database user. Even if someone gets access to your database, they will not be able to drop the table. This will ensure a tight security for your website.

WordPress Database User Security - WordPress Security Guide 2018

File Permission

(If you don’t bother about learning what is File Permission, skip to WordPress File Permission)

If you are running any Unix based operating system like Linux based distros like Ubuntu, Linux Mint or macOS you might know that all files and folders of Unix based operating systems have a file permission. This permission is written as three digits. If you notice the following image, you can understand what each of this digit does.WordPress File System Security - WordPress Security Guide 2018

See this video to quickly understand about Unix File Permission

WordPress File Permission

Make sure you follow this file permission structure to harden your file permission on WordPress. You can run the command like the following to change the file permission of your .htaccess file, after locating to its directory. Otherwise, you can just right click on the file and set permission in cPanel File Manager.

chmod 404 .htaccess

File Permission for WordPress Security

Some servers show error when using permission 705 at the root folder. In that case, use permission 750.

Preventing Brute Force Attacks on WordPress Website

A small script can be used to run Brute Force attack on your site. Hackers nowadays use different methods such as Socks/Proxy/VPN/Tor to keep attacking websites. Hence, we need to use CAPTCHA to stop these brute force attacks.

[2018] WordPress Security Guide 101

You will be able to decide where to show captchas.

[2018] WordPress Security Guide 101

After successful installation, the captcha will show on WordPress Login. Login to WordPress Dashboard in 1 Click using this tutorial.

[2018] WordPress Security Guide 101 - Captcha 2018

Multifactor Authentication

You can use third-party authenticators if you are not satisfied with your username/password combo. There are a few authenticators available for WordPress. Such as

  • Google Authenticator

You can use the Google Authenticator plugin if use iPhone/Android devices. The plugin will enable the support for you.


OTP means One Time Password. If you want that your website will always a one-time password at your email before each login, use the plugin Secure Login

 [2018] WordPress Security Tricks – Always Updated

Some other security tricks can harden your WordPress website. We will regularly update this section to add more and more tips and tricks to strengthen your WordPress security.

  1. If you want to stop plugin updates from admin panel add this code to your wp-config.php file

2. If you want to stop any changes from the admin panel, add this code to your wp-config.php file. This is particularly helpful when a site gets hacked.

define( 'DISALLOW_FILE_EDIT', true);

3. If you want to stop several types of script injections to your website, add this code to your .htaceess file.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

4. Use Strong Username/Password. It is so obvious but still people use WordPress username as “admin” and password as “admin” or “1234456”. Please DO NOT!

If you are using WordPress username admin, then immediately create a new user with a new username, make the new user Administrator and delete the old “admin” account.

Wrapping Up on WordPress Security

We can never finish covering up all the topics for the ultimate WordPress Security Guide. However, we will be updating this page frequently to prevent you from all the known security vulnerabilities.

Leave a Reply

Your email address will not be published. Required fields are marked *