Immediate Security Actions
1. Keep Everything Updated
# Using WP-CLI (recommended). Take a backup first (see Database Security below): an update can break a site as well as fix it.
wp core update
wp plugin update --all
wp theme update --all
# Listing what is active shows what has to be checked against a vulnerability feed (see Check Plugin/Theme Vulnerabilities below); the list itself is not a vulnerability check.
wp plugin list --status=active
wp theme list --status=active
# Or via admin dashboard: Dashboard → Updates
2. Secure wp-config.php
Move wp-config.php Outside Web Root
# WordPress looks exactly one directory above its own root for wp-config.php, so this only works when the web root sits one level below a directory the web server does not serve (here /var/www/html → /var/www) and that directory contains no wp-settings.php.
mv /var/www/html/wp-config.php /var/www/wp-config.php
# Set restrictive permissions. PHP still has to read the file: 600 only works if the file is owned by the PHP process user (www-data on Debian/Ubuntu); otherwise use 640 with the PHP user's group.
chmod 600 /var/www/wp-config.php
Or Protect with .htaccess
# Add to /var/www/html/.htaccess (Apache 2.4 syntax; the older "order allow,deny" / "deny from all" form only works with mod_access_compat loaded)
<Files wp-config.php>
Require all denied
</Files>
Generate Strong Security Keys
Visit: https://api.wordpress.org/secret-key/1.1/salt/ (or run wp config shuffle-salts). Rotating the keys invalidates every existing login cookie, which is exactly what you want after a compromise or when staff leave.
Replace these in wp-config.php (the placeholder text below is what a stock install, or a config copied from one, still contains):
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
3. Change Default Database Prefix
Default prefix: wp_. Changing it only defeats automated scripts that hard-code table names; an attacker with a working SQL injection reads the real names from information_schema. Treat it as low-value obscurity, best done at install time.
# In wp-config.php, change:
$table_prefix = 'wp_';
# To something random:
$table_prefix = 'wp_7x2j_';
# Then rename all tables in the database, and also update the rows that embed the prefix:
# the wp_user_roles option in the options table and the wp_capabilities / wp_user_level keys in usermeta. Miss those and every user loses their role.
# WARNING: Backup first!
# Use a plugin like "Brozzme DB Prefix" or manual SQL
4. Disable File Editing
Prevents anyone holding an administrator session from editing theme/plugin PHP files via the dashboard (Appearance → Theme File Editor), the usual way a stolen admin login becomes code execution.
# Add to wp-config.php, above the "That's all, stop editing!" line
define('DISALLOW_FILE_EDIT', true);
# The stricter DISALLOW_FILE_MODS also blocks plugin/theme installs and updates from the dashboard; only use it where updates are done with WP-CLI.
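A quick way to verify steps 2 to 4 on a server, as an added example that is not part of the original guide: this bash function audits a wp-config.php for placeholder or short security keys, the default table prefix, a missing DISALLOW_FILE_EDIT and a file mode that grants anything to other users. The path argument, the 32-character minimum for keys and the use of GNU stat (with a BSD fallback) are assumptions of the example; salts generated by api.wordpress.org are 64 characters.

```shell
#!/usr/bin/env bash
# Added example: audit a wp-config.php for the items in steps 2-4.
# Prints one line per finding and returns the number of findings (0 = clean),
# so it can gate a deploy pipeline.
# Assumptions: plain define('KEY', 'value') lines as shipped by WordPress,
# GNU stat (BSD fallback included), keys expected to be >= 32 characters.

audit_wp_config() {
    local cfg="$1" findings=0 key val mode

    if [ ! -f "$cfg" ]; then
        echo "ERROR: $cfg not found"
        return 99
    fi

    # Each of the eight keys must exist, not be the placeholder, and be long enough.
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        val=$(sed -n "s/^define( *'$key', *'\([^']*\)'.*/\1/p" "$cfg" | head -n 1)
        if [ -z "$val" ] || [ "$val" = "put your unique phrase here" ]; then
            echo "FAIL: $key is missing or still the placeholder"
            findings=$((findings + 1))
        elif [ "${#val}" -lt 32 ]; then
            echo "FAIL: $key is only ${#val} characters"
            findings=$((findings + 1))
        fi
    done

    # Default table prefix (low value, but the guide asks for it on new sites)
    if grep -Eq "^\\\$table_prefix *= *'wp_' *;" "$cfg"; then
        echo "WARN: table prefix is the default wp_"
        findings=$((findings + 1))
    fi

    # Dashboard file editor must be off
    if ! grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\)" "$cfg"; then
        echo "FAIL: DISALLOW_FILE_EDIT is not set to true"
        findings=$((findings + 1))
    fi

    # Mode must grant nothing to "other" (600 or 640 are the sane choices)
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$mode" in
        *[1-7]) echo "FAIL: $cfg is mode $mode; other users can read it"
                findings=$((findings + 1)) ;;
    esac

    return "$findings"
}

# Usage: ./audit-wp-config.sh /var/www/wp-config.php
if [ "$#" -gt 0 ]; then
    audit_wp_config "$1"
fi
```

Run it as the deploy user after every config change; a non-zero exit is the list of things to fix.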
5. Limit Login Attempts
Prevents brute force attacks on wp-login.php. Credential stuffing also arrives through XML-RPC (see 7) and the REST API, so rate-limit the login page but do not assume it is the only entry point.
Using Plugin (Recommended)
Install: Limit Login Attempts Reloaded or WP Limit Login Attempts. Behind a CDN or reverse proxy the plugin must be told which header carries the real client IP, otherwise it locks out the proxy address for everyone.
Or Use .htaccess Password Protection
# Create password file (outside the web root)
htpasswd -c /etc/apache2/.htpasswd adminuser
# wp-login.php lives in the WordPress root, not in wp-admin/, so the rule belongs in /var/www/html/.htaccess:
<Files wp-login.php>
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Files>
# If you also protect the wp-admin/ directory this way, exempt wp-admin/admin-ajax.php: front-end plugins call it for anonymous visitors.
6. Change wp-login.php URL
Hides the login page from automated bots. This is obscurity, not access control: it cuts log noise but does nothing against XML-RPC or REST API logins, so pair it with rate limiting and 2FA.
Plugin: WPS Hide Login
Changes /wp-login.php to a custom URL like /my-secret-login
7. Disable XML-RPC
XML-RPC is abused for pingback-based DDoS amplification and for brute force: system.multicall lets one POST carry hundreds of login attempts, which is why per-request limits on wp-login.php miss it. Disable it unless something needs it (Jetpack and the WordPress mobile apps still use XML-RPC).
Method 1: .htaccess
# Apache 2.4 syntax; on 2.2 use "order deny,allow" / "deny from all"
<Files xmlrpc.php>
Require all denied
</Files>
Method 2: Nginx
location = /xmlrpc.php {
deny all;
access_log off;
log_not_found off;
}
Method 3: functions.php
// Add to theme's functions.php (better: a must-use plugin, so a theme switch does not re-enable it).
// This filter only disables XML-RPC methods that require authentication; pingback.ping stays
// reachable, so it stops the brute force but not the pingback abuse. Block the file at the web server for both.
add_filter('xmlrpc_enabled', '__return_false');
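To see whether the attacks in 5 and 7 are actually hitting a server, here is an added example that is not from the original guide: a bash/awk function that runs over a combined-format access log (Apache "combined" or the Nginx default), counts POST requests to wp-login.php and xmlrpc.php per client IP and reports every source at or above a threshold. The log lines are constructed for the example (203.0.113.x, 198.51.100.x and 192.0.2.x are documentation address ranges), and the default threshold of 20 is an assumption to tune per site.

```shell
#!/usr/bin/env bash
# Added example: report IPs hammering wp-login.php or xmlrpc.php.
# Input: a combined-format access log, where field 1 is the client IP,
# field 6 is "\"METHOD" and field 7 the request path.
# Output: one "<ip> <path> <count>" line per source at or above the threshold.
# Keep the threshold low for xmlrpc.php: one system.multicall POST can carry
# hundreds of login attempts, so a handful of POSTs is already suspicious.

report_login_abuse() {
    local logfile="$1" threshold="${2:-20}"
    awk -v thr="$threshold" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            path = $7
            sub(/\?.*/, "", path)        # drop any query string (e.g. ?action=lostpassword)
            hits[$1 " " path]++
        }
        END {
            for (k in hits) if (hits[k] >= thr) print k, hits[k]
        }' "$logfile" | sort
}

# Constructed sample log for the example (not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3842 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:39 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3842 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2024:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2024:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "python-requests/2.31"
198.51.100.23 - - [10/Oct/2024:13:56:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 612 "-" "python-requests/2.31"
192.0.2.5 - - [10/Oct/2024:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2024:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2024:14:02:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
EOF
}

# Usage: ./report-login-abuse.sh /var/log/apache2/access.log 20
if [ "$#" -gt 0 ]; then
    report_login_abuse "$1" "${2:-20}"
fi
```

Behind a CDN or reverse proxy field 1 is the proxy's address, so either log the real client IP or switch the script to the forwarded-for field; the output is the list you would feed to a firewall or fail2ban rule.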
8. Secure File Permissions
# Set ownership. Owning everything as the PHP user (www-data) is what lets dashboard updates and uploads work, but it also means any PHP code execution bug can rewrite core, plugins and .htaccess. Where updates are done with WP-CLI, own the tree as a deploy user with group www-data and make only wp-content/uploads writable by the server.
sudo chown -R www-data:www-data /var/www/html/
# Secure directory permissions
sudo find /var/www/html/ -type d -exec chmod 755 {} \;
# Secure file permissions
sudo find /var/www/html/ -type f -exec chmod 644 {} \;
# Extra secure wp-config.php (the owner is the PHP user, so 600 still lets PHP read it)
sudo chmod 600 /var/www/html/wp-config.php
# .htaccess only needs to be readable by the server; the find above already set 644, this just makes the intent explicit
sudo chmod 644 /var/www/html/.htaccess
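A check worth scripting once the permissions are set, as an added example that is not from the original guide: the bash functions below walk a WordPress tree and report paths that deviate from the 755/644 scheme, plus any PHP file under wp-content/uploads, which on a media-only directory is a strong webshell indicator. It assumes GNU find and sort; wp-config.php is excluded from the mode check because 600/640 is intended there.

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress tree for permission drift and PHP in uploads.
# Assumes GNU find/sort. wp-config.php is skipped by the mode check (600/640 wanted).

# Directories that are not 755, or files that are not 644.
find_perm_problems() {
    find "$1" \( \( -type d ! -perm 755 \) -o \
                 \( -type f ! -name wp-config.php ! -perm 644 \) \) -print 2>/dev/null | sort
}

# PHP anywhere under uploads is suspect; include the .php5/.phtml spellings
# attackers use to dodge naive *.php blocks.
find_uploads_php() {
    find "$1/wp-content/uploads" -type f \
        \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# audit_wp_tree <wordpress-root>: prints tagged findings, returns their count (max 255).
audit_wp_tree() {
    local root="$1" out count=0
    out=$(find_perm_problems "$root")
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/PERM: /'
        count=$((count + $(printf '%s\n' "$out" | wc -l)))
    fi
    out=$(find_uploads_php "$root")
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | sed 's/^/PHP-IN-UPLOADS: /'
        count=$((count + $(printf '%s\n' "$out" | wc -l)))
    fi
    if [ "$count" -gt 255 ]; then count=255; fi
    return "$count"
}

# Usage: ./audit-wp-tree.sh /var/www/html
if [ "$#" -gt 0 ]; then
    audit_wp_tree "$1"
fi
```

Run it from cron and alert on a non-zero exit; a PHP file appearing in uploads between two runs is worth treating as an incident, not as a permissions tidy-up. Attackers also drop their own .htaccess into uploads to re-enable PHP there, so a changed or new .htaccess in that tree deserves the same attention.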
9. Disable Directory Browsing
# Add to .htaccess
Options -Indexes
10. Remove WordPress Version Info
// Add to functions.php: removes the <meta name="generator"> tag from page heads
remove_action('wp_head', 'wp_generator');
// Remove from RSS feeds
add_filter('the_generator', '__return_empty_string');
// The version still leaks through ?ver= on core scripts and styles and through /readme.html, so this is cosmetic:
// block readme.html (see Harden .htaccess) and rely on keeping core updated, not on hiding the number.
Advanced Security Measures
Enable Two-Factor Authentication (2FA)
Plugins:
• Two Factor Authentication (by WP White Security)
• Google Authenticator
• Wordfence Login Security
Install Security Plugin
Recommended Security Plugins (run one firewall/scanner plugin, not several; they duplicate work and get in each other's way):
Wordfence Security (Most Popular)
• Firewall
• Malware scanner
• Login security
• Real-time threat defense
Sucuri Security
• Security activity auditing
• File integrity monitoring
• Malware scanning
• Blacklist monitoring
iThemes Security (now Solid Security)
• 30+ security measures
• Two-factor authentication
• Password security
• Database backups
Harden .htaccess
# Comprehensive .htaccess security (Apache 2.4 syntax throughout; on 2.2 replace each "Require all denied" with "Order allow,deny" / "Deny from all")
# Put these rules outside the "# BEGIN WordPress" ... "# END WordPress" block, which WordPress rewrites on its own
# Protect wp-config.php
<Files wp-config.php>
Require all denied
</Files>
# Disable directory browsing
Options -Indexes
# Protect .htaccess (stock Apache configs already deny .ht* files; this is harmless belt-and-braces)
<Files .htaccess>
Require all denied
</Files>
# Disable XML-RPC
<Files xmlrpc.php>
Require all denied
</Files>
# Block access to readme.html and license.txt (both disclose the WordPress version)
<FilesMatch "^(readme\.html|license\.txt)$">
Require all denied
</FilesMatch>
# Protect wp-includes (from the WordPress hardening guide; on multisite drop the first wp-includes rule, it blocks ms-files.php)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# Block ?author=N user enumeration. Partial: usernames are also exposed through /author/<slug>/ archives and the REST endpoint /wp-json/wp/v2/users, so this removes one scanner trick, not the information
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule .* - [F]
</IfModule>
# Disable server signature on error pages. The Server header itself is controlled by ServerTokens, which cannot be set in .htaccess; set "ServerTokens Prod" in the main server config
ServerSignature Off
# Block PHP execution in uploads. <Directory> is not allowed in .htaccess, so this goes in its own file: /var/www/html/wp-content/uploads/.htaccess
<FilesMatch "\.(php|phtml|php[0-9])$">
Require all denied
</FilesMatch>
Database Security
# Regular backups (using WP-CLI). Write the dump outside the web root (the path here is an example): a .sql file left in /var/www/html is downloadable by anyone who guesses the name.
wp db export /var/backups/wp/backup-$(date +%Y%m%d).sql
# Or use backup plugins:
# - UpdraftPlus
# - BackWPup
# - Duplicator
# Change the database user password (MySQL 5.7.6+ / MariaDB 10.2+ syntax), then update DB_PASSWORD in wp-config.php to match
ALTER USER 'wp_user'@'localhost' IDENTIFIED BY 'NewStrongP@ssw0rd!';
# Keep that user to what WordPress needs on its own database (typically SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX); it should hold no FILE or SUPER privilege and no grant on other schemas.
Add Security Headers
# Add to .htaccess. "always" makes Apache attach the headers to redirects and error pages too; plain "Header set" only covers 2xx responses.
<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# 0 is deliberate: it turns off the legacy browser XSS auditor, which could be abused as a side channel and has been removed from current browsers
Header always set X-XSS-Protection "0"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>
# Check the live result with curl -sI against the site; once it is HTTPS-only, add Strict-Transport-Security as well.
Plugin & Theme Security
Remove Unused Plugins & Themes
# List installed plugins (the status column shows which are inactive)
wp plugin list
# Delete inactive plugins. Deactivating is not enough: an inactive plugin's files are still on disk, and any standalone PHP script among them can still be requested directly, so it stays exploitable.
wp plugin delete plugin-name
# List themes
wp theme list
# Delete unused themes (keep one default theme as fallback)
wp theme delete theme-name
Check Plugin/Theme Vulnerabilities
Resources:
• WPScan
• Patchstack
• Wordfence Intelligence
# Scan with WPScan (vulnerability data requires a free API token from wpscan.com; only scan sites you own or are authorized to test)
gem install wpscan
wpscan --url https://example.com --api-token YOUR_TOKEN
User Account Security
Strengthen User Security
1. Change Default "admin" Username
Create a new administrator, log in as it, then delete the old "admin" account and reassign its posts. Usernames are discoverable anyway (author archives, REST API), so this mainly defeats lazy scripts; the password and 2FA do the real work.
2. Enforce Strong Passwords
Plugin: Force Strong Passwords
3. Limit User Roles
Only give users minimum necessary permissions:
• Administrator (full control)
• Editor (publish/manage posts)
• Author (publish own posts)
• Contributor (write posts, can't publish)
• Subscriber (read only)
4. Audit User Accounts
# List all users; look hardest at unexpected administrators, the usual sign of a backdoor account (wp user list --role=administrator narrows it down)
wp user list
# Delete suspicious users, reassigning their content to a trusted account (replace 1 with that account's ID)
wp user delete user_id --reassign=1
Monitoring & Maintenance
Enable Activity Logging
Plugins:
• WP Activity Log (formerly WP Security Audit Log)
• Simple History
• Activity Log
Track: Login attempts, file changes, plugin installs, user changes
Regular Malware Scans
# Using Wordfence (via its WP-CLI command, where the installed version provides one)
wp wordfence scan
# Or a manual integrity check against wordpress.org checksums. This covers core and wordpress.org-hosted plugins only; themes, premium plugins, mu-plugins and uploads are not checked.
wp core verify-checksums
wp plugin verify-checksums --all
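For the parts verify-checksums cannot see (themes, premium plugins, mu-plugins, uploads), a baseline of your own does the same job. The added example below is not from the original guide and is not a Wordfence or Sucuri feature: it records the SHA-256 of every file under the WordPress root and later reports what was added, changed or removed. It assumes GNU coreutils (sha256sum, find -print0, sort -z, xargs -0) and that the baseline file is kept off the server, since an intruder with write access could otherwise regenerate it.

```shell
#!/usr/bin/env bash
# Added example: coreutils-only file integrity baseline for a WordPress tree.
# Assumes GNU coreutils (sha256sum, find -print0, sort -z, xargs -0). Keep the
# baseline file off the server, or an intruder can simply regenerate it.

# wp_baseline <wordpress-root> <baseline-file>
# Writes "<sha256>  <path>" lines for every regular file under the root.
wp_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# wp_baseline_diff <wordpress-root> <baseline-file>
# Prints ADDED / CHANGED / REMOVED lines; returns how many there are (max 255).
wp_baseline_diff() {
    local root="$1" base="$2" out count=0
    out=$( ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) |
        awk '
            # sha256sum lines are "<64 hex chars><two spaces><path>"; taking the path
            # from column 67 keeps paths containing spaces intact.
            NR == FNR { old[substr($0, 67)] = $1; next }
                      { new[substr($0, 67)] = $1 }
            END {
                for (p in new) {
                    if (!(p in old))           print "ADDED   " p
                    else if (old[p] != new[p]) print "CHANGED " p
                }
                for (p in old) if (!(p in new)) print "REMOVED " p
            }' "$base" - | sort )
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        count=$(( $(printf '%s\n' "$out" | wc -l) ))
        if [ "$count" -gt 255 ]; then count=255; fi
    fi
    return "$count"
}

# Usage:
#   ./wp-baseline.sh init  /var/www/html /root/wp-baseline.sha256   (after a clean deploy)
#   ./wp-baseline.sh check /var/www/html /root/wp-baseline.sha256   (from cron; non-zero exit = drift)
case "${1:-}" in
    init)  wp_baseline "$2" "$3" ;;
    check) wp_baseline_diff "$2" "$3" ;;
esac
```

Re-run init after every legitimate update so the report only shows drift you did not cause; a CHANGED core or theme file, or an ADDED .php under uploads, between two updates is the signal to investigate.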
Set Up Automated Backups
Backup Solutions:
• UpdraftPlus (free, reliable)
• BackWPup
• VaultPress (Jetpack)
• BlogVault
Backup database and files together, at least weekly (daily for busy sites), keep copies offsite where the web server cannot reach them, and test a restore; a backup that only exists under wp-content is deleted or encrypted along with the site.
Emergency Response
If Site is Compromised
Immediate Actions:
1. Take the site offline (maintenance mode, or better, at the web server or hosting panel; see the note below)
2. Preserve evidence before cleaning: copy the whole tree, the database and the web server logs somewhere offline, so the entry point can be found and the clean-up verified
3. Change ALL passwords (database, hosting, FTP/SFTP, every admin account) and rotate the security keys in wp-config.php so existing sessions die
4. Scan for malware, including PHP files in wp-content/uploads and changed or added .htaccess files
5. Restore from a backup taken before the compromise, or rebuild core, plugins and themes from fresh downloads and carry over only content
6. Update everything before putting the site back; restoring the same vulnerable plugin brings you straight back here
7. Review user accounts, especially unexpected administrators
8. Check file permissions
9. Enable a security plugin
10. Monitor logs closely for the following weeks
# Emergency maintenance mode
# Create a .maintenance file in the WordPress root
<?php
$upgrading = time();
?>
# Because $upgrading is re-evaluated on every request this never expires; a hard-coded timestamp would be ignored by WordPress after 10 minutes. Delete the file to bring the site back.
# This only stops WordPress from serving pages: a PHP file the attacker already planted is still executable. For a live intrusion, disable the vhost or deny the whole site at the web server.
Security Checklist
☐ WordPress core, plugins, themes updated
☐ wp-config.php secured and moved
☐ Strong security keys generated
☐ Database prefix changed (new sites)
☐ File editing disabled
☐ Login attempts limited
☐ XML-RPC disabled
☐ File permissions set correctly (755/644)
☐ Directory browsing disabled
☐ Security plugin installed (Wordfence/Sucuri)
☐ 2FA enabled for admin accounts
☐ Unused plugins/themes removed
☐ Regular automated backups configured
☐ SSL/HTTPS enabled
☐ Activity logging enabled