How to Keep Your WordPress Site Secure

How to keep your WordPress site secure… WordPress is a very popular website creation tool. It can be used to create anything from a simple blog to a full-blown e-commerce site.

Because of that, it is the most dominant CMS (Content Management System) on the market. According to a survey, 35% of all websites (62% of CMS websites) – or around 455,000,000 websites are using WordPress.

This is great for you, it means that there is a lot of support and plenty of plugins (add-ons) available – often free.


WordPress Maybe Great But How do we Keep it That Way?

WordPress is the most attacked content management system on the web. Anybody using WordPress must use a security plugin.

The one that I use – and have been using for a number of years on sites that I have built – is iThemes Security previously known as Better WordPress Security.

According to the Bloggers Roadmap, “iThemes Security is the best overall security plugin you can find”. Although there is a paid version, the free version does an excellent job.

Inside this post, I will take you through the options and configurations of the free version.


What to do After The Install

The first thing you should do after installing and activating the plugin is to run the security check.

This will enable and initially configure

  • Banned Users
  • Database Backups
  • Local Brute Force Protection
  • Network Brute Force Protection
  • Strong Passwords
  • WordPress Tweaks

You then have basic protection – With a single click of a button.

Now it’s time to visit the various modules to really tighten thing up by checking (and possibly changing) the following configurations

Global Settings

The configuration that I use is as follows:

Allow iThemes Security to write to wp-config.php and .htaccess – this will ensure that your security settings are always properly updated.

The three lockout messages can be left as standard, or you can enter your own.

Enable Blacklist Repeat Offender – people who fail blacklist checks several times are automatically added to the banned list. I use these thresholds: Permanently Ban after 3 lockouts within 21 days, Lockout Period 15 minutes (before they can retry).

Lockout Whitelist: Enter Your own IP address – done automatically if you click the button.  This is very important – it means that you cannot accidentally be blacklisted from your own site.

You may need to update this periodically if your internet provider changes your address – I am on a cable service and have had the same IP address for a few years.

Notification Center
Here you can configure notification of security warnings

User Groups
Can be left at the defaults

404 Detection
This catches people looking for files to exploit. 404 (not found) errors are shown when a requested file is not found on your system. I set ‘Remember 404 Error’ to 15 minutes and ‘Error Threshold’ to 5. I leave the ‘Whitelist’ and ‘Ignored File Types’ as is.

Away mode
I don’t enable this but it can be used to disable WordPress dashboard access at certain times.

Banned users

  • Here you can give a list of IP addresses or address blocks to ban completely.
  • Enable’s blacklist feature.
  • Enable Ban Lists
  • Ban Hosts. I tend to use the lockout notifications (especially for people trying to log in as Admin) to block the whole ISP for hackers
  • from places like Russia, China etc.

If you need help with this, ask via comments and I will add a short explanatory post

Database Backups

Configure your backups. I use the following:

  • Backup Full Database Off
  • Backup Method Email Only – backups will be emailed to me
  • Backups to Retain doesn’t matter as I am not storing them on the machine
  • Zip Database Backups
  • Exclude Tables I leave as is
  • Enable Scheduled Database Backups
  • Backup Interval 3 days (if your site is very busy, with many posts, you may wish to shorten this interval).

File Change Detection
I leave this as is, but you can choose not to flag changes to some files, or to include some of the exclude file types.

File Permissions
This will give the current and recommended permissions for various files. If the site is working a lower level than recommended doesn’t hurt, but they need some explanation.

Assuming a Linux host (the most common) each file or folder has 3 sets of permissions:

  • What the owner of the file can do
  • What people in the same group of users as the owner can do
  • What anyone else can do

These permissions are represented as 3 numbers in the order owner, group member, anyone else.

The numbers have the following meaning.

0 can do nothing
1 can enter the folder or execute the program (e.g. a php file)
2 can write to the file (or folder)
3 can write to the file (or folder) and can enter the folder or execute the program (e.g. a php file)
4 can read the file (or folder)
5 can read the file (or folder) and can enter the folder or execute the program (e.g. a php file)
6 can read or write to the file (or folder)
7 can read or write to the file (or folder) and can enter the folder or execute the program (e.g. a php file)

Local Brute Force Protection
This is to protect against those who attempt to break in by guessing passwords.
Note: Set yourself up as an administrator, set up another user as an editor, remove the user ‘admin’ (if present), and never post using your admin login. If you have posted with this name you can choose quick edit for the post and change the author.

I set Max Login Attempts Per Host and Max Login Attempts Per User to 5
I set Minutes to Remember Bad Login (check period) to 15 minutes (some hackers anticipate the normal 10 minute period)
Always set Automatically Ban “admin” user

Network Brute Force Protection
make sure that you have generated an API key and selected Automatically ban IPs reported as a problem by the network

Password Requirements
Enable strong passwords for Administrator and Editor. You can also enable for lower categories if you wish.

Leave unless you have a security certificate to run your site under https

System Tweaks

More advanced settings. I recommended
Protect System Files
Disable Directory Browsing
Disable PHP in Uploads

WordPress Salts
I leave this alone

WordPress Tweaks

I enable the following:

  • Reduce Comment Spam
  • Disable File Editor It says that if you enable this you will need to manually edit theme and other files using a tool other than WordPress, but you can disable this and re-enable after editing.
  • XML-RPC You can set this to disabled. If you use jetpack you will need it enabled, and follow the jetpack security settings
  • Block Multiple Authentication Attempts per XML-RPC Request
  • REST API is the better, newer replacement for XML-RPC. Use the recommended Restricted Access.
  • Disable login error messages
  • Force users to choose a unique nickname – makes the displayed post name different from the login name. This would allow you to post as administrator user but I still recommend that you don’t.
  • Prevent attachment thumbnails from traversing to other files

Once this is done your WordPress site will be quite strongly protected. If you would like to see my progress from internet nerd to internet marketer visit

This is a guest post from Norman Hull, if you would like to be considered for a guest post please contact me.

Thanks for reading “How to Keep Your WordPress Site Secure”

Over to you… please feel free to comment below and discuss the points made here today.

Further Reading

Why not increase your affiliate sales in 1 easy step HERE

Bloggers Roadmap Bootcamp Day 1

Are You Ready For Your Very Own Blogging Bootcamp?

Grab Your FREE 5 Day Blogging Course Delivered to Your Inbox

To get onboard simply enter your email address below and we can get started immediately

Your Reports Are on The Way Check Your Inbox