I’ve written a lot about the steps to secure WordPress.  It is a bit of a wonder that I don’t have them listed in one place for you to refer to over and over. Well, I’m rectifying that right now.

14 Action Steps To Secure Your WordPress SiteHere are so actions, with updated information you need to take immediately.

Install iThemes Security

Before proceeding, please know that…

Good WP security doesn’t come in a box. One plugin cannot solve all problems.

WordPress security isn’t a set once and forget thing. It’s a series of steps, and layers of processes.

Now that is out of the way, there are many different plugins out there for security. I like and use iThemes Security extensively. Mostly because it has a checklist of things that covers a lot of the common issues that I used to handle by hand.

Great as it is, sometimes, on some servers it just doesn’t want to work nicely. It could be an incompatibility with other plugins or with the way a web host has configured the server. In these instances, my fallback is Wordfence. While Wordfence does not do as much but it has one really important feature – to block suspicious logins and brute force logins.

Both are free though there is a Pro version for iThemes Security.

Action Step – download or check out:

Use An Application Delivery Platform or DNS Service

Ok, sounds like huge, scary, geeky words but really it is super easy to use and nothing you need to be afraid of. These services are sort of like the traffic police for your website. Your traffic passes through them and they filter out the bad. This way, the bad guys don’t even get a chance to reach WordPress which is big. Here’s why.

If you are under a brute force attack (heavy attempts at password cracking), plugins may stop them but you can’t stop them from continuing to try. It is these continuous, unsuccessful attempts that could lock up your site or even bring your web server to a halt. They may not have cracked your site, but they managed to make it unavailable. So you still lose.

I use Incapsula and also Cloudflare. Incapsula is more focused on the security while Cloudflare is more of an all rounder, helping with site performance (speed) and security. Both have free plans you can start with and upgrade as your needs increase.

Action Step – Install:

Be Pro-Active With Your Passwords

As with everything else, use good passwords and change them regularly. Good passwords don’t have to be gibberish and you can use a plugin to force yourself to change your passwords regularly if like me, you’re bad at remember that stuff. Also, to manage everything, use a great password manager. I use LastPass that also works on mobile devices, plus, it lets me securely share passwords with virtual assistants and anyone who need access to my site.

Action Step – Get:

Get A Security Certificate

Security certificates used to cost a bomb. It lets you to enable https on your site. Since WordPress is also capable of working with https, it will pass your information in a secure fashion as you log in. I don’t use this on all sites though. Just higher level ones like flagship sites.

Certificates come in a variety of levels and the price increases accordingly. Higher levels can cost a lot. For straight blogs only, a basic low level one works. They give the same level of encryption, the difference is in the checks and what type of confidence level you want to pass to others. If you are selling stuff like have a shopping cart in WordPress, I’d begin at a mid-level certificate. Even if you don’t store credit card information, chances are, the cart will store customer email addresses, physical addresses and telephone numbers. These days, this type of information is valuable as they can be used for social engineering.

Action Step – Purchase & Install:

Use Dual Authentication

For some sites, in addition to security plugins I also use Duo. Using this, when someone tries to log in as admin, I get either a text message, a phone call or a notification on my phone to verify the login. I also use Google Authenticator but that works a little differently. It asks for a PIN that can only be generated from my phone. I prefer Duo because it actually alerts me.

Action Step – Install:

Keep Your Computer Clean

That is odd. We are talking about WordPress so what’s this about your computer? Because I’ve seen far too often, WordPress websites being compromised from a key logger or other malicious software. Keep your computers updated, don’t install everything you can download, don’t visit questionable websites or click on suspicious emails. Use a Sandbox program to access the Internet.

Action Step – Install:


When uploading – especially outside of WordPress, don’t use regular FTP. These days, most FTP programs support two other methods of connecting to your host. SFTP or FTPS. Select one of those methods instead of FTP because FTP sends your logins in plain text over the Internet.

Action Step:

  • Change your FTP connection method to FTPS or SFTP

Be Careful About Usernames

With WordPress, it’s actually fairly easy to guess half of anyone’s login. That’s because usernames are used in the author’s archive URL and sometimes on the posts itself. Thankfully, there are plugins that help with that. While we are talking about usernames, always, always, always change the admin username from admin to something else. If you use iThemes Security, this is in the settings. Use it to help you change it.

Action Step:

Backup, Backup, Backup and Backup Some More

You can never have enough backups. It is a sad affair when people come to me for help with their websites and they have no backup.

Action Step:

Hide WordPress’s Key Files

There are a few files in WordPress that could be used for a breach. Such as the wp-config.php, xml-rpc.php, wp-login.php, to name a few. These can all be locked down or hidden using iThemes Security. One thing, though, don’t password protect the wp-admin folder. It will cause other issues on your site related to AJAX processing.

Action Step:

Change The wp-content Folder

The wp-content folder holds a lot of stuff. Your themes, plugins, uploads. Because this is the folder WordPress uploads into, a lot of hackings enter and residues can be found in this folder. WordPress allows you to change this folder. If you have an existing site, this could become an issue although I’ve done it before. That’s only because I know how to fix it when the issues arise. Also some poorly written plugins may not work with this method. As a result, this is best done on a new WordPress site. For older sites, you will need to hire help. Unless you’re confident you can do it ;)

Action Step:

Change Your Database Prefix

If you have no clue what this means, don’t worry. iThemes Security can handle that for you. See why I like it so much?

Action Step:

Use Themes & Plugins From Reputable Authors

As a plugin developer, I often see a lot of sloppy code. I sometimes cringe looking at my early work, but thankful I no longer make those mistakes. Sometimes there are even malicious code in them. This happens quite a bit with themes.

Action Step – Get themes and plugins from:

Add Privacy For Your Domains

Domain hijacking is getting more and more popular. Your domain is often also your brand. Don’t let people steal your online brand! One way is to stop broadcasting your personal details via your domain WhoIs information. I switched from GoDaddy because I was paying much more there for it. I now use Hover and Namecheap as my registrar. Private registrations are included with Hover and at Namecheap it is included for the first year, only $1.99 a year after.

Action Step – Use or switch to:

Well, that’s a long list of action steps but all worth doing. These aren’t the only things you should be doing forever. It is, however, a great starting point. With WordPress and security, things change often. So you should always be on the lookout.

Before signing off, a word of caution. Please be careful with some of these. Some of these issues can lock you out, cripple your site or break it completely. I cannot be held responsible or accountable for whatever happens to your site be it a breach or if the site breaks as a result of implementing these steps. I’ve personally done all of these on various sites successfully. That’s because I know what to do and how to fix it. When in doubt always get help.

For professional security setup and for cleaning up a hacked site, I recommend WPSecurityLock and Sucuri.