
WordPress Security Best Practices: Complete Recap

A comprehensive summary of essential WordPress security practices. Use this checklist to ensure your site is properly protected against common threats.

Sarah Chen

WordPress security requires a multi-layered approach. This guide summarizes the essential security practices every WordPress site should implement. Use it as a checklist to audit your current security posture.

Foundation Security

1. Keep Everything Updated

  • WordPress core - Minor (security) releases install automatically by default; apply major releases within 24-48 hours of release, after a check on staging
  • Plugins - Update regularly and remove unused ones: a deactivated plugin's files are still reachable over the web, so its vulnerabilities remain exploitable
  • Themes - Keep the active theme updated and delete inactive ones (keep one default theme as a fallback)
  • PHP version - Run a PHP 8.x branch that still receives security fixes; PHP 8.0 reached end of life in November 2023 and no longer gets them

2. Strong Authentication

// Essential authentication measures
- Enforce strong passwords (12+ characters; check new passwords against breached-password lists where the tooling allows)
- Enable two-factor authentication (at minimum for administrators and editors)
- Limit login attempts (for example, lock out after 5 failures); cover xmlrpc.php and the REST API as well as wp-login.php, since brute force does not only arrive through the login form
- Use a unique admin username (not "admin"); treat this as a minor measure, because usernames can be enumerated through author archives and the REST API
- Implement session timeouts

3. Secure Hosting

  • Reputable hosting provider (with isolation between accounts on shared hosts)
  • SSL/TLS certificate (HTTPS for the whole site, not only the admin area)
  • Regular backups
  • Server-level firewall
  • Control over the PHP version, so you can move off an end-of-life branch

Configuration Hardening

wp-config.php Security

// Essential wp-config.php settings
define('DISALLOW_FILE_EDIT', true);   // removes the plugin/theme code editors from the dashboard
define('WP_AUTO_UPDATE_CORE', true);  // install every core release (minor security releases are automatic by default)
define('FORCE_SSL_ADMIN', true);      // serve wp-login.php and wp-admin over HTTPS only

// Stricter option: also block plugin/theme installs and updates from the dashboard.
// Caveat: DISALLOW_FILE_MODS also disables WordPress's automatic updates, which
// contradicts WP_AUTO_UPDATE_CORE above. Enable it only when updates are deployed
// another way (WP-CLI, version control, CI).
// define('DISALLOW_FILE_MODS', true);

// Unique security keys and salts. There are eight constants in total: the four
// below plus AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT.
// Generate them at https://api.wordpress.org/secret-key/1.1/salt/ and use a
// different random string for each. Changing them invalidates every session.
define('AUTH_KEY',        'unique-random-string-1');
define('SECURE_AUTH_KEY', 'unique-random-string-2');
define('LOGGED_IN_KEY',   'unique-random-string-3');
define('NONCE_KEY',       'unique-random-string-4');

.htaccess Protection

# Protect wp-config.php from being served directly (Apache 2.4 syntax; on
# Apache 2.2 the equivalent is "Order allow,deny" / "Deny from all").
# These directives only apply to Apache; nginx ignores .htaccess.
<Files wp-config.php>
    Require all denied
</Files>

# Disable directory browsing
Options -Indexes

# Block sensitive files. The file pattern is an assumption: the original
# listed only the deny directives, not which files they applied to.
<FilesMatch "^(\.htaccess|\.htpasswd|readme\.html|license\.txt|.*\.(log|sql|bak|old))$">
    Require all denied
</FilesMatch>

Access Control

User Management

  • Principle of least privilege - Only necessary permissions
  • Regular user audits - Remove inactive accounts
  • Role-based access - Use appropriate roles
  • Admin account protection - Limit administrator accounts

File Permissions

// Recommended file permissions (for the usual setup where PHP runs as a user other
// than the file owner and reads files through the "other" bits)
Directories: 755 (drwxr-xr-x)
Files: 644 (-rw-r--r--)
wp-config.php: 400 (-r--------) when PHP runs as the file owner; 440 (-r--r-----) with the web server's group when it runs as a different user
.htaccess: 644 (-rw-r--r--)
// Nothing should be world-writable (no 777). Only wp-content/uploads, and any cache
// directory, needs to be writable by the PHP process.
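The modes above as a script, added here as an example (it is not part of the original article or of WP Folder Shield): it applies the recommended modes to an install and lists anything still writable by "other". It assumes the layout described above; pass the web server's group as the second argument to give it read access to wp-config.php through 440 rather than 400.

```bash
# Added example, not from the original article. Assumption: PHP runs as a user
# other than the file owner (the model behind 755/644); an optional web server
# group can be given so wp-config.php becomes 440 instead of 400.
# Usage: wp_fix_perms /var/www/html [www-data]
wp_fix_perms() {
    root=$1
    webgroup=${2:-}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # Directories 755, regular files 644, everywhere under the web root.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and the security keys:
    # owner-only (400), or owner+group (440) when the web server needs it.
    if [ -f "$root/wp-config.php" ]; then
        if [ -n "$webgroup" ]; then
            chgrp "$webgroup" "$root/wp-config.php"
            chmod 440 "$root/wp-config.php"
        else
            chmod 400 "$root/wp-config.php"
        fi
    fi
    return 0
}

# Print every path writable by "other" (mode ------w-); the list should be empty.
# A 777 directory under the web root is where dropped web shells usually end up.
wp_find_world_writable() {
    find "$1" -perm -002 -print | LC_ALL=C sort
}
```

Run `wp_find_world_writable` first to see what is wrong, then `wp_fix_perms`. If PHP runs as a different user than the owner, wp-content/uploads (and any cache directory) must afterwards be made writable for the PHP user's group (775 on those directories, 664 on their files), or media uploads will fail; do not solve that with 777.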

Attack Prevention

SQL Injection

// Always use prepared statements: %d, %s and %f (and, since WP 6.2, %i for
// identifiers) are bound by $wpdb->prepare(); never interpolate request data into the SQL
$posts = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d AND post_status = %s",
        $author_id,
        'publish'
    )
);

XSS Prevention

// Always escape on output, with the function that matches the context the value lands in
echo esc_html( $text );       // text inside an HTML element
echo esc_attr( $attribute );  // inside a quoted HTML attribute
echo esc_url( $url );         // href/src values; strips unsafe schemes such as javascript:
echo wp_kses_post( $html );   // HTML that must keep its markup, filtered to the tags allowed in post content
// Escape at output time, not on save; sanitize input separately (sanitize_text_field() and friends)

CSRF Protection

// Always use nonces: emit one in the form, then check it (and the user's capability) before acting
wp_nonce_field('action_name', 'nonce_field');
// wp_verify_nonce() returns false for a missing or stale nonce, so its result must be tested; a nonce is not an authorization check
if ( ! isset( $_POST['nonce_field'] ) || ! wp_verify_nonce( wp_unslash( $_POST['nonce_field'] ), 'action_name' ) || ! current_user_can( 'manage_options' ) ) {
    wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
}

Monitoring & Detection

Security Logging

  • Login attempts (successful and failed)
  • File changes
  • User activity
  • Error logs
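Login logging is only useful if something reads it. The function below, added here as an example (not from the original article or from WP Folder Shield), runs over a web server access log and reports source addresses that POST to wp-login.php or xmlrpc.php at least N times within one clock hour, which is the simplest brute-force signal. It assumes the standard Apache/nginx "combined" log format; the sample lines are constructed and use RFC 5737 documentation addresses.

```bash
# Added example, not from the original article. Assumption: lines are in the
# combined log format  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# so $1 is the client IP, $4 the "[day:hour:min:sec" stamp, $6 the method
# (with the opening quote) and $7 the request path.

# Constructed sample log for the demonstration below (not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [17/Jan/2026:10:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2026:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4602 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2026:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4602 "-" "Mozilla/5.0"
198.51.100.2 - - [17/Jan/2026:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2026:10:04:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jan/2026:10:04:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jan/2026:10:04:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.2 - - [17/Jan/2026:10:15:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jan/2026:10:20:31 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 4590 "-" "Mozilla/5.0"
EOF
}

# Print "<ip> <day:hour> <count>" for every source that POSTed to wp-login.php
# or xmlrpc.php at least $1 times (default 5) within one clock hour.
# Usage: wp_login_bursts 5 < /var/log/apache2/access.log
wp_login_bursts() {
    max=${1:-5}
    awk -v max="$max" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            hour = substr($4, 2, 14)      # "[17/Jan/2026:10:01:05" -> "17/Jan/2026:10"
            n[$1 " " hour]++
        }
        END { for (k in n) if (n[k] >= max) printf "%s %d\n", k, n[k] }
    ' | LC_ALL=C sort
}

# Demonstration on the constructed sample: one offender at threshold 5.
sample_log | wp_login_bursts 5
```

A POST to wp-login.php that fails re-renders the form with status 200, while a successful login answers with a 302 redirect; adding `$9 == 200` to the awk condition restricts the count to failed attempts. Feed the function hourly from cron (or from `tail -F`) and block or rate-limit the addresses it reports at the firewall, which is where the "limit login attempts" control above belongs when the attack targets xmlrpc.php rather than the login form.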

File Integrity

  • WordPress core verification against the official checksums (WP-CLI: wp core verify-checksums)
  • Plugin/theme file monitoring
  • Upload directory scanning
  • Baseline hash comparisons
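The last two items in practice, added here as an example (not from the original article or from WP Folder Shield): a SHA-256 baseline of the install taken after a known-good deploy, a check that reports added, missing and modified files, and a scan for PHP under wp-content/uploads. It assumes `sha256sum` (or `shasum -a 256`) is available and excludes the uploads and cache directories from the baseline because their contents change with normal use.

```bash
# Added example, not from the original article. Assumptions: sha256sum or
# shasum is installed; wp-content/uploads and wp-content/cache are excluded
# from the baseline (they change constantly) and are scanned separately.
# Usage:
#   wp_baseline /var/www/html > /root/wp-baseline.sha256   # after a known-good deploy
#   wp_verify   /var/www/html /root/wp-baseline.sha256     # from cron; alert on any output
#   wp_php_in_uploads /var/www/html

_wp_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Emit "hash  ./relative/path" for every regular file, in a stable order.
wp_baseline() {
    ( cd "$1" && find . -type f \
        ! -path './wp-content/uploads/*' ! -path './wp-content/cache/*' \
        | LC_ALL=C sort | while IFS= read -r f; do _wp_sha256 "$f"; done )
}

# Compare the live tree with a stored baseline. Prints ADDED / MISSING / MODIFIED
# lines and nothing when the tree is unchanged. Keep the baseline outside the
# web root, ideally somewhere the web server user cannot write.
wp_verify() {
    base=$2
    cur=$(mktemp)
    wp_baseline "$1" > "$cur"
    awk -v base="$base" '
        { h = substr($0, 1, 64); p = substr($0, 67) }   # 64 hex chars, two spaces, path
        FILENAME == base { old[p] = h; next }
        { new[p] = h }
        END {
            for (p in old) if (!(p in new)) printf "MISSING %s\n", p
            for (p in new) {
                if (!(p in old)) printf "ADDED %s\n", p
                else if (old[p] != new[p]) printf "MODIFIED %s\n", p
            }
        }' "$base" "$cur" | LC_ALL=C sort
    rm -f "$cur"
}

# Executable PHP has no business under wp-content/uploads; list any that is there.
wp_php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) -print | LC_ALL=C sort
}
```

Regenerate the baseline after every legitimate update, otherwise every update looks like a compromise. `wp_verify` tells you that core, plugin or theme files changed; `wp core verify-checksums` and `wp plugin verify-checksums` (WP-CLI) tell you whether the changed file still matches what WordPress.org ships, which separates a tampered file from a legitimate update you forgot to re-baseline.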

Backup Strategy

3-2-1 Rule

  • 3 copies of your data
  • 2 different storage types
  • 1 off-site backup

Backup Contents

  • Database (full export)
  • wp-content folder
  • wp-config.php
  • .htaccess
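The four items above bundled into one timestamped backup with a checksum manifest, plus the restoration check the quarterly tasks below call for, added here as an example (not from the original article or from WP Folder Shield). It assumes `mysqldump` is installed and that database credentials come from an option file (`~/.my.cnf` or `--defaults-extra-file`) so the password never appears on the command line, where `ps` would show it to other users of the host.

```bash
# Added example, not from the original article. Assumptions: mysqldump reads
# its credentials from an option file; the site root contains wp-content,
# wp-config.php and .htaccess. Run under "set -o pipefail" in bash so a failed
# dump cannot leave an empty file that looks like a successful backup.
# Usage: wp_backup /var/www/html wordpress /backups/wp

_wp_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

wp_backup_files() {   # $1 = site root, $2 = output .tar.gz
    ( cd "$1" && tar -czf "$2" wp-content wp-config.php .htaccess )
}

wp_backup_db() {      # $1 = database name, $2 = output .sql.gz
    mysqldump --single-transaction --quick --routines --triggers "$1" | gzip > "$2"
}

# Files + database + a manifest of their SHA-256 sums; prints the manifest path.
# Copy the three files off-site (rsync/object storage) for the "1" in 3-2-1.
wp_backup() {
    root=$1; db=$2; dest=$3
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"
    wp_backup_files "$root" "$dest/files-$stamp.tar.gz"
    wp_backup_db "$db" "$dest/db-$stamp.sql.gz"
    ( cd "$dest" && _wp_sha256 "files-$stamp.tar.gz" "db-$stamp.sql.gz" > "manifest-$stamp.sha256" )
    echo "$dest/manifest-$stamp.sha256"
}

# Restoration check: the copy must still match its manifest and the archive
# must actually contain wp-config.php. Run it against the off-site copy.
wp_backup_verify() {  # $1 = manifest path; returns 1 when the backup is unusable
    dir=$(dirname "$1")
    ( cd "$dir" && _wp_sha256 -c "$(basename "$1")" >/dev/null 2>&1 ) || return 1
    files=$(sed -n 's/^[0-9a-f]\{64\}  \(files-.*\)$/\1/p' "$1")
    tar -tzf "$dir/$files" | grep -q '^wp-config.php$'
}
```

A checksum match proves the copy is intact, not that it restores: at least quarterly, load `db-*.sql.gz` into a scratch database and unpack `files-*.tar.gz` into a staging site, then log in. The archive contains wp-config.php, so the backup location needs the same access controls as the site itself.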

Security Headers

// Essential security headers (set in the web server configuration or via a plugin)
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
X-XSS-Protection: 0
// Notes:
// - X-XSS-Protection is deprecated: modern browsers have removed the filter it
//   controlled, and "1; mode=block" has been used for cross-site leaks. Set it to 0
//   or omit it; Content-Security-Policy is the replacement.
// - default-src 'self' is a starting point, not a drop-in value. wp-admin and most
//   themes rely on inline scripts and styles and on external assets, so roll the
//   policy out as Content-Security-Policy-Report-Only first and extend script-src,
//   style-src, img-src and frame-ancestors from the reports.
// - Send HSTS with includeSubDomains only once every subdomain works over HTTPS.
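A check for the list above, added here as an example (not from the original article or from WP Folder Shield): it reads raw response headers on standard input, reports what is missing, and flags X-XSS-Protection when it is set to anything other than 0. The two sample responses are constructed for the demonstration, not captured from a real site; in use, pipe `curl -sSI https://example.com/` into it.

```bash
# Added example, not from the original article. Reads "Name: value" header
# lines on stdin (the status line has no colon and is skipped) and prints one
# line per problem; prints nothing when every header is in place.
# Usage: curl -sSI https://example.com/ | wp_check_headers
wp_check_headers() {
    tr -d '\r' | awk '
        index($0, ":") > 0 {
            i = index($0, ":")
            name = tolower(substr($0, 1, i - 1))
            val  = tolower(substr($0, i + 1))
            sub(/^ +/, "", val)
            h[name] = val
        }
        END {
            if (!("strict-transport-security" in h))
                print "MISSING strict-transport-security"
            if (!("x-content-type-options" in h) || h["x-content-type-options"] != "nosniff")
                print "MISSING x-content-type-options: nosniff"
            if (!("content-security-policy" in h))
                print "MISSING content-security-policy"
            # Either header stops framing; CSP frame-ancestors is the modern one.
            if (!("x-frame-options" in h) && h["content-security-policy"] !~ /frame-ancestors/)
                print "MISSING x-frame-options (or a CSP frame-ancestors directive)"
            if (!("referrer-policy" in h))
                print "MISSING referrer-policy"
            if (("x-xss-protection" in h) && h["x-xss-protection"] != "0")
                print "DEPRECATED x-xss-protection: set it to 0 or remove it"
        }'
}

# Constructed responses for a self-check (not captured from a real site).
sample_headers_good() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
EOF
}

sample_headers_bad() {
    cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'; frame-ancestors 'self'
EOF
}

# Demonstration: the weak response yields four findings, the good one none.
sample_headers_bad | wp_check_headers
```

Check the login page and a REST endpoint as well as the home page: caching layers and plugins sometimes add headers to one response and not another, and a header that is present only on cached HTML gives little protection.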

Regular Maintenance

Weekly Tasks

  • Check for updates
  • Review security logs
  • Verify backups working

Monthly Tasks

  • User account audit
  • Plugin/theme review
  • Security scan
  • Password rotation for critical accounts

Quarterly Tasks

  • Full security audit
  • Backup restoration test
  • Permission review
  • Security key rotation (regenerating the keys and salts signs out every user, so schedule it)

Quick Security Checklist

  • [ ] WordPress, plugins, themes updated
  • [ ] PHP on a branch that still receives security fixes
  • [ ] Strong passwords enforced
  • [ ] 2FA enabled for admins
  • [ ] Login attempts limited
  • [ ] File editing disabled
  • [ ] SSL certificate active
  • [ ] Security headers set (HSTS, nosniff, frame-ancestors or X-Frame-Options, CSP)
  • [ ] Backups configured and tested
  • [ ] Security plugin installed
  • [ ] File permissions correct
  • [ ] Unused plugins/themes removed

Conclusion

WordPress security is an ongoing process, not a one-time setup. Implement these best practices, maintain regular security routines, and stay informed about new threats to keep your site protected.

Written by Sarah Chen, WP Folder Shield Team