WordPress Security 101 : The Ultimate WordPress Security Guide

Why is WordPress Security important? A website is the first point of contact for potential customers to know you and trust in your brand and business, hence it is important to always keep your website’s health in terms of its security. As WordPress gained popularity in the last few years, it has become a point of fascination by hackers to break into it, and damage your files and eventually your business. Besides hacking, there are other threats as well, like ransomware.

In this article, we will cover the following topics –

All about WordPress Security

Ransomware is a software that gets into your system and blocks its access for website visitors. The owner of ransomware then demands a certain amount of money/ransom to free your website.

It doesn’t end with just that, If Google finds that your website is affected by a virus or hacking attack it can blacklist and un-index your website, and whenever a visitor wants to visit your website he will be notified by the browser about the security issue on your website.

All this makes it really important for you to secure your website by following wordpress security best practices and adopting best industry tools. Besides the right tools and practices, it is very important to understand the role of your hosting provider. It is important to host your website with a trusted and reliable web hosting provider.  In this article, we will guide you to optimise your WordPress Security !!

How Secure is WordPress?

By WordPress, we are referring to the core WordPress Files. WordPress is very secure provided users keep in check all the other security parameters and follow all the security procedures. It is important for WordPress Admin to keep all the core files to the latest version, and keep all the themes and plugins updated.

WordPress security plugins

It is advisable to use trusted WP security plugins, like Wordfence, Sucuri, or All in One WordPress Security and Firewall. There are free as well as paid versions of these plugins. These security plugins keep a vigilant eye on all suspicious activity and block the attacks. You can easily configure these plugins using their respective dashboards.

WPOven servers already come equipped with all these features of these security plugins, and you can configure and monitor from the WPOven dashboard.

Top Security plugins for 2021


These plugins are cheap. But can be availed for even cheaper pricing during Black Friday.



We recommend Malcare as it comes with instant malware scanning & cleanups. You can auto clear your website in the simplest steps using this plugin. It also offers inbuilt staging and very good support. Pricing starts with just $99 per year.

No. of Installations: 240,000+                                                                                                        Rating: 4.5                                                                                                                                         Price:  Starting From 99$/Year

Sucuri Security


Sucuri Security is a very effective WP Security plugin with features that include Security Activity Auditing, File Integrity Monitoring, Remote Malware Scanning and Blacklist Monitoring, with email notifications. It has a free as well as a paid option with a monthly subscription starting from $16/month.

No. of Installations: 600,000+
Rating: 4.4
Price: From Only $16.66/month

iThemes Security


Itheme Security is a very versatile security plugin with options like Malware Scan, User Action Logging and Online File Comparison among others. Also there are lots of other options inbuilt in this plugin like changing URLs for WordPress dashboard, removing RSD header information, changing wp-content path etc. You can also set two factor authentication and password expiration with this plugin.

No. of Installations: 900,000+
Rating: 4.7
Price: From only $48 per year.

WordFence Security

wordfence security
wordfence security

Wordfence have up to date malware firewall rules and list of malicious IP addresses, with features like Country Blocking and disable or add 2FA to XML-RPC. It has a special version for multisite known as Wordfence Central as a proven method to secure multiple sites within your multisite environment.

No. of Installations: 3+ million
Rating: 4.8
Price: From $74 per year



SecuPress is a simple WordPress security plugin with malware scans; block bots & suspicious IPs. It is a simple but effective WordPress installation and will provide PDF security reports. It also takes care of using secured usernames and passwords with its features like setting password lifetime and forbid the use of usernames that can be easily guessed.

No. of Installations: 20,000+
Rating: 4.2
Price: €60 per year

Types of WordPress Vulnerabilities

To understand how to secure your website it is important to understand what kind of factors threaten your WordPress security, here is a list of threats:


These are the unconventional vulnerable points that hackers always look for, it can be through one of the vulnerable files within your WordPress core package, theme or plugin files, FTP access from an unsecured computer you made in the past, etc. It is one of the primary sources of hacking attacks. The malicious files resemble one of the legitimate WordPress files.

One can use Backdoors files to exploit in multiple ways, including the creation of Wp Users, use the WP illegitimately to steal user data.

One of the ways to avoid these attacks is to keep your files updated and scan them regularly using plugins like WordFence, SiteCheck or Sucuri. It is very important for your WordPress security.

Denial of Service:

It is important to use Themes and Plugins from trusted developers so that their code doesn’t have vulnerable bugs. In this type of attack, hackers use these weak points in the code to increase the RAM usage of the server by making recurring requests, which makes the website to stop responding to other website visitors. We use multiple systems to occupy a single resource which causes the website to stop responding.

This can lead to huge business loss, as the website may not be available for access to actually intended visitors and potential clients. WordPress vulnerability is can easily be reduced if you follow the tips.

Cross-site Scripting (XSS):

Using these technique hackers get into the browsers of website visitors and steal their data, which can include important passwords. This is done through injecting vulnerable files in your WordPress installation. It is predominantly found in plugins developed by new or non-trusted developers.

XSS attacks are commonly executed through JavaScript and CSS. Using XSS attacks hackers can harm website visitors that includes cookie theft, planting trojans, keylogging, phishing, and identity theft, without them even realizing the loss. Don’t worry we got you covered !! Read everything about WordPress errors to solve them in a jiffy.

Malicious Redirects:

Hackers can redirect your website visitors to other websites, by injecting a redirection code in one of your files, most commonly .htaccess file.

When visitors try to access your website or any particular page on your website they will be redirected to a malicious website. This will lead to losing trust in your business.

WordPress security

Brute-force Login Attempts:

Hackers use automated scripts to identify weak passwords and log in to your WordPress dashboard.

Hackers can utilize brute force attack to acquire access to a website backend, and steal vital personal and business data, can delete the website files and put it down. Brute force is a time-consuming approach for hackers. It can be easily avoided through hardening the WordPress login using methods like Limit Login Attempts, using Captcha on Login Screens and two-factor authentication logins.  This is important for the WordPress security of your website.

Pharma Hacks:

It is important to keep your WordPress core files, theme files and plugin files updated to the latest available versions. Hackers can identify the outdated files and inject codes to display pharma ads to your visitors, more predominantly about Viagra and other illegitimate drugs.

When visitors visit your website or any particular page on your website they will be shown pharma advertisements within the page or as a pop-up. This will lead your website and business to lose trust among visitors.


It is one of the most common methods adopted by hackers to steal your visitor’s passwords. This is usually done through an email, which looks like from a trusted source, but of course, it is not. It includes a link, clicking it will expose the users to hackers.

Hackers can use your server and WP Installation to send out malicious emails to their victim’s email list. It is difficult to identify if your website is infected by phishing scripts. Though it can be avoided with regular scans.

WordPress Security Best Practices to keep your WordPress site secure

Find a Secure, Reliable and Trusted WordPress Hosting

As discussed earlier, it is important to choose a hosting provider who is very particular about security, and follows a high standard of security measures and have a good support system.

A good hosting provider will always:

  • Keep a vigilant eye on suspicious activity by hackers, and have checkpoints in place to protect against any type of attack.
  • Uses state of the art tools to identify the small as well as large attacks, by continuous monitoring of server. You can also check the website monitoring here for free.
  • Have all the scripts (including latest PHP versions), software and hardware used based on the latest technology and are frequently updated.
  • User firewalls and intrusion detection systems.
  • Keep regular backups, and provide easy and automatic backup and restore options.
  • Scan all the files and against malware, ransomware and other viruses.
  • Provides HTTPS support.
  • Have excellent support staff to take action in case of any incidents.
  • Offer Managed WordPress Hosting plans, specially crafted for WordPress needs.

WPOven The All-Inclusive Managed WordPress Hosting offers all of the above to help you run your WordPress website without worrying about the security. WPOven under their Managed WordPress Hosting plan also offers:

  1. Daily Malware Scans
  2. Free Malware cleanup
  3. Hardened Server setup with custom firewall
  4. DDOS Protection
  5. Daily offsite backups and one-click restore
  6. Optimized server security and performance for WordPress and WooCommerce
  7. One-Click File Permission settings.
  8. Free HTTPS/SSL for every website
  9. Update Themes and Files right from the WPOven dashboard
  10. Backup available up to 14 days.

Copy of Wordpress security WordPress Security 101 : The Ultimate WordPress Security Guide

Keep the latest version of PHP on the server

All your WordPress files are developed using PHP codes, and it is the foundation of your WordPress website, hence it is obvious to keep your foundation strong. Hence it is important to only use the latest version of PHP.

PHP versions are supported up to 2 years against the security issues. During this time period, all the necessary security patches are provided by developers. After that it becomes obsolete. The most current version of PHP is 7.3 which is optimized for better speed as well as much more secure than its previous versions. The versions below PHP 7.0 are unsecured. So, the versions that you can use are 7.0, 7.1, 7.2 or 7.3.

WPOven has scrapped the older versions of PHP, and only uses PHP version 7.0 and above. You can easily choose the PHP version you would like to use hence decreasing the WordPress vulnerability.

Take Frequent Backups

It is always advisable to take frequent backups of your WordPress website files as well as the database.

You can take backups manually as well as using some WordPress plugins like UpdraftPlus, VaultPress, BackupBuddy or any other backup plugins. You can use these plugins to schedule automatic backups. While choosing a plugin make sure there is an easy restore option too.

Keeping the backups off-server is a better approach as files are safe in case of any untoward incident on the server.

WordPress Backup Services:

There are some offsite WordPress Backup Services available to use that store the backups in the cloud. Some of the paid services are like:

  • VaultPress: It is a subscription-based backup service, and overall security solution including regular scans, spam defence system, uptime monitoring and other security features.
  • WPOven: Within their service they backup core files and databases to Amazon S3 and have 1-click restore capability. Based on the chosen package you can choose the backup frequency (even 2 times per day), and choose between US or EU server.
  • BlogVault: It is a WordPress backup, migration, staging, restore & management solution provider with a 100% restore rate.

WordPress Backup Plugins:

You can use some free and very trusted plugins as well. Some plugins provide on server backups, while some provide off-server backups that store backup files on off-server locations like AmazonS3, Google Cloud, Dropbox, MS Azure, Rackspace, etc.

UpdraftPlus: This is the most popular backup and restores plugin, used by a million WordPress sites. There are free as well as a premium version of this plugin. It is also compatible with a Multi-Site environment, and can store back up of up to 100 GB and can even schedule hourly backups.

BackupBuddy: It is one of the oldest WordPress backup plugins. It provides instant Email Notifications and Customizable Backup Contents.

WP Time Capsule: This is a smart backup plugin, that backups only when there are any changes in the file or database. This saves time, space and resources. It has various plans to fulfil the needs of users ranging from single website owners as well as agencies managing multiple WordPress websites.

BackWPup: This is a versatile backup plugin that Encrypts the backups.

WPOven has the feature of backup and restores inbuilt in its dashboard. There are two types of backup WPOven dashboard provides, Incremental and Full.  WPOven provides free backups for up to 14 days and saves backups off-server.


Also, you can download the Full Backup, as well as Files or Database backups separately as shown:

BackWPup by WPOven

Strong usernames and passwords

Of course, you must have heard this recommendation since you started using computers in your childhood to use strong usernames and passwords that are hard to guess and remember. This has been and will always be the wordpress security best practices to keep your WordPress website secured. It is also recommended to change your password every few months or weeks.

Most of the hosting providers provide a one-click installation of WordPress, where a password is generated automatically. The one-click installation at WPOven generates extremely secured login details for WordPress Admin Dashboard.

Also, the default and most popular username created for WordPress is ‘admin’. We recommend you not to use this as a username, rather use something which is not easy to guess.

Besides WordPress user logins it is also recommended to keep your other passwords secure that includes FTP, CPanel, Emails (associated with WordPress USer accounts), Database Password, etc.

DDOS Protection

The harsh reality about DDOS attacks is that even the most updated versions of WordPress cannot prevent such attacks. It can only be prevented by securing hosting servers. There are some third-party tools that you can install on your WordPress websites to prevent it.

If you use reliable and trusted partners like WPOver, you can use their tools to monitor website analytics, server performance, and resource usage data. It is important to identify the abnormal surge in the usage of resources and notify your service provider. Your provider can check all the necessary logs and take the necessary measures to stop the Denial of Service Attack.

HTTPS SSL certificate

Website owners overlook the importance of SSL, most of them think that it’s just a sign which is necessary only if your website involves financial transactions. An SSL certificate on a website is instrumental in making a secure connection between your website and the user’s browser.

Another added benefit of using HTTPS is gaining better search engine rankings.

WPOven provides a Free HTTPS certificate through One-click LetsEncrypt, install with auto-renew for all the sites.

Disable XML-RPC

XML-RPC is basically incorporated in order to execute multiple processes using a single command. But this is maliciously used by hackers to hack into a website. The most effective solution is to completely disable it for your WordPress website.

You can use it using some of the available plugins. You can use free plugin Disable XML-RPC plugin or a paid plugin like the one from Perfmait.

But if you are using WPOven, you don’t need to worry about it, as it is already disabled by default on its server for all of its hosted websites.

Disable PHP File Execution:

There are certain directories in the WordPress installation environment where there is no need for any type of PHP executions. One example of such a directory is the uploads sub-directory under wp-content.

To disable the directory create  new .htaccess file under that specific directory and paste following code in it:

Inactive Users Log Out:

Sometimes users can close their browser without properly logging out. Hackers can exploit this opportunity to break into the WordPress dashboard and overtake user credentials. You can use plugin to Automatically Log Out the inactive users after a set duration. This is very important for your wp security.

Delete Unused Theme and Plugin Files:

There are times when we install a theme or plugin, and never use them. It is advisable to identify the unnecessary plugins and delete them from the system.

WordPress comes with some default themes like Twenty Seventeen, Twenty Nineteen, etc. We recommend deleting this and other unused themes from the system. One thing to note here, is delete all the themes except one of the default themes, so that in case if your main theme fails at some point of time there is another theme to fall back on. But always remember to keep this theme updated even if it is not in use.

Use as Less Possible Plugins as Possible:

Let’s explain this with an example. Many modern themes and page builders (Avia, Thrive, Elementor, etc.). If your theme or the page builder you are using already have a contact form element, you don’t need a separate contact form plugin for simple forms. It is advisable to avoid using extra plugins unless there is some special need. One should give WP security due importance.

Add Captcha or Security Question to Login Screen:

Another popular method of improving the WordPress security is a simple method of adding captcha or a security question on Login Screen. You can use plugins available to do this.

Robust files and folders permissions

It is a very important step to take to prevent your website from attacks. There are basically three types of file permissions (Read, Write, Execute). For optimum and effective website performance it is important to understand which files need what level of permission. You can set these file and folder permissions either through File Manager or using FTP software.

But WPOven the all in one wp security offers a Single Click File Permissions through its dashboard.

WordPress Security

Limit login attempts

Hackers make continuous attempts to log in to your WordPress using password guesses. You can control by using plugins to Limit Login Attempts.

WPOven’s Managed WordPress Hosting already covers this on all of it’s plans.

Two Factor Authentication:

For additional login security, you can enable two-factor authenticity, where it needs an additional OTP code to enter before you log in, which you will receive on your phone through SMS or Phone Call. You can use one of the Two-factor authentication plugins, like Google Authenticator or Duo Two-Factor Authentication. Both these plugins also come with their respective Android and iPhone Apps.

Once you add two-factor authentication, your login screen will appear with additional options to send authentication code. Once you enter the generated code received on your phone correctly, you will be able to log in as usual. This is a great method to prevent brute force attacks.

Change Default Login URL:

Hackers look for the default login URL for WordPress dashboard which is websitename.com/wp-login.php or websitename.com/wp-admin/. One of the obvious solutions is to change the login URL to something else. You can do this by using one of the plugins like WPS Hide login plugin or the premium Perfmatters plugin.

Secure the Login URL:

You can secure your WordPress admin login URL using HTTP authentication. Whenever someone tries to access the admin URL he/she will have to use additional username and passwords to access this link. You can read more about Anchor Links Here

Note: Do not use this on eCommerce or any site that have members who will need to log in.

Update Database prefix:

By default WordPress installations used table prefixes like wp_, which makes it easier for hackers to guess. The obvious method to avoid this is to change the table prefix to something else, which is not easy to guess by hackers.

You can do this at the time of installation:

WPOven’s WordPress installation generates a random table prefix for each of their websites. This will reduce your WordPress Security issues.

Disable file editing

All the admin users of a WordPress website can access theme files through the editor under the dashboard. Which makes the theme files vulnerable to unintentional changes, as well as intentional attacks. You can prevent by disabling the file editing. You can do this by defining it in a wp-config.php file using the following line of code: define(‘DISALLOW_FILE_EDIT’, true);

WPOven users can use the site lock feature to do this with one click.

Secure wp-config file:

The wp-config.php file under your WordPress installation contains database login details and other authentication keys, as well as other details about your database (like table prefix, DB Host URL).

There are various ways to secure it as described follows:

  1. Change Location of the wp-config.php file
  2. Change default WP Security Keys in the wp-config file
  3. Denying access to wp-config.php by appropriate FIle Permissions

Change wp-config location: By default wp-config file is located in the root directory of your WordPress Installation. You just have to create another wp-config file which is not on an easily accessible location and use it as a reference in the original wp-config file.

Change default WP Security Keys: There are 4 types of randomly generated alphanumeric keys in every wp-config: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY. You can generate a new random key using this WP Security Key tool.

Change FIle Permissions: It is advisable to change file permissions to set to 400 so that it is not readable by external sources. Alternately, you can set it to 440 if 400 creates some sort of issue for the WP Installation to work properly.

Hide WP Version

If an attacker knows which version of WordPress you are using he can exploit the vulnerabilities specific to that version. Hence it is advisable to completely hide it. You can do this by adding a small code in your functions.php file. This decreases your WordPress vulnerability

Besides appearing in the header you can also identify WordPress version through the readme text file. You can delete this file (readme.html) from your installation.

Regular Scanning:

You can run scans at regular intervals using security plugins and observe if there are any changes to the original files. There are online tools as well using them you can find the suspicious files. For example using this free tool known as WPSec you can find out online security scan results.

Keep Themes and Plugins updated

WordPress, Theme Developers and Plugin Developers launch new versions frequently. We will recommend to keep everything updated to its latest version on your WordPress Installation. The newer versions always come updated with security patches to protect against new viruses and malware. Also the outdated versions are vulnerable to attacks, and out of development support.

WPOven all in one wp security Dashboard provides an interface to view the installed plugins and themes, and they can be updated directly from the dashboard:

Update Plugins

Use Trusted Themes and Plugins:

Before installing any new theme and plugin make sure it has got good and sufficient ratings and reviews. Also look at its ‘Number of Installations’. Checks its Changelogs to see how frequently they update the versions.

Before installing a plugin check if the plugin is compatible with your version of WordPress. You can check the developer’s history and other plugins or themes he developed to be sure that he has experience and has created secured products. You get free premium WordPress themes and plugins with WPOven signup.

Protect WordPress Media Files


Protect WordPress media files against Google indexing and direct file URL access with a few simple clicks using Prevent Direct Access (PDA) Gold. In fact, the plugin offers bulk protection of any file uploads to WordPress Media library including but not limited to PDF, DOCX, PPTX, PNG, JPG, MP4, and MP3.


pda protect wordpress media files WordPress Security 101 : The Ultimate WordPress Security Guide


PDA Gold enables you to restrict direct file access to authorized users only. That means the file access permission can be set to either admins, logged-in users or even specific users and custom memberships.


Besides, you can create unlimited expiring download links and then share them with a group of users and subscribers. These download links will auto-expire after a period of time or clicks.


Last but not least, PDA Gold provides an intuitive User Interface to secure your WordPress site right away:


  • Hide WordPress version

  • Prevent image hotlinking

  • Protect WordPress uploads folder

  • Block direct access to WordPress sensitive files, e.g. readme.html and license.txt

  • Protect any files under uploads and/or root directory with folder protection feature


There are other resources where you can find details about the recent security issues. Here they are:

  1. WPScan Vulnerability Database:This is a catalog of all the identified vulnerabilities in WordPress, Themes, Plugins and APIs. Users can submit their own incidents to this to make other users aware of the issues.
  2. ThreatPress: It is another database of vulnerabilities which is updated daily by their R&D team.


The above article must have given you a good insight into making your WordPress security, but it is important to understand and realize that a good hosting provider is your partner in making your website secure. Your website is synonym to your business, and a secured website embeds trust in your potential customers, which is essential for the business growth.

You have taken a right decision if you have chosen WPOven as your hosting partner, if not yet, take first step to host your website with WPOven and fortify your website with state of the art technology, which at the same is very convenient to use.

8 Replies to “WordPress Security 101 : The Ultimate WordPress Security Guide”

  1. This guide is extremely helpful. I feel that this could really help a lot of people or new users by raising awareness on online security matters. Keep up the good work!

  2. Asking questions are actually nice thing if you are not understanding anything fully, but this article offers nice understanding even.

  3. Excellent post on WordPress security and you’ve included the most popular security plugins which is great. Wordfence arguably has the best offer in terms of price vs features so it’s not surprising to see how many more downloads they have compared to the others.

  4. Hello Vikrant,

    How do hackers redirect visitors from a website? For some days, my website is losing organic traffic.

Leave a Reply

Your email address will not be published.