Securing WordPress
Practical WordPress security: login hardening, malware scanning, and more. No plugins-only advice.
WordPress runs 40%+ of all websites, which makes it the most targeted CMS on the internet. GoZen WordPress hosting includes cPGuard and DDoS protection, but application-level security is up to you. Most attacks are automated: bots scanning for default usernames, known plugin vulnerabilities, and weak passwords. Here’s how to shut them down.

The Basics (Do These First)
1. Keep Everything Updated
Outdated plugins and themes are the #1 attack vector.
- Core: enable auto-updates for minor releases (they’re enabled by default since WP 5.6)
- Plugins: enable auto-updates for all plugins: Plugins → check the plugin → Enable auto-updates
- Themes: delete any themes you’re not using. Keep only your active theme + one default (like Twenty Twenty-Four)
2. Use Strong Credentials
| Don’t | Do |
|---|---|
| Username: admin | A unique username (your first name, a nickname) |
| Password: password123 | 16+ character password from a password manager |
| Same password everywhere | Unique password per site |
If you’re still using admin as your username, create a new admin user with a different name, log in as the new user, and delete admin.
3. Enable Two-Factor Authentication
Install Two-Factor (free, lightweight) or Wordfence (includes 2FA plus more).
See Enabling Two-Factor Authentication for details.
File-Level Hardening
Protect wp-config.php
Move it one level up (WordPress looks there automatically):
```sh
mv /home/username/public_html/wp-config.php /home/username/wp-config.php
```
Or block access via .htaccess (the `Order`/`Deny` pair in this and the following snippets is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use `Require all denied` in its place):
```apache
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
```
Disable File Editing
WordPress has a built-in file editor that lets anyone with admin access edit theme and plugin files. Disable it:
```php
// Add to wp-config.php, above the "That's all, stop editing!" line
define('DISALLOW_FILE_EDIT', true);
```
Prevent PHP Execution in Uploads
Attackers often upload malicious PHP files disguised as images. Block PHP execution in the uploads folder:
Create /wp-content/uploads/.htaccess:
```apache
<Files "*.php">
Order deny,allow
Deny from all
</Files>
```
Login Hardening
Limit Login Attempts
Install Limit Login Attempts Reloaded (free) or use Wordfence. This blocks IPs after repeated failed logins, exactly like Fail2Ban for SSH.
Change the Login URL
The default /wp-admin and /wp-login.php URLs are targeted by every bot. Change them with WPS Hide Login:
- Install and activate WPS Hide Login
- Go to Settings → WPS Hide Login
- Set a custom URL (e.g., /my-login)
Write down your custom login URL. If you forget it, you’ll need to disable the plugin via FTP or File Manager to get back in.
Disable XML-RPC
XML-RPC is an older API that most sites don’t need. It’s frequently exploited for brute-force attacks. Disable it:
```apache
# Add to .htaccess
<Files xmlrpc.php>
Order deny,allow
Deny from all
</Files>
```
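To verify that the file-level hardening above and the XML-RPC block actually landed on an install, here is an added audit script (not GoZen's or WordPress's own tooling) that greps a docroot for each rule. The docroot layout, the `make_site` fixtures and the PASS/FAIL labels are assumptions of this example; it runs against two constructed throwaway sites, one untouched and one hardened as described.

```shell
#!/bin/sh
# Added example (not GoZen's or WordPress's own tooling): static audit of a WordPress
# docroot for the file-level and XML-RPC hardening steps described above. Each check
# prints PASS/FAIL; audit_wp leaves the number of failed checks in WP_AUDIT_FAILS.
# The greps are heuristics: they confirm the rules are present, not that Apache enforces them.

check() {  # check <label> <predicate> [args...]: run the predicate, report, count failures
  label=$1; shift
  if "$@" 2>/dev/null; then echo "PASS  $label"
  else echo "FAIL  $label"; WP_AUDIT_FAILS=$((WP_AUDIT_FAILS + 1)); fi
}

htaccess_denies() {  # $1 = directory, $2 = regex for the <Files ...> target (2.2 or 2.4 syntax)
  grep -Eiq "<Files(Match)?[[:space:]]+\"?$2" "$1/.htaccess" &&
    grep -Eiq '(deny from all|require all denied)' "$1/.htaccess"
}

cfg_protected() {  # wp-config.php moved above the docroot, or denied by a <Files> block
  if [ -f "$1/wp-config.php" ]; then htaccess_denies "$1" 'wp-config\.php'; else return 0; fi
}

file_edit_disabled() {  # an active (not commented-out) define('DISALLOW_FILE_EDIT', true)
  cfg="$1/wp-config.php"; [ -f "$cfg" ] || cfg="$1/../wp-config.php"   # WordPress looks one level up
  grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"
}

audit_wp() {  # audit_wp <docroot>
  WP_AUDIT_FAILS=0
  check "wp-config.php moved up or denied in .htaccess" cfg_protected "$1"
  check "DISALLOW_FILE_EDIT set in wp-config.php"       file_edit_disabled "$1"
  check "PHP execution denied in wp-content/uploads"    htaccess_denies "$1/wp-content/uploads" '[^>]*php'
  check "xmlrpc.php denied in docroot .htaccess"        htaccess_denies "$1" 'xmlrpc\.php'
  echo "$WP_AUDIT_FAILS check(s) failed"
}

make_site() {  # make_site weak|hardened: build a constructed throwaway docroot, print its path
  root=$(mktemp -d); d="$root/public_html"; mkdir -p "$d/wp-content/uploads"
  echo "<?php define('DB_NAME', 'wp');" > "$d/wp-config.php"
  if [ "$1" = hardened ]; then   # apply the steps from this page
    mv "$d/wp-config.php" "$root/wp-config.php"
    echo "define('DISALLOW_FILE_EDIT', true);" >> "$root/wp-config.php"
    printf '<Files xmlrpc.php>\nRequire all denied\n</Files>\n' > "$d/.htaccess"
    printf '<Files "*.php">\nOrder deny,allow\nDeny from all\n</Files>\n' > "$d/wp-content/uploads/.htaccess"
  fi
  echo "$d"
}

for kind in weak hardened; do   # demo on both constructed docroots
  site=$(make_site "$kind"); echo "== $kind site ($site)"; audit_wp "$site"
done
```

Point `audit_wp` at your real docroot (for example /home/username/public_html) to see which of the four rules are still missing.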
Security Plugins
Pick one. Don’t stack security plugins. They conflict.
| Plugin | Best For | Free Tier |
|---|---|---|
| Wordfence | All-in-one (firewall + scanner + 2FA) | Yes (strong) |
| Solid Security | Hardening checklists | Yes |
| Sucuri Security | Malware scanning and cleanup | Yes (scanner only) |
Security Checklist
After setting up your WordPress site, run through this:
- WordPress, plugins, and themes all updated
- auto-updates enabled for plugins
- admin username changed
- Strong password (16+ characters)
- Two-factor authentication enabled
- wp-config.php protected
- File editing disabled (DISALLOW_FILE_EDIT)
- PHP execution blocked in /uploads/
- Login attempts limited
- XML-RPC disabled
- Unused plugins and themes deleted
- SSL active (HTTPS)
- A security plugin installed and configured
What to Do Next
- GoZen Security Scanner - run an external security audit on your WordPress site
- Using cPGuard: server-level protection included with your GoZen plan
- Backups and Restores: make sure you have a recovery plan
- Server Hardening Basics: if you’re on a VPS, secure the server too
Last updated 05 Apr 2026, 00:00 +0200.