6 Simple Steps for Hardening your WordPress Security

A Review of Basic WordPress Hardening

Having a secure WordPress site does not need to be a challenge. Hardening a website means adding security layers to reduce the risks of attacks and hacks.

6 Ways to Harden WordPress Security

You can harden your WordPress site by following these six simple steps:

1. Keep WordPress updated

It is important to keep up with the latest WordPress updates. Whether it is a security or a maintenance release, make sure your WordPress site is running on the latest version. You can check out releases on the official WordPress site.

2. Clean up your WordPress plugins

Step one – Less is more. Take a look at your WordPress plugin inventory and make sure you only keep what you actually use on your website. Remember that plugin you installed a while ago and never really used? Get rid of it! This means fully deleting the plugin from the WordPress installation and not simply deactivating it through the wp-admin interface.

Step two – Now that you have only what you need, make sure all of your plugins are updated. If a WordPress plugin has not received any update from its developer for more than six months, think about deleting it and looking for another plugin. Some developers stop paying attention to their plugins, and once attackers find a flaw in an abandoned plugin, they will use it to hack every website still running it.

Step three – Make sure all the plugins you have installed on your WordPress website are on the WordPress official plugin repository. Some plugins get kicked out of the official repository for having security issues.

Once you have only updated and useful plugins on your website, it is going to be harder for malicious users to use a vulnerable plugin as the door into your WordPress installation.
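The checks in steps two and three (is the plugin still maintained, is it still in the official repository, is it even active) can be scripted against the WordPress.org plugin API. The following is an added example, not code from the original post or from Sucuri; the function name is ours, the six-month threshold comes from the text, and it must run inside WordPress (for example as a must-use plugin or via `wp eval-file`):

```php
<?php
/**
 * Audit installed plugins against the WordPress.org repository.
 * Hypothetical helper (not WordPress core, not a Sucuri product).
 */
require_once ABSPATH . 'wp-admin/includes/plugin.php';          // get_plugins()
require_once ABSPATH . 'wp-admin/includes/plugin-install.php';  // plugins_api()

function audit_plugins_against_repo( int $stale_days = 180 ): array {
    $report = array();
    $active = (array) get_option( 'active_plugins', array() );

    foreach ( get_plugins() as $file => $data ) {
        // The repository slug is the plugin directory (or the file name for single-file plugins).
        $slug = ( '.' === dirname( $file ) ) ? basename( $file, '.php' ) : dirname( $file );

        $info = plugins_api( 'plugin_information', array(
            'slug'   => $slug,
            'fields' => array( 'last_updated' => true, 'sections' => false ),
        ) );

        $entry = array(
            'name'    => $data['Name'],
            'version' => $data['Version'],
            'active'  => in_array( $file, $active, true ),
            'flags'   => array(),
        );

        if ( is_wp_error( $info ) ) {
            // Not in the official repository, removed from it, or the API was unreachable.
            // Legitimate premium plugins also land here, so review rather than delete blindly.
            $entry['flags'][] = 'not-in-wordpress.org-repo';
        } else {
            $updated = strtotime( $info->last_updated );
            if ( $updated && ( time() - $updated ) > $stale_days * DAY_IN_SECONDS ) {
                $entry['flags'][] = 'no-update-in-' . $stale_days . '-days';
            }
            if ( version_compare( $data['Version'], $info->version, '<' ) ) {
                $entry['flags'][] = 'outdated-local-version';
            }
        }
        if ( ! $entry['active'] ) {
            $entry['flags'][] = 'inactive-delete-if-unused';  // step one: deactivated is not deleted
        }
        $report[ $file ] = $entry;
    }
    return $report;
}

foreach ( audit_plugins_against_repo() as $file => $entry ) {
    if ( $entry['flags'] ) {
        printf( "%s (%s): %s\n", $entry['name'], $file, implode( ', ', $entry['flags'] ) );
    }
}
```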

3. Not everybody needs to be a WordPress admin

If more than one person works on your website, you need to ensure that everybody has a user role that makes sense according to the tasks that they perform. This is a form of access control and is paramount to securing an asset.

Within WordPress itself, we can use the existing role-based access control system by assigning specific roles to our registered users. There are six user roles in WordPress, and each role has its own set of capabilities:

A. Super Admin: someone who has access to the network admin features of a multisite installation

B. Administrator: someone who has access to the site admin features

C. Editor: someone who can publish and make changes to all posts

D. Author: someone who can publish and make changes to their own posts

E. Contributor: someone who can write and make changes to their own posts without being able to publish them

F. Subscriber: someone who only has access to their profile

When you create a new user in WordPress, think about the tasks this user is going to perform and which role will better fit them. For example, if you have a new writer joining your business, they might need an author or editor role.

If you already have several users in your WordPress installation, it is highly advisable to audit their existing roles and make sure each one only has access to what is necessary for their specific tasks.
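The role audit suggested above can be done with the WordPress user API. This is an added example, not code from the original post or from Sucuri; the function name is ours and it runs inside WordPress (must-use plugin or `wp eval-file`). It lists every administrator and super admin, users left with no role at all (which happens when a plugin that defined a custom role is deleted, as in step 2), users holding more than one role, and a head count per role:

```php
<?php
/**
 * Report which users hold which roles and flag the accounts worth a second look.
 * Hypothetical helper (not WordPress core, not a Sucuri product).
 */
function audit_user_roles(): array {
    $report = array(
        'administrators' => array(),
        'no_role'        => array(),
        'multiple_roles' => array(),
        'counts'         => array(),
    );
    // Start every registered role at zero so unused roles show up in the report too.
    foreach ( wp_roles()->get_names() as $slug => $label ) {
        $report['counts'][ $slug ] = 0;
    }
    foreach ( get_users( array( 'fields' => 'all' ) ) as $user ) {
        $roles = (array) $user->roles;
        foreach ( $roles as $role ) {
            $report['counts'][ $role ] = ( $report['counts'][ $role ] ?? 0 ) + 1;
        }
        if ( in_array( 'administrator', $roles, true ) || is_super_admin( $user->ID ) ) {
            $report['administrators'][] = $user->user_login;
        }
        if ( empty( $roles ) ) {
            $report['no_role'][] = $user->user_login;
        }
        if ( count( $roles ) > 1 ) {
            $report['multiple_roles'][] = $user->user_login;
        }
    }
    return $report;
}

$audit = audit_user_roles();
printf( "Administrators (%d): %s\n", count( $audit['administrators'] ), implode( ', ', $audit['administrators'] ) );
printf( "Users with no role: %s\n", implode( ', ', $audit['no_role'] ) ?: 'none' );
printf( "Users with several roles: %s\n", implode( ', ', $audit['multiple_roles'] ) ?: 'none' );
foreach ( $audit['counts'] as $role => $n ) {
    printf( "  %-15s %d\n", $role, $n );
}
```

Every login in the administrators list should map to a person who actually needs the site admin features; anyone else gets moved down to the least privileged role that still covers their tasks.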

4. Use two-factor authentication (2FA)

There are many plugins that can offer you 2FA for a WordPress installation. The most common one is the Google Authenticator plugin.

Google Authenticator plugin

Once you download and activate the plugin in WordPress, it is very simple to use: all you need is the Google Authenticator app on your smartphone to scan a QR code.

Alternatively, if you are a user of our web application firewall, you can configure this without the need for a plugin by using the protected pages feature in your web application firewall settings.

Multi-factor authentication adds a layer of security to your website's front door.

5. Update all your WordPress passwords

Yes, no matter how difficult you believe your password is, hackers work around the clock to find ways to crack even the hardest passwords.

Our malware researcher Luke Leal shows how quick it is for a hacker to crack a password in this short video:

We offer some quick tips for you:

  • Never use predictable passwords, such as your birthday or the name of your spouse.
  • Add as many characters as possible.
  • Use a password manager, such as LastPass, to generate and keep your passwords in a safe vault.
  • Never reuse a password.

Having said that, the best practice is for you to change all of your passwords right now with the help of a password manager. This way, you only need to remember one password — the master LastPass password, for example — and still follow all password best practices.

6. Get behind a WordPress firewall

Even following all of the WordPress security best practices, a website can still be hacked. However, if you have an active website firewall filtering out all the traffic that your website receives, the chances of being affected by a WordPress hack are really minimal.

Sucuri offers a Web Application Firewall that is easy to install and will make your website run faster without you needing to worry much about website security. All you need to do is point your DNS A record to our secure servers and we will take care of your website. And if you need help during this process, our firewall analysts can do it for you.


Today, we covered six basic hardening techniques for WordPress that will not take much of your time to implement but will make a great difference to your website's security going forward.

The year is only starting, a great time to focus more on your big projects and less on being hacked. Sucuri has a DIY WordPress security guide, a free WordPress auditing and hardening plugin, as well as a complete WordPress security plan for you — peace of mind for 2020.
