WordPress Security for Complete Beginners

WordPress Security – A complete beginners guide

WordPress really is a brilliant way to have a fully functioning website up & running within minutes. According to Research by W3Techs, it powers more than 23 percent of all sites on the web and more than 60 million sites rely on it. With such wide-reaching popularity, WordPress has attracted the attention of those who are out to cause harm as a bit of an easy option. You can make their lives harder for them with a few simple tweaks to your WordPress Set Up.

What harm can an attacker cause anyway?


Most attackers don’t care about your site, they have their own objectives and goals. In fact they probably haven’t looked at your site at all and are what is know as a “bot”; a small program that searches the internet looking for websites that are vulnerable to particular types of attack or have particular bugs. Generally these bots are out there to manipulate the web. Most compromised sites never show it, they just silently have links embedded in their content to stores selling viagra and other pharmaceuticals. Other have some of their links changed or ads embedded to “adult” media. Some are done for political reasons, just to get a message across.

This can be pretty bad for your website. Your content is no longer your own and you are linking to some pretty spammy material. This can lead to Google and the other search engines removing your form their listing. Or worse, the attack could be a visual defacement that your potential clients and customers see, ruining your reputation in their eyes. Bad for business all round.

Is WordPress actually secure then?

WordPress is as secure as it is. No software is fully bug-free, and no software is fully secure. There are more secure content management systems out there, but, they are a lot harder to work with and – hence a lot more expensive to deal with. WordPress’ core developers are generally great at fixing security issues quickly when they are announced, it’s up to site owners and admins to keep it up to date. Another big problem with WordPress is the plugin infrastructure. Because it is so easy to write plugins for WordPress, many experienced and inexperienced developers have released work into the ecosystem that isn’t secure and causes many of the vulnerabilities that lead to problems. Good authors release frequent security patches to their plugins to keep things locked up tight.

Securing WordPress

It is possible to make WordPress more secure. The earlier in the life of your site you do this, the easier it will be (ie – think about these before you start). Some of these items will require a little technical know-how.

Disable the editor in the Admin Panel

WordPress has a built-in File editor that will let you edit any file in your site. Plugins, themes, core etc. This is a problem as anyone who managed to get access to your user account can now edit every file and any whatever they want. Fortunately, this is easy to stop by adding the following to wp-config.php.


Have Properly set up file permissions

Most web servers have a way of controlling who can edit which files on a server. WordPress comes with recommended settings for these permissions. Follow them. They will stop access to your files from other sites that may be on the same server.

Remove the default user

Many bots depend on the default user ‘admin’ being available. You can delete this user assuming you have another admin setup.

Keep everything up to date

One of the easiest and most effective things you can do is keep your WordPress core and plugins updated to the latest version. WordPress will try and automatically update itself if it can but may need some help from time to time if something goes amiss. This really is key.

Completely remove unused plugins

Deactivated plugins don’t get update notifications, and if poorly made can contain vulnerabilities that can bring down a site. If you are not using a plugin, remove it completely.

Use a non-standard directory structure

By changing the default folder structure, you can confuse most bots that have to make assumptions. This is pretty easy to do – just add these constants to wp-config.php and move your directory.

define( 'WP_HOME', 'https://www.wp-security.co.uk/' );
define( 'WP_SITEURL', 'https://www.wp-security.co.uk/' );
define( 'WP_CONTENT_FOLDERNAME', 'content' ); // change this to your directory

Change your table prefix

A type of vulnerability call SQL Injection depends on knowing your database structure before hand and WordPress’ database is well documented. Many bots will rely on using the default table names for making attempts on your site. Fortunately, we can inject a random string into the table names, making it much harder for them to guess the name of the table and do a database query.

Edit the variable $table_prefix in wp-config.php

$table_prefix = “wp_randomstringofcharacters_siteid_”;

This is much harder to change once WordPress has been installed, I recommend doing this from the start.

Force users to have strong password

If you are the only person using the site to post or make changes then you can get by having a strong password from a generator. If you’re part of a team you should use a strong password enforcement plugin like Force Strong Passwords.

Strong password is key to preventing brute force login attacks or people guessing your password through social engineering

Only allow logins from specific IPs

If your team of editors have a specific location and device they work from you should consider limiting the IP addresses that can access your WordPress admin panel. You can do this simply in Apache by editing a .htaccess file in your /wp-admin folder.

order deny,allow allow from deny from all

Ban users trying to login multiple times

Brute force attacks will try and login multiple times in quick succession. There any many plugins out there that prevent the user from attempting to login again after so many attempts. A good one to use is BruteProtect.


SSL or https is a method of securely protecting information as it is in transit between your browser and the server. It encrypts data so anyone between you and the server your accessing can’t easily see the information. It’s a definite on eCommerce or on sites where you are transmitting personal information. It can further protect you, even on a small site, from having your password be compromised in transit.

You’ll need to get a SSL certificate from somewhere, probably your web host or domain registrar.

You can then force WordPress to use SSL for the admin panel by adding these constants to your wp-config.php

define( 'FORCE_SSL_LOGIN', true );
define( 'FORCE_SSL_ADMIN', true );

Only use trusted themes and plugins.

The more code on your server the bigger a risk you’re at. Volume is a factor but so is quality. Only use plugins that have good reviews and show a history of being updated frequently. If at all possible – get your theme custom made for your requirements. It can be a lot more expensive but will generally be faster and of higher quality than the alternatives.

Have a backup plan

You can take all the precautions in the world but the worst can still happen. It is important that you have regular accepts if your site. Your core files, plugins, theme, media uploads and database.

There are good back ups and there are bad.

  • Keep your backups somewhere else – on a completely different server ideally.
  • Have them happen automatically. You will forget
  • Keep more that one copy. You don’t know how far back you’ve have to go.
  • Test your back-ups regularly to be sure that they work.

Backups can be expensive to setup and time consuming to manage but they are cheaper than the alternative.

What to do if you do get attacked?

The worst has happened! You have a couple of things you must do.

  • Change all your passwords. Everywhere. Email, Bank, Web Hosting, WordPress. Everything.
  • Revert to a back up of the site, ideally on a totally new server.
  • Dont have a back up? Cleaning services like Securi can help to get you back online
  • Learn from your mistakes. You may never know what happened or how they got it but learn from this and take measures to prevent it again.


Your site is important to you and your work. Don’t let the worst happen to it. Take steps now to prevent what is an inevitable thing. Security doesn’t need to be hard and while we are only taking the most basic precautions here, these will go along way to stop intruders and attackers. Have we missed anything or do you have any questions? Ask in the comments bellow and we’ll do our best to help.

Stewart Ritchie Lead developer and founder of Powered By Coffee. Stewart has been building websites for 15 years and focusing on WordPress for 5. He founded Powered By Coffee in 2011 after finishing is masters degree. He lives in Guildford Surrey with his wife Sydney and their two cats.

Signup to our mailing list