Keeping WordPress Sites Secure

Below is a list of elements found in each learning module, and a brief description of each. To keep WordPress Sites safe and secure, ensure that it contains each of these elements.


In this lesson, you will learn how to keep your WordPress site secure. You may ask yourself, “Do I even need to worry about keeping my WordPress site secure?” And the answer would be, “Yes!” Most people think that they could never be hacked, but you will find that it can happen to anyone. By taking a few precautions you will gain not only security but a fair measure of peace of mind.


After completing this lesson, you will be able to:

  • Identify the reasons why you must keep your WordPress site secure.
  • Explain various ways of keeping your site secure.
  • Demonstrate what must be done to keep your WordPress site safe from hackers.

Prerequisite Skills

You will be better equipped to work through this lesson if you have experience in and familiarity with:

  • Basic knowledge of WordPress.
  • Basic knowledge of HTML.

Readiness Questions

  • Do you have a working WordPress site?
  • Are you familiar with using the dashboard on your site?
  • Do you have Anti-Malware in place to protect your computer?

Notes for the Instructor

  • Take the time to familiarize yourself with the various WordPress security plugins.

Hands-on Walkthrough

Why, you may wonder, must we talk about security? And the answer would be because staying aware and on top of or ahead of problems will save a whole lot of stress and heartache later. Don’t ever think, “It couldn’t happen to me.”, because it can certainly happen to anyone.

Most of us would like to believe the best in people, but lest we be thought naive let us be prepared for the very worst and hope for the very best. Hackers are not looking for the long-drawn-out battle to gain access to any site. They target sites that are exposed and defenceless; those that display security holes.

You can basically block almost any and every attack by simply addressing the security issues and putting measures in place to stop them.

Sign in and sign out

One of the easiest, but most important ways of keeping your site secure is to be sure that you always log out of your site when you are finished. This is the simplest safety measure of all, but the one that most of us fail to do. 

This is extremely important for you to remember if you are working from a shared or public computer. If you fail to log out anyone can access your account just by going back and viewing your browser history. If they do so, they will be able to access your Dashboard as well.

Always be sure to protect your account by signing out every time you are finished working. To do so;  all you need do is click on your Gravatar in the upper right corner, this will open your Profile page, and then you hit the “sign out button” in the left corner under your Gravatar. Or, If you are on your blog dashboard you can hover over your Gravatar on the grey toolbar at the top right and click  “Sign Out”.

Use Strong Passwords

Another item that we must consider is passwords. It is important to maintain a strong password. Having a weak password will allow a hacker to gain access to your website easily.

A strong password should include capital letters, lowercase letters, a number and/or a symbol of some type. DO NOT use the same password for every instance that you need one.  

It would also be wise to change your password frequently. There are tools available to help you create strong passwords as well as tools to keep track of all your passwords.

Also, add 2FA Authentication for the login as well, it will help to make your system more robust.

Keep WordPress updates current

Next, it is necessary to keep your WordPress updates current; this is of utmost importance. WordPress is very quick to keep their updates current. They are equally quick to fix security problems that arise. For these updates and security measures to work for you though you must be utilizing them. Be responsible for keeping your own site up-to-date.

Guard your information

Always be careful of whom you give your information to. Once again; be prepared for the very worst and hope for the very best. It would be best if you were the only person who had access to your passwords. If, for some reason, such as job purposes, you must share this information, keep in mind the fewer people that have access to your security information the safer your site will be.

Use Anti-Malware

Anti-malware is a must; not only for the safety of your computer but also for the safety of your WordPress site. There are a variety of anti-malware products available and you must decide which one will work best for your situation. Some are continuously working in the background; keeping your computer and site safe. Others will need to be periodically run to check for any form of malware that may be lurking.

Each program comes with a different idea of how often they need to be run; monthly, weekly or daily. It would be best to set a schedule and make it a habit of running it at least on a weekly cycle. Always be consistent in monitoring your computer for Malware.

Use Reputable Hosting

Hosting providers are responsible for protecting the security of their clients at the server level. Your host should be proactively searching for and plugging security holes. This is particularly important on low-budget “shared hosting” providers where hundreds or thousands of sites share the same server. In some situations, one “bad neighbour” can cause all of the sites to get hacked – even if you did everything right. That’s why picking the right host is so important.

Use WordPress Security Plugins

There are various plugins available through WordPress which are exclusively for security purposes. Each plugin is unique and its features used to keep the site safe are distinct in their own way. It is recommended that you do a thorough study of each of them before making a final decision.

  • WordFence: This is one of the most popular security plugins. It continuously checks for malware infections and will notify you if anything is found. WordFence is a free plugin. There are also a few advanced features which are available for a price.
  • BulletProof Security: This is another popular choice. Bulletproof adds firewall security, login security, database security,  and much more. It too is free, but also comes with the option of additional security for an added cost.
  • Sucuri Security: Sucuri offers various security features, including malware scanning, security activity auditing, blacklist monitoring, and even a website firewall. Sucuri is not a free service, you will need to pay for using their service.
  • iThemes Security: iThemes Security claims to offer over 30 ways to secure and protect a WordPress website. It does come at a cost though.
  • Acunetix WP Security: The Acunetix plugin helps to secure your WordPress website and will suggest various guidelines to improve the security of your site.
  • All In One WP Security & Firewall: All In One is great for checking for any vulnerabilities on your site and it is easy to use. It will protect against hackers and goes into lockdown if someone tries to use brute force on your site. There is a cost attached to this plugin.
  • Source Code Protection: Source Code Protection is a simple and effective plugin that uses to prevent common techniques in protecting your code from being stolen. Disable the following keys CTRL+A, CTRL+C, CTRL+X, CTRL+S or CTRL+V. No one can right-click images on your site if you want.

Be vigilant! By being proactive and taking a few steps of preparation for security’s sake you can keep your site safe and enjoy some peace of mind.  

Lesson Overview

  • Demonstrate points on how you can make your WordPress site safer
  • Follow all the steps or points that make sure to set up a WordPress site.
  • Practice exercises to and add any WordPress security plugin to more secure your WordPress site.


  • Become familiar with signing in and out of your WordPress site.
  • Create a new password for your site.
  • Research the various WordPress plugins and decide what will work best for you.


Write out the question.

  1. If I am careful I will not need to ever worry about safety on my WordPress site. (True or False)
  2. If I am only writing a blog I will not need to worry about hackers. (True or False)
  3. One of the easiest ways to keep your site safe is to _____ _____ after each use.
  4. It is important to maintain a strong password even on a WordPress site. (True or False)
  5. All WordPress plugins for security purposes come with a cost. (True or False)

Answer: 1. False 2. False 3. Sign Out 4.  True 5. False  

Additional Resources

Hardening WordPress

Example Lesson

2FA Authentication

When working with any online site, consider enabling 2FA by default. Refer to Two-Step Authentication for more information.

Some WordPress plugins designed to help include:

File Permissions

The default permission scheme should be:

Folders – 750
Files – 640

There several ways to accomplish this change. There are also some variations to these permissions that include changing them to be more restrictive. These, however, are the default recommendations. Check with your host before making permissions changes as they can have adverse effects on the performance and availability of your site.

Avoid having any file or directory set to 777.

You can read more about WordPress updates and file ownership on the Updating WordPress codex page.

Changing file permissions

Via command line you can run the following commands to change permissions recursively:

For Directories:

find /path/to/your/wordpress/install/ -type d -exec chmod 750 {} ;

For Files:

find /path/to/your/wordpress/install/ -type f -exec chmod 640 {} ;

You can also do this via your favorite FTP/SFTP client.

For a detailed explanation of UNIX file permissions, see File system permissions – Wikipedia


If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

order allow,deny
deny from all

Disable File Editing

Recommended to disable file editing within the WordPress dashboard. WordPress has a constant that disables this editing via the wp-config.php file. Append the following two lines to the middle of your wp-config file, with all the other defines. The require_once line should always remain last in the file:

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

Lesson Wrap Up

Follow with the Exercises and Assessment outlined above.