Making & Keeping WordPress Secure

Making & Keeping WordPress Secure Presentation

Here's my "Making & Keeping WordPress Secure" presentation, which I presented to the WordPress Greenville meetup group. The rest of this blog post gives more detail than these slides.

Note: This page contains affiliate links. Please see Affiliate Disclosure.

Prevent Security Issues

An ounce of prevention is worth a pound of cure. It's better to put your energy into preventing your site from being hacked, than to spend it on responding to a hack.

Password Management

Create strong passwords. Use 20+ characters. Use uppercase, lowercase, and special characters. Use a password manager like BitWarden to generate strong passwords.

Store passwords securely. Keep them in a password manager like BitWarden.

Share passwords securely. Many password managers, including BitWarden, have a feature for sharing with other users of the same password manager. You can also use an encrypted messenger like Signal. Don't send passwords by email or SMS/text message!

Use SFTP or FTPS, not FTP. Plain FTP sends your password in cleartext, where eavesdroppers can see it. SFTP and FTPS are secure FTP.

Account Management

Ensure that each WordPress user has their own account. WordPress accounts shouldn't be shared. If each user has their own account, it's easier to track who does what on the site, and to cut off access when someone no longer needs it.

Give each user the lowest role possible. The User Role Editor plugin can fine-tune permissions.

Hosting

Managed hosting

Using a managed WordPress host is probably the easiest way to improve security, because they handle so much of the network, server, and site security for you.

We recommend Flywheel and WP Engine, though there are other good managed WordPress hosts.

Even though managed WordPress hosts handle many aspects of security for you, it's worth checking if you should do anything else. Check your host's support documentation, or ask them.

Shared hosting

Some budgets don't allow for managed WordPress hosting. If that's the case for you, you may end up using shared hosting. In this space, we recommend SiteGround.

Shared hosts may offer security add-ons. For example, SiteGround has their SG Site Scanner. Some hosts' security scanners will notify you of malware, but won't remove it. Find out what your host does.

Because shared hosts usually don't offer the same level of security as managed hosts, you should consider a security plugin. Be sure to weigh the pros and cons. Some potential downsides of security plugins:

  • They can use a lot of resources, which could slow your site down and/or cause your hosting plan to hit limits or incur fees.
  • They can trigger false positives; they may flag legitimate code as malware.
  • They can increase your site's attack surface; security plugins are usually large and complex, and may inadvertently introduce vulnerabilities to your site.

These are some of the best-known WordPress security plugins:

The free versions of these plugins usually have limited features; the paid premium versions unlock more.

Hardening

Hardening is the process of increasing your site's defenses. Managed hosts may handle some or many of these for you, so find out what they do before you proceed with these steps.

Put the code from Securing wp-config.php in your .htaccess file. This denies access to anyone looking for the wp-config.php file.

Put the code from Securing wp-includes in your .htaccess file. This blocks scripts from running where they shouldn't.

Put the code from Disable File Editing in your wp-config.php file. This disables the file editors which are built into the WordPress admin area. If a hacker gets access to the admin area, they can use these file editors to edit the code of your plugins or themes. You shouldn't be editing your site using these editors anyway (you should be using SFTP/FTPS or version control).
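The three edits above (deny web access to wp-config.php, block direct requests into wp-includes, and disable the file editors) can be applied and verified with a small script. The following is an added example, not code from the original post or from the WordPress project. It assumes Apache 2.4 with mod_rewrite (the `Require all denied` syntax), wp-config.php in the site root, and POSIX grep/sed/awk; the `.htaccess` rewrite rules are the ones from the WordPress "Hardening WordPress" guide, and the site path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post or the WordPress project): applies the
# three hardening edits to a WordPress install whose root directory is passed as
# the argument. Assumes Apache 2.4 with mod_rewrite ("Require all denied" syntax),
# wp-config.php in the site root, and POSIX grep/sed/awk. Re-running it is safe:
# each edit is skipped when its marker comment is already present.
#
# Usage:  . ./harden-wp.sh && harden_wp_site /var/www/example   (path is a placeholder)

# Deny every direct web request for wp-config.php (it holds DB credentials and salts).
WP_CONFIG_BLOCK='# BEGIN wp-config hardening
<Files wp-config.php>
  Require all denied
</Files>
# END wp-config hardening'

# Rules from the WordPress "Hardening WordPress" guide: refuse direct requests for
# PHP files under wp-includes/ and wp-admin/includes/, which are include-only code
# and should never be executed by a browser. The S=3 rule skips the next three
# rules for any request outside wp-includes/.
WP_INCLUDES_BLOCK='# BEGIN wp-includes hardening
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END wp-includes hardening'

FILE_EDIT_DEFINE="define( 'DISALLOW_FILE_EDIT', true );"

# append_once FILE MARKER BLOCK: append BLOCK to FILE unless MARKER is already there.
append_once() {
  file=$1; marker=$2; block=$3
  if [ -f "$file" ] && grep -q -F "$marker" "$file"; then
    return 0
  fi
  printf '%s\n' "$block" >> "$file"
}

# insert_define CONFIG LINE: put LINE before the "stop editing" comment (or, failing
# that, before the require of wp-settings.php) so WordPress sees it at load time.
insert_define() {
  cfg=$1; line=$2
  awk -v line="$line" '
    !done && (/stop editing/ || /wp-settings\.php/) { print line; done = 1 }
    { print }
    END { if (!done) print line }   # neither marker found: append as a last resort
  ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

harden_wp_site() {
  site=$1
  if [ ! -f "$site/wp-config.php" ]; then
    echo "no wp-config.php in $site" >&2
    return 1
  fi
  append_once "$site/.htaccess" '# BEGIN wp-config hardening' "$WP_CONFIG_BLOCK"
  append_once "$site/.htaccess" '# BEGIN wp-includes hardening' "$WP_INCLUDES_BLOCK"
  # Turn off the theme/plugin editors in the admin area.
  if ! grep -q 'DISALLOW_FILE_EDIT' "$site/wp-config.php"; then
    insert_define "$site/wp-config.php" "$FILE_EDIT_DEFINE"
  fi
}

# check_hardening SITE: exit 0 only when all three edits are present.
check_hardening() {
  site=$1
  grep -q -F '# END wp-config hardening' "$site/.htaccess" &&
  grep -q -F '# END wp-includes hardening' "$site/.htaccess" &&
  grep -q "DISALLOW_FILE_EDIT', *true" "$site/wp-config.php"
}
```

After running it, confirm the rules are live rather than trusting the file: a request for `https://example.com/wp-config.php` should return 403, and so should one for any `.php` file under `/wp-includes/`. On a host running Nginx the `.htaccess` part is ignored entirely, so only the `DISALLOW_FILE_EDIT` edit applies and the deny rules belong in the server configuration instead.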

Ensure that no admin account is named admin, because hackers look for that account. If it exists, create a new account to replace it, then delete the admin account.

Add brute-force protection to prevent hackers from repeatedly trying to break into your site. Use Login LockDown or a similar plugin. Security plugins often include brute-force protection.

Add a TLS/SSL certificate. This encrypts the communication between your website and your visitors' browsers, preventing eavesdropping. Your entire site should run over HTTPS (all URLs should start with https rather than http).

Consider Cloudflare, which includes a firewall, for an extra layer of protection.

Add two-factor authentication (2FA) to your site. That way, even if a hacker acquires or guesses a username and password, they won't be able to log in without a 2FA code. Use Two-Factor or a similar 2FA plugin.

Updates

Before I say anything about updates, I need to warn you to always back up your site before installing updates. You should have automatic daily backups, but it doesn't hurt to take another manual backup before updating, especially if it's a significant update.

Because hackers start exploiting vulnerabilities as soon as they learn about them, in general you should install updates as soon as possible. However, you need to consider that updates sometimes break sites, so weigh that risk against the security risk of delaying updating.

For plugins that are more likely to contain bugs that can break features of your site (such as Yoast SEO and WooCommerce), check the plugin's changelog before updating, to see what changes the update includes. If the update doesn't include any security fixes, consider waiting a few days to update, while others act as guinea pigs to discover any bugs the plugins may contain.

Backups

Backups should happen automatically; ensure your backup system takes them at least daily.

You can use a management tool such as ManageWP, or a backup plugin such as UpdraftPlus or BackWPup.

You should have at least one set of backups stored off-site, on a system not owned by your hosting company, and in a location far from your web server. That's because if your hosting company has a problem, you don't want to lose access to your site and your backups. Sadly, I've seen that happen.

Keep backups for long enough; I recommend at least 30 days. People don't always discover website problems as soon as they occur; sometimes days or weeks pass. By keeping backups for a month or more, you'll be able to grab files or database records from before the problem occurred.

Monitoring

WordPress security isn't "set it and forget it"; you need to monitor your site's security.

Monitor suspicious login attempts. Brute-force protection plugins (mentioned earlier) will often do this for you. Have some way of being notified when people are trying to break into a site, or have a rule in place to automatically block such attempts.
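A brute-force plugin is the easy route, but the same signal is visible in the web server's access log, which is useful when a plugin is unavailable or you want to check its alerts. The script below is an added example, not code from the original post or any plugin: it counts POST requests to the two login endpoints per client IP and reports the ones over a threshold. It assumes the common/combined log format that Apache and Nginx use by default (client IP in the first field, request line in double quotes starting at the sixth); the log lines it writes are constructed samples using RFC 5737 documentation addresses, not real traffic.

```shell
#!/bin/sh
# Added example (not from the original post): find client IPs hammering the login
# endpoints in a web server access log. Assumes the common/combined log format
# (client IP in field 1, request line in double quotes starting at field 6), which
# Apache and Nginx both use by default. The sample log below is constructed.

# flag_login_bursts LOGFILE [THRESHOLD]
# Prints "IP COUNT" for every IP with at least THRESHOLD (default 20) POST requests
# to wp-login.php or xmlrpc.php, highest count first. GETs are ignored: a real
# visitor loads the login page once; a password-guessing tool POSTs to it repeatedly.
flag_login_bursts() {
  awk -v threshold="${2:-20}" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= threshold) print ip, hits[ip] }
  ' "$1" | sort -k2,2nr
}

# write_sample_log FILE: constructed log lines (RFC 5737 documentation addresses,
# not real clients): one IP makes 8 login POSTs, one makes 6 XML-RPC POSTs, and
# one logs in normally (one GET, one POST, then the dashboard).
write_sample_log() {
  : > "$1"
  i=0
  while [ "$i" -lt 8 ]; do
    printf '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"\n' "$i" >> "$1"
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt 6 ]; do
    printf '192.0.2.9 - - [10/Oct/2023:13:56:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"\n' "$i" >> "$1"
    i=$((i + 1))
  done
  printf '198.51.100.2 - - [10/Oct/2023:13:57:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"\n' >> "$1"
  printf '198.51.100.2 - - [10/Oct/2023:13:57:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$1"
  printf '198.51.100.2 - - [10/Oct/2023:13:57:06 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"\n' >> "$1"
}
```

With the sample log and a threshold of 5, `flag_login_bursts access.log 5` lists `203.0.113.7 8` and `192.0.2.9 6` and says nothing about the legitimate visitor. xmlrpc.php is included because its `system.multicall` method lets many login attempts ride in one request, so even a low count there deserves a look. The output is the kind of list you would feed to a host firewall or a deny rule, and running it from cron against the previous day's log is a cheap way to get the notification the paragraph above asks for.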

Consider an activity log. ManageWP will track changes made to your site through that tool. You can also consider a plugin such as WP Activity Log. Activity logging is included in several security plugins.

Decluttering

All the code that makes up your site contributes to its attack surface. Think of a house; the more windows and doors, the greater the risk that someone can find a way in. With your website, the more code and user accounts are in place, the more opportunities for hackers to get in. Remove anything that's not truly necessary.

Remove unnecessary plugins, themes, and users.

Simply deactivating plugins and themes isn't enough, because the code is still present on your site. You must delete them.

Respond to & Recover from Security Issues

No defense is 100% effective. Even if you do all the above prevention steps, there's still the chance your site could be hacked. Let's consider what to do in that unfortunate situation.

Options

There are 3 entities that can deal with a hacked site:

  1. Host
    • Your host may clean your site for free, or charge you. The charge may be less than hiring someone to clean it.
  2. Malware removal service. These are reputable companies:
  3. You (DIY). The next section will explain how.

Clean a WordPress Site

If you decide to clean a hacked WordPress site yourself, be sure you know what you're doing, or you'll likely miss malware or leave the hacker a way to reinfect the site.

  1. Download any known good (clean) backups to your PC. Also, take a backup of the site as it is, in case you need anything out of it.
  2. In the WordPress admin area, go to Settings > Reading and check the box for Discourage search engines from indexing this site.
  3. Enable maintenance mode by adding a file named .maintenance to the root of your WordPress directory, or enable maintenance mode using a plugin.
  4. If you have a known good (clean) backup, restore it. After you restore it, check the site for evidence of malware.
  5. If there's no good backup, scan the infected site with security plugins. Remove any malware. Here are useful malware-removal plugins:
    1. Sucuri Security
    2. Wordfence
    3. SiteAlert (Formerly WP Health)
    4. Anti-Malware Security and Brute-Force Firewall
    5. AntiVirus
    6. Theme Check
  6. If the malware is too difficult to remove, use a cleaning service (see the list above).
  7. Reinstall WordPress Core (in the WordPress admin area, go to the Updates screen).
  8. Disable maintenance mode and remove the .maintenance file or plugin.
  9. In the WordPress admin area, go to Settings > Reading and uncheck the box for Discourage search engines from indexing this site.
  10. Use the Sucuri plugin to reset WordPress user passwords and WordPress keys (Settings > Post-Hack).
    1. To manually reset the WordPress secret keys, create a new set with the WordPress key generator, then overwrite the existing values in your wp-config.php file with those values.
  11. Uninstall any plugins you installed during the clean-up that don't need to remain installed.
  12. Do any needed maintenance (install updates, etc.).
  13. Change all site-related passwords (host, FTP, WordPress) if not already reset.
  14. Clean Google search results, if necessary (if Google is showing warnings about your site containing malware).
    1. Ensure your sitemap index is in Google Search Console > Sitemaps.
    2. Use Google Search Console > Removals to remove URLs you don't want to appear in Google search results.
    3. Submit a reconsideration request to Google.
  15. Add a TLS/SSL certificate if you don't already have one in place.
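Two parts of this procedure are scriptable: maintenance mode (steps 3 and 8) and the manual secret-key reset (step 10.1). The functions below are an added example, not code from the original post, from WordPress or from the Sucuri plugin. They assume the site root is passed as an argument and that wp-config.php uses the standard `define( 'AUTH_KEY', '...' );` lines; the keys are generated locally from /dev/urandom instead of being fetched from the WordPress key generator, and match its 64-character length. Paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post, WordPress or Sucuri): maintenance
# mode and manual secret-key rotation as shell functions. Assumes the site root
# is passed as the argument and that wp-config.php uses the standard
# define( 'AUTH_KEY', '...' ); lines. Keys are generated locally from /dev/urandom
# rather than fetched from the WordPress key generator; both are 64 characters.
#
# Usage (paths are placeholders):  maintenance_on /var/www/example
#                                  rotate_wp_salts /var/www/example/wp-config.php

# WordPress includes .maintenance from the site root on every request and honours
# it only while $upgrading is less than ten minutes old. Evaluating time() on each
# request therefore keeps the site down until the file is removed (step 8).
maintenance_on() {
  printf '%s\n' '<?php $upgrading = time(); ?>' > "$1/.maintenance"
}

maintenance_off() {
  rm -f "$1/.maintenance"
}

WP_KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# random_secret: 64 characters from /dev/urandom, limited to a set that is safe
# inside a single-quoted PHP string and a sed replacement (no ' \ & or |).
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9!#%*()_+=' < /dev/urandom | head -c 64
}

# rotate_wp_salts WP_CONFIG: replace the value of each of the eight keys in place.
# Every existing login cookie becomes invalid, which after a compromise is exactly
# what you want: the attacker's sessions die along with everyone else's.
rotate_wp_salts() {
  cfg=$1
  work="$cfg.tmp"
  cp "$cfg" "$work"
  for key in $WP_KEYS; do
    secret=$(random_secret)
    sed "s|define( *'$key', *'[^']*' *);|define( '$key', '$secret' );|" "$work" > "$work.2" \
      && mv "$work.2" "$work"
  done
  mv "$work" "$cfg"
}

# salts_ok WP_CONFIG: exit 0 when all eight keys have values of at least 64
# characters and the stock "put your unique phrase here" placeholder is gone.
salts_ok() {
  for key in $WP_KEYS; do
    grep -q "define( *'$key', *'[^']\{64,\}' *);" "$1" || return 1
  done
  ! grep -q 'put your unique phrase here' "$1"
}
```

Rotating the keys logs everyone out but does not change any password, so step 13 (changing host, FTP and WordPress passwords) is still required. Run `salts_ok wp-config.php` afterwards; it fails if any of the eight defines is missing, which happens on installs where a previous clean-up or a plugin rewrote wp-config.php in a non-standard layout.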

Need Help with WordPress Security?

You probably don't have a WordPress website because you want to spend time on website security. You probably want to be running your business, not worrying about security issues. Why not let someone else focus on securing your website? Contact OptimWise and get back to doing what you do best.
