The definite WordPress security guide for 2019

Imagine this:

You have spent countless hours working on your website.

You have great content. You have a steady traffic flow. You have a loyal customer base.

And one day your site gets hacked.

How long will your customers stay with you if they know that their private details are in danger?

Every week, 20 000 WordPress sites get blacklisted by Google for hosting malware.

Don’t become part of that daunting statistic – check out our WordPress security guide.

Wait, isn’t WordPress security hard?

A lot of people think that online security is something really hard to achieve – something that should be left to the system administrators.

But that’s not true.

You can beef up the security of your website without touching a single line of code or having to know what XSS is, for example.

(It’s a web app vulnerability. Don’t worry about it for now.)

Read below to learn how to improve the security of your site.

No programming knowledge and skills are required.

You’ll just need to click here and there, that’s all!

An updated WordPress installation is a safer WordPress installation

5 years ago, WordPress updates had to be implemented manually. You had to download the new files from the source, to upload them to your website, to unpack the archive, to manually install each given update…

Today, all this is done with just a single click.

And the update process takes about a minute.

Imagine having your site gone because you forgot to press a button.

To make your life even easier, the creators of WordPress can automatically update your website on your behalf.

Stronger passwords save lives and WordPress sites

The password is the key to your WordPress website.

If someone knows it, they can log in at any moment and do whatever they want.

In the world of online security, this is known as “a single point of failure”, i.e. a part of a system that will stop the latter from working if it fails.

So, it’s imperative to make the password for your WordPress website hard to steal.

But this doesn’t stop here.

You have to also strengthen the passwords for your hosting account, for your MySQL database, for your FTP account, for your mailbox…

All these passwords need to be very strong since each of them represents a potential single point of failure.


Either memorize multiple unique passwords or use a password manager.

Our advice?

Pick a password manager and start creating strong, unique passwords.

But wait, can’t I just pick one single extremely strong password and use it to access all my existing accounts?

Yes, you can. But we don’t advise you to.

Even extremely strong passwords can be cracked, guessed or even stolen through social engineering.

Don’t put yourself in that position.

Always be prepared and keep a backup at hand

The very first thing you need to do in order to protect your website is maintaining an up-to-date backup.

There is no such thing as an unhackable website. Even government institutions are affected by hackers from time to time.

Whatever happens, your backup will help you get your site back online at any time.

Nowadays, users can choose from a vast selection of free and paid WordPress backup solutions.

Your hosting provider is the first major line of defense against content loss. Almost all hosting providers today offer website and database backup services.

But that’s just a start.

The first rule is to always keep a backup in a remote location.

(This means outside your WordPress hosting account.)

There are different cloud storage providers, among them Amazon, Dropbox, Google Drive, Backblaze, etc.

And you don’t need anything special to automate these backups.

There are multiple plugins that will allow you to export a backup to them directly:

The recommended backup interval depends on the time interval at which you update your website.

Based on this, decide whether to create daily or real-time backups.

Are you still using the ‘admin’ username? Change it today!

Earlier we mentioned that passwords represent potential single points of failure.

Well, if your username is still ‘admin’, the probability of being subjected to a brute-force attack will be much higher.

(Brute-force attacks represent quick password-guessing attempts.)

The solution?

Simply change your ‘admin’ username.

This is something that happens by default with newer WordPress installations.

However, if you are still using the ‘admin’ username, here is how to change it quickly:

  1. Create a new user with admin privileges.
  2. Log in as the user you’ve just created.
  3. Delete the old ‘admin’ username.

That’s it.

Now your website is much better protected.

Enable two-factor authentication (2FA)

If you have a Gmail mailbox or a Twitter account, then you have already met the term “two-factor authentication”.

With 2FA enabled, aside from the standard username/password combo submission, you will be asked to authenticate yourself in another way as well.

The most common two-factor authentication method is the phone-based verification, be that via an app or a text message.

But what’s the benefit of enabling 2FA?

Well, it’s simple!

Imagine if someone broke into your email account and stole your username and password.

There would be no stopping them from wreaking havoc in your WordPress environment, right?

Well, with two-factor authentication on, the attacker would also need to have access to your phone.

And getting access to one’s phone is a much harder task.

Enabling two-factor authentication, however, can be a hurdle, especially if your website has many users.

Our advice?

Enable it only for accounts with admin privileges. This way, regular users can log in unhinderedly.

Check our guide on the best two-factor authentication plugins for WordPress to see which is the best one for your needs.

Limit the allowed login attempts

You’ve already changed your username and your password?


Still, there is one more thing you should do in order to prevent brute-force attacks.

(Brute-force attacks are among the most common attacks affecting today’s websites.)

As we’ve already stated, brute-force attacks represent quick password-guessing attempts.

A quick and effective measure would be to limit the number of login attempts.

How to do that?

Well, the easiest way is by using a plugin.

WP Limit Login Attempts does a good job, is regularly updated and fairly easy to use.

You should also check with your hosting provider to find out whether they are offering something similar.

Disable XML-RPC in WordPress

XML-RPC is a protocol that allows remote connections between WordPress and third-party services and apps.

That said, you will be so much better off if you disable it.

Wait, but why?

Well, because it can be very easily exploited by hackers and spammers.

For instance, in lieu of trying 500 different username-and-password combinations, an attacker can unobstructedly reduce this number to 20-50.

But are there any downsides to disabling XML-RPC?

Well, there are some.

Here are several third-party services and apps that rely on the XML-RPC protocol’s availability:

  • the WordApp Mobile App
  • some of Jetpack’s modules
  • some podcast apps
  • BuddyPress
  • multiple photo gallery plugins

If you are using any of them, you can soft-disable XML-RPC with a plugin like Remove XMLRPC Pingback Ping.

If you aren’t using any of them, the most resource-efficient way to block XML-RPC requests will be to tweak the .htaccess file a little bit.

Just add the following lines:

## block XML-RPC requests
<Files xmlrpc.php>
order deny,allow
deny from all

That’s it, you are all set.

Monitor files for changes

A lot of security specialists would advise you to disable the WordPress admin panel-integrated theme and plugin editors outright.

However, we like the file editor and are using it extensively.

So, that’s not an option for us.

A very good alternative would be to monitor your core files for changes.

The File Changes Monitor plugin will do the job.

It can track modification date and file size changes, compare file hashes, etc.

And if it detects anything out of the ordinary, it will notify you via email.

Wordfence and Sucuri are two other file-monitoring solutions.

They both are jam-packed with security features.

Install an SSL Certificate and boost your security and traffic

Would you say “no” to a free traffic boost?

How about a free boost to your website’s security?

And what about a free and quick customer trust boost?

You can achieve all these by getting an SSL certificate.

Today, thanks to the efforts of the good guys at, anyone can get a free SSL certificate for their website.

And installing one on a WordPress website is easier than ever.

But what will it do?

Well, the SSL certificate will encrypt the connection between your visitors and your website.

This way, you can effectively prevent the otherwise very-hard-to-stop man-in-the-middle attacks from ever occurring.

There is another reason why you should get an SSL, and that is because Google will start labeling all unencrypted websites as “Not Secure”.

And you don’t want this to happen to your website, do you?

Check out our guide to installing an SSL certificate on a WordPress website.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.