
WordPress Security

Security on WordPress is a big topic, but we can follow best practices that keep our sites as secure as possible. A lot of bots scan the internet looking specifically for WordPress installations they can try to break into. Since WordPress is so popular, it also has to be really secure out of the box, and it mostly is! But there are some things you can do to be more secure.

Keep WordPress Up To Date

Any time a vulnerability is found in WordPress, it is addressed very quickly and a fix is released. For this reason your WordPress version should always be kept up to date. You can leave auto-updates turned on. If you have a completely custom theme that may break with an update, you can update WordPress manually instead, but make sure to do it on a regular basis.

Keep Plugins Up To Date

This one is tricky because sometimes updating plugins can break our site (see the plugins page). However, plugin updates can also fix security vulnerabilities.

I would say if you can, update your plugins on a staging site first to make sure there are no breaking changes. Or look at the change log for the plugin and see if there are security fixes in the update. Personally, I update plugins manually so I have complete control and can check for breaking changes. This is another reason why fewer plugins are better – fewer plugins, fewer updates.
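One way to put the update policy above into code, as an added example that is not the article's own: a must-use plugin (a file dropped into wp-content/mu-plugins/) that keeps core on automatic minor updates while letting only an explicit, already-tested list of plugins update unattended. The plugin basenames in the list are assumptions for the example; everything else is listed in the WordPress filter reference.

```php
<?php
/**
 * Plugin Name: SWD Update Policy (added example, not from the article)
 *
 * Core: automatic minor (security/maintenance) releases on, major releases
 * left for a manual, tested update.
 * Plugins: only the slugs in SWD_AUTO_UPDATE_PLUGINS update on their own;
 * everything else waits until it has been tried on staging.
 */

// Core policy via the auto-updater's own filters.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugin basenames (directory/main-file.php) that may update unattended.
// Assumption: these are the paths used by the two plugins named on this page;
// check yours with `wp plugin list` or on the Plugins screen.
const SWD_AUTO_UPDATE_PLUGINS = array(
    'wps-hide-login/wps-hide-login.php',
    'contact-form-7/wp-contact-form-7.php',
);

/**
 * Decide whether a given plugin may auto-update.
 *
 * @param bool|null $update WordPress's current decision (ignored here).
 * @param object    $item   Update item; $item->plugin is the basename.
 * @return bool
 */
function swd_plugin_may_auto_update( $update, $item ) {
    if ( ! isset( $item->plugin ) ) {
        return false;
    }
    return in_array( $item->plugin, SWD_AUTO_UPDATE_PLUGINS, true );
}
add_filter( 'auto_update_plugin', 'swd_plugin_may_auto_update', 10, 2 );

// Keep a trace of what updated on its own, so a broken site can be tied
// back to a specific unattended update.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results['plugin'] ?? array() as $result ) {
        if ( isset( $result->item->slug ) ) {
            error_log( 'SWD auto-update: plugin ' . $result->item->slug . ' updated' );
        }
    }
} );
```

Because the allowlist is by basename, a plugin that is not installed simply never matches; adding a slug to the list is the only way a plugin gains unattended updates, which is the point.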

Hide Your WordPress Login URL

I don’t usually believe in security by obscurity, but this is an exception. Since there are a lot of bots that specifically look for login pages to brute force, you can deny them simply by changing your WordPress login from /wp-admin to /my-wordpress-admin (or whatever you’d like).

And it’s really easy to do using one of my favorite must-use plugins, WPS Hide Login. Just type in your new obscure URL and the old WordPress login page at /wp-admin now returns a 404!

Mitigate Common Attacks Like XMLRPC and WP Cron

You can take steps to ensure that you’re protected against common WordPress attacks such as an XML-RPC attack or a WP-Cron attack.

For XML-RPC, you just disable access to xmlrpc.php through code or your .htaccess file. See how to prevent WordPress XML-RPC attacks.

For cron attacks, make sure that requests to wp-cron.php only come from your own server; you can even move the cron script to a real cron task so WordPress isn’t handling it on page loads.
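The two mitigations just described, done in code rather than .htaccess, as an added example that is not the article's code: a must-use plugin that rejects XML-RPC requests outright (and stops advertising the endpoint), and that answers wp-cron.php with a 403 unless the request comes from the server itself. The constants it checks, XMLRPC_REQUEST and DOING_CRON, are set by xmlrpc.php and wp-cron.php respectively before WordPress loads, which is why an mu-plugin can act on them; the 403 messages are constructed for the example.

```php
<?php
/**
 * Plugin Name: SWD XML-RPC and Cron Hardening (added example, not from the article)
 * Install: copy to wp-content/mu-plugins/.
 */

/* ---------- XML-RPC ---------- */

// xmlrpc.php defines XMLRPC_REQUEST before requiring wp-load.php, so this
// runs before any XML-RPC method is dispatched.
if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
    http_response_code( 403 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'XML-RPC is disabled on this site.' );
}

// Belt and braces for anything that reaches the XML-RPC server another way:
// xmlrpc_enabled blocks the authenticated methods (the ones used for
// password guessing); pingback.* need no login, so drop them separately.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop telling the world where the endpoint is: the X-Pingback header
// and the RSD <link> in the page head.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

/* ---------- WP-Cron ---------- */

/**
 * Is this cron request from the server itself?
 *
 * WordPress's own trigger is a loopback HTTP request, so it arrives from
 * localhost or the server's own address. A system cron that runs
 * `php wp-cron.php` is the CLI SAPI and is always trusted.
 */
function swd_cron_request_is_local() {
    if ( PHP_SAPI === 'cli' ) {
        return true;
    }
    $allowed = array_filter( array(
        '127.0.0.1',
        '::1',
        $_SERVER['SERVER_ADDR'] ?? null,
    ) );
    return in_array( $_SERVER['REMOTE_ADDR'] ?? '', $allowed, true );
}

// wp-cron.php defines DOING_CRON before requiring wp-load.php.
if ( defined( 'DOING_CRON' ) && DOING_CRON && ! swd_cron_request_is_local() ) {
    http_response_code( 403 );
    header( 'Content-Type: text/plain; charset=utf-8' );
    exit( 'wp-cron.php may only be triggered locally.' );
}
```

Two caveats a practitioner should check before relying on the cron half. First, behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address, so the allowlist has to be adjusted (or the check moved to the proxy). Second, the "real cron task" route is simpler and removes the public trigger entirely: add `define( 'DISABLE_WP_CRON', true );` to wp-config.php and have the system cron run `wp cron event run --due-now` (WP-CLI) or `php /path/to/wordpress/wp-cron.php` every few minutes; both pass the CLI test above.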

Forms and Captchas

To prevent spam, always use reCAPTCHA or another captcha mechanism along with honeypots. Disable file uploads, and if you must accept them, always verify their contents. Always validate forms and escape user input. Contact Form 7 has reCAPTCHA built in and connects seamlessly.

Going Further With WordPress Security

You can go further than these steps, too, and plugins make this easy. You can add two-factor authentication (2FA) when logging in, restrict the number of login attempts, or install an extensive security suite like Wordfence.

Security In Code

If you’re developing in WordPress, your code needs to be secure, too. Escape all user input, follow best practices, prevent SQL injection, use WordPress’s nonce system, and use the Roles & Capabilities functions. Develop with the mindset of “least access needed”: if you’re developing a plugin to manage blog posts, those users don’t need administrative access. Keep security and best practices in mind for all of your code.
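The practices from the "Forms and Captchas" and "Security In Code" sections together in one small plugin, as an added example that is not the article's code: a feedback form that carries a nonce and a honeypot field, a handler that checks the nonce, checks a capability (`edit_posts` rather than administrator, the "least access needed" idea), sanitises the input, inserts it with `$wpdb` so the value is escaped for SQL, and a renderer that escapes on output. The table name, action name, shortcode and text strings are assumptions made up for the example.

```php
<?php
/**
 * Plugin Name: SWD Feedback Form (added example, not from the article)
 */

// Assumption: one custom table, prefixed like every other WordPress table.
function swd_feedback_table() {
    global $wpdb;
    return $wpdb->prefix . 'swd_feedback';
}

register_activation_hook( __FILE__, function () {
    global $wpdb;
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( 'CREATE TABLE ' . swd_feedback_table() . ' (
        id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
        user_id BIGINT UNSIGNED NOT NULL,
        message TEXT NOT NULL,
        created DATETIME NOT NULL,
        PRIMARY KEY  (id)
    ) ' . $wpdb->get_charset_collate() . ';' );
} );

// [swd_feedback] renders the form. Least access needed: any user who can
// edit posts, not just administrators, and nobody who is logged out.
add_shortcode( 'swd_feedback', function () {
    if ( ! current_user_can( 'edit_posts' ) ) {
        return '<p>' . esc_html__( 'Please log in to leave feedback.', 'swd' ) . '</p>';
    }
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="swd_save_feedback">
        <?php wp_nonce_field( 'swd_save_feedback', 'swd_nonce' ); ?>
        <!-- Honeypot: people never see it, most bots fill it in. -->
        <div style="position:absolute;left:-9999px" aria-hidden="true">
            <label>Website <input type="text" name="swd_website" tabindex="-1" autocomplete="off"></label>
        </div>
        <textarea name="swd_message" maxlength="1000" required></textarea>
        <button type="submit"><?php esc_html_e( 'Send', 'swd' ); ?></button>
    </form>
    <?php
    return ob_get_clean();
} );

// admin-post.php dispatches the POST here for logged-in users.
add_action( 'admin_post_swd_save_feedback', function () {
    global $wpdb;
    $back = wp_get_referer() ?: home_url( '/' );

    // 1. Nonce: this form was issued by this site to this user.
    check_admin_referer( 'swd_save_feedback', 'swd_nonce' );

    // 2. Capability: the same check the form itself used.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'swd' ), '', array( 'response' => 403 ) );
    }

    // 3. Honeypot: a filled-in field means a bot; drop it silently.
    if ( ! empty( $_POST['swd_website'] ) ) {
        wp_safe_redirect( $back );
        exit;
    }

    // 4. Validate and sanitise the one real field.
    $message = sanitize_textarea_field( wp_unslash( $_POST['swd_message'] ?? '' ) );
    if ( '' === $message || mb_strlen( $message ) > 1000 ) {
        wp_die( esc_html__( 'Message must be 1 to 1000 characters.', 'swd' ), '', array( 'response' => 400 ) );
    }

    // 5. No string-built SQL: $wpdb->insert escapes each value per its format.
    $wpdb->insert(
        swd_feedback_table(),
        array(
            'user_id' => get_current_user_id(),
            'message' => $message,
            'created' => current_time( 'mysql', true ),
        ),
        array( '%d', '%s', '%s' )
    );

    wp_safe_redirect( add_query_arg( 'swd_sent', '1', $back ) );
    exit;
} );

// Escape on output: sanitised on the way in, escaped again on the way out.
// The table name is not user input; the only variable part uses a placeholder.
function swd_render_feedback( $limit = 10 ) {
    global $wpdb;
    $table = swd_feedback_table();
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT message, created FROM {$table} ORDER BY created DESC LIMIT %d",
        absint( $limit )
    ) );
    $html = '<ul>';
    foreach ( $rows as $row ) {
        $html .= '<li>' . esc_html( $row->message ) . ' <small>' . esc_html( $row->created ) . '</small></li>';
    }
    return $html . '</ul>';
}
```

The order in the handler is deliberate: the nonce and capability checks come before any request data is touched, so a forged or unauthorised request never reaches the validation or the database.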
