30+ WordPress Security Best Practices in 2025

Upfront: This article on WordPress security best practices is a 20-minute read, which is still faster than trying to recover from a hacked WordPress site.

WordPress runs over 40% of the internet. That also means it has a big target on its back. Every day, millions of bots and bad actors go poking around WordPress sites, looking for outdated plugins, lazy passwords, and that one admin account no one ever deleted.

And when they find something? It’s rarely pretty. Sites go down. Data leaks. Customers bounce. Reputations take a hit.

The good news is that most of these disasters are preventable. This guide lays out 30+ WordPress security best practices to keep your site locked down—from basic hygiene to advanced hardening.

Whether you’re running one blog or managing hundreds of client sites, consider this your unofficial checklist for not getting owned in 2025.

30+ WordPress Security Best Practices in 2025

Core Updates & Software Management Best Practices

If you’re going to skip parts of this guide (we don’t recommend it), at least don’t skip this one. Software updates are where most WordPress security lapses start, and where they’re easiest to fix.

1. Keep WordPress Core Updated

WordPress doesn’t just push out updates for fun. Each release patches vulnerabilities—sometimes ones that are already being exploited in the wild. The longer you wait to update, the bigger your attack surface becomes. Minor security updates usually install themselves, but major version upgrades still need your approval. Don’t drag your feet.

Before you click update, ensure you have a complete backup in place. If you’re running a business-critical site, test the update on a staging version first. And if you want full peace of mind, you can force automatic updates for everything via a single line in your wp-config.php file.

2. Update Your Plugins

Plugins are where most WordPress hacks begin. Not because plugins are bad, but because people forget to update them. In 2024 alone, nearly 8,000 new vulnerabilities were found in plugins and themes.  And often, patches already exist before an attack happens. It’s the delay that creates the damage.

Set aside time to regularly check for plugin updates. For plugins you trust—especially anything related to security, backups, or uptime monitoring—turn on auto-updates. If you see a change-log that mentions a security fix, don’t put it off. Update immediately.

And here’s a simple rule: if a plugin hasn’t been updated in over a year, it probably doesn’t belong on your site.

3. Don’t Ignore Theme Updates

Themes aren’t just about design. Many include their own functionality, custom scripts, and bundled plugins, which means they can become a security risk if left outdated. Even if vulnerabilities in themes are less common than in plugins, when they happen, they can be just as devastating.

Always keep your active theme updated. If you’ve made custom edits to the code, use a child theme to avoid losing your work during updates. And once your theme is live, clear out the demo files and extra templates that came with it. They serve no purpose, and sometimes, they open the door to exploits.

Keep one default theme on hand (like Twenty Twenty-Four) for troubleshooting. Everything else can go.

4. Avoid Nulled Plugins

Nulled plugins might seem like a clever workaround when you don’t want to pay for the premium version. But in reality, they’re a gift to attackers. These pirated versions often include hidden malware, backdoors, or tracking scripts, and since they’re disconnected from the official update stream, they never get patched.

If a plugin matters enough to your site that you’re willing to take the risk on a pirated version, it probably matters enough to buy it properly.

5. Delete What You Don’t Use

It’s not enough to deactivate old plugins and themes. If they’re still sitting on your server, they can still be exploited. Deactivated code is still code. It can still contain vulnerabilities. And if someone finds a way in, it’s game over.

If you haven’t touched a plugin or theme in six months, remove it. Don’t hoard software “just in case.” Less clutter means fewer potential entry points.

Also read: Top 10 WordPress Security Issues [+ How to Avoid Them]

User Access & Authentication Best Practices

6. Stop Using “admin” as a Username

It still happens. Thousands of WordPress sites are running accounts named “admin,” and attackers love them. Why guess both a username and a password when half the job is already done?

If your site still has an “admin” user, create a new account with a unique username, give it administrator privileges, and then delete the original. WordPress will reassign all content to the new account. Easy fix, big win.

And don’t get clever by switching to “administrator” or your company name. The less guessable, the better.

7. Use Strong Passwords

This sounds obvious until you realize how many sites are still using variations of “admin123.” Weak passwords are one of the fastest ways into a WordPress site, especially when bots can try thousands of combinations in seconds.

Use long, random, and unique passwords. Let WordPress generate them for you and store them in a password manager. Bitwarden, 1Password, take your pick. Just don’t rely on memory.

And about those “must change your password every 90 days” policies? They’re outdated. Better to have one very strong password you never reuse than five forgettable ones you rotate through. Change it if you suspect it’s been compromised, not just because a timer went off.

8. Add Two-Factor Authentication

Even if your password gets leaked, two-factor authentication (2FA) can stop attackers cold. It’s one of the most effective low-effort security upgrades you can make.

You can use apps like Google Authenticator or Authy. Most good security plugins support 2FA for admin logins. Also, ensure that you generate backup codes and store them in a safe location. Losing access to your 2FA device without a backup is its own kind of nightmare.

Start by requiring 2FA for administrators. Then roll it out to editors, authors, and anyone else with backend access. Here’s how to implement 2FA in your WordPress site.

9. Assign the Right Roles (and Only the Right Roles)

WordPress has a few default user roles: Administrator, Editor, Author, Contributor, and Subscriber. Not everyone needs full access to everything.

If someone just needs to write posts, don’t make them an Editor. If someone’s just moderating comments, they don’t need to install plugins. Stick to the principle of least privilege: only give people what they need, and nothing more.

If the built-in roles aren’t quite right, plugins like User Role Editor let you customize access down to the individual capability. It’s worth the setup.

10. Clean Out Old User Accounts

Users come and go. Passwords get reused. Accounts get forgotten. And all of that creates risk.

Audit your users on a monthly or bi-monthly basis. If someone hasn’t logged in for a while and no longer needs access, remove them. For people who’ve published content, WordPress will ask you whether to delete or reassign it. Just reassign and move on.

And if you’re running an agency or managing multiple sites, set up a simple offboarding checklist so users don’t linger longer than they should.

WordPress Login Protection Best Practices

11. Limit Login Attempts

One of the easiest wins. Without limits, bots can hammer your login page with thousands of guesses until something sticks. Add a limit—say, three to five tries—and they’re locked out.

Most security plugins can handle this. Some hosts offer it by default. And if you’re self-managing, you can configure it manually with a few lines of code or a lightweight plugin. Either way, the result is the same: brute force bots waste their time elsewhere.

Bonus tip: whitelist your IP address so you don’t lock yourself out during a late-night typo session.

12. Change Your Login URL

Every WordPress login page lives at /wp-login.php or /wp-admin. That’s not a secret. Which means bots don’t need to guess where to attack—they just show up.

Changing the login URL won’t stop a determined attacker, but it can block a lot of automated bot traffic. It’s like locking the side door and not putting a neon “Entrance Here” sign over it.

Plugins like WPS Hide Login make this painless. Just pick a new, unguessable URL. No need to overthink it—just don’t use “/login” or “/admin” again.

13. Add Server-Level Password Protection to wp-admin

Protect your /wp-admin directory with an additional username and password at the server level.

Most hosts allow you to do this through cPanel or your preferred control panel. Just make sure the password is different from your actual WordPress credentials—otherwise, what’s the point?

It adds one more step for legit users, but the extra friction is worth it if you’re running a sensitive or high-traffic site.

14. Add reCAPTCHA to Login and Forms

ReCAPTCHA helps separate the humans from the bots, and it works. When added to your login page, it can shut down automated brute force tools.

The newer versions (v2 and v3) are much less annoying than the old “click all the traffic lights” days. Many security and form plugins now integrate reCAPTCHA with a few clicks. Use it on your login page, contact forms, and anywhere else bots might be. 

Just make sure it doesn’t conflict with caching plugins or custom login pages. If something breaks, test and tweak.

15. Auto-Logout Idle Users

People walk away from their computers. It happens. What you don’t want is an admin dashboard left wide open on a shared screen or in a public space.

Set idle sessions to expire after 15–30 minutes for admin users, longer for regular users. You can find plugins that do this automatically, and some even give users a warning before they’re logged out.

Think of it like locking your phone screen. Nobody likes it, but you’ll be glad it’s there when you forget to close a tab in a coffee shop.

File and Server Security Best Practices

16. Lock Down wp-config.php

Your wp-config.php file holds the keys to your site: database credentials, security salts, API keys—everything.

Lock it down. Set file permissions to 600 so only the server can read or write to it.

If your hosting setup allows it, move the file one level above your WordPress root. WordPress will still find it, but hackers won’t. (Note: this only works if your host allows access outside the public_html or www directory.)

Want to go even further? Add a rule to your .htaccess file to deny all HTTP access to this file.

17. Disable the Built-In File Editor

Yes, WordPress lets you edit theme and plugin files directly from the dashboard. Yes, that’s convenient. It’s also a huge security risk.

If an attacker gets access to an admin account, the first thing they’ll do is use the editor to drop in malicious code. Disable it entirely by adding this line to wp-config.php:

php

define('DISALLOW_FILE_EDIT', true);

Developers can still access files via SFTP or Git—the proper way to make changes anyway.

18. Set the Right File Permissions

Permissions control who can read, write, and execute files. Set them wrong, and anyone can poke around—or worse, inject malicious code.

File permissions control who can do what with your files. Stick to 755 for folders and 644 for files—this keeps them readable by the server but not writable by just anyone.

Never use 777 unless you want to give full access to everyone. And if you’re on shared hosting, check your host’s documentation. Some setups require slightly stricter rules, such as 750.

After changing permissions, double-check that your site still works. It’s boring work, but it matters.

19. Change the Default Database Prefix

By default, WordPress uses wp_ as the prefix for all database tables. Attack bots know this.

Changing the prefix can block basic SQL injection attacks that look for known table names, such as wp_users or wp_options.

To change it, edit the $table_prefix in wp-config.php and rename all the database tables to match.

Warning: This can break your site if done incorrectly. Always back up your database first. Use a plugin if you’re unsure.

20. Disable Directory Browsing

If a folder on your server doesn’t contain an index file, visitors might see a full list of everything inside it. Not ideal.

You don’t want people snooping around your /wp-content/uploads/ or plugin directories. To stop that, add this to your .htaccess file: Options -Indexes

That’s it. One line. No more browsing your file structure like it’s a public folder on Dropbox.

Network and Communication Security Best Practices

21. Use SSL. Everywhere.

If your site still loads over HTTP, you’re behind the times—and exposed. Without SSL, login credentials, form data, and even cookies travel unencrypted. That’s an open invitation for interception.

Most hosts now offer free SSL certificates via Let’s Encrypt. Use one. After it’s installed, force all traffic to HTTPS and update your WordPress URL settings. That padlock in the browser? It’s not just about trust—it’s about encryption.

If you’re seeing mixed content warnings, it means some assets are still loading over HTTP. Use a plugin like SSL Insecure Content Fixer to clean them up.

22. Use a Web Application Firewall (WAF)

A WAF filters out malicious traffic before it even hits your site. Cloud-based WAFs, such as Cloudflare, route traffic through their servers, blocking threats and even speeding up your site with built-in CDN features. Application-level firewalls like Wordfence or Sucuri run inside WordPress itself and can block known attack patterns and bad IPs in real-time.

Neither is perfect. But both give you visibility into what’s trying to get in—and the power to shut it down.

23. Disable XML-RPC

XML-RPC is a legacy feature that lets external apps connect to WordPress. Most sites don’t need it, and hackers often use it for brute force attacks and DDoS amplification.

Unless you’re using a plugin that needs it, disable XML-RPC. If you’re unsure, you can block just the dangerous methods, like system.multicall, instead of turning it off entirely. Safer either way.

24. Add a CDN

A content delivery network (CDN) stores static versions of your site on servers around the world. That means faster load times—and more protection.

During a DDoS attack, a CDN can absorb the traffic, preventing a server crash. It also hides your origin IP, making it harder to target. Cloudflare, Bunny.net, and Amazon CloudFront are all solid options. Some hosts even include CDN services out of the box.

It’s not just a performance tool. It’s a layer of defense.

25. Add Security Headers

Security headers tell browsers how to handle your content. They can help prevent things like cross-site scripting (XSS), clickjacking, and other client-side attacks.

Add headers like Content-Security-Policy, X-Frame-Options, and X-XSS-Protection via your .htaccess file or a plugin that supports them. They don’t take long to configure, and once they’re set, they just work.

You can check your current setup using securityheaders.com. Aim for at least a B grade.

Monitoring and Maintenance Best Practices

26. Scan for Malware Regularly

Not all hacks are obvious. Some malware sits quietly, siphoning data or redirecting users without drawing attention. That’s why regular scans matter.

Use a malware scanner that checks core files, themes, and plugins for unauthorized changes or suspicious code. Daily is ideal—weekly at minimum. Many tools compare your files to the originals and flag anything that looks sketchy.

Be aware of false positives, especially when using custom code. If something gets flagged, don’t panic—just investigate before deleting.

27. Back Up Everything. Often.

When things go wrong, backups are your lifeline. They let you restore your site to a clean state, without starting from scratch.

A proper backup includes both your site files and your database. Store them offsite—cloud storage, a secure remote server, or even local storage if you’re disciplined about syncing. Never rely on your host’s backups alone.

How often should you back up? For static sites, once a week might be fine. For busy blogs or eCommerce stores? Daily. Or more.

Most important: test your backup and restoration process. If you’ve never tried restoring one, you don’t know if it works.

28. Monitor User Activity

Ever wonder who installed that random plugin, or why that post suddenly disappeared? Activity logs answer those questions.

Logging tools track logins, plugin installs, content edits, and more. They’re useful for spotting suspicious behavior, especially when you have multiple users or clients working in the backend.

If someone injects malicious code or tries something shady, you’ll know who, when, and what they did. That makes cleaning up faster—and a lot less guesswork.

29. Hide Your WordPress Version

By default, WordPress includes its version number in your site’s page source. Bots use this info to find sites running outdated software with known vulnerabilities.

You can remove the version output by adding this to your theme’s functions.php file:

php

remove_action('wp_head', 'wp_generator');

It won’t stop a targeted attacker, but it’ll cut down on drive-by scanning from automated tools. And in security, every bit helps.

30. Keep Your PHP Version Updated

WordPress runs on PHP. And just like WordPress, PHP needs to be kept up to date.

Newer versions of PHP aren’t just faster—they’re safer. As of now, anything below PHP 8.0 is either near end-of-life or already unsupported. Check your current version under Tools → Site Health → Info → Server. If you’re behind, talk to your host about upgrading. Be sure to test compatibility first—some older themes or plugins might need updates of their own.

Infrastructure and Hosting Best Practices

31. Use a Security-Minded Hosting Provider

Your site’s security is only as good as the server it runs on. Choose a host that understands WordPress and offers built-in security features, like malware scans, account isolation, firewalls, and rate limiting.

Ask if they use containers or chroot jails to separate accounts. If they don’t know what that means, run.

Look for daily backups, offsite storage, and one-click restore options. Bonus points for real 24/7 support from people who know what WordPress is.

32. Install a Real Security Plugin

Yes, WordPress is technically secure out of the box. But it’s also flexible, and that flexibility opens up vulnerabilities.

A well-maintained security plugin like WP Umbrella gives you defense in depth: login protection, file integrity monitoring, GDPR-compliant backups, and more—all in one place.

Go for a plugin that’s actively maintained and widely used—any of the major players will do the job. Just avoid piling on three at once. Too many security plugins can cause conflicts or slow down your site.

Let one tool do the heavy lifting, and configure it properly.

33. Turn Off PHP Error Reporting

Debug mode is great when you’re building a site. On production sites, keep error reporting off. It can leak file paths, database details, or plugin names to the world.

Keep it off by adding this to your wp-config.php file:

php

define('WP_DEBUG', false);

define('WP_DEBUG_DISPLAY', false);

Some hosts also let you manage this at the server level. Either way, the goal is the same: don’t hand over your server architecture to every visitor with a browser.

Advanced Protection Strategies

34. Harden Your Database Access

Your WordPress database holds everything: logins, posts, settings, comments, and custom fields. If someone gets in, they don’t need to deface your homepage—they can rewrite your entire site from the inside out.

Start by assigning limited permissions to your database user. WordPress doesn’t need full root access. Just enough to read, write, and manage content. No more, no less.

Regular maintenance matters too. Clear out post revisions, spam comments, and unused plugin tables. The smaller and cleaner your database, the easier it is to spot something weird.

If your host offers encryption at rest for databases, enable it, especially if you handle personal or financial data.

35. Have an Incident Response Plan

Even the best setups can fail. Someone clicks a phishing link. A zero-day hits. A plugin update goes sideways. What matters most in those moments is how fast you can react.

You should know exactly what to do when things go wrong: who to contact, what to check first, and how to bring the site back online safely. That means backups, yes—but also logs, access credentials, DNS settings, and a way to communicate with your team or clients while you triage.

Have templates ready for notifying users. Document your cleanup steps. And once the dust settles, do a post-mortem. Every incident is a lesson—if you’re paying attention.

Related: How to Perform a WordPress Security Audit: Step-by-Step Guide

WP Umbrella: Because Handling Security Manually Is…a Lot

We’ve just walked through more than 30+ WordPress security best practices. Following them on one or two WordPress sites is totally doable. However, doing it across 10, 20, or 50 sites? Good luck keeping up without losing your weekends.

To save your time, WP Umbrella helps you scale good security hygiene. From a single dashboard, you can monitor outdated plugins, themes and WordPress core, proactively block vulnerabilities, and back up everything without bouncing between sites or setting 30 different calendar reminders.

Automated Security Monitoring

WP Umbrella continuously monitors your WordPress sites for vulnerabilities, outdated software, and security threats. The platform automatically detects when plugins, themes, or WordPress core need updates, alerting you to critical security patches that require immediate attention.

WP Umbrella scans for vulnerabilities four times daily, providing constant protection against emerging threats. The platform also monitors SSL certificates and validates proper HTTPS configuration across all your sites.

Security configuration monitoring tracks critical settings like WP_DEBUG status to ensure debug mode isn’t accidentally enabled on production sites. WP Umbrella alerts you when debug settings expose sensitive information that could help attackers understand your site structure and identify vulnerabilities.

This addition makes perfect sense, as it directly ties back to the security best practice we covered earlier, which involves disabling PHP error reporting and debug mode. It shows how WP Umbrella automates the monitoring of these important security configurations.

Site Protect: Advanced Security Add-on

Site Protect implements many of the security best practices covered in this guide automatically. This add-on provides virtual patching that protects against known vulnerabilities even before official patches become available, working at the PHP level to prevent attacks from reaching your WordPress installation.

Security hardening features automatically disable file editing, remove WordPress version information, block user enumeration attempts, and add security headers. The integrated firewall blocks malicious traffic, brute force attacks, and common WordPress exploits without affecting legitimate visitors.