Your WordPress Security is Horrible – Here’s How to Fix It

You’ve probably heard plenty of horror stories about security problems involving WordPress sites (such as this one and this one), and they may have gotten you worried.

The truth is, we could all implement additional measures for securing our WordPress installs. Here are five things you can do today to greatly enhance the security of your WordPress-powered sites.

Secure Your Admin Area

Even if you have a random username and strong password for accessing the WordPress administration area, using additional layers of authentication is a good idea because they can lower the chance of a brute-force attack becoming successful.

There are three options for strengthening the security of the WordPress admin area.

Option 1: Password-Protect the WordPress Login Page

On an Apache web server, you can use htpasswd, which is a simple method of password-protecting website files. (Nginx, IIS, and other web servers will have their own version of password-protection.)

For WordPress, you could password-protect the wp-login.php file, for example. Doing this will require administrators of your site to type in an additional username and password before they can access the WordPress login page.

To learn how to password-protect your WordPress admin area, read this tutorial.

Option 2: Set Up Two-Step Verification

Two-step verification requires two separate stages of authentication before you can log into your WordPress admin area. This additional layer of authentication helps secure your WordPress site in cases where your username and password have been compromised without your knowledge. Two-step verification can give you time to reset your login information before your WordPress admin area is breached. Two-step verification also informs you when there are attempts to log into your WordPress admin area.

Here’s how two-step verification works:

  1. You sign into WordPress as you normally do.
  2. Right after entering your login information, you will receive a unique, one-time-use password on your mobile phone that will expire after a certain amount of time.
  3. If the unique password is incorrect or if the password has expired, access to your WordPress admin area will be denied, even if the login credentials used is valid.

You can use the Google Authenticator for WordPress plugin in conjunction with the Google Authenticator (which is available on iOS, Android and Blackberry devices).

Another plugin to consider is Duo Two-Factor Authentication. It can be set up to send an SMS to your mobile phone or to perform a voice call that discloses your unique password.

Screenshot of Duo Two-Factor Authentication WordPress plugin

Option 3: IP Address Whitelisting

Using this option, only authorized (whitelisted) IP addresses can access the WordPress admin area.

A drawback with IP address whitelisting is, if you work in many places (coffee shops, coworking spaces, etc.) or if you travel frequently, this security measure can be a hassle since you’d have to whitelist the IP address you’re using before you can access your admin area. There are workarounds to this, such as using a VPN so that you have a static IP address regardless of which network you’re connecting from.

Whitelisting IP addresses can be done through your site’s .htaccess file. You can use the following directive to deny access to WordPress’s wp-login.php page if the request doesn’t originate from your IP address (replace your.ip.address below with the IP address you normally use):

<files wp-login.php>
  order deny,allow
  deny from all
  allow from your.ip.address

If you want to whitelist multiple IP addresses, just add additional allow from lines. Here’s an example where the directive whitelists three different IP addresses:

<files wp-login.php>
  order deny,allow
  deny from all
  allow from
  allow from
  allow from

Maintain a Good Password Policy

WordPress sites involve several services that have user authentication: Your MySQL database, graphical user interfaces that you use to manage your WordPress-related assets and hosting such as cPanel and phpMyAdmin, the WordPress admin area, etc. It’s best to use strong, randomly-generated passwords for all services that can potentially be exploited to affect your WordPress site.

Also, it’s a good practice never to use the same username and password credentials for different services. This way, if one of your login credentials is compromised, the breach can be contained to just one service.

Using a password manager such as LastPass can help you keep track of your passwords. Because a password manager remembers your passwords for you, it gives you the freedom to choose complex (and thus more secure) passwords that you don’t have to commit to memory.

Remove Website Files That You Don’t Need

Having a regular website maintenance routine where you remove unused and outdated website files can improve WordPress security because doing so reduces potential attack vectors.

Many people either forget to remove unused or outdated files, or don’t think these files can be harmful and so they don’t take the time to maintain them. Later on, these files can cause security problems such as cross-site contamination, where attackers exploit vulnerabilities in old files that you’ve forgotten about.

Here’s a list of things to remove:

Protect Your WordPress Site Against DDoS Attacks

Distributed denial-of-service (DDoS) attacks are attacks that attempt to crash your website. Many people don’t think they can be a target of a DDoS attack, but it can happen to anyone.

With regular reports and studies showing that DDoS attack frequency, duration and size are growing drastically, now is the time to take steps to defend your site against downtime and subsequent revenue loss caused by denial-of-service.

Here are some services to look into if you’re concerned about DDoS attacks:

Use a Web Application Firewall

No matter how big (or small) your WordPress site is, it needs a web application firewall. A web application firewall blocks attacks that attempt to exploit common security vulnerabilities.

Even if you’re keeping your WordPress install, theme and plugins up-to-date with the latest security patches, you’re still at risk of exposure to zero-day attacks. Zero-day attacks in the context of WordPress can come from things like unpatched security issues that are unknown to the developers of your plugins or theme, or security issues that the developers have had no time to fix and release a patch for. A web application firewall could significantly reduce zero-day-attack vulnerabilities by blocking commonly known exploits such as SQL injection and XSS.

If you run your own Apache web server (or are using a VPS), ModSecurity is a free and open source web application firewall module you can install.

If you have a bit of money to spend, check out CloudProxy, a suite of website protection software. It comes with a web application firewall that supports many types of publishing platforms, including WordPress.

If you’re on a shared web hosting service and have a restricted ability to configure your web server, have a look at the Block Bad Queries WordPress plugin. While it isn’t technically a web application firewall, it does a good job of blocking malicious requests. BBQ adds directives to your .htaccess file that monitors your incoming website traffic for bad requests.

Related Content

Jacob Gube is the founder of Six Revisions. He’s a front-end developer. Connect with him on Twitter and Facebook.

This was published on Mar 2, 2015


LaptopHeaven Mar 04 2015

Monarobase Mar 05 2015

Nice article :)

Don’t forget to also deny access to xmlrpc.php as you will get almost as many attacks on this file as on wp-login.php…

Luke Pettway Mar 06 2015

I’d also at least encrypt the login page with a self signed cert or another method if possible since the form submits the data in plain text as far as I can remember.

Caleb Lane Mar 08 2015

These things are often not done on sites I work on, so I covered these things.


I agree, HTTPS should be used across all of the admin area for some sites. Although buying and configuring an SSL certificate is beyond some people’s technical ability. Also, if you only login from trusted networks, have a strong password, and use IP whitelisting or two factor authentication you are pretty secure and better than 99% of the sites out there. Although I do agree if you can it is always a good idea to use HTTPS for the login page, but even better the whole admin area.


I agree, it’s always a good idea to do that. Thanks for the comment.


Yes, it’s plaintext. I agree totally. Thanks for taking the time to reply.

Cathy Mayhue Mar 10 2015

But may I know how can I protect my word-press websites from malware?

Caleb Lane Mar 11 2015

@Cathy Mayhue

If you follow these 4 things, they will help greatly reduce the changes of your site getting hacked.

The first thing you need to do to your site is update WordPress from 3.5.1 to 4.1.1. And update all of your plugins and themes to the current version.

Alex Bailey Mar 12 2015

Some great things in here to consider, especially didn’t think about deleting deactivated plugins as that’s a way of how hackers can get into wordpress. The two different types of logins are also great

Worli Mar 13 2015

Great Share Caleb,

Typically WordPress is quite safe and protected if you use some security plugins as well as follow some general points to keep hackers away from your blog.

“Google Authenticator for WordPress” is a new plugin for me, i would give it a try.

Thank You!

    Caleb Lane Mar 17 2015

    Not necessarily… If you add a paid plugin or theme that you get from a site that is allowing you to download it for free, no matter what security you have… you may be out of luck. It could have a backdoor and your site would be compromised right away. Maybe you wouldn’t do it, but there are a lot of people who would. There are a ton of examples like that. I am sure if I listed them all you would probably say you would do one of them. And remember it only takes one mistake for a hacker to get in. Security isn’t as simple as everyone makes it out to be.

    I prefer the plugin Google Authenticator for WordPress over Google Authenticator, so make sure you pay attention to the difference when installing it on your site.

      Worli Mar 20 2015

      Totally agree with you! Thank you for the clarification.

Caleb Lane Mar 14 2015

Thanks Alex for the comment!

You might want to consider a plugin like Login Security Solution to not reveal login errors for your site and change the username admin to another one.

pceasies Mar 17 2015

If you’re going to do IP whitelisting, you may as well just only whitelist the IP of the server and VPN or create an SSH tunnel. You won’t have to worry about the IP changing since your server should be using a static IP. In addition, you have the benefit of requiring the SSH/VPN credentials or keys and will be connecting over an encrypted connection.

    Caleb Lane Mar 17 2015

    Good idea and it is definitely a great and secure option. You do have to remember one thing though. There aren’t many people who would be comfortable doing this I would say, so it isn’t very practical for 99% of the people using WordPress.

This comment section is closed. Please contact us if you have important new information about this post.