The best time to make sure your website is secure is when you first install it. Here is an explanation as to why it must be done, as well as list of best practices for securing your new WordPress website.

Note: This article does not cover ways to maintain the security of your site, but simply how to ensure that it is secure from the get-go.

Make sure to read this article if you want to learn how to create SEO-friendly WordPress blog posts.

Why secure your WordPress website?

Unfortunately, all WordPress websites are targets for malicious activity. This is because it is the most popular content management system in the world (similar to how Windows computers are more likely to get hacked than other types because they are the most popular operating system).

Even if your website is small, doesn’t contain sensitive information or even get a lot of traffic, it is still a target for malicious activity. Hackers can manipulate your site for their benefit and at the expense of your precious time, money, and reputation.

Various hacker tactics include:

  • Holding your website for ransom
  • Stealing user information
  • Installing malicious software
  • Distributing malware to your users
  • Creating links on your site to their nefarious site(s)

Often this kind of activity is executed by bots that don’t discriminate between one WordPress site or another, but are simply looking for any WordPress site that has one or more vulnerabilities.

How to secure your new WordPress install

Without further ado, here is my list of key steps to take in order to ensure your new site is secure:

  • Always use a dedicated server or virtual private server instead of shared hosting. Shared hosting shares a server with other websites which can infect your website if they are hacked.
  • Set up a daily backup system. I prefer the UpdraftPlus plugin that saves your backups to Dropbox.
  • Always use plugins that are up to date, maintained regularly by their development team, and in the WordPress plugin repository. A plugin that is not available in the repository is not officially approved by
  • Enable a Web Application Firewall, like Sucuri’s.
  • Always use an SSL certificate and force HTTPS.
  • Always use strong passwords for all accounts related to your site, including domain registrar, hosting, and FTP/SFTP access, and require them of your users (security plugins can help with this, listed below).
  • Make sure your site directories and files have the correct permissions (again, the security plugins listed below can help you determine whether or not your directories/files have the correct permissions).
  • Never keep the “admin” user in your site. If your one-click install created this user, delete it after creating a new administrator account.
  • Change your default database prefix from wp_ to something custom and difficult to guess. This should be done before there is any content on your new site.
  • Limit login attempts.
  • Stop brute force attacks using the iThemes plugin.
  • Disable file editing by placing the following code in your wp-config.php file:

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

  • Disable PHP file execution in uploads folders by creating a .htaccess file to place in all the /uploads directories that includes this code:

<Files *.php>
deny from all

  • Disable XML-RPC.
  • Hide your login and admin page so people that aren’t supposed to find it can’t.
  • Disable directory browsing and indexing.
  • Log out idle users automatically.
  • Activate two factor authentication (2fa) for all WordPress user accounts.

Free Security Plugins

After your WordPress setup is secure, make sure to install my personal favorite (and free!) WordPress security plugins, some which were referenced above:

Security Maintenance

After your website is set up using the guidelines discussed in this article, you will need to regularly maintain it so it is secure. I will publish an article outlining the necessary steps to do that in the near future.

Need help?

Please contact me if you need assistance securing your WordPress website. I’d be happy to offer you a complimentary security audit and provide you with a quote.