General practice of WordPress security

Security matters for every website. Google blacklists roughly 25,000 sites a week for malware and about 60,000 for phishing, so every site owner needs to take it seriously. WordPress powers a large share of the web, which makes it the most frequently attacked CMS: attackers scan for it at scale because one working exploit against a popular plugin reaches thousands of sites at once.

That volume, not any inherent weakness of the core, is why WordPress gets called a hackers' paradise. In practice most compromised WordPress sites were running outdated core, theme or plugin code, or had a weak administrator password.

There are many ways to protect a WordPress site. This article walks through the most useful hardening steps, with example code where it helps.


Always update
Priority: High

Keep WordPress core, themes and plugins on their latest versions. The large majority of WordPress break-ins go through a known, already-patched vulnerability in an outdated plugin or theme, which makes this the single most effective item on the list. Minor core releases update themselves by default; setting the WP_AUTO_UPDATE_CORE constant to true in wp-config.php includes major releases as well. Either enable automatic plugin updates or check for them on a fixed schedule.

Authentication Unique Keys
Priority: High

WordPress uses these eight secrets to sign its login and nonce cookies. If they are left at the sample placeholders, WordPress falls back to random values it stores in the database, so the signing secret lives next to the data it protects; unique values in wp-config.php keep it out of the database and let you invalidate every session at once by changing them. The web installer fills them in, but a wp-config.php copied by hand from wp-config-sample.php still carries the placeholders, which look like this:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
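As an added example (this is not code from the original post), the following shell script generates eight fresh 64-character secrets from the kernel CSPRNG and swaps them into an existing wp-config.php, keeping a .bak copy. The function names wp_random_secret, wp_salts_block and wp_rotate_salts are this example's own. The character set is a subset of the one WordPress's wp_generate_password() draws from, chosen so every value can sit inside a single-quoted PHP string without escaping.

```shell
#!/usr/bin/env bash
# Added example: generate fresh WordPress authentication keys and salts
# locally and write them into wp-config.php. Not part of the original post;
# wp_random_secret, wp_salts_block and wp_rotate_salts are names chosen here.
set -eu

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character secret from /dev/urandom. The alphabet is a subset of what
# wp_generate_password() uses; single quote and backslash are left out so the
# value is safe inside a single-quoted PHP string. 64 chars from ~70 symbols
# is far beyond what any brute force could cover.
wp_random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=~-' < /dev/urandom | head -c 64
}

# Print the eight define() lines that replace the placeholder block.
wp_salts_block() {
  for key in $WP_KEYS; do
    printf "define('%s', '%s');\n" "$key" "$(wp_random_secret)"
  done
}

# Rewrite the key/salt lines of an existing wp-config.php, keeping a .bak
# copy. Every other line is copied through untouched, so custom constants,
# $table_prefix and comments survive. Existing sessions are invalidated.
wp_rotate_salts() {
  cfg="$1"
  tmp="$(mktemp)"
  while IFS= read -r line || [ -n "$line" ]; do
    replaced=0
    for key in $WP_KEYS; do
      case "$line" in
        "define('$key',"*|"define( '$key',"*)
          printf "define('%s', '%s');\n" "$key" "$(wp_random_secret)"
          replaced=1
          break
          ;;
      esac
    done
    [ "$replaced" -eq 1 ] || printf '%s\n' "$line"
  done < "$cfg" > "$tmp"
  cp -p "$cfg" "$cfg.bak"
  cat "$tmp" > "$cfg"   # cat, not mv, so owner and mode of wp-config.php are kept
  rm -f "$tmp"
}

# Usage:
#   wp_salts_block                                # block to paste into a new config
#   wp_rotate_salts /var/www/html/wp-config.php   # rotate an existing one
```

Rotating the keys logs every user out, because the cookies are signed with them; that is exactly what you want after a suspected compromise or after a wp-config.php has been exposed. The same result without a script: `wp config shuffle-salts` with WP-CLI, or paste the output of https://api.wordpress.org/secret-key/1.1/salt/ over the placeholder lines.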

Use a strong username
Priority: High

Do not use a predictable username such as admin, administrator or webadmin for the first account; brute-force tools try those first. Also keep the login name different from the public display name. Two caveats: WordPress compares usernames case-insensitively at login, so mixing upper and lower case adds nothing; and usernames are not secrets anyway (author archives at /?author=1 and the REST endpoint /wp-json/wp/v2/users reveal them), so the real protection is a strong password, two-factor authentication and login rate limiting.

Use a strong password
Priority: High

Set a long, unique password for every WordPress user, generated and stored by a password manager rather than reused from another site. Most WordPress account takeovers are credential stuffing or dictionary guessing against the login form, not attacks on the hashing. Enforce this for other users too, since an editor or subscriber account is a foothold as well, and add two-factor authentication and login rate limiting for administrators (both are available as plugins).

Change database table prefix
Priority: Medium

The WordPress installer creates its tables with the prefix wp_ by default; a standard single-site install creates 12 tables, all with that prefix. Choosing a different, random prefix at install time (the installer asks for it, and it is stored as $table_prefix in wp-config.php) blunts copy-paste SQL injection payloads that hard-code wp_users and wp_options.

Treat this as a nuisance for automated attacks rather than a real defence: the prefix is easy to recover (any injection point can read it from information_schema, and error messages or plugins often leak it). Changing the prefix on an existing site is more than renaming the tables; the prefix is also embedded in option and user-meta names such as wp_user_roles and wp_capabilities, which must be renamed too or every user loses their role. Do it at install time, not as a retrofit.

Disable the theme and plugin editor
Priority: High

The WordPress admin panel includes a code editor that lets administrators edit theme and plugin files in the browser. It is convenient, but a typo can take the site down, and for an attacker who gets into an admin account (phished credentials, a stolen cookie, a privilege-escalation bug in a plugin) it is the fastest route from "logged in" to "running arbitrary PHP on the server".

Turning the editor off removes that step and forces file changes through the deployment path you actually control. Add the following line to wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

The related constant DISALLOW_FILE_MODS goes further and also blocks installing and updating plugins and themes from the admin panel, which suits sites deployed from version control; do not set it on a site that relies on the dashboard for updates.

Move wp-config.php outside the web root
Priority: High

By default wp-config.php sits in the root of the install. It holds the database name, username and password, the authentication keys and salts, and often API secrets, so anyone who can read it owns the site and its database. PHP files are normally executed rather than served, but a broken PHP handler, a backup copy left behind by an editor (wp-config.php~, wp-config.php.bak, wp-config.php.orig) or a path-traversal bug in a plugin can expose it as plain text.

WordPress looks for wp-config.php one directory above the install if it is not in the root, so when the site lives in public_html you can simply move the file up one level, outside the web root, with no code change. (The only condition is that the parent directory is not itself a WordPress install.)

If you cannot move it, you can at least block direct requests for it in .htaccess:

<Files wp-config.php>
    # Apache 2.2 syntax; on Apache 2.4 replace the next two lines with: Require all denied
    Order allow,deny
    Deny from all
</Files>

This stops the web server from answering HTTP requests for the file itself, but it does nothing for a backup copy under another name or for anyone with FTP/SSH access to the account. Delete stray copies, and keep the file's permissions tight (see File permissions below).

Prevent directory listing
Priority: High

When a request names a directory that has no index file, Apache may answer with an auto-generated listing of its contents, which hands a scanner the exact plugin versions and upload names on the site. Turn indexing off for the whole site with the following line in .htaccess:

Options -Indexes

With indexing disabled the server responds to such requests with 403 Forbidden instead of a listing. (The form "Options All -Indexes" that is often copied around also switches on every other option, including server-side includes and CGI execution; there is no reason to enable those just to turn listings off.) This is a web-server setting, not an FTP one; it does not stop anyone who already has filesystem access.

File permissions
Priority: High

To limit what a compromised plugin, a stray upload or another account on a shared host can do, set file and directory permissions on the server filesystem deliberately instead of leaving whatever the installer or FTP client produced. Permissions decide which users can read, write and execute (for directories: enter) each file or folder.

The usual baseline is 755 for directories and 644 for files: the owner writes, everyone else only reads. On top of that, tighten the file that matters most and never loosen the folder that is most often found world-writable by mistake:

wp-config.php

  • Desired: 600 (or 400 once the site is stable)
  • Fallback: 440, 640

uploads folder

  • Desired: 755
  • Never: 766, 777 (world-writable; any local user or process can drop a web shell there)

.htaccess files

  • Desired: 644
  • Fallback: 444 (also stops WordPress and plugins from rewriting it), 440, 600, 640

Which mode works depends on who PHP runs as. If PHP runs as the file owner (a php-fpm pool per site, suPHP, CGI), 600 or 400 on wp-config.php is fine. If PHP runs as a shared web-server user that is not the owner (classic mod_php as www-data with files owned by a deploy user), 600 leaves the site unable to read its own configuration; use 640 with the web server's group, and keep 755/644 elsewhere.

Add a blank index.php
Priority: High

Bots and scanners request the well-known WordPress folders directly to read their contents. Even with directory indexing turned off, a blank index.php in each folder is worth having: it makes the folder answer with an empty page on any web server, including hosts that ignore .htaccess and nginx setups where no equivalent rule was configured. WordPress ships such files in some of these folders; uploads and folders created by plugins usually lack one.

Add a blank index.php to each of these folders:

  • wp-includes
  • wp-content
  • wp-content/plugins
  • wp-content/themes
  • wp-content/uploads


Update the blog title and tagline
Priority: High

The title and tagline are the most visible identity of a site and feed into search engine optimisation (SEO); leaving the defaults ("Just another WordPress site") also tells a scanner the install was never configured. This is housekeeping rather than a security control.

Go to Settings > General and change the Title and Tagline.

Set the default date, time and time zone
Priority: Medium

WordPress displays dates in the format December 10, 2017 and times in the format 5:45pm, and uses UTC (Coordinated Universal Time, also shown as GMT) unless a time zone is set. Set the site's real time zone: scheduled posts, comment timestamps and the times you will compare against server logs during an incident all depend on it.

Go to Settings > General.

Delete default content
Priority: Medium

Delete the default "Hello world!" post, the sample comment and the sample page from the WordPress admin; they advertise an unconfigured install and are a common fingerprint in scanner output.

Delete sample files
Priority: High

Delete wp-config-sample.php and readme.html from the WordPress root: readme.html discloses the installed version to anyone who requests it, and the sample config is simply unused. Every core update writes these files again, so repeat this after each update or block them at the web server instead. Leave wp-admin/install.php and wp-admin/upgrade.php alone: upgrade.php is required to finish database upgrades after a core update, and install.php only reports that WordPress is already installed once setup has run.
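The file-permission, blank index.php and sample-file steps above are one procedure on the filesystem, so here they are as a single added shell script (this example's own code, not the original post's; the function names wp_harden_fs, wp_fix_permissions, wp_add_blank_index and wp_remove_disclosure_files and the two list variables are chosen here). It assumes a Unix host where PHP runs as the owner of the files, which is what makes 600 on wp-config.php safe; where PHP runs as a separate web-server user, change that chmod to 640 and give the file the server's group.

```shell
#!/usr/bin/env bash
# Added example: apply the filesystem hardening steps above in one pass.
# Not from the original post; function and variable names are chosen here.
#   - directories 755, regular files 644, wp-config.php 600
#   - a blank index.php where a listing must never appear
#   - remove files that only disclose the WordPress version
# Assumes PHP runs as the owner of the files (php-fpm pool per site, suPHP);
# if it runs as a separate web-server user, use 640 plus the server's group
# for wp-config.php instead of 600, or the site cannot read its own config.
set -eu

# Directories that should answer with a blank page rather than a listing.
WP_SILENT_DIRS="wp-includes wp-content wp-content/plugins wp-content/themes wp-content/uploads"

# Files safe to delete: they only reveal the installed version. A core update
# writes them again, so run this after every update. wp-admin/upgrade.php is
# deliberately not here: WordPress needs it to finish database upgrades.
WP_DISCLOSURE_FILES="readme.html wp-config-sample.php"

wp_fix_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  # Database credentials and salts live here: owner-only.
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

wp_add_blank_index() {
  root="$1"
  for d in $WP_SILENT_DIRS; do
    if [ -d "$root/$d" ] && [ ! -e "$root/$d/index.php" ]; then
      # Same content WordPress ships in its own directory index files.
      printf '<?php\n// Silence is golden.\n' > "$root/$d/index.php"
    fi
  done
}

wp_remove_disclosure_files() {
  root="$1"
  for f in $WP_DISCLOSURE_FILES; do
    rm -f "$root/$f"
  done
}

# Entry point. Refuses to touch a directory that is not a WordPress root, so a
# typo in the path cannot recursively chmod the wrong tree.
wp_harden_fs() {
  root="$1"
  if [ ! -f "$root/wp-settings.php" ]; then
    echo "not a WordPress root: $root" >&2
    return 1
  fi
  wp_remove_disclosure_files "$root"
  wp_add_blank_index "$root"
  wp_fix_permissions "$root"
}

# Usage (as the file owner, and again after each core update):
#   wp_harden_fs /var/www/html
```

Run it as the user that owns the files, and re-run it after every core update, which restores readme.html. One thing permissions alone cannot fix: uploads at 755 still lets the web server execute a .php file that an attacker manages to place there through a vulnerable plugin, so pair this with a web-server rule that refuses to execute PHP under wp-content/uploads.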

Remove unused plugins and themes
Priority: Medium

Remove (not just deactivate) every plugin and theme you are not using. A deactivated plugin's files are still reachable by URL, so a vulnerability in one of them that can be triggered by loading the file directly is still exploitable, and an installed-but-dormant theme or plugin tends to fall behind on updates.

Disable user registration
Priority: High

If the site does not need self-service accounts, turn registration off in the WordPress admin. Go to Settings > General and make sure the "Anyone can register" box is unchecked. While there, confirm that "New User Default Role" is Subscriber, so that even if registration is later enabled by mistake, new accounts get no editing rights.

Disable comments
Priority: Medium

If comments are not needed, disable them: comment spam is the most common automated traffic a WordPress site receives, and the comment form is one input surface fewer to monitor. Go to Settings > Discussion and uncheck "Allow people to post comments on new articles". (This affects new posts only; existing posts keep their own per-post setting.)

Allow the site to be crawled
Priority: Medium

Once the site is ready for the public, allow search engines to index it: go to Settings > Reading and uncheck "Discourage search engines from indexing this site". Keep it checked on staging and development copies, which should not appear in search results at all.

Enable permalinks and check for SEO-friendly URLs
Priority: Medium

The default WordPress URL structure (?p=123) is not search-engine friendly. Use pretty permalinks, which put the post name, category or tag in the URL. Go to Settings > Permalinks; on Apache this needs mod_rewrite and either a writable .htaccess or the rewrite rules WordPress prints on that page, added by hand.

Create and check the 404 page
Priority: Medium

Make sure the theme has a 404 page and test it, so that a visitor who requests a page that does not exist gets a useful way back into the site rather than leaving. The page should not echo the requested path back unescaped or reveal server details.

Set up proper redirections
Priority: Medium

Pick one canonical host (www or non-www, and HTTPS) and redirect everything else to it, so the site, its cookies and its search listing live on a single origin. Add the following lines at the top of the .htaccess file, above the "# BEGIN WordPress" block that WordPress rewrites on its own:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\.com$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]

example.com is a placeholder; replace it with your domain name, and swap the two forms if you prefer the bare domain. If the site is served over HTTPS, set WP_HOME and WP_SITEURL in wp-config.php to the same https:// origin so WordPress generates matching links.

Create a sitemap
Priority: Low

Create an XML sitemap and make it reachable from the root of the site. WordPress 5.5 and later generate one at /wp-sitemap.xml by default, and most SEO plugins maintain their own.

Google Analytics
Priority: Low

Add the Google Analytics tracking code. For details see the Google Analytics documentation.

Standard robots.txt
Priority: Medium

Before crawling, a well-behaved search engine fetches the site's robots.txt and follows its rules on where it may crawl. It is a hint to cooperating crawlers, not an access control: attackers' scanners ignore it, and the file is public, so every path listed in it is a hint to a human reader as well.

A commonly circulated robots.txt for the root folder looks like this:

User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: /wp-includes/js/
Disallow: /*?*
Disallow: /*?
Disallow: /*~*
Disallow: /*~

Two cautions before copying it. Blocking /wp-includes/ and the plugin and theme folders keeps Google from fetching the CSS and JavaScript it needs to render and rank pages, and the "/*?*" rules also hide legitimate search and pagination URLs; most sites are better served by disallowing /wp-admin/ alone, which is WordPress's own default (it also allows /wp-admin/admin-ajax.php). Keeping folders from being browsed is a job for the web server (indexing off, a blank index.php), not for robots.txt.

Install a captcha plugin
Priority: Medium

A captcha is the simplest way to cut automated submissions. Enable it on every public form in WordPress (login, registration, comments, contact forms). Many WordPress captcha plugins are available; prefer one that also rate-limits the login form, since captcha-solving services mean a captcha alone does not stop a slow, distributed password-guessing run.

Install a security plugin
Priority: High

Install a reputable security plugin and run a full scan. Look for four things: a malware scan of the files, an integrity check of core files against the official checksums, login protection (rate limiting, lockouts, optional two-factor authentication), and an activity log you can read after something goes wrong. A plugin complements the steps above; it does not replace updates and backups.

Install one SEO plugin
Priority: Medium

Install one SEO plugin and configure it; several are available in the WordPress plugin directory. One is enough: two SEO plugins fight over the same page metadata.

Prevention is better than cure

Following these steps removes the easy wins an attacker looks for first. None of them replaces keeping core, themes and plugins updated, or taking regular off-site backups so that a compromise can be rolled back. Hope you found this article useful. Don't forget to share it with your friends.
