Secure Your WordPress Site

WordPress is an open source project and developed by the community from all over the world. A lot of expert spent their times to make WordPress as secure as possible. But I’m not in the position to say that it has bulletproof for security vulnerability. You can see there are couple security has been reported fixed and disclosed in WordPress hackerone. You can report any security issue too, if it is valid, you’ll get bounty!

With that said, I would like to share couple best practices I did to hardened my WordPress site.

Add https to your WordPress site

You must have https for your site. Now SSL certificate is free, and easy to install. And if you are on share hosting, ask your hosting provider to add the free SSL certificate for you.

I’m on Vultr vps, and I’m using this guide to add Let’s encrypt SSL certificate for this blog: Install Let’s Encrypt SSL on One-Click WordPress App.

If You are on share hosting with cPanel, it has AutoSSL feature enabled by default (should be). All you need is open a ticket to your hosting provider support and ask them to enable SSL for your domains.

Or You can use free SSL from Cloudflare. Open an account in Cloudflare, and follow their instruction to move your Nameserver and DNS over to Cloudflare. And from your WordPress admin, install Cloudflare plugin and activate the SSL feature.

Enable 2 Step Authentication For Your Admin Login

Enable sign in from Jetpack security setting page. Then also enable Require two-step authentication. You need to follow the setup instruction to enable that.

Always Code Review a Plugin/Themes Before Install or Update

Most of the WordPress hacked is from plugin vulnerability. These are the steps to review a plugin/theme:

  1. Always get the plugin from the trusted source
  2. Read the plugin review
  3. Check the plugin inĀ WPScan Vulnerability Database
  4. Open the source code and do code review based on WordPress Coding Standard and 10up Engineering Best Practices.
  5. Testing it in local environment/staging

If that plugin/theme is poorly written and against the coding standard and best practices, I rather not install that plugin and find something else. When the case I really need to use that plugin, then I will patch the code and remove the high risk code then install it. Sometime I email the plugin owner with my patch so they can fix their plugin. This is the beauty of open source.

Keep Your WordPress Up To Date

By default WordPress has auto update if there is a security release. But just in case You haven’t update your WordPress, always keep your WordPress to latest release.

Daily Maintain Your Website

Check your website daily, use it, write contents. Most WordPress sites get hacked also because it’s being abandoned. 

That’s all I can share today, I hope it’s useful for You. Remember your sites is as secure as you care.


  1. Andy Saw says:

    Also, use a strong password and change the URL of your WordPress admin to something else. Consider getting a 3rd party WAF (Web Application Firewall) such as Sucuri that will help filter off some of the bots/spam and injection attacks.

    We have lay down a much more details at

  2. Un buen articulo.

Give me your feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.