WordPress is a common target for hackers. Protect your site with these security best practices.
Essential Security Steps
Keep Everything Updated
- Update WordPress core immediately when available
- Update all plugins regularly
- Update your theme
- Remove unused plugins and themes
Use Strong Credentials
- Never use "admin" as your username
- Create strong, unique passwords
- Use a password manager
- Enable two-factor authentication
Install a Security Plugin
Recommended options:
- Wordfence: firewall and malware scanner
- Sucuri: security monitoring and CDN
- iThemes Security: comprehensive security features
Protect Your Login
Limit Login Attempts
Install a plugin to block IP addresses after failed login attempts.
Change Login URL
Change /wp-admin to a custom URL using a plugin like WPS Hide Login.
Add CAPTCHA
Add reCAPTCHA to your login form to prevent automated attacks.
File Security
Secure wp-config.php
Move it above your web root, or add rules to .htaccess that deny direct web access to it.
Disable File Editing
Add this to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Set Correct File Permissions
- Folders: 755
- Files: 644
- wp-config.php: 600
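As an added example (not BearHost's own tooling), a small POSIX shell audit that checks an install against the file-security settings above: folder and file permissions, the wp-config.php mode, and DISALLOW_FILE_EDIT. It assumes wp-config.php sits in the install root you pass in.

```shell
#!/bin/sh
# Added audit script (not BearHost's own tooling): checks a WordPress install
# against the file-security settings above. Assumes a standard layout with
# wp-config.php in the install root you pass as the first argument.

# Print each path matching a find expression to stderr, echo the match count.
check() {
    label=$1; shift
    find "$@" -print | sed "s|^|$label: |" >&2
    find "$@" -print | wc -l | tr -d ' '
}

# Audit one install: prints the number of findings, returns 1 if there are any.
wp_audit() {
    root=$1
    total=0

    # Folders: 755
    n=$(check "folder not 755" "$root" -type d ! -perm 755)
    total=$((total + n))

    # Files: 644 (wp-config.php is checked separately below)
    n=$(check "file not 644" "$root" -type f ! -name wp-config.php ! -perm 644)
    total=$((total + n))

    cfg=$root/wp-config.php
    if [ -f "$cfg" ]; then
        # wp-config.php: 600
        n=$(check "wp-config.php not 600" "$cfg" ! -perm 600)
        total=$((total + n))
        # DISALLOW_FILE_EDIT must be defined as true
        if ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
            echo "wp-config.php: DISALLOW_FILE_EDIT not set to true" >&2
            total=$((total + 1))
        fi
    else
        # Not a finding on its own: the guide allows moving it above the web root
        echo "note: no wp-config.php under $root" >&2
    fi

    echo "$total"
    return $((total > 0))
}

# Usage: sh wp_audit.sh /var/www/html
[ $# -eq 0 ] || wp_audit "$1"
```

The script prints one line per problem to stderr and the total to stdout, so it can be dropped into a cron job or a deploy check that fails on a non-zero count.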
Backup Regularly
Even with security measures, backups are essential.
- Use UpdraftPlus for automated backups
- Store backups offsite (Google Drive, Dropbox)
- Test your backups by restoring on a staging site
Monitor Your Site
- Check for malware regularly
- Monitor login attempts
- Review user accounts periodically
- Set up uptime monitoring
If You're Hacked
- Don't panic
- Take your site offline
- Restore from a clean backup
- Change all passwords
- Update everything
- Scan for remaining malware
- Contact BearHost support for assistance