WordPress Security Guide 2019

Andy Holland

Updated: 28th June 2019

Welcome to our WordPress Security guide for 2019, this guide aims to cover everything you can do to protect your site from hackers and malware.

This advice guide is ideal for any WordPress site owner from brand new websites to established sites that have been around for many years, (the latter potentially being more at risk if security has never been assessed).

You might be thinking why would anyone want to hack my website? It doesn’t matter hackers can use your website to make money through any kind of fraudulent method such as the distribution of harmful software. As a website owner, you might not even be aware of this happening, so it’s important to have at least some knowledge of WordPress security.

Why is WordPress Security important?

As one of the most widely used CMS systems, WordPress is a common target for hackers and once a hacker finds their way into one site, they can find their way into plenty of other WordPress sites too. Hackers are accessing websites everyday and as a result it means your always at risk unless you take securing your website seriously.  While WordPress is an extremely secure platform that is regularly audited for any security concerns, there’s a lot you can do as a website owner to ensure your site is as secure as possible.

If your not up to speed on security for WordPress, below we have compiled our ultimate list to keep your site safe in 2019 along with some additional information if you think your website has been comprised by hackers.

 16 Steps To Make Your WordPress Site Secure in 2019

  1. Don’t have a weak password 

Step one and you probably already know it: have a strong password and a two step verification process. Don’t use the same password for more than one thing, and ideally regularly change your password – we recommend every 90 days. 

  1. Don’t re-use the same password

It goes without saying, don’t ever re-use the same password again or use the same password you have another platform. Doing this automatically puts you at risk of hackers. 

  1. Don’t use the default username 

The usual default username – ‘admin’ – is most susceptible to attack. So you should always change it. To create a new user, go into ‘Users’ and click ‘Add New’. Be sure to give it the role of ‘Administrator’ for complete authority and choose the setting to transfer all old posts to the new username. Login in again and delete that old username. 

WordPress Password

  1. Host your site securely 

Hosting vulnerabilities account for a large number of WordPress hacks. Choose your web hosting provider carefully. Remember, cheaper is not always better. Look for a reputable web hosting company who have an excellent track record of security. 

  1. Don’t edit the WordPress Core Files

If you update the WordPress core files, it means you won’t be easily able to update to the latest version of WordPress as you will lose changes

  1. Remove any in-active plugins from your site

The more plugins you have, the greater risk you have that your site will become insecure. Therefore any unnecessary plugins which are inactive should be deleted.

  1. Use paid-for themes

Free themes can be great when they’re built by reputable developers, but some of them aren’t, instead being built by shadier devs who sneak bits of malicious code onto your site. Likewise, plugins should also come from reputable places. Check for reviews online to be safe. 

  1. Ensure you are always running the latest version of PHP

 While making sure to update to the latest version of WordPress is important, you should also being making sure your site is on the latest version of PHP. Your hositng service will usually make the latest PHP versions available with each WordPress installation. 

  1. Use the functions.php file 

Whenever you install a theme for your WordPress website, there will be an option to use a functions.php file. As the name suggests, this file is designed to provide extra functionality to your site which can help keep your site secure. Use it to mask the version of WordPress you are using and disable the default login hints to remove clues for hackers. You can also use it to force external scripts to load using HTTPS reducing the opportunity for malicious code to be injected into your site. 

  1. Limit login attempts

A brute force attack – repeatedly attempting to crack a user’s login is widespread and surprisingly effective. Download a plugin such as Login LockDown, Limit Login or BruteProtect to avoid this happening. These monitor each failed login attempt, and detect the IP range from where they’re coming from. After a few failed attempts, the Plugin will disable all logins from that IP address. 

  1. Use an Anti Virus Software

It’s important to have an Anti Virus Software installed on any computer which has administrative access to your WordPress website. If the computer has a virus, then this could potentially spread onto the website when a user logs in

  1. Use a WordPress Security Plugin

Make sure you secure your website with a security plugin, we recommend Sucuri Security.


  1. Use WP Admin Block

One way which you can stop hackers from accessing the WordPress backend is using a WordPress plugin called WP Admin Block. It is free to use and available in the WordPress plugin catalogue.

How does it work?

The plugin redirects people who try to access the admin panel who don’t have the right to the homepage. It uses a secret unique URL in the form of Http:// Website.Com/Wp-Login.Php?Access=SECRET_KEY. The secret key is set by the administrator when you install the plugin.

Make sure that you bookmark the page so that you can access it yourself.

How to set up WP Admin Block?

Firstly, you need to go to your WordPress backend and visit the Plugins section. Click ‘Add New’.

Type in WP Admin Block and click ‘Install’.

Activate the plugin in the Tools menu and click the WP Block option.

Enter a password – make sure that you choose something unique and secure. Then click ‘Save Changes’.

There you have it – installation and setup complete.

If you do manage to forget or lock yourself out of your site, then you can visit the admin panel by going to your server via FTP. Then go to the the /Plugins folder in the /Wp-Content folder. Delete the /Wp-Admin-Block folder to get access back.

  1. Blacklist IP addresses 

This should only be considered for a one-person blog or a very small organisation. It’s quick and easy to do by adding code in the /wp-admin/ folder, but seek out a WordPress professional to help you (like us!). 

  1. Never allow guest registrations 

Unless you have a membership site, or online shop where this is a fundamental part of your site. Otherwise, it’s unnecessary to allow visitors to register for an account. Make sure this option is switched off by clicking on ‘Settings’ and unchecking the option for ‘Anyone can register’. 

  1. Always upgrade 

Upgrading is an essential part of WordPress, but many users neglect to click that ‘update’ button. It may seem like a waste of time, but this could leave you open to attack. Making software more resistant to hackers is one of the many reasons software is upgraded. Be sure to upgrade all plugins, have the latest version of WordPress, and download the latest version of your theme. The WordPress update is now automated and a one-click process, so there’s really no excuse. Besides upgrading WordPress make sure you’ve got up to date versions of your browser and browser plugins too. 

  1. Backup 

Be on the safe side. Make sure you have a backup available which is updated regularly to keep all of the content from your site protected. Plugins are available to make this easier.

How spot if a WordPress Site Has been Hacked? 

As careful as you can be, you could still find yourself experiencing WordPress security issues. Symptoms of a hacked website include: 

  • The site being down
  • Text and links not added by the admin showing up on the website
  • The homepage redirecting to a new page which says the site has been hacked (bit of a giveaway)
  • Phishing pages being added to the site

What to do if you think you’ve been hacked?

  1. Don’t restore backup immediately

As you’ll hide the hacker’s tracks and may not be able to fix the problem, allowing them to come straight back and do it again. 

  1. Do a local machine clean

Your admin or FTP logins could simply have been taken from your local machine. Make sure that your computer hasn’t got a virus and all your programmes are up to date. 

  • Keep your operating system up to date, whether Windows or iOs.
  • Use the latest web browser version.
  • Keep your anti-virus up-to-date and perform regular scans.
  • Only install trusted software onto your machines.
  • Don’t click dodgy links in emails.
  1. Check server security 

Ask your hosting provider if any other sites have been compromised on the server. By identifying the files that have been compromised, you can track where the hack started. 

  1. Change passwords Including: 

  • FTP login credentials 
  • WordPress logins for everyone 
  • WordPress database login details 
  • All application logins on the domain 
  1. Secure WordPress 

Change your WordPress encryption keys. Use a generator to make sure they are secure. And find plugins not in use and remove them. 

  • Change your WordPress encryption keys. Use a generator to make sure they are secure.
  • Keep WordPress up to date.
  • Use only the latest plugin versions.
  • Find plugins not in use and remove them.
  1. Ask Sucuri 

Get Sucuri.net to scan the website for any malicious files. The cost covers one year of daily scans.

If you regularly carry out these steps, you will considerably reduce the chances of getting hacked.

Need More Help?

If you have any questions around WordPress Security or think you’ve been hacked and don’t know what to do. Contact our WordPress Security team and we will get back to you within 24 hours.