Skip to main content
All CollectionsWordPress
A short WordPress security guide
A short WordPress security guide

A security guide for WordPress-websites

Kenneth Nyman avatar
Written by Kenneth Nyman
Updated over a year ago
  1. Password and Username:


    Use a complex password.
    Use a long password (minimum of 8 characters).
    Avoid common passwords like "password," "salasana," "123456," etc.
    Use a unique password for each website.
    Avoid common usernames like "Admin" or "administrator."

  2. Keep WordPress Updated:

    Ensure that your WordPress version is always up to date with the latest release.
    Use a plugin for automatic updates of the WordPress version or modify the wp-config.php file with code that enables automatic updates (refer to the security guide for the code snippet).

  3. Keep WordPress Plugins Updated:

    Similar to the WordPress version, make sure that your plugins are always updated to the latest available version.
    Check for plugin updates manually on a weekly basis, or use a plugin that enables automatic updates for your plugins. Alternatively, add code snippets to the wp-config.php file to enable automatic plugin updates (code snippets can be found in the security guide).

  4. Use Trusted Themes and Plugins:

    Download themes and plugins only from trusted sources.
    Ensure that the plugins you use are regularly updated.
    Remove unnecessary plugins from your WordPress installation (each plugin poses a potential security risk).

  5. Change Database Prefix:

    Change the database table prefix from the default 'wp_' to something else.

  6. Backup or Ensure Availability of Backups:


    Updates to plugins and themes can affect the appearance of your site.
    Backups provide security in case of unexpected issues.
    You can restore from a backup if problems arise.

  7. Enhance Security with Plugins:

    Enable two-factor authentication.
    Change the default login URL (/wp-login.php and /wp-admin) to prevent easy access for brute-force attacks.
    Limit login attempts.

  8. Subscribe to and Install an SSL Certificate for Your Site:

    Order an SSL certificate for your site (SSL certificates can be obtained from various service providers).
    An SSL certificate encrypts the traffic on your site.
    Sites with an SSL certificate are identified by the https:// prefix and a lock symbol in the address bar.
    Google favors HTTPS websites.

  9. Keep PHP Version Updated:

    Check if your PHP version is still supported at https://www.php.net/supported-versions.php.
    Request your service provider to update your PHP version to the latest one available. Newer PHP versions offer improved security and performance.

  10. Prevent Spam:

    If you have forms on your site, consider implementing a CAPTCHA verification to block bots.
    Add an invisible field option to your forms to differentiate between bots and humans.

  11. wp-config:

    Restrict access to the wp-config.php file using htaccess (refer to the provided command in the guide).
    Move the wp-config.php file one level above in the directory structure.

  12. Hide WordPress Version:

    Remove the readme.html file to prevent easy access to the WordPress installation version.

Commands and plugins mentioned in the security guide with direct links:

For changing database prefixes, the following commands should be executed:

  • RENAME table wp_commentmeta TO xx_commentmeta;

  • RENAME table wp_comments TO xx_comments;

  • RENAME table wp_links TO xx_links;

  • RENAME table wp_options TO xx_options;

  • RENAME table wp_postmeta TO xx_postmeta;

  • RENAME table wp_posts TO xx_posts;

  • RENAME table wp_termmeta TO xx_termmeta;

  • RENAME table wp_terms TO xx_terms;

  • RENAME table wp_term_relationships TO xx_term_relationships;

  • RENAME table wp_term_taxonomy TO xx_term_taxonomy;

  • RENAME table wp_usermeta TO xx_usermeta;

  • RENAME table wp_users TO xx_users;

  • UPDATE xx_options SET option_name=REPLACE(option_name,'wp_','xx_') WHERE option_name LIKE '%wp_%';

  • UPDATE xx_usermeta SET meta_key=REPLACE(meta_key,'wp_','xx_') WHERE meta_key LIKE '%wp_%';

For plugins mentioned in step number 2:

For plugins mentioned in step number 7:

For step number 9:

For step number 10:

For the htaccess file code snippet to restrict access to wp-config.php:

<files wp-config.php> order allow,deny deny from all </files>

Did this answer your question?