Basic WordPress Security

I attended the WordPress User Group Philippines meetup last January hosted by our friends at pantheon.io. I was one of the speakers discussing Basic WordPress Security, so I decided to post it here on my blog.

The need for Security

  • 90% of all hacked sites run WordPress
  • 97% of those compromises came from plugins
  • 2.4% came from themes
  • 0.05% came from WordPress core

Several basic things you can do to secure a WordPress site

  1. Use a strong, unique password for every WordPress administrator account, and turn on two-factor authentication wherever possible. Keep the administrator role to the people who actually need it; editors and authors do not need it. Here are the top WordPress plugins that implement and manage 2FA on a site:
  2. Keep the WordPress core, all plugins, and all themes up to date, since new versions often include security fixes. Delete plugins and themes you no longer use, because inactive code still sits on the server and still has to be patched. Some hosts/platforms offer managed update services:
  3. Use a security plugin to scan your site for malware and known-vulnerable components, and to block malicious traffic. Some popular security plugins include:
  4. Use TLS (HTTPS) to encrypt traffic to and from your site. Certificates are free from Let's Encrypt, and many web hosts include one with their service. Redirect HTTP to HTTPS so the login form and session cookies never travel in the clear.
  5. Use a security service or CDN, such as Cloudflare or Fastly, to block malicious traffic and absorb DDoS attacks. Some hosts bundle one: WP Engine includes Cloudflare, and Pantheon.io includes Fastly.
  6. Restrict file permissions so that only the users and processes that need to can read, write, and execute files on the server. The usual baseline is that wp-content/uploads is the only directory the web server can write to, and PHP execution is denied inside it, so a file that gets uploaded can never run as code.
  7. Back the site up regularly (files and database) and test a restore, so that you can recover if the site is hacked or otherwise becomes unavailable.