Securing a WordPress site requires a combination of good account hygiene, regular maintenance, and defensive controls at both the application and server level. This guide explains practical steps you can apply to reduce common risks such as brute force attacks and unauthorized access.
Essential WordPress Security Measures
Certain baseline actions significantly reduce the attack surface of a WordPress installation. These steps should be applied to every site, regardless of size or traffic volume.
Use Strong Administrator Passwords
All administrator accounts must use strong and unique passwords. Weak credentials are the primary reason brute force attacks succeed.
Recommended practices include:
- Long passwords with mixed character types
- Unique passwords per user
- Periodic password rotation for administrator accounts
If you suspect that a site has been compromised, passwords alone are not sufficient. WordPress authentication cookies rely on security keys stored in the wp-config.php file. These keys should be regenerated immediately after any suspected breach.
[Screenshot placeholder: wp-config.php file with authentication keys highlighted]
Avoid Default Administrator Usernames
Using predictable usernames such as admin makes brute force attacks easier.
A safer approach is:
- Create a new user with a unique username
- Assign administrator privileges to the new user
- Delete the original default administrator account
[Screenshot placeholder: WordPress users list showing administrator roles]
Keep WordPress, Thèmes, and Plugins Updated
Outdated WordPress components frequently contain known vulnerabilities. Updates should be applied as soon as they are available.
This applies to:
- WordPress core
- Installed themes
- Installed plugins
Sites hosted on environments such as cPanel-based WordPress hosting should regularly review update notifications inside the dashboard.
[Screenshot placeholder: WordPress updates screen]
Remove Unused Themes and Plugins
Disabled plugins and themes still expose code that can be analyzed by attackers. Any component that is not actively used should be deleted entirely.
Reducing unused code lowers the number of potential entry points into the application.
[Screenshot placeholder: plugins list showing inactive plugins before deletion]
Maintain Regular Backups
Backups do not prevent attacks, but they are critical for recovery. Ensure backups are stored off-site and tested periodically.
Backup tooling is commonly available in hosting control panels and should be configured before security incidents occur.
[Screenshot placeholder: backup configuration screen in hosting panel]
Defending Against Brute Force Attacks
A brute force attack attempts to log in repeatedly by guessing username and password combinations. High volumes of login attempts can also degrade site performance by increasing PHP and database load.
Method 1: Password-Protect the WordPress Login Page
Adding HTTP authentication in front of the WordPress login page creates an additional security layer.
Create a password file containing a username and encrypted password:
username:$apr1$hashedvalue$encryptedpassword
[Screenshot placeholder: generated htpasswd credentials]
Save this file as .wp-password in the account home directory. The filename must begin with a dot.
Then create or edit the .htaccess file in the WordPress installation directory and add the following configuration:
# Prevent access to hidden files
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
</FilesMatch>
ErrorDocument 401 "401 Unauthorized"
ErrorDocument 403 "403 Forbidden"
# Protect wp-login.php
<Files wp-login.php>
AuthUserFile /home/USERNAME/.wp-password
AuthName "Restricted Access"
AuthType Basic
require user WP-USERNAME
</Files>
Replace USERNAME with the hosting account username and WP-USERNAME with the username defined in the password file.
[Screenshot placeholder: .htaccess file with login protection rules]
Method 2: Restrict Login Access by IP Address
Limiting access to the WordPress login page by IP address blocks most automated attacks.
Add the following rules to the .htaccess file in the WordPress directory:
<Files wp-login.php>
order deny,allow
allow from xxx.xxx.xxx.xxx
deny from all
</Files>
Replace xxx.xxx.xxx.xxx with the IP address allowed to log in. Multiple allow from lines can be added if needed.
[Screenshot placeholder: IP restriction rules in .htaccess]
If your site uses a reverse proxy or CDN, this method must be tested carefully to avoid blocking legitimate access.
Method 3: Change the WordPress Login URL
Automated attack scripts commonly target the default wp-login.php endpoint. Changing the login URL reduces automated attack traffic.
This can be achieved using a plugin that renames the login endpoint. Après activation, attempts to access the default login paths return a 404 error.
[Screenshot placeholder: plugin settings showing custom login URL]
Method 4: Use a Network-Level Protection Service
Content delivery networks and security proxies can block malicious requests before they reach WordPress.
Network-level filtering reduces load during attack attempts and adds another defensive layer, especially when combined with application-level controls.
For email-related attack vectors that accompany WordPress compromises, additional filtering services such as SpamExperts email security help protect associated mailboxes.
[Screenshot placeholder: security dashboard showing blocked requests]
Ongoing Security Maintenance
WordPress security is not a one-time configuration. Regular reviews of user accounts, plugins, access logs, and hosting settings help maintain a secure environment over time.
Sites hosted on managed platforms such as Plesk-based WordPress hosting benefit from centralized visibility, but responsibility for application security remains with the site owner.