WordPress Website Security: Do’s and Don’ts

    Deepen Shah
Listen to this article

wordpress-website-security-blogWe are always mindful of the valuables that we own, be it money, jewelry, gadgets, etc. We have a system set up to safeguard anything and everything we own. And if you are so vigilant about your personal belongings then safeguarding your website has to be taken a notch higher than this. Why? As you have more to lose from a hacked website than from a lost personal belonging. You stand to lose money, business, and reputation from every loophole in your website that has been hacked into. So, all those people out there who have not been taking WordPress Website Security seriously it’s time to gear up! I am going to list out some do’s and don’ts to help you manage your WordPress website security.

However, before we get into it, here’s the short version for your quick reference:



Remove Version Numbers Do Not Take Passwords Lightly
Upgrade Website Regularly Do Not Allow Directory Browsing
Update System Software Do Not Allow File Edits in Dashboard
Take Site Backup Do Not Allow Hotlinking on Website
Secure Directories Do Not Send Update Notifications to all Users
Secure wp-config.php File
Scan Site with Malware Monitoring Service
Set Appropriate Permissions

Now, let’s discuss these in detail –

The Do’s for WordPress Website Security 


  • Remove Version Numbers

Version numbers in your WordPress is a critical piece of information on your website. It allows hackers to invade your website if they have the means to abuse the WordPress or theme version used on your website. Hence, it would be ideal to remove the version numbers generated by WordPress and Theme’s CSS and JS files so that it won’t be easy to detect WordPress or Theme Version.

  • Upgrade Website Regularly

You should regularly upgrade the WordPress core. Also, upgrade non-customized themes and plug-in installed on your website. This is important as the software might to have bugs that make your website susceptible to attacks. Scheduling regular updates as part of your WordPress website maintainence would ensure you get cleaner versions of the code reducing the threat of an attack on your website.

  • Update System Software

Ensure that you have all the latest version of software such as OpenSSL, Nginx, PHP, MySQL, etc for you windows, Mac or Linux systems.

  • Take Site Backup

Install an appropriate plug-in to take regular backup of files and database on your website. You do not want to take a risk with precious data on your website right?

  • Secure Directories

It is important to secure wp-includes and uploads directories in your website folder so that direct access to files present in those directories can be prohibited.

  • Secure wp-config.php File

The wp-config.php file in your WordPress website folder contains a lot of sensitive information. Hence, it is important to make it secure.

  • Scan Site with Malware Monitoring Service

Scan your website periodically with malware monitoring software. This will help you get notifications when there is a potential hazard to your website.

  • Set Appropriate Permissions

Restrict access to folders on your website to users who can be trusted. Set the appropriate read and write permissions on the folders depending on your requirement.

[su_note note_color=”#EDEDED”]

Expert Advice:

WordPress security is not a one-time thing, it requires maintenance. You have to be vigilant about updating your plugins & themes and security scans. Regular scans are crucial for identifying malware & security issues. Then once you’ve identified these issues, you also have to patch them up. And of course, take regular backups in case something goes wrong. All these activities need to be planned for. So, it is a good idea to make them a part of the monthly maintenance plan for your WordPress website.

Recommended Reading: 
The Do-It-Yourselfer’s Complete Guide to WordPress Maintenance


The Don’ts for WordPress Website Security


  • Do Not Send Update Notifications to all Users

Update notifications that are made available on the website’s dashboard would not be made available across all user levels. While updating WordPress core, themes and plugins are essential it should be a well-researched step. Unrestricted updates could mean disaster for your website.

  • Do Not Take Passwords Lightly

Do not set your website password as admin as it is easy to guess. Also regularly change the password on your website. If you use the same password for a very long time, you’re giving hackers more time to try and crack it. If you change it frequently, you shorten the window of attack

  • Do Not Allow File Edits in Dashboard

File edits in the dashboard is a big fat NO! Users who are meant to make changes to the website should not be allowed to make changes to the code. Allowing file edits in the dashboard screams Danger!!! for your website.

  • Do Not Allow Hotlinking on Website

Prevent hotlinking on the website. People should not be able to hotlink any images or content from your website. After all, in the web world content is a goldmine and should be secured.

  • Do Not Allow Directory Browsing

Do not allow directory browsing access to all users. It is important to secure wp-includes and uploads directories in your website folder so that direct access to files present in those directories can be prohibited.

Well, that’s about it from my end on WordPress website security. I would like to add that maintaining website security is not a small task. It is sometimes a good idea to outsource it to a professional. As far as I am concerned I’ve tried to cover all the essential points in this article. If there are any other points that you might like to add feel free to do so in the comments section.

[su_note note_color=”#EDEDED”]

Recommended Reading: 


Deepen Shah

Deepen Shah

Leave a Reply

Your email address will not be published. Required fields are marked *

Get The Latest Updates

Subscribe to our Newsletter

A key to unlock the world of open-source. We promise not to spam your inbox.

Suggested Reads

Join our 55,000+ Subscribers

    The Wisdm Digest delivers all the latest news, and resources from the world of open-source businesses to your inbox.

    Suggested Reads

    Don't Settle for Less - Learn How to Choose the Right WordPress Plugin Developer.

    Get your hands on invaluable advice and recommendations. Download our free guide to make informed decisions when hiring a WordPress plugin Developer and maximize your ROI