WordPress is the most popular CMS in the world, which also makes it the most targeted platform for hackers. Securing your WordPress site is essential to protect your data, your visitors, and your reputation. This guide covers the most important security steps.
1. Keep Everything Updated
- Update WordPress core to the latest version.
- Update all themes and plugins regularly.
- Enable auto-updates: go to WordPress Dashboard → Plugins → Enable auto-updates for each plugin.
- Remove unused themes and plugins — they are potential attack vectors even when deactivated.
2. Use Strong Passwords and 2FA
- Change the default "admin" username to something unique.
- Use a strong password (12+ characters, mixed case, numbers, symbols).
- Install a Two-Factor Authentication plugin (e.g., Wordfence Login Security or WP 2FA).
- Enable 2FA on your cPanel account as well (see our guide: How to Enable 2FA in cPanel).
3. Install a Security Plugin
- Wordfence — firewall, malware scanner, and login security. Free version available.
- Sucuri Security — malware scanning and security hardening.
- Run a full scan after installation to check for existing threats.
- Configure the firewall to block common attack patterns.
4. Secure the wp-config.php File
- In cPanel → File Manager, find wp-config.php in your public_html folder.
- Add these lines above the /* That's all, stop editing! */ line:
define( 'DISALLOW_FILE_EDIT', true );
define( 'WP_DEBUG', false );
- This prevents editing theme and plugin files from the WordPress admin.
- Never expose your database password by sharing wp-config.php or taking screenshots that include it.
5. Fix File Permissions
- Files should be 644 (readable, not executable).
- Directories should be 755.
- wp-config.php should be 440 or 600.
- You can check and change permissions in cPanel → File Manager (right-click → Change Permissions).
- No file should ever be 777 (world-writable).
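As an added example that is not part of the original guide, the following POSIX shell script checks a whole site tree against the permission policy above (644 files, 755 directories, 440 or 600 wp-config.php, nothing world-writable) and can correct it in one pass from cPanel's Terminal or SSH instead of one file at a time in File Manager. It assumes GNU find and chmod, which are standard on Linux hosting; the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original guide): audit a WordPress install
# against the permission policy in section 5 and optionally fix it.
# Assumes GNU find/chmod (standard on Linux hosting).

# Report every violating path as "<reason> <mode> <path>", worst first.
# Returns 0 when the tree is clean, 1 when anything violates the policy.
wp_perm_audit() {
    root=${1%/}                       # drop a trailing slash so -path matches
    cfg="$root/wp-config.php"
    report=$(
        # World-writable anything (the 777 case) is the most dangerous.
        # Symlinks always show as 777 on disk, so they are skipped here.
        find "$root" ! -type l -perm -o+w -printf 'world-writable %m %p\n'
        # Regular files must be 644 (wp-config.php is checked separately).
        find "$root" -type f ! -perm -o+w ! -path "$cfg" ! -perm 644 \
            -printf 'file-not-644 %m %p\n'
        # Directories must be 755.
        find "$root" -type d ! -perm -o+w ! -perm 755 \
            -printf 'dir-not-755 %m %p\n'
        # wp-config.php holds the database password: 440 or 600 only.
        if [ -f "$cfg" ]; then
            find "$cfg" ! -perm -o+w ! -perm 440 ! -perm 600 \
                -printf 'wp-config-not-440-or-600 %m %p\n'
        fi
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Apply the policy. Directories are done first so find can still descend
# everywhere; 600 is used for wp-config.php (the guide allows 440 or 600).
wp_perm_fix() {
    root=${1%/}
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/wp-config.php" -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Example run (the path is a placeholder for your real document root):
#   wp_perm_audit "$HOME/public_html" || wp_perm_fix "$HOME/public_html"
```

Run the audit first and review its output before fixing, since a plugin that legitimately needs a writable upload or cache directory will show up as a violation and may need an exception.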
6. Limit Login Attempts
- Install Login LockDown or use Wordfence's built-in brute force protection.
- This blocks IP addresses after a set number of failed login attempts.
- Default setting: lock out after 5 failed attempts for 30 minutes.
7. Regular Backups
- Use UpdraftPlus plugin to schedule automatic backups (to cloud storage like Google Drive or Dropbox).
- Or use cPanel's backup tool (see our guide: How to Create a Full Website Backup in cPanel).
- Test your backups periodically by restoring to a test environment.
Important Notes
- Most WordPress hacks happen through outdated plugins — keep everything updated.
- Never download "free" premium themes or plugins from untrusted sources — they often contain malware.
- Delete the default WordPress "Hello World" post and "Sample Page" — they confirm to hackers that the site is freshly installed and may not be secured yet.
- Use SSL/HTTPS for your site. AutoSSL is included with your Allanux Web hosting account.
Troubleshooting
- Security plugin causing website to slow down: Wordfence's firewall can be resource-intensive. Try switching to "Extended Protection" mode instead of "Enhanced Protection" (which requires more server resources).
- Locked out of WordPress admin: The login security plugin may have blocked your IP. Use FTP to rename the plugin folder (e.g., wp-content/plugins/wordfence to wp-content/plugins/wordfence-off) to disable it, then log in.
- Malware scan found infected files: Do not delete system files. Use Wordfence's "Repair" option for known WordPress files, or restore from backup. For custom files, review the code and remove the injected malware manually.
- Security headers not being applied: Use a plugin like HTTP Headers or add security headers directly in your .htaccess file. Common headers include X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security.
- Want a professional security audit: Contact support — we can perform a server-level security review of your account.
Need help? Contact our support team.