    WordPress Security

    Protect your WordPress site from hackers and vulnerabilities

    Why WordPress Security Matters

    WordPress powers 43% of websites, making it a prime target for hackers. A compromised site can lead to data theft, malware distribution, SEO damage, and loss of trust.

    Keep Everything Updated

    WordPress Core

    • Enable automatic updates
    • Dashboard → Updates
    • Update immediately when available
    • Test on staging first if possible

    Plugins

    • Check for updates weekly
    • Delete unused plugins (deactivate ≠ delete: a deactivated plugin's files stay on the server and remain reachable)
    • Only use actively maintained plugins
    • Check last update date before installing

    Themes

    • Keep theme updated
    • Delete unused themes
    • Use reputable theme sources

    Strong Authentication

    Strong Passwords

    • Minimum 15 characters
    • Mix of letters, numbers, symbols
    • Unique for each site
    • Use password manager
    • Never use: admin, password, 123456

    Two-Factor Authentication (2FA)

    Install a plugin such as:

    • Google Authenticator: Free, reliable
    • Wordfence Login Security: Built into Wordfence
    • Two Factor: Multiple 2FA methods

    Limit Login Attempts

    • Prevents brute-force password guessing
    • Plugins: Limit Login Attempts Reloaded
    • Lock account after 3-5 failed attempts
    • Whitelist your IP if possible

    Change Default Settings

    Admin Username

    • Never use "admin" as username
    • If your site has an "admin" user, create a new administrator account and delete the old one
    • Use unique, non-obvious usernames

    Hide Login URL

    Hide /wp-admin and /wp-login.php:

    • Use a plugin such as "WPS Hide Login"
    • Creates a custom login URL
    • Reduces automated login noise (this is obscurity, not a replacement for 2FA and login limits)

    Install Security Plugin

    Wordfence (Recommended)

    • Firewall: Blocks malicious traffic
    • Malware Scanner: Detects infected files
    • Login Security: 2FA and IP blocking
    • Real-time Protection: Free tier available

    Sucuri Security

    • Security hardening
    • File integrity monitoring
    • Security activity logging
    • Post-hack actions

    iThemes Security

    • 30+ security measures
    • Easy setup wizard
    • Scheduled malware scans

    File Permissions

    Set correct permissions via FTP or File Manager:

    • Files: 644 (or 640)
    • Directories: 755 (or 750)
    • wp-config.php: 440 or 400 (very restrictive; works when PHP runs as your own user, as it does on most shared hosts)
    • .htaccess: 644

    Protect wp-config.php

    Add to .htaccess (the allow/deny directives are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, use "Require all denied" inside the same <Files> block instead):

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

    Disable File Editing

    Prevents the dashboard's built-in plugin/theme code editor from being used, so a stolen admin session cannot be turned into arbitrary PHP on the server. Add to wp-config.php, above the line /* That's all, stop editing! */:

    define('DISALLOW_FILE_EDIT', true);

    Regular Backups

    Backup Plugins

    • UpdraftPlus: Popular, free, cloud storage
    • BackWPup: Comprehensive backup solution
    • Duplicator: Migration and backup

    Backup Strategy

    • Daily backups for active sites
    • Weekly for static/slow-changing sites
    • Store backups off-site (cloud storage)
    • Test restoring periodically
    • Keep multiple backup versions

    SSL Certificate (HTTPS)

    • Enable SSL: Use AutoSSL in cPanel (free)
    • Force HTTPS: All traffic over secure connection
    • Update URLs: Change the WordPress Address and Site Address to https:// (Settings → General)

    Force HTTPS in .htaccess

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

    What to Do If Hacked

    Immediate Actions

    1. Take site offline: Maintenance mode
    2. Change all passwords: WordPress, FTP, cPanel, database
    3. Scan for malware: Use Wordfence or Sucuri
    4. Check users: Remove suspicious accounts
    5. Review file changes: Look for modified files
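    The script below is an added example (not from the hosting docs) covering two steps above: it applies the File Permissions scheme (dirs 755, files 644, wp-config.php 400) and keeps a sha256 baseline so the "Review file changes" step becomes a diff rather than guesswork. It assumes GNU coreutils/findutils on a Linux host and that PHP runs as the file owner; the WP_ROOT/MANIFEST paths are whatever you pass in.

```shell
#!/usr/bin/env bash
# Added example, not part of the hosting docs. Applies the permission scheme from the
# File Permissions section and records a sha256 baseline so modified or planted files
# can be found later (the "Review file changes" step). Assumes GNU coreutils/findutils,
# as on a typical Linux shared host, and that PHP runs as the file owner, which is what
# makes 400 on wp-config.php workable. Run wp_baseline right after a clean install.
set -eu

# wp_harden_perms DOCROOT: directories 755, files 644, wp-config.php 400
wp_harden_perms() {
  local root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 400 "$root/wp-config.php"; fi
}

# wp_check_perms DOCROOT: list anything that drifted from the scheme; returns 1 if found
wp_check_perms() {
  local root="$1" drift
  drift=$(
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 400
  )
  [ -z "$drift" ] || { printf 'permission drift:\n%s\n' "$drift"; return 1; }
}

# wp_baseline DOCROOT MANIFEST: sha256 of every file; keep MANIFEST outside the docroot
wp_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# wp_check_integrity DOCROOT MANIFEST: report files that changed or vanished, then files
# absent at baseline time (a dropped backdoor shows up here); returns 1 on any finding
wp_check_integrity() {
  local root="$1" manifest="$2" rc=0 known added
  ( cd "$root" && sha256sum --quiet -c "$manifest" ) || rc=1
  known=$(mktemp)
  awk '{ print substr($0, 67) }' "$manifest" | sort > "$known"   # paths in the baseline
  added=$( cd "$root" && find . -type f | sort | comm -13 "$known" - )
  rm -f "$known"
  [ -z "$added" ] || { printf 'new files since baseline:\n%s\n' "$added"; rc=1; }
  return "$rc"
}
```

    Refresh the baseline after every legitimate core, plugin or theme update, otherwise the next check reports the update itself as a change.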

    Deep Cleaning

    1. Download clean WordPress core files
    2. Replace wp-admin and wp-includes with the fresh copies
    3. Manually review plugins/themes
    4. Restore from clean backup if available
    5. Update everything to latest versions
    6. Check database for malicious code

    Security Checklist

    1. ✓ Install security plugin (Wordfence/Sucuri)
    2. ✓ Enable SSL/HTTPS
    3. ✓ Use strong, unique passwords
    4. ✓ Enable two-factor authentication
    5. ✓ Keep WordPress, plugins, themes updated
    6. ✓ Change admin username from "admin"
    7. ✓ Limit login attempts
    8. ✓ Regular backups (daily/weekly)
    9. ✓ Set proper file permissions
    10. ✓ Disable file editing in dashboard
    11. ✓ Hide login page
    12. ✓ Remove unused plugins/themes
    13. ✓ Change database prefix
    14. ✓ Disable XML-RPC if not needed
    15. ✓ Monitor site regularly

    Common Vulnerabilities

    • Outdated software: #1 security risk
    • Weak passwords: Easy brute force target
    • Nulled (pirated) plugins/themes: Often contain malware
    • No backups: Recovery impossible
    • Shared hosting neighbors: A compromised site under the same account can infect yours (cross-site contamination)
    • SQL injection: Through insecure plugins
    • Cross-site scripting (XSS): Malicious scripts