Ultimate WordPress Security Guide

WordPress Security Guide

We have divided our WordPress Security Guide into a few parts.


A database is the single most important thing when building a new website. So when you are creating a new website, you must rethink about the security measures you are taking to secure your database. Many of us prefer the easiest way to install WordPress from cPanel. If you are concerned about security, we will always recommend you to install WordPress manually by creating the database first and adding a database user.
31+ WordPress Security Tips - Ultimate WordPress Security Guide [2021] 3

  • Tip: Use a unique database name. For example, if your website name is “myschool.com” then always choose something that is not related to the domain name.
  • Add number with the database name to make it more secured.


While adding your newly created user, it is wise not to allow ‘Drop’ permission for the database user. Even if someone gets access to your database, they will not be able to drop the table. This will ensure tight security for your website.


(If you don’t bother about learning what is File Permission, skip to WordPress File Permission)

If you are running any Unix based operating system like Linux based distros like Ubuntu, Linux Mint or macOS you might know that all files and folders of Unix based operating systems have file permission. This permission is written as three digits. If you notice the following image, you can understand what each of this digit does.

WordPress File System Security - WordPress Security Guide 2018

See this video to quickly understand about Unix File Permission.


Make sure you follow this file permission structure to harden your file permission on WordPress. You can run the command like the following to change the file permission of your .htaccess file, after locating to its directory. Otherwise, you can just right click on the file and set permission in cPanel File Manager.

chmod 404 .htaccess

Some servers show error when using permission 705 at the root folder. In that case, use permission 750.


A small script can be used to run Brute Force attack on your site. Hackers nowadays use different methods such as Socks/Proxy/VPN/Tor to keep attacking websites. Hence, we need to use CAPTCHA to stop these brute force attacks.

  • Install the plugin No CAPTCHA reCAPTCHA from WordPress Repository. If you do not know how to install a plugin.

You will be able to decide where to show captchas.

After successful installation, the captcha will show on WordPress Login.

[2018] WordPress Security Guide 101 - Captcha 2018
[Pro WordPress Security Tips: Add Akismet to stop spams]

Use Cloudflare to Setup Free SSL

There’s no reason you shouldn’t take advantage of free SSL as it creates an encrypted connection between you and the server. Please read the following article to implement SSL with WordPress using Cloudflare.

Multifactor Authentication

You can use third-party authenticators if you are not satisfied with your username/password combo. There are a few authenticators available for WordPress. Such as


You can use the Google Authenticator plugin if use iPhone/Android devices. The plugin will enable the support for you.


OTP means One Time Password. If you want that your website will always a one-time password at your email before each login, use the plugin Secure Login


If your site ever gets compromised, you need to have a database backup to restore your site to the previous state.


Our picks of the best WordPress security plugins included some of the most popular WordPress security plugins around the web. We picked Wordfence as the best security plugin for WordPress.

We are recommending some other plugins also which we have carefully tested and feel free to recommend to you.

  1. Wordfence – The most popular WordPress firewall and security plugin. Wordfence is always updating its vulnerability database to save you from security vulnerabilities. The plugin automatically blacklists most risky IPs by enabling firewall rules, malware threat sense. The built-in scanner checks WordPress core files, themes, and plugins for malicious codes.
    We recommend using Wordfence. This is one 
  2. Sucuri Security –This is an Auditing, Malware Scanning and Security Hardening plugin for your WordPress installation. Although most of the great features come with the premium version which costs around $199.99/year
  3. Jetpack Security – Jetpack includes some basic security features including IP lockouts, automatic DDoS protection, spam protection and more.
  4. SecuPress Free — WordPress Security – SecuPress is a new WordPress plugin on the market. It is originally developed by the same author of WP Rocket. It is a new plugin in the market and the free version offers many essential security features. The plugin includes a firewall, provides malware scanning and security notifications.
  5. NinjaFirewall (WP Edition) – NinjaFirewall tries to be a full featured firewall plugin. The plugin acts as proactive. The main motto of the plugin is to “prevent an attack before it takes place“. NinjaFirewall can scan, repair and block any HTTP or HTTPS request before it reaches WordPress or any of its plugins

One4All is a digital media creative company with a passion for design , trained as industrial designers we have a deep-rooted belief in rational function and sustainable aesthetics.