WordPress Security Guide: 16 Pro Tips to Keep WordPress Secure in 2022

This brief article on WordPress security and protection will help you keep your websites safe from malware, hacking and redirection hacks.

Attackers usually rely on SQL injection, vulnerabilities in WordPress plugins and themes and, most importantly, XML-RPC to carry out mass login attempts.

How to avoid WordPress hack attempts?

1. The Wordfence plugin helps keep your WordPress website safe and secure; it also sends email alerts as soon as someone logs in to your WordPress site.

2. Don’t install file manager plugins in your WordPress installation.

3. Always keep your WordPress themes and plugins up to date.

4. Never use nulled, cracked or pirated themes or plugins.

5. Keep an eye on the server IP logs, and block the IP ranges or countries that are initiating attacks.

6. Block the XML-RPC service of WordPress (Wordfence can do this) if you don’t need Jetpack or publishing via email. Some other plugins may require XML-RPC, so whether you can disable it depends on your setup.

7. Don’t use “admin” as the username when installing WordPress.

8. The greatest chance of being hacked comes from nulled premium themes or outdated themes. Prefer free themes that are updated frequently; they also help speed up your website.

9. Set the permissions of the wp-config.php file to 444 (read-only) instead of 655. This keeps wp-config.php from being accessible to the public. It may cause some issues, such as plugins no longer being able to add or modify anything inside wp-config.php, but it will keep your site secure.

10. Don’t keep the WordPress database table prefix as the default wp_; change it to something else.

11. If your hosting provider uses CloudLinux with CageFS, that helps prevent malware spreading from one user account to another.

12. Don’t let anyone else host their sites on your web hosting account. They might be the cause of a hack or malware injection into your site, for example by using nulled scripts, which could redirect all your organic SEO traffic to other hacker websites.

13. Use a STRONG password that contains letters, digits and special characters (#$@&*) and is hard to remember.

14. Use two-factor authentication (2FA) that emails you a code before you can log in to your website. Wordfence offers two-factor authentication.

15. Make sure you have configured daily backups of your database and WordPress files to a third-party cloud server; that will keep you safe from any unforeseen destructive attack. Hosting providers usually maintain daily or weekly backups of the database and website files, but always confirm with hosting support whether they actually do. If they don’t maintain backups, they aren’t serious about their clients’ data security. You can also set up cron jobs on your server to run daily backups of the WordPress database and files. Alternatively, you can use the UpdraftPlus plugin to keep backups on cloud storage.

16. Lastly, another important point: never go for cheap hosting providers that are themselves using nulled or cracked versions of WHMCS or cPanel, which is again a huge security risk.
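As an added example (not code from the original article), the following POSIX shell script audits a wp-config.php against tips 9, 10 and 13 above: it flags a file mode other than read-only, the default wp_ table prefix, and a short database password without special characters. The sample wp-config.php it creates, and the 16-character password threshold, are constructed for the demo; point audit_wp_config at a real file to check your own site.

```shell
#!/bin/sh
# Added example, not from the article: audits a wp-config.php against tips 9, 10 and 13.
# All paths and values below are constructed for the demo; point it at a real file
# by calling audit_wp_config /path/to/wp-config.php.

# Write a constructed sample wp-config.php into a temp dir and print its path.
make_sample_config() {
  d=$(mktemp -d)
  cat > "$d/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'changeme' );
$table_prefix = 'wp_';
EOF
  chmod 644 "$d/wp-config.php"   # the usual too-open default
  printf '%s\n' "$d/wp-config.php"
}

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Audit one wp-config.php: one finding per line on stderr, exit status = number of findings.
audit_wp_config() {
  cfg=$1; n=0
  mode=$(file_mode "$cfg")
  case "$mode" in
    444|440|400) ;;   # read-only, as tip 9 recommends
    *) echo "mode is $mode; set it to 444 so the file is read-only (tip 9)" >&2; n=$((n+1)) ;;
  esac
  prefix=$(grep '^\$table_prefix' "$cfg" | sed "s/[^']*'\([^']*\)'.*/\1/")
  if [ "$prefix" = "wp_" ]; then
    echo "table prefix is the default wp_; pick a unique prefix (tip 10)" >&2; n=$((n+1))
  fi
  pw=$(grep "'DB_PASSWORD'" "$cfg" | sed "s/.*'DB_PASSWORD', *'\([^']*\)'.*/\1/")
  # Tip 13: demand length (16 is an assumed threshold) and at least one non-alphanumeric character.
  if [ "${#pw}" -lt 16 ] || ! printf '%s' "$pw" | grep -q '[^A-Za-z0-9]'; then
    echo "DB_PASSWORD is short or has no special characters (tip 13)" >&2; n=$((n+1))
  fi
  return "$n"
}

cfg=$(make_sample_config)
audit_wp_config "$cfg" || echo "$? finding(s) in $cfg"
```

The sample file trips all three checks; after `chmod 444` on it only the prefix and password findings remain, which is the state a cron job could report on daily.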