WordPress runs a huge portion of the web, and that scale makes it a constant target. Every WordPress site needs a deliberate approach to security — not a single plugin or silver bullet, but a practice that covers the hosting environment, the WordPress install itself, authentication, files, databases, networking, and the habits that keep the whole thing maintained over time.
This guide is a practical reference to the main areas you need to cover. Each section answers a specific question and links to the full chapter in the handbook where the topic is covered in depth. Whether you're securing a single site or managing hundreds, the fundamentals are the same.
How to secure a WordPress site
WordPress security starts with hardening the core install. That means editing wp-config.php to disable file editing through the dashboard, rotating the security keys, and locking down what users can do through the admin interface itself.
None of this is exotic. It's a checklist of small configuration changes that close off the paths attackers actually use: editing files through the theme editor, reading database credentials from misconfigured files, or exploiting known vulnerabilities in out-of-date WordPress installs.
The full handbook walks through every change step by step, with the exact lines of configuration you need.
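An added example, not code from the handbook: a small shell audit that checks a wp-config.php for the changes this section describes (dashboard file editing disabled, installer placeholder keys replaced, debug output off). It assumes the stock layout of one define('NAME', value); per line; the sample it audits when run without arguments is constructed.

```shell
#!/bin/sh
# Added example (not code from the handbook): audit a wp-config.php for
# the hardening settings described above. Assumes the stock layout of
# one define('NAME', value); per line.

# wp_config_audit FILE
# Prints one OK/FAIL line per check and returns the number of failures.
wp_config_audit() {
    file="$1"
    fails=0
    ws='[[:space:]]*'

    # 1. The theme/plugin editor in the dashboard must be disabled.
    if grep -Eiq "define\(${ws}'DISALLOW_FILE_EDIT'${ws},${ws}true${ws}\)" "$file"; then
        echo "OK:   DISALLOW_FILE_EDIT is true"
    else
        echo "FAIL: DISALLOW_FILE_EDIT missing or not true"
        fails=$((fails + 1))
    fi

    # 2. Security keys and salts must have been rotated away from the
    #    installer placeholder text.
    if grep -q 'put your unique phrase here' "$file"; then
        echo "FAIL: security keys still contain the installer placeholder"
        fails=$((fails + 1))
    else
        echo "OK:   security keys are not the placeholder"
    fi

    # 3. Debug output leaks paths and queries; it must be off in production.
    if grep -Eiq "define\(${ws}'WP_DEBUG'${ws},${ws}true${ws}\)" "$file"; then
        echo "FAIL: WP_DEBUG is true"
        fails=$((fails + 1))
    else
        echo "OK:   WP_DEBUG is not enabled"
    fi

    return "$fails"
}

# With a path argument, audit that file; with none, audit a constructed
# sample so the script demonstrates itself offline.
if [ $# -gt 0 ]; then
    wp_config_audit "$1"
else
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
<?php
/* constructed sample: what a fresh, un-hardened install looks like */
define('AUTH_KEY', 'put your unique phrase here');
define('WP_DEBUG', true);
EOF
    wp_config_audit "$sample" || echo "one or more checks failed"
    rm -f "$sample"
fi
```

Run it as `sh wp-config-audit.sh /path/to/wp-config.php`; the exit status is the number of failed checks, so it drops straight into a cron job or a deploy pipeline.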
WordPress login security and 2FA
Most WordPress sites are compromised through the login page. Weak passwords, leaked credentials, and brute force attacks all target wp-login.php — so authentication is where a huge amount of the security value sits.
Strong password policies, two-factor authentication, and limiting login attempts are the baseline. Moving the login URL, disabling XML-RPC if you don't need it, and locking down the REST API for unauthenticated users are the next layer.
Chapter 3 covers every step, including which plugins do the job well and which introduce more problems than they solve.
WordPress file permissions
File permissions are one of the most misunderstood areas of WordPress security. Get them wrong and either your site can't write uploads, or worse, any process on the server can overwrite your core files.
The correct model is strict: directories 755, files 644, wp-config.php locked down to 640 or tighter, and ownership that separates the web server from the files it serves. Uploads need special handling to prevent PHP execution.
Chapter 4 covers the exact permissions, the commands to set them, and how to audit them on an ongoing basis.
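An added example, not code from the handbook: the permission model above as a shell audit (report only) and a separate fix step. It uses POSIX find and chmod only, checks directories for 755, files for 644, wp-config.php for 640 or 600, and flags any .php file under wp-content/uploads; the tree it builds when run without arguments is constructed.

```shell
#!/bin/sh
# Added example (not code from the handbook): audit a WordPress tree against
# the model described above (directories 755, files 644, wp-config.php 640 or
# 600, no PHP inside wp-content/uploads) and apply it. POSIX find/chmod only;
# find's -perm MODE matches the mode exactly, which is what a strict model wants.

_nlines() { if [ -z "$1" ]; then echo 0; else printf '%s\n' "$1" | grep -c .; fi; }
_show()   { if [ -n "$1" ]; then printf '%s\n' "$1"; fi; }

# wp_perm_audit WP_ROOT
# Prints one line per finding and returns the number of findings (max 255).
# It only reports: deleting or chmod-ing is a separate, deliberate step.
wp_perm_audit() {
    root="$1"; count=0

    # Directories: anything but 755 (777 from a rushed install is the usual one).
    found=$(find "$root" -type d ! -perm 755 | sed 's/^/DIR not 755: /')
    count=$((count + $(_nlines "$found"))); _show "$found"

    # Regular files: anything but 644; wp-config.php has its own rule below.
    found=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/FILE not 644: /')
    count=$((count + $(_nlines "$found"))); _show "$found"

    # wp-config.php carries the database credentials: 640 or 600 only.
    found=$(find "$root" -maxdepth 1 -name wp-config.php ! \( -perm 640 -o -perm 600 \) | sed 's/^/CONFIG too open: /')
    count=$((count + $(_nlines "$found"))); _show "$found"

    # Uploads is where a web shell would be dropped: no .php files at all.
    found=$(find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null | sed 's/^/PHP in uploads: /')
    count=$((count + $(_nlines "$found"))); _show "$found"

    if [ "$count" -gt 255 ]; then count=255; fi
    return "$count"
}

# wp_perm_fix WP_ROOT: apply the model. Run as the file owner (or root).
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
}

# With an argument, audit that install; with none, build a constructed tree
# with typical mistakes, audit it, fix it and audit again.
if [ $# -gt 0 ]; then
    wp_perm_audit "$1"
else
    demo=$(mktemp -d); site="$demo/site"
    mkdir -p "$site/wp-content/uploads"
    printf '<?php\n' > "$site/wp-config.php"
    printf 'x\n'     > "$site/wp-content/uploads/dropped.php"
    chmod 777 "$site/wp-content/uploads"; chmod 644 "$site/wp-config.php"
    echo "-- before:"; wp_perm_audit "$site" || true
    wp_perm_fix "$site"; rm "$site/wp-content/uploads/dropped.php"
    echo "-- after:";  wp_perm_audit "$site" && echo "clean"
    rm -rf "$demo"
fi
```

The audit never deletes anything: a stray .php in uploads is evidence to look at before it is removed. The fix step also does not touch ownership; separating the web server user from the file owner is a chown you run once per site, and actually blocking PHP execution in uploads is a web-server rule, both of which are the chapter's territory.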
WordPress database security
Your database is where everything lives — posts, users, password hashes, session tokens. Securing it means more than changing the default wp_ table prefix, though that helps against lazy attacks.
The real work is in MySQL itself: dedicated database users with the minimum privileges your site needs, local-only connections where possible, encrypted backups, and hardened MySQL configuration.
Chapter 5 covers database hardening from the WordPress layer all the way down to MySQL configuration.
WordPress SSL and HTTPS setup
HTTPS is non-negotiable. Without it, logins happen in plain text over the network, sessions can be hijacked, and browsers will mark your site as insecure. Let's Encrypt makes certificates free, but the configuration still matters.
Beyond the certificate itself: HSTS, security headers like Content-Security-Policy and X-Frame-Options, mixed content handling, and modern TLS configuration all play a role in making the HTTPS on your site actually secure.
Chapter 6 walks through certificate setup, header configuration, and the ongoing maintenance of HTTPS on a WordPress site.
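An added example, not code from the handbook: a shell check for the response headers this section names. It is meant to be fed the output of `curl -sI https://your-site.example/` (placeholder host); the two header sets embedded below are constructed so it also runs offline. The one-year HSTS threshold is this example's choice, matching the common recommendation.

```shell
#!/bin/sh
# Added example (not code from the handbook): check a site's response for
# the security headers this section lists. Run as
#   curl -sI https://your-site.example/ | check_headers
# (placeholder host). The header samples below are constructed.

# check_headers < response-headers
# Prints OK/MISSING/WEAK per check and returns the number of problems.
check_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')   # header names are case-insensitive
    problems=0
    for h in strict-transport-security content-security-policy \
             x-frame-options x-content-type-options referrer-policy; do
        if printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "OK:      $h"
        else
            echo "MISSING: $h"; problems=$((problems + 1))
        fi
    done
    # HSTS only protects for as long as max-age says; the usual advice
    # (and the preload requirement) is at least one year.
    age=$(printf '%s\n' "$hdrs" | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p')
    if [ -n "$age" ] && [ "$age" -lt 31536000 ]; then
        echo "WEAK:    strict-transport-security max-age=$age is under one year"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed samples: a hardened response and a typical default one.
GOOD_HEADERS="HTTP/2 200
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src https:; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=UTF-8"

WEAK_HEADERS="HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8"

echo "-- hardened sample:"; printf '%s\n' "$GOOD_HEADERS" | check_headers || true
echo "-- default sample:";  printf '%s\n' "$WEAK_HEADERS" | check_headers || true
```

Presence is all this checks; whether the Content-Security-Policy value is actually strict is a manual read, since a policy of `default-src *` passes the grep but protects nothing.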
WordPress firewall configuration
A firewall sits in front of WordPress and stops known bad traffic before it reaches PHP. That can be a plugin like Wordfence running inside WordPress, a server-level tool like Fail2Ban, or a cloud layer like Cloudflare — each does a different job.
The right approach combines layers: edge filtering for bot traffic and DDoS, server-level Fail2Ban for failed logins and authentication abuse, and an application firewall inside WordPress itself for known exploit patterns.
Chapter 7 covers all three layers, which tools to use, and how to configure them without locking legitimate users out.
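An added example, not code from the handbook: the failed-login pattern a Fail2Ban jail for WordPress keys on, written as a plain awk check so it can be run over a copy of the access log. It assumes the combined log format (client IP in field 1, request line from field 6, status in field 9) and that a failed wp-login.php POST is answered with 200 while a successful one redirects with 302, which is stock WordPress behaviour but can be changed by plugins; the log lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example (not code from the handbook): the failed-login burst that a
# Fail2Ban jail reacts to, as a plain log check. Assumes the combined log
# format: client IP is field 1, the request line starts at field 6 and the
# HTTP status is field 9. Sample lines below are constructed (RFC 5737 IPs).

# login_bursts LIMIT < access.log
# Prints "IP COUNT" for each client with more than LIMIT counted requests.
# Counted: a POST to wp-login.php answered with 200 (stock WordPress
# re-renders the form on a failed login and redirects with 302 on success;
# assumption: no plugin changes that), and every POST to xmlrpc.php, whose
# responses are 200 either way.
login_bursts() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { hits[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print ip, hits[ip] }
    ' | sort
}

SAMPLE_LOG='203.0.113.7 - - [01/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "python-requests/2.31"
203.0.113.7 - - [01/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "python-requests/2.31"
198.51.100.20 - - [01/Mar/2024:09:01:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2198 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Mar/2024:09:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2431 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Mar/2024:09:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.33 - - [01/Mar/2024:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.33 - - [01/Mar/2024:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.33 - - [01/Mar/2024:11:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.33 - - [01/Mar/2024:11:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
198.51.100.20 - - [01/Mar/2024:09:02:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"'

# Anything over three counted requests is worth a look; the one human who
# mistyped a password once and then got in (198.51.100.20) stays out of it.
printf '%s\n' "$SAMPLE_LOG" | login_bursts 3
```

Fail2Ban does the same matching with a filter regex and then adds a temporary firewall rule for the address; the point of the script is to see what that filter would fire on before you turn on bans, and to avoid locking out the login-page GETs and successful logins that make up normal admin traffic.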
WordPress backup strategy
A backup you haven't restored from isn't a backup, it's a hope. Most WordPress backup setups fail when you actually need them — incomplete database dumps, missing files, corruption from mid-backup writes, or off-site copies that never actually left the server.
The right strategy is 3-2-1: three copies of your data, two different types of storage, one copy off-site. Tested restores on a schedule. And enough retention that you can recover from something you didn't notice was broken for a week.
Chapter 11 covers backup strategy, tools, off-site storage, and most importantly, how to test your restores so you know they actually work.
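An added example, not code from the handbook: a file backup with a checksum sidecar, and the restore test that goes with it, which is the "tested restores on a schedule" step in shell form. It assumes a tar.gz of the site root plus a .sha256 file written at backup time (wp_backup produces exactly that); the database dump is left out here, though a mysqldump file added to the same archive would be verified the same way. The site tree it builds when run without arguments is constructed.

```shell
#!/bin/sh
# Added example (not code from the handbook): a WordPress file backup with a
# checksum, and the restore test for it. Assumes tar+gzip and sha256sum
# (shasum on macOS). The database dump is out of scope here.

if ! command -v sha256sum >/dev/null 2>&1; then
    sha256sum() { shasum -a 256 "$@"; }   # macOS fallback
fi

# wp_backup WP_ROOT DEST_DIR -> prints the archive path
wp_backup() {
    root="$1"; dest="$2"
    archive="$dest/wp-files-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C so the archive holds relative paths and restores anywhere.
    tar -czf "$archive" -C "$root" .
    # The checksum travels with the archive so an off-site copy can be verified.
    sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
    echo "$archive"
}

# wp_restore_test ARCHIVE
# Returns 0 only if the checksum matches, the archive extracts cleanly into a
# scratch directory (never over the live site) and the paths a WordPress site
# cannot live without are present.
wp_restore_test() {
    archive="$1"
    work=$(mktemp -d)
    expected=$(cat "$archive.sha256" 2>/dev/null || echo none)
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$expected" != "$actual" ]; then
        echo "FAIL: checksum mismatch for $archive"; rm -rf "$work"; return 1
    fi
    if ! tar -xzf "$archive" -C "$work" 2>/dev/null; then
        echo "FAIL: archive does not extract"; rm -rf "$work"; return 1
    fi
    for p in wp-config.php wp-content/uploads wp-content/themes; do
        if [ ! -e "$work/$p" ]; then
            echo "FAIL: $p missing from archive"; rm -rf "$work"; return 1
        fi
    done
    if [ ! -s "$work/wp-config.php" ]; then
        echo "FAIL: wp-config.php is empty"; rm -rf "$work"; return 1
    fi
    echo "OK: restore test passed ($(find "$work" -type f | wc -l | tr -d ' ') files)"
    rm -rf "$work"
    return 0
}

# With WP_ROOT and DEST_DIR arguments, back up and test; with none, build a
# constructed site, back it up, test it, then corrupt the copy and test again.
if [ $# -ge 2 ]; then
    a=$(wp_backup "$1" "$2") && wp_restore_test "$a"
else
    demo=$(mktemp -d); site="$demo/site"
    mkdir -p "$site/wp-content/uploads" "$site/wp-content/themes/default"
    printf '<?php /* constructed */\n' > "$site/wp-config.php"
    printf 'body{}\n' > "$site/wp-content/themes/default/style.css"
    a=$(wp_backup "$site" "$demo")
    wp_restore_test "$a" || echo "unexpected: fresh backup failed its own test"
    printf 'x' >> "$a"                 # simulate a corrupted off-site copy
    wp_restore_test "$a" || echo "(expected: the tampered copy is rejected)"
    rm -rf "$demo"
fi
```

Run the restore test against the off-site copy, not the one on the server, since the copy is the one you will actually be reaching for; the checksum mismatch branch is what catches the "never left the server" and "truncated in transit" failures this section describes.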
WordPress maintenance checklist
Security isn't a one-time setup — it's a habit. Every WordPress site needs ongoing attention: updates, audits, log reviews, and the occasional deep clean of plugins and themes that have quietly accumulated.
A good maintenance routine has a weekly rhythm (core and plugin updates, log skim), a monthly one (file permission audit, backup restore test, user review), and a quarterly one (plugin and theme cull, dependency review, SSL and DNS check).
Chapter 12 covers the complete maintenance workflow including staging environments, update processes, and the checklists to make this repeatable across multiple sites.
Want the complete guide?
All 13 chapters, continuously updated. One-time payment, lifetime access.
Buy Protect My WP — £19