Knowledge base article
Secure your WordPress installation
View other technical support articles
Related articles
Basic WordPress security and site management
How did my WordPress website get hacked? What do I do?
Optimising Wordfence firewall and security settings
Other technical support articles
A beginners guide to email spoofing
Accessing your site before changing DNS
An introduction to email authentication
Basic WordPress security and site management
Check MySQL database table disk usage
Configure object cache with memcached and Litespeed Cache plugin
Configure spam filtering in cPanel
Connect via SFTP using SSH key authentication with FileZilla
Connecting to Serversaurus shared hosting via SFTP
Create a clone of your website
Create a SSH key pair and configure your SSH key in cPanel
Create a WordPress administrator via MySQL CLI
Create a WordPress administrator via phpMyAdmin
Create a WordPress cron task in cPanel
Disable automatic WordPress updates via wp-config.php
Download or restore individual files, directories or database backups with JetBackup
Enabling PHP extensions, Changing PHP Version and Setting PHP Options
Export or Import a MySQL database via CLI
Force HTTPS via .htaccess (cPanel)
Getting Started with Anycast DNS
Getting Started with the Content Delivery Network (CDN)
Getting Started with Virtual Machines
Go live with your WordPress staging website
Help! I need a backup of my cPanel-hosted website
Hide .html extension using .htaccess
How did my WordPress website get hacked? What do I do?
How to ensure website generated emails are delivered successfully
How to issue a Let’s Encrypt certificate
How to remove Site Software management
I can receive email but can’t send!
Introduction to LiteSpeed Cache
Manage DNS zones with the cPanel Zone Editor
Manual WordPress migrations in a nutshell
Migrate remote staging website to local hosting server
Migrate remote transactional website to local server
Migrating email from one POP/IMAP email account to another
My site and/or email service is down
Network Firewall (I can’t access my services on a non-standard port)
Optimising Wordfence firewall and security settings
Pointing your domain to Serversaurus
Pointing your domain to Squarespace with cPanel
Prevent website generated spam with CAPTCHA
Push updates from a staging to production website
Reconfigure production website to subdomain
Recover your hacked WordPress website
Remove Wordfence firewall block via MySQL CLI
Setting up email on your iPhone
Subdomains for test sites & more
Unable to renew certificate: The Let’s Encrypt HTTP challenge failed
Understanding CloudLinux resource limits
Update a WordPress website to use a new domain name
Update your WordPress username via phpMyAdmin
Using Serversaurus’ nameservers but hosting your email elsewhere
Using the Serversaurus Cloud CDN with your WordPress website
This article will walk you through how to secure your WordPress installation for ongoing protection
Whether you're setting up a new WordPress site or improving an existing installation, it's important to take initiative to secure your installation against various methods a hacker can penetrate and comprise your WordPress installation.
Keep in mind, applying the below recommendations does not mean you can disregard applying ongoing WordPress core, plugin or theme updates, you should also always run the latest available PHP version. Please visit our guide for recommendations regarding the ongoing management and security of WordPress.
1. Disable XML-RPC
XML-RPC is renowned for being exploited and used as means to gain access to your site via brute force attack methods. You don't need to disable this function completely, for example JetPack plugin is reliant on the use of XML-RPC, so if this function is crucial for your site operations, you can whitelist any IP address which still require access.
To disable XML-RPC, add the below entry to the .htaccess in your sites document root, ensure to add the entry below any rewrite entries, additionally take note of the 5th line in the entry, if you have a IP address which still requires access to XML-RPC please update xxx.xxx.xxx.xxx with the nominated IP address- if not, simply remove the 5th line.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>
2. Disable user registrations
Disable user registrations within WordPress administrator, go to Settings > General >> Uncheck the option "Anyone can register".
3. Encourage strong user passwords
Although you can install various plugins to force users to use only secure passwords, it would be recommended to avoid installing additional non crucial plugins on the website, and instead ensure all WordPress users are aware of the security risk created by weak passwords and only use high strength passwords.
4. File Permissions
The recommended, secure permissions for WordPress is 644 for files and 755 for directories, you can issue the below commands which recursively update the permissions to the recommended setting. Please issue each command from your websites document root.
To update directory permissions:
find . -type d -exec chmod 755 {} ;
To update file permissions:
find . -type f -exec chmod 644 {} ;
5. Disable theme/plugins editor
Within WordPress dashboard you have the ability to edit theme and plugin files directly, if your WordPress website was ever compromised the hacker could easy take advantage of this functionality to inject malicious code into your theme or plugin files.
You can disable the editor functions by adding the below code into the wp-config.php within the home directory of your website:
define( 'DISALLOW_FILE_EDIT', true );
If you require theme or plugin editor in the future, just update the entry to state "false" in replacement of "true".
6. Disable comments
The comment function on a website is often taken advantage of to send spam/fraud content, disabling comments is recommended however if you would like to retain comments you can always allow comments to be posted after moderation.
Either disable comments or set the requirement for comments to be moderated within WordPress Dashboard >> Settings >> Discussion >> Deselect Allow people to submit comments on new posts or enable Comment must be manually approved depending on your preference.
7. Configure CAPTCHA on all web forms
Prevent website generated spam by adding a CAPTCHA to any web form on your website, you can also install what's called a Honeypot, however we would recommend CAPTCHA due to the CPU overhead created by Honeypot services.
We recommend reCAPTCHA by BestWebSoft which utilizes the Google's v2 or v3 CAPTCHA tokens.
9. Install a Site Security plugin
Employ a Site Security plugin to configure and manage your application firewall to protect your website from brute force attack, block malicious IP addresses and identify vulnerabilities in your WordPress installation. We recommend installing WordFence and optimising the WordFence firewall and security settings.
10. Install a SSL certificate and force redirect all traffic to HTTPS
Install a SSL certificate so users can browse and enter data into your website securely and then implement a force redirect to HTTPS to ensure website visitors always access the website securely over HTTPS (rather than HTTP which is insecure).
Last updated November 30, 2023