How to secure a WordPress website – WordPress hardening
How to speed up and secure a WordPress website
WordPress is the most popular blogging software and is installed on millions of websites.
Follow the steps below to secure your WordPress website after installation.
1. Set a strong password for WordPress
You must set a strong password for your WordPress website while installing it. Brute-force attacks launched by attackers will quickly crack the password if you have set a weak one for your WordPress website.
a. Passwords must be a minimum of 8 characters in length
b. Do not use dictionary words as the password
c. The password should be a combination of upper case letters, lower case letters, numbers and special characters
It will take many years to crack a password like “Gty67f4#@0”. You can use a website like passwordsgenerator.net to generate a strong password, or you can use the ‘mkpasswd’ command to generate one.
[root@server ~]# mkpasswd -l 20
ka3VkfrzyhmuQyd\y5cv
You can reset the password of the WordPress site to a stronger one through phpMyAdmin in cPanel.
Use sites like passwordsgenerator.net to generate a strong password for the website.
2. Do not set 777 permissions
Do not set 777 (full permission: read, write and execute for everyone) on directories. Attackers can edit the files and execute them if you set full permission on files and directories.
The permissions of directories should be 755 and of files 644. Do not set executable permission for others.
Go to the document root of the website and run the commands below to change permissions to 755 for directories and 644 for files.
For files:
find . -type f -exec chmod 644 {} \;
For directories:
find . -type d -exec chmod 755 {} \;
IMPORTANT: Do not run the above commands outside the document root of the website.
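As an added example (not from the original post), a small POSIX shell script that audits a document root for the loose permissions described above and applies the 755/644 fix only when the directory actually contains wp-config.php, so it cannot be run against the wrong tree by mistake. The function names and the wp-config.php check are assumptions of this example, not part of the post.

```shell
#!/bin/sh
# Added example: audit and fix WordPress file permissions.
# audit_wp_perms DOCROOT prints every path that is world-writable (what 777
# grants) or, for files, executable by others. Exit status: 0 clean,
# 1 offending paths found, 2 the directory is not a WordPress document root.
audit_wp_perms() {
    docroot="${1:-.}"
    # Guard (assumption of this example): a real document root holds
    # wp-config.php, so refuse anything else, as the IMPORTANT note warns.
    if [ ! -f "$docroot/wp-config.php" ]; then
        echo "refusing: $docroot contains no wp-config.php" >&2
        return 2
    fi
    bad=$( {
        find "$docroot" -perm -002 -print           # writable by others
        find "$docroot" -type f -perm -001 -print   # files executable by others
    } | sort -u )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_wp_perms DOCROOT applies the post's two find/chmod commands behind
# the same guard, then re-runs the audit so the caller sees the result.
fix_wp_perms() {
    docroot="${1:-.}"
    if [ ! -f "$docroot/wp-config.php" ]; then
        echo "refusing: $docroot contains no wp-config.php" >&2
        return 2
    fi
    find "$docroot" -type d -exec chmod 755 {} \;
    find "$docroot" -type f -exec chmod 644 {} \;
    audit_wp_perms "$docroot"
}

# Usage: audit_wp_perms /var/www/html && echo "permissions look fine"
```

Run the audit first to see what would change; the fix only touches the directory you pass in.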
3. Install antivirus software on your PC
Make sure the PC from which you access the WordPress admin is clean. A keylogger will capture the username and password of your website, so you must run security software on your PC. Install Kaspersky, Norton, Avast or any other antivirus and run a scan of your PC. Remove or quarantine all the threats detected by the scan.
Do not save the WordPress password in plain text
Always try to remember the WordPress admin password. Do not save the WordPress password as plain text on the PC; save all website passwords in encrypted form. Also do not save the WordPress password in the web browser, as saving website passwords in the browser is not secure.
4. Use SFTP instead of FTP
Use SFTP instead of FTP when you transfer files to the server. Ask your web hosting provider to enable SFTP; you can then transfer files to the server using FileZilla. FTP uses port 21 and sends data unencrypted, so it is not secure. SFTP (Secure File Transfer Protocol) runs over the SSH protocol and is secure compared to FTP.
5. Set a strong password for your WordPress database
You must always set a strong database password when installing WordPress. Reset the MySQL password to a stronger one and update the new password in the wp-config.php file.
6. Set up daily, weekly and monthly backups
You must keep daily, weekly and monthly backups of your WordPress website so that you can restore the website if it gets hacked.