How to harden your WordPress site
Keeping your WordPress site secure is crucial—whether you’re running a personal blog or a bustling e-commerce store. At Liquid Web, we make it easy to protect your digital presence with proven security practices and reliable tools.
Hardening in the context of cybersecurity—and specifically WordPress—refers to the process of strengthening a system to reduce its vulnerability to attacks. For WordPress websites, hardening involves applying best practices, configuration changes, and security tools to make it more difficult for hackers or malware to exploit potential weaknesses.
This guide will walk you through WordPress hardening techniques, combining industry best practices with the specialized knowledge of our hosting experts.
Top 10 WordPress security best practices
These practices are the foundation of a secure WordPress site:
- Randomize Table Prefixes: Avoid the default wp_ prefix when installing WordPress. This is not a defense against SQL injection on its own (an injected query can still enumerate table names), but it breaks automated attacks and malware that hard-code wp_users and wp_options. Softaculous installations handle this automatically.
- Use Strong Usernames: Replace generic usernames like admin with unique, unpredictable ones. Keep in mind that WordPress exposes usernames through author archives and the REST API, so treat this as removing an easy guess, not as a secret.
- Create Strong Passwords: Ensure all user passwords—especially admins—are long and complex.
- Limit Admin Accounts: Reduce the number of users with administrative privileges to minimize risk exposure.
- Back Up Regularly: Always have a recent backup of your site, plugins, and themes.
- Keep Everything Updated: Update WordPress core, themes, and plugins promptly.
- Install Only Trusted Plugins & Themes: Stick to reputable sources like WordPress.org.
- Remove Unused Plugins & Users: Regularly audit your site to eliminate dormant accounts and inactive tools.
- Isolate WordPress Installations: Give each installation its own database and its own database user, so a compromised site cannot read or modify another site's tables.
- Relocate wp-config.php: Move this critical file one level above your web root. WordPress looks there automatically when the file is not in the install directory, so no other change is needed.
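As an added example (not Liquid Web's tooling or part of the original article), the shell function below audits an install for the items in this list that can be read from wp-config.php: the default table prefix, the config file sitting inside the web root, and its file mode. It also checks two settings that come up later on this page, DISALLOW_FILE_EDIT and a relative UPLOADS path. The function names, the sample configs and the constructed directory layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Liquid Web's tooling): audit a WordPress install for the
# settings on this page that can be read from wp-config.php. Function names
# and the sample configs below are constructed for illustration.
#
# Usage: audit_wp_config /path/to/public_html
# Prints one line per finding and returns the number of findings (0 = clean).

audit_wp_config() {
    wp_root="$1"
    findings=0

    # WordPress reads wp-config.php from the install directory or, if it is
    # absent there, from one level above. The latter keeps it out of the web root.
    if [ -f "$wp_root/wp-config.php" ]; then
        cfg="$wp_root/wp-config.php"
        echo "WARN: wp-config.php is inside the web root; move it to $(dirname "$wp_root")/wp-config.php"
        findings=$((findings + 1))
    elif [ -f "$wp_root/../wp-config.php" ]; then
        cfg="$wp_root/../wp-config.php"
    else
        echo "ERROR: no wp-config.php found for $wp_root" >&2
        return 99
    fi

    # Table prefix: the default wp_ is what automated tools hard-code.
    prefix=$(sed -n "s/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
        echo "WARN: table prefix is the default 'wp_'"
        findings=$((findings + 1))
    fi

    # The dashboard theme/plugin editor should be disabled.
    if ! grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "WARN: DISALLOW_FILE_EDIT is not set to true"
        findings=$((findings + 1))
    fi

    # UPLOADS is relative to ABSPATH; a leading slash is a misconfiguration.
    uploads=$(sed -n "s/.*define[[:space:]]*([[:space:]]*['\"]UPLOADS['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    case "$uploads" in
        /*) echo "WARN: UPLOADS '$uploads' is absolute; it must be relative to ABSPATH"
            findings=$((findings + 1)) ;;
    esac

    # Database credentials should be readable by the owner only (600),
    # unless PHP runs as the web server user (DSO).
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    if [ "$mode" != "600" ]; then
        echo "WARN: wp-config.php mode is $mode, expected 600 (unless using DSO)"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed demo installs: "weak" has every mistake above, "hardened" none.
# The credentials are placeholders, not real ones.
make_demo_site() {
    base="$1"; kind="$2"
    mkdir -p "$base/public_html"
    if [ "$kind" = "weak" ]; then
        cfg="$base/public_html/wp-config.php"   # inside the web root
        cat > "$cfg" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'example-only' );
$table_prefix = 'wp_';
define( 'UPLOADS', '/home/user/public_html/uploads' );
/* That's all, stop editing! Happy publishing. */
EOF
        chmod 644 "$cfg"
    else
        cfg="$base/wp-config.php"               # one level above the web root
        cat > "$cfg" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'example-only' );
$table_prefix = 'k9x7_';
define( 'UPLOADS', 'wp-content/media' );
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy publishing. */
EOF
        chmod 600 "$cfg"
    fi
}

# Stand-alone demo on the constructed weak install.
demo=$(mktemp -d)
make_demo_site "$demo" weak
audit_wp_config "$demo/public_html" || echo "findings: $?"
rm -rf "$demo"
```

Run it against a real site as `audit_wp_config /home/user/public_html`; on the constructed weak install it reports five findings, on the hardened one none. The checks are text matches on wp-config.php, so a prefix or define set in an included file would be missed; they are a quick baseline, not a substitute for reviewing the file.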
Must-have security plugins
These plugins make it easy to automate many security functions:
- WPS Hide Login: Change the default login URL so automated brute-force tools that target /wp-login.php miss it. This is obscurity, not authentication: it does not replace strong passwords and login rate limiting.
- Solid Security (formerly iThemes Security): Offers file scanning, login protection, and much more.
Explore more security plugins in the WordPress Plugin Repository.
Set correct file permissions & ownerships
Use these permission settings for PHP handlers such as suPHP and FCGI, where PHP runs as your own account user:
find /PATH/TO/WORDPRESS -type d -exec chmod 755 {} \;
find /PATH/TO/WORDPRESS -type f -exec chmod 644 {} \;
Note: If you're using DSO (mod_php), PHP runs as the web server user rather than as your account, so different permissions and ownerships apply: files should be owned user.nobody (your account as owner, group nobody) so that the web server can read them.
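The following is an added example, not part of the original article or Liquid Web's tooling. It applies the two find commands above together with the 600 mode for wp-config.php from the next section, and then verifies the result by listing anything still writable by group or others, or any regular file that is executable. The function names and the demo directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Liquid Web's tooling): apply the suPHP/FCGI scheme
# from this page (755 directories, 644 files, 600 wp-config.php), then
# verify that nothing group/world-writable or needlessly executable is left.
# Function names and the demo tree are constructed for illustration.

# Print a file's octal mode (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Apply the baseline permissions to a WordPress tree.
harden_wp_perms() {
    wp_root="$1"
    # "{} +" batches many paths into one chmod call instead of one per file.
    find "$wp_root" -type d -exec chmod 755 {} +
    find "$wp_root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials: owner-only.
    if [ -f "$wp_root/wp-config.php" ]; then
        chmod 600 "$wp_root/wp-config.php"
    fi
    return 0
}

# List anything still writable by group or others, and any regular file
# with an execute bit (PHP under suPHP/FCGI never needs +x). Returns the
# number of offending paths, so 0 means clean.
check_wp_perms() {
    wp_root="$1"
    bad=$(find "$wp_root" \( -perm -o+w -o -perm -g+w -o \( -type f -perm -u+x \) \) -print)
    [ -z "$bad" ] && return 0
    printf 'Paths with unsafe permissions:\n%s\n' "$bad"
    n=$(printf '%s\n' "$bad" | wc -l | tr -d ' ')
    return "$n"
}

# Constructed demo tree with the typical mistakes: a world-writable uploads
# directory, an executable PHP file and a world-writable wp-config.php.
make_demo_tree() {
    base="$1"
    mkdir -p "$base/wp-admin" "$base/wp-content/uploads"
    chmod 755 "$base" "$base/wp-admin" "$base/wp-content"
    printf '<?php // demo config, no real credentials\n' > "$base/wp-config.php"
    printf '<?php // demo front controller\n' > "$base/index.php"
    printf 'demo upload\n' > "$base/wp-content/uploads/a.txt"
    chmod 777 "$base/wp-content/uploads" "$base/wp-content/uploads/a.txt"
    chmod 755 "$base/index.php"
    chmod 666 "$base/wp-config.php"
}

# Stand-alone demo: audit, harden, audit again.
demo=$(mktemp -d)
make_demo_tree "$demo/public_html"
check_wp_perms "$demo/public_html" || echo "before: $? problem(s)"
harden_wp_perms "$demo/public_html"
check_wp_perms "$demo/public_html" && echo "after: clean"
rm -rf "$demo"
```

On a real site run `harden_wp_perms /PATH/TO/WORDPRESS` followed by `check_wp_perms /PATH/TO/WORDPRESS`; the check is the part worth keeping in a cron job, since a plugin or a careless upload can loosen permissions again. Do not use this scheme under DSO, where the web server user needs write access to wp-content and read access to wp-config.php.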
Secure specific files & directories
wp-admin
Brute-force attacks commonly target this directory. Add a second authentication layer with HTTP basic auth (.htpasswd) or a security plugin. If you password-protect the whole directory, exempt wp-admin/admin-ajax.php, which themes and plugins call from the public side of the site.
wp-config.php
- Change file permissions to 600 so only the file owner can read the database credentials (unless you're using DSO, where the web server user must be able to read the file).
- Move the file out of the web root to prevent unauthorized access.
Change directory paths
In wp-config.php you can relocate several core WordPress directories, which makes life harder for automated tools that assume the default layout. For wp-content and plugins you set both a filesystem path on the server and the matching URL. The new location must still be served from the same site as the WordPress install: if WordPress is installed in a subdirectory, the relocated directory goes inside that subdirectory, not above it. The directories that support this are:
WP-CONTENT
define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/PATH/TO/NEW' );
define( 'WP_CONTENT_URL', 'http://domain.com/PATH/TO/NEW' );
PLUGIN
define( 'WP_PLUGIN_DIR', dirname(__FILE__) . '/PATH/TO/NEW' );
define( 'WP_PLUGIN_URL', 'http://domain.com/PATH/TO/NEW' );
PLUGINDIR is a legacy constant that is not required by WordPress itself, but some older plugins still read it, so set it to the same location:
define( 'PLUGINDIR', dirname(__FILE__) . '/PATH/TO/NEW' );
WP_UPLOADS
This path is always relative to ABSPATH and cannot be absolute, so it must not start with a slash.
define( 'UPLOADS', 'PATH/TO/NEW' );
Disable file editing from dashboard
Disable the theme and plugin editor by adding this line to wp-config.php. It removes the editor from the dashboard, so an attacker who obtains an administrator session cannot write PHP to your site through the browser:
define('DISALLOW_FILE_EDIT', true);
Need help?
If you need assistance applying these steps, contact our Support team for help.