WordPress SecurityMany of you may know me as one of the founders of the Advanced WordPress Meetup group both in a Facebook Group as well as Meetup.com, I highly recommend you joining if you’re not yet a member. During our meetups and live on Facebook I always talk about hosting your own WordPress site on your own Virtual Servers.

Using Virtual Servers requires you to do a lot of setup ahead of time, but it also gives you the most flexibility possible to do and build the environment you want. I want to quickly mention all of the WordPress specific configurations that do when running my own machines but they can apply to you as well even if you don’t.

Make sure you have Version Control and Backups

Proper backups & version control are probably the most important components of running your own machines, I can’t tell you how many times I’ve had to rebuild a machine from scratch in order to implement a new major change in development or stage and I would never have been able to pull that off successfully without backups and Git Push. I use an older version of BackupBuddy religiously (not really a fan of any of the newer versions), but I know others who prefer managed services. BackUpWordPress and BackWPUp are really great options. Git is practically the only version control I use anymore. I have a GitHub account, of course, but for corporate or enterprise projects I like a self-hosted solution called GitLab.

Update your Environment even if it breaks something

Update WordPressUpdating WordPress is crucial because like any human piece of software, the developer community will catch a security vulnerability, write a patch for the vulnerability, and then you need to update in order to maintain your site security. Most security updates are well-publicized because they need to happen immediately. Once a vulnerability has been patched, it’s also been documented, and it’s common to see hackers start attacking those vulnerabilities that same day.

If you’re hosting sites for others then check out WP-CLI, which allows you to build simple scripts to check a version of WordPress and update a client’s site if they’ve been slow to do so, for example.

Keep track of Logs and what your site is doing

Generating useful system logs is great when you use Debug Bar or other similar debugging plugins. However, I prefer the good old fashion WP Constant called WP_DEBUG in order to output a log file that I can grep and search through to find errors or mistakes. It’s important to understand the purpose of looking at your logs on a regular basis. If someone is trying to hack your system or constantly uses the wrong password or attempts a login attempt every few minutes, looking at your logs will give you insight into what they are doing before it’s too late.

Passwords & Two Step Authentication

WP Engine BodyguardWith all of the recent brute force attacks on user passwords, I’m glad one of the things I’ve always required of all of my WordPress installations is the Enforce Strong Password Plugin. This forces your users to only utilize passwords that are safe and keeps them from using ones that will put your site at risk and are sufficiently complex.

Another interesting option is Two-Step Authentication on your site. To do this, I recommend using a plugin like Google Authenticator, which allows your users to use the Google Authenticator App on iOS, Android and Blackberry, or DUO Two-Factor Authentication Plugin which is actually attached to a 3rd-Party service that lets your users receive a phone call or SMS text message as well as an App to authenticate themselves however they wish.

Make sure your site has a strict Login policy

Using the Simple Login Lockdown Plugin or the Limit Login Attempts Plugin is also a great way to prevent people from Brute Forcing your system. These limit the number of login attempts that can be made from a single IP address. Limit Login Attempts is actually a more up to date Plugin, but in terms of security I don’t really see any issues with the code in Login Lockdown, and I prefer it because it hides the number of attempts made from the user. This prevents bots from reading the number of tries they have before they get blocked.

Prevent File Edits wherever possible

Disallowing File edits using the WordPress Constants, define('DISALLOW_FILE_EDIT' , TRUE); makes sure that if someone does get administrator access who isn’t supposed to, they won’t try to modify plugin or theme code because you’ve turned off the ability to do so from WordPress itself or from any of the administrative menus.

Always use BWP Security, period

Better WordPress Security

Last, but not least, we have Better WP Security. There are a ton of great security plugins, but this one is probably one of my favorites because it covers the gamut of services that you want in a security management plugin.

It does some security through obscurity, including changing URLs for some important login and registration locations, as well as remove plugin or theme messages from users who don’t need to see them (more of a peace of mind thing than anything). It automatically scans and fixes vulnerabilities and forces SSL for your site if you took the time to set up Port 443 in Nginx.

The plugin also detects important issues by monitoring your file system for changes or vulnerabilities. And because it works with Multisite and Nginx, it covers many of the complicated use cases that I run into self-hosting my own WordPress sites.


Remember, I’m a full stack developer that uses these processes and tools for a living, which is why they’re a bit different than what others recommend. I shared the things that I do and setups that I have. They work for me, but I’d encourage you to test your own security set up. I’m always learning and always open to new suggestions and recommendations that I can test in a real world production environment.

Maintaining secure WordPress sites is very possible if you’re willing to put in the time and effort to ensure multiple layers of security. But if you take nothing else from this, remember, keep WordPress up to date.

Self & School taught C++, Java, PHP, Perl and Ruby Developer working as a Ruby Software Engineer for Spawar Research (G2 Software Systems) with a BSCS degree.

Follow Michael:

Leave a Reply