# Securing WordPress
Start here when reviewing WordPress security. Focus first on administrator access, updates, backups, plugin quality, HTTPS, and two-factor authentication.
## Security Priorities
- Keep it updated: Update WordPress core, plugins, and themes after a backup is available.
- Use 2FA: Add two-factor authentication to administrator logins.
- Keep backups: Keep backups available before updates and larger site changes.
- Use HTTPS: Confirm WordPress uses HTTPS (SSL) consistently.
## Users And Passwords
Use unique passwords for WordPress, Fused, cPanel, FTP, and email. Do not reuse a password from another service.
Review WordPress users periodically:
- Remove users who no longer need access.
- Avoid giving administrator access unless it is required.
- Use named accounts instead of sharing one administrator login.
- Change passwords after staff or contractor changes.
## Administrator Access
Administrator accounts can change plugins, themes, users, and site settings. Keep that role limited.
| User type | Suggested role |
|---|---|
| Site owner or technical maintainer | Administrator |
| Writer or editor | Editor or Author |
| SEO or content contractor | Editor, Author, or a plugin-specific role |
| Temporary developer | Administrator only while the work is active |
## Plugins And Themes
Plugins and themes should be current, supported, and necessary.
| Item | Recommendation |
|---|---|
| Inactive plugins | Delete them unless they are intentionally kept for a short-term rollback. |
| Unused themes | Keep only the active theme and one current default WordPress theme. |
| Nulled plugins or themes | Do not use them. They often contain malware or backdoors. |
| Security plugins | Use one reputable security plugin, not several overlapping tools. |
Review plugin and theme management
The wp-toolkit hardening guide also includes WP-CLI commands for auditing administrator users, update status, registration settings, and file-editing configuration from SSH.
## Disable File Editing
WordPress can edit theme and plugin files from the dashboard. Disabling that feature limits what an attacker can change if an administrator account is compromised.
Add this to wp-config.php above the comment that begins `/* That's all, stop editing!`:
```php
define('DISALLOW_FILE_EDIT', true);
```
Or set it from the WordPress document root with WP-CLI (`--raw` writes the value as the PHP constant `true` rather than the string `'true'`):
```shell
wp config set DISALLOW_FILE_EDIT true --raw
```
## Disable Public Registration If You Do Not Need It
Most WordPress sites do not need public user registration. If spam accounts are appearing, disable registration.
Disable WordPress user registration
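The file-editing and registration checks above, together with the administrator-user audit mentioned for WP-CLI, as one added POSIX sh example that is not part of the original article. It reads a copy of wp-config.php and the CSV that `wp user list` prints; the file paths, the sample wp-config.php, the admin CSV, and the `users_can_register` value are all constructed here.

```shell
#!/bin/sh
# Added example, not from the original article: a small POSIX sh audit helper
# for the settings this page recommends. It works on a copy of wp-config.php
# and on WP-CLI's CSV output, so the checks are the same on the server or on
# exported data. All sample data below is constructed. On a real site:
#   wp user list --role=administrator --fields=user_login,user_email --format=csv
#   wp option get users_can_register

# Returns 0 when wp-config.php contains an active (not commented-out) line
# define('DISALLOW_FILE_EDIT', true); with single or double quotes.
file_edit_disabled() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Prints the number of administrator rows in the WP-CLI CSV (header skipped).
admin_count() {
    awk 'NR > 1 && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# Returns 0 when the users_can_register option value means registration is open.
registration_open() {
    [ "$1" = "1" ]
}

# Constructed sample inputs standing in for a real site.
tmp=$(mktemp -d)
cat > "$tmp/wp-config.php" <<'EOF'
<?php
// define('DISALLOW_FILE_EDIT', true);   // commented out, so it does not count
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
EOF
cat > "$tmp/admins.csv" <<'EOF'
user_login,user_email
owner,owner@example.com
old-contractor,dev@example.net
EOF
users_can_register=1

if ! file_edit_disabled "$tmp/wp-config.php"; then
    echo "WARN: DISALLOW_FILE_EDIT is not set to true in wp-config.php"
fi
n=$(admin_count "$tmp/admins.csv")
if [ "$n" -gt 1 ]; then
    echo "WARN: $n administrator accounts; confirm each one still needs the role"
fi
if registration_open "$users_can_register"; then
    echo "WARN: public registration is enabled (users_can_register=1)"
fi
rm -rf "$tmp"
```

Run against the constructed data it prints all three warnings; point the functions at the real wp-config.php and WP-CLI output to audit a live site.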
## If You Suspect A Compromise
- Take a backup before deleting evidence.
- Change WordPress administrator passwords.
- Change cPanel, FTP, database, and email passwords if they may be exposed.
- Review administrator users, plugins, themes, and recent file changes.
- Contact Fused if you need help restoring from backup or reviewing the account.
Do not keep working from a compromised browser or device. If credentials may have been stolen from a computer, secure that device and change passwords from a different, trusted device.