WordPress Security

🔒 WordPress Security Guide | Updated 2026

WordPress powers over 40% of the web, making it the #1 target for hackers, bots, and automated attacks. The good news: Ultra Web Hosting provides multiple layers of server-level protection - Imunify360, ModSecurity WAF, CageFS isolation, and CSF firewall - but securing your WordPress installation itself is equally critical. This guide covers everything from essential first steps to advanced hardening.

🛡 Already Protecting You

01. Server-Level Protection: Built Into Your Hosting

Every Ultra Web Hosting account is protected by multiple security layers before a request even reaches your WordPress installation:

  • Imunify360 - real-time malware scanning, proactive defense, and automatic cleanup of infected files
  • ModSecurity WAF - web application firewall with OWASP CRS 3.x rules blocking SQL injection, XSS, and common exploits
  • CageFS (CloudLinux) - isolates each hosting account in its own virtual filesystem so a compromised site can't affect other accounts
  • CSF Firewall - server-level firewall with brute-force detection, connection limiting, and IP-based blocking
  • CXS (ConfigServer eXploit Scanner) - scans uploaded files in real-time and quarantines malicious scripts on upload
  • Automatic SSL - free AutoSSL certificates for all domains, automatically provisioned and renewed

These protections are active on every account by default - no configuration needed on your part. The tips below harden your WordPress installation on top of these server defenses.

03. Wordfence vs BBQ: Why Lighter Is Better on Shared Hosting

Wordfence is a popular security plugin, but it comes with significant trade-offs on shared hosting that many site owners don't realize until they're dealing with performance problems or resource limit hits.

Wordfence (use with caution on shared hosting)
  • 50+ MB installed size
  • Constant database writes (traffic log)
  • 40-80 MB additional PHP memory per request
  • Scans that spike CPU and hit resource limits
  • Real-time traffic monitoring = heavy I/O
  • Can conflict with server-level ModSecurity
  • Duplicates protections Imunify360 already provides
  • Sends data to external Wordfence servers
Our Recommendation

On Ultra Web Hosting, your server already runs Imunify360 (malware scanning), ModSecurity (WAF rules), and CSF (brute-force protection). Wordfence duplicates most of this while consuming significant resources. BBQ Firewall complements your server-level security by adding application-layer request filtering at virtually zero cost. If you're currently running Wordfence and experiencing slow performance or resource limit warnings, try switching to BBQ - many customers see immediate improvement.

04. Keep Everything Updated

The single most important thing you can do for WordPress security is keep your software updated. The vast majority of hacked WordPress sites we see are running outdated core, theme, or plugin versions with known vulnerabilities.

  • WordPress Core - minor (security and maintenance) releases install automatically by default, and have done so since WP 3.7; WP 5.6 added the option to auto-update major releases as well (Dashboard → Updates). If you leave major updates manual, apply them within a week of release after confirming plugin compatibility.
  • Plugins - update promptly and remove any plugins you aren't actively using. Deactivated plugins can still be exploited if their files remain on the server.
  • Themes - keep your active theme updated and delete any inactive themes except a default Twenty* theme as a fallback.
  • PHP Version - run PHP 8.3 or 8.4 and switch it from the PHP selector in cPanel. PHP 7.x and 8.0 receive no security fixes at all, 8.1 stopped receiving them at the end of 2025, and 8.2 gets security fixes only until the end of 2026, so plan the move now if you are still on it.
Critical

Never use "nulled" (pirated) themes or plugins. They are the #1 source of backdoor malware. Every nulled plugin we've examined contains injected code - often cryptominer scripts, spam mailers, or backdoor shells.

05. Strong Passwords & Two-Factor Authentication

Brute-force attacks against wp-login.php are the most common attack vector we see. Use passwords that are at least 16 characters with a mix of upper/lower case, numbers, and symbols - or better yet, use a password manager to generate and store unique passwords.

Enable Two-Factor Authentication (2FA) on all admin accounts. We recommend Two Factor Authentication by UpdraftPlus or Wordfence Login Security (a standalone plugin that adds 2FA without the full Wordfence overhead). Both support TOTP authenticator apps like Google Authenticator, Authy, and 1Password.

06. Change the Default Admin Username

If your admin account is still named "admin," you're giving attackers half the credentials they need. WordPress doesn't let you rename a user directly, but you can:

  1. Create a new administrator account with a unique username
  2. Log in with the new account
  3. Delete the old "admin" account and reassign all content to the new user

Also block author enumeration, which leaks usernames through /?author=1 redirects, by adding this to .htaccess above the # BEGIN WordPress block (WordPress rewrites its own section whenever permalinks are saved):

# Block author enumeration (/?author=1 redirects to /author/username/)
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule .* - [F,L]

This covers only the query-string form. Usernames also appear in the REST API user listing (/wp-json/wp/v2/users) and in the author sitemap (wp-sitemap-users-1.xml, generated by core since WP 5.5), so assume an attacker can usually find the username and rely on the password and 2FA; this rule simply closes the easiest path.

07. File & Directory Permissions

Incorrect permissions are one of the most common security issues we find on shared hosting accounts. WordPress needs specific permissions to function while preventing unauthorized access:

  • Directories: 755 (owner can read/write/execute, group and others can read/execute)
  • Files: 644 (owner can read/write, group and others can read only)
  • wp-config.php: 600 (owner only). That works here because, under CageFS, PHP runs as your own account user; on a server where PHP runs as a separate web-server user, 600 would break the site and 640 with the web server's group is the fallback.

You can fix permissions in bulk via SSH or Terminal in cPanel:

# Fix directory permissions
find /home/username/public_html -type d -exec chmod 755 {} \;

# Fix file permissions
find /home/username/public_html -type f -exec chmod 644 {} \;

# Lock down wp-config.php
chmod 600 /home/username/public_html/wp-config.php
Never Use 777

Setting any file or directory to 777 gives everyone full read/write/execute access. This is never necessary and is a critical security vulnerability. If a plugin or theme asks you to set 777 permissions, find an alternative.

08. Harden wp-config.php

Your wp-config.php file contains your database credentials and security keys. Add these lines to harden it:

// Disable file editing from the WordPress dashboard
define('DISALLOW_FILE_EDIT', true);

// Limit post revisions to reduce database bloat
define('WP_POST_REVISIONS', 5);

// Force SSL for admin area
define('FORCE_SSL_ADMIN', true);

// Disable WordPress debug display on production
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

// Block external HTTP requests (optional - may break some plugins)
// define('WP_HTTP_BLOCK_EXTERNAL', true);
// define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org,downloads.wordpress.org');

Also make sure your security keys are unique and random. Visit https://api.wordpress.org/secret-key/1.1/salt/ to generate a fresh set of all eight AUTH/SALT definitions, then replace the existing ones in wp-config.php. WordPress derives login cookies from these keys, so changing them signs every user out, including anyone holding a stolen cookie. Do this immediately, after changing passwords, if you suspect your site has been compromised.
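As an added example (it is not code from this guide or from WordPress), the following POSIX shell script rotates all eight keys in place without contacting api.wordpress.org, which is useful when a possibly compromised account should not be trusted to fetch anything, and is also what step 4 of the hacked-site section below asks for. The script name, the helper names and the sample wp-config.php content are assumptions; the sample is constructed from the placeholder lines of a fresh wp-config-sample.php rather than copied from any real site.

```shell
#!/bin/sh
# rotate-salts.sh (assumed name): replace the eight AUTH/SALT keys in a wp-config.php
# with fresh random values generated locally, so it works without reaching api.wordpress.org.

KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# rotate_salts FILE: rewrite every define('KEY', '...') line for the eight keys and leave all
# other lines untouched. Refuses to touch the file unless all eight were found, and writes the
# result back with cat so wp-config.php keeps its owner and its 600 mode.
rotate_salts() {
  cfg=$1
  tmp="$cfg.rotating.$$"
  ( umask 077; awk -v q="'" -v keys="$KEYS" '
    BEGIN {
      n = split(keys, k, " ")
      for (i = 1; i <= n; i++) want[k[i]] = 1
      # 64 hex characters drawn from the kernel CSPRNG: 256 bits of entropy per key
      rnd = "LC_ALL=C tr -dc a-f0-9 </dev/urandom | head -c 64"
      # a define( "NAME" line with either quote style and any spacing, as in a stock wp-config.php
      def = "^[ \t]*define[ \t]*\\([ \t]*[" q "\"][A-Z_]+[" q "\"]"
    }
    match($0, def) {
      name = substr($0, RSTART, RLENGTH)
      sub("^[ \t]*define[ \t]*\\([ \t]*[" q "\"]", "", name)
      sub("[" q "\"]$", "", name)
      if (name in want) {
        if ((rnd | getline val) <= 0 || length(val) != 64) { bad = 1; exit 1 }
        close(rnd)                       # reopen next time so each key gets fresh bytes
        print "define( " q name q ", " q val q " );"
        seen[name] = 1
        next
      }
    }
    { print }
    END { if (bad) exit 1; for (i = 1; i <= n; i++) if (!(k[i] in seen)) exit 1 }
  ' "$cfg" > "$tmp" ) || { rm -f "$tmp"; echo "rotate_salts: $cfg does not define all eight keys, nothing changed" >&2; return 1; }
  cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# salt_value FILE KEY: print the current value of one key (used to verify a rotation)
salt_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*'$2',[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# make_sample_config FILE: constructed sample (not a real site's config) with the eight
# placeholder lines of wp-config-sample.php plus unrelated lines that must survive untouched
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wp_demo' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_';
EOF
  chmod 600 "$1"
}

# Demo on the constructed sample. Real use: rotate_salts /home/username/public_html/wp-config.php
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir/wp-config.php"
rotate_salts "$demo_dir/wp-config.php"
grep "^define( 'AUTH_KEY'" "$demo_dir/wp-config.php"
```

Take a cPanel backup first, then run rotate_salts on the real file from the cPanel Terminal. If the account has SSH and WP-CLI, wp config shuffle-salts does the same job. Either way, every session is invalidated the moment the file is saved, so do it after you have changed the admin passwords, not before.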

09. Login Page Security

Your login page is the front door to your site. Lock it down:

Limit Login Attempts

Our server-level CSF firewall already provides brute-force detection, but you can add an application-level limit with Limit Login Attempts Reloaded. It locks out IP addresses after a configurable number of failed attempts.

Move or Protect wp-login.php

You can add HTTP authentication in front of your login page for an extra layer. Add this to your .htaccess:

# Password-protect wp-login.php
<Files wp-login.php>
  AuthType Basic
  AuthName "Restricted Access"
  AuthUserFile /home/username/.htpasswd
  Require valid-user
</Files>

Generate the .htpasswd file using the Directory Privacy tool in cPanel, or via command line: htpasswd -c /home/username/.htpasswd yourusername (-c creates the file; omit it when adding further users, or it overwrites the existing entries). Use a password that differs from your WordPress one, and keep the file outside public_html as in the path above so it can never be served.

10. Disable XML-RPC

XML-RPC (xmlrpc.php) allows external applications to communicate with WordPress, but it is heavily abused: system.multicall lets a single HTTP request carry hundreds of login attempts (which also slips under per-request login limiters), and pingback.ping has been used to turn WordPress sites into reflectors for DDoS traffic. Unless you specifically use the WordPress mobile app, Jetpack, or a remote publishing tool, disable it completely:

# Block xmlrpc.php
<Files xmlrpc.php>
  Require all denied
</Files>

This is already included in our bot & security .htaccess rules from the WordPress Performance guide.

11. Force SSL / HTTPS

Every Ultra Web Hosting account includes free AutoSSL certificates. Make sure your site uses HTTPS everywhere:

  1. In WordPress → Settings → General, ensure both WordPress Address and Site Address start with https://
  2. Add an HTTPS redirect to your .htaccess:
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Place this above the # BEGIN WordPress block. If the site sits behind Cloudflare or another proxy that terminates TLS, the origin sees %{HTTPS} as off on every request and this rule loops; in that case use the proxy's own HTTPS redirect setting, or test the X-Forwarded-Proto header instead of %{HTTPS}.

If you're seeing mixed content warnings after enabling SSL, see our guide: How to Fix Mixed Content Warnings After Enabling SSL.

12. Change the Database Table Prefix

WordPress uses wp_ as the default table prefix. Choosing a different prefix during setup (e.g., ultra7x_) defeats automated scripts that hard-code table names such as wp_users, but treat it as a speed bump rather than a control: anyone with a working SQL injection can read the real table names from information_schema, so it never substitutes for keeping plugins patched. For existing sites, plugins like Brozzme DB Prefix Change can rename the tables and also update the rows that embed the prefix (wp_user_roles in the options table and wp_capabilities in usermeta), which you would otherwise have to fix by hand along with $table_prefix in wp-config.php.

Important

Back up your database before changing the prefix. A failed prefix change can make your site inaccessible. Export a full backup from phpMyAdmin first.

13. Disable File Editing in the Dashboard

WordPress includes a built-in code editor under Appearance → Theme Editor and Plugins → Plugin Editor. If an attacker gains admin access, it is one of the first tools they reach for to inject malware, because it needs no FTP or shell access. Disable it by adding this to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

This removes the editor entirely from the admin dashboard. You can still edit files via FTP, cPanel File Manager, or SSH.

14. Security .htaccess Rules

Our comprehensive WordPress bot blocker and security rules are covered in detail in our Optimize WordPress Performance guide. Here are the security-specific highlights. Put them above the # BEGIN WordPress block, because WordPress rewrites everything between its own BEGIN and END markers:

# Block access to sensitive files (debug.log and error_log leak paths and stack traces)
<FilesMatch "(wp-config\.php|wp-config\.bak|wp-config\.old|readme\.html|license\.txt|debug\.log|error_log)$">
  Require all denied
</FilesMatch>

RewriteEngine On

# Block PHP execution in uploads (prevents uploaded backdoors), including the
# alternate extensions a PHP handler may still map to PHP
RewriteRule ^wp-content/uploads/.*\.(php[0-9]?|phtml|phar)$ - [F,L,NC]

# Block access to hidden files (.git, .env, etc.) in any directory, but keep
# /.well-known/ reachable: AutoSSL validates your domains through it
RewriteRule (^|/)\.(?!well-known/) - [F,L]

# Block direct requests to wp-admin/includes and wp-includes PHP files
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# Disable directory browsing
Options -Indexes

15. Backups: Your Last Line of Defense

No security setup is complete without reliable backups. If the worst happens, a clean backup lets you restore your site in minutes instead of days.

  • cPanel Backups - generate full or partial backups from cPanel → Backup or Backup Wizard
  • UpdraftPlus - schedule automatic backups to Google Drive, Dropbox, or Amazon S3
  • Store backups off-server - if backups only exist on the same server as your site, a server-level issue could take out both

See our detailed guide: How to Back Up Your Website.

16. What to Do If You've Been Hacked

If your site has been compromised, take these steps immediately:

  1. Don't panic. Imunify360 may have already quarantined the malicious files. Check cPanel → Imunify360 for detected threats.
  2. Change all passwords - WordPress admin, database, FTP, cPanel, and email accounts associated with the site.
  3. Update everything - WordPress core, all plugins, and all themes to the latest versions.
  4. Regenerate security keys - replace all AUTH/SALT keys in wp-config.php with fresh values from the WordPress key generator. This invalidates all existing login cookies.
  5. Scan for backdoors - check wp-content/uploads/ for any .php files and for stray .htaccess files (there should be neither). Check for unfamiliar administrator users and unfamiliar scheduled tasks (wp-cron events and cPanel cron jobs). Review recently modified files, and compare core files against a fresh download of the same WordPress version: attackers often patch index.php, wp-settings.php or a theme's functions.php rather than adding new files.
  6. Restore from backup if available, or open a support ticket and our team can help with malware removal.
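As an added example (not from this guide or from any tool it mentions), the script below automates what section 07 tells you to check before running the chmod commands and what step 5 here tells you to look for: PHP files and stray .htaccess files under wp-content/uploads/, world-writable files and directories, an over-permissive wp-config.php, and PHP files modified in the last N days. The script name and function names are assumptions; the directory tree it builds for the demo is a constructed fixture with one of each problem, not a real site.

```shell
#!/bin/sh
# wp-audit.sh (assumed name): read-only checks for what sections 07 and 16 tell you to look for.
# It prints offending paths and changes nothing. Usage: audit_site /home/username/public_html [DAYS]

# php_files DIR [extra find tests]: files Apache would hand to PHP, in any case
# (.php, .phtml, .phar and versioned .phpN, the same set section 14's uploads rule blocks)
php_files() {
  dir=$1; shift
  [ -d "$dir" ] || return 0
  find "$dir" -type f "$@" \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \)
}

uploads_php() { php_files "$1/wp-content/uploads"; }        # PHP under uploads: there should be none

uploads_htaccess() {                                         # a dropped .htaccess can re-enable PHP there
  [ -d "$1/wp-content/uploads" ] || return 0
  find "$1/wp-content/uploads" -type f -name .htaccess
}

world_writable() {                                           # anything with the o+w bit: 777, 666, ...
  [ -d "$1" ] || return 0
  find "$1" ! -type l -perm -002
}

exposed_config() {                                           # wp-config.php readable by others (not 600/640)
  [ -f "$1/wp-config.php" ] || return 0
  find "$1" -maxdepth 1 -name wp-config.php -perm -004
}

recent_php() { php_files "$1" -mtime "-$2"; }               # recent_php ROOT DAYS: PHP changed lately

count_lines() { if [ -n "$1" ]; then printf '%s\n' "$1" | wc -l | tr -d ' '; else echo 0; fi; }

# audit_site ROOT [DAYS]: print a report; exit status is 0 only when nothing was found.
# Recently modified files are listed for review but do not count as findings on their own.
audit_site() {
  root=$1; days=${2:-7}; findings=0
  for check in uploads_php uploads_htaccess world_writable exposed_config; do
    out=$("$check" "$root"); n=$(count_lines "$out")
    printf '%s: %s\n' "$check" "$n"
    [ "$n" -gt 0 ] && printf '%s\n' "$out" | sed 's/^/  /'
    findings=$((findings + n))
  done
  out=$(recent_php "$root" "$days"); n=$(count_lines "$out")
  printf 'php files modified in the last %s days (review, not necessarily malicious): %s\n' "$days" "$n"
  [ "$n" -gt 0 ] && printf '%s\n' "$out" | sed 's/^/  /'
  [ "$findings" -eq 0 ]
}

# make_demo_tree DIR: constructed fixture (not a real site) containing one of each problem
make_demo_tree() {
  r=$1
  mkdir -p "$r/wp-content/uploads/2026/03" "$r/wp-content/plugins/akismet" "$r/wp-includes"
  printf '<?php // placeholder\n' > "$r/wp-config.php"
  printf '<?php // placeholder\n' > "$r/wp-content/uploads/2026/03/photo.jpg.PHP"   # "image" that is PHP
  printf 'AddHandler placeholder\n' > "$r/wp-content/uploads/.htaccess"             # attacker-dropped
  : > "$r/wp-content/uploads/2026/03/photo.jpg"                                      # a real upload, fine
  printf '<?php // placeholder\n' > "$r/wp-content/plugins/akismet/akismet.php"
  printf '<?php // placeholder\n' > "$r/wp-includes/functions.php"
  find "$r" -type d -exec chmod 755 {} \;
  find "$r" -type f -exec chmod 644 {} \;                     # wp-config.php stays 644: too open
  chmod 666 "$r/wp-includes/functions.php"                    # world-writable core file
  touch -t 202501010000 "$r/wp-content/plugins/akismet/akismet.php"   # old, so not "recent"
}

# Demo on the fixture. Real use: audit_site /home/username/public_html 7
demo=$(mktemp -d)
make_demo_tree "$demo"
audit_site "$demo" || echo "audit: the findings listed above need attention"
```

Run it from the cPanel Terminal; it changes nothing and exits non-zero only when it found something, so it also works as a quick check after you have applied the fixes from sections 07 and 14. The recent-file list is for review rather than a verdict: a legitimate plugin update also modifies PHP files, so compare what you see against your own update history.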

For a detailed walkthrough, see our guide: How to Fix a Hacked WordPress Site.

Need Help Securing Your Site?

Our team can perform a security audit of your WordPress installation, remove malware, and implement all of the hardening measures in this guide.


Quick Recap: The 5-Minute Security Checklist

If you only do five things from this guide, do these:

  1. Install BBQ Firewall - instant, zero-config application-layer protection (free, under 10 KB)
  2. Update WordPress, plugins, and themes - outdated software is the #1 attack vector
  3. Enable Two-Factor Authentication on all admin accounts
  4. Set file permissions to 755/644 and lock down wp-config.php to 600
  5. Set up automated backups with UpdraftPlus to an off-server destination

376 users found this article useful · Last updated March 2026 · Browse all WordPress articles →
