1. Home
  2. Security and Optimization
  3. Security
  4. How can I keep my WordPress sites secure?

How can I keep my WordPress sites secure?

We have implemented different security levels on our servers to keep your websites safe. However, as we mentioned in our Malware removal rules and security standards article, the security of your website is a 2-way street: WPX & YOU. Here we will discuss the WordPress security tips that you should implement on your sites.

WordPress Security practices that you should use.

Limit access:

Reduce the number of people who have administrative access to your WordPress site to a minimum. You can also reduce the number of possible entry points. This can be done by only installing web applications that you need and use.

Stay Up-to-Date:

Do your best to stay up-to-date with your WordPress site, including plugins, themes, and the PHP version. The latest version of WordPress is always available from the main WordPress website. Official releases are not available from other sites—never download or install WordPress from any website other than https://wordpress.org.

Also, you can just install WordPress with a few clicks from the WPX Control Panel. This way you can be sure that the source of your installation is not compromised.

Trusted Sources:

Aside from being extremely dangerous, using nulled/cracked plugins is a violation of our Terms and Services and is grounds for immediate termination of your account.

Secure your Working Environment:

Do not download plugins and themes from sources that are not trusted. Googling for a free version of a premium plugin is asking for trouble. Malicious people and organizations distribute what are known as ‘nulled’ plugins and themes that come bundled with malicious code and malware.

Make sure that your local computer, browser, and routers are up to date, and free of any spyware, malware, and virus infections. Consider using tools like NoScript (or disabling JavaScript/flash/java) in your browser and VPNs to encrypt your online communication when moving around and using different public Wi-Fi hotspots. You should also secure your mobile devices and install any updates as soon as they become available.

Always use strong passwords:

The purpose of your password is to make it difficult for other people to guess and to help prevent a brute-force attack. The key to making a strong password is making it complex, long, and unique. It is recommended to use a password generator for all passwords or create passwords that would only make sense to you personally.

If you want to use reliable software that generates and stores all of your passwords for you, we recommend using KeePass. All you have to do is download the application and create a database file that will take care of the rest of your password by entering the file using a master password.

Protect your WP-admin area:

You can change the wp-admin URL that you use to log in to your WordPress dashboard. You can use a plugin such as WPS Hide Login to change the login URL.

Additional WordPress security tips.

If you are technically familiar with WordPress and would like to know some additional security measures, then the following points will help you.


A layer of protection can be added to the PHP scripts located in the WP-includes directory, Those scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.

To ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.

RewriteEngine On
RewriteBase / 
RewriteRule ^wp-admin/includes/ - [F, L] 
RewriteRule !^wp-includes/ - [S=3] 
RewriteRule ^wp-includes/[^/]+.php$ - [F,L] 
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L] 
RewriteRule ^wp-includes/theme-compat/ - [F,L] 

# BEGIN WordPress

This won’t work well on Multisite, as
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
would prevent the ms-files.php file from generating images.
Omitting that line will allow the code to work.


The uploads directory is the one directory that will need to be writable by the webserver. It’s where all files are uploaded remotely. If you want to prevent PHP execution in this directory, you can do this by placing a .htaccess at the root of /UPLOADS using:

#Kill PHP Execution 
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all

This can break your theme if it requires PHP execution in UPLOADS. If you apply it and the site breaks, remove it and the site will reappear.

Disable File Editing:

Disabling file editing within the WordPress dashboard is also recommended. WordPress has a constant that disables this editing via the wp-config.php file. Append the following two lines to the end of your wp-config file:

# Disable Editing in Dashboard
define(‘DISALLOW_FILE_EDIT’, true);

That’s it! Now you know more about WordPress security and what you can do to protect your sites.

If you get stuck with anything discussed on this page, please get in touch with the WPX Support Team via live chat (use the bottom right-hand widget) and they will respond and help within 30 seconds or less.

Was this article helpful?

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support