WordPress Security Tips

WPX Hosting and WordPress recommend the following tips for our users to keep their sites as secure as possible.

How to protect your WordPress site

Limit access: Reduce the number of people who have administrative access to your WordPress site to a minimum and reduce the number of possible entry points too. This can be done by only installing web applications that you need and use. Removing any unused plugins and themes will also help preserve the confidentiality, integrity, and security of your site.

Functional Isolation: Your system should be configured to minimize the amount of damage that can be done should it come under attack. Where possible, avoid having many diverse web applications on a single hosting account. Logical separation of applications into separate accounts with their own access will confine a compromise to that one account and reduce damage.

Backups: You should verify the integrity and reliability of backups regularly to make sure that you can restore your website if it is damaged. Have a plan to recover your website if it is compromised and document this plan.

Aside from your own Backup Manager, WPX Hosting makes daily, automatic backups of your websites and keeps them for 28 days. You can read more about that here.
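The "verify the integrity and reliability of backups" advice above is easy to state and rarely practised. The following Python script is an added example, not WPX's Backup Manager or any WordPress code: it packs a constructed wp-content tree into a tarball, records a SHA-256 manifest separately from the archive, and then performs a restore test by reading every member back out of the archive and comparing hashes. The sample tree, file names and contents are all constructed for the demonstration.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(src_dir, archive_path):
    """Pack every file under src_dir into a gzip'd tar archive and return a
    manifest {relative_path: sha256}. Keep the manifest somewhere other than
    the archive itself, so that a tampered archive cannot carry its own 'proof'."""
    src = Path(src_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src).as_posix()
                manifest[rel] = sha256_of_bytes(path.read_bytes())
                tar.add(path, arcname=rel)
    return manifest


def verify_backup(archive_path, manifest):
    """Restore test that never touches the live site: read each member out of
    the archive and hash it. Any missing, extra or altered file, or an archive
    that cannot be read to the end, fails the check."""
    restored = {}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    restored[member.name] = sha256_of_bytes(tar.extractfile(member).read())
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False
    return restored == manifest


def demo():
    """Constructed scenario: back up a tiny site, then check (a) the intact
    archive, (b) a later archive taken after a theme file changed, and
    (c) a truncated copy of the original archive."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "wp-content"
        (site / "uploads" / "2024").mkdir(parents=True)
        (site / "themes" / "mytheme").mkdir(parents=True)
        (site / "uploads" / "2024" / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg bytes")
        theme_file = site / "themes" / "mytheme" / "functions.php"
        theme_file.write_text("<?php // constructed theme file\n")

        archive = Path(tmp) / "backup.tar.gz"
        manifest = make_backup(site, archive)
        intact_ok = verify_backup(archive, manifest)

        # A file changed after the manifest was taken: the new archive must not
        # verify against the old manifest.
        theme_file.write_text("<?php // constructed theme file, altered later\n")
        altered = Path(tmp) / "backup-later.tar.gz"
        make_backup(site, altered)
        altered_ok = verify_backup(altered, manifest)

        # A damaged archive (cut in half) must fail instead of 'mostly restoring'.
        data = archive.read_bytes()
        truncated = Path(tmp) / "backup-truncated.tar.gz"
        truncated.write_bytes(data[: len(data) // 2])
        truncated_ok = verify_backup(truncated, manifest)

    return intact_ok, altered_ok, truncated_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the design is that a backup is only known to be restorable once something has actually read it back; comparing file sizes or trusting the archiver's exit code proves nothing about the bytes inside. Run the same kind of check on a schedule against the backups you really rely on, and keep the manifest with the documented recovery plan rather than next to the archive.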

Stay Up-to-Date: Do your best to keep your WordPress site up to date, including plugins and themes. Put an administrative control in place that requires the status of your site and its extensible components to be checked at a set frequency. The latest version of WordPress is always available from the main WordPress website. Official releases are not available from other sites: never download or install WordPress from any website other than https://wordpress.org.

Trusted Sources: Do not download plugins and themes from sources that are not trusted. Googling for a free version of a premium plugin is asking for trouble. Malicious people and organisations distribute what are known as ‘nulled’ plugins and themes that come bundled with malicious code and malware.

Aside from being extremely dangerous, using nulled/cracked plugins is a violation of our Terms and Services and is grounds for immediate termination of your account.

Security Updates and News: Security vulnerabilities affect all software; WordPress is not exempt. To stay current, we recommend subscribing to the vulnerability database maintained by WPVulnDB.com. You can also stay ahead of the latest trends by following WordPress’s own Security tag.

Secure your Working Environment: Make sure your local computer, browser, and routers are up to date, free of any spyware, malware, and virus infections. Consider using tools like NoScript (or disabling JavaScript/flash/java) in your browser and VPNs to encrypt your online communication when moving around and using different public Wi-Fi hotspots. You should also secure your mobile devices and install any updates as soon as they become available.

Improving your Website’s Security

Access Control: The top two attack vectors used by cyber criminals are software vulnerabilities and weak access control. To combat this, you must secure every point of entry into your host, WordPress installation, or server. This includes employing strong passwords and enabling some form of multi-factor authentication.

Passwords: The purpose of your password is to make it difficult for other people to guess and to help prevent a brute force attack. The key to making a strong password is making it complex, long, and unique. It is recommended to use a password generator for all passwords or create passwords that would only make sense to you personally.

WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

Services like 1Password and LastPass can help you manage and create random passwords.

Security plugins: There are many security plugins available for WordPress that provide a wide range of security and hardening features.

Apart from the more straightforward site security plugins, there are some additional plugins that can effectively improve your website’s security. That’s why we recommend you protect your WP Admin area.

Tips for Developers

If you are more technically familiar with WordPress hosting, and would like to know of some additional security measures, then the following points will help you.

WP-Includes:

A layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress

Note: This won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work.
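It is worth being able to predict which requests the rules above will actually refuse before deploying them, especially given the Multisite caveat. The Python script below is an added example, not Apache and not part of the WPX article: it simulates mod_rewrite's evaluation of exactly those five rules, including the negated pattern and the S=3 skip, for a handful of request paths. Paths are assumed to be given relative to the RewriteBase (no leading slash), and the simulation assumes no other rules are in play. The MULTISITE_RULES variant applies the note above by dropping the third rule; it also reduces the skip count to 2, on the assumption that the skip should still cover only the remaining wp-includes rules and not run on into the # BEGIN WordPress block that follows.

```python
import re

# (pattern, negated, flags) for each RewriteRule in the .htaccess snippet above.
# Only the F (forbidden) and S=n (skip next n rules) flags matter for this simulation.
INCLUDE_RULES = [
    (r"^wp-admin/includes/", False, {"F": True}),
    (r"^wp-includes/", True, {"S": 3}),   # '!' pattern: skip 3 rules when NOT under wp-includes/
    (r"^wp-includes/[^/]+\.php$", False, {"F": True}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F": True}),
    (r"^wp-includes/theme-compat/", False, {"F": True}),
]

# Multisite variant from the note above: third rule removed, skip count adjusted
# (assumption: S is lowered to 2 to match the shortened list).
MULTISITE_RULES = [rule for i, rule in enumerate(INCLUDE_RULES) if i != 2]
MULTISITE_RULES[1] = (r"^wp-includes/", True, {"S": 2})


def is_forbidden(request_path, rules=INCLUDE_RULES):
    """Return True if this rule set answers the request with 403 Forbidden.

    Walks the rules in order the way mod_rewrite does: a negated rule 'matches'
    when its pattern does NOT match; F stops processing with a 403; S=n jumps
    over the next n rules.
    """
    i = 0
    while i < len(rules):
        pattern, negated, flags = rules[i]
        matched = bool(re.search(pattern, request_path)) != negated
        if matched:
            if flags.get("F"):
                return True
            i += flags.get("S", 0)
        i += 1
    return False


def explain(rules=INCLUDE_RULES):
    """Constructed sample requests: which ones are blocked by the given rule set."""
    samples = [
        "wp-includes/functions.php",            # include-only file, must be blocked
        "wp-includes/js/jquery/jquery.min.js",  # static asset, must stay reachable
        "wp-includes/js/tinymce/langs/en.php",  # caught by the tinymce rule
        "wp-includes/theme-compat/header.php",
        "wp-admin/includes/file.php",
        "wp-admin/admin-ajax.php",              # legitimate admin endpoint
        "wp-content/uploads/2024/photo.jpg",
        "wp-includes/ms-files.php",             # the Multisite image handler from the note
    ]
    return {path: is_forbidden(path, rules) for path in samples}


if __name__ == "__main__":
    for path, blocked in explain().items():
        print(f"{'403' if blocked else 'ok '}  {path}")
    print("multisite ms-files.php blocked:", is_forbidden("wp-includes/ms-files.php", MULTISITE_RULES))
```

Two things the simulation makes visible: static assets under wp-includes/js/ pass because only .php files are matched, and the Multisite variant, while it frees ms-files.php, also stops blocking direct requests to the other top-level wp-includes/*.php files, since that single rule was doing that work. That trade-off is the price of the note above.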

WP-Content/Uploads

The uploads directory is the one directory that will need to be writable by the web server. It’s where all files are uploaded remotely. If you want to prevent PHP execution in this directory, you can do this by placing a .htaccess file at the root of /UPLOADS containing:

# Kill PHP Execution
<Files *.php>
deny from all
</Files>

Note: This can break your theme if it requires PHP execution in UPLOADS. If you apply it and the site breaks, remove it and the site will reappear.

Wp-Config.php

You can put this in your .htaccess file (at the very top) to deny access to anyone surfing for it:

# Deny access to wp-config.php
<Files wp-config.php>
deny from all
</Files>

Disable File Editing

Disabling file editing within the WordPress dashboard is also recommended. WordPress has a constant that disables this editing via the wp-config.php file. Append the following two lines to the end of your wp-config file:

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

What does WPX do to protect your Websites?

We have a number of security measures in place, such as brute force protection. If someone tries to log in to your wp-admin with wrong credentials (or via FTP) 5 times within one minute, their IP will be blocked for 1 hour. You can read more about that in this article.
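To see what the brute force rule above means in practice, here is an added Python example that is not WPX's own implementation: it applies the same policy (5 failed wp-admin logins from one IP within one minute, then a 1-hour block) to constructed Apache access log lines. It assumes WordPress's normal behaviour, where a failed login re-renders the form with HTTP 200 and a successful login redirects with 302, and it covers only wp-login.php, not the FTP side of the rule. The IP addresses, timestamps and log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format: client ip, timestamp, request line, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    stamp = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, stamp, method, path.split("?")[0], int(status)


def detect_bruteforce(log_text, threshold=5, window_s=60, ban_s=3600):
    """Sliding-window counter per IP. Returns (blocks, rejected):
    blocks   = [(ip, blocked_at, blocked_until)] for every block decision
    rejected = [(ip, timestamp)] for requests that arrived while the IP was blocked."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    banned_until = {}
    blocks, rejected = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if ip in banned_until and ts < banned_until[ip]:
            rejected.append((ip, ts))
            continue
        # Failed login: POST to wp-login.php answered with the form again (200).
        if method == "POST" and path == "/wp-login.php" and status == 200:
            recent = failures[ip]
            recent.append(ts)
            while recent and (ts - recent[0]).total_seconds() > window_s:
                recent.popleft()
            if len(recent) >= threshold:
                banned_until[ip] = ts + timedelta(seconds=ban_s)
                blocks.append((ip, ts, banned_until[ip]))
                recent.clear()
    return blocks, rejected


# Constructed sample log: one client fails five times in eleven seconds, another
# logs in successfully and later fails twice, well apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2024:13:55:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 3900 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2024:13:56:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2024:13:58:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
"""


def demo():
    blocks, rejected = detect_bruteforce(SAMPLE_LOG)
    return (
        [(ip, at.isoformat(), until.isoformat()) for ip, at, until in blocks],
        [(ip, ts.isoformat()) for ip, ts in rejected],
    )


if __name__ == "__main__":
    print(demo())
```

Run against a real access log this shows two things the rule's one-sentence description hides: the window is sliding, so two failures ninety seconds apart never add up, and a successful login (302) resets nothing by itself because it is simply not counted. If you keep your own copy of such logic, watch the key you count on; behind a CDN or proxy the client address has to come from the forwarded-for header you trust, or every visitor shares one counter.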

We also scan your websites for malware every day. If your sites are compromised, we’ll inform you about what you need to do to clean your website.

We also have a mod_security firewall set up.

We have Enterprise-level DDoS Protection with Incapsula, an industry leader in DDoS protection. This does not cost you anything extra and you can find out more about it here.

We make daily backups of all websites hosted with us and keep them for 28 days. If you need to restore your website (free of charge), you can contact our support team or you can take a look at your Backup Manager and restore backups manually!

We are running the latest and most stable versions of all server software. Everything is tested thoroughly before being installed on our servers.

We also provide WHOIS Protection for all WPX domain customers. This service will help prevent your personal information from being retrieved by others online through WHOIS requests.

If you have any further questions about our security, you can browse through the Security section of our Knowledgebase.

Should you get stuck with any function discussed here, please contact WPX Support via live chat (use the bottom right hand widget!) and they will usually respond and help within 30 seconds or less.