20 Minutes to a Secure WordPress Website

Securing WordPress has become easy thanks to the amazing work the WordPress team continuously do to fix vulnerabilities and improve the security of the platform. With the addition of Wordfence, it is possible to run a secure WordPress site and sleep well at night knowing your investment is safe.

Today I’m going to provide you with a checklist you can get through in 15 minutes that will help you secure your WordPress website. Time is short, so lets get started!

1. Ensure that your site is backed up

Backups are the first step in securing your website. Your backups ensure that even if your site is compromised or damaged in some way, you can always recover it. We suggest running a full backup before making the changes below so that you can recover your site if you break anything.

Your hosting provider may already provide free backups. If not, there are a wide range of backup plugins available for WordPress. We like UpdraftPlus which is well maintained, has excellent ratings and has a large install base of over 2 million sites.

For a more in-depth article about the importance of WordPress backups visit our blog post here.

2. Delete any old public WordPress installations and other old software

Sign in to your WordPress website using FTP or a file manager. You need to be able to view all files in your hosting account. Check to see if you have any old WordPress installations lying around. For example in a directory called ‘backup’, ‘doc_root.old’, ‘old_wordpress’ or something similar.

If you are unsure what a directory is, ask your hosting provider or a developer if you work with one. Any directories that are old and no longer used should be deleted. They are probably not being maintained and hackers may eventually discover them and use vulnerabilities in the out-of-date software to gain access to your site.

Now do the same for any other software that you have installed but aren’t using or maintaining. This includes old PHP applications like phpmyadmin, MediaWiki, Joomla and Drupal.

3. Delete any themes, plugins or extensions that you don’t need or that aren’t maintained

Sign in to your WordPress site and go to Plugins > Installed Plugins. Delete any plugins that you no longer use. Check everything else and make sure you recognize it and use it.

You can click the “Details” link next to each plugin to see when it was last updated. We strongly recommend that you delete any plugin that has not been updated for 2 years or more. It is unlikely that the author is maintaining the plugin and if a vulnerability is reported, it may not be fixed quickly.

Do the same for WordPress themes. Go to Appearance > Themes. Then delete any themes you no longer use. If you switched themes at some point and still require images in another theme directory, we recommend you delete as much as you can of the legacy theme and just preserve static assets like images and stylesheets.

If you use Joomla, Drupal or other applications, sign in to each application and remove old extensions that you no longer use or that are not being maintained by the author.

Deleting old extensions, plugins and themes will remove them as potential entry points for a hacker.

4. Secure your WordPress admin accounts and cPanel

Secure any admin accounts on your site. Sign in to WordPress. Go to Users > All Users and then click on ‘Administrator’ at the top of the screen to view all administrator level accounts. Make sure you recognize all admin accounts. If you don’t recognize an account, find out who it belongs to. If you have an unauthorized admin account and suspect you may have been hacked, you may need to contact our security services team.

Delete any admin accounts that are no longer needed. 

If you aren’t sure if your admin passwords are secure, go in and change them to something random and ensure your admin account owners are alerted to the change. We strongly recommend using WordPress’s automatically generated password which is very secure. Use a password manager like 1Password to store the generated passwords.

Sign in to cPanel and make sure you are using a secure password there too. It should be random and preferably 20 characters or more. You can use 1Password or another password manager to generate a random password and store it.

Check for unnecessary FTP users and remove those. If you are using FTP, ensure that your site’s FTP account is using a very strong and unique password, different from your cPanel or wp-admin password.

5. Update absolutely all software in your hosting account

You need to bring everything up-to-date. Under absolutely no circumstances should you be running out of date software. Complete the following steps:

  • Update all WordPress core installations.
  • Update all WordPress plugins.
  • Update all WordPress themes.
  • Update any Joomla, Drupal, MediaWiki, PHPMyAdmin or other applications you have installed.
  • Update any extensions in any applications like Joomla or Drupal that you have installed.

A special note on custom WordPress themes

If your theme is custom designed and you aren’t able to update it, you are going to need a developer to maintain that software. This is an unfortunate reality and expense of having a custom theme installed. You can’t just install and forget.

Many themes use libraries that eventually have vulnerabilities discovered in them. If your theme is not maintained, your site will eventually become hacked through this vulnerable software. When engaging the services of a company that designs custom WordPress websites, you should ask them if they will be maintaining any custom software they install on your WordPress site.

6. Install the Wordfence Firewall in “Extended Protection” mode

Install the Wordfence plugin on your WordPress site. Go to the “Firewall” menu and enable “Extended protection”. This ensures the following:

  1. The Wordfence firewall code will inspect any request before it executes any PHP code including WordPress core code. That allows Wordfence to intercept and stop any vulnerability before it even reaches your PHP applications.
  2. Wordfence will also protect any other PHP applications that are installed off your WordPress base directory. This happens automatically and is an added benefit of Wordfence that many people aren’t aware of.

We recommend you upgrade to Wordfence Premium if you can, to ensure that you receive the IP Blacklist, firewall rules and malware signatures in real-time as new attacks emerge.

7. Perform a full Wordfence scan on your site

Go to the Wordfence > Scan menu. Click the button to perform a Wordfence scan. This will perform a large number of security checks on your site and will ensure that your site is clear of any infection. Any issues that are found will be clearly displayed and need to be resolved.

You can visit the Wordfence options page and scroll down to “Scans to Include” where you’ll find an option to “Scan files outside your WordPress installation”. You can enable this to have Wordfence scan all files outside of your WordPress root directory, even web applications that are not part of WordPress. This is a great way to get extended scan coverage for all of the files in your hosting account.

8. Enable 2 Factor Authentication, aka Cellphone Sign-in

Go to Wordfence > Tools. Click the tab at the top titled “Cellphone Sign-in”. Enable cellphone sign-in on all your administrator accounts. You can sign in using an SMS to your cellphone or using the Google Authenticator app.

Enabling this feature will significantly improve the security of your WordPress admin accounts because anyone who signs in as an admin on your site will now have to verify that they know their password and also are in possession of their cellphone. A hacker will have to steal your cellphone and know your password to be able to sign in as you.

Note that cellphone sign-in is a Premium Wordfence feature.

Now share it!

Completing these easy steps will provide you with a significantly more secure website than most WordPress installations on the web today. Share this post with the community to help other WordPress site administrators secure their websites.

Now that you are done, we suggest you pour yourself a glass of something tall and cold and take a well deserved break. You’ve earned it!

For a deeper dive on WordPress security, check out The WordPress Security Learning Center.

Did you enjoy this post? Share it!


  • great overview, thank you so much. Would be great if you could also mention that there is not just cpanel but also Plesk that people use to manage their servers - we are in same size :)

    • Thanks Lukas, really great point. For the rest of our readers: Lukas is CMO over at Plesk. Plesk is an alternative control panel to CPanel:


    • SPAM. Nobody cares about Plesk nowadays. You lost the battle long ago with your excessive prices.

  • Hi,

    Security should be the top most priority of any blogger or Business Owner, and a single mistake can lead to disasters.

    Thank you so much for sharing these security tips with us.

    Keep writing such helpful articles

    • Thanks Saurabh.

  • Excelent!!! Thanks

  • I manage 40 websites on 3 servers. I can't tell you how much easier it is to do that since I found Wordfence (about a year ago). You guys and gals have done a great service for the internet community as a whole, and I wanted to say thanks.

    I only wish you also offered Wordfence for other platforms like Prestashop, Dupral, Joomla and so many others.

    But what would really be nice is if Wordfence could run on a linux stack with cPanel to scan all the cpanel accounts. LOL, i guess I'm not asking too much! right?

    Again, thanks and good job to everyone @ WF.

    PS. I really enjoy getting notifications about new blog posts too.

    • Thank you.

    • For other CMSs try webanti

    • Nice Dream !!!:)

      " Wordfence could run on a linux stack with cPanel to scan all the cpanel accounts. LOL, i guess I'm not asking too much! right? "

  • Great list! Like wordfence lover, I'm a fan as well.

    I'll be posting links to this article for my clients. I know the scope is necessarily limited, so I'll be adding to my post these items that are fairly easy for most WordPress users:

    + Remove any Administrator account using the default "admin" username, and attribute all admin content to a new Administrator account with a different name.
    + In addition, be careful naming Administrator accounts; never use any form of the site's domain name, or the name of the WordPress site.
    + Be sure that the display name for all Administrator users is set to something other than their username. It can be, say, their full name or their first name, or their nickname if it's different from their username.
    + Rename wp-login to something else; there are plugins available that can do this easily.

    I'll be reminding my clients that these small steps can stop many bots cold — and help cut down on WordFence email alerts telling you of users and IPs that have been locked out due to too many login attempts.

    Thanks again for all of your work in keeping our sites secure!

  • Thank you very much. You have developed a very useful tool. I made it a point on my server that all hosted accounts should use it or get their accounts suspended instantly once realized they are hacked. Just clicking the button twice must be easy, all those listed points are repeated daily so there is a guarantee of better and improved security.

  • A question I've had, if you backup the site, assuming you don't know if the site has a hacked file, wouldn't you be backing up that file in your backup only to reinstall it again later?

    I know the WF scan would tell me that, but always concerned that some other file could be in the back up.

    • Yes. That is why you need more than just your more recent backup. You should use a backup rotation scheme that gives you backups up to several months ago. You can find more info here: https://en.wikipedia.org/wiki/Backup_rotation_scheme

  • Another trick I learned a while ago was to change the user_nicename in your database/phpMyadmin to your real name, and be sure you have used a more obscure username.

    When you hover your mouse over what is normally the author's real name at the top of a post, Wordpress will reveal whatever the user_nicename is, which by default is your username.

    I don't think bots can do this, but humans with time on their hands can do the hovering, and when they have your username, they are already halfway to hacking your site.

    All these tips, plus Wordfence, makes a hackers job that much harder.

    "We will not go quietly into the night! We will not vanish without a fight! We're going to live on!"

  • Backing up is important. But it's also important to be sure the site hasn't already been infected when you backup. I once used FTP and backed up my entire website - overwriting my old backup. Stupid, I know. But we live and learn.
    The site was already infected (I suspect it was the vulnerability in Revslider) so I ended up reinstalling everything from scratch.

    I am glad to report that since using WordFence Premium I have not had infections.

    • Hi Thomas. See my note about backup rotations. If you have several backups over time you can select from you can revert to a point pre-infection which may save time. But of course hindsight is 20/20.

  • Excellent...great overview. Thanks.

  • 6. Install the Wordfence Firewall in “Extended Protection” mode - Install the Wordfence plugin on your WordPress site. Go to the “Firewall” menu and enable “Extended protection”.

    I do not see the "Extended protection" option in my Wordfence Firewall settings. Version 6.3.7 free version. Am I missing something here, or is this a premium version feature only?

  • This is one of the most important plugins used on my sites. First security, then SEO stuff. The free option is great, but the buy option is better. I've been hacked multiple times, so now, i don't mess around. This should be mandatory or baked into core WP.

  • Thanks for your sharing

  • There's another priceless thing to do for your web-site security, and it's a pretty simple step - install a plugin that changes the address of your wp-admin page. This will drastically improve your page safety.

    • It may also break things.

  • Nice tips, Mark!

    Although you recommend deleting any plugin that has not been updated for 2 years or more, it is very time consuming to really know... short of going to the repository and checking every single plugin for the last update (and doing this every month or so). Would you ever consider adding a feature to WordFence, where you would notify users if a plugin is over 2 years old? (or even 1 year old -- in my opinion, that is a red-enough flag).

    FYI, the same developer that forked your Falcon Cache also has a great plugin that will flag old plugins (1 year or more without an update). It's called "Vendi Abandoned Plugin Check" and I install this plugin on every site I maintain. It shows the last plugin update on the Plugin page, and also when you search for plugins within WordPress. Any plugin without an update in the past year is highlighted in red. This is a very quick and easy way to know if you have old plugins. See https://wordpress.org/plugins/vendi-abandoned-plugin-check/

    - Scott

    • Interesting idea. Thanks Scott.

    • I really like Scott's idea and would also really appreciate it if Wordfence could add in this old plugin scanning functionality. I have manually done a review of the last updated dates a couple times for all my plugins and developed a spreadsheet, but it is very time-consuming just with two websites to manage!

  • Thanks for your sharing.

    Have to check few points you mentioned.


  • Suggesting people have backups is good, but to not tell them to save them off the server, you may as well have not said it.

    It is pointless leaving backups on a server if the point is to recover from a hack that is likely going to compromise the server itself.

  • I have been reading more and more lately that if a website is http rather than https it is unsecure and that every time anyone logs in they are broadcasting the username and password freely for anyone to use.

    Is this true or is it just scaremongering?

    If it's true, why has it only just become something to be concerned about?

    • Not broadcasting, but sending in clear-text over the network which is risky.

  • Great explanation, i like your plugin most of time for few sites.
    Would be great if you could let me know, can wordfence offer custom URL features.

  • Thanks Mark for your sharing