How Secure is Your WordPress Site?

WordPress is generally known as a cost-effective content management system (CMS) that lets you create and manage websites, blogs, and web applications with ease. But it is not just for bloggers or small businesses. Many of the world’s largest organizations use WordPress to deliver their content, including CNN, Forbes, the White House, and The New York Times, as well as thousands of financial institutions, health systems, universities, and other organizations. They appreciate WordPress for its ease of use and for a core that is actively maintained with regular security releases. Most WordPress compromises stem not from core but from outdated plugins and themes, weak credentials, and poorly configured hosting, which is where the practices below concentrate.

Of course, not all WordPress sites are created equal, in security any more than in design. Some security features come standard, just as free design templates do, but the defaults are only a baseline. Reaching a genuinely high level of security means adding controls at the application, server, and hosting layers, which requires a certain degree of technical expertise.


If your organization deals with sensitive information such as personal, health, or financial data, you want to make sure that information is as secure as possible. Here are some of the best practices for building a highly secure WordPress site:

  • Enforce strong password requirements for every account, administrators above all
  • Add Google reCAPTCHA (or an equivalent bot challenge) to form and login pages
  • Limit wp-admin and wp-login.php access to designated IP addresses where practical, and enable two-factor authentication (2FA) for administrative accounts
  • Lock accounts (or the source IP) after a designated number of failed login attempts, and apply the same limit to XML-RPC, which attackers use to brute-force credentials without touching the login form
  • Install trusted malware scanning, spam prevention, and firewall plugins, and only from reputable sources


Creating a truly secure WordPress site requires more than following best practices inside WordPress itself. You also have to address server-side security. Here are some of the steps to take on the server side:

  • Disable directory browsing (directory listings) and restrict database connections to the web server's host; the database should never be reachable from the internet
  • Implement a proper file and directory ownership and permission model (WordPress's own guidance is 755 for directories, 644 for files, and a more restrictive mode for wp-config.php)
  • Install a TLS certificate from a trusted certificate authority and serve the whole site over HTTPS; at a minimum enforce HTTPS for login and administration (FORCE_SSL_ADMIN)
  • Take steps to prevent script injection (cross-site scripting, SQL injection, and uploaded web shells): patch promptly, disable the dashboard theme and plugin file editor, and block PHP execution in the uploads directory
  • Install and configure a WAF (web application firewall) at, or in front of, your web server to filter requests before WordPress processes them
  • Make sure you are running a stable, actively supported version of PHP; end-of-life branches no longer receive security fixes
  • Move wp-config.php one directory above the web root (WordPress looks there automatically) or deny direct access to it in your .htaccess file
  • Set up a hosting environment that restricts administrative server access (SSH, database, control panel) to a VPN connection
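The server-side steps above, applied together, as an added shell example that is not from the original article or from Lightstream. It assumes Apache 2.4 with .htaccess files honoured (AllowOverride), the standard layout with wp-config.php and wp-content in the document root, and WordPress's documented 755/644 permission model; the install it operates on is a constructed fixture so the script can be exercised without touching a live site:

```shell
#!/usr/bin/env bash
# Added example (not from the original article): server-side hardening of a WordPress
# install on Apache 2.4. Assumes .htaccess is honoured (AllowOverride), the standard layout
# (wp-config.php and wp-content in the document root) and WordPress's documented 755/644
# permission model.
set -eu

# Append rules to an .htaccess only if the marker line is absent: a second run is a no-op
# and WordPress's own "# BEGIN WordPress" rewrite block is never overwritten.
append_rules() {
  local file="$1" marker="$2"
  if grep -qF -- "$marker" "$file" 2>/dev/null; then
    cat > /dev/null                  # already present: discard the heredoc
  else
    cat >> "$file"
  fi
}

# Directory listings off, wp-config.php never served, no PHP execution in uploads.
harden_htaccess() {
  local docroot="$1"
  append_rules "$docroot/.htaccess" "Options -Indexes" <<'EOF'
Options -Indexes
<Files "wp-config.php">
    Require all denied
</Files>
EOF
  mkdir -p "$docroot/wp-content/uploads"
  append_rules "$docroot/wp-content/uploads/.htaccess" '<FilesMatch "\.php$">' <<'EOF'
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
EOF
}

# WordPress falls back to ../wp-config.php when none exists in the document root and the
# parent directory is not itself an install (no wp-settings.php there).
move_wp_config() {
  local docroot="$1"
  if [ -f "$docroot/wp-config.php" ] && [ ! -e "$docroot/../wp-config.php" ]; then
    mv "$docroot/wp-config.php" "$docroot/../wp-config.php"
  fi
}

# Insert hardening constants right after the opening <?php line, so they are defined before
# the file reaches require_once ... 'wp-settings.php'. Assumes line 1 is the bare <?php tag.
harden_wp_config() {
  local cfg="$1"
  [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
  if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    {
      head -n 1 "$cfg"
      printf '%s\n' \
        "define('FORCE_SSL_ADMIN', true);    // login and wp-admin over HTTPS only" \
        "define('DISALLOW_FILE_EDIT', true); // no theme/plugin file editor in the dashboard"
      tail -n +2 "$cfg"
    } > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
  fi
  chmod 640 "$cfg"                            # owner plus the web server's group only
}

# Directories 755, files 644; wp-config.php, wherever it ended up, stays at 640.
harden_permissions() {
  local docroot="$1" cfg
  find "$docroot" -type d -exec chmod 755 {} +
  find "$docroot" -type f -exec chmod 644 {} +
  for cfg in "$docroot/wp-config.php" "$docroot/../wp-config.php"; do
    if [ -f "$cfg" ]; then chmod 640 "$cfg"; fi
  done
}

harden_site() {
  harden_htaccess "$1"
  move_wp_config "$1"
  harden_wp_config "$1/../wp-config.php"
  harden_permissions "$1"
}

# Constructed stand-in for a real install so the script can be exercised offline.
make_fixture() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/public_html/wp-content/uploads"
  printf '%s\n' '<?php' "define('DB_NAME', 'wp');" \
    "require_once ABSPATH . 'wp-settings.php';" > "$root/public_html/wp-config.php"
  printf '%s\n' '<?php // constructed placeholder' > "$root/public_html/index.php"
  chmod 777 "$root/public_html/index.php"     # deliberately wrong; to be corrected
  printf '%s\n' "$root/public_html"
}

if [ "${1:-}" = "--demo" ]; then
  demo=$(make_fixture); harden_site "$demo"; ls -lR "$demo/.."
fi
```

Run it with --demo to see the resulting layout, or call harden_site with a real document root. Two details matter in practice: WordPress writes its own rewrite rules between the "# BEGIN WordPress" and "# END WordPress" markers, so the script appends rules instead of overwriting .htaccess, and the constants go directly after the opening <?php line so they are defined before wp-settings.php is loaded. The Require directives are Apache 2.4 syntax; on 2.2 the equivalent is Order deny,allow followed by Deny from all. The PHP version itself is checked with php -v against the currently supported branches on php.net.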


Once your site is up and running, it is important to remain vigilant, because new threats appear all the time. Here are some of the things you need to do to ensure your WordPress site remains as secure as possible:

  • Keep WordPress core, themes, and plugins up to date, and remove any that are unused
  • Run regular scans for malware and for known vulnerabilities in the installed components
  • Require users to update their passwords whenever credentials may have been exposed (and periodically, if your policy calls for it), and enforce strong, unique passwords each time
  • Monitor logins, logouts, failed login attempts, file changes, and database connections, and record anything unusual or suspicious; a successful login that follows a run of failures from the same address deserves immediate attention
  • Use a security plugin with a real-time IP address blocklist to stop known malicious sources before they reach the application
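The monitoring and blocklist items above, together with the failed-login lockout recommended earlier, have a detection side that can be demonstrated on the web server's own access log. The following is an added shell example, not code from the original article or from Lightstream. It assumes Apache's combined log format with WordPress served from the document root, relies on wp-login.php answering a failed login with status 200 and a successful one with a 302 redirect, and uses an operator-chosen threshold; the log lines are constructed samples using RFC 5737 documentation addresses:

```shell
#!/usr/bin/env bash
# Added example (not from the original article): flag brute-force login activity in an
# Apache combined access log and emit an Apache 2.4 access-control block for the offenders.
# Assumes the combined log format and WordPress served from the document root; the per-IP
# threshold is an operator's choice (5 in the demo).
set -eu

# Constructed sample lines (RFC 5737 documentation addresses) standing in for a real log.
# wp-login.php re-renders the form with status 200 on a failed login and answers a success
# with a 302 redirect; xmlrpc.php returns 200 either way, so every POST to it is counted.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [12/Mar/2024:10:01:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2817 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:10:02:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.44 - - [12/Mar/2024:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2024:10:03:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:10:04:00 +0000] "GET / HTTP/1.1" 200 15320 "-" "Mozilla/5.0"
EOF
)

# flag_login_abuse THRESHOLD < access.log
# Prints "brute-force IP COUNT" for sources at or above the threshold, and
# "success-after-failures IP COUNT" when such a source then receives a 302 from
# wp-login.php, which is the event that needs a human immediately.
# Combined-format fields: $1 client, $6 method, $7 path, $9 status.
flag_login_abuse() {
  awk -v thr="$1" '
    $6 != "\"POST"                        { next }
    $7 == "/xmlrpc.php"                   { n[$1]++; next }
    $7 == "/wp-login.php" && $9 == "200"  { n[$1]++; next }
    $7 == "/wp-login.php" && $9 == "302" && n[$1] >= thr { print "success-after-failures", $1, n[$1] }
    END { for (ip in n) if (n[ip] >= thr) print "brute-force", ip, n[ip] }
  ' | sort
}

# Turn the report into an Apache 2.4 block for the vhost or .htaccess: everyone is allowed
# except the flagged addresses.
deny_block() {
  printf '<RequireAll>\n    Require all granted\n'
  awk '$1 == "brute-force" { print "    Require not ip " $2 }'
  printf '</RequireAll>\n'
}

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_login_abuse 5 | deny_block
fi
```

On a live server the same pipeline is flag_login_abuse 5 < /var/log/apache2/access.log | deny_block. Two caveats: behind a reverse proxy or CDN the first field is the proxy's address, so log the real client address (for example with mod_remoteip) before trusting these counts, and a static deny block is the analysis step, not the lockout itself, which in production belongs to a security plugin or a fail2ban-style tool that expires blocks automatically.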


WordPress sites can be highly secure when they are set up and maintained using these practices. But securing a WordPress site to the level that sensitive data demands is not something a beginner, or even an intermediate web developer, is necessarily equipped to do. When you need to protect sensitive data, it pays to work with WordPress security experts like those at Lightstream. If you are interested in building a new secure site on WordPress, would like us to conduct a security audit, or want to discuss how we can make your existing site more secure, contact us to start a conversation.