Advanced WordPress security: protect your site
WordPress security plugins, hardening tips, preventing hacks, malware detection, SSL setup, file permissions, security headers, and recovery after compromise.
WordPress is a target for hackers because millions of sites use it. The good news: most hacks are preventable with proper security practices. Advanced security requires a layered approach combining plugins, hardening, monitoring, and good backups.
Common WordPress threats
- Brute force attacks - Hackers use bots to try thousands of password combinations on wp-login.php
- Plugin vulnerabilities - Outdated plugins with known security holes are exploited
- Theme vulnerabilities - Hacked or outdated themes can be compromised
- SQL injection - Attackers inject SQL through unsanitized form fields or URL parameters
- File upload abuse - Attackers upload malware through media upload features
- Cross-site scripting (XSS) - Malicious JavaScript injected into pages
- Cross-site request forgery (CSRF) - Attackers trick admin users into performing unwanted actions
- Weak admin passwords - Simple passwords are cracked quickly
Essential security plugins
Wordfence (Best overall)
Wordfence is the most comprehensive WordPress security solution. It includes a firewall, login security, malware scanner, and monitoring.
- Core features (free):
  - Malware scanner - scans your site hourly for malware
  - Login security - blocks brute force attacks, enforces strong passwords
  - Firewall - blocks common attacks before they reach your site
  - Activity log - logs all admin actions and user activity
- Premium features: Real-time threat intelligence, priority support, country-based access controls
- Setup: Install and activate; the free version works out of the box
Sucuri Security
Sucuri focuses on malware detection and website integrity monitoring. It's known for detailed security notifications.
- Free features: Security audits, malware detection, file integrity monitoring
- Premium features: Malware removal, website firewall (WAF), DDoS protection
- Best for: E-commerce sites, high-traffic WordPress sites
iThemes Security (formerly Better WP Security)
Lightweight security plugin focused on hardening and attack prevention.
- Features: Two-factor authentication, login change, password policy enforcement, database backups
- Cost: Free / Premium plans
- Best for: Users who want simple, focused security
Running two security plugins simultaneously can cause conflicts (both trying to block login attempts, both modifying the .htaccess file, etc.). Choose ONE primary security plugin and pair it with a dedicated backup plugin if needed.
Hardening WordPress
1. Disable file editing in WordPress
If an attacker gains admin access, they could edit theme and plugin files directly from the WordPress admin and drop a backdoor in seconds. Disable this:
Add this line to your wp-config.php file (above the line that reads /* That's all, stop editing! */):
define('DISALLOW_FILE_EDIT', true);
2. Change the wp-admin directory (optional)
Move the login path to something obscure (e.g., /wp-admin-secret/). This is obscurity rather than real protection: automated brute force bots expect /wp-admin and /wp-login.php and fail to find the form, but it does not replace login attempt limits or 2FA.
Use plugins like iThemes Security to automate this without manual file changes.
3. Hide WordPress version
Attackers scan for specific WordPress versions with known vulnerabilities, so keep core current and avoid advertising the version in your page source. Enable automatic core updates in wp-config.php:
define('WP_AUTO_UPDATE_CORE', true);
This constant keeps core patched; it does not remove the version string itself. To hide the version from the generator meta tag, use a security plugin (most have a setting for this).
4. Block plugin and theme installation from the dashboard
Disable plugin and theme installation, updates, and the file editors entirely (a stricter setting than DISALLOW_FILE_EDIT):
define('DISALLOW_FILE_MODS', true);
With this set, updates can no longer be applied from the dashboard, so only use it on sites where updates are handled another way (for example by your host or with WP-CLI).
5. Limit login attempts
Brute force attacks try thousands of passwords. Most security plugins limit login attempts automatically, but ensure it's enabled:
- Lock account after 5 failed attempts for 30 minutes
- Log and alert on repeated failures from the same IP
- Block known bot IP addresses
6. Change the database table prefix
By default, WordPress uses the "wp_" prefix for database tables (wp_posts, wp_users, etc.), so automated SQL injection payloads assume those names. Set a unique prefix in wp-config.php, ideally before installation (changing it on a live site means renaming every table and the prefixed rows in the options and usermeta tables). The prefix must be a fixed string, since wp-config.php is read on every request and WordPress functions are not yet loaded when it runs; replace the suffix below with your own random characters:
$table_prefix = 'secure_k3x9_';
7. Two-factor authentication (2FA)
Require a second form of verification (phone code, authenticator app) to log in, even if password is compromised:
- Use Google Authenticator or Authy with iThemes Security or Wordfence
- Require 2FA for all admin users
- Provide backup authentication codes for admin users
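Steps 1 to 7 above are configuration switches; step 5 (limit login attempts) is the one that needs code if your security plugin does not already cover it. The must-use plugin below is an added example, not code from the original page and not taken from Wordfence or iThemes Security; it implements the article's rule of 5 failed attempts → 30-minute lockout per IP using only WordPress core hooks and transients. It assumes a single web server that sees the real client address in REMOTE_ADDR; behind a CDN or reverse proxy every visitor shares one address and this would lock everyone out, so ask your host which header carries the client IP before deploying it.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Description: Locks an IP address out for 30 minutes after 5 failed logins.
 * Save as wp-content/mu-plugins/login-limiter.php; mu-plugins load without activation.
 * Illustrative code, not from the original page or from any security plugin.
 */

// Thresholds follow the article: 5 failures inside the window trigger a 30-minute lock.
define('LIMITER_MAX_ATTEMPTS', 5);
define('LIMITER_LOCKOUT_SECONDS', 30 * MINUTE_IN_SECONDS);

/**
 * Transient key for the caller's address. REMOTE_ADDR is assumed to be the real
 * client (no proxy in front); hashing keeps the key short and option-name safe.
 */
function limiter_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'login_fail_' . md5($ip);
}

/** Count a failed login; once the threshold is reached, write a log line for alerting. */
function limiter_record_failure($username): void {
    $key   = limiter_key();
    $count = (int) get_transient($key) + 1;
    // The transient expires after the lockout window, so counts reset on their own.
    set_transient($key, $count, LIMITER_LOCKOUT_SECONDS);

    if ($count >= LIMITER_MAX_ATTEMPTS) {
        // Goes to the PHP error log, which host-level monitoring can watch for repeats.
        error_log(sprintf(
            'wp-login lockout: %s after %d failures (last username "%s")',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown',
            $count,
            sanitize_user((string) $username)
        ));
    }
}
add_action('wp_login_failed', 'limiter_record_failure');

/**
 * Refuse authentication while the address is locked. Priority 30 runs after the
 * core username/email password checks, so a locked address cannot log in even
 * with the right password.
 */
function limiter_check_lockout($user, $username, $password) {
    if ($username === '' || $username === null) {
        return $user; // Plain page load, nothing to evaluate.
    }
    if ((int) get_transient(limiter_key()) >= LIMITER_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed logins. Try again in 30 minutes.')
        );
    }
    return $user;
}
add_filter('authenticate', 'limiter_check_lockout', 30, 3);

/** A successful login clears the counter so a legitimate user's earlier typos are forgotten. */
add_action('wp_login', function () {
    delete_transient(limiter_key());
});
```

Transients are stored in the options table (or in the object cache if one is configured), so no extra table is needed and the lock survives across PHP processes. The error_log line is what turns step 5's "log and alert on repeated failures" into something your host or a log watcher can act on.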
SSL certificate (HTTPS)
HTTPS encrypts data in transit between your visitor's browser and your server. It's essential for security and is now a Google ranking factor.
- Check status: Your site should show a green lock icon in the browser address bar
- Installation: UnderHost provides free AutoSSL certificates (installed automatically)
- WordPress configuration: Go to Settings → General and ensure both WordPress Address and Site Address begin with https://
- Mixed content: Check browser console for "mixed content" warnings (insecure images, JavaScript, etc.)
See our AutoSSL setup guide for details.
File and directory permissions
Proper file permissions prevent unauthorized modification:
- Directories: 755 (rwxr-xr-x) - readable and executable by all, writable only by owner
- Files: 644 (rw-r--r--) - readable by all, writable only by owner
- wp-config.php: 600 (rw-------) - readable and writable only by owner
- /wp-content/uploads/: 755 or 775 - must be writable by the web server for plugin/theme uploads
Most web hosts set these correctly by default. Check with support if you're unsure.
Security HTTP headers
HTTP security headers tell browsers how to handle your content, preventing certain types of attacks:
X-Frame-Options: SAMEORIGIN
Prevents "clickjacking" attacks where your site is embedded in an invisible iframe and users are tricked into clicking something malicious.
X-Content-Type-Options: nosniff
Prevents browsers from guessing (sniffing) a file's type from its content. A response served as text/plain that happens to contain JavaScript won't be executed as a script.
Content-Security-Policy (CSP)
Controls which origins resources (scripts, images, stylesheets) may be loaded from. A strict policy blunts XSS attacks because injected script from an unlisted source is refused by the browser.
Strict-Transport-Security (HSTS)
Tells browsers to use HTTPS for every request to your site. After the first HTTPS visit, the browser rewrites any http:// link to https:// itself, before the request leaves the machine, so a downgrade attempt never reaches the network.
How to add headers: Most security plugins add these automatically. If not, add them to your .htaccess file (or ask UnderHost support to add them at the server level).
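If your security plugin does not set these headers and you would rather not touch .htaccess, they can be sent from a must-use plugin. The file below is an added example, not code from the original page, and it also performs the generator-tag removal mentioned under "Hide WordPress version" above. The CSP values are assumptions you must adapt to the scripts your theme and plugins actually load, which is why it starts in report-only mode.

```php
<?php
/**
 * Plugin Name: Security headers (added example)
 * Description: Sends the four headers from the article plus Referrer-Policy,
 * and strips the WordPress version from the page head and feeds.
 * Save as wp-content/mu-plugins/security-headers.php.
 * Illustrative code, not from the original page.
 */

// Stop printing <meta name="generator" content="WordPress x.y"> in the <head>.
remove_action('wp_head', 'wp_generator');

// Blank the generator line in RSS/Atom feeds as well.
add_filter('the_generator', '__return_empty_string');

function sh_send_security_headers(): void {
    if (headers_sent()) {
        return; // Output already started (usually a plugin bug); headers cannot be added now.
    }

    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');

    // Browsers ignore HSTS received over plain HTTP, so only send it on HTTPS.
    // One year with includeSubDomains is the usual production value; test with a
    // short max-age first, because a wrong HSTS header is cached by visitors.
    if (is_ssl()) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    }

    // Report-Only: the browser logs violations to its console but blocks nothing.
    // Run it this way until the console is clean, then rename the header to
    // Content-Security-Policy to enforce it. 'unsafe-inline' is an assumption
    // because most themes still emit inline scripts; it weakens XSS protection,
    // so remove it once you have moved inline code into files or added nonces.
    $csp = implode('; ', [
        "default-src 'self'",
        "img-src 'self' data: https:",
        "script-src 'self' 'unsafe-inline'",
        "style-src 'self' 'unsafe-inline'",
        "frame-ancestors 'self'",
    ]);
    header('Content-Security-Policy-Report-Only: ' . $csp);
}
// send_headers fires for front-end requests handled by the main WordPress query.
add_action('send_headers', 'sh_send_security_headers');
```

One caveat on coverage: the send_headers hook does not run for wp-admin or wp-login.php, so this protects public pages only. To cover the admin side too, set the same headers in .htaccess or have UnderHost support add them at the server level, as the paragraph above suggests. Verify either way by loading a page and inspecting the response headers in the browser's network tab.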
Security monitoring
Continuous monitoring detects issues early:
- Activity logging: Track all admin logins, post edits, plugin/theme changes
- File integrity: Monitor for unauthorized changes to core WordPress files
- Login notifications: Email alerts when admin user logs in
- Malware scans: Automatic daily or weekly scans for malware
- Failed login reports: Track brute force attempts and suspicious activity
- Database backups: Automatic daily backups for quick recovery
Wordfence and Sucuri provide these out of the box.
Recovery after compromise
If your site is hacked despite these precautions:
- Isolate the site: Take it offline (rename index.php temporarily or put in maintenance mode)
- Change all passwords: WordPress admin, FTP, cPanel, database user, hosting control panel
- Scan for malware: Run Wordfence or Sucuri comprehensive scan (not just quick scan)
- Remove backdoors: Hackers often install backdoors for re-entry. Delete unused plugins, themes, and suspicious files
- Check the database: Look for rogue admin users, malicious SQL in posts/pages
- Restore from backup: If the site is heavily compromised, restore from a clean backup made before the hack
- Update WordPress, plugins, themes: Ensure everything is current
- Reinforce security: Implement 2FA, limit login attempts, set proper file permissions
- Rebuild trust: If customer data was exposed, contact affected users and consider offering credit monitoring
- Monitor closely: Watch the security log for 2-4 weeks to ensure the hacker doesn't return
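The "Check the database" and "Remove backdoors" steps are tedious by hand. The script below is an added example, not from the original page, that gathers the evidence those steps ask for in one read-only pass: it lists every administrator account, flags posts and pages containing fragments typical of injected code, and finds PHP files inside the uploads directory, where only media should live. It assumes WP-CLI is available on the host (run it with `wp eval-file audit.php` from the site root) and that the search patterns are a starting point you extend; every hit is something to review, not proof of compromise.

```php
<?php
/**
 * Post-compromise audit (added example, not from the original page).
 * Usage: wp eval-file audit.php
 * Read-only: it reports findings and deletes nothing.
 */

// 1. Administrator accounts: compare this list with the people you actually expect.
$admins = get_users(['role' => 'administrator']);
WP_CLI::log(sprintf('%d administrator account(s):', count($admins)));
foreach ($admins as $u) {
    WP_CLI::log(sprintf(
        '  #%d %s <%s> registered %s',
        $u->ID, $u->user_login, $u->user_email, $u->user_registered
    ));
}

// 2. Content containing fragments typical of injected code. Patterns are assumptions;
//    legitimate embeds can match too, so inspect each hit before deleting anything.
global $wpdb;
$patterns = ['<script', 'eval(', 'base64_decode', '<iframe'];
foreach ($patterns as $p) {
    // esc_like() escapes % and _ in the pattern; prepare() quotes the final value.
    $like = '%' . $wpdb->esc_like($p) . '%';
    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT ID, post_type, post_title, post_modified
           FROM {$wpdb->posts}
          WHERE post_content LIKE %s AND post_status <> 'trash'",
        $like
    ));
    foreach ($rows as $r) {
        WP_CLI::warning(sprintf(
            '%s #%d "%s" contains %s (last modified %s)',
            $r->post_type, $r->ID, $r->post_title, $p, $r->post_modified
        ));
    }
}

// 3. PHP files under wp-content/uploads: media uploads should never be executable code.
$upload_dir = wp_upload_dir()['basedir'];
if (is_dir($upload_dir)) {
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($upload_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (preg_match('/\.(php|phtml|php[0-9])$/i', $file->getFilename())) {
            WP_CLI::warning('PHP file in uploads: ' . $file->getPathname());
        }
    }
}

// 4. Core file integrity is a separate built-in command; remind the operator to run it.
WP_CLI::log('Next, run `wp core verify-checksums` to detect modified core files.');
```

Keep the output of this script with the incident notes: the list of administrators and modification timestamps is exactly what you will need later to decide how far back a clean backup has to reach.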
When to call UnderHost support
Open a support ticket if:
- You need help restoring from a backup
- You need help removing a backdoor or malware
- You need server-level security headers added
- Your site is being DDoS attacked and you need firewall help
Security checklist
Use this checklist to ensure comprehensive WordPress security:
- ☐ Install a security plugin (Wordfence or Sucuri)
- ☐ Set strong admin password (20+ characters, uppercase, lowercase, numbers, symbols)
- ☐ Remove default admin username
- ☐ Enable two-factor authentication (2FA) for all admin users
- ☐ Install free SSL certificate (AutoSSL)
- ☐ Enable HTTPS in WordPress settings (Settings → General)
- ☐ Update WordPress to the latest version
- ☐ Update all plugins and themes
- ☐ Remove unused plugins and themes
- ☐ Disable file editing (add to wp-config.php)
- ☐ Set correct file permissions (644 files, 755 directories)
- ☐ Enable automatic daily backups (UpdraftPlus or Wordfence)
- ☐ Set up login attempt limiting (5 fails = 30 min lockout)
- ☐ Enable activity logging (track admin actions)
- ☐ Enable file integrity monitoring (detect unauthorized changes)
- ☐ Test your backup restore process
- ☐ Review security logs weekly
Set up security once, but maintain it continuously: update WordPress and plugins immediately, monitor logs regularly, test backups quarterly, and keep your host informed of any issues.
Related: WordPress troubleshooting: common issues and fixes | WordPress backup and restore: complete guide | Security firewall rules
Need managed WordPress hosting?
Run WordPress on UnderHost managed hosting with performance tuning, SSL, backups, security guidance, and expert support.