Your WordPress site is under attack right now. Bots are trying to break in, hackers are scanning for vulnerabilities, and automated scripts are testing weak passwords.
Don't panic. WordPress powers 43% of all websites because it's robust and secure when configured properly. The problem? Most site owners skip the essential security settings that keep the bad guys out.
In this guide, you'll learn the critical security settings every WordPress site needs. We'll walk through each one step-by-step, so you can secure your site in under 30 minutes.
Why WordPress Security Settings Matter
WordPress gets a bad reputation for security. But most breaches happen because of poor configuration, not flaws in WordPress itself.
Think of it like a house. WordPress gives you solid walls and a front door. But if you leave that door unlocked with the key under the mat, you're asking for trouble.
These settings are your locks, alarms, and security cameras. Set them up once, and they work 24/7 to protect your site.
Essential WordPress Security Settings
1. Update Everything Immediately
Before touching any settings, update WordPress core, themes, and plugins. Outdated software is the number one cause of WordPress hacks.
How to check for updates:
- Go to Dashboard → Updates
- Install any available WordPress updates first
- Update all plugins and themes
- Set up automatic updates for minor releases
Pro tip: If you're worried about updates breaking your site, consider our WordPress maintenance service that handles updates safely with full backups.
2. Change Your Admin Username
Never use "admin" as your username. It's the first thing hackers try.
To change your admin username:
- Go to Users → All Users
- Click "Edit" next to your admin user
- Change the username (you might need to create a new admin user and delete the old one)
- Use something unique, not related to your business name
3. Strengthen Your Password Policy
Weak passwords are like leaving your front door wide open.
Password requirements:
- Minimum 12 characters
- Mix of uppercase, lowercase, numbers, and symbols
- Unique to your WordPress site
- Changed every 6 months
To enforce strong passwords: Install a plugin like "Force Strong Passwords" or use WordPress's built-in password strength meter as guidance.
4. Enable Two-Factor Authentication
Two-factor authentication (2FA) adds a second layer of security. Even if someone guesses your password, they can't get in without your phone.
Setting up 2FA:
- Install the "Two Factor" plugin from the WordPress repository
- Go to Users → Your Profile
- Enable your preferred 2FA method (authenticator app recommended)
- Test the login process
5. Limit Login Attempts
By default, WordPress lets people try to log in as many times as they want. This makes brute force attacks easy.
To limit login attempts:
- Install "Limit Login Attempts Reloaded"
- Configure to lock out users after 3-5 failed attempts
- Set lockout duration to 60 minutes
- Enable email notifications for lockouts
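The throttle described in this section, and the failed-login monitoring recommended later under "Monitor Failed Login Attempts", can also be done without a plugin. This is an added example, not the article's own code or the "Limit Login Attempts Reloaded" plugin; the `elt_` names, the 5-attempt threshold and the transient-based counter are this example's own choices.

```php
<?php
/**
 * Plugin Name: Example Login Throttle
 * Constructed example: save as wp-content/mu-plugins/login-throttle.php
 * and WordPress loads it automatically, without activation.
 */
const ELT_MAX_ATTEMPTS    = 5;     // failed logins before lockout (3-5 recommended above)
const ELT_LOCKOUT_SECONDS = 3600;  // 60-minute lockout, as recommended above

// Uses REMOTE_ADDR only. Behind a CDN or reverse proxy every visitor shares one address,
// so configure the proxy to pass the real client IP, or all visitors lock out together.
function elt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '0.0.0.0';
}
function elt_key( $ip ) {
    return 'elt_fail_' . md5( $ip );
}

// Count failures per IP in a transient that expires with the lockout window, write each one
// to the PHP error log (your monitoring trail), and email the admin when the limit is hit.
function elt_record_failure( $username, $error = null ) {
    if ( $error instanceof WP_Error && 'elt_locked_out' === $error->get_error_code() ) {
        return; // do not extend the lockout for attempts we rejected ourselves
    }
    $ip    = elt_client_ip();
    $fails = (int) get_transient( elt_key( $ip ) ) + 1;
    set_transient( elt_key( $ip ), $fails, ELT_LOCKOUT_SECONDS );
    error_log( sprintf( 'WP login failed: user=%s ip=%s attempt=%d', $username, $ip, $fails ) );
    if ( ELT_MAX_ATTEMPTS === $fails ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . home_url(),
            sprintf( 'IP %s locked out for %d minutes after %d failed logins.', $ip, ELT_LOCKOUT_SECONDS / 60, $fails )
        );
    }
}
add_action( 'wp_login_failed', 'elt_record_failure', 10, 2 );

// Refuse authentication while locked out. Priority 30 runs after core's username/password
// check at priority 20, so this error replaces any WP_User result even for a correct password.
function elt_check_lockout( $user, $username, $password ) {
    if ( (int) get_transient( elt_key( elt_client_ip() ) ) >= ELT_MAX_ATTEMPTS ) {
        return new WP_Error( 'elt_locked_out', 'Too many failed logins. Try again in an hour.' );
    }
    return $user;
}
add_filter( 'authenticate', 'elt_check_lockout', 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () { delete_transient( elt_key( elt_client_ip() ) ); } );
```

Transients live in the options table (or the object cache if your host provides one), so the lockout survives across PHP processes but is reset if you flush the cache.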
6. Hide wp-admin from Logged-Out Users
Your WordPress admin area shouldn't be accessible to visitors. By default, WordPress sends a logged-out request for /wp-admin to the login page; the snippet below sends it to your homepage instead. When someone tries to access /wp-admin without being logged in, redirect them away. (Placing the code in a child theme or an mu-plugin means a theme update won't remove it.)
Code to add to your theme's functions.php:
function redirect_non_logged_users_from_admin() {
    // Only act on wp-admin requests and skip AJAX calls (admin-ajax.php also sets is_admin(),
    // and logged-out visitors may legitimately use it). The check is on login state rather
    // than the administrator role, so editors and authors keep their dashboard access.
    if ( is_admin() && ! is_user_logged_in() && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_redirect( home_url() );
        exit;
    }
}
add_action( 'init', 'redirect_non_logged_users_from_admin' );
7. Disable File Editing in WordPress
WordPress lets you edit theme and plugin files directly from the admin. This is convenient but dangerous if someone gains access to your account.
To disable file editing, add this to wp-config.php, above the line that reads /* That's all, stop editing! Happy publishing. */:
define('DISALLOW_FILE_EDIT', true);
8. Change the WordPress Database Table Prefix
By default, WordPress uses "wp_" as the database table prefix. Changing this makes it harder for automated attacks that assume the default table names to target your database.
To change the table prefix:
- This requires technical knowledge - consider hiring a developer
- Or choose a custom prefix during WordPress installation
- Never use common prefixes like "wordpress" or "site"
9. Disable XML-RPC (If You Don't Need It)
XML-RPC allows remote connections to WordPress. Unless you're using mobile apps or specific integrations, disable it.
To disable XML-RPC, add to functions.php (note that this filter only turns off the XML-RPC methods that require a login; xmlrpc.php itself keeps answering requests):
add_filter('xmlrpc_enabled', '__return_false');
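A fuller version, added here as an example rather than taken from the article: it keeps the one-line filter above, also removes the pingback methods that need no login and are left enabled by that filter, and stops the site advertising the endpoint. The example_ function names are this example's own.

```php
<?php
// Constructed example for functions.php or an mu-plugin, not the article's own snippet.

// 1. Turn off every XML-RPC method that requires authentication (same as the one-liner above).
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. The pingback methods need no login, so the filter above leaves them reachable.
//    Unregister them so xmlrpc.php no longer accepts pingbacks at all.
function example_remove_pingback_methods( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_remove_pingback_methods' );

// 3. Stop sending the X-Pingback response header that points clients at xmlrpc.php.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );

// 4. Drop the RSD discovery <link> in the page head, which also references xmlrpc.php.
remove_action( 'wp_head', 'rsd_link' );
```

If a mobile app or integration stops working after this, it relies on XML-RPC; remove the code or switch that tool to the REST API.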
10. Set Proper File Permissions
Wrong file permissions can let attackers modify your files. Here are the correct settings:
- Folders: 755 or 750
- Files: 644 or 640
- wp-config.php: 600 or 644
To check file permissions: Use your hosting control panel's file manager or FTP client. Most good hosting providers set these correctly by default.
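For a site you can reach over SSH, the check can be scripted. This is an added example, not part of the article: run it from the WordPress root with `php check-perms.php`; it lists every path whose mode is not one of the values above. The file name and the allowed-mode tables are this example's own choices.

```php
<?php
// Constructed example: audit WordPress file permissions against the recommended values.
$root    = __DIR__;
$allowed = [
    'dir'  => [ 0755, 0750 ],
    'file' => [ 0644, 0640 ],
];
// wp-config.php holds the database credentials, so it has its own stricter set.
$special = [ $root . DIRECTORY_SEPARATOR . 'wp-config.php' => [ 0600, 0644 ] ];

// Render a list of octal modes as "755 or 750" for the report.
function example_format_modes( array $modes ) {
    return implode( ' or ', array_map( function ( $m ) { return sprintf( '%o', $m ); }, $modes ) );
}

// Walk the whole tree, directories before their contents, skipping "." and "..".
$iterator = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::SELF_FIRST
);

$problems = 0;
foreach ( $iterator as $path => $info ) {
    $mode = fileperms( $path ) & 0777;   // keep only the rwx bits
    $ok   = $special[ $path ] ?? $allowed[ $info->isDir() ? 'dir' : 'file' ];
    if ( ! in_array( $mode, $ok, true ) ) {
        printf( "%-4o %s (expected %s)\n", $mode, $path, example_format_modes( $ok ) );
        $problems++;
    }
}

// World-writable entries (mode ending in 6 or 7) are the ones to fix first: any process
// on the server, not just your account, could edit those files.
printf( "%d path(s) with unexpected permissions\n", $problems );
exit( $problems > 0 ? 1 : 0 );
```

The non-zero exit code lets you run it from cron and alert only when something changed.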
Advanced Security Settings
Security Headers
Add these security headers to your .htaccess file (Apache with mod_headers enabled; on nginx set the same headers in the server block instead). Two caveats: X-Frame-Options DENY also blocks the WordPress Customizer, which previews your site in an iframe, so use SAMEORIGIN if you rely on it; and X-XSS-Protection is ignored by current browsers and only helps older ones:
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
    Header always set X-XSS-Protection "1; mode=block"
</IfModule>
Content Security Policy
A Content Security Policy (CSP) restricts where scripts, styles, images, and other resources may load from, which limits what an injected script can do. This is advanced but worth implementing. The 'unsafe-inline' allowance is needed because WordPress core, themes, and plugins print inline scripts, but it also weakens the protection; and default-src 'self' blocks fonts, images, and embeds served from other domains. Roll the policy out first as Content-Security-Policy-Report-Only, check the browser console for blocked resources, and only then switch to the enforcing header:
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'"
</IfModule>
Security Plugins vs Manual Configuration
You might wonder: should I use a security plugin or configure everything manually?
Security plugins are good for:
- Beginners who want everything automated
- Sites that need firewalls and malware scanning
- Busy owners who don't have time for manual updates
Manual configuration is better for:
- Developers who understand what each setting does
- Sites that need custom security rules
- Anyone who wants full control
Popular security plugins include Wordfence, Sucuri, and iThemes Security. They'll handle most of these settings automatically.
Common Security Mistakes to Avoid
Using Nulled Themes or Plugins
Never download "free" premium themes or plugins from dodgy sites. They often contain malware.
Ignoring Updates
That plugin update notification isn't just about new features. It might be patching a critical security flaw.
Weak Hosting
Your security settings won't help if your hosting provider has poor security. Choose a host that takes security seriously.
No Backups
Security isn't just about prevention. When something goes wrong (and it might), you need recent backups to restore your site quickly.
Troubleshooting Common Issues
Locked Out of Your Own Site
If you've enabled login limits and locked yourself out:
- Wait for the lockout period to expire
- Or access your hosting control panel and reset the plugin settings
- Or add your IP address to the plugin's whitelist
Site Breaking After Security Changes
If your site breaks after implementing security settings:
- Deactivate recently installed security plugins
- Remove recently added code from functions.php or .htaccess
- Check your hosting error logs for specific issues
- Contact your hosting support for help
Plugin Conflicts
Security plugins sometimes conflict with other plugins:
- Deactivate all plugins except the security plugin
- Test if the issue persists
- Reactivate plugins one by one to identify conflicts
- Contact plugin support for compatibility help
Monitoring Your Security
Setting up security isn't a one-time task. You need ongoing monitoring:
Regular Security Scans
Run security scans monthly to check for malware and vulnerabilities. Many security plugins include this feature.
Monitor Failed Login Attempts
Keep an eye on failed login attempts. A sudden spike might indicate an attack.
Check Your Website Trust Score
Trust signals tell visitors and search engines that your site is secure and legitimate.
Review User Accounts
Regularly audit user accounts. Remove old accounts and ensure everyone has appropriate permissions.
What's Next?
Once you've secured your WordPress site, consider these next steps:
- Set up automated backups - Security prevents problems, but backups solve them
- Learn about WordPress maintenance - Keep your site secure and running smoothly
- Consider managed hosting - Let experts handle server-level security
- Get a security audit - Professional review of your site's security
WordPress security isn't complicated, but it is critical. These settings protect your business, your customers, and your reputation.
Take 30 minutes today to implement these security measures. Your future self will thank you when your site stays online while others get hacked.
Need help securing your WordPress site? Get in touch and we'll make sure your site is properly protected.