Securing WordPress

This is my first blog post, and I think the perfect ice-breaker would be to explain how I hardened my WordPress site from intrusion and spam, beyond what the standard installation provides, through the use of plugins.

If you want to know how to install WordPress on your own server, check out this great guide from WPBeginner. They provide the process for several different installation methods, including how to install a WordPress Multisite Network.

Before you go on, you’ll also need to know how to search for and install plugins. WPBeginner has another great guide for this; you can find it here.


  1. Akismet Anti-Spam

Akismet is the first plugin I activated on my site. I didn’t have to actually install it, because it came pre-loaded when I installed the WordPress core. Akismet provides spam detection and filtering on any comment and contact form submissions from your readers.

To activate it, you must visit and register. You’ll have to choose a subscription plan. I chose the free plan and simply paid a one-time donation of my choosing. Once you have an active subscription, you’ll be able to retrieve an API key. Copy that key and paste it into the settings page for your Akismet plugin. That’s it! Any form submissions from visitors will now be subject to spam-filtering. You may need to periodically check your spam comments folder in your control panel, under “comments”.


  2. All in One WordPress Security

As the name says, this truly is an All In One plugin. There are dozens of screens with numerous settings on them. I won’t be able to go into detail on all of them, but I can give you a rundown of the top four sections I consider most important.

One of the most basic things you can do to protect yourself is to reveal as little information about your setup as possible. If a malicious visitor knows what version of Apache, PHP, WordPress, etc. you are running, it makes it easier for them to know which vulnerabilities they can immediately exploit. This is especially true if you are running an outdated piece of software. Version numbers that appear in footers or similar places are too easy to search for in Google or other search engines. For this reason, you should enable the option under AIOWPS > Settings > WP Version Info to hide version numbers from appearing in the source code of your generated pages.
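To confirm the setting took effect, you can scan a saved copy of one of your own pages for the two places WordPress normally prints version strings: the generator meta tag and the `ver=` argument on enqueued assets. This is an added example, not code from AIOWPS; the sample HTML and its version numbers are constructed, and `find_version_leaks` is a hypothetical helper name.

```python
import re

# Constructed page source; the versions and the plugin path are made up.
BEFORE = """<head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="/wp-includes/css/style.min.css?ver=6.4.2" />
<script src="/wp-content/plugins/example-plugin/app.js?x=1&ver=1.9.0"></script>
</head>"""
AFTER = """<head>
<link rel="stylesheet" href="/wp-includes/css/style.min.css" />
<script src="/wp-content/plugins/example-plugin/app.js?x=1"></script>
</head>"""

# <meta name="generator" ...> is where WordPress core announces its version.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\']', re.I)
# Enqueued scripts and styles carry a version as a ver= query argument,
# either first after "?" or after "&" (also written "&amp;" or "&#038;").
ASSET_RE = re.compile(
    r'(?:href|src)=["\']([^"\'?]+)\?(?:[^"\']*[&;])?ver=([^"\'&]+)', re.I)

def find_version_leaks(html):
    """Return (kind, where, value) for every version string found in html."""
    leaks = [("generator-meta", "head", m.group(1))
             for m in GENERATOR_RE.finditer(html)]
    leaks += [("asset-query", m.group(1), m.group(2))
              for m in ASSET_RE.finditer(html)]
    return leaks

if __name__ == "__main__":
    for label, page in (("before", BEFORE), ("after", AFTER)):
        print(label, find_version_leaks(page))
```

Which of these locations the plugin option actually cleans up is something to verify against your own page source; an empty result means neither pattern is present.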

One of the biggest problems with a public-facing login page (like a blog or website) is brute force attacks. This is where someone points a bot at your login page and continuously tries known or random combinations of passwords to gain access to your control panel. Browse to AIOWPS > User Login > Login Lockdown to find options that help prevent brute force attempts. The options here are pretty self-explanatory. The top checkbox and the following 3 text fields are the most important. With these settings, you can block IP addresses that have made repeated failed logon attempts from accessing your site entirely. You can also make a list of usernames that will immediately cause an IP to be blocked if anyone attempts to log in with them. As you’ll see in the screenshot below, I included some generic usernames that I know are not valid on my site, and may be used in a brute force attack.

(For security reasons, I’ve redacted the time settings in my screenshot.)
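The lockdown behaviour described above (block an IP after repeated failures inside a time window, or immediately when it tries a listed username) can be modelled in a few lines. This is an added example, not the plugin's code; the parameter names, thresholds, usernames and events are all constructed for illustration.

```python
from collections import defaultdict, deque

class LoginLockdown:
    """Toy model of a lockdown policy; all parameter names are hypothetical."""

    def __init__(self, max_attempts, retry_window_s, lockout_s, instant_block):
        self.max_attempts = max_attempts      # failures tolerated per window
        self.retry_window_s = retry_window_s  # sliding window for counting them
        self.lockout_s = lockout_s            # how long a block lasts
        self.instant_block = {u.lower() for u in instant_block}
        self.failures = defaultdict(deque)    # ip -> recent failure timestamps
        self.locked_until = {}                # ip -> time the block expires

    def is_locked(self, ip, now):
        return self.locked_until.get(ip, 0) > now

    def record_failure(self, ip, username, now):
        """Record one failed login; return True if the IP is blocked afterwards."""
        if self.is_locked(ip, now):
            return True
        recent = self.failures[ip]
        recent.append(now)
        # Forget failures that have aged out of the retry window.
        while recent and recent[0] <= now - self.retry_window_s:
            recent.popleft()
        if username.lower() in self.instant_block or len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout_s
            recent.clear()
            return True
        return False

def replay(events, policy):
    """Feed (time, ip, username) failures to the policy; return blocked IPs in order."""
    blocked = []
    for now, ip, user in sorted(events):
        if policy.record_failure(ip, user, now) and ip not in blocked:
            blocked.append(ip)
    return blocked

# Constructed events: seconds since start, documentation-range IPs, made-up names.
EVENTS = [
    (0, "203.0.113.5", "alice"), (20, "203.0.113.5", "alice"),
    (40, "203.0.113.5", "alice"),   # third failure within 300 s -> blocked
    (10, "198.51.100.7", "admin"),  # username on the instant-block list
    (0, "192.0.2.9", "bob"), (400, "192.0.2.9", "bob"), (800, "192.0.2.9", "bob"),
]

if __name__ == "__main__":
    print(replay(EVENTS, LoginLockdown(3, 300, 3600, {"admin", "test"})))
```

The third address never gets blocked because its failures are spread further apart than the retry window, which is the trade-off to keep in mind when choosing the window and attempt count.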

I also enabled an auto-logout for all accounts on my site. After two hours (even if you’re active), you are forced to log back in. This ensures that no authentication sessions get left open or orphaned, where they could be stolen. This option is under AIOWPS > User Login > Force Logout.

The last section I’ll talk about is under AIOWPS > Firewall. There are several tabs with many options under each one. Broadly speaking, you may want to just enable them all. You should read each option though, and make changes as are appropriate for your site. Most of these changes make entries to your .htaccess file to limit access to certain other files, like your wp-config.php.

There are several aspects of AIOWPS that I didn’t mention. Things like the Filesystem scan which looks for new or changed files on your server, more spam prevention, adding CAPTCHA to forms, preventing hotlinks to images, database backups(!!!), and much more. Some of these tasks I have handled by other plugins, but not all of them. I’ll leave it to you to decide what is best for your site.


  3. Two-Factor Authentication

This was a no-brainer for me. If you don’t know what Two-Factor Authentication (2FA) is, it’s where you need three pieces of information to log in to an account: a username, a password, and a code that is most often generated by an app on your phone or texted or emailed to you. This code typically changes every 30 seconds, making it impossible to guess. You cannot log in unless you have all three pieces of information. I enable 2FA on every account I have on any website or service, if it’s an available option.
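For app-generated codes, the 30-second rotation described above is normally TOTP (RFC 6238): an HMAC over the number of 30-second periods since the Unix epoch, truncated to a few digits. The sketch below is an added example, not code from the plugin; that the plugin's app codes follow RFC 6238 is an assumption, and the secret is the published RFC test value rather than a real key.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of elapsed periods."""
    return hotp(secret, unix_time // step, digits)

def verify(secret, submitted, unix_time, step=30, digits=6, drift_steps=1):
    """Accept the current period's code or one up to drift_steps periods away."""
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        counter = unix_time // step + d
        if counter < 0:
            continue
        expected = hotp(secret, counter, digits)
        # Constant-time compare; no early exit, so timing does not show
        # which period (if any) matched.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok

# Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real key).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for t in (29, 30, 59, 60):
        print(t, totp(RFC_SECRET, t))
```

The `drift_steps` tolerance is what lets a phone with a slightly wrong clock still log in; it also means a code stays valid a little longer than 30 seconds.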

The free version of this plugin makes 2FA available to every user, but there’s no option to enforce it, like in the screenshot below. Originally, the free version would have worked for me since I was going to be the only author for this blog. I’ve since talked to some former co-workers who have agreed to help me edit and possibly even create content. For that reason, I purchased the premium license to force them to configure 2FA within the first week of their account’s creation.

One of the things I really like about this 2FA plugin in particular is that you can make 2FA a requirement for XMLRPC requests as well (learn about XMLRPC). Unfortunately, most applications that use XMLRPC (like the WordPress mobile app) don’t support 2FA. So if you want to use something that requires XMLRPC, then you’ll have to disable 2FA.


  4. WP-Mail-SMTP

The last plugin I’m going to mention has to do with sending email from your site.

With this plugin you can use SMTP instead of the default PHP mail() function for sending emails. The main reason I prefer this method is because it supports TLS/SSL encryption to an SMTP relay server. I like this because it helps to ensure that emails (in transit from this web server at least) are encrypted and cannot easily be read by anyone spying on web traffic. If the destination server AFTER the relay server doesn’t support TLS/SSL, then the message will have no choice but to travel unencrypted from the relay to the destination. I can at least ensure my leg of the process is secure with this plugin. It’s up to the destination server to allow TLS/SSL connections on their own end.

The final reason I prefer SMTP is because I can have emails sent out through the same server(s) I used for all other email related to This is very useful if you are renting web space from a shared hosting server. All it takes is one website on the shared server to get flagged as spam; from then on, all emails originating from that same server’s IP will be flagged as spam as well.


With these four plugins you can reasonably shore up your WordPress site’s security. There are 100s of other plugins available that provide additional security, and there may even be some that are better than the four I mentioned above. I tried to focus on the most common and most frequently updated plugins, since those have a greater chance of being supported and maintained as time goes on.

What plugins do you use? Do you have any other suggestions for protecting a WordPress site? If so, please leave a comment below!
