{"id":4287,"date":"2021-05-31T10:29:00","date_gmt":"2021-05-31T15:29:00","guid":{"rendered":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/"},"modified":"2025-11-25T09:44:22","modified_gmt":"2025-11-25T15:44:22","slug":"wordpress-security-tips-best-practices","status":"publish","type":"post","link":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/","title":{"rendered":"7 WordPress Security Tips and Best Practices Every Site Owner Should Know"},"content":{"rendered":"<p data-analytics-track-visibility=\"yes\">WordPress security is one of the most important topics for any site owner. Whether you\u2019re managing a boutique eCommerce shop or 50+ client sites, experiencing a security breach can mean a loss of time, money, and credibility\u2014all things no one wants to face.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">While there\u2019s no \u201cone-size-fits-all\u201d security solution for every WordPress site, there are a few security best practices that can make a big impact.&nbsp;<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">In this article, we\u2019ll explain why sites get hacked in the first place and share key security tips that are easy to implement in your workflow. Here\u2019s a quick overview.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Ready to boost your WordPress site security? 
Let\u2019s get started!<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter\" data-analytics-track-visibility=\"yes\"><img decoding=\"async\" src=\"https:\/\/getflywheel.com\/layout\/wp-content\/uploads\/2019\/01\/2018-10-04_Send-your-newsletter-using-WordPress-9034.jpg\" alt=\"two men in blue shirts work in a white office space\" class=\"wp-image-31175\"><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"toc-why-do-wordpress-sites-get-hacked\" data-analytics-track-visibility=\"yes\">Why do WordPress sites get hacked?<\/h2>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Before we jump straight into WordPress security best practices, it can be helpful to understand why websites get hacked in the first place. Generally speaking, hackers&nbsp;target websites for the following reasons:<\/p>\n\n\n\n<ul class=\"wp-block-list\" data-analytics-track-visibility=\"yes\">\n<li>To send spam emails through your site.<\/li>\n\n\n\n<li>To steal your information, such as data, mailing lists, stored credit cards, etc.<\/li>\n\n\n\n<li>To trick your site into installing malware on your users\u2019 machines (or your own).<\/li>\n<\/ul>\n\n\n\n<p data-analytics-track-visibility=\"yes\">While a security event might feel like a personal attack, it\u2019s often part of a larger scheme, such as a <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"outbound\" href=\"https:\/\/www.cloudflare.com\/learning\/ddos\/what-is-a-ddos-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Distributed Denial of Service (DDoS) attack<\/a>. Rather than target a single site, hackers might target the infrastructure your site is operating on, affecting numerous sites at once. 
That\u2019s why it\u2019s important to be familiar with basic WordPress security standards, even if you\u2019re just running a personal website.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">In addition to the above, WordPress may be targeted specifically simply due to its widespread popularity. Because it now <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"outbound\" href=\"https:\/\/w3techs.com\/technologies\/overview\/content_management\" target=\"_blank\" rel=\"noreferrer noopener\">powers more than 43%<\/a> of all websites, WordPress offers a large \u201carea of opportunity\u201d for online attackers.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">But that alone shouldn\u2019t be cause for alarm. WordPress is an open-source content management system (CMS) with a highly dedicated and involved community of <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"outbound\" href=\"https:\/\/wordpress.org\/documentation\/article\/become-a-wordpress-contributor\/\" target=\"_blank\" rel=\"noreferrer noopener\">contributors<\/a>, which means there are a ton of people continuously working to improve the security of the platform.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter\" data-analytics-track-visibility=\"yes\"><img decoding=\"async\" src=\"https:\/\/getflywheel-images.s3.us-east-2.amazonaws.com\/uploads\/2019\/01\/2018-08-09_Gutenberg_Layout-5600-1024x683.jpg\" alt=\"A man wears glasses and works in a green room\" class=\"wp-image-31176\"><\/figure>\n\n\n\n<p data-analytics-track-visibility=\"yes\">The truth is, any website can experience a security issue at any time, and the same goes for sites built with WordPress. 
Luckily, there are several best practices you can implement to increase the security of your WordPress sites and make it far more difficult for hackers to mess things up.<\/p>\n\n\n\n<hr class=\"wp-block-separator aligncenter has-css-opacity\" data-analytics-track-visibility=\"yes\">\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\" data-analytics-track-visibility=\"yes\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"update\" data-analytics-track-visibility=\"yes\">7 WordPress security best practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-1-keep-your-themes-plugins-and-wordpress-version-up\" data-analytics-track-visibility=\"yes\">1. Keep your themes, plugins, and WordPress version up to date<\/h3>\n\n\n\n<p data-analytics-track-visibility=\"yes\">One of the easiest ways to give your site an extra security boost is to keep everything updated.&nbsp;<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">While it might feel tedious to keep up with plugin updates (especially if you\u2019re trying to manage multiple WordPress websites) those updates are published for a reason (and that reason is often security-related).<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">If developers discover a vulnerability in their code, they\u2019ll usually push an update to fix it. The longer your site uses the outdated version, the more likely it is to be targeted by hackers.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">While it might take some time, staying up to date with all plugins, themes, and WordPress core updates is a great way to limit security risks. 
If you\u2019re using a <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/wordpress-hosting\/\" target=\"_blank\" rel=\"noreferrer noopener\">managed host for your WordPress site<\/a>, WordPress version updates should be performed automatically, helping you stay on top of the latest updates to core.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">When it comes to keeping your plugins updated, solutions such as <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/smart-plugin-manager\/\" target=\"_blank\" rel=\"noreferrer noopener\">Smart Plugin Manager<\/a> automatically check your plugins for updates at a pre-scheduled time. Using machine learning and visual testing, Smart Plugin Manager also ensures your site doesn\u2019t break when updates occur.<\/p>\n\n\n\n<hr class=\"wp-block-separator aligncenter has-alpha-channel-opacity\" data-analytics-track-visibility=\"yes\">\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\" data-analytics-track-visibility=\"yes\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-2-apply-username-and-password-best-practices\" data-analytics-track-visibility=\"yes\">2. Apply username and password best practices<\/h3>\n\n\n\n<p data-analytics-track-visibility=\"yes\">There\u2019s nothing new about this security tip, but it\u2019s absolutely worth a reminder:<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Use unique passwords. Use strong usernames. 
Use a password manager.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Hackers weren\u2019t born yesterday; they know all the most common passwords and will test every single one with the username \u201cadmin.\u201d So, do a quick audit.<\/p>\n\n\n\n<ul class=\"wp-block-list\" data-analytics-track-visibility=\"yes\">\n<li>Are your usernames hard to guess?<\/li>\n\n\n\n<li>Are your passwords unique?<\/li>\n\n\n\n<li>Have your passwords been updated recently?<\/li>\n<\/ul>\n\n\n\n<p data-analytics-track-visibility=\"yes\">If you\u2019re feeling overwhelmed trying to remember all these login credentials, I highly recommend a password manager, such as <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"outbound\" href=\"https:\/\/1password.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">1Password<\/a>. Not only will it help you create and store complex credentials, it makes logging into sites a breeze (especially if you\u2019re working with a team!).<\/p>\n\n\n\n<hr class=\"wp-block-separator aligncenter has-alpha-channel-opacity\" data-analytics-track-visibility=\"yes\">\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\" data-analytics-track-visibility=\"yes\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-3-limit-login-attempts\" data-analytics-track-visibility=\"yes\">3. Limit login attempts<\/h3>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Now that your login credentials have been strengthened, take your login security a step further by limiting login attempts! 
This is one of the best ways to defend against <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/resources\/wordpress-brute-force-attack-prevention\/\" target=\"_blank\" rel=\"noreferrer noopener\">brute force attacks<\/a>, which attempt to gain access to your site.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">To limit login attempts, you can use a plugin like <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"outbound\" href=\"https:\/\/wordpress.org\/plugins\/limit-login-attempts\/\" target=\"_blank\" rel=\"noreferrer noopener\">Limit Login Attempts<\/a>, which will block any attempt to log into your site after three errors, putting a block on it for twenty minutes.<\/p>\n\n\n\n<figure class=\"wp-block-image aligncenter\" data-analytics-track-visibility=\"yes\"><img decoding=\"async\" src=\"https:\/\/getflywheel.com\/layout\/wp-content\/uploads\/2019\/01\/2018-04-27_7-ways-to-entice-your-users-to-scroll-7063-copy.jpg\" alt=\"Three men discuss a security issue on a WordPress site\" class=\"wp-image-31178\"><\/figure>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Sure, it might get in your own way if you forget your password, but that\u2019s what password managers are for, remember?<\/p>\n\n\n\n<hr class=\"wp-block-separator aligncenter has-alpha-channel-opacity\" data-analytics-track-visibility=\"yes\">\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\" data-analytics-track-visibility=\"yes\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-4-move-the-wordpress-login-url\" data-analytics-track-visibility=\"yes\">4. 
Move the WordPress login URL<\/h3>\n\n\n\n<p data-analytics-track-visibility=\"yes\">One way to make your WordPress site extra secure is to <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/resources\/wordpress-login-url\/#How_to_Change_Your_WordPress_Login_URL\" target=\"_blank\" rel=\"noreferrer noopener\">change the login page<\/a>. It\u2019s pretty common knowledge that to log into a site, you just add \/wp-admin to the end of the URL. By changing the link, you effectively hide the entryway to your site, making it harder for hackers to find.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">There are a variety of ways you can change your login URL, but the <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"outbound\" href=\"https:\/\/wordpress.org\/plugins\/wps-hide-login\/\" target=\"_blank\" rel=\"noreferrer noopener\">WPS Hide Login<\/a> plugin is a good place to start! Just remember what you change the URL to, and remember to share it with any other site collaborators (including your hosting provider) or clients.<\/p>\n\n\n\n<hr class=\"wp-block-separator aligncenter has-alpha-channel-opacity\" data-analytics-track-visibility=\"yes\">\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\" data-analytics-track-visibility=\"yes\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-5-use-two-factor-authentication\" data-analytics-track-visibility=\"yes\">5. 
Use two-factor authentication<\/h3>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Another great way to make your credentials more secure is to <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/resources\/two-factor-authentication-wordpress\/\" target=\"_blank\" rel=\"noreferrer noopener\">use two-factor authentication<\/a>. This security method acts as a temporary second password that updates every 30 seconds or so.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">To gain access to your site, hackers would have to guess both your true password and the temporary security code within that 30-second timeframe, greatly increasing your chances of blocking them.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Two-factor authentication is great because you can use it with a variety of logins related to the sites you manage. For example, <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/secure-wordpress-hosting\/\" target=\"_blank\" rel=\"noreferrer noopener\">WP Engine allows you to enable two-factor authentication<\/a> on your <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/wordpress-hosting\/\/\" target=\"_blank\" rel=\"noreferrer noopener\">WordPress hosting<\/a> account, and you can also add it to individual WordPress sites.<\/p>\n\n\n\n<hr class=\"wp-block-separator aligncenter has-alpha-channel-opacity\" data-analytics-track-visibility=\"yes\">\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\" data-analytics-track-visibility=\"yes\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-6-add-captcha-to-your-forms\" data-analytics-track-visibility=\"yes\">6. 
Add captcha to your forms<\/h3>\n\n\n\n<p data-analytics-track-visibility=\"yes\">As you\u2019ve probably gathered, locking down your site\u2019s login page is incredibly important. That isn\u2019t the only form you should focus on, however. Don\u2019t forget about blog comments, checkout pages, or any other open form on your website!<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Each of these forms presents opportunities for hackers to submit information to your site, such as malicious links in a comment. Even if it doesn\u2019t directly affect your site\u2019s performance, having shady links will create a confusing user experience, and may even hurt your business.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">To prevent this type of activity, you can install a WordPress plugin like <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"outbound\" href=\"https:\/\/wordpress.org\/plugins\/google-captcha\/\" target=\"_blank\" rel=\"noreferrer noopener\">Google Captcha (reCAPTCHA) by BestWebSoft<\/a>. This will prevent automated programs from posting spam or malicious links to your comments sections or open forms on your site.<\/p>\n\n\n\n<hr class=\"wp-block-separator aligncenter has-alpha-channel-opacity\" data-analytics-track-visibility=\"yes\">\n\n\n\n<div style=\"height:10px\" aria-hidden=\"true\" class=\"wp-block-spacer\" data-analytics-track-visibility=\"yes\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"toc-7-disable-file-editing\" data-analytics-track-visibility=\"yes\">7. Disable file editing<\/h3>\n\n\n\n<p data-analytics-track-visibility=\"yes\">When you disable file editing on your site, you effectively prevent users from editing theme and plugin files directly from the WordPress dashboard. 
While most of the individuals who work on the backend of your site should understand the dangers of editing these important files, mistakes can happen, and if they do, finding and fixing the error can be time-consuming and potentially costly.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">By limiting access to files that are vital to the form and function of your site, even users with admin privileges will be unable to alter theme or plugin files from the dashboard. It will also encourage the developers who work on your code to use best practices, promoting the use of secure file management and version control systems.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">To disable file editing in WordPress, add the following line to your wp-config.php file:<\/p>\n\n\n<div class=\"wp-block-code-wrapper wp-block-acf-code\" data-analytics-track-visibility=\"yes\">\n\t<pre class=\"wp-block-code\"><code>define('DISALLOW_FILE_EDIT', true);<\/code><\/pre>\n<\/div>\n\n\n\n<p data-analytics-track-visibility=\"yes\"><a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" 
data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/security\/\" target=\"_blank\" rel=\"noreferrer noopener\">WordPress security<\/a> is an important topic for every site owner to understand, and while it\u2019s a constantly evolving area of focus, the tips and best practices above should provide a solid baseline for keeping your WordPress sites safe and secure.<\/p>\n\n\n\n<p data-analytics-track-visibility=\"yes\">Visit <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">WP Engine<\/a> to learn about our secure <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"https:\/\/wpengine.com\/wordpress-hosting\/\/\" target=\"_blank\" rel=\"noreferrer noopener\">hosting platform for WordPress<\/a>, or <a data-analytics-action-type=\"link\" data-analytics-link-location=\"Post Content\" data-analytics-link-type=\"internal\" href=\"\/contact\/\">speak to a representative now<\/a> to find out more.&nbsp;&nbsp;<\/p>","protected":false},"excerpt":{"rendered":"<p>WordPress security is one of the most important topics for any site owner. Whether you\u2019re managing a boutique eCommerce shop or 50+ client sites, experiencing a security breach can mean a loss of time, money, and credibility\u2014all things no one wants to face. 
While there\u2019s no \u201cone-size-fits-all\u201d security solution for every WordPress site, there are [&hellip;]<\/p>\n","protected":false},"author":36,"featured_media":2679,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":true,"mediapress_draft_name":"","_mediapress_is_draft_copy":false,"footnotes":""},"audience":[],"blog-category":[121],"buyer-stage":[],"company-and-culture":[],"content-type":[43],"location":[],"persona":[109],"product":[],"topic":[96],"use-cases":[],"class_list":["post-4287","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","blog-category-best-practices","content-type-article","persona-owner","topic-security"],"time_to_read":7,"acf":{"hero_image_alt_text":"","display_author_bio":false,"featured_on_hub_page":false,"featured_on_tag_page":false,"featured_on_category_page":false,"wp_engine_pick":false,"taxonomy_selector":{"":null,"taxonomy-audience":false,"taxonomy-buyer-stage":false,"taxonomy-company-and-culture":false,"taxonomy-content-type":[43],"taxonomy-location":false,"taxonomy-persona":[109],"taxonomy-product":false,"taxonomy-support-topic":false,"taxonomy-topic":[96],"taxonomy-use-cases":false}},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>7 WordPress Security Best Practices Every Site Owner Should Know<\/title>\n<meta name=\"description\" content=\"Learn how to reduce security risks and keep your websites secure with these WordPress security tips and best practices!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"7 
WordPress Security Best Practices Every Site Owner Should Know\" \/>\n<meta property=\"og:description\" content=\"Learn how to reduce security risks and keep your websites secure with these WordPress security tips and best practices!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/\" \/>\n<meta property=\"og:site_name\" content=\"WP Engine\u00ae\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/wpengine\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-31T15:29:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-25T15:44:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/wpengine.com\/wp-content\/uploads\/2025\/09\/WPE-IMG-Thumbnail-1200x630-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Britt Dreisbach\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@wpengine\" \/>\n<meta name=\"twitter:site\" content=\"@wpengine\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Britt Dreisbach\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/\"},\"author\":{\"name\":\"Britt Dreisbach\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/#\\\/schema\\\/person\\\/67dae5c9952fb9a51f0125eea70c098e\"},\"headline\":\"7 WordPress Security Tips and Best Practices Every Site Owner Should Know\",\"datePublished\":\"2021-05-31T15:29:00+00:00\",\"dateModified\":\"2025-11-25T15:44:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/\"},\"wordCount\":1369,\"publisher\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/wpengine.com\\\/wp-content\\\/uploads\\\/2021\\\/05\\\/wordpress-security-tips_1200x627-1.png\",\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/\",\"url\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/\",\"name\":\"7 WordPress Security Best Practices Every Site Owner Should 
Know\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/wpengine.com\\\/wp-content\\\/uploads\\\/2021\\\/05\\\/wordpress-security-tips_1200x627-1.png\",\"datePublished\":\"2021-05-31T15:29:00+00:00\",\"dateModified\":\"2025-11-25T15:44:22+00:00\",\"description\":\"Learn how to reduce security risks and keep your websites secure with these WordPress security tips and best practices!\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/#primaryimage\",\"url\":\"https:\\\/\\\/wpengine.com\\\/wp-content\\\/uploads\\\/2021\\\/05\\\/wordpress-security-tips_1200x627-1.png\",\"contentUrl\":\"https:\\\/\\\/wpengine.com\\\/wp-content\\\/uploads\\\/2021\\\/05\\\/wordpress-security-tips_1200x627-1.png\",\"caption\":\"a man implements security best practices on his WordPress site\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/wordpress-security-tips-best-practices\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/wpengine.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"7 WordPress Security Tips and Best Practices Every Site Owner Should Know\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/#website\",\"url\":\"https:\\\/\\\/wpengine.com\\\/\",\"name\":\"WP 
Engine\u00ae\",\"description\":\"Managed Hosting for WordPress\",\"publisher\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/wpengine.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/#organization\",\"name\":\"WP Engine\",\"url\":\"https:\\\/\\\/wpengine.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/wpengine.com\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/WPEngine_OGImage-1.webp\",\"contentUrl\":\"https:\\\/\\\/wpengine.com\\\/wp-content\\\/uploads\\\/2025\\\/09\\\/WPEngine_OGImage-1.webp\",\"width\":1200,\"height\":630,\"caption\":\"WP Engine\"},\"image\":{\"@id\":\"https:\\\/\\\/wpengine.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/wpengine\\\/\",\"https:\\\/\\\/x.com\\\/wpengine\",\"https:\\\/\\\/www.instagram.com\\\/wpengine\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/wpengine\\\/\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UCJeAEAxX69v24CUBZ0WBYSg\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/wpengine.com\\\/#\\\/schema\\\/person\\\/67dae5c9952fb9a51f0125eea70c098e\",\"name\":\"Britt 
Dreisbach\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/8895e96ebec5211a4f9dc2483d055c38bcd0da21fb7ef6c38973ef8e83a733b4?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/8895e96ebec5211a4f9dc2483d055c38bcd0da21fb7ef6c38973ef8e83a733b4?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/8895e96ebec5211a4f9dc2483d055c38bcd0da21fb7ef6c38973ef8e83a733b4?s=96&d=mm&r=g\",\"caption\":\"Britt Dreisbach\"},\"url\":\"https:\\\/\\\/wpengine.com\\\/blog\\\/author\\\/britt-dreisbach\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"7 WordPress Security Best Practices Every Site Owner Should Know","description":"Learn how to reduce security risks and keep your websites secure with these WordPress security tips and best practices!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/","og_locale":"en_US","og_type":"article","og_title":"7 WordPress Security Best Practices Every Site Owner Should Know","og_description":"Learn how to reduce security risks and keep your websites secure with these WordPress security tips and best practices!","og_url":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/","og_site_name":"WP Engine\u00ae","article_publisher":"https:\/\/www.facebook.com\/wpengine\/","article_published_time":"2021-05-31T15:29:00+00:00","article_modified_time":"2025-11-25T15:44:22+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/wpengine.com\/wp-content\/uploads\/2025\/09\/WPE-IMG-Thumbnail-1200x630-1.jpg","type":"image\/jpeg"}],"author":"Britt Dreisbach","twitter_card":"summary_large_image","twitter_creator":"@wpengine","twitter_site":"@wpengine","twitter_misc":{"Written by":"Britt 
Dreisbach","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/#article","isPartOf":{"@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/"},"author":{"name":"Britt Dreisbach","@id":"https:\/\/wpengine.com\/#\/schema\/person\/67dae5c9952fb9a51f0125eea70c098e"},"headline":"7 WordPress Security Tips and Best Practices Every Site Owner Should Know","datePublished":"2021-05-31T15:29:00+00:00","dateModified":"2025-11-25T15:44:22+00:00","mainEntityOfPage":{"@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/"},"wordCount":1369,"publisher":{"@id":"https:\/\/wpengine.com\/#organization"},"image":{"@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/#primaryimage"},"thumbnailUrl":"https:\/\/wpengine.com\/wp-content\/uploads\/2021\/05\/wordpress-security-tips_1200x627-1.png","inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/","url":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/","name":"7 WordPress Security Best Practices Every Site Owner Should Know","isPartOf":{"@id":"https:\/\/wpengine.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/#primaryimage"},"image":{"@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/#primaryimage"},"thumbnailUrl":"https:\/\/wpengine.com\/wp-content\/uploads\/2021\/05\/wordpress-security-tips_1200x627-1.png","datePublished":"2021-05-31T15:29:00+00:00","dateModified":"2025-11-25T15:44:22+00:00","description":"Learn how to reduce security risks and keep your websites secure with these WordPress security tips and best 
practices!","breadcrumb":{"@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/#primaryimage","url":"https:\/\/wpengine.com\/wp-content\/uploads\/2021\/05\/wordpress-security-tips_1200x627-1.png","contentUrl":"https:\/\/wpengine.com\/wp-content\/uploads\/2021\/05\/wordpress-security-tips_1200x627-1.png","caption":"a man implements security best practices on his WordPress site"},{"@type":"BreadcrumbList","@id":"https:\/\/wpengine.com\/blog\/wordpress-security-tips-best-practices\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/wpengine.com\/"},{"@type":"ListItem","position":2,"name":"7 WordPress Security Tips and Best Practices Every Site Owner Should Know"}]},{"@type":"WebSite","@id":"https:\/\/wpengine.com\/#website","url":"https:\/\/wpengine.com\/","name":"WP Engine\u00ae","description":"Managed Hosting for WordPress","publisher":{"@id":"https:\/\/wpengine.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/wpengine.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/wpengine.com\/#organization","name":"WP Engine","url":"https:\/\/wpengine.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/wpengine.com\/#\/schema\/logo\/image\/","url":"https:\/\/wpengine.com\/wp-content\/uploads\/2025\/09\/WPEngine_OGImage-1.webp","contentUrl":"https:\/\/wpengine.com\/wp-content\/uploads\/2025\/09\/WPEngine_OGImage-1.webp","width":1200,"height":630,"caption":"WP 
Engine"},"image":{"@id":"https:\/\/wpengine.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/wpengine\/","https:\/\/x.com\/wpengine","https:\/\/www.instagram.com\/wpengine\/","https:\/\/www.linkedin.com\/company\/wpengine\/","https:\/\/www.youtube.com\/channel\/UCJeAEAxX69v24CUBZ0WBYSg"]},{"@type":"Person","@id":"https:\/\/wpengine.com\/#\/schema\/person\/67dae5c9952fb9a51f0125eea70c098e","name":"Britt Dreisbach","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/8895e96ebec5211a4f9dc2483d055c38bcd0da21fb7ef6c38973ef8e83a733b4?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/8895e96ebec5211a4f9dc2483d055c38bcd0da21fb7ef6c38973ef8e83a733b4?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8895e96ebec5211a4f9dc2483d055c38bcd0da21fb7ef6c38973ef8e83a733b4?s=96&d=mm&r=g","caption":"Britt Dreisbach"},"url":"https:\/\/wpengine.com\/blog\/author\/britt-dreisbach\/"}]}},"mediapress_workflow_parent_id":null,"_links":{"self":[{"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/posts\/4287","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/users\/36"}],"replies":[{"embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/comments?post=4287"}],"version-history":[{"count":0,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/posts\/4287\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/media\/2679"}],"wp:attachment":[{"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/media?parent=4287"}],"wp:term":[{"taxonomy":"audience","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/audience?post=4287"},{"taxonomy":"blog-category","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/blog-category?post=4287
"},{"taxonomy":"buyer-stage","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/buyer-stage?post=4287"},{"taxonomy":"company-and-culture","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/company-and-culture?post=4287"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/content-type?post=4287"},{"taxonomy":"location","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/location?post=4287"},{"taxonomy":"persona","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/persona?post=4287"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/product?post=4287"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/topic?post=4287"},{"taxonomy":"use-cases","embeddable":true,"href":"https:\/\/wpengine.com\/wp-json\/wp\/v2\/use-cases?post=4287"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}