WordPress Security Tips for 2021

By Mike Khorev

Even with all the newer and more tech-savvy website builders and CMSs, WordPress is at the moment, still the most popular CMS powering more than 75 million sites (that is, close to 40% of the internet). 

Part of the reason why WordPress is so popular is its open-source nature, making it very versatile to use. With its countless themes and plugins available, you can technically build all sorts of web pages according to your needs, as long as you have the technical know-how.

However, its open-source nature does act as a two-edged sword: it doesn’t come with built-in technical and security support like, for example, if you build your site with Wix or Weebly. The fact that WordPress is so popular has also made it a popular target for hackers and cybercriminals. 

So, if you own or run a WordPress-based website, know that your site might be vulnerable, and maintaining security best practices is very important in protecting your WordPress site from being hacked. Having a fast and stable site is one of the most important factors in developing a B2B SEO strategy to rank on the first page of Google

Below, we’ll share some important WordPress security tips for 2021 that you can use right away. 

1. Use Strong and Unique Credential

The basic, but very important security practice is to use a strong username and password so hackers can guess it (i.e. via brute force attacks). 

Also, don’t use the same credential you’ve used on another platform, so when one of your accounts is compromised, your WordPress account won’t. 

In general:

  • Use a long password with at least 10 characters.
  • Use uncommon words, avoid using sequential letters (abcd) or numbers (1234) and avoid common words like month names, interest-based words (‘football’), etc. 
  • Use a combination of uppercase, lowercase, symbols, and numbers.
  • Avoid using publicly searchable information like your birth date, your name, parent’s name, spouse’s name, etc.

You can use various password manager tools (a lot of them are free) to automatically generate and remember complex and unique passwords.

You should also use a strong password to authenticate access to the wp-admin directory. This way, the attacker will need to submit two different passwords before they can access your WordPress dashboard.

Multi-Factor Authentication

Using multi-factor authentication for your WordPress admin login is essentially adding another layer of security to your already strong password.

As the name suggests, multi-factor authentication (MFA) or two-factor authentication (2FA) is essentially asking for another information on top of the username/password credential pairing, which can be: 

  1. Something you are: face ID, iris/retinal scan, fingerprint, etc.
  2. Something you know: a secondary password, PIN, answer to a secret question, etc. 
  3. Something you have: a USB dongle, etc.

The idea is fairly simple, even if your password is compromised, the attacker won’t be able to access your WordPress account unless they also know the second factor of the MFA.

2. Restrict Database Usage Privileges and Hot-Linking

Make sure the file and server permissions are correct across for all your employees, on both your webserver and installation.

For files: 

  • Adjust the read permission to authenticate who can access the file
  • Adjust the write permission to authenticate who can edit the file
  • Adjust the execute permission to authenticate the rights to execute or run the file as a script

For directories:

  • Adjust the read permission to authenticate who can access the content of the directory folder
  • Adjust the write permission to authenticate who can add/delete files within a directory folder
  • Adjust the execute permission to authenticate the rights to execute functions and commands that will affect the directory

Even assigning the right permissions alone can go far in protecting your WordPress website from various potential security threats. 

Also, make sure to manage hotlinking on your WordPress website. Hotlinking is when other websites use your site’s URL to point directly to a file (image, video, etc.). It is not technically a ‘theft’ but can result in an increase of resource consumptions on your site including high hosting bills and slow page speed. 

3. Use The Latest PHP and Disable XML-RPC

XML-RPC can be useful if your WordPress website needs to connect with apps (both web apps and mobile apps), but it can be a major security vulnerability.

Why? With XML-RPC, a hacker can use ‘system.multicall function’ to try thousands of login attempts in a brute force attack with only less than 50 requests. Without XML-RPC, if an attacker wants to try 100 different passwords, they would have to make 100 different login attempts.

You can quite easily disable XML-RPC using the .httacess file, although there are also various plugins and themes that can help block login attempts utilizing XML-RPC.

Also, make sure your PHP is up-to-date to ensure any security vulnerabilities have been patched. Typically each PHP version has two-year support, so if your PHP version is now 7.0 or older, you might want to update to a newer one. According to WordPress themselves, over 30% of WordPress sites are still using PHP 5.6.

4. Delete Unused Themes and Plugins

Similar to the above, make sure all plugins and themes are always up-to-date. With the newest WordPress versions, we can easily set the plugins to automatically update, so there’s simply no excuse for this. 

Also, make a habit of removing themes and plugins that you are no longer using. Not only they are a waste of space and resources, but they can potentially be security vulnerabilities. 

5. Limit Login Attempts

By default, WordPress allows users an unlimited amount of login attempts, and while this can be a convenience in times when you forget your password, this can be a major security vulnerability especially for brute force attacks. There are various plugins available for this purpose, such as Limit Login Attempts Reloaded. 


It’s important to implement multiple security layers in securing your WordPress website. That is: start from your permissions and best practices like using strong passwords, but then you have to secure your systems with plugins, and also the technical configurations of your server/hosting. 
It’s important to remember that there’s not a single security approach that can protect us from all potential attack vectors. It’s always best to be careful upfront than sorry later.

About Mike Khorev

Mike is an SEO expert and digital marketing consultant who helps small and mid-size businesses generate more leads, sales and grow revenue online. He offers expert advice on marketing your company the right way through performance-based SEO digital marketing, web design, social media, search engine marketing, and many other online practices.

Email ID: mikekhorev3@gmail.com
Gravatar link: https://en.gravatar.com/khorevmike

Follow Brilliance Security Magazine on Twitter, Facebook, and LinkedIn to ensure you receive alerts for the most up-to-date security and cybersecurity news and information.