WordPress Security 101

Mar 7, 2025


WordPress powers over 40% of all websites, which makes it a prime target: attackers scan for it at scale, and a single weakness in a popular plugin hits millions of sites at once. Many site owners respond by installing several security plugins, thinking more is safer; in practice this mostly costs performance while the basics (updates, credentials, exposed entry points) stay untouched.

In this guide, we’ll explain the best security practices for your WordPress site, highlight the most effective tools, and provide detailed, actionable steps to ensure your site stays protected.

Why Security Matters for WordPress Sites

Cyber threats are constantly evolving, and without proper security measures, your site could fall victim to hacking, data theft, or malware. A well-secured WordPress site protects your data, keeps your website running smoothly, and prevents disruptions to your business.

Essential WordPress Security Basics & How to Implement Them

Even the best hosting security features need some support from your end. Here are key security steps and how to implement them:

1. Use SSL/TLS Encryption

SSL/TLS (what the browser shows as HTTPS) encrypts data transmitted between visitors and your website, so login details, session cookies and customer information cannot be read or altered on the way, and it avoids the "Not secure" warning browsers show for plain HTTP pages.

  • Check if TLS is active on your site: Visit your website using https:// instead of http://. If you see a padlock icon in the address bar and no warning, a valid certificate is installed. Then check that http:// redirects to https:// rather than serving the site twice.
  • How to enable it: Most hosting providers, including 040Hosting, provide free certificates via Let's Encrypt.
    • Log in to cPanel → Navigate to SSL/TLS Status → Ensure AutoSSL is enabled.
    • Set both the WordPress Address and Site Address to https:// under Settings → General, so WordPress itself generates https links.
    • If the site still answers on http://, force HTTPS using the plugin Really Simple SSL (now named Really Simple Security) or manually configure .htaccess, placing these lines above the "# BEGIN WordPress" block:
      # Send every plain-HTTP request to the same URL over HTTPS with a permanent (301) redirect
      RewriteEngine On
      RewriteCond %{HTTPS} !=on
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    • Caveat: if Cloudflare or another proxy terminates TLS in front of the server, the origin may still receive plain HTTP and this rule will redirect in a loop. Use Cloudflare's "Full (strict)" mode with a certificate on the origin, or test the %{HTTP:X-Forwarded-Proto} header instead of %{HTTPS}.
      

2. Use Strong Passwords & a Password Manager

  • What makes a strong password? Length matters most: use at least 12 characters (16 or more for administrator and hosting accounts), generated randomly rather than chosen, mixing uppercase, lowercase, numbers, and special characters, and never reused on another site. WordPress's own "Generate Password" button on the user profile page produces a suitable one.
  • Where strong passwords matter: not only the WordPress admin login, but also the cPanel, FTP/SFTP and database accounts, since any one of them gives full control of the site.
  • How to manage passwords securely: Use KeePassXC (offline) or Bitwarden (cloud-based) for storing and generating secure passwords.
  • Enable Two-Factor Authentication (2FA) to add an extra layer of security (see the Advanced section below for how).

3. Set Correct File Permissions

Permissions that are too loose let a compromised script, or another account on a shared server, read wp-config.php (which holds your database credentials and authentication salts) or drop files into writable directories. Permissions that are too tight break uploads and updates. Aim for the values below and never use 777 anywhere.

  • Check file permissions in cPanel:
    • Navigate to File Manager → Right-click wp-config.php → Select Permissions
    • Recommended settings:
      • wp-config.php → 400, or 440 if the web server runs as a different user in the same group as the file owner
      • Directories, including wp-content/uploads → 755
      • All other WordPress files → 644
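
The permission rules above, as an added shell example that is not from the original article or from 040Hosting: `harden_perms` applies 755/644/400 to a site root and `audit_perms` lists anything still world-writable, plus a wp-config.php that "other" can read. The function names are this example's own. It assumes PHP runs as the file owner, as on typical cPanel hosting; `demo` builds a throwaway directory tree with deliberately bad permissions so the script runs without a real site.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes PHP runs as the
# file owner (typical cPanel/suPHP setup), so wp-config.php can be mode 400.
set -eu

# Apply the recommended baseline: directories 755, files 644, wp-config.php 400.
harden_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 400 "$root/wp-config.php"
  fi
}

# Print one path per finding: anything world-writable (another account on a
# shared server, or a compromised script, could plant code there) and a
# wp-config.php that "other" can read (it holds the database password).
audit_perms() {
  root="$1"
  find "$root" -perm -o+w -print
  if [ -f "$root/wp-config.php" ]; then
    find "$root/wp-config.php" -perm -o+r -print
  fi
}

# Build a constructed site tree with the classic mistakes, audit it, harden
# it, audit again. Prints "<findings before> <findings after>".
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/uploads" "$tmp/wp-includes"
  printf '<?php\n' > "$tmp/wp-config.php"
  printf '<?php\n' > "$tmp/wp-includes/version.php"
  : > "$tmp/wp-content/uploads/image.jpg"
  # Explicit modes so the result does not depend on the current umask.
  chmod 755 "$tmp" "$tmp/wp-content" "$tmp/wp-includes"
  chmod 644 "$tmp/wp-includes/version.php"
  chmod 644 "$tmp/wp-config.php"             # readable by everyone: leaks DB credentials
  chmod 777 "$tmp/wp-content/uploads"        # the "just make uploads work" mistake
  chmod 666 "$tmp/wp-content/uploads/image.jpg"
  before=$(audit_perms "$tmp" | wc -l | tr -d ' ')
  harden_perms "$tmp"
  after=$(audit_perms "$tmp" | wc -l | tr -d ' ')
  rm -rf "$tmp"
  echo "$before $after"
}

# With a site root as argument, harden and audit it; otherwise run the demo.
if [ "$#" -gt 0 ]; then
  harden_perms "$1"
  audit_perms "$1"
else
  demo
fi
```

On a real account run it as `sh perms.sh /home/youruser/public_html`; an empty audit afterwards means nothing is world-writable and wp-config.php is private to its owner. The demo reports three findings before hardening (the 777 directory, the 666 file and the readable wp-config.php) and none after.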

4. Hide WordPress Version

Scanners fingerprint the WordPress version to pick exploits matching known bugs in that release. Hiding it is a small obstacle, not a fix: keeping core, themes and plugins updated is what actually closes those holes.

  • Remove the version from your site: Add this to functions.php (preferably a child theme's, or a small must-use plugin, so a theme update does not undo it):
    // Return an empty string for the generator tag, so WordPress no longer
    // prints <meta name="generator" content="WordPress x.y.z" /> in <head> or in feeds
    function remove_wp_version() {
        return '';
    }
    add_filter('the_generator', 'remove_wp_version');
  • What this does not cover: the version also appears as ?ver=x.y.z on core scripts and stylesheets under /wp-includes/ (the script_loader_src and style_loader_src filters can strip it) and in /readme.html at the site root, which you can delete or block in .htaccess.
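
As an added example that is not from the original article, a quick check of what a page still discloses after the filter above: `version_leaks` reads an HTML document on stdin and prints the generator tag and every `?ver=` query string, which WordPress appends to core assets (carrying the core version) and to plugin and theme assets (carrying their own versions). The function names, the example.com URLs and the sample HTML are this example's own constructions; against a real site, pipe in `curl -s https://yourdomain/`.

```shell
#!/bin/sh
# Added example, not from the original article: report version disclosures
# in a WordPress page. Real site: curl -s https://yourdomain/ | version_leaks
set -eu

# One line per leak: the generator meta tag, and ?ver= query strings on assets.
# Files under /wp-includes/ carry the WordPress version; plugin and theme files
# carry their own, which is just as useful to an attacker choosing an exploit.
version_leaks() {
  grep -o -e '<meta name="generator"[^>]*>' -e '[?&]ver=[0-9][0-9.]*' || true
}

count_leaks() {
  version_leaks | wc -l | tr -d ' '
}

# Constructed sample of a default WordPress <head> (not captured from a real site).
SAMPLE_HTML=$(cat <<'EOF'
<html><head>
<meta name="generator" content="WordPress 6.7.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.7.2" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://example.com/wp-content/plugins/some-plugin/app.js?ver=2.4.0"></script>
</head><body></body></html>
EOF
)

# the_generator filter removes only the meta tag; simulate that by dropping
# the line and see how many disclosures remain.
leaks_before_filter() { printf '%s\n' "$SAMPLE_HTML" | count_leaks; }
leaks_after_filter()  { printf '%s\n' "$SAMPLE_HTML" | grep -v 'name="generator"' | count_leaks; }

echo "leaks before the_generator filter: $(leaks_before_filter)"
echo "leaks after the_generator filter:  $(leaks_after_filter)"
printf '%s\n' "$SAMPLE_HTML" | version_leaks
```

On the sample, the filter takes the count from four disclosures down to three: the core version is still visible on the block-library stylesheet, and jQuery and the plugin announce their versions too.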
    

Why You Shouldn’t Use Too Many Security Plugins

A common mistake WordPress users make is installing multiple security plugins. Each one hooks into every page load to inspect the request, and several will scan the same files, so they add latency and CPU load, occasionally conflict with each other (two plugins both rewriting the login URL, or both rate-limiting the same request), and mostly duplicate what a server-level tool already does before PHP even starts.

For example, many users install Wordfence alongside Imunify360, but this is counterproductive because:

  • Wordfence's free tier receives new firewall rules and malware signatures on a 30-day delay, while Imunify360 updates its rules and signatures multiple times per day.
  • Running both means every request is inspected twice and every file is scanned twice, which slows down your site without adding coverage.
  • Imunify360 operates server-side, in the web server and at the host level, blocking threats before they reach WordPress.

Instead, stick to one server-side security tool and use only one WordPress plugin for the things only WordPress can see, such as login throttling and two-factor authentication.

Advanced WordPress Security Practices

1. Disable XML-RPC to Shut a Common Attack Vector

XML-RPC (xmlrpc.php) is WordPress's legacy remote API. Two features make it a favourite of attackers: system.multicall lets a single HTTP request carry hundreds of username/password guesses, which sidesteps per-request login limits, and the pingback method can be abused to make your server send requests to third parties. Unless you rely on it (the Jetpack plugin and the WordPress mobile apps do), block it.

  • How to disable it manually: Add this to .htaccess:
    # Return 403 for every request to xmlrpc.php (Apache 2.4 syntax)
    <Files xmlrpc.php>
        Require all denied
    </Files>
    # On Apache 2.2, or 2.4 with mod_access_compat, the equivalent inside the block is:
    #     Order Deny,Allow
    #     Deny from all
    
  • Or use a plugin: Install and activate Disable XML-RPC.
  • Verify: opening https://yourdomain/xmlrpc.php should now return a 403 page instead of the message "XML-RPC server accepts POST requests only."

2. Limit Login Attempts & Use 2FA

WordPress has no built-in lockout, so by default an attacker can try passwords against wp-login.php indefinitely. Two plugins close this gap:

  • Install a login protection plugin:
    • Limit Login Attempts Reloaded → temporarily blocks an IP after a set number of failed logins and notifies you. If Cloudflare or another proxy sits in front of the site, make sure the plugin (or the server) sees the visitor's real IP rather than Cloudflare's, or it will block the proxy instead of the attacker.
    • WP 2FA → adds two-factor authentication via email, TOTP (Google Authenticator and compatible apps), or SMS. Enforce it for every administrator account, not just your own, and keep any backup codes in your password manager.
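
Both of the previous points, XML-RPC abuse and login brute forcing, show up plainly in the web server's access log. As an added example that is not from the original article or from any plugin, `login_abusers` reads Apache combined-format log lines on stdin and reports each client IP that POSTed to wp-login.php or xmlrpc.php at least N times, together with how many of its wp-login.php attempts WordPress answered with a 302 redirect, which is what a successful login returns (a failed attempt redisplays the form with a 200). The function names are this example's own and the log lines are constructed using documentation IP ranges. One caveat: the first field must be the visitor's real address, so behind Cloudflare configure the server to log the CF-Connecting-IP header (Apache's mod_remoteip does this), otherwise every count lands on Cloudflare's edge addresses.

```shell
#!/bin/sh
# Added example, not from the original article: spot brute-force activity
# against wp-login.php and xmlrpc.php in an Apache combined-format access log.
# Usage on a real server: sh abusers.sh 20 < /var/log/apache2/access.log
set -eu

# Prints "<ip> <attempts> <successful logins>" for each IP with at least $1
# POSTs to wp-login.php or xmlrpc.php, busiest first.
# wp-login.php answers a failed login with 200 and a successful one with 302,
# so an IP with many attempts and a non-zero third column means a password was
# guessed: reset it, do not just block the address.
# xmlrpc.php always answers 200 (errors travel inside the XML body), so only
# the request volume is visible there.
login_abusers() {
  threshold="${1:-10}"
  awk -v t="$threshold" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
      attempts[$1]++
      if ($7 ~ /^\/wp-login\.php/ && $9 == 302) success[$1]++
    }
    END {
      for (ip in attempts)
        if (attempts[ip] >= t) printf "%s %d %d\n", ip, attempts[ip], success[ip] + 0
    }
  ' | sort -k2,2nr
}

# Constructed log excerpt (documentation IP ranges, not real traffic):
# 203.0.113.5 guesses passwords and gets in on the 7th try,
# 198.51.100.7 hammers xmlrpc.php, 192.0.2.10 is a normal visitor logging in once.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [07/Mar/2025:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2025:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2025:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2025:10:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2025:10:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2025:10:15:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Mar/2025:10:15:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Mar/2025:10:16:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [07/Mar/2025:10:16:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [07/Mar/2025:10:16:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [07/Mar/2025:10:16:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.7 - - [07/Mar/2025:10:16:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.10 - - [07/Mar/2025:10:17:00 +0000] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Mar/2025:10:17:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
)

# The offenders in the constructed sample at a threshold of 5.
sample_abusers() { printf '%s\n' "$SAMPLE_LOG" | login_abusers 5; }

if [ "$#" -gt 0 ]; then
  login_abusers "$1"    # real log on stdin
else
  sample_abusers
fi
```

On the sample this prints `203.0.113.5 7 1` (six failures, then a successful login: that account's password is compromised) and `198.51.100.7 5 0` (an XML-RPC flood), while the legitimate visitor stays below the threshold. The same counts are what a tool like Limit Login Attempts Reloaded keeps in memory; the log lets you confirm after the fact whether a guess ever succeeded.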

Why SMS-based 2FA is NOT Recommended

While SMS-based 2FA is better than no 2FA, it is the weakest option: SIM-swapping attacks let a hacker take over your phone number at the carrier, and text messages can be intercepted or redirected in transit. Instead, use a TOTP authenticator app such as:

  • Authy (multi-device support and encrypted cloud backup)
  • Google Authenticator (added Google Account sync in 2023; older versions had no backup, so export your codes before changing phones)
  • Microsoft Authenticator (integrates well with Microsoft accounts and has its own backup)

Whichever app you pick, store its recovery codes somewhere safe, such as your password manager, so losing the phone does not lock you out of your own site.

3. Regular Backups with JetBackup

  • Why? If your site gets hacked, a known-good backup is the fastest way back, and often the only reliable way to remove a backdoor you cannot find. Restore from a copy taken before the compromise, then change all passwords and the authentication salts, or the attacker simply logs back in.
  • How to back up using JetBackup in cPanel:
    • Log in to cPanel → Open JetBackup → Click Full Account Backup → Download a copy or restore instantly.
  • Keep a copy off the server: download a full account backup periodically and store it elsewhere, and test a restore once so you know the procedure works before you need it under pressure.

4. Cloudflare & Imunify360: Why a WAF on Both is Not a Problem

Some users worry that using a Cloudflare Web Application Firewall (WAF) along with a server-side WAF like Imunify360 might slow down their site. However, this is not an issue because:

  • Cloudflare works as a reverse proxy in front of your site: once your DNS points at Cloudflare, visitors connect to Cloudflare's edge, which filters requests before anything is forwarded to your server.
  • Imunify360 operates on the server itself, filtering whatever gets past Cloudflare, including requests from anyone who finds your origin IP and connects to it directly.
  • Since they run in different places, they do not compete for your server's CPU the way multiple security plugins inside WordPress do; the only cost is the extra hop through Cloudflare's edge.

Two details make the combination work as intended. Restrict the origin to Cloudflare's published IP ranges (or at least firewall off direct access), otherwise the Cloudflare WAF can be bypassed by hitting the server's IP directly. And make the server log and act on the real visitor IP from the CF-Connecting-IP header (Apache's mod_remoteip does this), because Imunify360 and any login-limiting plugin would otherwise see every request coming from Cloudflare and end up blocking Cloudflare's own addresses.

Using both Cloudflare WAF and Imunify360 together offers layered protection, blocking different types of attacks at different points of entry.

Conclusion

Securing your WordPress site isn’t just about installing plugins – it’s about setting up proper configurations, limiting access points, and using server-side tools like Imunify360 effectively. Instead of overwhelming your site with unnecessary security plugins, stick to a smart, efficient security strategy that balances performance and protection.

By following these steps, using JetBackup for automatic backups, 2FA for secure logins, and KeePassXC for password management, your WordPress site will remain safe and perform at its best.

Need hosting that prioritizes security and performance? Check out 040Hosting, where Imunify360, JetBackup, and SSL certificates are included in all managed hosting plans!

Questions? We can help.