Tips for Secure WordPress Website Design and Development

/ /

From design through to development and into ongoing maintenance, security is a huge focus point in every step of bringing a WordPress website to life. In today’s online landscape there are a plethora of security threats to navigate: hackers, malware, brute force attacks, phishing, and more and more threats coming to the forefront every month. To keep your client’s websites safe from potential harm, it’s imperative to consider security at every stage of the design and development process.

You might think that WordPress security is something that comes later on in the process but keeping it in mind from the outset is the best way to ensure you’re building in these important security features and aren’t forgetting anything.

It’s worth taking some time at the beginning of the process to sit down with your client and run through the security measures you’re planning to implement throughout the design and development period. That way you’ll be educating them on how to keep their site safe once it’s up and running, and they may be able to give you insight into security needs that are relevant to their specific industry.

Of course, we always recommend spending time getting to know the legislation surrounding your client’s industry in case there are any areas of the website or pieces of data that require extra security measures. It might be tempting to gloss over this and jump straight into designing the look of the site, but dedicating time to this at the beginning will help you avoid getting caught short further down the line.

While security measure will vary from website to website, into today’s post we’ve gathered some of our favourite security tweaks you should be implementing on every new WordPress website build.

A note that we urge you to bear in mind is that these changes should always be tested on a staging site before you make any changes to a live client site.

Change the Admin Username

One of the first things you should be doing is changing the Admin username to something unique. The administrator account is the most dangerous in the hands of a hacker, so make sure this is changed to a secure, unique username that isn’t linked to the business name.

Use Secure Passwords

This might sound like an obvious one but you’d be surprised how often a client proceeds to set up users with insecure, easily hackable passwords. You can ensure that all future users who are added to the site have strong passwords by installing the Force Strong Passwords plugin.

Remove WordPress References

Leaving WordPress references scattered across the website makes it easier for hackers to target you, even more so if you have the WordPress version number listed. Certain versions are known for having specific vulnerabilities, so make sure you remove the reference by removing the readme.html file and adding the following code to the functions.php file: remove_action(‘wp_head’, ‘wp_generator’);

Limit Login Attempts

Another simple one that’s very effective, install a plugin that will limit the amount of login attempts a user can make before they’re blocked from logging in (the admin can set the block time manually). A lockout will also notify the admin by email so the site owner can easily keep track of any attempted hacks.

Enable SSL

There are so many benefits to enabling SSL that it’s something you should be doing automatically for all new sites you work on, though it’s worth the extra mention here for the security benefits to your client’s data. You’ll need to work with your client’s hosting provider to get a (free) SSL certificate.

Secure and Move wp-config.php

The wp-config.php file is something you’ll want to pay close attention to, both securing it and moving its location. First of all, deny access by adding the following to the top of the .htaccessfile:

<files wp-config.php>

order allow,deny

deny from all


Next, move the wp-config file into the directory above the WordPress installation, rendering it inaccessible from a browser.

Replace Default Secret Keys

Secret keys are automatically generated and written to the wp-config file to boost encryption and security. However, we recommend generating new keys to replace the existing ones for an extra level of security.

Remove PHP Error Reports

An eagle-eyed hacker can potentially use an error message on your site to uncover information about your server path and wreak havoc, so consider disabling PHP error reports. To do this you’ll need to add the following to the wp-config file:

error_reporting (0);

@ini_set (‘display_errors’, 0);

Disable Plugin Directory Access

Lock down access to the site’s plugin directory to ensure potential hackers can’t access a list of the plugins you’re using which, of course, could lead to known vulnerabilities being exploited. You can do this by adding the following at the beginning of the .htaccess file:

Options –Indexes

Opt for Regularly Updated Themes and Plugins

When you’re deciding on plugins that will best suit your client’s needs (this also goes for a theme, if you’re purchasing a theme to use) always take a look at how regularly the plugin is updated and which WordPress versions it’s compatible with. You want to make sure that plugins and themes you install on your client’s site are regularly updated and tested to work with the latest WordPress versions without any vulnerabilities.


We hope the tips above helped give you some food for thought when it comes to security during the design and development phase of bringing a client’s website brief to life. If you have any other WordPress security tips to share please don’t hesitate to leave a comment below.