WordPress Power Series: Tips for Building Better Sites Volume 3 – Security Best Practices for Your WordPress Site


A fast site is important, but a secure site is non-negotiable. WordPress powers more than 40% of all websites, which makes it a huge target for hackers and bots. Brute force logins, malware injections, spam registrations, and phishing attempts are happening constantly.

We compiled a few essential security best practices that every WordPress site should implement, with notes on where PeepSo fits in, because if you’re running a PeepSo-powered community, security matters even more: you’re not just protecting your own site, you’re safeguarding your members’ data and trust.

Hide Your WordPress Version

Attackers often scan sites for known vulnerabilities in older WordPress versions. Don’t give them that information. Add this snippet to your theme’s functions.php file, or to a code-snippets plugin of your choice:

remove_action('wp_head', 'wp_generator');

It’s a small tweak, but it removes one more clue for potential attackers.
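The snippet above removes the generator meta tag, but a version string can still leak through the `?ver=` query string WordPress appends to its own core stylesheets and scripts. The following check (added here, not from the original post; assumes GNU grep and sed on Linux, and uses a constructed sample page rather than a real capture) scans a saved HTML response for both places so you can confirm nothing is exposed:

```shell
#!/bin/sh
# Added check, not from the original post. Assumes GNU grep/sed.
# After remove_action('wp_head', 'wp_generator') the generator <meta> tag is gone,
# but most core assets are still enqueued as /wp-includes/...?ver=<WordPress version>.
# wp_version_leaks scans a saved HTML response (e.g. curl -s https://example.com/ > page.html)
# and prints one line per leak:  "generator <version>"  or  "asset <version> <url>".
# It prints nothing when no version string is exposed.
wp_version_leaks() {
    f="$1"
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/generator \1/p' "$f"
    # only core assets under /wp-includes/: plugins append their own plugin version as ?ver=
    grep -o '[^"<> ]*/wp-includes/[^"<> ]*?ver=[0-9.]*' "$f" \
        | sed 's#^\(.*?ver=\([0-9.]*\)\)$#asset \2 \1#'
}

# Constructed sample page (not captured from a real site) showing both leak types
# plus a plugin asset that must not be reported.
sample_page() {
    cat <<'EOF'
<html><head>
<meta name="generator" content="WordPress 6.5.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.5.2" />
<script src="https://example.com/wp-content/plugins/peepso-core/assets/js/app.js?ver=7.0.1"></script>
</head><body></body></html>
EOF
}
```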

Use SSL Everywhere

SSL (Secure Sockets Layer) encrypts the data between your site and your visitors. If you’re not on HTTPS yet, you’re behind.

Free SSL certificates are available through Let’s Encrypt.

For PeepSo sites, SSL is especially crucial, since members are logging in, sending messages, and sharing personal details.

Use a Custom Database Prefix (for new installs)

By default, WordPress databases use the prefix wp_, which is widely known and often targeted by attackers. When setting up a new site, choosing a unique prefix (e.g., psite_) adds an extra layer of defense.

Important: Manual changes on an existing site require editing your database tables and configuration files, which is risky and not recommended unless you’re very experienced with editing databases.

Disable File Editing in the Dashboard

Did you know hackers can edit your theme and plugin files directly from the WordPress dashboard if they break in? Disable that feature entirely by adding this to wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

Now even if someone compromises your admin account, they can’t inject malicious code through the editors in the WordPress dashboard. Note that this constant only disables the built-in editors; if you also want to block plugin and theme installation and updates from the dashboard, set DISALLOW_FILE_MODS to true instead (it implies DISALLOW_FILE_EDIT), and apply updates outside the dashboard.

Strengthen Authentication with PeepSo

Passwords are still the weakest link. Beyond WordPress-wide measures, PeepSo includes its own built-in login security features such as limiting failed login attempts, brute-force protection, enforcing password length requirements, enabling reCAPTCHA, and more. You can find detailed instructions here: Login & Logout Options.

Set Correct File Permissions

Permissions control who can read, write, and execute files on your server. Incorrect settings can give hackers free rein.

  • Directories: 755
  • Files: 644
  • Configuration file (wp-config.php): 600

If you’re unsure, ask your host to audit permissions.
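If you have shell access, you can audit the values above yourself. The script below is an added example (not from the original post); it assumes GNU findutils on Linux and a hypothetical document root of /var/www/html, and reports every directory, file and wp-config.php whose mode differs from 755, 644 and 600 respectively:

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# directories 755, files 644, wp-config.php 600. Assumes GNU findutils (-printf).
# wp_perm_deviations prints one line per path whose mode differs:
#   "<KIND> <actual mode> <path> (want <mode>)"
wp_perm_deviations() {
    root="${1%/}"          # strip a trailing slash so the -path exclusion below matches
    cfg="$root/wp-config.php"
    # -perm 755 (no + or / prefix) means exactly that mode, so 750, 775 and 2755 are all reported
    find "$root" -type d ! -perm 755 -printf 'DIR  %m %p (want 755)\n'
    # regular files; wp-config.php is excluded here and checked against 600 separately
    find "$root" -type f ! -path "$cfg" ! -perm 644 -printf 'FILE %m %p (want 644)\n'
    if [ -f "$cfg" ]; then
        find "$cfg" -maxdepth 0 ! -perm 600 -printf 'CFG  %m %p (want 600)\n'
    fi
}

# Number of deviations; 0 means the tree matches the recommendation.
wp_perm_issue_count() {
    wp_perm_deviations "$1" | wc -l | tr -d ' '
}

# Stand-alone use: sh audit.sh /var/www/html   (document root is an assumption)
if [ $# -gt 0 ]; then
    wp_perm_deviations "$1"
    echo "issues: $(wp_perm_issue_count "$1")"
fi
```

A world-writable uploads directory or a readable wp-config.php shows up immediately; fix each reported path with chmod rather than blanket-changing the whole tree.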

Block Hotlinking of Your Images

Hotlinking happens when another website embeds your images directly on their pages, which uses up your bandwidth without your permission. To prevent this, you can add the following code to your .htaccess file:

RewriteEngine on
# Allow requests that carry no Referer (direct visits, some browsers and privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Allow requests whose Referer is your own site. The pattern is anchored so that
# "example.com" appearing inside another host name or a query string does not match.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# Any other request for an image gets 403 Forbidden (NC also catches .JPG, .PNG, ...)
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F]

Be sure to replace example.com with your own domain.
Note that this method only works on servers that support .htaccess.

Review User Accounts and Roles Regularly

Over time, websites accumulate unused accounts: former editors, developers, or even test users. Each one is a potential entry point. Audit your user list monthly:

  • Delete accounts that are no longer needed.
  • Downgrade unused admins.
  • For PeepSo sites, monitor community registrations and ensure spam profiles don’t slip through.

Security is not a one-time task; it’s a continuous practice. Hackers don’t rest, and neither should your security measures. By combining WordPress best practices with PeepSo’s built-in login protections, you can safeguard both your site and your community.

In Volume 4 of the WordPress Power Series, we’ll cover SEO & Marketing Strategies, because once your site is secure, the next step is to make sure people can actually find it.

Brought to you by PeepSo Team Siniša Krišan
I am experienced in various social networks and platforms. Among other things, I’m the guy you turn to for figuring out a feature’s details and resolving issues. I hail from Novi Sad, Serbia. My journey with Open Source has taken me across the globe to Bali, Indonesia, where I spent several years working and evolving with the base PeepSo Team. I was involved in the planning and development of very early versions of PeepSo and helped push the product forward. Although I tend to engage full workaholic mode, I am essentially a laid-back person. I’m also a hardcore gamer and I enjoy playing video games with my girlfriend whenever I catch some precious spare time. I enjoy traveling and learning about new cultures and surroundings.


Comments

@peepso_user_42023(Randall England)
Thank you for posting this. I’ll get my programmer to take a look at these suggestions and implement them. LW has also recommended ThreatDown and that seems like an essential addition to the server.
