
WordPress guidelines for better security


This post is written by the CTO of nexthemes.co so it will be blunt and straight to code.
Here is how to keep your WordPress secured:

WordPress Updated

Always keep WordPress updated: it receives many security updates directly from Automattic, and during a global malicious attack it is important to receive them fast. So keep automatic updates switched on as well. You should receive an email when WordPress updates itself automatically; jump to your website and check that nothing broke.

Some would say that this is not stable or involves too much hassle, as the code just changes itself. Believe me, during my career as a WP programmer, nothing is worse than cleaning a hacked server.

Plugins Updated

Always update plugins; see the arguments above. If something breaks after updating, write to the plugin developer and wait for a fix (in the meantime you can roll back to the previous version).


It’s a security plugin that bundles lots of great features, even on the free plan. Install it and add scheduled scans and email alerts. It will also show you if any core, plugin or theme files differ from the originals in the WordPress repository (a possible hack with code injection).

Secure Code

When you write code in your theme/plugin or download a new theme/plugin, always check for code vulnerabilities. Everything that goes into the database or is echoed into the page view should be properly escaped, as the Codex says. All AJAX calls should also carry a nonce and check the referrer. Checking everything can be a tedious job. The rule is: if the plugin/theme is in the official WordPress repository and its latest update is not older than 3 months, you can trust it; the review process is very strict and allows no security flaws.
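The following is an added example (not code from the original post or from nexthemes) of an admin-ajax handler that applies the rules above: nonce verification, a referrer check, sanitizing input before it reaches the database and escaping output before it is echoed. The action name `nt_save_note`, the meta key and the script handle are assumptions.

```php
<?php
// Added example: a WordPress AJAX handler written the way the post recommends.
// Action, function and script names below are hypothetical.

// Register for logged-in users only (no wp_ajax_nopriv_ variant), so anonymous
// visitors cannot reach the handler at all.
add_action( 'wp_ajax_nt_save_note', 'nt_save_note_handler' );

function nt_save_note_handler() {
    // 1. Nonce: check_ajax_referer() verifies the nonce sent in $_REQUEST['security']
    //    and dies with "-1" when it is missing or invalid. Despite its name it
    //    does NOT inspect the HTTP Referer header.
    check_ajax_referer( 'nt_save_note', 'security' );

    // 2. Referrer: wp_get_referer() returns false when the Referer header is
    //    absent or points off-site. Browsers may omit it, so treat this as a
    //    secondary check behind the nonce, not a replacement for it.
    if ( ! wp_get_referer() ) {
        wp_send_json_error( array( 'message' => 'bad referrer' ), 403 );
    }

    // 3. Capability: a valid nonce proves intent, not permission.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient permissions' ), 403 );
    }

    // 4. Sanitize everything that goes INTO the database.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $note    = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( 0 === $post_id || '' === $note ) {
        wp_send_json_error( array( 'message' => 'missing fields' ), 400 );
    }
    update_post_meta( $post_id, '_nt_note', $note ); // hypothetical meta key

    // 5. Escape everything that is ECHOED back into page markup.
    wp_send_json_success( array(
        'html' => '<p class="nt-note">' . esc_html( $note ) . '</p>',
    ) );
}

// Hand the AJAX URL and a fresh nonce to the front-end script; the script sends
// the nonce back as the "security" POST field checked above.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'nt-notes', plugins_url( 'notes.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'nt-notes', 'ntNotes', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'nt_save_note' ),
    ) );
} );
```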

Remove unused themes and plugins

Don’t just deactivate them, remove them! Old code sitting on your disk and exposing you to malicious attacks? Don’t allow that: go through your plugins and themes, deactivate the ones you don’t need and then delete them. Also check other folders such as wp-content/uploads in case files used by the removed plugins are still there.

Files Permissions

You need to set correct permissions on the files. WordPress should have 755 for folders and 644 for files. You can do that faster from the terminal with the following commands:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

You can also set the owner of the files to your own user (e.g. webadmin:webadmin) rather than the web server user (e.g. www-data:www-data). Then, if a vulnerability is exploited through the web server process, that process cannot modify those files and the compromise cannot spread. Note: the uploads folder must stay owned by the web server so it can create images and other files when you upload to the media library.


    • Hi, yes you can use FileZilla right click on the file you want and click on Change Permissions and select the ones you need.
      You can set them from File Manager in your host service too.
