14 Ways to Secure Your WordPress Site – Step by Step
WordPress security should be a top priority for site owners. Why? Because there are up to 90,000 attacks on WordPress sites every minute.
If that’s not concerning enough, each week Google blacklists around 20,000 websites for malware and 50,000 for phishing. And when a website is blacklisted – and users forced to agree to the risks – it results in a loss of around 95% of traffic.
While the latest version of WordPress is always the most secure release available, there’s more you can do to your site to ensure it’s impenetrable to hackers and bots.
Here are some best practice tips to help you secure your site.
- Use a Good Web Host
- Only Use Quality Themes and Plugins
- Keep WordPress Core, Themes, and Plugins Up-to-Date
- Don’t Use “Admin” As a Username
- Use a Strong Password
- Use Two-Factor Authentication
- Limit Login Attempts
- Install an SSL certificate
- Change Database Prefix
- Protecting wp-config.php and .htaccess Files
- Add Security Keys
- Disable File Editing
- Prevent PHP Files from Being Executed
- Disable XML-RPC Selectively
1. Use a Good Web Host
A good web host is your first line of defense against attacks on your site. So don’t automatically opt for cheap shared hosting. Instead, do your homework.
Go with a reputable host that supports the latest versions of basic web technologies, such as PHP and MySQL. Be sure to check your host supports PHP 7 – it is the official recommended PHP version for WordPress.
Consider choosing a managed WordPress host. These services are set up specifically for WordPress and look after all the important technical aspects of hosting, including security, backups, uptime, and performance.
2. Only Use Quality Themes and Plugins
According to WPScan, 52% of website vulnerabilities are caused by plugins while 11% are caused by themes. Combined, that’s more than 60% of WordPress security
The easiest way to ensure your plugins and themes can stand up to attacks is to only download them from reputable sources. This includes WordPress.org and premium providers. Downloading from dodgy developers who hide malicious code in their themes and plugins could compromise your site.
If you’re not sure if a website you want to download from is safe, look for testimonials and reviews to ensure the product you want is of sound quality.
Also, ensure any plugins and themes you use are also well-supported and regularly updated. If a plugin or theme hasn’t been updated in a long time, chances are it contains security holes that are unpatched or even bad code that could leave you vulnerable to hacks.
Lastly, only keep plugins and themes that you actually need and use. The more you have, the higher the risk of being hacked. So regularly review your list of plugins and themes and deactivate and delete any that you don’t need.
3. Keep WordPress Core, Themes, and Plugins Up-to-Date
WordPress is open source software and developed and maintained by a worldwide community of volunteers. With each new release, any security vulnerabilities are patched.
By default, WordPress automatically installs minor updates (e.g. WordPress 4.9.4). But for major releases (e.g. WordPress 4.9), the onus is on you to manually update to the latest version.
These core updates are critical for the security and performance of your site. So be sure to backup your site and apply any core updates when they become available.
Likewise, it’s also important to regularly update any plugins and themes so you’re always using the most up-to-date and secure versions of software.
4. Don’t Use “Admin” As a Username
Don’t use “admin” as the username for your site. Earlier versions of WordPress used “admin” as the default username, making it easier for hackers – one less piece of the puzzle to guess during a brute force attack.
But recent releases of WordPress changed this, giving users the opportunity to enter their own username during installation. However, some people still opt to use “admin” rather than come up with an original username. Just don’t.
You want to make it harder for malicious attackers to penetrate your site, so attacks take longer and you or your hosting provider can identify any attacks before they are successful and stop them.
5. Use a Strong Password
Always create strong and unique passwords for your WordPress admin account, database, hosting account, email address and any FTP accounts. Like usernames, passwords are another piece of the puzzle for hackers to guess, and the stronger your password, the more difficult you make it for hackers to successfully login to your site.
During installation, WordPress will try to force a strong password on you and ask you to check a box if you enter a weak one. While you might want to come up with your own password, tools like Secure Password Generator can create a strong password for you.
6. Use Two-Factor Authentication
Even with a strong username and password, brute force attacks are still a problem for many websites. This is where two-factor authentication can help.
Two-factor authentication adds another step in the login process, forcing users to enter a code sent to their mobile phone in addition to entering their usual login credentials. This can thwart automatic attacks and ensure your site doesn’t fall victim to hackers.
Plugins like iThemes Security can implement two-factor authentication. There are also free plugins like Two Factor Authentication that can add this extra layer of security to your site.
7. Limit Login Attempts
By default, you can attempt to log in to your WordPress account as many times as you want. While this might be convenient if you’re forgetful and don’t always get your password right on the first or even third go, it’s also convenient for hackers carrying out brute force attacks – it gives them an unlimited number of attempts to crack your username and password combination.
This can be easily fixed by limiting the number of failed login attempts a user can make on your site. Free plugins like WP Limit Login Attempts let you limit login attempts and block IP addresses temporarily.
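As an added illustration of what such a plugin does under the hood (example code written for this article, not the WP Limit Login Attempts plugin or any other published plugin), here is a minimal must-use plugin that counts failed logins per client address with WordPress transients and refuses further attempts for 15 minutes once five have failed. The plugin, constant and function names are hypothetical, and it assumes REMOTE_ADDR is the real client address (no proxy or CDN in front of the site).

```php
<?php
/*
 * Plugin Name: Example Login Attempt Limiter
 * Description: Illustrative mu-plugin for this article (hypothetical code, not a
 *              published plugin). Save as wp-content/mu-plugins/example-login-limit.php.
 */

define( 'EXAMPLE_LOGIN_MAX_FAILS', 5 );                   // failures allowed per window
define( 'EXAMPLE_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS ); // lockout length in seconds

// Transient name keyed on the client address. Assumes REMOTE_ADDR is the real
// client IP; behind a proxy or CDN you must derive the address from the header
// your host guarantees, otherwise every visitor shares one counter.
function example_login_fail_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'example_login_fail_' . md5( $ip );
}

// Count each failed attempt. Re-setting the transient restarts the window, so a
// client that keeps hammering the login form stays locked out.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_login_fail_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, EXAMPLE_LOGIN_WINDOW );
} );

// Priority 30 runs after wp_authenticate_username_password (priority 20), so the
// WP_Error returned here replaces any successfully authenticated user object and
// the password is never accepted while the address is locked out.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_login_fail_key() ) >= EXAMPLE_LOGIN_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_login_fail_key() );
} );
```

The lockout error itself also fires wp_login_failed, which is intentional: each blocked attempt extends the window rather than letting it expire mid-attack.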
8. Install an SSL Certificate
Installing an SSL certificate on your site is a must, especially if you have an eCommerce store. Not only because it will make it difficult for hackers to intercept sensitive information between user browsers and your server, but because Google now insists that all sites should have one.
Starting in July 2018 with the release of Chrome 68, web pages that load without HTTPS will be marked as “not secure.” This means that users who try to access sites that don’t have an SSL certificate will get a warning that the site is untrustworthy.
This announcement is a big deal because, according to Cloudflare, more than half of web visitors will see these warnings.
Getting an SSL certificate is becoming easier and easier. Let’s Encrypt offers free open source certificates, while hosting companies will generally provide one for a fee (and sometimes even for free).
9. Change Database Prefix
By default, WordPress uses wp_ as the prefix for all tables in your site’s database. This means that if you’re using the default – which is common WordPress knowledge – hackers can easily guess what your table names are, making your site more vulnerable to SQL injection.
A simple way to fix this is to change the prefix to something random, like 5jiqtu69dg_, using a random string generator. To update your table prefix, open the wp-config.php file in the root of your site’s file directory and find this line:
$table_prefix = 'wp_';
Using my example, you would replace the line like so:
$table_prefix = '5jiqtu69dg_';
Next, you’ll need to update the prefix used in your database. While security plugins like iThemes Security can help you do it quickly and easily, you can learn how to do it manually via phpMyAdmin here.
10. Protecting wp-config.php and .htaccess Files
Your site’s wp-config.php file, which is usually located in the root folder of your website, contains critical information about your WordPress installation, including the name, host, username and password for your database. Meanwhile, .htaccess is a hidden file that sets directory level server configuration, enables pretty permalinks, and allows for redirects.
Preventing access to these critical files is easy. Simply add the following to your .htaccess file to protect wp-config.php:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Alternatively, you could simply move your wp-config.php file one directory higher, as WordPress will automatically look for it there.
To stop unwanted access to .htaccess, all you need to do is change the file name in the code:
<Files .htaccess>
order allow,deny
deny from all
</Files>
These directives use the Apache 2.2 access-control syntax. On Apache 2.4 without the mod_access_compat module they cause a server error, so there replace the two order/deny lines in each block with Require all denied.
11. Add Security Keys
WordPress security keys and salts encrypt information stored in browser cookies, protecting passwords and other sensitive information. There are four security keys in total: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY.
These authentication keys are basically a set of random variables and make it harder to crack your passwords. A non-encrypted password like “wordpress” doesn’t take much effort for attackers to break. But a long and random password like “L2(Bpw 6#:S.}tjSKYnrR~.Dys5c>+>2l2YMMSVWno4`!%wz^GOBf};uj*>-tkye” is much more difficult to crack.
Adding security keys and salts is a manual process and easy to do. Here’s how to do it:
- Get a new set of security keys and salts. You can randomly generate them here.
- Next, update your wp-config.php file. Open your file and scroll down until you find the section below and replace the old values with your new keys and salts:
/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'add unique variables here');
define('SECURE_AUTH_KEY',  'add unique variables here');
define('LOGGED_IN_KEY',    'add unique variables here');
define('NONCE_KEY',        'add unique variables here');
define('AUTH_SALT',        'add unique variables here');
define('SECURE_AUTH_SALT', 'add unique variables here');
define('LOGGED_IN_SALT',   'add unique variables here');
define('NONCE_SALT',       'add unique variables here');
/**#@-*/
- Save your wp-config.php file. You’ll be automatically logged out of your WordPress site and will need to log in again.
12. Disable File Editing
WordPress features an internal code editor for plugin and theme files. While this is useful for admins who want to make quick changes to files, it also means hackers and high-level users can also make file changes. You can find this feature by going to Appearance > Editor in your WordPress admin.
You can disable file editing in your wp-config.php file. Just open your file and add this line of code:
define('DISALLOW_FILE_EDIT', true);
You’ll still be able to edit your plugins and themes via FTP or cPanel, just not in the WordPress admin.
13. Prevent PHP Files from Being Executed
A common folder for hackers to upload malware to in WordPress is wp-content/uploads/, and also wp-includes/. To prevent PHP files from being executed in these folders, create a new text file in a text editor and paste in this code:
<Files *.php>
deny from all
</Files>
Next, save this file as .htaccess and upload it to both your /wp-content/uploads/ and /wp-includes/ folders via FTP or cPanel. If your server runs Apache 2.4 without mod_access_compat, use Require all denied in place of deny from all.
14. Disable XML-RPC Selectively
XML-RPC, or XML Remote Procedure Call, is an API that helps connect web and mobile apps with your WordPress site. It was enabled by default in WordPress 3.5 but has since been found to significantly amplify brute force attacks.
For example, if a hacker wanted to try 500 different passwords on your site, they would usually have to make 500 separate login attempts. But with XML-RPC, the hacker could use the system.multicall function to try a large number of username and password combinations in a single HTTP request.
While it would be easy to simply disable this feature altogether, doing so would mean losing functionality for plugins like Jetpack. Instead, it’s best to be selective in how you disable XML-RPC, using specially designed plugins.
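As an added example (written for this article, not code from any plugin named here), this must-use plugin keeps xmlrpc.php available for tools such as Jetpack but removes system.multicall from the list of methods WordPress will serve, so a single request can no longer carry a batch of login attempts. The plugin and file names are hypothetical.

```php
<?php
/*
 * Plugin Name: Example Selective XML-RPC Restriction
 * Description: Illustrative mu-plugin for this article (hypothetical code, not a
 *              published plugin). Save as wp-content/mu-plugins/example-xmlrpc.php.
 */

// WordPress builds its XML-RPC method table in wp_xmlrpc_server and passes it
// through the 'xmlrpc_methods' filter before handling a request. Removing
// system.multicall leaves every other method (including those Jetpack adds via
// the same filter) untouched, while forcing each login attempt back into its
// own HTTP request, where a login-attempt limiter and the access logs can see it.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );
```

Requests for the removed method receive the standard XML-RPC "method not found" fault, and legitimate single-call clients keep working.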
Bonus: How to Check for Vulnerabilities
There are a couple of different ways you can check your site for vulnerabilities: with an online site scanner or with a plugin.
With these free online tools, all you need to do is enter your site’s URL and they will start scanning it for known vulnerabilities:
WordPress Security Scan – This tool passively checks for basic security issues. You’ll need to upgrade to a premium plan for advanced testing.
Sucuri SiteCheck – Check your website for known malware, blacklisting status, website errors, and out-of-date software. With a premium upgrade, this tool will do malware cleanup, DDoS/brute force protection, blacklist removal and security monitoring.
WPScan – This black box WordPress vulnerability scanner hosted at GitHub lets you scan your site for known vulnerabilities with core, plugins and themes. You’ll need to use the Terminal to run this application. It’s free for personal use and sponsored by Sucuri.
Bonus: Best WordPress Security Plugins
Installing a security plugin on your WordPress site adds another line of defense against possible attacks. They offer a wide range of features to help secure your site – including site scans – and can notify you when your site has been compromised.
Here are the top 3 plugins:
Wordfence
WordFence is a hugely popular free security plugin with 2+ million active installations and a premium option available. It features a “Threat Defense Feed” that pulls in the newest firewall rules, malware signatures and malicious IP addresses, keeping your website safe.
A web application firewall identifies and blocks malicious traffic, while a real-time IP blacklist blocks all requests from malicious IPs, protecting your site while reducing load.
This plugin protects against brute force attacks by limiting login attempts, enforcing strong passwords, and other login security measures. If it finds any kind of infection in your site, it will notify you by email. You can also monitor the traffic to your site in real-time to check if it’s under attack.
Sucuri
For a free security plugin, Sucuri’s security plugin provides a comprehensive set of features, including security activity auditing so you can keep an eye on any changes made to your site, file integrity monitoring, remote malware scanning, blacklist monitoring, and security hardening measures.
A “post-hack security actions” section of the plugin walks you through the three key things you should do after a compromise. You can also enable security notifications so when an infection is found on your site or it’s compromised, you’ll be immediately alerted.
When you upgrade to the premium version, you get access to a website firewall for added protection.
iThemes Security
While the free version of iThemes Security helps lock down WordPress, fix common holes and strengthen user credentials, the pro version features just about every security measure you could need.
There’s two-factor authentication, malware scan scheduling, and user action logging so you can track when users edit content, log in or log out. You can update security keys and salts, set password expiration and add Google reCAPTCHA to your site.
Other features include online file comparison, WP-CLI integration, and temporary privilege escalation so you can grant temporary admin or editor access to your site.
Conclusion
There’s no single right way to protect your WordPress site against security threats. The best you can do is keep WordPress core, themes and plugins up-to-date and implement a number of different solutions that patch vulnerabilities, protect critical files, and force users to strengthen their credentials.
Scheduling regular backups is also a must. You never know when your site might succumb to an attack, so it’s important you’re ready and have a plan in place for quickly restoring your site in case of an emergency.
Investing in a solid security plugin that lets you scan your site for vulnerabilities, monitor actions, and alert you when something isn’t right will also help harden your site and ensure it’s well-protected against threats.
Great Post. Thanks. I am using iThemes Security to protect my website.
Do you have any suggestions for good hosting options? Thanks
Glad you liked the post.
Yes, I’d recommend going with either SiteGround or Kinsta, both are fantastic hosting providers. DesignBombs is also hosted on Kinsta, we have been using their service since 2015.
Additional resources:
– https://www.designbombs.com/siteground-review//
– https://www.designbombs.com/kinsta-review/
Hope that helps.