The Ultimate WordPress Security Guide – 27+ Tips to Keep Your Website Secure!
Before starting our guide on WordPress Security, let’s take a quick look at a few stats related to WordPress in 2021 –
- WordPress powers 40% of the web today, from business and news websites to blogs on technology, fitness, personal coaching, and lifestyle.
- WordPress has over 60% market share among all the CMSs available in the market.
- More than 500 new websites are built each day using WordPress.
- WordPress has over 55,000 plugins in its plugin repository.
- Almost 22% of the top 1 million eCommerce websites use the WooCommerce plugin.
Amazing stats, right?
But this popularity also attracts attackers and spammers, which exposes your site to threats like –
- Malware,
- Backdoors,
- Malicious Redirects,
- Phishing,
- Pharma hacks,
- Drive-by downloads,
- Stolen passwords,
- Cross-site scripting or XSS attacks, and
- Many others.
Thousands of developers from the WordPress community work hard to keep WordPress core free of vulnerabilities and bugs, so in practice the main culprits are third-party themes and plugins.
Therefore, the security of your website should be at the topmost priority on your checklist.
Today, in this guide, I am going to share all the top WordPress security tips, tricks, and plugins that even beginners can use to protect their WordPress website.
Why Is WordPress Security Important?
If you don't take WordPress security seriously, you might end up paying a ransom to regain access to your own website.
It doesn't matter whether you have a –
- Business website,
- Successful blog, or
- eCommerce WordPress website.
Hundreds of WordPress websites get hacked, and their owners end up asking for help through support services, social platforms, and forums.
A hacked WordPress website hurts your revenue, traffic, credibility, and reputation. And attackers rarely pick targets by hand: automated scanners probe every reachable site for the same known weaknesses, so a small site is just as exposed as a big one.
What Makes WordPress Vulnerable?
There are several reasons why WordPress sites get compromised. The most common ones are –
- The popularity of WordPress,
- An older and outdated version of WordPress,
- An older and outdated version of WordPress themes & plugins,
- The user's own carelessness,
- Poor password selection,
- Cheap hosting with weak server security, and
- Lack of web knowledge.
WordPress Security Checklist – Tips, Tricks, and Plugins!
I’ve compiled this WordPress security checklist in such a way that even a beginner can go through it and improve a website’s security (without even having technical knowledge).
Followed together, these tips close off the most common ways WordPress sites get compromised. No checklist can promise a site is immune, so keep working backups (tip 8) regardless.
Let’s dive right in.
1. Update WordPress Regularly
There are 2 things that need to get updated on a regular basis –
a. WordPress Core Software
WordPress installs minor (maintenance and security) releases automatically; major releases have to be applied manually unless you turn on automatic updates for them (see below).
Tip Always take backups before updating WordPress, themes, and plugins.
b. Third-party Themes and Plugins
Third-party themes and plugins also receive regular updates by the developers and companies managing them.
Takeaway Carefully read the terms and conditions of third-party themes and plugins before installing it on your website. Authors may include unwanted code for their personal benefit.
Why You Should Not Ignore WordPress Updates?
Remember that updates regularly ship fixes for publicly disclosed security bugs, and attackers start scanning for unpatched sites as soon as a fix is announced.
Not updating WordPress can create compatibility, security and stability issues on your WordPress website.
Takeaway Keep track of the last update date of each plugin and theme. An actively maintained plugin or theme gets security fixes and support from its author; an abandoned one does not.
Enable Auto-update Feature in WordPress
You can also enable WordPress auto-update to make sure your website remains updated. To enable core updates (both minor and major) add the below code in wp-config.php file.
#Enable all core updates, including minor and major:
define ( 'WP_AUTO_UPDATE_CORE', true );
If you’re not aware of how to add a code snippet to wp-config.php, then you can check this step-by-step guide on – How to Add Code Snippets to wp-config.php File?
2. Set Strong Passwords
We have all heard about how important it is to set strong passwords for our profiles, accounts, and websites everywhere.
From Facebook to LinkedIn to WordPress, every successful platform will advise you to create a strong password so that it cannot be guessed by a person or cracked by an attacker.
Best Tips to Make Your WordPress Login Password Strong
Your password should –
- mix lowercase and uppercase letters, numbers and special characters,
- be more than 10 characters long (longer is better; a long passphrase beats a short complex string), and
- be unique to this site, so a breach elsewhere does not hand over your WordPress login.
You can also install a plugin such as Login Lockdown to restrict the number of login attempts on your website.
According to WordPress, What You Should Avoid While Choosing Passwords?
WordPress Auto-generated Passwords
You can also keep the password WordPress auto-generates for you; it is long and random, which is exactly what you want.
Takeaway Always try to create strong passwords: at least 10 characters including at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character, and store it in a password manager rather than reusing it elsewhere.
3. User Permissions – Roles & Capabilities
Never share your WordPress administrator account; give every person their own account.
Also, if you allow guest posting on your blog or have a team that accesses your website's admin area, assign each user the least privileged role that covers their work (Contributor or Author for writers, Editor for people who publish others' work) and reserve Administrator for the few people who actually manage the site.
You can change user roles from Dashboard > Users.
4. Choose a Good Hosting Company
Server-level security is as important as application-level security.
No matter how much you spend on hardening your website, if your hosting server is not secure, it's all wasted.
Therefore make sure you choose a good hosting provider that provides multi-layer security.
A secure hosting provider –
- Continuously monitors its servers,
- Protects your website by mitigating DDoS attacks,
- Provides services like daily malware scans,
- Isolates each account, so one compromised site on a shared server cannot touch yours,
- Delivers fast server response times, and
- Provides support 24/7, 365 days a year.
You can check out the complete feature list, along with my recommendations for fast and reliable web hosting, in my other post on web hosting.
5. Move Your WordPress Site to HTTPS by Installing SSL Certificate
Google treats HTTPS as a ranking signal, so serving your site over HTTPS with a valid SSL/TLS certificate is now part of basic SEO as well as security.
In fact, since July 2018 (Chrome 68), Google Chrome marks every page served over plain HTTP as "Not secure" in the address bar.
What Does SSL Certificate and HTTPS Do Anyway?
HTTPS encrypts the connection between the visitor's browser and your web server, so anyone sitting on the network path (a public Wi-Fi hotspot, a compromised router, an ISP) can neither read nor alter the traffic.
For WordPress that matters most on the login page: over plain HTTP the username, password and the session cookie that wp-login.php sets travel in clear text and can be captured and replayed; over HTTPS they cannot. Make sure the whole site, not just the login page, is served over HTTPS (set WP_HOME and WP_SITEURL to https:// and redirect HTTP to HTTPS).
6. Use Latest PHP Version
Updating your server’s PHP version is equally important as updating your WordPress version.
Just like WordPress, PHP versions also have minor and major updates in which issues related to bugs and security gets fixed.
So, if you're not updating your server's PHP version, you are exposing your website to vulnerabilities that were fixed in later releases, and PHP versions that have reached end of life no longer receive security fixes at all.
How To Update PHP Version?
All you need to do is to open up your cPanel, go to Select PHP version under the Software category.
There, you can easily select the desired version from the dropdown and click on Set as current. Before switching, check that your theme and plugins support the new version and, if you can, test on a staging copy first; old code can break on a major PHP upgrade.
7. Don’t Use Nulled WordPress Themes and Plugins
Nulled (pirated) themes and plugins frequently contain malware, backdoors or hidden spam links, and because they are obtained outside the official channel they never receive the author's security updates.
You might end up losing your website’s access and data if you choose to use a nulled theme or plugin.
In fact, the malware can spread to other websites on the server or hosting platform as well and your site can be removed for spreading malware knowingly or unknowingly.
Therefore, as a security measure, make sure you avoid nulled WordPress themes and plugins.
8. Install a WordPress Backup Plugin
Precaution is better than cure. Isn’t it?
Keeping a backup of your website is the one safety net that works no matter what goes wrong: if you lose data or someone hacks your website, you can restore the files and database from the backup.
Think of it as a reconstructive blueprint of your website.
Backups let you restore your WordPress website when something bad happens, but only if they are stored somewhere other than the hacked server (off-site or cloud storage) and you have actually tested a restore.
There are many free, paid, and freemium backup WordPress plugins available.
We’ve compiled a list of best backup restore WordPress plugins to make your task easy.
I use UpdraftPlus for TheMaverickSpirit as our WordPress backup solution.
9. Install the Best WordPress Security Plugin
After backups, you can harden your website’s security by installing a security WordPress plugin.
A WordPress security plugin automatically –
- scans for malware,
- blocks threats,
- adds a firewall,
- monitors file integrity,
- tracks failed login attempts,
- tracks user activity, and
- inspects the data being passed to the website.
We use Sucuri Security WordPress plugin at TheMaverickSpirit to monitor and audit our website for security.
Why Sucuri Security WordPress Plugin?
Sucuri Scanner is one of the best and free security WordPress plugins available.
All you need to do is to install and activate the free Sucuri Security plugin and sit back.
For more details, you can check our step by step guide on – How to install a WordPress plugin?
10. Pre-login Captchas
A pre-login captcha is another way to keep your WordPress login secure.
It stops automated clients such as bots and brute-force tools from submitting the login form, while a human can still get through. It is a speed bump rather than a wall, so combine it with login limiting and two-factor authentication.
You can add a captcha to your WordPress login by installing a captcha plugin.
11. Add Two Factor Authentication Plugin
I use two-factor authentication in almost every application these days.
It means that knowing your password is no longer enough: you also have to present a second factor, something you have, before you can log into your WordPress website.
This usually involves a time-based one-time code from an authenticator app on your phone, a push notification (a prompt sent to your device), or a one-time code sent by SMS to your registered mobile number (the weakest of the three, since SMS can be intercepted or redirected by SIM swapping).
Even though it occasionally slows down getting to your dashboard, it is highly advisable that you use two-factor authentication on your website: it defeats password guessing and the reuse of a password stolen from some other site.
For that, you need to install and activate a two-factor authentication plugin.
Once installed, the next step is to install an authenticator app on your phone, tablet or any other device you are using.
There are several authenticator apps. Some of them are –
- Google Authenticator,
- Authy, and
- LastPass Authenticator.
Now when you try to log in to your WordPress website, you will be asked for a one-time code after your password.
Open up your authenticator app, enter the current code and log in. Keep the backup/recovery codes the plugin gives you somewhere safe, because losing the device otherwise locks you out of your own site.
12. Limit Login Attempts
Attackers use a technique called a brute-force attack: they try to log in to your WordPress website with many different username and password combinations until one works.
By default, WordPress allows unlimited login attempts, which leaves a WordPress website open to brute-force attacks.
You can fix this simply by installing the Login Lockdown WordPress plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
Upon activation, you can set –
- The maximum number of login attempts,
- The retry time period, and
- Whether you want to lock out invalid usernames or not.
13. Rename Your WordPress Login Page
This is one of the simplest ways to cut down the noise hitting your website.
Automated scanners look for wp-login.php and wp-admin on every site they find; if those paths return a 404, most of them move on. It is security through obscurity, though: it does not stop someone who is targeting your site specifically, and xmlrpc.php still accepts credentials unless you disable it (see tip 21).
You can rename your WordPress login page using the Rename wp-login.php plugin.
If you run an eCommerce store with many users who need to log in, renaming the login page is impractical, and you need stronger measures such as two-factor authentication and login limiting.
14. Add Security Questions to WordPress Login Screen
Asking security questions at login is a practice you might have seen on banking websites. Adding the same to your website puts another check in front of the dashboard.
You can add security questions to the WordPress login screen by installing and activating a security plugin that offers this feature.
Upon activation, you need to configure the plugin settings. Keep in mind that the answers to typical security questions (mother's maiden name, first school) are often guessable or publicly findable, so treat this as a minor extra hurdle and not as a replacement for two-factor authentication.
15. Automatically log out Idle Users in WordPress
Logging out inactive users can save your website from getting hacked.
You may be careful with your website's security, but other users might walk away from an unlocked computer with the dashboard still open.
Anyone who sits down at that machine, or who hijacks the still-valid session cookie, can then change passwords, content and other critical information on your website.
All you need to do is install a plugin that logs out idle users after a set period of inactivity; several free ones are available in the plugin repository.
16. Change the Default “admin” username
Older WordPress versions (before 3.0) created the first administrator account with the username "admin", and many sites set up since then still use it out of habit.
If an attacker already knows your login username, half of the work of a brute-force attack is done. Usernames also leak through author archive URLs (?author=1) and the REST API (/wp-json/wp/v2/users), so choose a username that is not "admin" and restrict user enumeration where you can.
WordPress does not let you rename a user from the dashboard, so create a new administrator account with a different username, log in as it, delete the old "admin" account, and attribute its content to the new user when prompted.
17. Disable File Editing
WordPress comes with a built-in code editor (Appearance > Theme Editor and Plugins > Plugin Editor) that lets an administrator edit theme and plugin files from the admin area.
But I won't recommend editing your WordPress files within the dashboard. It is as risky as any other vulnerability.
If an attacker gets hold of an administrator account, or of a valid admin session, this editor turns that access into arbitrary PHP execution on your server in one step.
Therefore, it’s a best practice to disable file editing in WordPress.
How to Disable File Editing in WordPress?
And you can do that by adding the below code to your website’s wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
18. Disable PHP File Execution in Certain WordPress Directories
WordPress is written in PHP.
If you disable PHP execution in directories where no PHP should ever run, such as the uploads directory, then a PHP file an attacker manages to upload there (a web shell disguised as an image, say) cannot be executed, which takes away the most common way of turning a file-upload bug into a backdoor.
How to Disable PHP File Execution in WordPress Directories?
Add the following code to a .htaccess file inside the directory you want to protect, for example wp-content/uploads/.htaccess. Do not put it in the site's root .htaccess: there it blocks every PHP file, including WordPress itself. This is the Apache 2.2 syntax; the Apache 2.4 equivalent is shown in tip 27.
<Files *.php>
deny from all
</Files>
19. Change WordPress Database Prefix
WordPress prefixes its database tables with wp_ by default.
Changing the prefix makes the table names harder to guess, which breaks some off-the-shelf SQL injection payloads that assume wp_users and wp_options. Be clear about what it buys you: an attacker who has found an injection point can read the real table names from information_schema, so this is obscurity, not a fix, and keeping plugins updated matters far more.
And you can do that just by following another article about How to Change WordPress database prefix in the right way.
20. Disable Directory Indexing and Browsing
What is Directory Indexing and Browsing?
Directory browsing (or directory indexing) means the web server answers a request for a directory that has no index file with a listing of every file in it, visible to anyone in a browser.
Why You Should Disable Directory Indexing and Browsing?
Attackers use directory listings to see exactly which plugins, themes and versions you run, and to find files that should not be public at all (backups, exported databases, log files).
On top of that, anyone can copy and download your website's images and files, and map out your site's directory structure.
How to Disable Directory Indexing and Browsing?
All you need to do is add the following line to your website's .htaccess file to disable directory indexing and browsing.
Options -Indexes
21. Disable XML-RPC in WordPress
What is XML-RPC?
XML-RPC is a protocol for exchanging information between two devices (computers, laptops, mobile devices, etc.) over a network. It is called XML-RPC because it is a remote procedure call (RPC) that uses XML encoding. In WordPress it lives at /xmlrpc.php and is used by the mobile apps, Jetpack and some remote-publishing tools.
Why Disable XML-RPC in WordPress?
XML-RPC makes a WordPress website easier to attack because –
- Every authenticated call carries the username and password in the request body, so each request is a fresh password guess that bypasses any protection you put on the login form.
- The system.multicall method lets one HTTP request bundle hundreds of such calls, so a brute-force attack can test hundreds of passwords per request, which defeats rate limits that count requests.
- The pingback.ping method can be abused to make your server send HTTP requests to arbitrary targets (DDoS amplification and port scanning).
So if you're not using the mobile app, Jetpack, or another remote connection to publish on your WordPress website, disable XML-RPC as a best practice.
How to Disable XML-RPC in WordPress?
Add the following line to your theme's functions.php (or, better, to a small site-specific plugin so a theme update does not wipe it). Note that this filter only turns off the XML-RPC methods that require authentication; pingback.ping and the other unauthenticated methods stay reachable, so to shut the endpoint down completely also deny access to xmlrpc.php in the web server configuration.
add_filter('xmlrpc_enabled', '__return_false');
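If you must keep XML-RPC on (Jetpack, the mobile app), the thing to watch for is the amplification described above: one request carrying many logins. Here is an added example (not from this guide and not WordPress code) that flattens an XML-RPC request body, looks inside system.multicall, and returns the counts a WAF rule or log monitor can act on. The two request bodies are constructed for the demonstration; the usernames, passwords and the threshold are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# XML-RPC methods whose first two parameters are a username and a password.
AUTH_METHODS = {
    "wp.getUsersBlogs", "wp.getProfile", "wp.getUsers", "wp.getPosts",
    "blogger.getUsersBlogs", "metaWeblog.getUsersBlogs",
}

# Constructed samples, not captured traffic. The brute-force one is what a single
# system.multicall request looks like when it smuggles many login attempts.
_CALL = """<value><struct>
  <member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
  <member><name>params</name><value><array><data>
    <value><string>{user}</string></value><value><string>{password}</string></value>
  </data></array></value></member>
</struct></value>"""

BRUTE_FORCE_SAMPLE = (
    '<?xml version="1.0"?><methodCall><methodName>system.multicall</methodName>'
    "<params><param><value><array><data>"
    + "".join(_CALL.format(user="admin", password=p)
              for p in ["admin123", "password", "letmein", "qwerty", "welcome1"])
    + "</data></array></value></param></params></methodCall>"
)

NORMAL_SAMPLE = (
    '<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName>'
    "<params><param><value><string>alice</string></value></param>"
    "<param><value><string>correct horse battery staple</string></value></param>"
    "</params></methodCall>"
)


def _value_text(value_el):
    """An XML-RPC <value> wraps a typed child (<string>, <int>, ...) or holds bare text."""
    child = value_el.find("*")
    return (child.text if child is not None else value_el.text) or ""


def _struct_members(value_el):
    """Map member names to their <value> elements for a <value><struct>...</struct></value>."""
    return {m.findtext("name"): m.find("value") for m in value_el.findall("struct/member")}


def summarize_xmlrpc(body):
    """Flatten a request body into the (method, params) calls it really contains, looking
    inside system.multicall, and return counts a WAF rule can act on."""
    # For untrusted input in production use defusedxml here; stdlib ElementTree is enough for a demo.
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    top = root.findtext("methodName")
    calls = []
    if top == "system.multicall":
        for v in root.findall("params/param/value/array/data/value"):
            members = _struct_members(v)
            name = _value_text(members["methodName"]) if "methodName" in members else ""
            params = []
            if "params" in members:
                params = [_value_text(p) for p in members["params"].findall("array/data/value")]
            calls.append((name, params))
    else:
        calls.append((top, [_value_text(p) for p in root.findall("params/param/value")]))
    auth_calls = [(m, p) for m, p in calls if m in AUTH_METHODS and len(p) >= 2]
    return {
        "top_method": top,
        "calls": len(calls),
        "auth_calls": len(auth_calls),
        "usernames": dict(Counter(p[0] for _, p in auth_calls)),
        "distinct_passwords": len({p[1] for _, p in auth_calls}),
        "pingbacks": sum(1 for m, _ in calls if m == "pingback.ping"),
    }


def is_multicall_brute_force(summary, max_auth_calls=3):
    """Several credential-bearing calls with different passwords in one request is a
    password guess amplified through system.multicall, not normal client traffic."""
    return summary["auth_calls"] > max_auth_calls and summary["distinct_passwords"] > 1


if __name__ == "__main__":
    for label, body in (("multicall", BRUTE_FORCE_SAMPLE), ("single login", NORMAL_SAMPLE)):
        s = summarize_xmlrpc(body)
        print(label, s, "-> brute force" if is_multicall_brute_force(s) else "-> ok")
```

The point of counting inside the body is that a request-rate limit sees one request here, while the login form effectively saw five. A plugin or WAF that hooks the XML-RPC request can apply the same test and refuse the whole multicall; the pingbacks counter exists so the same rule can flag pingback.ping traffic if you decide to block that method too.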
22. Protect The wp-admin Directory
Apart from the normal WordPress login, you can put a second, independent password in front of the whole /wp-admin/ directory using the web server's HTTP basic authentication (on Apache, an .htaccess file in wp-admin that points at an .htpasswd file).
This way you have two passwords: one at the server level, asked before wp-admin is even served, and one at the WordPress login page.
A brute-force tool aimed at wp-login.php never reaches WordPress at all, and any unauthenticated vulnerability in an admin-side file is shielded as well; combined with two-factor authentication, that is a hard target.
One caveat: wp-admin/admin-ajax.php is used by many themes and plugins for logged-out visitors, so add an exception that grants access to admin-ajax.php or the front end of the site will break.
23. Hide wp-config.php
wp-config.php is the main configuration file of a WordPress site: it holds the database host, name, username and password, the authentication keys and salts, and other installation settings. By default it sits in the site's root directory.
If an attacker can read this file, they have your database credentials and can forge login cookies with the salts, so you are in serious trouble.
PHP normally executes wp-config.php rather than serving its source, but a misconfigured or temporarily broken PHP handler, or a stray backup copy such as wp-config.php.bak, can expose it in plain text. The safest options are to deny web access to it explicitly and, if your host allows, to move it one directory above the web root (WordPress looks there automatically).
How to Hide wp-config.php File?
Add the following code to your .htaccess file to block web access to wp-config.php. The directive syntax differs between Apache 2.2 and 2.4.
I am including code for both versions 2.2 and 2.4 of Apache Server.
Hide wp-config.php File on Apache 2.2 version
# Protect wp-config Apache 2.2
<files wp-config.php>
order allow,deny
deny from all
</files>
Hide wp-config.php file in Apache 2.4 version
#Protect wp-config Apache 2.4
<Files "wp-config.php">
Require all denied
</Files>
24. Hide Htaccess file
The .htaccess file is where all of these access rules live, so an attacker who can read it learns exactly what is protected and how, and one who can write to it can undo every rule on this page.
Just like wp-config.php, it is best practice to block web access to .htaccess (and .htpasswd) as well. Apache's default configuration already denies requests for files beginning with .ht, so this rule is defence in depth in case your host's configuration differs.
Hide htaccess file on Apache 2.2 version
# Protect htaccess Apache 2.2
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
Hide htaccess file on Apache 2.4 version
# Protect htaccess Apache 2.4
<FilesMatch "^.*\.([Hh][Tt][Aa])">
Require all denied
</FilesMatch>
25. Prevent Image Hotlinking
Hotlinking is when another website embeds images straight from your server instead of hosting its own copy; hotlink protection blocks those requests.
Hotlinking doesn't lead to hacking, but it increases your server load and bandwidth bill for someone else's traffic.
Replace example.com with your domain name in the code below. The first condition lets requests with an empty referer through (direct visits, bookmarks, and browsers or proxies that strip the referer), so only requests that clearly come from another site are refused; the second condition accepts your own site over both http and https, with or without www.
# Prevent image hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|png)$ - [NC,F,L]
26. Block WordPress Includes
The wp-includes folder holds WordPress core's PHP files, which are only ever meant to be loaded by WordPress itself and never requested directly in a browser. Blocking direct requests to them shuts the door on attacks that call a core file on its own.
Add the following code to your .htaccess file to block direct access to –
- /wp-admin/includes/
- /wp-includes
- /wp-includes/js/tinymce/langs/
- /wp-includes/theme-compat/
# Block Includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
On a WordPress Multisite network, drop the RewriteRule ^wp-includes/[^/]+\.php$ line: it blocks wp-includes/ms-files.php, which older multisite installs use to serve uploaded files. Leaving it out offers less protection but keeps the network working.
27. Prevent PHP Backdoors
Attackers who find an upload bug usually drop their files in one of these two core folders –
- wp-includes, and
- wp-content/uploads
The rules below stop a malicious PHP file placed in those folders from ever being executed. They go in a .htaccess file inside each folder (wp-content/uploads/.htaccess and wp-includes/.htaccess), not in the site root; the Apache 2.2 block is the same one shown in tip 18.
Prevent PHP Backdoors in Apache 2.2 version
# Prevent PHP backdoors, Apache 2.2
<Files *.php>
deny from all
</Files>
Prevent PHP Backdoors in Apache 2.4 version
# Prevent PHP backdoors, Apache 2.4
<FilesMatch ".+\.php$">
Require all denied
</FilesMatch>
If your server also hands other extensions to PHP (.phtml, .php5, .phar), widen the pattern to cover them, and make sure the web server user cannot write to these .htaccess files; otherwise an attacker who gets a file upload simply overwrites the rule.
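The .htaccess rules in tips 18 and 27 stop a planted file from running; they do not tell you whether one has already been planted. Here is an added example (not from this guide or from any WordPress plugin) of the check an incident responder runs over an uploads tree: it flags PHP extensions (including double extensions like avatar.php.jpg), PHP tags hidden inside files that claim to be images, and an .htaccess that re-enables PHP execution. The directory it scans is built in a temporary folder from constructed files; the extension lists are assumptions you should match to your own server configuration.

```python
import os
import re
import tempfile

# Extensions a PHP handler may execute, depending on AddHandler/AddType configuration.
PHP_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".svg", ".ico"}
PHP_TAG_RE = re.compile(rb"<\?php|<\?=", re.I)
HANDLER_RE = re.compile(rb"(?i)(AddHandler|SetHandler|AddType)\s+[^\n]*php")


def suspicious_uploads(root):
    """Walk an uploads tree and return sorted [(relative_path, reason)] for files that
    should never be there: executable PHP, image/PHP polyglots, PHP-enabling .htaccess."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() == ".htaccess":
                # A writable .htaccess in uploads can undo the "deny PHP" rule or map .jpg to PHP.
                with open(path, "rb") as fh:
                    if HANDLER_RE.search(fh.read()):
                        findings.append((rel, "htaccess re-enables PHP execution"))
                continue
            # Collect every extension so that avatar.php.jpg is seen as .php as well as .jpg.
            exts = {"." + part for part in name.lower().split(".")[1:]}
            if exts & PHP_EXTS:
                findings.append((rel, "PHP extension in upload filename: " + name))
                continue
            if exts & IMAGE_EXTS:
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                if PHP_TAG_RE.search(head):
                    findings.append((rel, "PHP code inside a file claiming to be an image"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed uploads directory mixing a legitimate image with planted files.
    The 'backdoors' only echo a character; they exist to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="uploads-demo-")
    month = os.path.join(root, "2021", "10")
    os.makedirs(month)
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)            # genuine JPEG header, clean
    with open(os.path.join(month, "upload.php"), "wb") as fh:
        fh.write(b"<?php echo 'x'; ?>")                           # obvious drop
    with open(os.path.join(month, "avatar.php.jpg"), "wb") as fh:
        fh.write(b"GIF89a<?php echo 'x'; ?>")                     # double extension + polyglot
    with open(os.path.join(month, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"<?php echo 'x'; ?>")   # PHP appended to a PNG
    with open(os.path.join(root, ".htaccess"), "wb") as fh:
        fh.write(b"AddHandler application/x-httpd-php .jpg\n")    # maps images to PHP
    return root


if __name__ == "__main__":
    for rel, reason in suspicious_uploads(build_demo_tree()):
        print(f"{rel}: {reason}")
```

Run it against the real wp-content/uploads directory (and wp-includes) with the web server user's permissions. The .htaccess check is the important one: if that file is writable by PHP, the hardening in tips 18 and 27 is only as strong as the next upload bug.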
28. Hide WordPress Version
If an attacker knows your exact WordPress version, they can go straight to the published vulnerabilities for that version instead of probing blindly.
So hiding the version number is reasonable hygiene, and you can do that by adding the following code to your functions.php file (or a site-specific plugin). Be realistic about the effect, though: the filter below only removes the generator tag from the HTML and the feeds; the version is still visible in readme.html in the site root and in the ?ver= query string WordPress appends to its own scripts and stylesheets. The real protection is being on the current version (tip 1), because then the number gives an attacker nothing to use.
function themaverickspirit_remove_wp_version() {
return '';
}
add_filter('the_generator', 'themaverickspirit_remove_wp_version');
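To see what the filter does and does not hide, here is an added example (not part of this guide and not WordPress code) that scans a page the way a fingerprinting scanner does: it looks for the generator meta tag and for the ?ver= stamp on core assets under /wp-includes/, and guesses the core version from the stamp that appears most often. The two HTML fragments are constructed to show a site before and after the filter; the domain and version numbers are placeholders.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

META_GENERATOR_RE = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s+([\d.]+)""", re.I)
ASSET_URL_RE = re.compile(r"""(?:src|href)=["']([^"']*\?[^"']*\bver=[^"'&]+)""", re.I)


def find_version_leaks(html):
    """Return (where, version) for every place a page exposes a version string:
    the generator meta tag and the ?ver= stamp on assets served from /wp-includes/."""
    leaks = [("meta generator", m.group(1)) for m in META_GENERATOR_RE.finditer(html)]
    for m in ASSET_URL_RE.finditer(html):
        parsed = urlparse(m.group(1))
        ver = parse_qs(parsed.query).get("ver", [""])[0]
        # Plugins and themes stamp their own versions on their assets; only core files under
        # /wp-includes/ carry the WordPress version (bundled libraries like jQuery excepted).
        if ver and "/wp-includes/" in parsed.path:
            leaks.append((parsed.path, ver))
    return leaks


def likely_core_version(html):
    """Fingerprint heuristic: the version stamped on most core assets is the WordPress version,
    which is why removing the meta tag alone changes nothing for a scanner."""
    versions = Counter(v for where, v in find_version_leaks(html) if where != "meta generator")
    return versions.most_common(1)[0][0] if versions else None


# Constructed front-page fragments. BEFORE is what a stock site emits; AFTER is the same
# site once the the_generator filter above is active.
BEFORE = """<head>
<meta name="generator" content="WordPress 5.8.1" />
<link rel='stylesheet' href='https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=5.8.1' media='all' />
<script src='https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0'></script>
<script src='https://example.com/wp-includes/js/wp-embed.min.js?ver=5.8.1'></script>
<link rel='stylesheet' href='https://example.com/wp-content/plugins/some-plugin/style.css?ver=2.4.0' />
</head>"""
AFTER = "\n".join(line for line in BEFORE.splitlines() if "generator" not in line)

if __name__ == "__main__":
    print("before:", find_version_leaks(BEFORE), "->", likely_core_version(BEFORE))
    print("after: ", find_version_leaks(AFTER), "->", likely_core_version(AFTER))
```

The after-case still yields 5.8.1 from the asset stamps. Stripping ?ver= from enqueued scripts (the script_loader_src and style_loader_src filters) and deleting readme.html closes those too, but every one of these is cosmetic next to simply running the current release.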
29. Monitor Audit Logs
When you run a multi-author site (several authors, editors and other users, not just yourself), you give other people the ability to change and publish content on the website.
Some things, such as widgets, themes and plugins, can only be changed by an administrator, precisely because they have the largest impact; lower roles cannot touch them.
Keep a record of every change made to the website by its contributors and authors, and review it regularly.
You can keep such a log and monitor your website's activity by installing the WP Security Audit Log plugin.
A log does not undo anything by itself, but it tells you who changed what and when, so you can spot a harmful change (or a compromised account) quickly and revert it from a backup or by hand.
30. Remove Unused Themes & Plugins
Always remove unused themes and plugins to reduce the chances of getting hacked. Remove them even if they are deactivated: a deactivated plugin's files are still on disk and still reachable by URL, so a vulnerability in one of them can be exploited even though the plugin is "off". Keep one default theme installed as a fallback and delete the rest.
My Final Verdict on WordPress Security
These are some of the simple ways you can use to protect your WordPress website from hackers.
Take requisite actions in order to secure your website with some simple plugins, settings, and customizations.
You should never compromise on your website’s security as it might lead to permanent damage resulting in a complete loss of data.