An Ultimate Guide for WordPress Security

In this competitive world of smart people, Security of WordPress sites is emerged as one of the essential and important points to be taken into consideration.

Every serious site owner need to pay attention to the best practices and implementation strategies for security of their WordPress site.

Even though the WordPress Core is secure and audited regularly by talented developers and community members. There is still some scope to harden the security of your WordPress site.

As a site owner, there are lots of areas where you can work upon to improve the security of your WordPress site (even if you’re not a technical person).

In this guide, I will share all the essential and most important techniques to strengthen the security of your WordPress site. Implementing these techniques will help you protect your WordPress site against hackers and malware.

Before proceeding further, you must know the importance of Security and Why it is essential to be implemented.

Why WordPress Security is Important?

If your website or blog is insecure, then any hacker can easily hack your website and hamper your revenue and reputation (considering your monthly earning would be $100000).

Hackers are capable of stealing sensitive user information like their passwords, address, and phone number. Also, they can install malicious software to infect user devices and lead you to some legal complications as well.

Worst scenarios can be that you should pay ransom amount to hackers to get access back of your website.

Every Week, Google blacklists around 60K+ websites for malware and around 100K+ for phishing.

Being an online business owner, it is your responsibility to protect your website from illegal access, similar to how you protect your physical store from theft.

Effective Steps to Secure your WordPress site

I know that thinking about improving WordPress security can be a horrible and scary thought for beginners.

Initially, It was a challenging task for me too. But, as time passed and constant learning helped me overcome this challenge.

After that, I’ve started helping other newbies as much possible. I’ve helped around hundreds of WordPress users in hardening their WordPress security with the essential and most important steps.

I’ve hand-crafted a list of essential and most important security measures that will help you to harden WordPress security with just a few clicks and almost no coding required.

#1 Use Managed WordPress Hosting

Take Regular Backups via Reliable Sources

Backups are essential and first defensive step to fight back against any kind of WordPress attack. Remember, nothing is 100% secure. If government websites can be hacked, then so yours.

It will allow you to quickly restore your WordPress site in case of mess up, your website hacked or anything bad happened.

There are so many free and paid WordPress backup plugins available that you can use. But, all of these backup plugins can prove to be resources intensive when it comes to site performance.

The most important thing you need to know is that you must regularly save full-site backups to a safe remote location like Amazon, DropBox, Google Drive, and Stash as well as enable backups on your hosting providers like WPX HostingFlyWheel, and Kinsta to do it (as they provide hack proof guarantee).

Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups (most of the managed hosting providers provide real-time backups).

Also, backups can be easily done by using plugins like VaultPress or BackupBuddy. They are both reliable and most importantly easy to use (no coding needed).

It is your choice whether you need to back up your complete WordPress site using any third party WordPress plugin or utilize the backups feature of Managed Hosting Providers or using both of them.

Personally, My hosting provider (WPX Hosting) is automatically doing it for me daily for my site so I need not worry about backups anymore.

Change Default Database Prefix

By default, WordPress default database prefix is: wp_ 

If your WordPress site is using the default table prefix, then it will be easier for hackers to predict the table name of your database and perform malicious activities on your site. So, I recommend you to change the table prefix of your site database for WordPress security

Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills or you can hire a developer to accomplish this point.

Using Unique WordPress Secret Keys

Use WordPress Secret Keys to ensure additional layer of WordPress Security.
Unique WordPress Secret Keys

A WordPress Secret Key is a unique, random, and complicated string of data that hashes to ensure better encryption of information stored in the form of user cookies. It makes your site harder to hack by adding random elements to the password.

Using WordPress Secret Key is very important to ensure an additional layer of security to WordPress. You can find these WordPress Secret Keys in wp-config.php file under WordPress root.

These WordPress Secret Keys are divided into 2 categories:

  • Keys, and
  • Salts

Each of these categories have four different secret keys to add additional layer of security. From these, four keys are required for the enhanced security. While other four salts are recommended, but are not required, because WordPress will generate salts automatically for you, if none are provided.

In simple words, a secret key is a password with elements that make it harder to have enough scope to break through the site security barriers.

For example, A password like “password” or “test” is simple and easily broken. A random, long password which uses no dictionary words, such as “88a7da62429ba6ad3cb3c76a09641fc” would take a brute force attacker millions of hours to crack. So, A salt is used to further enhance the security of the generated result.

You don’t have to remember these salts, instead make them long, random and complicated or simply use the online generator to generate new unique WordPress salts. You can change these at any time to invalidate all existing cookies.

Disable Directory Indexing

Directory indexing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.

It can also be used by other people to look into your files, copy images, find out your directory structure, and other information to create a clone of your site. Hence, I highly recommended that you turn off directory indexing on your server.

If you use any WordPress optimized hosting provider like MilesWeb, WPX Hosting, FlyWheel or Kinsta, then you’ll have Directory Indexing disabled by default which is a plus point.

If you are using any other hosting, then you need to connect to your website using FTP or cPanel’s file manager. Then, locate the .htaccess file in your website’s root directory.

After that, you need to add the below line of code at the end of the .htaccess file:

Options -Indexes

Then, save and upload .htaccess file back to your site and confirm that the directory indexing is disabled or not.

If you’re not technical to do it at your own. Then, you can contact the support team of your hosting provider and ask them to disable directory indexing on your site. So, I believe all the hosting providers will do it free of cost for you.

#2 Keep WordPress Core, Plugins & Themes Updated

WordPress is an open source web software which is regularly maintained and updated by a team of developers and contributors.

By default, WordPress automatically installs minor updates. You need to manually update the major releases from WordPress.

There are thousands of plugins and themes available on WordPress Plugins and Themes directory respectively that you can install on your website with a single click. These plugins and themes are maintained by third-party developers who regularly release updates as well.

These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date on your WordPress websites.

Alternatively, if you’re running out of time managing content and marketing, then I would suggest you to use services like InfiniteWP and ManageWP for automating all the updates within a single dashboard.

#3 Use Strong Passwords

The most common WordPress hacking attempts use stolen passwords or weak passwords. You can make that difficult by using stronger passwords that are unique for your website. Not just for WordPress admin area, but also for FTP accounts, Database, hosting account, and even for your professional email address.

The main reason behind why beginners don’t like using strong passwords is because they’re hard to remember. The good thing is you don’t need to remember passwords anymore. You can use a password manager such as DashLane and LastPass.

Another way to reduce the risk is by providing access of WordPress admin to only those persons you trust and are part of your team considering the user roles and capabilities in WordPress.

#4 Don’t use default username

Previously, the default WordPress admin username is “admin” and usernames make up half of login credentials. Hence, this made it easier for hackers to perform brute-force attacks and crack the passwords.

Thanks to WordPress since they changed this and now allows you to select a custom username at the time of installing WordPress.

However, there are certain 1-click WordPress installers, still set the default admin username to “admin”. So, I would recommend that if you notice “admin” as default username, then it’s probably a good idea to change the username of the website or switch your web hosting to a better one.

Note: I’m talking about the username called “admin”, not the administrator user role to avoid further confusion.

#5 Disable File Editing

By default, WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area.

This feature can be a considered high security risk as any unauthorized user can easily change the code of your WordPress website.

Hence, I recommend you to disable file editing. You can easily disable file editing by adding following line of code in your wp-config.php

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

#6 Limit Login Attempts

By default, WordPress allows everyone to try to login as many time as they want. Due to this behaviour, all the WordPress sites are vulnerable to brute force attacks. Hackers try to hack passwords by trying to login with different combinations.

This can be easily fixed by limiting the failed login attempts per user and then blocking the site access to IP Addresses which are trying frequent failed login attempts.

To implement login attempt limitations, you need to install and activate the Login LockDown plugin. After activating the plugin, visit Settings » Login LockDown page to configure the plugin as per your needs and frequency of brute force attacks on your WordPress website.

#7 Disable XML-RPC

XML-RPC was introduced in WordPress 3.5 and is enabled by default because it helps connecting your WordPress site with web and mobile apps.

However because of it’s powerful and vibrant nature, XML-RPC can exponentially increase the risk of the brute-force attacks to your site.

For example, traditionally if a hacker wanted to try 500 different passwords on your website, they would have to make 500 separate login attempts which will be caught and blocked by the login lockdown plugin.

Instead with XML-RPC, a hacker can use the system.multicall function to try thousands of password with around 20 to 50 requests.

Hence, I would recommend to disable XML-RPC, if you’re not using it.

#8 Auto Logout Idle Users

Sometimes, Logged in users can go away from screen being idle instantly after login, and this poses a high security risk. Someone can hijack their session, change passwords, or make changes to their account in the mean time (specially on public computers).

This is the reason why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

You need to install and activate the Idle User Logout plugin. After activating the plugin, visit Settings » Idle User Logout page to configure plugin settings.

#9 Add Security Questions

Login screen is the most risk sensitive area for any website. Adding a security question to your WordPress login screen will make it harder for anyone to get unauthorized access to the site.

You can easily add security questions by installing the WP Security Questions plugin. After activating the plugin, you need to visit Settings » Security Questions page to configure the plugin settings.

Conclusion

These are the WordPress security steps which I follow to secure my site.

You can do the same to secure your WordPress site from hackers who can inject malicious code into your site.

If you still have any questions, you can contact me anytime, I’ll revert back to you with all the possible ways you can secure your WordPress site.

Get instant free access to my monthly developer friendly newsletter where I'll share my best informative tips about WordPress and my Life Experiences.
%d bloggers like this: