WordPress security is a very important area for all WordPress website owners. More than 10,000 WordPress websites have become victims of hackers and malware per day around the globe. Hence website owners must give first priority to enhance the security in their WordPress websites.
This article will aid to website owners to equip their website with advance WordPress security tips. As a website owner, you have to enhance the security of your website and there are several steps you should perform to protect your website from security vulnerabilities.
Why Website security is important?
Hackers can obtain your details including user information, passwords, install malicious software, distribute malware to other users and ask you to pay to obtain access to your website again while making significant damages to your company’s revenue and reputation. Hence it is essential to pay extra attention to the security of your website like your physical properties.
Keeping WordPress updated
WordPress is a regularly updated software. However, sometimes it may install minor updates only. Then you have manually initiated the update. As well as WordPress has many plugins and themes which are developed by various third-party developers. They also release updates and you should ensure whether WordPress core, plugins, and themes are up to date. Regular updating is vital for WordPress website stability.
Strong passwords and user permissions
You should use strong passwords for the WordPress admin area, FTP accounts, database, WordPress hosting account, and your email addresses with your site’s domain name. Many WordPress beginners do not give attention to maintain strong passwords due to difficulty in remembering them. But the thing you have to do is use a password manager for that task.
Another important point is not to give access for third parties to the WordPress admin account. If you have teams and guest authors, you should define their roles and capabilities in WordPress before they give them access to the site.
The role of WordPress hosting
The WordPress hosting company provide vital service on the security of your website and protect their servers from security threats by taking extra efforts. The WordPress hosting company does many tasks for the security of your WordPress website and database such as monitoring their network for suspicious activity, take actions to prevent large scale DDOS attacks, keeping the server software and hardware up to date, and arrangements to disaster recovery and accident plans. Well managed WordPress hosting companies are backups and update automatically and have advanced security configurations.
WordPress security in easy steps (No Coding)
01. Install a WordPress backup solution
Backups are the first defense you have against WordPress attacks and they quickly restore the WordPress website. It is available many WordPress backup plugins freely as well as you can purchase those plugins. You should save full-site backups regularly in a remote location. Your hosting account is not suitable for this. You can save your backups on a cloud service such as Amazon, Dropbox, or private clouds like Stash. You can save day backups or real-time backups simply by using plugins such as VaultPress or UpdraftPlus.
02. Best WordPress security plugin
The WordPress security plugin comprises file integrity monitoring, failed login attempts, malware scanning and etc. It works like an auditing and monitoring system and keeps tracks on everything on your website. The Sucuri scanner is one of the best security plugins. You have to install it and you can obtain more instructions by this article on how to install a WordPress plugin. Then you can follow the below steps.
- Go to the Sucuri menu in the WordPress admin.
- Click on the Generate a free API key tab.
- Click on the “Hardening “tab in the setting menu.
- Click on the “Apply Hardening” button after referring to all options. Those options will avoid hackers from their tasks.
It is better if you can customize Email alert settings. As default alert settings will clutter the inbox with emails. For that, you can configure email alerts as below.
- Go to the Sucuri settings and then for Alerts.
03. Enable web application Firewall (WAF)
The web application firewall blocks all malicious traffic before it reaches the website.
- DNS level website Firewall – This route website traffic through the cloud proxy servers and sent genuine traffic to the webserver.
- Application-level Firewall – This is not efficient to reduce the server load and it scans website traffics after it reaches the website before loading most WordPress scripts.
You can learn more by referring to this article on the best WordPress firewall plugins.
As well as Sucuri is one of the best web-application firewalls for WordPress and you can obtain more details by reading on how Sucuri helped us block 450,000 WordPress attacks in a month.
The Sucuri firewall has a malware cleanup and blacklist removal guarantee and they assure that they will fix the website against hackers.
Cloudflare is also DNS level firewall provider and you can get more details by referring to this comparison of Sucuri vs Cloudflare (Pros and Cons).
04. Move the WordPress site to SSL/HTTPS
The Secure Sockets Layer (SSL) is a protocol that encrypts the data transfer between the website and user browser. This makes it difficult for hackers to steal data.
After enabling SSL, the website will use HTTPS rather than HTTP and it appears padlock sign next to the website address. The SSL certificates are issued by certificate authorities and need to pay charges.
WordPress security for DIY users
Make sure that it requires your coding knowledge for some of the steps below.
01. Change the default “admin” username
Previously the WordPress admin username by default was “Admin” which allows hackers to do brute-force attacks simply. However, WordPress has changed it and now you can put a custom username when installing WordPress. But keep in your mind that some WordPress installer still set default username as “Admin”. If so, it is better to move from your web hosting. Because it does not allow you to select a custom username.
Normally you can change the username according to below three methods.
- Create a new admin username and delete the old one.
- Use username changer plugin.
- Update username from phpMyAdmin.
02. Disable file editing
WordPress has a built-in code. You can edit the theme and plugin files. However, your themes and plugin files are at a security risk. So it is better to turn off that feature in WordPress.
You can disable file editing by entering the below code in your wp-config.php file.
//Disallow file edit
Define ( ‘ DISALLOW_FILE_EDIT’ , True ) ;
This also can be done by click on the Hardening feature in the free Securi plugin.
03. Disable PHP file execution in certain WordPress directories
You can also disable PHP file execution in directories. This is one of the methods you allow to harden your WordPress security. Firstly you have to paste the below code in the Notepad.
<Files * .php>
Deny from all
Then you have to save the files like .htaccess and upload it to /wp-content/uploads/folders on WordPress by using an FTP client.
You can further refer the article on how to disable PHP execution in certain WordPress directories.
This also can be done by click on the Hardening feature in the free Securi plugin.
04. Limit login attempts
The WordPress user can attempt to log in any time they want by default. Then it allows hackers to simply try to crack passwords. This risk can avoid by setting a limit for failed login attempts. This issue can solve by a web application firewall also. If you have not a web application firewall setup, you can follow the below steps simply.
- Install and activate the Login LockDown plugin.
- Go for settings and then for the Login Lockdown page.
05. Add Two-factor Authentication
This technique allows users to log in by a two-step authentication method. In the first step, you have to enter your username and password. Then in the second step, you have to authenticate using a separate device or app. You have to perform the below steps to do it.
- Install and activate the Two Factor Authentication plugin.
- Click on the ‘Two Factor Auth’ Link in the WordPress admin sidebar.
- Install and open an authentication app on your phone. It is better to use LastPass Authenticator or Authy which allows you to back up your accounts to the cloud. This has an extra benefit to you. You can restore all your accounts logins simply if your phone is lost, reset or you move to a new phone.
- Open the authenticator app and click on the Add button.
- Select the scan bar code option.
- Point your phone’s camera on the QRcode shown on the plugin’s Settings page.
- The authentication app will save it and next time you have to give the two-factor code after you enter the password.
- Then open the authentication app on the phone and enter the code.
06. Change WordPress Database Prefix
WordPress use wp_ as the default prefix for tables in the WordPress database. If you allow remaining the default prefix, it is simple for hackers to guess the table name. So you have to change it and you can read the guide on how to change the WordPress database prefix to improve security.
07. Password protect WordPress admin and login page
You can add extra password protection on a server-side level to block requests from hackers. Because hackers can directly request your wp-admin folder and login page and then they can try hacking tricks and DDoS attacks. You can obtain a detailed guide by reading the article on how to password protect your WordPress admin (wp-admin) directory.
08. Disable directory indexing and browsing
Directory browsing can use to find out files with known vulnerabilities, to look at your files, copy images, find out directory structure and other details. So it good to turn off directory indexing and browsing. Otherwise, this may cause them to gain access to hackers. You can simply do it by following the below steps.
- Connect the WordPress website using FTP OR cPanel’s file manager.
- Locate the .htaccess file in the website’s root directory.
- Enter the below lines at the end of the .htacccess file.
- Save and upload the .htacccess file back to the website.
09. Disable XML-RPC in WordPress
XML-RPC has enabled in WordPress 3.5 by default to connect the website with web and mobile apps. However, XML-RPC will cause brute attacks because of its powerful nature. So it is good to disable the XML-RPC in WordPress. This can be solved by using the web application firewall also. You can read step by step guide on how to disable XML-RPC in WordPress.
10. Automatically log out idle users in WordPress
Logged in users will enhance security risk. Because some people can hijack a session, change passwords, and make changes to accounts. So it is essential to log out inactive users automatically from the WordPress website. For this, you have to install and activate the inactive logout plugin.
- Go for settings and then for the Inactive logout page.
- Set the time duration and add a logout message.
- Click on the Save changes button.
11. Add security questions to the WordPress login screen
Unauthorized access can prevent by adding a security question to the WordPress login screen. You can install the WP Security Question plugin to add a security question.
- Activate the WP Security Question plugin.
- Go for Settings and then Security Questions plugin.
You can get more details on how to add security questions to the WordPress login screen.
12. Scanning WordPress for malware and vulnerabilities
If you see a sudden drop in website traffic or search rankings, then run a scan manually using the WordPress security plugin or malware and security scanners. You have to enter your website URL and crawlers will go through the website for searching malware and malicious code. Make sure that WordPress security can only just scan the website and it cannot remove malware or clean a hacked WordPress website.
Fixing a Hacked WordPress site
Normally, hackers install backdoors on hacked websites. Then if it did not fix those backdoors properly, the website is a risk of hacking again. However, professional security companies such as Sucuri can solve this issue and further protect the website against future attacks. You can further read on fixing a hacked WordPress site.
Now you will have an idea on how to protect your WordPress website from security vulnerabilities in the future. As well as methods you should apply in advance for the safety of your website.
Connect with us
We would like to hear about your problems, questions, and suggestions. So feel free to contact us. This is free of charge service that we offer. But we receive thousands of emails per day. So it is impossible to reply to all of them. So we create a Community to help you individually. Go to Community and open help Topic under the relevant category. Please spread this post to your friends by sharing Facebook and other major social media. And make sure to like us on Facebook.