WordPress Site Security Tips
WordPress security is an issue of great importance for every website owner. Google blacklists about 10,000+ websites every day for malware and about 50,000 websites for phishing every week.
If you’re serious about your website, you need to pay attention to WordPress security best practices.
1. First step for WordPress security: do not use ‘admin’ as a username
Avoiding common words (like admin) for your usernames can make brute force attacks much less effective.
If you’re working with an old site that already has an ‘admin’ user, it may be time to delete that account and transfer any content or access to a more secure username!
2. Use a complex password
Having a better password makes it harder to guess or brute force. An easy-to-remember tip: CLU: Complex, Long, Unique. Example: Orange1chair?
3. Add two factor authentication (2FA)
Even if you don’t use ‘admin’ and have a strong, randomly generated password, brute force attacks can still be an issue. Don’t worry, two factor authentication can help protect your site.
You can use the Wordfence plugin to handle authentication in WordPress. If you are looking for an authentication plugin for mobile, the Google Authenticator and Rublon plugins will be useful for you. Make sure you don’t lose your backup codes, or you may find yourself locked out.
4. Least privilege for users
The concept of least privilege is simple. Only grant access:
- to those who need it,
- only when they need it, and
- only for as long as they need it.
If someone needs temporary admin access for a config change, grant it but remove it after the task is complete. The good news is that you don’t have to do much here beyond following best practices.
Not every user accessing your WordPress instance needs to be in the admin role. Assign people to appropriate roles and you greatly reduce your security risk.
5. Hide wp-config.php and .htaccess
Your wp-config.php and .htaccess files are critical to WordPress security. They usually contain your system credentials and provide information about your site’s structure and configuration. It is very important to ensure that attackers cannot access them.
These files are relatively easy to hide, but if done incorrectly, your site will be inaccessible. Get a backup and be careful.
For better WordPress security, add this to your .htaccess file to protect wp-config.php:

```apache
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
```

This will prevent the file from being served to visitors. Similar code can be used for the .htaccess file itself:

```apache
<Files .htaccess>
    order allow,deny
    deny from all
</Files>
```
The foundation of WordPress security is to buy a good SSL certificate.
6. Use WordPress security keys for authentication
Authentication keys are basically a set of random values that are unique to your website and improve the security (encryption) of the information stored in cookies.
There is a special section in your wp-config.php file where you can provide your own values.
7. Disable file editing
If a hacker gets in, the easiest way for them to modify your files is to go to “View > Editor” in WordPress. To increase your WordPress security, you can disable editing of these files via the editor. Again, you can do this from within your wp-config.php file by adding this line of code:
You will still be able to edit your templates via your favorite (S)FTP application; you just cannot do it from within WordPress itself.
8. Hide your login and limit login attempts
Brute force attacks often target your login form. Therefore, changing where it lives can make it harder for attackers to get in. The All in One WP Security and Firewall plugin has an option to change the default URL (from /wp-admin/) to something more secure.
You can also limit the number of attempts to login from a particular IP address. There are several WordPress plugins that will help you protect your login form from IP addresses that initiate a large number of login attempts.
9. Be selective with XML-RPC
XML-RPC is an application programming interface (API) that has been around for some time. It is used by some plugins and themes, so we warn less technical users to pay attention to how they apply this particular hardening tip.
Although it is functional, disabling it may come at a cost. That’s why we don’t recommend disabling it for everything, but instead being more selective about how and what you allow to access it. In WordPress, if you’re using Jetpack, you’ll want to be especially careful here.
There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.
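Sections 8 and 9 both come down to spotting a single source hammering wp-login.php or xmlrpc.php. The following is an added example (not code from the original article or from any plugin it mentions) that parses constructed Apache combined-format log lines and flags client IPs whose POST count to either endpoint crosses a threshold, so you can verify that rate limiting or blocking is actually needed; the sample lines and the threshold of 5 are assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format: client IP, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Endpoints that login brute-forcing and XML-RPC abuse hit with repeated POST requests.
WATCHED = {"/wp-login.php", "/xmlrpc.php"}

def _line(ip, method, path, status):
    # Builds one constructed sample log line (fixed timestamp; not from a real site).
    return f'{ip} - - [10/Mar/2024:10:00:01 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample: one noisy login guesser, one XML-RPC flood, one ordinary visitor,
# plus a malformed line to show the parser skipping it.
SAMPLE_LOG = (
    [_line("203.0.113.5", "POST", "/wp-login.php", 200)] * 8
    + [_line("198.51.100.7", "POST", "/wp-login.php?action=lostpassword", 302)] * 2
    + [_line("192.0.2.9", "POST", "/xmlrpc.php", 200)] * 6
    + [_line("198.51.100.7", "GET", "/index.php", 200)]
    + ["this line is not a valid log entry"]
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string so variants group together
    return rec

def count_post_hits(lines):
    """Count POST requests per watched endpoint, broken down by client IP."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED:
            counts[rec["path"]][rec["ip"]] += 1
    return counts

def flag_sources(lines, threshold=5):
    """Return sorted (endpoint, ip, count) tuples for every IP at or above the threshold."""
    return sorted(
        (path, ip, n)
        for path, per_ip in count_post_hits(lines).items()
        for ip, n in per_ip.items()
        if n >= threshold
    )
```

Running `flag_sources(SAMPLE_LOG)` returns the two abusive sources and leaves the visitor who merely used the lost-password form alone; if you have moved your login URL as section 8 suggests, add the new path to `WATCHED`.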
10. Hosting and WordPress security
Even if you’re meticulous when it comes to your website’s security, if it’s hosted by a company that isn’t so meticulous, you may have gained nothing.
If an attacker has access to your website hosting service, they can take full control of everything. It’s really important that you choose (or move to) a host that takes hosting seriously. Cheaper hosting options often don’t come with good security or backups, and may not offer support to help you clean up a hacked site.
You need to protect your WordPress website from attackers, for this you will need the best hosting service. If you are looking for secure WordPress Hosting, this article will be useful for you.
Shared hosting (common on cheap packages) is often risky, as attackers can reach your site through another compromised site on the same system. That’s why I recommend that serious users always spend a little more on hosting and use a company with a great reputation for dedicated WordPress hosting.
11. Stay up to date
Keeping up to date is an easy statement, but we realize how difficult this can be for website owners on a daily basis. Our websites are complex entities. There are so many different things going on at any given time, and sometimes it’s hard to implement changes quickly. That’s why it’s not uncommon for websites to run outdated code, both in their plugins and in the core software. Unfortunately, this makes them particularly vulnerable to known exploits.
It is essential that updating your themes, software, plugins and other components is part of an ongoing routine. Otherwise, you leave the door open to attackers.
12. Put more layers of security
The best security solutions prevent attackers from getting anywhere near your website. That’s why we recommend most sites run some kind of WordPress firewall plugin. These plugins look for known attackers and common attack patterns and stop them before they have a chance to compromise your site.
Wordfence is a good firewall plugin that can meet all your needs. I strongly suggest you download and install it.
Also, consider that many Content Delivery Networks now include firewall functionality, combining performance optimization with protection. Cloudflare in particular does a great job of blocking ‘bad traffic’, and there are even rules and scans developed specifically to protect WordPress sites.
13. Best security plugins and themes
Most WordPress users tend to add themes and plugins to their sites whenever they want. We recommend testing different themes or plugins carefully, especially if you are not using a test server.
Most plugins and many themes are free, and security may not be a top priority during development unless the developer has a solid business model to accompany these free offerings. In other words, if a developer is maintaining a plugin just because it’s fun, they haven’t taken the time to do proper security checks.
How to choose the right plugin
As described above, free plugins and themes can be a potential vulnerability. When adding a plugin (or theme, for that matter), always check its rating on WordPress.org. Remember that a 5-star rating on its own won’t tell you anything, so always check the rating count. Depending on the niche, a plugin should have received multiple reviews. If many people think a plugin is great and you take the time to evaluate it yourself, you can feel more secure using it as well.
There is something else you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you. Now, that doesn’t necessarily mean it’s a bad plugin. It can also mean that the plugin doesn’t need updating because it still works. Ratings will help you decide if this is the case. Also take a look at the compatibility with the current WordPress version, which is shown on the plugin page at wordpress.org.
Based on ratings and compatibility, you can choose your plugins carefully and at the same time look after your WordPress security.