How to Secure a WordPress Website

  CMS & Web development, Security
Securing a WordPress Website ubuntu debian redhat centos

Securing your WordPress website is crucial to protect it from hackers and malware. An unsecured WordPress site can be easily compromised, resulting in issues like spam, phishing attacks, and blacklisting by Google. Fortunately, there are several key steps you can take to lock down your WordPress security.

1. Use a Strong Password

The first step is using a strong password for your WordPress administrator account. Your admin login controls the entire site, so it’s the most critical thing to protect. Here are some password tips:

  • Minimum of 12 characters long
  • Mix of uppercase, lowercase, numbers and symbols
  • Avoid common words or phrases
  • Don’t use personal information
  • Unique for each site
  • Use a password manager

Enable two-factor authentication wherever possible for an extra layer of security on top of your password.

2. Limit Login Attempts

Brute force login attacks are very common on WordPress. To prevent this, install a plugin like Login LockDown that limits the number of attempts from a single IP address. After a certain number of failed logins, that IP will be locked out. This makes brute force attacks much more difficult.

Configure the plugin to lock out IPs after 6 failed attempts, for a duration of 60 minutes. Check the box to lockout after a combination of user and password failures. This prevents attacks that try multiple usernames with a single password.

3. Change Default Admin Username

Hackers widely target the default admin username on WordPress. Change this to a non-standard name that won’t be guessed.

Some good ways to create a secure admin username include:

  • Randomly generated string of numbers/letters
  • Phrase or series of words joined together
  • Prefix/suffix added to common username

Avoid anything that identifies you personally or is connected to your site’s name.

4. Use Strong Hosting provider and Complex Credentials

Choose a provider with expertise in WordPress and security:

  • Uses enterprise-grade infrastructure
  • Offers DDoS protection
  • Proactively monitors for threats
  • Provides SSL certificates
  • Manages updates and patches
  • Hardens configurations
  • Regularly backups your site

Your web hosting account credentials guard access to your site’s server. Use the same secure password practices for these as your WordPress login:

  • Long, complex password
  • Unique for each hosting account
  • Rotate periodically

Enable two-factor authentication at the host level too if available.

Also ensure you change any default credentials that may have come preset with your hosting plan.

5. Install Security Plugins

Plugins provide additional ways to lock down WordPress beyond what’s available out of the box. Here are some must-have security plugins:

Wordfence

Wordfence offers an enterprise-grade firewall, malware scans, blocking of known malicious IPs, and audit logging for changes. It’s the most comprehensive security plugin available.

Key Features:

  • Real-time firewall blocking threats
  • Malware scanning for vulnerabilities
  • Login/traffic monitoring
  • IP reputation monitoring
  • Country blocking
  • Configurable two-factor authentication

iThemes Security

iThemes Security makes it easy to implement many basic security best practices in one plugin. It “hardens” the site with features like:

  • Changing default paths
  • Disabling file editor
  • Forcing strong passwords
  • Proactive bot/scraper blocking
  • Sucuri malware scans
  • User action logging

This takes WordPress beyond its default settings to further reduce vulnerabilities.

Wordfence and iThemes Security together provide a robust security foundation. The firewall and malware protection of Wordfence combined with the hardening and extra protections of iThemes makes an unbeatable combo.

6. Limit Plugins

Too many unnecessary plugins can bog down your site’s performance and also increase vulnerabilities. Each plugin expands your attack surface, especially ones that are poorly coded, not updated, or add more login accounts.

Regularly audit the plugins on your site. Remove any that aren’t essential, like inactive ones or those with minimal usage.

For those you keep, maintain them by:

  • Keeping them updated
  • Checking plugin reviews
  • Looking for vulnerabilities
  • Using reputable sources like WordPress.org

Also limit use of premium commercial plugins, which may have undisclosed security issues. When possible, choose free open source alternatives that are more transparent.

7. Strong User Passwords

Any user accounts you create for visitors/subscribers on your site should also follow good password practices.

Require them to use secure passwords by enforcing these rules:

  • Minimum 12 characters
  • Can’t contain username or email
  • Must have numbers, symbols, caps
  • Force reset at first login
  • Prevent previous reuse

This keeps brute force attacks on user accounts to a minimum.

You can enforce stronger passwords for users with a plugin like Force Strong Passwords.

8. Secure wp-config.php

The wp-config.php file contains database credentials and keys. It can be used to gain access if publicly accessible.

There are a few ways to lock this file down:

  • Move it above web root so it’s not web accessible
  • Update file permissions to make it read only
  • Block direct web access via .htaccess
  • Disable PHP error messages from revealing paths

9. Avoid Exposing Version Numbers

By default WordPress exposes its version number in the generator meta tag, RSS feeds, and REST API endpoints. This can help attackers target specific known vulnerabilities.

Use a plugin like Remove Generator Tag to remove version numbers from places like:

  • wp_head()
  • RSS feeds
  • RDF namespaces
  • REST API

10. Use SFTP Over FTP

When managing your WordPress files, always use SFTP rather than regular FTP. SFTP is encrypted for secure transfer of files while FTP sends everything in plain text.

SFTP helps prevent sniffing of credentials or files during transfers. Ensure your hosting provider offers SFTP access as the preferred option over unencrypted FTP.

11. Unique Salts

WordPress salts provide some randomness to hashes to protect passwords and cookies. The default salts should be customized per site for enhanced security.

Install a plugin like Unique Salts to generate new unique salts. Then update your wp-config.php with the custom salts. This prevents exposing common defaults.

12. Disable PHP Execution

Some servers allow executing PHP code uploads for things like file attachment thumbnails. This can lead to arbitrary code execution vulnerabilities.

If possible, disable PHP code execution privileges in wp-config.php:

// Disallow PHP code execution
define( 'DISALLOW_FILE_MODS', true );

Also check with your hosting provider to disable PHP execution privileges at the server level when not needed.

13. Use HTTPS Everywhere

Enable HTTPS sitewide and redirect all HTTP traffic to HTTPS to encrypt connections. This protects credentials and data from interception on insecure WiFi networks.

The really simple SSL plugin makes enabling SSL easy by handling everything like obtaining certificates and configuring WordPress. Just install, activate, and enable automated HTTPS redirection.

14. Limit Access

Reduce what visitors can do on your site by limiting access only to what’s needed. For example:

  • Disable XML-RPC if not using for mobile apps or API
  • Disable REST API endpoints if not needed
  • Disable image hotlinking to prevent bandwidth theft
  • Disable indexing of non-public directories like wp-admin
  • Block outbound emails to cut spam potential

The fewer avenues available to exploit, the better. Disable anything superfluous that may expose attack vectors.

15. Use Recaptcha

reCAPTCHA blocks bots and other internet nuisances from interacting with your site. Installing it protects you from automated brute force login attacks, spam registrations, and other malicious activities.

Get reCAPTCHA keys for your site and set it up to secure:

  • Login forms
  • Registration forms
  • Password reset forms
  • Comments section

This requires humans to pass a quick validation test before submitting data, limiting bots and abusive traffic.

16. Change Default Database Prefix

The default WordPress database table prefix of wp_ makes it obvious what software you are running. Obscure this by changing to a custom prefix like:

  • Random letters/numbers
  • Brand name or initials
  • Project name

Update wp-config.php with your custom prefix. This makes it slightly harder for attackers to target WordPress specifically in your database.

17. Avoid Duplicating Content

Scrapers and content thieves target WordPress sites with duplicate content issues. Avoid copying content between staging sites or duplicating posts/pages.

Also prevent indexing any development or staging sites publicly. Keep them behind authentication until ready to launch.

Duplicate content signals scraping opportunities and makes your site appear lower quality. Produce original content and limit copies.

18. Use Trusted Themes/Plugins

Downloading random themes/plugins from anywhere opens you up to compromised code injected with malware.

Stick to respected repositories like WordPress.org for themes and plugins where submissions are vetted. Avoid nulled software or pirated options which are high risk.

Also research the author and reviews to identify reputable plugins from trustworthy developers.

19. Limit Admin Users

Reduce the number of users with admin access to only those who legitimately need it. Avoid assigning the administrator role freely.

Create lower permission roles for general users like Editor, Author, or Contributor. They can view/update some content but without full privileges.

The fewer admins, the lower chance of a compromised account taking over everything. Revoke admin permissions whenever possible by using the lowest role needed.

20. Remove Default Themes/Plugins

WordPress installs with default themes (Twenty*) and several starter plugins activated by default.

These commonly targeted defaults provide attack vectors if left intact. Eliminate what you don’t need:

  • Switch default theme
  • Delete unused themes
  • Uninstall starter plugins
  • Remove Hello Dolly plugin

Less you have active, the smaller your attack surface.

21. Protect Uploads Folder

The wp-content/uploads folder contains all user-uploaded files. This is regularly targeted for injection of malware or executable scripts.

Lock it down by:

  • Setting strict permissions of 755
  • Disallow indexing with robots.txt
  • Block PHP execution

Also use a plugin like Secure Copy Protection to add .htaccess hardening that blocks PHP/JS execution in uploads.

22. Login Screen Customization

Keep login and admin URLs obscure by customizing the login screen:

  • Change default /wp-login
  • Use a completely random path
  • Mask it behind a fake 404 page

This makes it harder for hackers to find and target your login area.

23. Careful With Contributor Accounts

Allowing contributor users still enables them to potentially compromise your site. Limit what contributors can do:

  • Moderate and review all posts
  • Disable JSON API access
  • Restrict allowed posts per hour
  • Limit upload size/type

Contributors should focus just on content, with site management done solely by admins. Review their permissions carefully.

24. Update Everything

Running outdated software is asking for trouble security wise.

Stay on top of updates:

  • WordPress core
  • Themes
  • Plugins
  • PHP version
  • Any other site software

Subscribe to update notifications from your host and enable auto-updates where possible. Also regularly check manually for anything to patch.

25. Disable Directory Listing

Directory listing provides a full index of all files in folders like wp-includes and wp-content. This reveals sensitive paths and file names better kept hidden.

Disable directory listing in .htaccess:

Options -Indexes

Also ask your host to disable it at the server level for enhanced security against snooping.

26. Manage User Sessions

Keep user sessions as short as possible and frequently rotate session IDs.

Add this to wp-config.php:

define('AUTH_COOKIE_LIFETIME', 172800); // 48 hours
define('AUTH_REFRESH', true); 
define('AUTH_SALT', 'complex phrase');

This invalidates sessions after 48 hours and assigns a unique salt per site for stronger session IDs.

Also consider using a plugin like Manage WP Worker for more granular user session management.

27. Content Security Policy

A Content Security Policy (CSP) restricts what resources browsers can load from your site. This mitigates cross-site scripting attacks.

The official CSP plugin configures a strict policy disabling unsafe practices like:

  • Inline JavaScript
  • Embedded scripts
  • Frames
  • Flash

This limits external scripts and code execution to only authorized sources you define.

28. Regular Scans

Run in-depth security scans monthly or more often to detect vulnerabilities or malicious code. This identifies issues to address proactively instead of after being hacked.

  • Sucuri SiteCheck – Free malware and blacklist monitoring
  • Wordfence Security Scans – Firewall, malware, and file integrity scans
  • iThemes Security scans – Broad vulnerability detection

Fix any problems found immediately and rescan regularly. Don’t ignore warnings.

29. Secure Database Backups

Backing up your WordPress database is critical. But also be sure to secure backups properly:

  • Encrypt with a password
  • Use SFTP to transfer
  • Exclude wp-config.php from backups
  • Store encrypted backups off-server
  • Limit backup retention periods

This keeps your data, users, and settings safe if compromised.

30. Disable File Editing

As mentioned earlier, the file editor in WordPress enables editing plugins and themes right from the admin screen. This is very dangerous from a security perspective.

Plugins like WP Force Disable File Editor do more than just removing access – they completely disable the editor functions across WordPress.

For maximum safety, force disable the file editor entirely across all areas of WordPress.

31. Limit PHP Memory

The PHP memory limit determines how much data a script can use. Too high, and it can enable DDoS attacks and system crashes.

Lower the memory limit in wp-config.php:

define( 'WP_MEMORY_LIMIT', '64M' );

Also work with your host to set server-level PHP memory ceilings appropriate for your site.

32. Disable Pingbacks

Pingbacks allow notifications between blogs when linked. This can lead to amplification attacks and overload your site.

It’s recommended to disable XML-RPC pingbacks if you don’t need them:

// Disable pingbacks
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

33. Hide Error Reporting

By default WordPress displays errors that may provide insights into your environment and code.

Disable error reporting in wp-config.php:

// Disable error reporting
ini_set('display_errors', 0);

And consider installing a plugin like Remove Error Reporting which eliminates any existing error notices.

34. Brute Force Mitigation

Brute force attacks that try endless username and password combinations are standard fare for WordPress. Using plugins in combination helps thwart them:

  • Limit Login Attempts
  • Loginizer for temporary blocks
  • Captcha plugins like reCAPTCHA
  • Security keys like Google Authenticator
  • VPN detection plugins to block malicious locations
  • Wordfence firewall for real-time blocking

Combining brute force mitigations ensures maximum protection even under heavy attacks.

35. Mandatory Security Keys

For stronger user authentication, require security keys in addition to passwords. This uses two factor verification via authenticator apps, SMS, or hardware tokens.

With a plugin like Google Authenticator, enable mandatory app-generated codes during login for all user types. Don’t make it optional.

Mandatory two factor blocks unauthorized access even with correct passwords.

36. Change wp-includes Path

The wp-includes path contains sensitive WordPress core files. Obscure the path to hide it from prying eyes.

For example, change wp-includes to something random like ‘secure_files’ with a plugin or custom code. This secures files like wp-config away from the public.

37. Disable XML-RPC

XML-RPC allows remote access to administer WordPress and is often abused by attackers. If you don’t need it, disable XML-RPC entirely.

Plugins like Disable XML-RPC do this with one-click. Or use code like this:

add_filter('xmlrpc_enabled', '__return_false');
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');

This breaks the API and limits an attack vector without affecting normal site usage.

38. Automatic Security Updates

While manual updates give you more control, enabling automatic background updates for security releases ensures you patch quickly when an exploit is found.

Use a plugin like Automatic WP Updates to enable automatic security updates for:

  • WordPress Core
  • Plugins
  • Themes

This ensures you always run the latest secure versions without delay or missing a vulnerability.

Conclusion

These tips represent essential WordPress security best practices to harden any site. Implement as many as possible based on your needs and risk tolerance using the combinations of plugins, tweaks, and techniques outlined above.

WordPress security is an ongoing process, requiring constant vigilance and adaptation as threats evolve. Use these tips as a blueprint, and bolster based on your own site, hosting, traffic, and data sensitivity.

With proper precautions, you can confidently run a WordPress site that withstands the vast majority of hacker attacks and remains incredibly difficult to compromise. Staying up to date and using the latest security protections will keep your site safe far into the future.

LEAVE A COMMENT