21 Best WordPress Security tips to Secure Your Website

WordPress is infamous as a website development platform. And security is an essential factor on every website. Most users have doubts about owning a less secure website with WordPress as it is an open-source CMS.

No one can guarantee absolute security for the website. You need to keep yourself up-to-date with the security solutions. Yes, you have to perform good security practices with the basic security precautions which are important for the website.

You may have questions like what can be the security issues that a website goes through?

• Content & SQL Injection

Content injection occurs when a hacker gains full accessibility to your content and modifies it without your permission.

A SQL injection occurs when a hacker accesses your SQL database. He includes malicious links and spam websites on your website.

• Cross-site scripting (XSS)

Cross-site scripting is the most common security vulnerability on the WordPress website. XSS enables hackers to inject into client-side scripting (JavaScript) and steal the private data of the client without notice.

• Brute force attack

A Brute force attack is a trial and error method where hackers try a number of login attempts until they succeed in accessing your account.

• Arbitrary file upload vulnerability

Arbitrary file upload vulnerability shows the path for hackers to get the code of the system. File upload may give access to the full system access to the back-end. This vulnerability impacts the server side or client side.

Eliminating all vulnerabilities on the website is a bit hard, but you can reduce them to some extent. Today, I’m going to outline the best tips for securing WordPress websites from hackers.

Here is a complete list of about 21 WordPress security tips, implementation of which can make your site secure from any hacking attacks.

1. Make Your Password Strong

The password comes in the first place when someone wants to login into their admin panel. Normally, users create a list of some guessed passwords according to their name, email address, date of birth, and anything related to them.

So when you create your website using WordPress, make sure you have created a strong enough password that no one can guess easily.

To build your password, use capital letters, small letters, numbers, and special characters. And best of all, use at least 14 + characters in your password, so your password will be hard to guess.

2. Limit the Login Attempts

Hackers are using brute force to break into WordPress sites. To prevent this from happening, use the Login Lockdown plugin that prevents a user from logging in to WordPress sites after a number of failed attempts.

Limiting login attempts will automatically lock down the login page and you’ll be notified of an unauthorized attempt. This approach will work whenever hackers struggle to enter your back end for repetitive times but failed.

You can set a number of login attempts on your admin login page. So, if someone reaches the maximum number of the specified limits, the user will be blocked for further login attempts. It will be very helpful to prevent unauthorized manual login attempts.

You can set this attempt by installing the WPS Limit Login plugin to your WordPress. It has a lot of features and it is updated regularly, so, you don’t have to worry about anything after installing it.

3. Use 2-factor Authentication (2FA)

Two-factor authentication involves an additional logging layer in the process. It adds an extra login process to verify the generated email code, the generated app code or the OTP-based SMS.

2-factor authentication is the best approach to WordPress security. This method will ask for 2 components for a successful login. These components can be username followed by security codes, security questions, email-based authentication or something else. You can find many WordPress plugins (like WP Google Authentication, Google Authenticator – Two Factor Authentication) that help you with this measure.

The 2FA is available in WordPress, but if you want to use that feature, you have to enable the wordpress.com login in the Jetpack.

You can also enable this service by installing the plugin Google Authenticator. It has a lot of features and is free forever for one user. If you want to use it for more than one user, you can upgrade it.

4. Change Your wp-admin URL

WordPress comes with a default admin login page for all those who install WordPress at www.yourwebsite.com/wp-admin.

It means, whoever wants to open your admin login page can simply open it by adding/wp-admin to your website.

And if you’re successful in guessing your username and password, you can enter your admin area.

So, do you want someone to easily access your admin login page?

If not, then change your WordPress admin page URL instantly.

The changing process is so simple, you don’t have to do anything like coding. Just Install WPS hide login and change your /wp-admin url.

Blocking Access to wp-admin

Use a .htaccess file in the ‘wp-admin’ directory to limit access to only certain IP addresses (your home, work etc). I already write WordPress htaccess tips post has more htaccess related tips only for You. Below is an example .htaccess file that can be used for this purpose (replace ‘x’ and ‘y’ with your IP address)

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from xxx.xxx.xxx.xxx
# whitelist work IP address
allow from yy.yyy.yyy.yyy

If you don’t have static IP addresses, then the above method can be a bit hard to implement. In that case, you could use the AskApache Password Protect WordPress plugin. That plugin adds good password protection to your WordPress blog. Consider reading this post about some of the best plugins that secure your blog very well.

5. Scan Your Website Weekly

WP Security Scan is a recommended plugin to protect the WordPress site and detect malicious codes. Whenever you run the plugin, it scans the whole site to detect any injected malicious scripts and codes. If any is detected, the scan result will show a list of problems and state “You do not have a stable version of WordPress”. Get rid of the errors immediately.

6. Always remove Unused Themes and Plugins

Plugins are excellent gateways for hackers as they contain vulnerabilities that hackers and malicious code are known to exploit.

That means the more plugins you use, the more exposed you are to hacking attacks.

If it is not absolutely necessary, do not use a plugin. When a plugin or theme is no longer in use, be quick to deactivate and delete them.

Yes, even deactivated plugins and themes can be used as back-doors to gain entry into your site.

So look through your themes and plugin directories. Can you find any inactive plugins or themes?

Completely delete them!

7. Limit wordpress admin access by IP address

Any visitor with web access can visit your site login page and take a guess at your admin password. If they get it right, they’ll have full control of your site.

What you can do is Restrict the WordPress admin folder to allow access only from your computer, or a small group of computers. To limit access by IP, create an .htaccess file in your /wp-admin/ folder (not in WordPress root) containing the following code:

order deny,allow
deny from all
# allow  IP address
allow from XX.XX.XXX.XXX
# allow  IP address
allow from XX.XX.XXX.XXX

Just google “what’s my IP” and you can find your IP address. Once you’ve done this, visitors without the allowed IP address will see a 404 message if they try to access your admin area or login.

8. Change the username “admin”

By default, WordPress provides “admin” as an administrative username for any WordPress blog. This is a very well-known matter to each and every one, so hackers go one step ahead to know your password. They try brute force attacks to break security. So, if your default username is not changed, change it as soon as you have finished the installation.

Another considerable issue is that you do not have any guessable username that matches either your name or your website name.

So, why make one step easier for unauthorized loggers? Now they only have to guess your password.

But here is one thing. You can’t change it after installing WordPress. So, change it during the installation process.

9. Use strong passwords for all admin accounts

I saw many of my friends using the WordPress admin password generated by WordPress during install time and think that their blog is protected from attacks as they are using a strong password! The WordPress admin password generated during install time is normally pretty strong (consists of lowercase and uppercase letters with numbers and symbols), so there is nothing wrong with that.

Admin123, cool123, and many more such easy-to-remember passwords are also easy to guess by hackers. Some simple precautions and your password will be more secure. What can you do to make your password more secure?

You can use reversed words in your password. E.g. rednow (the reversed word for wonder)

Use both upper and lower cases in your password . E.g RedNow
Use special characters in your website. E.g Red#@n)w

Keep it in your habit to change the password every now and then. You can also use a password management utility like Keepass to save your long unmemorable passwords in the encrypted form on your computer.

10. Change the default table prefix in the WordPress database.

WordPress uses a pre-defined prefix for your database so it can distinguish itself from other databases. The default prefix is “wp_”. It is best to change it to another prefix so hackers can’t hack your database easily.

This is probably the most important step in this tutorial. It is also one of the most complex steps to do if you are a newbie or don’t know much about working with PHPMyAdmin. But I will walk you through it. No worries. Just make sure you follow the steps carefully.

• Deactivate all your WordPress Plugins.
• Login to your cPanel
• Make a complete backup of your blog database.
• Once you have taken the backup of your database and downloaded the .sql file, open it with a text editor, my personal favorite is Notepad++.
• Find all the instances ‘wp_’ and replace it with a complex table prefix, eg: ‘rer349jt_ ‘(don’t use this, this is just an example), and save the file.
• Go back to  PHPMyAdmin and Drop all the tables in the database, make sure you do not delete the Database itself. You need to drop only the tables within the database.
• Now your database will be empty, use the Import option to import the new .sql file in which you replaced all the ‘wp_’ with your preferred prefix.
• After the import is complete, you need to edit one last file, called Wp-Config.php, if you don’t do this step your blog will not work. Open the file and look for the line,

$table_prefix = ‘wp_’;

replace the ‘wp_’ with your new table prefix and don’t forget to save the file.

• If you have done all the above steps correctly, your database prefixes would have changed and you will be able to login to your blog.

Note: If in case all the widgets appear to be broken, simple add a new dummy widget to your sidebar and reload the page and then remove it after the page loads properly.

11.Move your wp-config.php file

In your wp-config.php file there is database connection info as well as other data that should be kept from anybody’s access.

To do this, simply move your wp-config.php file up one directory from your WordPress root. WordPress will automatically look for your configuration file there if it can’t find it in your root directory.

This way, nobody except a user with FTP or SSH access to your server will be able to read this file.

12. Try WordPress Security Plugins

There are a lot of WordPress security plugins you can use one of them on your wordpress website.

Most popular security plugins give you a lot of features as follows:

• Block Brute force attacks
• Web application firewall
• Malware scanning
• Block spam generating IPs
• Detailed info about IP
• Secure Authentication
• And a lot

When having these features to your wordpress website, 99% chances are reduced of being attacked. The most popular plugins are as follows:

• Wordfence
• Sucuri
• iThemes security
• Jetpack premium

13.Check Ratings and Reviews Before Installing Plugin

There was one friend of mine who had installed a plugin on his blog without checking ratings and reviews. The fact was that the plugin was very new in the repository and, therefore, it didn’t have enough reviews and ratings to judge its usefulness. He took the risk of going ahead and installing it on his blog and finally ended up in a big mess. His blog was eventually hacked in a couple of days and, to exacerbate the situation, he didn’t have a backup.

I don’t want you to fall in similar situation and therefore keep checking reviews and ratings before installing a plugin.

14. Don’t Skip any WordPress Core or Plugin Updates

This is the step you must keep in mind all the time. If the WordPress update was rolled out 5 minutes ago, leave all the work and update it on a priority basis.

Keeping your WordPress up to date is the first and most basic security tip for any WordPress blogger. This is something that you never want to miss. Whenever WordPress sends an update, it means that they have fixed some bugs, added some features, and, most importantly, added some security features and fixes. You never want to miss out on this.

Don’t make excuses that I don’t have time to update. Will my plugins support the new version? Will my theme support the new WordPress version?

Buy only those themes or plugins which are frequently updated & use the minimum number of plugins on the site to decrease the dependability on plugins for updates.

Updating Plugins

As I mentioned above, WordPress releases an update to fix bugs and security holes, and the same goes with plugins. Many times, a vulnerable plugin or script used can cause mass WordPress hacking. One such issue which we have seen in the past is the Timthumb vulnerability. Though it was because of the script, many plugins were using this script and they became vulnerable too. It’s important to keep your plugin updated to keep it invincible. Always use the plugin which is constantly updated and gets good support. Being dependent on such plugins, which are not updated for a long time, is a bad idea. Also, always use the official WordPress repo to download free plugins.

This is the most common method hackers use to hack your website through plugins, which have not been updated to the latest version. So regularly update your wordpress core, themes, and plugins.

16. Don’t use themes from questionable sources.

There are a lot of really great and interesting themes out there, and they are accessible from just a simple Google search. The problem is, not all themes are safe to use, and some aren’t properly coded.

To find a reputable theme:

1. Search from the WordPress theme repository. All the themes listed in the repository are vetted thoroughly by the WordPress team, so they will be safe to use.

2. Search through a reputable marketplace like ThemeForest.

3. Buy premium themes like Genesis, Catalyst, etc. These themes are well-supported by the developers and have a great community to help you.

17. Use a Secure Web host

SSL (Secure Socket Layer) is a security measure that ensures the secure transfer of data. It protects the connection by encrypting it. This approach is especially important if you’re hosting an eCommerce site. Using a secure web host means using an SSL certificate for your website. An SSL certified website starts with https.

If your website doesn’t have an SSL certificate and you run a website where people share sensitive information, it could be dangerous. It would be better if you used a secure web host because, without https, your data could be stolen.

An SSL certified website creates an encrypted path between the web browser and the web server. So that your data is safe.

Normally, every site has a unique SSL Certificate. You can get an SSL Certificate either by purchasing it from the company or by contacting a WordPress hosting provider like SiteGround (which provides a free SSL Certificate for 1 year). The use of SSL Certificates also supports your ranking in the SERPs.

18. Dis-allow File Editing

If you have a multi-author blog or website, then make sure you have disabled file editing. When you disallow file editing, there will be no more available editor options in the appearance menu.

So, no one is able to edit or customize your website files after enabling this feature. This will be very helpful if you have a multi-admin website.

It will also be very helpful if hackers are able to enter your WordPress admin area, they can’t edit your WordPress files.

You can disallow this by simply adding this code line into your wp-config.php file at the end.

define (‘DISALLOW_FILE_EDIT’, true);

Don’t disclose Your Plugins

You should not display the list of plugins used on the site to anyone. The first step is to check whether the list of plugins is on display or not. To do this, use either of the paths:

• http://yoururl.com/wp-content/plugins
• http://yoururl.com/wp-content/

Replace yoururl.com with the real URL. You are safe if either of the above paths don’t display anything. If they do, there are two solutions:

Solution 1: Use cPanel to De-Index the File

• Login to cPanel
• Click on Advanced
• Choose Index Manager
• Choose the domain and folder you wish to de-index
• Select No Indexing
• Save

Check out both the paths again. It should solve the issue.

Or, try the second solution.

Solution 2: New .htaccess File

Login to cPanel and choose the relevant domain. Navigate to /wp-content/themes and create a new .htaccess file. Paste the following code.

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# Prevents directory listing
IndexIgnore *
# END WordPress

Save the file and refresh. Check the wp-content paths. Your plugins visibility access is restricted.

19. Change the Password Regularly

Changing passwords regularly also helps to secure your website from unauthorized users. It’s Logout all sessions from everywhere if you leave your site logged in on any PC. You can take it as another important wordpress security tip.

20. Do not show your WordPress Version:

If you feel some problems upgrading your recent WordPress version from the old one, do not show your WordPress version to others. Normally, WordPress.org releases the faults of the previous WordPress versions; it makes it easier for hackers to find the security holes in your blog. To hide the version of currently used WordPress, do as follows:

In case of old WordPress Theme remove the code line from header.php file:

<?php bloginfl(‘version’); ?>

In case of new WordPres theme add the following line of code in function.php file in current theme:

<?php remove_action(‘wp_head’, ‘wp_generator’); ?>

21. Regular make Backups

If you follow all the above tips, then there are very few chances that your site will get hacked. But keep one percent chance from all the above tips. No matter how much your site is secured, if your site gets hacked, then you will lose everything.

And, you have to start again with everything from scratch. So, if you don’t want to lose everything, make backups on a regular basis. If you have your site backed up, you can restore your complete site within a few clicks to a working state again.

There are some awesome plugins that help you to make your backups seamlessly without any effort.

• VaultPress (by Automattic)
• BackWPup
• UpdraftPlus
• BackupBuddy

Final Thoughts on WordPress Security Tips

Securing the WordPress site is a crucial thing for everyone. If you have unseen these tips, then you make it a lot easier for hackers. Every tip related to WordPress security mentioned above in this article makes you one step ahead of hackers.

So follow these tips to secure your WordPress website. I know for beginners, it’s a lot to work with. But following these tips makes it harder for hackers to break into your site.