How to Secure WordPress? (33 Methods)

How to secure a WordPress website? One of the biggest issues in the WordPress and CMS community is its security. Recent statistics show that over 30% of webmasters on the internet use WordPress to build their websites. Therefore, about 30% of Internet website security is based on WordPress security. In short, WordPress security is important.

WordPress security relies on the security of the WordPress core, including features, code, settings, themes, and plugins installed on them.

Security is taken very seriously in WordPress, but as with any system, potential security issues can arise if some basic precautions are not taken.

In this article, we’ll look at ways to improve WordPress security using available tools and methods. Using these methods, you can effectively secure your WordPress website.

WordPress Security

Your website tells visitors who you are, the type of content and services you offer, and what they can expect from your brand. That’s why it’s so important to make sure your website is always available. If your website is down, you lose visitors.

Most of the time, websites are attacked by malicious hackers and spammers who can use the website for their own purposes if there are any bugs or hacks.

WordPress is generally considered a secure content management system, but it’s not 100% safe. The problem is with themes and plugins. Some plugins or themes may use dangerous code or not protect the code at all. This is where the best and most secure themes and plugins shine in WordPress.

Security is never 100%. Securing your WordPress site is an ongoing process, and these attack vectors need to be evaluated frequently, as risks are always present. At this level, you can easily update WordPress to improve security and fix bugs.

When it comes to WordPress security, there are many things you can do to lock down your site and prevent hackers and vulnerabilities from affecting your e-commerce site or blog. Below, we’ll cover how to secure your WordPress website and how to do it with and without plugins.

Why you need to secure WordPress

If an attacker obtains personal information about you or your website visitors, you don’t know what they will do with the stolen information. Security breaches expose you to public data leaks, identity theft, ransomware, server crashes, and more. Unfortunately, the list goes on and on. As you can imagine, none of these events not well for the company’s reputation.

Visitors expect websites to be secure. Failure to provide this essential service from the start erodes customer trust. Earning this trust can help ensure that visitors have a positive experience with your business and keep coming back.

Whether it’s contact information, payment information (requires PCI compliance), or answering a quick survey, it’s important for customers to trust that their data is used and stored responsibly.

Everyone wants to rank high on search engine result pages (SERPs). The higher the ranking, the higher the recognition, and the higher the recognition, the more visitors. Luckily, one way to increase your chances of getting Google to like your site is to make it secure.

Website attack types

Cross-site request forgery (CSRF) – Force users to perform unwanted actions in trusted web applications.
Distributed denial-of-service (DDoS) attack – incapacitates online services by flooding them with unwanted connections, thus rendering a site inaccessible.
Authentication bypass – It floods and disables unnecessary connections to online services, making websites inaccessible.
SQL injection (SQLi) – Forces the system to execute malicious SQL queries and manipulate data in the database.
Cross-site scripting (XSS) – Injects malicious code that turns websites into malware transporters.
Local file inclusion (LFI) – Forces websites to handle malicious files dropped on the web server.

WordPress security checklist (Steps to secure WordPress)

Keep your site up to date.
Use secure wp-admin login credentials.
Set up a safelist and blocklist for the admin page.
Use a trusted WordPress theme.
Install an SSL certificate for a secure data transfer.
Remove unused WordPress themes and plugins.
Enable two-factor authentication.
Create backups regularly.
Limit the number of failed login attempts.
Change your WordPress login page URL.
Automatically log out idle users.
Monitor user activity.
Regularly scan your site for malware.
Disable the PHP error reporting feature.
Migrate to a more secure web host.
Disable file editing.
Use .htaccess to disable PHP file execution and protect the wp-config.php file.
Change the default WordPress database prefix.
Disable the XML-RPC feature.
Hide your WordPress version.
Block hotlinking from other websites.
Manage file and folder permissions.

Update WordPress

WordPress is an open-source software that is regularly maintained and updated. WordPress releases regular software updates to improve performance and security. Keeping your WordPress up to date at all times is critical to maintaining the security and stability of your site. These updates protect your site from cyber threats.

Every time a WordPress security vulnerability is reported, the core team starts working to release an update that fixes the issue.

By default, WordPress automatically installs minor updates. For the original version, the update must be started manually.

If you aren’t updating your WordPress website, then you are likely using a version of WordPress that has known vulnerabilities.

To check whether you have the latest WordPress version, open your WordPress admin area, and navigate to Dashboard -> Updates on the left menu panel. If it shows that your version is not up to date, we recommend updating it as soon as possible.

1. How to Update WordPress?

The most important thing you need to do before updating WordPress is to create a complete WordPress backup.

A complete WordPress backup includes everything.

Your WordPress database
All your images and media uploads
Your WordPress plugins and themes
Core WordPress files

You can do this from your host admin panel or with plugins.

To update, log in to the admin panel of your WordPress website and go to Dashboard > Updates.

You will see the notice that a new version of WordPress is available. Now you just need to click on the “Update Now” button to initiate the update. WordPress will now fetch the latest version of the software and install it for you. You will see the update progress on your screen during the update.

Choose the proper Theme and update it regularly

Themes are the interface of a WordPress website. They are made with PHP codes. Then, themes can be vulnerable and cause a WordPress secure thread. Using a secure theme for a website is as important as WordPress because if there is a bug in the theme, hackers and attackers can corrupt WordPress itself.

1. How to Choose a WordPress Theme?

Choosing the right theme is important. You must choose a suitable and secure WordPress theme.

Consider these steps when you want to install a theme.

Does the theme have a large install base?
Are there a lot of user reviews, and is the average rating high?
Are the developers actively supporting their theme and pushing frequent updates or security patches?
Does the vendor list terms of service or a privacy policy?
Does the vendor include a physical contact address in the ToS or from a contact page?
Don’t use nulled WordPress themes

If the theme has these questions’ answers, you can choose one of them but remember it, even the best themes may have bugs.

If your template does not have the mentioned features, we suggest you change it. To change the WordPress theme, you can use the tutorial posted on the site.

2. How to Install WordPress Themes?

Log in to your WordPress admin page, then go to Appearance and select Themes.
To add a theme, click Add New.
If you know the name of the theme you want, search for it in the Theme directory. If you don’t know your preferred theme’s name, use the Feature Filter to hone down your selection, check any tags and click Apply Filter for a screen filled with themes that meet your search criteria.
To unlock a theme’s options, hover over it; you can either choose Preview to see a demo of the theme or install it by clicking the Install button once you’re ready. Once installed, click the Activate link.
You’re all done, now preview your site to see how it looks.
If you have downloaded a theme on your system, click on Upload Theme and browse it on your system and click the Install Now button.

3. How to Update the WordPress Theme?

Sometimes themes can become deprecated. Check them to be sure, you are using the right theme. If there is an update for it, update it.

Go to Appearance > Themes. In this section, you can see which theme needs an update. If you are not using a child/parent theme for customizations, you’ll need to copy your modifications to a new theme folder.

On this website, we have prepared a tutorial titled how to update the WordPress theme safely.

Plugins

Plugins are some codes to increase the capability of WordPress websites. These days every WordPress website uses plugins.

1. How to Choose a WordPress Plugin?

Like themes, choosing the right plugins is important. If there is a bug in one of the plugins, your website is at risk.

Consider these steps when you want to install a plugin.

Does the plugin have a large install base?
Are there a lot of user reviews, and is the average rating high?
Are the developers actively supporting their plugin and pushing frequent updates or security patches?
Does the vendor list terms of service or a privacy policy?
Does the vendor include a physical contact address in the ToS or from a contact page?
Don’t use nulled WordPress plugins

If the plugin has these questions answered, you can choose it but remember, even the best plugins may have bugs. This is the reason why the developers of the plugins update their plugins.

2. How to Install WordPress Plugins?

Browse to the plugin archive and select it. Then click Install Now and the plugin will be installed shortly.

3. How to Update the WordPress Plugin?

Log in to the WP admin section. Go to Plugins. If there is an update for the plugin, you will see the update now link in the plugin area. After clicking, the plugin will be updated shortly.

Tips about themes and plugins

1. Remove Unused WordPress Plugins & Themes

If you don’t need a plugin or theme, remove them. By default, there are themes on WordPress that they install with WordPress, if you don’t want to use them and use another theme, remove them.

How to remove a WordPress theme completely

2. Keep WordPress, Theme, and Plugins Updated All the Time

You should always apply updates as soon as possible to keep your WordPress site safe & secure.

Use Secure WordPress Admin Login Credentials

One of the most common mistakes users make is using easy-to-guess usernames such as ‘admin’, ‘administrator’, or ‘test’. This makes the website more susceptible to brute-force attacks. Additionally, attackers use this type of attack to target WordPress sites that do not have strong passwords.

Therefore, it is recommended that usernames and passwords be unique and complex.

Use proper username

Never use the “admin” username. Since “admin” is a very common username, it’s easy to guess, making it much easier for scammers to trick users into giving up their credentials.

This makes them vulnerable to brute force attacks and social engineering scams.

Require & Use Strong Passwords

It may be tempting to use or reuse passwords that are familiar or easy to remember, but doing so puts you, your users, and the site at risk.

Improving the strength and security of passwords makes them less likely to be hacked.

The stronger your password, the less likely you are to become a victim of a cyberattack and the more secure your WordPress website.

Add Security Questions to WordPress Login Screen

Adding security questions to your WordPress login screen makes it even harder for someone to gain unauthorized access. You can add security questions by installing the WP Security Questions plugin.

Set Up Safelist and Blocklist for the Admin Page

Enabling URL blocking protects your login page from malicious IP addresses and brute force attacks. To do this, you need a web application firewall (WAF) service such as Cloudflare or Sucuri.

Alternatively, you can configure your website’s .htaccess file to restrict access to the login page. Go to the root directory to access the files.

Adding this rule to your .htaccess will restrict access to wp-login.php to only one IP. Therefore, an attacker cannot access the login page from anywhere else.

# Block IPs for login Apache 2.2
<files /wp-login.php>
    order deny,allow
    allow from MYIP
    allow from MYIP2
    deny from all
</files>
# Block IPS for login Apache 2.4
<Files "wp-login.php">
    Require all denied
</Files>

This rule should be placed after the # BEGIN WordPress and # END WordPress directives.

This rule applies even if you don’t have a static IP, because you can limit your logins to a common range of ISPs.

Install SSL Certificate

The Secure Sockets Layer (SSL) is a data transfer protocol that encrypts data exchanged between a website and its visitors, making it difficult for attackers to steal sensitive information. This standard technology creates an encrypted connection between a web server (host) and a web browser (client).

It’s an industry standard used by millions of websites to protect online transactions with customers.

Websites that have an SSL certificate installed use HTTPS instead of HTTP and are easily identifiable.

You can also purchase an SSL certificate, but most hosting providers offer it for free.

Plugins like Really Simple SSL and SSL Insecure Content Fixer take care of the technical aspects and enable SSL with just a few clicks. The Premium version of Really Simple SSL can enable the HTTP Strict Transport Security header which enforces the use of HTTPS when accessing websites.

Enable Two-Factor Authentication for WP-Admin

Enable two-factor authentication (2FA) to secure the login process for your WordPress website. This authentication method adds a second layer of WordPress security to your login page as you have to enter a unique code to complete the login process.

To enforce 2FA on your WordPress site, install a login security plugin such as Wordfence Login Security. You’ll also need to install a third-party authenticator app such as Google Authenticator on your phone.

Back-Up WordPress Regularly

Creating regular backups of your WordPress site is an important damage control task as it helps your site recover from incidents such as cyberattacks and physical damage to your data center. The backup file should contain all WordPress installation files, including the database and WordPress core files.

We have discussed several backup methods in an article titled How to Backup WordPress.

Limit Login Attempts

WordPress allows users an unlimited number of login attempts on your website. Unfortunately, hackers can hack WordPress admins mercilessly using different password combinations until they find the right one.

Therefore, login attempts should be limited to prevent such website attacks. Limiting failed attempts is also useful for monitoring suspicious activity on your website.

One way to limit login attempts and increase WordPress security is to use plugins. There are many great options such as:

Limit Login Attempts Reloaded – Set the number of failed attempts for a particular IP address, add the user to a safe list or block it completely, and notify website users of the remaining block time.
Loginizer – Provides login security features such as 2FA, reCAPTCHA, and login challenge questions.
Limit Attempts by BestWebSoft – Automatically block IP addresses that reach the login attempt limit and add them to the deny list.

Change the WordPress Login Page URL

To further secure your website from brute force attacks, consider changing the WordPress login page URL.

Hackers and scammers can attempt to guess your username and password to access your admin dashboard once you identify your login page.

All WordPress websites have the same default login URL (yourdomain.com/wp-admin). Using a default login URL makes it easier for hackers to target your login page.

Plugins like WPS Hide Login and Change wp-admin Login allow you to set a custom login URL.

Log Idle Users Out Automatically

Many users leave their sessions running by forgetting to log out of websites. Therefore, someone else using the same device can access your user’s account and misuse sensitive data. This is especially true for internet users using public computers in their cafes or public library.

Monitor User Activity

Identify unwanted or malicious actions that are putting your website at risk by tracking activity in your admin panel.

We recommend this method if you have multiple users or authors accessing your WordPress site. This is because users can change settings that they shouldn’t, such as changing the theme or configuring plugins.

The easiest way to track user activity is with a WordPress plugin such as:

WP Activity Log – Monitor changes in multiple website areas such as posts, pages, themes, and plugins. It also records newly added files, deleted files, and changes made to each file.
Activity Log – You can monitor various activities and set rules for email notifications in your WordPress admin panel.
Simple History – In addition to recording activity logs in your WordPress admin screens, it supports multiple third-party plugins such as Jetpack, WP Crontrol, and Beaver Builder and records all related activities.

Check for Malware

Attackers are constantly creating new types of threats, so it’s important to regularly scan your WordPress site for malware.

Luckily, many good WordPress hack scanner plugins can scan for malware and improve your WordPress security.

Our experts recommend installing these security plugins on your website.

Wordfence – A popular WordPress security plugin that lets you know if another website has blocked suspicious activity with real-time malware signature updates and alerts.
BulletProof Security – It helps secure your WordPress site with idle session logout functionality, a hidden plugins folder that does not appear in the WordPress plugins section, and database backup and restore tools.
Sucuri Security – It is one of the best security plugins, offering various SSL certificates, remote malware scanning, and post-hack security action features.

Disable PHP error reporting

PHP Error Reporting is a great feature for monitoring your website’s PHP scripts as it displays complete information about your website’s paths and file structure.

However, exposing a website vulnerability on the backend is a serious security flaw in WordPress.

Follow these steps to modify your PHP file:

Open your website’s wp-config.php file using an FTP client such as FileZilla or your hosting provider’s file manager.
Add the following code snippet to the file. Make sure to add it before any other PHP statements.

error_reporting(0);
@ini_set(‘display_errors’, 0);

Use the more secure web host for your WordPress website

WordPress’ multiple security measures don’t make much sense if your hosting environment is vulnerable to cyberattacks. A hosting provider should guarantee a safe storage space for all your website data and files on their servers, so choosing a provider with a good level of security is important.

Turn File Editing Off

WordPress has a built-in file editor that makes it easy to edit WordPress PHP files. However, this feature can become a problem if hackers gain control over it.

For this reason, some WordPress users prefer to disable this feature. Add the following line of code to your wp-config.php file to disable file editing.

define( 'DISALLOW_FILE_EDIT', true );

Restrict Access Using the .htaccess File

The .htaccess file ensures that WordPress links work properly. If this file doesn’t declare the correct rules, your website will get a lot of 404 Not Found errors.

Additionally, .htaccess can block access from specific IPs, restrict access to only one IP, and disable PHP execution for specific folders. Here’s how .htaccess can be used to enhance WordPress security.

1. Disabling PHP Execution in Specific Folders

Hackers often upload backdoor scripts to upload folders. By default, this folder only hosts uploaded media files and cannot contain PHP files.

To secure your WordPress site, disable PHP execution in the folder by creating a new .htaccess file in /wp-content/uploads/ with the following rules:

<Files *.php>
    deny from all
</Files>

2. Protecting the wp-config.php File

The wp-config.php file in the root directory contains the WordPress core configuration and MySQL database details. Therefore, files are usually a prime target for hackers.

Protect this file and keep WordPress safe by implementing the following .htaccess rules.

<files wp-config.php>
    order allow,deny
    deny from all
</files>

Change the Default WordPress Database Prefix

The WordPress database contains and stores all the essential information your website needs to function. That’s why hackers often target databases with SQL injection attacks. This technique can inject malicious code into the database and bypass WordPress security measures to retrieve the contents of the database.

More than 50% of cyberattacks consist of SQL injection, making it one of the biggest threats.

To make this type of attack more difficult, it is better to change the default database from wp_ to something else.

To change the default database tables, log in to your host’s admin panel and open the wp_config.php file.

Look for the $table_prefix value within the code.

Replace the default WordPress database prefix wp_ with a new one.

Find the name of your database in this file and remember it.

define( 'DB_NAME', 'MySQL Database' );

Go to the database section of your host admin and enter phpMyAdmin. Log in to your database. The database is the one you remember and it is in the wp_config.php file.

Enter the following query in the SQL query editor to change the WordPress database prefix.

RENAME table `wp_tablename` TO `wp_myprefix`;

If you have changed the default of your database, you should keep in mind that some plugins store the names of the tables for identification, which you should also find and replace the previous default with the current default. Most of these values are stored in the usermeta and options tables, but check other tables as well.

Disable XML-RPC

XML-RPC is a WordPress feature for accessing and publishing content via mobile devices, enabling trackbacks and pingbacks, and using Jetpack plugins on your WordPress website.

However, XML-RPC has some weaknesses that hackers can exploit. This feature allows multiple login attempts without being detected by the security software, making your website vulnerable to brute-force attacks.

A hacker can also use the XML-RPC pinback feature to carry out his DDoS attack. An attacker could send pingbacks to thousands of websites simultaneously, potentially causing your landing page to crash. Plugins are a quicker and easier way to block XML-RPC functionality on your website. We recommend using the Disable XML-RPC Pingback plugin.

Another way to stop all incoming XML-RPC requests is to do it manually. Find the .htaccess file in your root directory and paste the following code snippet.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 000.00.000.000
</Files>

To allow XML-RPC to access a specific IP, replace 000.00.000.000 with your IP address or remove the line of code entirely.

Hide the WordPress Version

Hackers can break into your website more easily if they know the version of WordPress you’re using. Vulnerabilities in this version can be used to attack websites, especially for older versions of WordPress.

To remove the version number from headers and RSS feeds, add the following code to your functions.php file.

function dartcreations_remove_version() {
    return '';
} 
add_filter('the_generator', 'dartcreations_remove_version');

The WordPress generator meta tag also displays the WordPress version number. To get rid of them, add the line:

remove_action('wp_head', 'wp_generator');

Block Hotlinking

Hotlinking occurs when another website displays embedded content (usually images) hosted on your website without your permission, making the content look like its own. Every time people visit a website that contains hotlinks to content, it consumes web server resources and slows down the website.

To check if your content has been hotlinked, enter the following query in Google Image Search, replacing yourwebsite.com with your domain name:

inurl:yourwebsite.com -site:yourwebsite.com

To prevent hotlinking, use an FTP client, WordPress security plugin, or CDN, or edit your control panel settings.

To prevent hotlinking in Apache, simply add the following code to your .htaccess file.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://dropbox.com/hotlink-placeholder.jpg [NC,R,L]

To prevent hotlinking with NGINX, simply add the following code to your configuration file:

location ~ .(gif|png|jpe?g)$ {
    valid_referers none blocked ~.google. ~.bing. ~.yahoo yourdomain.com *.yourdomain.com;
    if ($invalid_referer) {
        return 403;
    }
}

Manage File Permissions

Prevent hackers from gaining access to administrator accounts by controlling who can read, write, or execute WordPress files and folders.

You can manage file and folder permissions using your web host’s file manager, FTP client, or the command line.

Permissions are generally set by default and may vary for different files or folders. Especially for the wp-admin folder and wp-config file, make sure that only the owner is allowed to write to them.

Disable Directory Indexing and Browsing

A hacker can use directory browsing to find out if there are files with known vulnerabilities and exploit them to gain access.
Directory browsing can also be used by others to examine files, copy images, explore directory structures, and other information. For this reason, it is highly recommended to disable directory indexing and directory browsing.

You need to connect to your website using FTP or cPanel files manager. Then find the .htaccess file at the root of your website. After that you need to add the following line to the end of your .htaccess file:

Options -Indexes

Install A Security Plugin

Installing a security plugin is an easy way to add an extra layer of protection to your website.

First, check out our list of recommended WordPress security plugins.

Wordfence Security – Firewall & Malware Scan
All In One WP Security & Firewall
iThemes Security
Jetpack – WP Security, Backup, Speed, & Growth

Many of the above methods can be controlled through a security plugin. For example, checking a strong password, disabling Hotlinks, etc.

Use A Web Application Firewall

One last thing you can do to secure your WordPress website is to use a web application firewall (WAF).
A WAF is typically a cloud-based security system that provides another layer of protection around your website.

Blocks all hacking attempts and filters out other malicious types of traffic such as Distributed Denial of Service (DDoS) attacks or spammers.

Add a CDN-level firewall

All websites are vulnerable to attacks from bots and other malicious actors. A DDoS (distributed denial of service) attack can overload a server by sending requests to it, crashing it, and making your website inaccessible.

A CDN-level firewall adds an extra layer of security by identifying and filtering out suspicious traffic before it reaches your servers. This helps protect your WordPress website from DDoS and other bot attacks.

Add security headers

Security headers prevent malicious code injection and reduce the risk of cross-site scripting attacks. Adding them can also help block payload-based attacks and reduce the chances of your website being compromised by malware.

Some types of security headers I recommend adding to your website include:

Referrer policies.
HTTP Strict-Transport-Security (HSTS).
A content security policy.
X-Frame options.
X-Content-Type-Options.
Cross-site scripting (XSS) protection.

Use the Latest PHP Version

PHP is the backbone of your WordPress site, so having the latest version on your server is very important. Each major version of PHP is generally fully supported for two years after release. During this time, bugs and security issues are fixed and patched regularly. Anyone running PHP 7.1 or earlier will lose security support and be exposed to unpatched vulnerabilities.

Move WP-Config outside the root folder

The wp-config.php file is a very important configuration file that contains sensitive information about your WordPress site, such as database connections.

If the wp-config.php file doesn’t exist in the root directory, WordPress will automatically look for it in a folder above the root directory. Moving this file out of the root folder will make wp-config.php inaccessible from the internet.

What are common WordPress Security issues?

Here are some of the most common types of cyberattacks that WordPress sites face and may cause leak secure websites.

Brute-Force Login Attempts

The brute-force login attempt is one of the simplest forms of attack. It occurs when a hacker uses automation to enter as many username-password combinations very quickly, eventually guessing the right credentials.

Cross-Site Scripting (XSS)

This type of attack occurs when an attacker “injects” malicious code into the target website to extract information and wreak havoc on the site’s functionality.

SQL Injections

This form of attack happens when an attacker submits a string of harmful code to a website through some user input, like a contact form. The website then stores the code in its database or retrieves data from the database.

Backdoors

A backdoor is a file that contains code allowing an attacker to bypass the standard WordPress login, ultimately accessing your site at any time. Attackers tend to place backdoors among other WordPress source files, making them difficult to find inexperienced users. Even when removed, attackers can write variants of this backdoor and continue using them to bypass your login.

Denial-of-Service (DoS) Attacks

Denial of service attack. These attacks prevent authorized users from accessing their website. DoS attacks are most commonly carried out by overloading the server with traffic and causing it to crash. The impact is exacerbated in the case of distributed denial of service attacks (DDoS). This is her DoS attack performed by many computers simultaneously.

Phishing

You may already be familiar with phishing. This happens when an attacker contacts a target that pretends to be a legitimate company or service. Phishing attempts usually trick the target into disclosing personal information, downloading malware, or visiting dangerous websites that can damage the computer. Once an attacker has access to your girlfriend’s WordPress account, they can even coordinate phishing attacks against your customers by impersonating you, which, as you can imagine, is not good for the company’s reputation.