We all love WordPress.
It has a ton of nifty plugins and themes, an easy-to-use interface, and a great community with members that help each other out.
No wonder WordPress is the most popular CMS of all time! 🙂
Unfortunately, it is also the most hacked CMS of all time. 🙁
Don’t get me wrong. Hackers target WordPress because the CMS is used by over 35% of the internet, which gives them more opportunities to work with. WordPress is inherently quite secure and the team is working consistently to keep security breaches to a minimum.
So, we still love WordPress.
As for that tiny matter of website security, we’ve listed a few handy security tips which can fill in any gaps that WordPress might have and make your site hack-proof.
Before we move on to the advanced security measures, here are some basics that you need to ensure right from the start.
Basic WordPress Security Checklist
- Keep your WordPress version up-to-date
- Update all your plugins and themes regularly
- Delete old plugins and themes that you have stopped using
- Download plugins and themes from trusted sources ONLY (especially while downloading free products)
- Install a firewall
- Backup your site regularly
- Conduct periodic security scans
- Assess the site for vulnerabilities
- Don’t use ‘admin’ as your username and password
- Create strong alpha-numeric passwords for your user accounts (your birthdate doesn’t count)
That covers the basic checklist of security tips you need while just starting out. Now, let’s move on to some bigger stuff.
We’ve sorted the advanced tips into categories addressing the different aspects of website security in WordPress, for ease of reference.
Alright. That’s enough introduction, let’s get down to business.
A. WordPress Hosting security
1. Choose a trusted hosting partner
When it comes to the security of your WordPress website, a lot rides on the hosting partner you choose. While there are different types of WordPress hosting plans, make sure that you pick a trusted and reliable hosting service provider like WPEngine or SiteGround.
Why is this important? A study by WP White Security plugins shows that 41% of WordPress websites were hacked because of a vulnerability in their hosting platform.
2. Secure your wp-config.php file
In addition to choosing a good, strong hosting plugin, one thing you can do to boost website security is to secure your wp-config.php file.
This file is located in the root folder of your website, along with the ‘/wp-content/’ folder. It is the most important file of your WordPress installation because it has the entire configuration of the site.
To secure it, all you need to do is move it up into a folder higher than the root directory.
Why is this important? Moving the wp-config file from its default location makes it inaccessible for hackers to locate or tamper with it.
3. Disable file Edit access for Administrators
The administrators on your WordPress website can edit any and all of the files in your installation. To disallow other admins from editing these files, you can restrict Edit access.
To do so, you will need to modify the wp-config file by adding this bit of code at the end of the file.
Why is this important? Disabling Edit access means that nobody other than you can edit the website’s files, irrespective of whether they have admin access or not. This way, even if a hacker were to get admin login credentials for your website, he/she cannot make any changes to your core files.
Hotlinking is when you add an image on your website from another website by directly entering its URL. In this scenario, you have no control over the image or its hosting server.
Conversely, if someone links to an image on your website, your server takes the load, which might result in slow site speeds.
To avoid this, block websites from hotlinking to your website.
5. Disable directory browsing
Every time you create a directory, all the elements listed under it can be accessed by a visitor by simply entering the directory URL. And unless you have some really obscure name for your directory listing, hackers are going to be able to guess and discover the data you have in that directory.
To avoid this, simply add ‘Options All -Indexes’ in your .htaccess file.
Why is this important? Hiding directory browsing prevents snoops from seeing what is listed in your directory without the required permissions.
6. Protect against DDoS attacks
DDoS attacks are when hackers try to overload your server by brute force and make your website crash.
Firewalls usually help block against such attacks but it is nevertheless a good idea to control the bandwidth being used and block DDoS attacks altogether.
B. Admin Panel and Login Page security
7. Enable Two-factor Authentication
Two-factor authentication is when you use two different steps to ensure that the user logging in is genuine. For instance, think of the verification question you ask your users after they have entered their username and password.
If you want to be even more cautious, you can send a verification link to the registered email address to be absolutely sure that a hacker is not trying to login using a fake username-password.
Why is this important? Two-factor authentication confirms that the user logging in has real login details and is not just a fluke.
8. Use email login instead of just username
WordPress logins usually ask for the username, by default. However, to ensure additional security, you can enable logging in only via email.
This is usually safer because guessing a username is relatively easier than guessing an email ID.
Why is this important? Hackers are adept at figuring out usernames as they usually have a typical format. However, email addresses are more difficult to predict which reduces the probability of your website being hacked.
9. Secure your website against brute force attacks
Brute force attacks are when a hacker tries to overwhelm your website by logging in repeatedly using multiple combinations of email IDs and passwords. To avoid this, you can limit the number of login attempts for users so that they cannot force their way in with unlimited login attempts.
An additional option is to block the IP or the account after the maximum number of login attempts is reached.
A WordFence survey shows, nearly 18% of security breaches happen because of brute force attacks where users repeatedly tried to log in using combinations of usernames and passwords. One way of countering this type of attack is by simply blocking invalid usernames from logging in again.
For instance, if you register an unknown username trying to login multiple times, you can block the IP after one or a fixed number of attempts.
Why is this important? Leaving your website open to brute force attacks makes it more vulnerable to breaches as hackers can keep trying combinations until they hit upon the right one. Limited login attempts ensure that this does not happen and besides, you come to know which account hackers are trying to break in to.
10. Rename URL login page
Anyone who is familiar with the basics of WordPress knows that the login page URL is usually ‘www.websitename.com/wp-admin’ or ‘www.websitename.com/wp-login’. If you know it, you can be sure potential hackers know it too, which makes it really easy for them to find the page and hack into your website.
To avoid this, you can change the URL of the login page, to something other than the ordinary. It does not have to be anything drastic as you still have to maintain a professional touch, but a simple, yet unexpected change can be enough.
11. Log out idle users automatically
Idle accounts are an ideal ground for hackers to use, as they can easily change information within such accounts or on your website. To prevent this, you can log out users automatically, after they have been idle for some specific duration, like 30mins or so.
There are several WordPress security plugins that can help you set up this feature on your website. Going one step further, you can even add a security question or password-protection to your login page, which can be accessed only after the user has entered his/her unique combination. This makes accessing the login page air-tight are reduces your worries immensely.
Why is this important? Logging out idle users ensures that no hacker can masquerade as a genuine user and wreak havoc on your website, especially using admin accounts.
12. Set up Website Lockdown feature
Facing a major breach or the threat of one? Set up a total Website Lockdown feature, which will automatically lock down your website if too many false sessions from a particular IP are observed.
If you install a WordPress security plugin like iThemes or SecuPress for the same, you can set up a system to get notifications when somebody tries to hack in with repetitive wrong passwords and accordingly lock down the website.
C. WordPress Theme and Plugin security
13. Check permissions required by the plugin/theme before installation
Plugin vulnerability is the most common reason why WordPress websites are hacked. There are over 55,000 plugins on WordPress and not all of them are coded well. So, it is necessary to ensure that you buy/download it from trusted developers. Avoid using nulled versions of plugins as they are not up-to-dated and often have major security breaches.
Having said that, don’t be complacent just because you are buying the plugin from a trusted source.
Check what permissions are required by the plugin or theme, before you download it.
Check which files it will be accessing, what rewriting permissions it requires, what changes it will be making to your website.
If there are administrator-level permissions required, make sure you know exactly what those are and understand how they are going to impact your website.
14. Set a plugin installation limit
When it comes to managing plugins on your WordPress website, there are four things you need to take care of:
- Check file permissions before installation
- Update the plugin regularly to the latest version to avoid security gaps
- Delete old and unused plugins from your website
- Set a plugin installation limit.
Why is this important? Having an installation limit forces you to keep only the plugins you need and none more than necessary. You keep stock of the plugins you are using and automatically delete those that are not in use. This makes for better website health in terms of security.
15. Disable Plugin and Theme editor
Seasoned developers and website owners are often tempted to edit the source code for the plugin or theme directly from the Dashboard. Since they know precisely what changes they are making and their implications, it does not seem like much of a big deal. However, it is.
Making changes in the source code can open security holes that you might not realize. In addition, if you share the website with other administrators, and each of them also makes changes in the plugins and theme, you can imagine what a mess it would create.
To avoid this, disable the Plugin and Theme Editor so that nobody except the core administrator has the authority to make source-level changes on the website.
16. Restrict access to Plugin Directory
Do you know that anybody with a little coding expertise can find out exactly which plugins you are using on your website? And if they know which plugins you are using, they can find out the loopholes in any of those. That’s usually what hackers do, to hack into your website.
To avoid any unauthorized person from finding out which plugins you use, restrict access to your plugin directory, as follows:
- Create a blank indext.html
- Upload this file to the plugin directory you want to hide
- Open the Root folder
- Open the .htaccess file
- Add Options – Indexes at the beginning of the file
17. Hide the plugin/theme version number
An extension of the tips to overcome plugin vulnerabilities, this one is necessary to avoid hackers from finding loopholes in the plugins you are using.
Every plugin and theme update is tested for security patches before release and tends to keep getting more hack-proof with time. However, using older versions of plugins/themes makes your website vulnerable to hackers as they can exploit the loopholes in the older versions.
Understandably, sometimes you cannot update a plugin if you have made too many modifications in it or updating it is going to cause conflicts on your website. In such a scenario, you can choose to hide the version number of the plugins/theme you are using, thereby making it more difficult for potential hackers to force their way in.
D. WordPress Database security
18. Change the default database table prefix
This is a point of debate among developers, but for all intents and purposes, a good tip for website security.
Your main website database usually has the format ‘wp-databasename’. This ‘wp-’ prefix is insanely easy to guess because it is the default prefix for WordPress. Your core database is where all the important information about your website is stored and if somebody manages to hack into it, they can steal all your data.
Which is why it is a good idea to change the prefix of your database tables. Choose something that is not predictable, to prevent potential hackers from guessing it and stealing your information.
19. Set up strong passwords for the database
It’s not just the website and user logins that need strong passwords, your database needs them too. As we’ve seen before, if your database is hacked, you stand to lose valuable client information and hence, credibility. So, make sure that you have a strong password – preferably alpha-numeric – for accessing your database.
In addition, you need to keep changing it regularly to ensure that website database security is not compromised.
20. Store database backups offline
We know that taking regular backups of the website is a required practice for maintaining website health. However, make sure that you save a copy of these backups offline, along with the one on the server.
Should a situation arise where your website gets breached completely, rebuilding becomes easier if you have a copy stored offline.
Why is this important? Storing all your database backups ensures that hackers cannot access them because they are not linked to your server. In addition, they save you from having to build the website from scratch.
21. Restrict database user privileges
To secure your website even further, avoid sharing database privileges with other website admins, especially in case of a multi-admin website. Suppose your website is a place where a lot of people have access to the backend, it increases the chances of someone tampering with your core files, whether by design or accident.
Prevent such instances by restricting database user privileges within your website to people you trust.
E. WordPress Dashboard security
22. Secure the wp-admin directory
The wp-admin directory contains all the core files of your website. If this gets breached, you might as well give up your website for lost.
Naturally, to avoid this, you need to protect it adequately. This can be done by setting up password-protection for the directory, where a user has to first login through the main login page and then to the directory.
Usually, this step is enough to protect your wp-admin directory and you can use cPanel’s password-protect the directory function to set it up.
23. Disable script injections and uploading of PHP files
The most vulnerable place where hackers might target on your website is the wp-uploads folder as they can upload files here with due permission.
Consider that a potential hacker uploads and runs a PHP file in wp-content/uploads. If you don’t place stringent file checks here, your server is going to run the malicious file which may cause your website to break.
So, it is important to set specific permissions for uploading files on your website and if possible, disable the uploading of PHP files from user accounts altogether.
24. Get an SSL certificate for your website
An SSL (Secure Socket Layer) certificate secures data transfer between the server and the user browser, which makes it difficult for hackers to interpret and modify the data.
In addition, an SSL certificate assures Google and your visitors that your website is secure, which is good for your business.
25. Restrict backend access for a multi-user site
If you have a website where multiple users have access to the backend, make sure you assign user roles and capabilities accordingly. Restrict backend access as much as possible to people you trust absolutely, and assign user roles with limited functionality (such as Contributor or Author) to others.
In addition, even for registered users, you can enforce the addition of strong usernames and passwords.
26. Monitor website activity and security logs
Monitoring your website activity is an excellent method of keeping track of what changes are made in your website files and detecting any possible breaches. Similarly, tracking security logs helps you identify potential threats and react quickly to prevent damage to your website.
…and last but not the least,
27. Use a good WordPress Security Plugin
If you are not much of a coder, it can be better to install a good security plugin that takes care of your website security.
There are some best WordPress security plugins available for WordPress, like SecuPress, iThemes Security, BulletProof Security, WordFence, etc.
Having a security plugin ensures that all the small tasks and loopholes you might overlook while maintaining your website are taken care of, as it runs in the background.
A Final Word on WordPress Website Security
This is a pretty extensive list of security tips for your WordPress website and yet, we have just scraped the surface. There are several other measures that can be taken to safeguard your website against hackers and preserve the trust your customers have in you.
In fact, there’s an entire section on wordpress.org dedicated to hardening your WordPress website, which has advanced tips to secure your website.
Website security breaches can be a messy thing to deal with, irrespective of whether your company is big or small.
This is why you need to be constantly alert about finding and patching security gaps on your website. In addition, you can use a security plugin to automate most of these activities and keep the site from being hacked.
What do you say? Any tips you would like to add? Share your advice in the comments below!
- What is WordPress security?
WordPress security means protecting your WordPress website from malicious hackers that try to steal your information. Google blacklists 10,000+ suspicious websites every day, so it is important that your website be completely secure.
- Why do WordPress websites get hacked?
WordPress websites get hacked mostly if there are any security loopholes in the plugins and themes that are being used on the site. The WordPress core is quite secure and regularly updated for maximum website security.
- How do I make my WordPress website secure?
Following the best security practices and proper website, management should be enough to make your website secure. In case you are not much of a coder, you can install a WordPress security plugin that does the work for you.
- Which is the best WordPress security plugin?
WordFence, Jetpack, SecuPress, and Sucuri are some of the most popular WordPress security plugins. You can read this article about Best WordPress Security plugins comparison for more information.