WordPress Security – A Complete Guide On How To Secure Your Website

WordPress Security

In an average week, your WordPress website has to defend itself against several hack attacks. To keep your site secure, you need to take steps to improve your WordPress Security so you are not at risk of losing your hard work. In this guide, learn how to secure your WordPress site, and how to fix and prevent common WordPress security issues.

Although WordPress has basic defense features for security in place, you cannot rely on these alone to secure your WordPress website from hack attempts.

WordPress thus recommends that all users “harden” their website to prevent getting hacked; and this is good advice considering that as at the time of writing, up to 70% of websites using this platform have security vulnerabilities that hackers can exploit.

But why is it really important to secure your website?

Why You Should Secure Your WordPress Website.

Have you ever searched on Google and seen a warning that one of the WordPress websites on the search list may contain malware? What was your next move?

Most users avoid those hacked WordPress sites like the plague; nobody wants to be exposed to malware. This alone will lead to much loss in traffic.

But your most serious traffic loss will likely come from getting removed from google search results. In a recent poll, 45% of people who noticed their website was hacked saw a drop in search traffic. And 9% said they saw as much as 75% decrease in traffic. Those are scary numbers.

WordPress security becomes even more important if you use WordPress for your eCommerce business, or as a company website for your physical business.

If you run an online store, a notification about security issues in your WordPress site is going to turn a lot of customers away. And if someone uses your website and their financial details get stolen, you can be sure just about everybody they know will be warned to stay off your site. BAD FOR BUSINESS!

But how can you harden your WordPress security and keep hackers away?

How to Secure Your WordPress Site

Hardening WordPress security is a continuous process. While some of the recommendations in this guide can be done once and will to help keep you secure, most others have to be done from time to time. So you can consider the steps below to be a checklist with which you can address WordPress security issues, as well as improve your security from time to time.

Note: If your website has already been hacked and you need help restoring it, or you want us to help you audit your site and make it secure, please book our service and a developer will contact you.

WordPress Security Steps

Protect your WordPress admin login page and dashboard

  1. Use secure usernames and passwords.
  2. Use 2 factor authentication.
  3. Limit number of login attempts.
  4. Change your login URL.
  5. Disable file editing in WordPress admin area.

Securing themes, plugins, and WordPress Core

  1. Delete plugin or theme that is not in use.
  2. Regularly update themes, plugins, and WordPress core.
  3. Do not download themes or WordPress plugins from untrusted sites, download only from WordPress repository .

Securing WordPress files and folders

  1. Access your web server using secure connection.
  2. Use correct permissions on files and folders.
  3. Prevent directory browsing.

Securing database

  1. Use strong passwords
  2. Use different WordPress databases users for different WordPress websites on the same host.

Others

  1. Do regular  WordPress backups (files and DB)
  2. Use a WordPress Security Plugin

Now let us consider these steps one after the other.

Securing your WordPress Admin Login Page and Dashboard

The WordPress login page and admin dashboard are especially targeted by hackers. Gladly, there are simple steps you can take to prevent unauthorized access to these pages.

1. Use secure usernames and passwords

The place to start when hardening your WordPress Security is ensuring your usernames and passwords are not easy to guess. As simple as it sounds, this can help prevent WordPress security issues.

By default, WordPress creates an administrative user with “admin” as username. If that admin username is still active in your site, change it immediately to something more secure.

Also, use very secure passwords and require that everyone else who has access to your admin dashboard does the same. Using the WordFence security plugin, you can enforce strong passwords for all users.

If your password is something like “admin1234”, you are handing hackers the key to your WordPress admin dashboard. Instead, use something hard to guess like “Ne8L(&15mMz&^G”.

2. Use 2 factor authentication

Two factor authentication improves WordPress security by presenting an added layer a user has to go through to gain access to your website. One very common twofactor authentication is the one-time password (OTP) you receive when trying to sign up for some services.

Using WordFence security plugin, you can implement 2 factor authentication on your WordPress site, such that even if a person has your username and password, they will also need your mobile device to login to your WordPress dashboard.

Learn more about how to secure your WordPress site using two factor authentication.

3. Limit number of login attempts

Restrict login attempts to secure your WordPress site

This step is very important to defend your site against brute force attacks.

Using Brute Force, a hacker tries to login repeatedly using a random combination of usernames and passwords. If these WordPress login attempts go on unhindered, the brute force software will possibly arrive at your correct details and gain access to your dashboard.

How can you secure your WordPress site against this attack? Simple – you can limit login attempts to just 3 tries. That way, the brute force software only gets to try 3 combinations instead of thousands, and your site is protected.

This can be easily enabled using the WordFence security plugin.

Limit login attempts with WordFence to secure your WordPress site

4. Change your login url

By default, you can get to any WordPress admin page by adding “/wp-admin” to the domain name. This means that a hacker knows exactly where to go to carry out attacks on your login page.

You can prevent this by changing the location of your WordPress login page, and this can easily be done using the WPS Hide Login plugin.

5. Disable file editing in admin dashboard

By default, you can edit plugin and theme files using the editor in your admin dashboard.

Disable file editing in dashboard

We highly recommend that you disable this feature.

In the event that a hacker gains access to your dashboard, they can only carry out functions permitted in the dashboard, and according to the authorization level.

But if file editing is enabled, they can inject malicious code into your themes or plugins and gain complete control of your site.

To disable file editing in dashboard, add the following code to the end of your wp config php file.

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

Securing Themes, Plugins and WordPress Core

Securing your WordPress plugins and themes is very important for keeping a secure website. Since these have complete access to your WordPress installation files and database, if a hacker is able to get into anyone of them, he can gain complete access to your website.

Thus, you need to use the following steps to secure your WordPress site plugins, themes, and other code areas.

1. Delete themes and plugins that are not in use

Any plugin or theme installed in your site that you are not currently using, should be deleted.

Delete themes and plugins that are not being used

Every theme and plugin adds extra code to your site that could contain vulnerabilities that hackers can exploit. And this opens up your site to WordPress security issues.

When you delete those that are not in use, you effectively reduce a hacker’s ability to gain access to your site.

2. Regularly update themes, plugins, and WordPress

One major reason WP is updated is to correct security loopholes in previous WordPress versions. Thus, you can improve security by regularly updating your WordPress core, themes, and plugins.

WordPress Security - Regularly update themes and plugins

3. Do not download themes or plugins from untrusted sites

Many premium themes and plugins have ripped versions that you can download from file sharing websites.

WordPress Security - Download themes and plugins from trusted sites

If you decide to skip the usually low fee, and get a premium plugin or theme from those sites, you will likely end up paying by giving a hacker control of your website.

We highly recommend that you download your themes and plugins directly from WordPress as these are thoroughly screened before being added to their WordPress databases.

However, there are other reputable WordPress theme sites with a track record of quality themes. If you are choosing a theme outside those featured on WordPress, ensure you do proper research and get it from a good source.

Securing WordPress Files and Folders

1. Access your server using secure connection

When connecting to your server to upload or edit files, use Secure FTP (SFTP) to keep your WordPress site secure. This will ensure that your files are correctly transferred and not hijacked and altered by a hacker.

You would need to contact your WordPress host for your SFTP details.

2. Use correct permissions on files and folders

WordPress recommends that folders should have 755 permission, while files should have 644.

Your WordPress files may be vulnerable to hacks if this scheme is not followed.

Also, NO FILE OR FOLDER should have a 777 permission! That file permissions grant all rights (read, write, execute) to everyone. You are surely going to have WordPress security issues if this permission is granted.

Using command line, you can change all folder permissions in your site to 755 by entering the following:

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} ;

You can do the same for files using this command:

find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} ;

Alternatively, this can easily be done using an FTP client like Filezilla.

Use correct file permissions

3. Prevent directory browsing

If you have a folder in your site that doesn’t contain an index.html or index.php file, what happens is that all the files in that directory are displayed on screen when a visitor types in a link to that folder.

You don’t want that as it exposes you to WordPress security issues.

WordPress Security - Disable directory listing

Hackers can use this behavior to browse through your files in search for vulnerabilities.

Thus, you need to prevent directory browsing by adding the following code to the .htaccess file:

Options –Indexes

Securing Database

Another possible attack point is your database. If a hacker is able to gain control of your database, they can do much damage. For example, they can add a new admin user and password and gain unlimited access to your WordPress dashboard. It is thus important to secure your database with the following steps.

1. Use strong passwords

Ensure you use a secure password for your database user. If you checked and decided your current password is not secure enough, you have to change your database password in your host. When done, update it in WordPress as follow:

  • Access your WordPress files using Filezilla FTP client (preferably with secure FTP connection).
  • Locate the config php file in your WordPress base directory. Right click and select “View/Edit”
  • Look for:

define( 'DB_PASSWORD', 'Your old password' );

and change it to :

define( 'DB_PASSWORD', 'the_password_you_just_created');

WordPress Security - Use strong password for DB

  • Save the file and upload it.

2. Use different database users for different WP sites on the same host

If you are using a single web hosting account for multiple WordPress sites, you should refrain from using the same database user for them all.

In fact, each WordPress website should have its own database and each database should have its own user and password. This way, if a hacker gains access to the login details for one database, the other WordPress databases would still be secure.

Read this guide to learn how to create databases and database users.

Other WordPress Security Steps

1. Regularly Backup files and Database

ALWAYS! Always have a complete WordPress backups of your website files and database in a remote location.

WordPress backup plugins such as UpdraftPlus and BackWPup can be used to run regular WordPress backups of your website files and database to remote locations such as Amazon S3 and Google drive.

WordPress Security - Backup WordPress sites

In the event of a security breach, even if your data is compromised, you can first secure your site, and then fall back to your most recent backup to get your site up and running.

2. Use a WordPress Security Plugin

There are quite a few WordPress security plugins that provide a good number of tools and operations to secure your website. Some of the most popular include Wordfence and iThemes security.

WordPress Security - Security Plugins

Using these plugins, you can perform some of the operations covered in this guide, and also benefit from other real-time protection features.

For example, if an ip address is used to attempt a site hack in any site with one of these plugins, that ip is noted. If that ip address is used to launch attacks on your site, the attacks are completely blocked off.

This, and many other settings and features help keep your site more secure. Hence, we recommend that you use a security plugin.

WordPress Security – How Can You Use This Information?

Website security is an ongoing process. Many of the suggestions in this post have to be done from time to time. We encourage you to keep this article bookmarked and use it as a checklist on your current site, or whenever you are installing a new WordPress website.

If you have tried other WP security measures and seen good results, we would love to hear about them in the comments section.