Last Updated on December 11, 2019
One of the few downsides about using WordPress as your content management system is that every hacker wants to break into it. Since WordPress powers up to a quarter of the world’s websites, this is not really a surprise.
The good news is that there are many ways to shore up your WordPress website to make life a bit harder for all but the most hardened cybercriminals.
Some of the tips below are widely known and easy to implement. Others are a little bit more sophisticated and may need you to write (or at least copy and paste) some snippets of code.
Without further ado, let’s check out 15 ways to secure your WordPress site.
15 Ways To Secure Your WordPress Site
1. Hide Away Your Log-In Page
If a hacker wanted to break into your WordPress website through the front door, they would use software to target your log-in page.
Seasoned WordPress users will know that the login page almost always resides at ‘yourwebsite.com/WordPress-Admin’ or ‘yourwebsite.com/WordPress-Login.php’. One way of foiling your attacker would be to use a plugin such as “Cerber Security, Antispam& Malware Scan’ by Cerber Tech Inc. to create a custom log-in URL.
2. Implement SSL/TLS
This is particularly important for ecommerce sites and websites sending or receiving sensitive user or business data. SSL (Secure Sockets Layer) was an encryption protocol which prevented third parties from reading intercepted data. If you have more than one domain, then SAN SSL certificate could be the best way to secure all domains under a single security protection.
TLS (Transport Layer Security) is the updated version of this. Your webhost should be able to help you to purchase and activate a TLS certificate (often confusingly still called an SSL certificate). Your WORDPRESS site will then display the padlock icon and the HTTPS (Hypertext Transfer Protocol Secure) prefix.
3. Choose a Competent Webhost
Hang fire a second. Before speaking to your webhost it is worth checking you are with a good one. 41 percent of successful cyberattacks come through vulnerabilities in the host servers so it is worth making sure that your webhost is optimized for WordPress sites (e.g. running the latest PHP and MySQL versions) and has enterprise-grade firewalls, malware scanners and intrusion detection software in place.
4. Ensure Updates Are Uploaded Promptly
Although minor, security-focused updates are now automatically updated by WordPress, major updates still require manual acceptance. You will normally be notified by email. If you miss it, there will be a prominent reminder on your dashboard as well as a blob on your sidebar menu. We recommend backing up your WordPress site before updating as major updates can sometimes lead to conflicts.
5. Only Download Quality Themes and Plugins
We’ve already mentioned a few trusted plugins that can help you to secure your website. Now is a good time to urge you to always download plugins from the WordPress Directory or a trusted vendor.
The same goes for themes. Whether you are looking for a specific or a Multi-Purpose WordPress theme, don’t risk downloading from an unknown source. Although a premium WordPress theme can carry malware, it is even more likely that a free WordPress theme will be infected so be careful. Therefore, always download your free and premium Multi-Purpose WordPress themes from a trusted vendor only.
6. WordPress Configuration File: Automate All Updates
The WordPress configuration file is a powerful little document which you will find in your WordPress files on your host’s file manager. It’s labeled “WordPress-config.php” and you can thwart many of your attackers’ moves by adding or amending code on this page.
Although it is normally best to manually apply major updates, you may want to enable automatic updates if you have a relatively simple website, look after lots of sensitive data or, you are slow to apply updates.
Here is the code for that:
add_filter( ‘auto_update_plugin’, ‘__return_true’ );
add_filter( ‘auto_update_theme’, ‘__return_true’ );
7. WordPress Configuration File: Add Security Keys (Salts)
For added security, you can encrypt the information in browser cookies using WordPress security keys (known as SALTs). Use a key generator to add the required keys to this code (a different key per line):
define(‘AUTH_KEY’, ‘put your unique key here’);
define(‘SECURE_AUTH_KEY’, ‘put your unique key here’);
define(‘LOGGED_IN_KEY’, ‘put your unique key here’);
define(‘NONCE_KEY’, ‘put your unique key here’);
define(‘AUTH_SALT’, ‘put your unique key here’);
define(‘SECURE_AUTH_SALT’, ‘put your unique key here’);
define(‘LOGGED_IN_SALT’, ‘put your unique key here’);
define(‘NONCE_SALT’, ‘put your unique key here’);
8. WordPress Configuration File: Disable Backend Theme and Plugin Editors
The WordPress dashboard includes raw code editors to enable developers to customize themes and plugins. Unfortunately, it also means that a hacker can mess with your website without accessing your server.
Add this one line of code to disable the backend editors:
9. WordPress Configuration File: Disable PHP Error Reports
Even an apparently harmless PHP error report adds unnecessary risk by revealing your server file structure. You can disable the reports with the following snippet of code:
10. Server Configuration File: Restrict Access To Core Files
The .htaccess file is another important file that controls access to your entire website. This is invisible by default, so always choose to reveal hidden files when using your file manager’s search function.
If you want to block access to a series of important files, including your WordPress-config.php file, enter the following code into your .htaccess file:
Deny from all
Note: You may need to replace php.ini with php5.ini or php7.ini if you use these versions.
11. Protect Your Devices
The devices you use to access your WordPress admin area also need to be fully secured to avoid hackers gaining easy entry to your WordPress site. Make sure you have a virus and malware scanner installed and a firewall in place and activated (the one with your operating system will normally be fine).
Apply updates regularly, use FTPS to access your server and never log on via a public WiFi connection.
12. Change Your Table Prefixes
Hands up who knows what the WordPress table prefix is? Experienced users (and hackers) will probably know that it’s simply ‘WordPress_’
You can change this in your WordPress configuration file by amending the line:
$table_prefix = ‘WordPress_’;
to a random string like:
$table_prefix = ‘hfu4y7fhuur_’;
You can then use a plugin like iThemes Security to update your databases to match.
13. Add In Two-Factor Authentication (2fa)
Normally, you only need to enter your username and password to access your WordPress website admin area from any device. If you want to add an extra step (something you have on top of something you know), a two-factor authentication plugin like Google Authenticator – WordPress Two Factor Authentication by MiniOrange or OpenID by DiSo Development Team can do that for you.
14. Restrict User Admin Access
As experienced WordPress users will already be aware, you can set different roles and capabilities for administrators of your website. It is always good practice to limit a user’s access rights to what is strictly needed for the job they do.
15. Keep Your Passwords Strong
While talking about good practice, it is worth stressing how important a strong password is. WordPress will automatically generate a strong password for you using random letters, numbers and characters. If you do decide to change this for something less abstract, keep an eye on the password strength indicator.
And there you have it: tips for securing your WordPress site and frustrating those annoying (and dangerous) hackers. There are more methods you could use (e.g. limiting the number of log-in attempts, disabling script injections and preventing the execution of PHP files) but the 15 steps above are a good way to start.