Step By Step Guide to Securing WordPress
1. Keep WordPress Updated
Regular updates are vital to ensure your WordPress site is protected against security vulnerabilities. Hackers often target outdated versions of WordPress, plugins, and themes.
Steps:
- Log in to your WordPress dashboard.
- Navigate to Dashboard → Updates.
- If there is an update for WordPress core, click Update Now.
- Scroll down to check for plugin and theme updates. Select all available updates and click Update Plugins or Update Themes.
Why: Updates frequently include important security patches, fixing known vulnerabilities that hackers might exploit.
2. Use Strong Passwords
Weak passwords are one of the easiest ways for hackers to gain access to your site. Ensure every user account, especially admin accounts, uses a complex password.
Steps:
- Go to Users → Profile and set a strong password.
- Use a combination of uppercase and lowercase letters, numbers, and symbols.
- Consider using a password manager like LastPass, Dashlane, or Bitwarden to generate and store passwords securely.
Why: Strong passwords make it harder for attackers to brute force their way into your site.
3. Add Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) adds an extra step during login, making it harder for attackers to gain access even if they know the password.
Steps:
- Install a plugin like Google Authenticator, Two Factor Authentication by WP 2FA, or Wordfence.
- Go to the plugin’s settings to configure 2FA for admin and key user accounts.
- Download a 2FA app like Google Authenticator or Authy on your smartphone.
- Follow the setup instructions to scan the QR code and enable 2FA.
Why: 2FA provides an extra layer of security, requiring both a password and a secondary code, typically generated by an app, to log in.
4. Limit Login Attempts
WordPress, by default, allows unlimited login attempts. Limiting the number of failed login attempts can block brute force attacks that try to guess your password.
Steps:
- Install the Limit Login Attempts Reloaded plugin.
- Go to Settings → Limit Login Attempts.
- Set a limit on failed login attempts (e.g., 3 to 5 attempts).
- Configure the lockout time (e.g., 15 minutes for the first few attempts, 24 hours after several failed attempts).
Why: This reduces the chances of a brute force attack successfully cracking your login credentials.
5. Change the Default Admin Username
Many WordPress installations default the admin username to “admin,” which is easy for hackers to guess. Changing it to something unique makes it harder for hackers to access your account.
Steps:
- Create a new admin account: Go to Users → Add New and create a new admin user with a unique username.
- Log in using the new username.
- Go back to Users, delete the default “admin” account, and assign its posts to the new account.
Why: Changing the default admin username adds an extra layer of security by making it harder for attackers to guess your login credentials.
6. Add Security Questions to the WordPress Login Screen
Adding security questions adds an extra hurdle for attackers who may have guessed your password.
Steps:
- Install the WP Security Questions plugin.
- Go to Settings → Security Questions to configure custom security questions.
- Choose the questions you’d like to appear on the login screen (e.g., “What’s your mother’s maiden name?” or “What was the name of your first pet?”).
Why: Even if a hacker obtains your password, they won’t be able to access your site without answering the security question correctly.
7. Disable File Editing
WordPress allows users to edit theme and plugin files directly from the dashboard, but this feature is a major security risk if hackers gain access. Disabling file editing prevents this from happening.
Steps:
- Open your
wp-config.php
file via FTP or your hosting file manager. - Add the following line of code:
define('DISALLOW_FILE_EDIT', true);
Why: Disabling file editing protects your site from attackers modifying files from the WordPress dashboard if they gain unauthorized access.
8. Disable PHP File Execution in Certain Directories
Malicious scripts are often uploaded in the /wp-content/uploads/
directory. Prevent PHP file execution in certain folders to block such scripts from running.
Steps:
- Create a
.htaccess
file in the/wp-content/uploads/
directory. - Add the following code:
<Files *.php>
deny from all
</Files>
Why: Disabling PHP execution in certain directories stops hackers from running malicious files that they’ve uploaded.
9. Disable Directory Indexing and Browsing
Directory browsing can give hackers insight into your site’s structure, making it easier for them to find vulnerabilities.
Steps:
- Open your
.htaccess
file (in the root of your WordPress installation). - Add the following line:
Options -Indexes
Why: Disabling directory browsing hides the content of your folders from attackers, preventing them from finding sensitive information.
10. Disable XML-RPC
XML-RPC enables remote connections to WordPress but is often targeted in brute force attacks. Disabling it can reduce the risk of certain attacks.
Steps:
- Disable XML-RPC by adding the following to your
.htaccess
file:
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Why: Disabling XML-RPC blocks many remote hacking attempts, especially those using brute force.
11. Have a Good Backup Plan
Regular backups ensure that you can quickly restore your website if it gets hacked or if something goes wrong.
Steps:
- Install a plugin like UpdraftPlus or Jetpack.
- Set the plugin to create daily or weekly backups.
- Store backups in a remote location, such as Google Drive, Dropbox, or Amazon S3.
Why: Backups are essential for restoring your site in case of an attack or data loss.
12. Use a Reputable WordPress Security Plugin
A security plugin monitors your website for malware and suspicious activity, blocks malicious traffic, and provides firewalls and other features to secure your website.
Steps:
- Install a plugin like Wordfence or Sucuri Security.
- Go to the plugin’s settings and enable features like malware scanning, brute force protection, and real-time threat defense.
Why: Security plugins help block malicious attacks and provide a real-time defense system for your site.
13. Use a Web Application Firewall (WAF)
A WAF helps protect your site by filtering and blocking harmful traffic before it even reaches your website.
Steps:
- Sign up for Cloudflare’s free plan or check with your hosting provider if they offer WAF services.
- Follow the setup instructions to connect your website to the WAF.
- Configure your firewall to block bad traffic and suspicious activities.
Why: A WAF helps protect your website from common threats like SQL injections and cross-site scripting (XSS).
14. Ensure You Have SSL/HTTPS
SSL encrypts the data transferred between your website and your visitors, ensuring sensitive information like passwords and credit card details remain private.
Steps:
- Purchase an SSL certificate from your hosting provider or use a free service like Let’s Encrypt.
- Once installed, force your website to load over HTTPS by going to Settings → General and updating the WordPress and site URLs to use
https://
instead ofhttp://
. - Install the Really Simple SSL plugin if needed to handle redirects.
Why: SSL is crucial for secure data transmission and improves your website’s SEO ranking.
15. Change the WordPress Database Prefix
By default, WordPress uses the wp_
prefix for its database tables, making it easier for hackers to guess table names during SQL injection attacks. Changing this prefix adds an extra layer of protection.
Steps:
- Use a plugin like Change Table Prefix to modify the prefix of your database tables.
- You can also manually change the prefix by editing the
wp-config.php
file and the database tables, but this is more complex and should be handled by advanced users.
Why: Changing the database prefix makes it harder for hackers to launch SQL injection attacks.
16. Automatically Log Out Idle Users in WordPress
Leaving sessions open for inactive users can be a security risk. Automatically logging out users who are idle for a certain period can help mitigate this risk.
Steps:
- Install the Inactive Logout plugin.
- Go to Settings → Inactive Logout and configure the plugin to log out users after a set time (e.g., 10-15 minutes of inactivity).
Why: Automatically logging out inactive users protects your site from unauthorized access if someone leaves their computer unattended.
17. Securing Your Website Beyond WordPress: The Importance of Server-Level Maintenance
While the steps outlined above provide essential protection for your WordPress website, it’s important to remember that these measures only cover security at the software level within WordPress itself. To fully safeguard your site, it’s equally crucial to ensure that the underlying server software is also updated and maintained properly. This includes key components such as:
- MySQL/MariaDB (Database)
- Apache or NGINX (Web Servers)
- PHP (The programming language WordPress is built on)
- The Operating System itself (Linux distributions like Ubuntu, CentOS, etc.)
Just like WordPress, these server components can have vulnerabilities that hackers exploit. Regular updates, patches, and performance tuning are necessary to ensure your site remains fast, secure, and reliable.
Why You Should Leave It to a Professional.
Managing these server-level updates and configurations can be complex and, if not done properly, could lead to downtime, security risks, or performance issues. It’s best to leave these tasks to a professional who is experienced in managing and securing servers.
A trusted hosting provider or a managed service professional can take care of tasks such as:
- Regularly updating your server’s software and applying security patches.
- Configuring advanced firewall rules and ensuring secure connections.
- Monitoring server performance and optimizing settings for speed and reliability.
In combination with the WordPress-level security steps, keeping your server environment up to date is crucial for the overall health and security of your website. If you’re unsure about how to handle these updates, consider partnering with a professional who can ensure your server runs smoothly and securely.