
25 Effective ways to Secure WordPress website

Looking for an easy way to secure your WordPress website? Not sure where to start? Is your business worth more than the cost of a compromised website?

If your answer is YES, here are 25 effective ways to secure your WordPress site that will take much of the pain out of WordPress security.

Before we get started, answer the following questions in the comment section:

  • When did you start thinking about WordPress security?
  • Do you apply any security tweaks when you install WordPress?
  • Have you ever been the victim of a hacker?

Done? Let’s begin.


⇛ Why WordPress security matters:

Security is something we practise every day without calling it that. The world is becoming more digital every day, and new features arrive constantly in smartphones, computers and web software. New features sometimes bring new vulnerabilities with them.

We all lock our smartphones in some way: screen lock, pattern lock, password, or the old-fashioned PIN.

We pick whichever we like to keep our phones safe from unwanted access and data theft. If we take a phone’s security that seriously, we should take WordPress security just as seriously, because the same rule applies: new features sometimes come with vulnerabilities.

If you don’t want to do these yourself, you can always hire our team to do it for you.

⇛ 25 effective ways to Secure WordPress Website

Let’s start exploring the 25 effective ways to secure a WordPress website.

1) Set Up Daily Backups

Backing up your site regularly is essential, and every experienced webmaster knows it. Regrettably, many new WordPress users do not take backups as seriously as they should. If something goes wrong with the site, the database or a plugin update, you are left with nothing and end up paying a developer to rebuild the site from scratch.

It is not unusual for website owners to take backups seriously only after something has gone wrong. It is a hard lesson they never forget. If you’re smart, you will get into the habit from the very beginning. A backup is only useful if you can restore from it, so keep at least one copy off the server (object storage such as S3, not just the same hosting account) and test a restore now and then.

We use WPvivid + S3 at wpzonify and recommend the same.

A good host also takes backups regularly. See our “Hosting recommendation list”.
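Here is an added example of the kind of script a cron job would run for this item; it is not wpzonify’s or WPvivid’s code. It assumes the WordPress root path, a database-dump command passed in as a parameter (mysqldump or wp db export), and an optional S3_BUCKET variable with a configured aws CLI for the off-site copy. The checksum and the member check are what turn “test your backups” into something you can automate.

```shell
#!/bin/sh
# Added example (not wpzonify's script): daily WordPress backup with an
# integrity check, so that a restore can be trusted. Assumptions: WP_ROOT is
# the WordPress install directory; the database dump is produced by a command
# you pass in (e.g. "mysqldump --single-transaction wpdb" or "wp db export -");
# S3_BUCKET, if set, is an s3:// URI and the aws CLI is already configured.

# make_backup WP_ROOT OUT_DIR DB_DUMP_CMD
#   Creates OUT_DIR/site-<UTC stamp>.tar.gz containing database.sql,
#   wp-config.php and wp-content/, plus a .sha256 file next to it.
#   Prints the archive path on success, returns 1 on any failure.
make_backup() {
    wp_root=$1; out_dir=$2; dump_cmd=$3
    stamp=$(date -u +%Y%m%d-%H%M%S)
    archive="$out_dir/site-$stamp.tar.gz"
    work=$(mktemp -d) || return 1
    mkdir -p "$out_dir" || return 1

    # Database first: a backup of the files without the database is half a site.
    if ! sh -c "$dump_cmd" > "$work/database.sql"; then
        echo "database dump failed" >&2; rm -rf "$work"; return 1
    fi
    # wp-config.php holds the salts and DB credentials and lives outside wp-content.
    tar -czf "$archive" -C "$work" database.sql \
        -C "$wp_root" wp-config.php wp-content || { rm -rf "$work"; return 1; }
    sha256sum "$archive" | awk '{print $1}' > "$archive.sha256"
    rm -rf "$work"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
#   Returns 0 only if the checksum matches and the archive contains the
#   database dump, wp-config.php and the uploads directory.
verify_backup() {
    archive=$1
    expected=$(cat "$archive.sha256") || return 1
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $archive" >&2; return 1
    fi
    members=$(tar -tzf "$archive") || return 1
    for required in database.sql wp-config.php wp-content/uploads/; do
        if ! printf '%s\n' "$members" | grep -qx "$required"; then
            echo "missing $required in $archive" >&2; return 1
        fi
    done
    return 0
}

# upload_backup ARCHIVE
#   Off-site copy: a backup that lives only on the compromised server is not a backup.
upload_backup() {
    [ -n "${S3_BUCKET:-}" ] || return 0     # no bucket configured: skip
    aws s3 cp "$1" "$S3_BUCKET/" && aws s3 cp "$1.sha256" "$S3_BUCKET/"
}

# Example cron entry (daily at 03:15 UTC):
#   15 3 * * * /usr/local/bin/wp-backup.sh
# where the script ends with:
#   a=$(make_backup /var/www/html /var/backups/wp "mysqldump --single-transaction wpdb") \
#     && verify_backup "$a" && upload_backup "$a"
```

The dump command is deliberately a parameter rather than hard-coded, so the same script works whether the host gives you mysqldump, WP-CLI or something else, and a failing dump aborts the run instead of silently producing a files-only archive.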

2) Keep WordPress, Themes and Plugins Updated

WordPress is an open-source platform used by a huge number of businesses, and attackers routinely scan for known vulnerabilities in WordPress core, themes and plugins, because a flaw in a popular plugin is present on every site that runs it.

So it is important to install core updates as soon as they are released, and the same goes for the themes and plugins you use. Most compromised WordPress sites are running outdated software with a publicly known vulnerability.

There are two kinds of WordPress updates. Minor and maintenance releases can wait a few days if you need to test first. Security releases should be applied as soon as possible; WordPress installs minor security releases automatically unless you have switched automatic updates off.

Pro Tip: Make sure you have a backup before updating WordPress, themes and plugins, so that you can roll back if an update breaks the site.

How to update: In the WordPress dashboard, Dashboard > Updates lists everything that needs updating. Alternatively, download the latest release from the official WordPress website and upload it over the existing files in the directory where WordPress is installed, leaving wp-config.php and wp-content in place.


3) Use Strong Passwords and Sensible User Permissions

If you install WordPress through cPanel’s Softaculous, the installer pre-fills the admin username as “admin” and the password as “pass”. Many people leave them as they are, which is why attackers try that pair first. Choose a long, random password (a password manager will generate and remember it for you) and use a different one for the hosting control panel, the database and SFTP.

Don’t share the admin-privileged credentials with anyone, whether they are well-known people or friends. Trust no one. Give every person their own account with the lowest role that does the job (Editor or Author rather than Administrator).

If hosting support or someone you trust needs temporary dashboard access, use a “temporary login” plugin that creates a one-off login URL with an expiry date instead of handing over your password. Remember that whoever has the URL has the access, so send it over a private channel and delete the temporary login once the work is done.


4) Install and Set Up a WAF (Web Application Firewall)

A firewall reduces the number of bot attacks and other suspicious requests reaching your WordPress site. A firewall that runs on the server or in front of it (at the host or CDN level) is one step ahead of a plugin-level firewall, because it can drop a request before PHP and WordPress are even loaded; a plugin firewall only sees requests that WordPress is already handling.

Which firewall plugin do I recommend?

NinjaFirewall. Why?

I compared Wordfence and NinjaFirewall on the same hosting account: the Wordfence plugin usually uses more resources, while NinjaFirewall is lightweight and still blocks many threats. Both are plugin firewalls, so combine either with whatever your host or CDN provides.

How to install:

  • Log in to the WordPress dashboard.
  • Navigate to Plugins >> Add New.
  • Search for “NinjaFirewall” and install the plugin.
  • Follow the instructions offered by the plugin.

5) Don’t Use “admin” as the Username

The username is what you enter in place of the default “admin” when installing WordPress, and the password is what you enter in place of “pass”; both must be hard for others to guess.

Now to logging in. By default, WordPress allows anyone to try as many passwords as they like against a username; there is no built-in limit on failed attempts.

Yes, there is a Forgot Password feature you can use if you forget yours. But what if the person trying to log in isn’t you?

So change the default username “admin” to something less obvious when you install WordPress. Keep in mind that WordPress usernames are not secret (they can often be read from author archive URLs or the REST API users endpoint), so this removes the most-guessed value rather than hiding the account; pair it with a strong password, a login-attempt limit and 2FA from the items below.


6) Disable the WordPress File Editor

WordPress ships with two built-in editors: the Theme Editor and the Plugin Editor. With the Theme Editor you can change the files of the theme currently in use.

For example, removing WordPress credits from the footer or adding a Google Analytics snippet to the header. The Plugin Editor is the least-used function in WordPress and is mostly used by developers. If you don’t know what it does, you shouldn’t use it. Either way, such edits belong in a child theme deployed over SFTP, not in a browser editor.

Suppose an attacker gets into your WordPress site (a phished or reused password is enough). The first thing they will do is inject malicious code, and both editors make that trivial, because WordPress gives anyone logged in as an administrator unrestricted write access to theme and plugin PHP files. Once that is done, the site is compromised.

That is one reason to disable both editors. Another is that if you have multiple users on the site, someone could knowingly or by mistake change the code and break the site. These are the common reasons to disable the editors.

How to disable: Log in to cPanel or connect over SFTP with FileZilla. Edit the wp-config.php file, add the following line above the “That’s all, stop editing!” comment and save the changes.

define( 'DISALLOW_FILE_EDIT', true );

Both editors disappear once you reload the WordPress dashboard. Before disabling them, make sure you have SFTP or control-panel access to the website files, because that becomes the only way to edit theme and plugin code. If you also want to block plugin and theme installation and updates from the dashboard entirely, the related DISALLOW_FILE_MODS constant does that, at the cost of having to apply updates yourself.


7) Disable PHP Execution in the Uploads Directory

As stated above, once an attacker has a foothold on your site and file editing is still enabled, they will add malicious code to your theme or plugin files.

What if you have disabled the file editor? The attacker’s next move is to upload a PHP file (a “web shell”) to the uploads directory, through a vulnerable upload form or a media-library bug, and then request it in the browser to run code on your server. The uploads directory should only ever serve media, so tell the web server never to execute PHP there.

How to disable: Connect over SFTP again, go to /wp-content/uploads/ on your website and create a .htaccess file with the following content (Apache; on nginx the equivalent is a location block for the uploads path that returns 403 for .php files):

<FilesMatch "\.php$">
    deny from all
</FilesMatch>

That’s it. A file dropped into the uploads directory can still be stored, but requesting it returns 403 instead of running it, which takes away most of the value of the upload. On Apache 2.4 you can use “Require all denied” instead of “deny from all”; both work as long as the server allows .htaccess overrides for this directory. If your host’s PHP handler also executes .phtml or .phar files, extend the pattern to cover them.

8) Limit Login Attempts

There are many plugins that stop unknown people from hammering your login page. One such plugin is Loginizer. Install it on your WordPress site and follow its instructions; after a set number of failed attempts from one IP address, further attempts from that address are refused for a while, which turns an unlimited password-guessing run into a handful of tries.

Once you have chosen a username during installation you can’t change it from the profile screen (there are ways, but they take time). The limit applies to you as well: if you forget your password, don’t keep trying. Click Forgot Password and reset it. If you keep entering the wrong credentials, your own IP address may get blocked for a while. Also keep in mind that attackers spread attempts over many IP addresses and also target xmlrpc.php (see the xmlrpc.php item below), so a login limiter is one layer, not the whole answer.


9) Add Two-Factor Authentication

Two-factor authentication, 2FA for short, is a security feature used on many platforms. Logging in requires the password plus a short-lived code generated by an authenticator app on your phone; Google Authenticator, Authy and similar apps all implement the same TOTP standard. A stolen or guessed password alone is then not enough to log in.

How to set up 2FA: Log in to your WordPress dashboard, install and activate the 2FAS Light plugin, and install an authenticator app such as Google Authenticator or Authy on your phone (Android or iOS). Scan the QR code shown by the plugin and confirm a code, and keep a recovery method so that you are not locked out if you lose the phone.

10) Use a Different WordPress Database Prefix

The WordPress database is the source of everything on your site: posts, users, password hashes, settings. It is the foundation of your installation, which makes it the most valuable target for spammers and for their seniors, the hackers.

By default, whether you install WordPress via cPanel Softaculous or manually, the table prefix field shows “wp_”. Every automated attack knows that value, so some canned SQL-injection payloads hard-code table names such as wp_users. Choosing a different prefix makes those payloads fail. Whatever you enter should end with an underscore (_); if you keep “wp” at the start, the tables still sort together alphabetically in phpMyAdmin.

Be realistic about the benefit: an attacker with a working SQL injection can read the prefix from the options table, so this is a speed bump, not a fix. It is easiest to set at install time; changing it on an existing site means renaming every table and also updating the prefix inside the options and usermeta rows (user_roles, capabilities, user_level), which a migration plugin can do for you.

For example: RandomPrefix_


11) Password-Protect the WordPress Admin Folder

An additional layer of authentication in front of /wp-admin makes it harder for someone to reach the dashboard at all. The web server asks for a username and password (HTTP Basic authentication) before WordPress even loads the page, so automated scanners never see the WordPress login form.

If you use cPanel, set it up through the “Directory Privacy” function. Otherwise follow these steps.

  • Generate the .htpasswd entry locally rather than with an online tool (typing your password into someone else’s website is a bad habit): on a machine with the Apache tools run htpasswd -nB yourusername, or use openssl passwd -apr1.
  • The output is a line of the form username:hash. Copy it.
  • Connect over SFTP and create a .htpasswd file containing that line, ideally outside the web root (for example next to public_html rather than inside /wp-admin). Save changes.
  • Create a .htaccess file in /wp-admin with the following content, pointing AuthUserFile at the file you just created:

AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswd
AuthGroupFile /dev/null
AuthType Basic
require user putyourusernamehere

Once you have done this, the admin directory prompts for the credentials stored in .htpasswd before showing the WordPress login. Two caveats: Basic authentication sends the password with every request, so it only makes sense over HTTPS (see the SSL item below); and some themes and plugins call wp-admin/admin-ajax.php from the public site, so add an exception for that file in the same .htaccess (allow it without authentication) or those front-end features will start prompting visitors for a password.

12) Disable Directory Browsing

Directory indexing can be a problem: if a folder has no index file, the web server lists its contents, which lets an attacker see which plugins are installed and browse and download everything in the uploads directory. On LiteSpeed servers the listing is usually already off and you get an error page instead; if your host’s server still lists directories, add the following line to the .htaccess file in the WordPress root to turn it off:

Options -Indexes

Quick check: open the /wp-content/uploads/ path of your site in a browser. You should get a 403 or an empty page, not a list of files.

13) Disable xmlrpc.php in WordPress

XML-RPC is WordPress’s older remote API: it uses HTTP as the transport and XML as the encoding so that other systems (the mobile apps, Jetpack, remote publishing tools) can talk to your site. Everything it offers is also available through the REST API nowadays, so most sites don’t need it.

Problems XML-RPC causes in WordPress:

  • DDoS via XML-RPC pingbacks: attackers ask thousands of WordPress sites to “ping” one victim.
  • Brute-force attacks via XML-RPC: the endpoint accepts username and password with every call, and multicall requests let one HTTP request carry many login attempts, which sidesteps plugins that only count attempts on wp-login.php.

How to disable it: Paste the following into the .htaccess file in the WordPress root. Everything is denied except the one address on the Allow line; replace 123.123.123.123 with an address that genuinely needs XML-RPC, or drop the Allow line entirely to block it for everyone.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
    order deny,allow
    deny from all
    allow from 123.123.123.123
</Files>

Before you do this, check whether you rely on anything that uses XML-RPC (Jetpack, the WordPress mobile app, some backup and publishing services); those will stop working.

14) Protect the wp-config.php File

The next WordPress security tweak is to safeguard wp-config.php. It holds the secret keys and salts, the database host, user and password, so anyone who can read it can connect to your database and pull it completely, or forge authentication cookies.

Nobody wants that data to fall into the wrong hands, so wp-config.php deserves explicit protection. PHP normally executes the file rather than showing its source, but a misconfigured PHP handler, a leftover copy such as wp-config.php.bak or a source-disclosure bug can expose it, and the rule below costs nothing.

How to protect it with a .htaccess rule: Paste the following into the .htaccess file in the WordPress root and save the changes.

<files wp-config.php>
    order allow,deny
    deny from all
</files>

On Apache 2.4 the equivalent is “Require all denied” inside the same block. Also set the file permissions so that only the web server user can read it (0600 or 0640 via SFTP), and delete any wp-config.php.bak or wp-config.php~ copies, which the rule above does not cover because it matches the exact file name only.
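As an added example (not from the article), the following script checks that the hardening from the file-editor, uploads, directory-listing, xmlrpc.php and wp-config.php items is really in place, by reading wp-config.php and the two .htaccess files under a WordPress root. It is a read-only self-check you can run over SSH or on a local copy after applying the rules; the paths and the grep heuristics are assumptions, and it recognises the Apache 2.2 spellings used in this article as well as the Apache 2.4 “Require all denied” form.

```shell
#!/bin/sh
# Added example (not from the original article): a quick self-check that the
# .htaccess and wp-config.php hardening described above is actually in place.
# It only reads files under the WordPress root, so it can run on a local copy
# or over SSH. The grep patterns are heuristics for the Apache 2.2 and 2.4
# spellings shown in this article; a hand-written rule in another form may
# need adjusting.

# Helper: does FILE contain a <Files ...> or <FilesMatch ...> line mentioning
# NAME, and a deny directive (2.2 "deny from all" or 2.4 "Require all denied")?
_deny_block_for() {
    file=$1; name=$2
    [ -f "$file" ] || return 1
    grep -Eiq "<files(match)?[^>]*$name" "$file" &&
    grep -Eiq "deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+all[[:space:]]+denied" "$file"
}

check_file_editor_disabled() {   # wp-config.php: DISALLOW_FILE_EDIT set to true
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}
check_uploads_php_blocked() {    # wp-content/uploads/.htaccess denies *.php
    _deny_block_for "$1/wp-content/uploads/.htaccess" 'php'
}
check_dir_listing_disabled() {   # root .htaccess: Options -Indexes
    grep -Eiq "^[[:space:]]*Options[[:space:]].*-Indexes" "$1/.htaccess" 2>/dev/null
}
check_xmlrpc_blocked() {         # root .htaccess: <Files xmlrpc.php> ... deny
    _deny_block_for "$1/.htaccess" 'xmlrpc\.php'
}
check_wpconfig_blocked() {       # root .htaccess: <Files wp-config.php> ... deny
    _deny_block_for "$1/.htaccess" 'wp-config\.php'
}

# audit_wp_hardening WP_ROOT
#   Prints PASS/FAIL per check and returns the number of failed checks,
#   so "audit_wp_hardening /var/www/html || echo 'fix the FAIL lines'" works.
audit_wp_hardening() {
    root=$1; failures=0
    for check in check_file_editor_disabled check_uploads_php_blocked \
                 check_dir_listing_disabled check_xmlrpc_blocked check_wpconfig_blocked; do
        if "$check" "$root"; then
            echo "PASS $check"
        else
            echo "FAIL $check"; failures=$((failures + 1))
        fi
    done
    return "$failures"
}
```

Run it as audit_wp_hardening /path/to/wordpress after editing the files; a non-zero exit status means at least one protection is missing, which makes it easy to wire into a cron job that emails you when a plugin or host migration silently overwrites a .htaccess file.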


15) Block Obvious Script Injection Attempts

Attackers constantly try to inject scripts into WordPress sites through request parameters. A successful injection not only hurts your business, it is also expensive: Google flags the site as “This site may be hacked” in search results, and you may have to pay developers to clean it up or rebuild it.

A .htaccess rule can drop the most blatant attempts before they reach PHP. Add the following to your .htaccess file and save the changes; the first condition rejects query strings containing a <script> tag, the other two reject attempts to overwrite PHP’s GLOBALS or _REQUEST arrays through the URL:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Treat this as a tripwire, not as protection: a pattern match on the query string is easy to bypass (different encodings, POST bodies, payloads that never spell out “script”), and it can block legitimate content that happens to contain those strings. The real defence against script injection is keeping plugins patched, because that is where the vulnerable code lives.

16) Stop Hotlinking of Your Files

Hotlink protection stops other websites from embedding files directly from your server. When another site links to your images or downloads so that they load from your server, your bandwidth pays for their page; hotlink protection refuses those requests unless the referring page is your own site (or there is no referrer, which covers direct visits and privacy-conscious browsers). It does not stop scrapers that copy your content, only the embedding of your files.

How to enable hotlink protection: Place the following in your .htaccess file, replace example.com with your domain, and save the changes.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|png|zip|rar|mp3|flv|swf|pdf)$ - [F]

Keep the extension list to media and downloads: blocking .php by referrer breaks your own pages for visitors arriving from search engines or other sites, and blocking .xml breaks feed readers.

17) Add Security Questions to the WordPress Login Screen

You can add a further hurdle to the login page: anyone trying to log in has to answer questions that you set up through a plugin.

How to set up: Install the WP Security Questions plugin on your WordPress site and follow its instructions.

Pro Tip: If you already have a login-attempt limit and 2FA enabled, the WP Security Questions plugin adds little; security questions are a weaker second factor than an authenticator app because the answers can often be guessed or looked up.

18) Prevent Unnecessary Info from Being Displayed

When somebody (or you?) fails to log in to the WordPress dashboard, WordPress shows different messages depending on what went wrong, such as an unknown-username error versus “the password you entered for the username XYZ is incorrect”. That difference tells an attacker which usernames exist.

Why not stop that information from being displayed? Add the following to your theme’s functions.php (or better, to a small custom plugin so the change survives a theme switch). The old create_function() approach no longer works on PHP 8; the closure below does the same job and returns one neutral message for every failure:

add_filter( 'login_errors', function ( $error ) {
    // Same message whether the username or the password was wrong,
    // so failed logins no longer confirm which usernames exist.
    return 'Login failed. Please check your credentials.';
} );

Or use the same plugin I suggested earlier to change it quickly. Keep in mind that usernames also leak through author archives (/?author=1) and the REST API users endpoint, so this closes one leak, not all of them.


19) Use Cloudflare

Cloudflare is a CDN that caches your website in its data centres around the world and serves content from the location nearest to the visitor, and the same proxy layer can be used for security: it hides your origin server’s IP address, absorbs DDoS traffic, blocks known-bad bots and lets you add rules such as challenging requests to wp-login.php and xmlrpc.php. The free plan already includes the basics, and I’d highly recommend setting it up.

How to set up: Head over to cloudflare.com and sign up with your website address. You will be given a pair of name servers to set at your current domain registrar; once DNS has switched, your traffic passes through Cloudflare. Because the site now sits behind a proxy, make sure your host restores the real visitor IP (Cloudflare sends it in the CF-Connecting-IP header); otherwise login limiters and IP blocks see only Cloudflare’s addresses.


20) Install and Use an SSL/TLS Certificate

I shouldn’t need to explain the importance of an SSL certificate at length: TLS encrypts everything between the visitor’s browser and your server, including the WordPress login password and the authentication cookie, which would otherwise travel in plain text over any Wi-Fi network. Chrome now shows a “Not secure” badge in the address bar for sites that are still served over plain HTTP.

The hosts in my hosting recommendation list offer a certificate for free. Once it is installed, make sure you redirect all HTTP requests to HTTPS and set the WordPress Address and Site Address in Settings > General to the https:// URL, so that nobody ends up on the unencrypted version.


21) Blacklist Undesired Users and Bots

We used to see repeated login attempts against our WordPress site from the same IP address (before we put the rules in this article in place). What we did was add a .htaccess rule blocking that address, which stopped the repeated failed logins.

It is not only for failed logins; you can block any IP address you want to keep away from your WordPress site:

  • Stopping repeated failed login attempts.
  • Stopping comment spam from an IP address.
  • Cutting off any suspicious IP address.

How to do it: Place the following in your .htaccess file, replacing the address with the offending one (the one shown is a documentation-only placeholder). You can list several Deny lines, or a whole range in CIDR notation such as 203.0.113.0/24.

Order Allow,Deny
Allow from all
Deny from 203.0.113.5

Blocking by IP is a short-term tool: attackers rotate addresses, and a shared or mobile IP can lock out legitimate users, so review the list now and then. If you are behind Cloudflare, block the address in Cloudflare’s firewall instead, since your server only sees Cloudflare’s IPs.
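An added example, not from the article, of how to find the addresses worth blocking instead of picking them by hand for the login-attempt and blacklist items: it scans an access log in the common/combined format for failed POSTs to wp-login.php and any POST to xmlrpc.php, and prints ready-made Deny lines. The sample log is constructed; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges, and the log format and field positions are assumptions about your server’s configuration.

```shell
#!/bin/sh
# Added example (not from the original article): find the IP addresses that
# are hammering the login endpoints in an Apache/nginx combined-format access
# log and turn them into .htaccess Deny lines. Assumes the common/combined log
# format: IP - - [date tz] "METHOD path HTTP/x" status bytes "referer" "agent".
# The sample log below is constructed for this example.

# failed_login_ips LOGFILE THRESHOLD
#   Prints "count ip" for every IP with at least THRESHOLD suspicious hits:
#   POST /wp-login.php answered with 200 (WordPress redirects with 302 on a
#   successful login, so a 200 means the form came back with an error) and any
#   POST to xmlrpc.php, which brute-forcers use to bypass login-attempt limits.
failed_login_ips() {
    awk -v limit="$2" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ && $9 == "200" || $7 ~ /^\/xmlrpc\.php/) {
            hits[$1]++
        }
        END {
            for (ip in hits) if (hits[ip] >= limit) print hits[ip], ip
        }' "$1" | sort -rn
}

# deny_rules LOGFILE THRESHOLD
#   Emits the .htaccess fragment for the offenders found above (empty if none).
deny_rules() {
    ips=$(failed_login_ips "$1" "$2" | awk '{print $2}')
    [ -n "$ips" ] || return 0
    printf 'Order Allow,Deny\nAllow from all\n'
    printf '%s\n' "$ips" | while read -r ip; do printf 'Deny from %s\n' "$ip"; done
}

# Constructed sample: one brute-forcer on wp-login.php, one xmlrpc.php abuser,
# and a real user who mistyped once and then logged in (302).
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2020:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.22"
203.0.113.7 - - [10/Mar/2020:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.22"
203.0.113.7 - - [10/Mar/2020:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.22"
203.0.113.7 - - [10/Mar/2020:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.22"
198.51.100.9 - - [10/Mar/2020:03:15:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2020:03:15:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2020:03:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2020:08:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2020:08:00:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2020:08:00:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 52110 "https://example.com/wp-login.php" "Mozilla/5.0"
EOF
}
```

On a real server you would run deny_rules /var/log/apache2/access.log 20 (or whatever threshold fits your traffic) and paste the output into .htaccess, or better, feed the addresses to fail2ban or Cloudflare so that the block expires by itself. The status-code check matters: counting every POST to wp-login.php would list your own successful logins too.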

22) Use Secure Hosting Services

Web hosting plays a big role in WordPress security. Whether you have a personal blog or a large-scale business site, secure hosting is essential.

If your host is not serious about security, a compromise of a neighbouring account on shared hosting can spread to yours. Ask whether accounts are isolated from each other (separate system users, no world-readable home directories), whether the host patches its servers promptly and offers a current PHP version, and how backups and restores are handled. Have that conversation with the provider before making the purchase.


As stated several times already, a WordPress hack can be very expensive, and you don’t want to spend your time and money building another website. Do you?

23) Use the Latest PHP Version

Running a current PHP version is another security tweak: only supported PHP branches receive security fixes, and newer branches are also noticeably faster, so the site loads quicker too.

Roughly 40%-50% of WordPress sites were still on outdated PHP versions when this was written, leaving known interpreter vulnerabilities open to attackers.

Use a branch that still receives security support (check php.net/supported-versions.php); PHP 7.2 and 7.3 were the current choices when this was written, and both have since reached end of life. Check your version under Tools > Site Health in the dashboard, test the site on the new version in a staging copy if you can (old plugins sometimes break), then switch it in your host’s PHP selector.

24) Hide the WordPress Version

By default WordPress advertises its version number in several places: a generator meta tag in the page head, ?ver= parameters on the scripts and stylesheets it enqueues, and the RSS feed. An attacker scanning for sites running a release with a known, unpatched vulnerability can pick yours out immediately, which is exactly why security releases need to be installed.


Running the latest WordPress version is what I strongly suggest for everyone, because it fixes the vulnerability itself. If you are stuck on an older release for some reason, hiding the version at least stops the cheapest scans from identifying you; it does not stop a targeted attacker, who can fingerprint the version from file contents.

How to hide the version: add the following to your theme’s functions.php (or a small custom plugin). It removes the generator tag from the page head and strips the core version from script and style URLs. Feeds use a separate the_generator filter, and removing ?ver= also removes the cache-busting parameter from those URLs, so purge your cache after core updates.

// Drop the <meta name="generator" content="WordPress x.y"> tag from the head.
remove_action( 'wp_head', 'wp_generator' );

// Strip ?ver=<core version> from enqueued script and style URLs.
function remove_version_from_style_js( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'remove_version_from_style_js' );
add_filter( 'script_loader_src', 'remove_version_from_style_js' );

25) Automatically Log Idle Users Out

Remember how your online banking logs you out after a while if you are inactive? Automatically logging out inactive users is a standard control because it shortens the window in which an unattended browser or a stolen session cookie can be used. WordPress itself keeps you logged in for 2 days by default, or 14 days if you tick “Remember Me”, regardless of activity.

To get the same behaviour on your WordPress site, install the Inactive Logout plugin and set a short idle timeout in its settings.

26) Keep an Eye on Recent Changes

Keeping a record of who changed what makes it easy to spot suspicious activity and stop it before the site is compromised; it also helps you troubleshoot errors and, after an incident, work out how and when the breach happened.

The Aryo Activity Log plugin is free and lightweight, and you can use it to monitor things like:

  • Repeated failed logins and other signs that someone is trying to break in.
  • When a post was published, and who published it.
  • When a plugin was activated or deactivated.
  • Suspicious administrator activity, such as new admin users, file edits or option changes.

Logs stored in the WordPress database can be wiped by an attacker who has admin access, so also keep the web server’s access logs (your host usually provides them) and review both after anything odd.

27) Safeguard Your Computer

Last but not least: securing your own computer matters, because you use it to sign in to WordPress, the hosting panel and SFTP. Malware on that machine (a keylogger, or a browser extension that steals cookies) hands attackers your credentials and sessions no matter how well the server is locked down. Keep the operating system and browser updated, run reputable anti-malware software, don’t log in from shared or public computers, use a password manager rather than saved plain-text passwords, and use SFTP rather than plain FTP, which sends your password unencrypted.

Final Words:

This is an extensive list of security improvements you can make to a WordPress site. In addition, only use trustworthy plugins and themes from the official directory or a reputable vendor, never “nulled” or unknown-origin copies, and remove the plugins you don’t use, because every installed plugin is code an attacker can exploit.

Finally, I’m curious about your own WordPress security settings. Please share them in the comment section.

About Manoj lk

Manoj helps small business owners run their WordPress websites securely while also growing their business revenue. You can reach him by email at Manoj@wpzonify.com
