In this guide, I’ll discuss WordPress Security in detail to keep your site safe and secure.
Here I’ve talked about important techniques, tools, and the best WordPress security plugins to safeguard your site from hackers and malware.
This guide covers basic techniques like taking regular backups, using SSL, keeping WordPress updates, and advanced security measures like securing the login page, mitigating DDoS attacks, and more.
Although securing a WordPress site is important and essential nowadays, it can be challenging. But if you follow the right security practices, you can safeguard your site from hackers.
Go through this guide on WordPress security with a full practical approach.
General WordPress Security Practices for a Safe & Secure Website
Keep WordPress, Plugins, & Themes updated
Most of the attacks on WordPress sites happen due to the use of backdated WordPress core files, plugins, and themes. It is highly recommended to keep your WordPress, plugins, and themes updated.
Use SSL
SSL certificates play a big role in your WordPress site’s security. SSL certificates will help your site transfer data within an encrypted environment and enable your site to serve content through HTTPS.
Use a strong password for user accounts
Using a strong and secure password for your WordPress account is one of the most important steps to your WordPress site’s security. Choose a WordPress account password with a combination of capital letters, small letters, special symbols, and numbers.
Keep a regular backup of your site
Backing up your WordPress site is peace of mind because when you keep a regular backup of your WordPress site, files, and databases, there are fewer to no chances of losing important site data.
Install plugins that are highly trusted and regularly updated
Installing plugins from unauthenticated sources which are not been updated for a long time can be dangerous for your site’s security. If you are looking for a plugin that can fulfill your requirement, then install and use only trusted plugins from the WordPress plugins directory and authentic sources.
Remove all unused or deactivated plugins
Sometimes it has been seen that WordPress users keep unused plugins on their site, which might be a huge security risk. If you have deactivated and not used a plugin for a long time, then it is best to delete those from your site.
Conduct regular security scans
You can use a WordPress vulnerability scanner (WPScan, Wordfence, Jetpack Scan, Sucuri SiteCheck) to regularly scan your WordPress site for malware or other security loopholes.
WordPress Security: Important Techniques to Safeguard Your Site
Get a Secure Hosting
The security of your WordPress site starts with secure hosting. Choose a reputable hosting company that will provide robust security Infrastructure with all essential features, monitoring, and support to safeguard your site from various online threats.
Check the Best WordPress Hosting Services.
Harden WordPress Login Security
The most important way to access your WordPress site is through the login panel. Hackers also target this entry point to gain access to your WordPress. There are many ways to harden WordPress Login Security that I have discussed below.
Keeping your WordPress login panel secure helps in your business success and maintains site performance. Here are various security measures to secure your login page.
Use a strong password
Always use a strong password to login into your WordPress. Use a mix of letters, numbers, symbols, uppercase & lowercase in your password. You can use a reputable password generator and password manager tool to do this.
Change or Hide WordPress Login URL
To change or Hide the URL of the WordPress login panel you can use plugins like WPS Hide Login.
Changing the WordPress login URL (wp-login.php) is not a full proof security solution, you can take other security measures like setting a strong password and activating two-factor authentication.
Password protect login page
To password protect your WordPress login panel you can set a password to your wp-admin directory using your hosting control panel.
This process will add a layer of security before accessing your WordPress login page.
If you have access to your hosting cPanel, go to the “Files” section and then click on “Directory Privacy”.
From your website’s root directory go to the “wp-admin” folder.
Now enable Password to protect this directory”.
Set a username and password to reach your login panel.
Finally, save the settings.
Limit the number of login attempts
By limiting the number of login attempts you can safeguard your WordPress site from brute-force attacks.
To limit login attempts on your site you can use a plugin like Limit Login Attempts Reloaded.
Add two-factor Authentication to your login page
Activating two-factor Authentication (2FA) on your WordPress login page is also helpful in mitigating brute-force attacks.
With 2FA a user needs to provide both a password and secondary code (received on the phone, email, or authenticator app) to login into your WordPress site.
WordPress two-factor authentication can be achieved with Wordfence Login Security plugin.
Check File Permission
WordPress file permissions are important to manage restrictions on certain parts of your website directory and files.
Like all files should be writable only by your user account on directories;
- /wp-admin/
- /wp-includes/
- /wp-content/plugins/
While all writable by both your user account and web server on directory;
- /wp-content/
If you have cell access you can change file permission as per the need. It is better to tighten permission as much as possible and loosen when needed.
The recommended permission is 644 for files and 755 for directories.
For wp-config.php it is best to keep 400 or 440 for enhanced security.
Securing wp-config.php
You can move the wp-config.php file to one directory above your WordPress installation. Also, make sure that you can only read it (400 or 440 permission).
If you have a server with .htaccess then you can put this code at the very top of your .htaccess to deny access to anyone who is searching for it.
<Files "wp-config.php">
Require all denied
</Files>Block HTTP requests using the XML-RPC protocol
Blocking HTTP requests that use the XML-RPC protocol is one of the effective ways to prevent brute-force attacks on your WordPress site.
If you have access to the .htaccess file, add this code to disable xml.rpc
<Files "xmlrpc.php">
Require all denied
</Files>You can also use a plugin like Wordfence to disable xml-rpc.
Hide WordPress Version
Hiding your WordPress version is like hiding your a**. If the WordPress version appears in your WordPress site then an attacker might get valuable information to search for security loopholes. It actually helps the attacker to exploit known vulnerabilities in that particular release.
You can use a plugin or function to remove the WordPress version.
Using plugin
You can use plugins like Wordfence to hide the WordPress version on your site.
Using code in functions.php
Using the below codes in your themes functions.php you can remove the wp_generator tag from the header, which displays the WordPress Version.
remove_action('wp_head', 'wp_generator');Or
function wp_remove_version() {
return '';
}
add_filter('the_generator', 'wp_remove_version');
remove_action('wp_head', 'wp_generator');Note: It is a minor security method to secure WordPress. Also, this approach removes the version number from the header only but it may appear in other places like RSS feed or file paths.
Use a Firewall
A Firewall acts as a security layer to your WordPress site which helps to filter malicious traffic and secure the website against potential threats.
Firewall helps your site in many ways including SQL Injection, XSS, and DDoS attacks.
Firewalls are of two types;
A web application firewall (WAF) monitors and filters traffic specific to your WordPress application.
A DNS-Level firewall routes your site traffic through their server to filter malicious traffic before reaching your web server.
WordPress security plugins are great solutions to implement firewall on your site.
Wordfence is a popular WordPress security plugin that provides a Web Application Firewall (WAF) to protect your site from malicious threats.
Cloudflare is one of the best Content Delivery Networks (CDN) that provides a WAF that protects your site from cross-site scripting (XSS), SQL Injection, and DDoS attacks. Cloudflare also helps to mitigate large-scale DDoS attacks on your site.
Mitigate DDoS Attacks
You can Mitigate DDoS Attacks on your WordPress site by following general security practices and using a firewall and CDN.
General security practices include login security, form security, keeping software and plugins updated, xml-rpc protection, monitoring traffic, and others.
Wordfence provides a Web Application Firewall (WAF) which creates a barrier between your site and the internet to filter malicious traffic.
On the other hand, CDNs like Cloudflare provide excellent DDoS attack protection for your WordPress site. It will help to filter all malicious traffic and keep your site available and secure during attacks.
WordPress Database Security
Change the Default WordPress Table Prefix
Changing the default table prefix is one way to keep your WordPress database secure. This technique is security through obscurity.
By default, the WordPress table prefix is set to wp_. If you keep the default setting it becomes easy for attackers to target it. If you want to achieve advanced security to your WordPress then you need to change the default table prefix.
The best approach is to do it at the time of WordPress installation. If you are installing WordPress for the first time, then follow the prompts to enter a new table prefix.
To change the table prefix, you need to apply the steps below.
Important: First, take a full backup of your database through phpMyAdmin or other tools.
1. Update wp-config.php
Find the line $table_prefix = ‘wp_’; in your wp-config file.
Change wp_ to your desired prefix for ex; $table_prefix = ‘myprefix_’;
2. Change table names in the database
Access your database through phpMyAdmin.
For each table, start with wp_ prefix change it to your new prefix.
Here are the SQL queries you need to run;
RENAME TABLE 'wp_posts' TO 'myprefix_posts';
RENAME TABLE 'wp_options' TO 'myprefix_options';
RENAME TABLE 'wp_users' TO 'myprefix_users';… and so on for all tables
After changing the prefix for all tables, you need to update preferences to the old prefix.
Here are the SQL queries to achieve that;
UPDATE 'myprefix_options' SET 'option_name' = REPLACE('option_name', 'wp_', 'myprefix_') WHERE 'option_name' LIKE 'wp_%';
UPDATE 'myprefix_usermeta' SET 'meta_key' = REPLACE('meta_key', 'wp_', 'myprefix_') WHERE 'meta_key' LIKE 'wp_%';Finally, deactivate and reactivate all plugins and themes to refresh the prefix. In that way, plugins & themes that are using the old prefix will now start using your new prefix.
After taking these steps, test your site thoroughly, including posts, pages, the login system, and others.
Rename the user_ login
Renaming the WordPress username is a step forward to your site security. As generic usernames like admin are easier to guess, hackers can apply various automated techniques to launch brute-force and dictionary attacks on your site.
Changing the WordPress username is not possible through your WordPress dashboard and you need to do it through the database.
Here are the steps;
- You need to access the phpMyAdmin through your web hosting hosting dashboard.
- You need to select your WordPress database and click on the wp_users table.
- Click on the edit button next to the username you want to change.
- You will be able to set a new username in the user_login field.
- Click on the Go button to save changes.
Prevent SQL Injection
- Implement a Firewall: Set up a web application firewall (WAF) to block malicious traffic and protect your site from SQL Injection, XSS & other attacks. You can use WordPress security plugins like Wordfence and Cloudflare to block several types of SQL injection attacks.
- Change WordPress Database Prefix
- Validate user input
- Perform regular updates
- Hide your WordPress version
- Limit user role access
- Remove unnecessary database functionality
- Creates custom database error messages
- Use prepared statements
Disable Hotlinking
Hotlinking allows third parties to embed images and media files directly from your site, without hosting those on their own server. When this happens repeatedly it consumes significant bandwidth on your server which in turn slows down your website’s performance.
If you are using Cloudflare you can easily implement hotlinking on your site by enabling Hotlink Protection under Scrape Shield.
Monitor user activity
Attacks on your WordPress site can happen both internally and externally. Checking your server log and user activity regularly helps you detect any suspicious behavior.
What are the best WordPress Security Plugins?
The best WordPress Security plugins that provide security to your website:
Frequently Asked Questions: WordPress Security
How to scan WordPress websites for vulnerabilities?
Choose a vulnerability scanner like Jetpack Scan (uses WPScan database), Sucuri free SiteCheck tool, and Wordfence scan to check for vulnerabilities in your WordPress site.
How to choose a secure WordPress hosting?
While choosing WordPress hosting check for security features like; SSL, firewalls, malware scanning, DDoS protection, automatic updates & regular backups.
How to scan WordPress sites for malware?
To scan WordPress for malware you can use plugins like Wordfence, Sucuri, & MalCare. You can also use online tools like Sucuri SiteCheck.
Which is the most trusted WordPress vulnerability scanner online?
WPScan is the best online WordPress vulnerability scanner continuously updated by leading WordPress security professionals.
If you want to ask anything about WordPress security, mention it in the comment below.
