The internet is full of cyber threats, so webmasters shouldn’t leave website security up to luck. It’s paramount to stay safe online. That’s why in this article we will uncover how to secure WordPress by using the 12 best web security practices.
WordPress security is a topic of huge importance for every website owner. Google blacklists around 10,000+ websites every day for malware and around 50,000 for phishing every week.
If you are serious about your website, then you need to pay attention to the WordPress security best practices. In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.
While WordPress core software is very secure, and it’s audited regularly by hundreds of developers, there is a lot that can be done to keep your site secure.
Why Do You Need to Secure WordPress?
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information, passwords, install malicious software, and can even distribute malware to your users.
Powering 30.5% of all websites on the internet, WordPress is the most popular CMS to date. Unfortunately, its popularity also attracts hackers who seek to exploit the platform’s vulnerabilities. Sucuri confirmed this claim with a study that counted that 90% of 25,466 studied websites in 2018 that experienced security breaches use WordPress.
Hacking occurs to WordPress websites when bad actors manage to exploit vulnerabilities in the WordPress core, plugins, and themes. Based on WPScan vulnerability database statistics, we gathered some of the most common types of WordPress security vulnerabilities:
- Cross-site request forgery (CSRF) — forces the user to execute unwanted actions in a trusted web application.
- Distributed Denial-of-Service (DDoS) attack — incapacitates online services by flooding it with unwanted connections, thus rendering a site inaccessible.
- Authentication bypass — allows hackers to access website resources without needing to verify their authenticity.
- SQL injection (SQLi) — forces the system to execute malicious SQL queries and manipulates data within the database.
- Cross-site scripting (XXS) — injects malicious code that turns the site into a transporter of malware.
- Local file inclusion (LFI) — forces the site into processing malicious files placed on the server.
The consequences of getting hacked are far from pleasant. The hacked site, first and foremost, may experience significant data, asset, and credibility loss. Furthermore, if your website manages customer information, the incident can jeopardize your customers’ personal data and billing information.
Before you scramble to find another CMS, we have good news for you. The information above by no means indicates that WordPress has a terrible security system. On the contrary, most web security breaches happen due to the user’s lack of security awareness.
In short, you have the power to prevent hacking attacks from happening in the first place. And we’re here to help you do that.
How to Secure WordPress: 12 Best Practices
Securing a WordPress site doesn’t require a big budget or advanced technical knowledge. Here’s how to secure WordPress using 12 easy to implement security practices.
Worst, you may find yourself paying ransomware to hackers just to regain access to your website.
1. Keeping Your Site Updated with Secure WordPress Releases
The CMS releases regular software updates to improve site performance, including its security, making sure to keep secure WordPress. Thus, updating your website is the most basic web security practice you should do.
Despite sounding so simple, 41.9% of WordPress websites are still running on outdated versions. If your site isn’t using version 5.2 as of writing, then you put your site at a higher risk of a breach and need to update to secure WordPress.
To check whether or not you have the latest secure WordPress version, you can navigate to the Updates menu from your WordPress dashboard. For the complete list of all released and to be announced secure WordPress versions, see this codex.
In case you don’t know how to update WordPress, you can follow this tutorial.
2. Using Secure WordPress Admin Login Credentials
One of the most common mistakes many users still do to this day is using common usernames like “admin,” “administrator,” and “test.” This is a small yet fatal error as doing so puts your site at a higher risk of successful brute force attacks.
Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.
Here’s how to create a new secure WordPress administrator account:
- From your WordPress dashboard, navigate to the Users ->Add New.
- Create a new user and assign the Administrator role to that account. Hit Add New User once you’re done.
- Re-log with the newly created secure WordPress user.
- Head back to the Users section, then navigate to the All Users section. Tick the old admin account’s checkbox you want to delete. Change the Bulk Actions dropdown menu to Delete, and click Apply.
As brute force attacks can even target secure WordPress sites with weak passwords, it’s essential to use unique login details. Try to incorporate variations of numbers, uppercase letters, and special characters into your password to make it harder to guess. Tools like LastPass and 1Password can help you create and manage complex passwords effortlessly.
Additionally, be aware of the network you use before logging into even a secure WordPress site. Public networks, like a coffee shop and library wifi, may not be as secure as they seem. To protect your login credentials, we advise you to use a VPN before going online in public places.
3. Disable File Editing
WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.
You can easily do this by adding the following code in your wp-config.php file.
// Disallow file edit define( 'DISALLOW_FILE_EDIT', true );
Alternatively, you can do this with 1-click using the Hardening feature in the free Sucuri plugin.
4. Enabling 2-Step Authentication
Two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.
Most top online websites like Google, Facebook, Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.
First, you need to install and activate the Two Factor Authentication plugin. Upon activation, you need to click on the ‘Two Factor Auth’ link in WordPress admin sidebar.
Next, you need to install and open an authenticator app on your phone. There are several of them available like Google Authenticator, Authy, and LastPass Authenticator.
We recommend using LastPass Authenticator or Authy because they both allow you to back up your accounts to the cloud. This is very useful in case your phone is lost, reset, or you buy a new phone. All your account logins will be easily restored.
We will be using the LastPass Authenticator for the tutorial. However, instructions are similar for all auth apps. Open your authenticator app, and then click on the Add button.
You will be asked if you’d like to scan a site manually or scan the bar code. Select the scan bar code option and then point your phone’s camera on the QRcode shown on the plugin’s settings page.
That’s all, your authentication app will now save it. Next time you log in to your website, you will be asked for the two-factor auth code after you enter your password.
Simply open the authenticator app on your phone and enter the code you see on it.
5. Disabling PHP Error Reporting to Secure WordPress
The PHP error reporting feature is useful for monitoring the site’s PHP scripts. However, broadcasting your website’s vulnerabilities to other people is a serious security flaw and won’t help secure WordPress.
There are two ways to disable PHP error reporting to secure WordPress — via the PHP file or hosting control panel.
The first method requires you to add the following code snippet to the site’s wp-config.php file to help secure WordPress. Be sure to add it before any other PHP directive. You can use either an FTP client or File Manager to make the modification.
error_reporting(0); @ini_set(‘display_errors’, 0);
If you don’t want to deal with coding, you can opt for the second method. Here’s how you can disable PHP error reporting for a secure WordPress site from Hostinger’s hPanel:
- From your hPanel dashboard, navigate to the Advanced -> PHP Configuration.
- On the PHP Options tab, uncheck the display_errors option. Then, click Save.
6. Not Using Nulled Themes Instead of Secure WordPress Themes
Despite being more affordable, nulled themes have a ton of security flaws. They often carry malware, spam links, and backdoors that can endanger your website’s security.
Being distributed illegally, nulled themes also don’t come with any support from the developers. That means if something bad happens to your site, you’re on your own, without any advice on how to secure WordPress after an incident.
For this reason, it’s best to avoid using nulled themes at all costs and opt for secure WordPress themes from official repositories or trusted developers and their official marketplaces.
7. Change WordPress Database Prefix
By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, then it makes it easier for hackers to guess what your table name is. This is why we recommend changing it.
Note: This can break your site if it’s not done properly. Only proceed, if you feel comfortable with your coding skills.
8. Password Protect WordPress Admin and Login Page
Normally, hackers can request your wp-admin folder and login page without any restriction. This allows them to try their hacking tricks or run DDoS attacks.
You can add additional password protection on a server-side level, which will effectively block those requests.
9. Scanning WordPress for Malware
Despite being cautious about the plugins and themes you install on your site while trying to secure WordPress, there’s no guarantee that they won’t carry any malware with them. The most common types of malware are viruses, spyware, and ransomware — all of which are incredibly harmful to your site.
Therefore, it’s crucial to scan your site regularly. To know how to secure WordPress best, you should check out what the various plugins offer.
Fortunately, there are plenty of great security plugins to choose from. Take a look at our recommendations of WordPress security plugins below and see which one best suits your preference:
- Wordfence — a popular security plugin with real-time malware signature updates, a block alert that notifies you if another site blacklists yours for suspicious activity, and reCAPTCHA protection.
- BulletProof Security — helps secure WordPress with an idle session logout feature that prevents other users from hijacking an unattended device, hidden plugin folders that aren’t visible in the WordPress plugins section, and database backup and restoration tools.
- Sucuri Security — one of the best WordPress security plugins on the market that offers various SSL certificates, remote malware scanning, and post-hack security action features that can show you how to secure WordPress after a breach and help resolve technical issues and improve security.
Don’t know how to install a secure WordPress plugin? Not to worry, this comprehensive guide can help you set one up in no time.
10. Disable Directory Indexing and Browsing
Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access.
Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.
You need to connect to your website using FTP or cPanel’s file manager. Next, locate the .htaccess file in your website’s root directory.
After that, you need to add the following line at the end of the .htaccess file:
Now save your
.htaccess file and upload it back to your server using your FTP client. That’s all you need to do. Directory browsing is now disabled on your WordPress site and people trying to locate a directory index on your website will be redirected to WordPress 404 page.
11. Migrating a Site to More Secure WordPress Hosting
41% of WordPress websites were hacked due to security loopholes in their hosting accounts. Despite being seemingly unrelated, your web hosting provider has a significant role in keeping your server secure. In other words, your website security won’t matter much if the server it’s on is prone to cyberattacks.
If you think your current web hosting provider is unreliable, it’s time to migrate your WordPress site to a new one. Here’s what you need to consider when deciding how to secure WordPress through hosting:
- Type of web hosting
Due to server sharing, shared hosting tends to be more prone to cyberattacks than other types of hosting. So, you either make sure your account is isolated from other users or migrate to VPS or dedicated hosting.
A good hosting provider monitors its network for suspicious activity and updates its server software and hardware periodically. They also need to have server security and protection against all types of cyberattacks.
Regardless of the type of hosting, having automatic backups and security tools for preventing malware is a must-have feature to secure WordPress. In the worst-case scenario, you can use it to restore a compromised website.
Having a 24/7 support team with excellent technical knowledge to help you secure WordPress is essential in tackling any technical and safety problems that may occur.
We recommend Hostinger as our preferred managed WordPress hosting provider. They’re also the most popular one in the industry.
12. Backing Up as Frequently as Possible
While it’s essential that you arm your website with various security measures, regularly backing up the entire site is equally important. When thinking about how to secure WordPress, you won’t need to worry about losing all your hard work in the event of a security breach.
There are a few ways to create backups. You can manually download WordPress files and export the database or use your hosting provider’s backup tool. Various WordPress backup plugins can also help you do the job easily.
Here are several top-notch secure WordPress backup plugins worth considering:
- VaultPress — a Jetpack-powered plugin equipped with backup and restoration tools, site migration services, and automated file repair that restores infected files.
- BackUpWordPress — a beginner-friendly, multilanguage secure WordPress backup plugin that allows you to backup selected files or the entire website and provides you with the option to send them via email.
- Backup Guard — a feature-packed plugin that offers unlimited backups, cloud storage integration with popular platforms like Dropbox and Google Drive, backup logs that recap your backup history, and mail notification features.
13. Removing Unused Themes and Plugins
As themes and plugins can potentially have vulnerabilities, it’s not a good idea to pile them up on your site for no reason when considering how to secure WordPress. Furthermore, having outdated yet active plugins increases the risk of cyberattacks as hackers can use them to gain access to your site.
Thus, it’s best to remove unused plugins and themes altogether.
14. Using .htaccess for Better Security
The .htaccess file ensures WordPress links work properly. Without this file declaring the correct rules, you will get a lot of 404 errors. Additionally, the file can help you secure WordPress
For example, .htaccess allows you to block access from specific IPs or disable PHP execution on specific folders and helps run secure WordPress sites. The examples below show you how to use .htaccess to harden WordPress security.
IMPORTANT: Before making any changes, we strongly advise you to backup the old .htaccess file using either an FTP client or a File Manager. If anything goes wrong, you’ll be able to restore to a secure WordPress site.
15. Disallowing Access to the WordPress Administrator Area
The code below grants access to only specific IPs to the administrator area, helping secure WordPress.
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all allow from xx.xx.xx.xxx allow from xx.xx.xx.xxx </LIMIT>
Be sure to change XX.XX.XX.XXX to your IP address. If you’re not sure what your IP address is, WhatIsMyIP can help you identify it.
If you use more than one connection to manage your secure WordPress site, make sure to include all other IPs by repeating the allow from code as many times as necessary.
16. Disabling PHP Execution in Specific Folders
Hackers like to upload backdoor scripts to the Uploads folder. By default, this folder only hosts uploaded media files. So, it shouldn’t contain any PHP files. To keep a secure WordPress site, you can easily disable PHP execution in the folder by creating a new .htaccess file in /wp-content/uploads/ with these rules:
<Files *.php> deny from all </Files>
17. Protecting the wp-config.php File
The wp-config.php file contains WordPress core settings and MySQL database details, thus making it the most important file in your site. For the same reason, wp-config.php file is also a hacker’s primary target. You can easily protect this file and keep WordPress secure by implementing these .htaccess rules:
<files wp-config.php> order allow,deny deny from all </files>
18. Changing the Default WordPress Database Prefix to Prevent SQL Injections
The database holds and stores all crucial information required for your site to function. Due to this reason, hackers often target it with SQL injection attacks.
SQL injections comprise 80% of cyber-attacks executed on WordPress websites, making it one of the biggest threats. One of the reasons why hackers go with this type of cyberattack is because many users forget to change the default database prefix wp_.
In this step, we will briefly overview how to secure WordPress against such attacks.
19. Changing Table Prefix
IMPORTANT: Make sure to backup your secure WordPress MySQL database before proceeding.
- From your hPanel dashboard, navigate to the File Manager section and open the wp-config.php file. You can also use an FTP client.
- Look for the $table_prefix value within the following block of code, then replace the default database prefix wp_ with the new one. You can use a combination of letters and numbers to create a unique prefix.
/** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each * a unique prefix. Only numbers, letters, and underscores please! */ $table_prefix = 'wp_1secure1_';
- Moving back to the hPanel dashboard, access the phpMyAdmin section. Then, open your WordPress database by clicking Enter phpMyAdmin.
If you have multiple databases, you can find the database’s name in the wp-config.php file. Look for the following block of code:
// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define( 'WordPress database', 'user' );
- From the phpMyAdmin dashboard, navigate to the SQL tab at the top menu bar.
- Enter the following query in the SQL query editor to change your database prefix to secure WordPress:
RENAME table `wp_tablename` TO `wp_1secure1_tablename`;
Be sure to change `wp_tablename` with your current table name, and `wp_1secure1_tablename` with the new prefix and table name to help secure WordPress. Repeat this line of code based on the number of the tables you want to rename, then select Go.
Changing Value Prefix Manually
Depending on the number of plugins you installed on the site, you might need to update some values in the database manually to help secure WordPress. You can do it by running separate SQL queries on tables that are likely to have values with the wp_ prefix — Options and Usermeta tables, for example.
Instead of going through all your tables one by one, you can use the syntax below to filter all values that contain the prefix:
SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE '%wp_%'
`wp_1secure1_tablename` contains the table name in which you want to perform the query. Meanwhile, `field_name` represents the name of the field/column where values with wp_ prefix most likely appear.
Here’s how to manually change the prefix value to one that helps secure WordPress:
- From phpMyAdmin dashboard, navigate to the SQL tab at the top menu bar.
- Enter the above Select query in the SQL query editor to filter the values that contain wp_, then click Go. Be sure to modify the syntax according to your real table and field name.
- Once you get the results, update all values from wp_ to your newly configured prefix by clicking the Edit button next to the targeted field. Change the prefix value to the new one, then click Go. Do this to all the filtered values.
- Repeat these steps for the rest of the tables within the database to help secure WordPress.
Securing WordPress New Installation
If you are planning on installing a fresh site and want to keep a secure WordPress database, you don’t have to perform the above steps. WordPress automatically requires you to decide what table prefix you want to use during the database setup process. Refer to this tutorial for more information on how to set up a secure WordPress database.
As many cyber threats are lurking on the internet, all websites must have an excellent security system. As WordPress is a common target for hackers due to its popularity, webmasters should definitely take extra steps to ensure safety.
Here’s how to secure WordPress with 20 impactful web security practices:
- Keeping your site up to date with the latest secure WordPress release.
- Using unique admin login credentials.
- Disable File Editing
- Enabling 2-step authentication to secure WordPress.
- Disabling PHP error reporting.
- Avoiding the use of nulled WordPress themes.
- Scanning WordPress for malware.
- Migrating a site to more secure WordPress hosting.
- Backing up the WordPress site frequently.
- Turning off the File Editing feature.
- Removing unused themes and plugins.
- Using .htaccess to disable PHP execution and protect the wp-config.php file.
- Changing the default WordPress database prefix.
What do you think is the best way to secure WordPress? Let us know in the comments section below!