A Complete WordPress Security Guide (How to Secure a WordPress Website)
WordPress is one of the most popular content management systems out there, and with good reason. Google blacklists around 10,000+ websites every day for malware and around 50,000 every week for phishing. When it comes to WordPress security, users usually fall into two camps: those who take security seriously and take precautionary measures, and those who believe or hope it will never happen to them because their site is not important enough.
In this guide, we will share all the top WordPress security tips to help you protect your website against hackers and malware.
Why Is Website Security Important?
A hacked WordPress site can cause serious damage to your business revenue and reputation. Hackers can steal user information and passwords, install malicious software, and even distribute malware to your users.
If your website is a business, then you need to pay extra attention to your WordPress security.
Just as a business owner is responsible for protecting their physical store, as an online business owner you are responsible for protecting your business website.
Follow the tips below to secure your WordPress website:
1. Keep WordPress Updated for Security:
WordPress is open-source software that is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to initiate the update manually.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by third-party developers who regularly release updates as well.
These WordPress updates are crucial for the security and stability of your WordPress site. You need to make sure that your WordPress core, plugins, and theme are up to date.
2. Use Strong Passwords:
Make sure that the passwords for your WordPress website and your hosting account are both strong. Use a mix of uppercase and lowercase letters, numbers, and symbols to come up with a strong password. You can also use a password manager like LastPass to generate and store secure passwords for you.
Another way to reduce the risk is to not give anyone access to your WordPress admin account unless you absolutely have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.
3. Say Good-Bye to the Default “admin” Username:
WordPress used to set the default username to admin, and most users never bothered to change it. As a result, admin is usually the first username hackers try when they launch a brute-force attack.
There are three methods you can use to change the username:
- Create a new admin username and delete the old one.
- Use the Username Changer plugin.
- Update the username from phpMyAdmin.
Note: We’re talking about the username called “admin”, not the administrator role.
4. Enable a WordPress Backup Solution:
Backups are your first defense against any WordPress attack. Remember, nothing is 100% secure. Backups allow you to quickly restore your WordPress site in case something bad were to happen.
You may check out the importance of backups in our blog post.
Based on how frequently you update your website, the ideal setting might be either once a day or real-time backups. You may use any backup plugin, or use a backup service if your web host provides one.
5. Harden the Admin Area:
When it comes to hardening the admin area, you will want to change the default admin URL and limit the number of failed login attempts before a user is locked out of your site.
By default, the admin URL for your website looks like this: yourdomain.com/wp-admin. Hackers know this and will attempt to access that URL directly in order to gain access to your site.
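One way to limit failed login attempts using core WordPress hooks alone, as an added example that is not from this article or any plugin: a must-use plugin file whose thresholds and reliance on REMOTE_ADDR are assumptions.

```php
<?php
/*
Plugin Name: Login Attempt Limiter (added example)
*/
// Added example, not from the article or any plugin. Save it as
// wp-content/mu-plugins/login-limiter.php. The thresholds and the use of
// REMOTE_ADDR are assumptions: behind a proxy or CDN, derive the client IP
// from the header your proxy sets instead, or every visitor shares one counter.
define('LAL_MAX_ATTEMPTS', 5);
define('LAL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

// One transient per client IP; the hash keeps the transient name short and safe.
function lal_transient_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_failed_' . md5($ip);
}

// Count each failed login. Re-setting the transient on every failure keeps
// the window sliding, so the counter only expires after a quiet period.
add_action('wp_login_failed', function ($username) {
    $key   = lal_transient_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LAL_LOCKOUT_SECONDS);
    if ($count >= LAL_MAX_ATTEMPTS) {
        error_log(sprintf('[login-limiter] lockout for %s after %d failures (last username tried: %s)',
            $_SERVER['REMOTE_ADDR'] ?? 'unknown', $count, $username));
    }
});

// Refuse authentication while the IP is locked out. Priority 30 runs after
// core's username/password check (priority 20), so the generic error below
// replaces whatever core returned and reveals nothing about the account.
add_filter('authenticate', function ($user, $username, $password) {
    if ($username === '') { return $user; }   // form not submitted yet, nothing to check
    if ((int) get_transient(lal_transient_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts',
            'Too many failed login attempts. Please try again later.');
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that IP.
add_action('wp_login', function () {
    delete_transient(lal_transient_key());
});
```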
6. Change the WordPress Database Prefix:
By default, WordPress uses wp_ as the prefix for all tables in your WordPress database. If your WordPress site is using the default database prefix, it is easier for hackers to guess your table names. This is why we recommend changing it.
Changing your database prefix is a manual process that involves editing your wp-config.php file and renaming the tables using phpMyAdmin. Before making the change, be sure to back up your site as a precaution. You can change your database prefix from cPanel >> phpMyAdmin.
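The same rename carried out as a script rather than by hand in phpMyAdmin, as an added example that is not part of this article; it assumes a PDO-MySQL connection with placeholder credentials and a constructed new prefix, and it must run only after a full backup and after $table_prefix in wp-config.php has been changed to match.

```php
<?php
// Added example, not from the article: a one-off CLI script that does what the
// article describes doing by hand in phpMyAdmin. Host, database, credentials
// and the new prefix are placeholders. Take a full backup first and set
// $table_prefix in wp-config.php to the same new value before running it.
$oldPrefix = 'wp_';
$newPrefix = 'k4d9_';   // constructed example; use only letters, digits and "_"

$db = new PDO('mysql:host=localhost;dbname=wordpress;charset=utf8mb4',
              'wpuser', 'db-password-placeholder');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// "_" is a single-character wildcard in LIKE, so escape it in the pattern.
$likeOld = str_replace('_', '\_', $oldPrefix) . '%';

// 1. Rename every table that starts with the old prefix. RENAME TABLE is DDL
//    and commits implicitly in MySQL, which is why the backup matters.
$tables = $db->query('SHOW TABLES LIKE ' . $db->quote($likeOld))
             ->fetchAll(PDO::FETCH_COLUMN);
foreach ($tables as $table) {
    $renamed = $newPrefix . substr($table, strlen($oldPrefix));
    $db->exec("RENAME TABLE `$table` TO `$renamed`");
    echo "$table -> $renamed\n";
}

// 2. Some row *names* embed the prefix too: the option "wp_user_roles" and the
//    usermeta keys "wp_capabilities" / "wp_user_level". Skip this step and
//    every administrator loses all capabilities once the new prefix is live.
$stmt = $db->prepare("UPDATE `{$newPrefix}options` SET option_name = :new
                      WHERE option_name = :old");
$stmt->execute([':new' => $newPrefix . 'user_roles',
                ':old' => $oldPrefix . 'user_roles']);

// Core usermeta keys that start with the prefix are all prefix-based; check
// any plugin-defined keys that happen to start with "wp_" before running this.
$stmt = $db->prepare("UPDATE `{$newPrefix}usermeta`
                      SET meta_key = CONCAT(:new, SUBSTRING(meta_key, :start))
                      WHERE meta_key LIKE :pattern");
$stmt->bindValue(':new', $newPrefix);
$stmt->bindValue(':start', strlen($oldPrefix) + 1, PDO::PARAM_INT);
$stmt->bindValue(':pattern', $likeOld);
$stmt->execute();
echo "Rewrote {$stmt->rowCount()} usermeta keys.\n";
```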
7. Disable File Editing:
WordPress comes with a built-in code editor that allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature is a security risk, which is why we recommend turning it off.
You can easily do this by adding the following code to your wp-config.php file.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
8. Disable XML-RPC in WordPress:
XML-RPC was enabled by default in WordPress because it helps connect your WordPress site with web and mobile apps.
XML-RPC can significantly amplify brute-force attacks.
Use a plugin such as the Disable XML-RPC plugin to turn this feature off, or disable it using your .htaccess file.
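An added example, not from this article or the Disable XML-RPC plugin, of turning XML-RPC off from inside WordPress with core filters only; the Apache rule in the comment is the .htaccess alternative the article mentions.

```php
<?php
/*
Plugin Name: XML-RPC Hardening (added example)
*/
// Added example, not from the article or the Disable XML-RPC plugin. Save it
// as wp-content/mu-plugins/xmlrpc-hardening.php. It uses core filters only.
//
// Equivalent at the web-server layer (Apache 2.4 .htaccess), which rejects the
// request before PHP runs at all:
//     <Files "xmlrpc.php">
//         Require all denied
//     </Files>

// Every XML-RPC method that needs a login now fails authentication, so the
// endpoint can no longer be used to try username/password pairs.
add_filter('xmlrpc_enabled', '__return_false');

// Drop the unauthenticated methods that are the usual abuse targets:
// system.multicall bundles many calls into one request (the amplification
// the article refers to), and pingback.ping can be abused to make the site
// send requests elsewhere.
add_filter('xmlrpc_methods', function (array $methods) {
    unset(
        $methods['system.multicall'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
});

// Stop advertising the endpoint via the X-Pingback response header.
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);
    return $headers;
});

// Close pingbacks on every post as well, so a pingback is refused even if a
// theme or plugin re-registers the method.
add_filter('pings_open', '__return_false');
```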
9. Enable a Web Application Firewall:
The easiest way to protect your site and be confident about your WordPress security is by using a web application firewall (WAF).
A website firewall blocks all malicious traffic before it reaches your website.
10. Use HTTPS and SSL:
The Internet has been buzzing with blog posts and articles about the importance of HTTPS protocol and adding SSL security certificates to your site for quite some time now.
Using both on your site will not only increase your site’s security, but it will also benefit your search engine rank, establish trust in your visitors, and improve your conversion rate.
Talk to your hosting provider about obtaining an SSL certificate, or ask them to point you to a reputable company where you can buy one.
You may check out our post on the importance of SSL for a website.
11. Change Your WordPress Security Keys:
WordPress security keys are responsible for encrypting the information stored in the user’s cookies. They are located in the wp-config.php file and look like this:
Use the WordPress Salts Key Generator to change them and make your site more secure.
12. Use WordPress Security Plugins:
One popular WordPress security plugin is Sucuri Security. Install and activate the free Sucuri Security plugin.
After activating the plugin, the first thing you will be asked to do is generate a free API key. This enables audit logging, integrity checking, email alerts, and other important features.
13. Add Security Questions to the WordPress Login Screen:
Adding a security question to your WordPress login screen makes it even harder for someone to get unauthorized access.
You can add security questions by installing the WP Security Questions plugin. Upon activation, you need to visit Settings » Security Questions page to configure the plugin settings.
14. Scan WordPress for Malware and Vulnerabilities:
If you have a WordPress security plugin installed, then those plugins will routinely check for malware and signs of security breaches.
However, if you see a sudden drop in website traffic or search rankings, you may want to run a scan manually. You can use your WordPress security plugin, or one of the online malware and security scanners.
15. Add Two-Factor Authentication:
Two-factor authentication requires users to log in using a two-step method: the first step is the username and password, and the second step requires you to authenticate using a separate device or app.
Most major websites, such as Google, Facebook, and Twitter, allow you to enable it for your accounts. You can add the same functionality to your WordPress site.
First, you need to install and activate the Two Factor Authentication plugin. Upon activation, you need to click on the ‘Two Factor Auth’ link in the WordPress admin sidebar.
We hope this article will help you to learn the top WordPress security best practices as well as discover the best WordPress security plugins for your website.