Secure WordPress in Easy Steps

This guide features simple security measures you can implement to secure your WordPress site, prevent hacking attacks and keep your content safe. I’ll include the best WordPress security solutions and precautions in this post. If you follow them, you’ll sleep more soundly.
There are many WordPress security guides with 20-30 or even more steps on how to protect your WordPress site. Many of those steps are completely unnecessary for the average user.
Here are quick and simple steps you should take to keep your WordPress site safe and secure:
1. Don’t use ‘admin’ as a username
Most WordPress ‘hacks’ and attacks don’t do anything more sophisticated than try to brute-force their way into your admin area by guessing your password. That’s much easier for them to do if they don’t also have to guess your admin username! Avoiding common words (like admin) for your usernames can make brute-force attacks much less effective.
If you’re working with an older site that already has an ‘admin’ user, it might be time to delete that account and transfer any content or access to a more secure username!
2. Use a complex password
Having a better password can make it much harder to guess or to brute-force. An easy tip to remember is CLU: Complex. Long. Unique.
But longer, unique passwords can be hard to remember, right? That’s where tools like 1Password and LastPass come into play, as they each have password generators. You type in the required length, and it generates a password for you. You save the link, save the password, and move on with your day. Depending on how secure you want the password to be, it’s sensible to set a long password (20 characters is good) and decide on things like the inclusion of less usual characters like # or *.
3. Add two-factor authentication
Even if you’re not using ‘admin’ and have a strong, randomly generated password, brute-force attacks can still be a problem. Don’t worry though, two-factor authentication can help protect your site.
The principle is that, rather than just entering your login details, you also need to confirm that you’re you by entering a one-time code from another device you own (usually through an app on your phone). That’s much harder for attackers to fake!
Two popular plugins for handling two-factor authentication in WordPress are Google Authenticator and the Rublon plugin (which takes a slightly different approach). Just make sure that you don’t lose your backup codes, or you might find yourself locked out.
4. Employ least privileged principles
The WordPress.org team has put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it, because it applies directly to this step.
The concept of least privilege is simple. Only give permissions to:
- those that need it,
- when they need it and
- only for the time they need it.
If someone requires temporary administrator access for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.
Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles, and you’ll greatly reduce your security risk.
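One way to put the third bullet, access only for the time it is needed, into practice is to time-box administrator grants so that nobody has to remember to demote the user afterwards. The following is an added example written for this guide, not code from WordPress core or from the original post. It uses WordPress’s own role API and WP-Cron; the tempadmin_ function names and the user-meta key are assumptions, and it is meant to live in a small site-specific plugin.

```php
<?php
/**
 * Time-boxed administrator access (added example, not code from the original post).
 * Save as wp-content/plugins/tempadmin.php and activate it.
 * All "tempadmin_" names are assumptions made for this example.
 */

// Grant a user the administrator role for $hours, then revert automatically.
function tempadmin_grant( int $user_id, int $hours = 4 ): bool {
    if ( ! current_user_can( 'promote_users' ) ) {
        return false; // only someone who may already change roles can call this
    }
    $user = get_user_by( 'ID', $user_id );
    if ( ! $user || in_array( 'administrator', (array) $user->roles, true ) ) {
        return false; // unknown user, or already an administrator
    }
    // Remember the current roles so the revert is exact rather than a guess.
    update_user_meta( $user_id, 'tempadmin_previous_roles', (array) $user->roles );
    $user->set_role( 'administrator' );
    // WP-Cron runs the revert on the first request after the timestamp.
    wp_schedule_single_event( time() + $hours * HOUR_IN_SECONDS, 'tempadmin_revoke', array( $user_id ) );
    error_log( sprintf( 'tempadmin: user %d granted administrator for %d hour(s)', $user_id, $hours ) );
    return true;
}

// The scheduled revert: restore the saved roles and end the user's sessions.
function tempadmin_revoke( int $user_id ): void {
    $user = get_user_by( 'ID', $user_id );
    if ( ! $user ) {
        return;
    }
    $previous = get_user_meta( $user_id, 'tempadmin_previous_roles', true );
    if ( ! is_array( $previous ) || empty( $previous ) ) {
        $previous = array( 'subscriber' ); // safe fallback if the saved roles are missing
    }
    $user->set_role( array_shift( $previous ) ); // set_role() replaces every role with this one
    foreach ( $previous as $role ) {
        $user->add_role( $role );                // re-add any additional roles the user had
    }
    delete_user_meta( $user_id, 'tempadmin_previous_roles' );
    // Destroy all login sessions so an existing admin cookie cannot outlive the grant.
    WP_Session_Tokens::get_instance( $user_id )->destroy_all();
    error_log( sprintf( 'tempadmin: user %d reverted to previous role(s)', $user_id ) );
}
add_action( 'tempadmin_revoke', 'tempadmin_revoke' );
```

Call tempadmin_grant() from an admin-only page or from WP-CLI (for example with wp eval) while logged in as an administrator. WP-Cron only fires when the site receives requests, so on a quiet site pair it with a real cron job that hits wp-cron.php, otherwise the revert may run later than scheduled.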
5. Hide wp-config.php and .htaccess
Your wp-config.php and .htaccess files are critical to your WordPress security. They often contain your system credentials and expose information about your site’s structure and configuration. Ensuring that attackers can’t gain access to them is vital.
Hiding these files is relatively easy to do, but doing it wrong might make your site inaccessible. Make a backup and proceed with caution. Yoast SEO for WordPress makes this process somewhat easier for you. Just go to “Tools > File Editor” to edit your .htaccess.
For better WordPress security, you will need to add this to your .htaccess file to protect wp-config.php:
# Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, or use "Require all denied" instead
<Files wp-config.php>
order allow,deny
deny from all
</Files>
That will stop the web server from ever serving the file to a browser. Similar code can be used for your .htaccess file itself:
<Files .htaccess>
order allow,deny
deny from all
</Files>
6. Use WordPress security keys for authentication
Authentication ‘keys’ and ‘salts’ are a set of random values, unique to your website, which WordPress uses to secure the information stored in your login cookies.
Your wp-config.php file has a dedicated area where you can provide your own values (simply generate a new set of keys and paste them in).
7. Disable file editing
If a hacker gets in, the easiest way for them to change your files would be to go to “Appearance > Editor” in WordPress. To improve your WordPress security, you can disable editing of these files via that editor. Again, you can do this from within your wp-config.php file by adding this line of code:
define('DISALLOW_FILE_EDIT', true);
You will still be able to edit your templates via your favorite (S)FTP application. You just won’t be able to do it via WordPress itself.
8. Use HTTPS and SSL
The Internet has been buzzing with blog posts and articles about the importance of HTTPS protocol and adding SSL security certificates to your site for quite some time now.
HTTPS stands for Hypertext Transfer Protocol Secure, while SSL stands for Secure Sockets Layer. In a nutshell, HTTPS lets a visitor’s browser establish a secure connection with your hosting server (and therefore with your site). The HTTPS protocol is secured via SSL (in practice today, its successor TLS). Together, HTTPS and SSL ensure that all the information exchanged between a visitor’s browser and your site is encrypted.
Using both on your site will not only increase your site’s security, but it will also benefit your search engine rank, establish trust in your visitors, and improve your conversion rate.
Talk to your hosting provider and ask about the possibility of obtaining an SSL certificate or to point you in the direction of a reputable company where you can buy one.
9. Harden The Admin Area
When it comes to hardening the admin area, you’ll need to change the default admin URL and limit the number of failed login attempts before a user is locked out of your site.
By default, the admin URL for your website will look like this: yourdomain.com/wp-admin. Hackers know this and will attempt to access this URL directly so they can gain access to your site.
You can change this URL with a plugin like WPS Hide Login.
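The post mentions limiting failed login attempts but does not show how it is done. Below is an added example written for this guide (not code from the original post or from any plugin named in it) that locks a username out after repeated failures using WordPress transients and the core authenticate, wp_login_failed and wp_login hooks. The example_ prefix, the thresholds and the log line format are assumptions.

```php
<?php
/**
 * Lock a username out after repeated failed logins.
 * Added example for this guide, not code from the original post.
 * Save as wp-content/plugins/example-login-lockout.php and activate it.
 */

// Thresholds are assumptions; tune them for your site.
const EXAMPLE_MAX_ATTEMPTS = 5;    // failures allowed before the lockout starts
const EXAMPLE_LOCKOUT_SECS = 900;  // lockout window: 15 minutes

// One counter per (username, client address). Behind a reverse proxy REMOTE_ADDR
// is the proxy's address, which is why the username is part of the key as well.
function example_lockout_key( string $username ): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_lock_' . md5( strtolower( trim( $username ) ) . '|' . $ip );
}

// True while this username/address pair is locked out.
function example_is_locked( string $username ): bool {
    return (int) get_transient( example_lockout_key( $username ) ) >= EXAMPLE_MAX_ATTEMPTS;
}

// Fires on every failed login: wrong password, unknown user, or our own rejection below.
function example_record_failure( string $username ): void {
    $key      = example_lockout_key( $username );
    $attempts = (int) get_transient( $key );
    if ( $attempts >= EXAMPLE_MAX_ATTEMPTS ) {
        return; // already locked: further attempts must not extend the window
    }
    $attempts++;
    set_transient( $key, $attempts, EXAMPLE_LOCKOUT_SECS );
    if ( $attempts >= EXAMPLE_MAX_ATTEMPTS ) {
        // One log line per lockout, for whatever watches the PHP error log.
        error_log( sprintf( 'wp-login lockout user=%s ip=%s', $username, $_SERVER['REMOTE_ADDR'] ?? '-' ) );
    }
}
add_action( 'wp_login_failed', 'example_record_failure' );

// Runs in the authenticate chain after core's password checks (priority 20), so a
// locked username is rejected even when the supplied password is correct.
function example_check_lockout( $user, string $username ) {
    if ( '' !== $username && example_is_locked( $username ) ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'example_check_lockout', 30, 2 );

// A successful login clears the counter for that username/address pair.
function example_clear_lockout( string $user_login ): void {
    delete_transient( example_lockout_key( $user_login ) );
}
add_action( 'wp_login', 'example_clear_lockout' );
```

Because the check sits on the authenticate filter, it also covers logins made through XML-RPC, not just the wp-login.php form. Keying on username plus address means an attacker cycling addresses still has to start a fresh count per address, while a legitimate user with a typo is only locked out briefly from their own address.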
10. Use Security Headers
Another way to secure your WordPress website is to implement security headers. Typically they are set at the server level in order to prevent hacking attacks and reduce the number of security vulnerability exploits. You can add them yourself by modifying your theme’s functions.php file.
Cross-site scripting attacks
Add the following line to define which sources the browser may load scripts, styles and other content from:
header('Content-Security-Policy: default-src https:');
This stops the browser from loading resources over plain HTTP, and also blocks inline scripts and styles. Because WordPress themes and plugins commonly rely on inline code, test this policy before enforcing it (for instance by sending it as Content-Security-Policy-Report-Only first), or it may break your site.
Iframe clickjacking
Add the line below to instruct the browser not to render your pages inside a frame on another site:
header('X-Frame-Options: SAMEORIGIN');
X-XSS-Protection and X-Content-Type-Options
Add the following lines to enable the built-in XSS filter in older browsers (current browsers ignore X-XSS-Protection, so it is harmless but offers no protection there) and to tell Internet Explorer not to sniff MIME types:
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
Enforce HTTPS
Add the line below to instruct the browser to use only HTTPS for your domain for the next year. Make sure every subdomain already works over HTTPS before adding includeSubdomains and preload, because both are very hard to undo:
header('Strict-Transport-Security: max-age=31536000; includeSubdomains; preload');
Cookie with HTTPOnly and Secure flag in WordPress
Tell PHP to mark its session cookie HttpOnly (not readable from JavaScript) and Secure (sent only over HTTPS), and to accept session IDs only from cookies, by adding the following. Note that these settings apply to PHP’s own session cookie; WordPress core does not use PHP sessions, and its login cookies are already HttpOnly (and Secure when the site is served over HTTPS):
@ini_set('session.cookie_httponly', true);  // cookie not readable from JavaScript
@ini_set('session.cookie_secure', true);    // cookie sent only over HTTPS
@ini_set('session.use_only_cookies', true); // never accept a session ID from the URL
If you don’t want to add these headers manually, consider using a plugin like Security Headers. Regardless of which method you choose to implement the security headers, be sure to test them by visiting the https://securityheaders.io website and entering your site’s URL.
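Calling header() at the top of functions.php works only as long as nothing has produced output yet, and the settings vanish when the theme changes. The following is an added example for this guide, not code from the original post or from WordPress core: it sends the headers discussed above from the send_headers action, sends HSTS only on HTTPS responses, and starts the content security policy in report-only mode. The example_ function name and the exact policy values are assumptions to adapt to your site.

```php
<?php
/**
 * Security headers through the send_headers hook.
 * Added example for this guide, not code from the original post.
 * Put it in a site-specific plugin so it survives a theme change and runs
 * before any output (a header() call after output has started is lost).
 */
function example_send_security_headers(): void {
    if ( headers_sent() ) {
        return; // too late to add headers on this response
    }
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );

    // HSTS is only meaningful on an HTTPS response. Start with a short max-age and
    // raise it once certificate renewal is known to work; a year with preload is
    // hard to back out of if a certificate lapses.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=300; includeSubDomains' );
    }

    // WordPress core and most themes emit inline <script> and <style> elements,
    // which a bare "default-src https:" blocks. Report-only mode shows in the
    // browser console what would be blocked without actually blocking it.
    $csp = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline'", // replace with nonces once inline scripts are inventoried
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "frame-ancestors 'self'",            // modern equivalent of X-Frame-Options
    ) );
    header( 'Content-Security-Policy-Report-Only: ' . $csp );
}
// send_headers fires for front-end requests. wp-admin and wp-login.php already
// receive X-Frame-Options: SAMEORIGIN from core, and their editors rely on inline code.
add_action( 'send_headers', 'example_send_security_headers' );
```

Once the report-only policy has run for a while with no violations you care about, switch the header name to Content-Security-Policy to enforce it. Either way, confirm the result with the securityheaders.io check mentioned above rather than trusting that the code ran.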
We recommend the Sucuri plugin.
If you don’t want to install a plugin, there are browser-based online tools that run a quick scan of your website instead.
You can run a quick scan of your website here.
Wrapping Up
WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. But because it’s so popular, it’s also a favorite target for hackers. Luckily, there are a number of steps you can take to protect your WordPress site and if you follow the tips in this article, you’ll be well on your way to having a secure WordPress website.
If you have any more tips in your mind then we would love to read them in comments below 🙂