Lock Down Your WordPress Site: The Ultimate Guide to Bulletproof Security
in WordPress Plugins on December 16, 2025
WordPress Security: The Ultimate Guide
WordPress security is a crucial topic for every website owner. Google blacklists over 20,000 malware websites and 50,000 phishing websites every week. If you truly care about your website’s security, you need to invest time and effort into implementing effective WordPress security measures. In this guide, we will share the most effective WordPress security measures to help you protect your website from hackers and malware.
While the WordPress core software is secure and reliable, with hundreds of developers regularly auditing it, there are still many ways to enhance your website’s security.
We believe security is not about eliminating risk but about reducing it. As a website owner, there is a lot you can do to improve your site's security, even without technical expertise.
We have numerous actionable steps you can take to enhance your WordPress security. For your convenience, we have created a table of contents to help you easily navigate our ultimate WordPress security guide.
Table of Contents
WordPress Security Basics
- Why is WordPress Security So Important?
- Keeping WordPress Updated
- Strong Passwords and User Permissions
- The Role of Web Hosting
Easy Ways to Improve WordPress Security (No Code Required)
- Installing a WordPress Backup Solution
- The Best WordPress Security Plugins
- Enabling a Web Application Firewall (WAF)
WordPress Security for DIY Users
- Changing the Default Username “admin”
- Disabling File Editing
- Disabling PHP File Execution
- Limiting Login Attempts
- Changing the WordPress Database Table Prefix
- Password Protecting WordPress Admin and Login Pages
- Disabling Directory Indexing and Browsing
- Disabling WordPress XML-RPC
- Automatically Logging Out Idle Users
- Adding Security Questions to WordPress Login
- Fixing a Hacked WordPress Website
Ready? Let’s get started!
Why is WordPress Security So Important?
A hacked WordPress website can severely damage your business's revenue and reputation. Attackers can steal user information and passwords, install malware on the site, and distribute malware to your visitors. Worst of all, you might have to pay a ransom to regain access to your own website.
In March 2016, Google reported that approximately 50 million website users received warnings when visiting websites that might contain malware or steal information. Additionally, Google blacklists approximately 20,000 malware websites and approximately 50,000 phishing websites every week.
If your website is a business website, you need to pay extra attention to website security.
Similar to a business owner’s responsibility to protect their physical store, as an online business owner, you have a responsibility to protect your business website.
Keeping WordPress Updated
WordPress is open-source software that is regularly maintained and updated. By default, WordPress automatically installs some minor updates. For major version updates, you need to manually initiate the update.
WordPress also has thousands of plugins and themes that can be installed. These plugins and themes are maintained by third-party developers and are regularly updated.
These WordPress updates play a crucial role in your website’s security and stability. You need to ensure that the WordPress core files, plugins, and themes are updated to the latest versions.
Strong Passwords and User Permissions
The most common type of hacking attack involves using stolen passwords. You can increase the difficulty of such attacks by creating a strong password specifically for your website. Not only should your WordPress admin dashboard password be strong, but also your FTP account, database, WordPress hosting account, and email passwords.
The main reason why beginners dislike using strong passwords is that they are too difficult to remember. To solve this problem, we recommend using a password manager.
Another way to reduce risk is to avoid giving your administrator account to other people unless absolutely necessary. If you have a large team or many freelance authors, make sure you understand WordPress user roles and permissions before adding new users and authors.
The Role of Web Hosting
Your web hosting service provider plays a very important role in website security. A qualified shared hosting provider, such as BlueHost or Siteground, will take certain measures to protect their servers from common threats.
However, on shared hosting, you share server resources with many other customers. This can lead to cross-site contamination, where hackers can exploit neighboring sites to attack your website.
Using a managed WordPress hosting service provides a more secure platform for your website. WordPress hosting companies offer automatic backups, automatic WordPress updates, and more advanced security configurations to protect your website.
We recommend using WPEngine as our preferred WordPress host. They are one of the most popular products in the industry.
Easy Ways to Improve WordPress Security (No Code Required)
We know that improving WordPress security can feel daunting for beginners, especially if you don't have technical skills. Don't worry, you are not alone.
In this section we show how to improve your website's security with just a few mouse clicks and no code at all.
Installing a WordPress Backup Solution
Backups are your first line of defense against WordPress attacks. Remember, nothing is 100% secure. If even government websites can be hacked, what about yours?
Backups let you quickly restore your website if something goes wrong. There are many free and paid backup plugins for WordPress. The most important rule of backups is that you must regularly save full-site backups to a remote location (not the same server that hosts your website): an attacker who compromises the server, or a disk failure on it, must not be able to destroy the backups as well.
We recommend saving backups to cloud storage services like Amazon S3, Dropbox, or a private cloud like Stash.
Depending on how frequently your website is updated, the ideal backup frequency is daily or real-time.
Fortunately, the tedious task of backing up can be automated using plugins like VaultPress or BackupBuddy. They are both very reliable, and most importantly, easy to use (no code required).
The Best WordPress Security Plugins
After backing up, the next thing we need to do is establish an auditing and monitoring system to track everything that happens on the website. This includes file integrity monitoring, failed login attempts, malware scanning, etc.
Fortunately, this can be done with the best free WordPress security plugin, Sucuri Scanner. You need to install and activate the Sucuri Security plugin. For specific installation steps, please refer to how to install a WordPress plugin.
After activation, access the Sucuri menu from the admin dashboard.

First, you need to generate a free API key. With the API key, you can enable audit log recording, integrity checks, email alerts, and other important functions.
Next, click the Settings option in the Sucuri menu, open the “Hardening” tab, and click “Apply Hardening” for each option in turn.

These options lock down key areas that hackers often use in attacks. The only thing that requires payment is the Web Application Firewall, which we will explain in the next step, so skip it for now.
For readers who want to perform these or other operations (such as changing the database prefix or the administrator username) without a plugin, we describe the manual steps later in this guide.
After setting up the Hardening section, most of the default settings do not need to be modified. The only thing we recommend is to customize Email Alerts.
The default alert settings may flood your inbox with low-value emails. We recommend configuring alerts only for important events, such as plugin changes and new user registrations. You can set this in the Alerts tab of the Sucuri settings.

This WordPress security plugin is very powerful. You can browse all the tabs and settings to understand its full functionality, such as malware scanning, audit logs, failed login attempt tracking, etc.
Enabling a Web Application Firewall (WAF)
The easiest way to protect your website and be confident in its security is to use a Web Application Firewall (WAF). A DNS-level firewall filters known malicious traffic before it ever reaches your server.

Sucuri is the best web application firewall we recommend for WordPress.
The best thing about the Sucuri firewall is that it also comes with malware cleanup and blacklist removal. If your website is hacked while under their protection, they guarantee to clean it, no matter how many pages it has.
This is a strong guarantee, because cleaning a hacked website is expensive: security experts typically charge around $250 per hour, while the complete Sucuri security package costs $199 per year.
Sucuri is certainly not the only firewall provider. Another popular competitor is CloudFlare.
WordPress Security for DIY Users
If you have followed the steps above, your website is already in good shape. There are still further ways to strengthen it, but some of these steps require a little coding knowledge.
Changing the Default Username “admin”
In older versions, the default username for the WordPress administrator was “admin”. Since knowing the username is half of the login credentials, this made brute-force attacks easier for attackers. Bear in mind that changing the name removes the obvious default but does not hide usernames entirely: author archive URLs and the REST API user endpoint still reveal the login names of users who have published content.
Fortunately, in recent years, WordPress requires you to set a custom username when installing WordPress.
However, some WordPress one-click installation packages still set the default administrator username to “admin”. If you notice this, you may want to consider changing your hosting service provider.
Since the WordPress dashboard does not let you change a username, here are three ways to do it.
- Create a new administrator username and then delete the previous one.
- Use the Username Changer plugin.
- Modify the username from phpMyAdmin.
We have a detailed tutorial on how to change the WordPress administrator username.
Note: We are discussing the username called “admin”, not the administrator role.
Disabling File Editing
WordPress comes with a built-in code editor that lets you edit theme and plugin files from the admin dashboard. This is a security risk: anyone who obtains an administrator session, for example through a stolen password, can use it to write a backdoor into a theme or plugin file without any server access at all. We recommend turning it off.

You can add the following lines to the wp-config.php file, above the line that says “That’s all, stop editing!”, to turn off the editor. Note that this only removes the editors; the constant DISALLOW_FILE_MODS goes further and also blocks plugin and theme installation and updates from the dashboard, which is appropriate when deployments are managed outside WordPress.
// Disallow file edit
define('DISALLOW_FILE_EDIT', true);
Alternatively, you can also click on the relevant item in the Hardening function in the free Sucuri plugin mentioned above to turn it off with one click.
Disabling PHP File Execution in Specific WordPress Directories
Another way to harden WordPress is to disable PHP execution in directories that should never contain executable code, such as /wp-content/uploads/. That directory must be writable by the web server, so a file-upload bug in any plugin, or a compromised author account, can place a .php file there; this rule ensures such a file is never executed.
Open a text editor and copy the following code into it:
<Files *.php>
deny from all
</Files>
Save the file as .htaccess and upload it to /wp-content/uploads/ with an FTP client. Note that `deny from all` is Apache 2.2 syntax; on Apache 2.4 it only works when mod_access_compat is loaded, and the native directive is `Require all denied`. Nginx ignores .htaccess files entirely, so there you need an equivalent `location` rule in the server configuration. In either case, verify the rule by requesting a harmless test .php file at that path and confirming the server answers 403 rather than executing it.
Of course, you can also click on the relevant item in the Hardening function in the free Sucuri plugin mentioned above to turn it off with one click.
For more detailed instructions, please see how to disable PHP file execution in specific WordPress directories.
Limiting Login Attempts
By default, WordPress lets anyone try to log in as many times as they like, which exposes your website to brute-force attacks: attackers script thousands of username and password combinations until one works.
This problem can be fixed by limiting the number of failed login attempts. If you are using the web application firewall mentioned above, then this function is automatically enabled.
If you have not set up a firewall, you can follow the steps below.
First, install and activate the Login LockDown plugin. For specific installation steps, please refer to how to install a WordPress plugin.
After activation, go to “Settings” – “Login LockDown” to set up the plugin.

For detailed operation steps, please see how and why you should limit WordPress login attempts.
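To show what a login limiter actually does under the hood, here is an added example of a small must-use plugin that implements the lockout with WordPress hooks and transients. It is not code from the article or from the Login LockDown plugin. The thresholds (5 failures in 15 minutes, 30-minute lockout), the transient names, and the assumption that the site is not behind a reverse proxy are all choices of this example.

```php
<?php
/**
 * Plugin Name: Example Login Lockout
 *
 * Added example (not the article's or any plugin's code): rate-limits failed
 * wp-login.php attempts per client IP with WordPress transients. Save it as
 * wp-content/mu-plugins/example-login-lockout.php; must-use plugins load
 * automatically and cannot be deactivated from the dashboard.
 *
 * Assumptions of this example: 5 failures within 15 minutes lock the client
 * out for 30 minutes, and the site is not behind a reverse proxy, so
 * REMOTE_ADDR is the real client address.
 */

defined( 'ABSPATH' ) || exit;

define( 'LL_MAX_ATTEMPTS', 5 );
define( 'LL_WINDOW_SEC', 15 * MINUTE_IN_SECONDS );
define( 'LL_LOCKOUT_SEC', 30 * MINUTE_IN_SECONDS );

/**
 * Client address. REMOTE_ADDR only: honouring X-Forwarded-For without a
 * trusted proxy lets an attacker present a fresh "address" on every request
 * and never trip the counter.
 */
function ll_client_ip(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

/** Transient name for this client; hashed so IPv6 addresses stay short and valid. */
function ll_key( string $prefix ): string {
    return $prefix . md5( ll_client_ip() );
}

/** True while this client is locked out. */
function ll_is_locked(): bool {
    return (bool) get_transient( ll_key( 'll_lock_' ) );
}

// 1. Count failures in a window; start a lockout at the threshold.
//    WordPress fires wp_login_failed for every WP_Error returned from
//    authentication, including the lockout error below, so a client that
//    keeps hammering a locked account keeps extending its own lockout.
add_action( 'wp_login_failed', function ( $username ) {
    $count = (int) get_transient( ll_key( 'll_fail_' ) ) + 1;
    set_transient( ll_key( 'll_fail_' ), $count, LL_WINDOW_SEC );

    if ( $count >= LL_MAX_ATTEMPTS ) {
        set_transient( ll_key( 'll_lock_' ), time(), LL_LOCKOUT_SEC );
        delete_transient( ll_key( 'll_fail_' ) );
        // Audit trail in the PHP error log (wp-content/debug.log when WP_DEBUG_LOG is on).
        error_log( sprintf( 'login lockout: ip=%s user=%s', ll_client_ip(), $username ) );
    }
} );

// 2. Refuse authentication while locked. Priority 40 runs after core's own
//    handlers (priorities 20 and 30), so a correct guess made during the
//    lockout is rejected too; at a lower priority core would simply replace
//    our error with the WP_User it found.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ll_is_locked() ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 40, 3 );

// 3. A successful login clears the failure counter for that client.
add_action( 'wp_login', function () {
    delete_transient( ll_key( 'll_fail_' ) );
} );
```

Because the lockout hooks `authenticate` rather than only the login form, it also applies to XML-RPC and application-password logins, which all pass through `wp_authenticate()`. If the site does sit behind a proxy or a CDN, replace `ll_client_ip()` with logic that reads the forwarded address only from that known proxy; otherwise the counter is trivially bypassed.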
Changing the WordPress Database Table Prefix
By default, the tables in the WordPress database use the wp_ prefix. Automated SQL injection payloads usually hard-code these default table names, so a custom prefix makes such attacks fail, and we recommend changing it. Treat it as a minor obstacle rather than a fix, though: it does nothing against an attacker who can read your schema, and the real defence against injection is keeping plugins and themes updated.
You can modify it by following this article “How to modify the WordPress database prefix to improve security”.
Note: a mistake here will break your website. Take a full backup first, and do not attempt this unless you are comfortable editing the database directly.
Password Protecting WordPress Admin and Login Pages
Normally, anyone can request your wp-admin folder and login page without restriction, which gives attackers a free hand to try their techniques and to flood the login page with requests.
You can add an extra layer of password protection on the server side, which rejects such requests before WordPress even loads. One caveat: wp-admin/admin-ajax.php is used by many themes and plugins for logged-out visitors, so exclude that file from the protection or front-end features will break.
You can follow this tutorial to learn how to use a password to protect the WordPress administrator (wp-admin) directory.
Disabling Directory Indexing and Browsing

Attackers can use directory browsing to enumerate your files, identify plugin and theme versions with known vulnerabilities, and then target those files.
Directory browsing also lets anyone view your files, copy images, and map your directory structure. We therefore strongly recommend turning off directory indexing and browsing.
Connect to your website using FTP or cPanel’s file manager, and then find the .htaccess file in the website’s root directory. If you cannot see the file, you can learn about why you cannot see the .htaccess file in WordPress.
Then, add the following code to the .htaccess file.
Options -Indexes
Finally, remember to save the file and upload it to the original location. For more detailed content on this topic, please read how to disable directory browsing in WordPress.
Disabling WordPress XML-RPC
Starting with WordPress 3.5, XML-RPC is enabled by default because it can help you connect WordPress websites to web applications or mobile applications.
However, XML-RPC can significantly amplify brute-force attacks.
For example, an attacker who wants to try 500 different passwords would normally need 500 separate login attempts, which a limiter such as the Login LockDown plugin detects and blocks.
With XML-RPC, the system.multicall method lets a single request carry hundreds of method calls, each with its own credentials, so thousands of password guesses fit into 20 or 50 HTTP requests that per-request throttling never sees. The pingback.ping method is also widely abused to turn WordPress sites into reflectors for DDoS attacks against third parties.
So if you don’t need XML-RPC, we recommend disabling it.
There are three ways to disable XML-RPC, all of which we have mentioned in “How to disable WordPress XML-RPC”.
Tip: the .htaccess method is the best choice because the web server rejects the request before PHP or WordPress is loaded at all.
If you are using the web application firewall mentioned earlier, then the firewall can handle this problem.
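For readers who prefer the filter-based method, or who need to keep XML-RPC for a mobile app and only want the dangerous methods gone, here is an added example of a must-use plugin. It is not code from the article; the XMLRPC_MODE constant and the choice of which methods to drop are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Example XML-RPC Lockdown
 *
 * Added example (not the article's code). Save as
 * wp-content/mu-plugins/example-xmlrpc-lockdown.php.
 *
 * XMLRPC_MODE is an assumption of this example, not a WordPress setting:
 *   'off'    -> refuse every XML-RPC method
 *   'reduce' -> keep XML-RPC (e.g. for the mobile app) but remove the methods
 *               that batch login attempts or enable pingback reflection
 */

defined( 'ABSPATH' ) || exit;

define( 'XMLRPC_MODE', 'off' );

if ( 'off' === XMLRPC_MODE ) {
    // Makes every method that needs a login return an "XML-RPC services are
    // disabled" fault. This filter only guards authenticated methods, so on its
    // own it leaves pingback.ping reachable; the method filter below closes that.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    if ( 'off' === XMLRPC_MODE ) {
        // No methods at all: every call now fails with "requested method does
        // not exist", whether or not it would have required a login.
        return [];
    }
    // system.multicall packs many calls, each with its own credentials, into
    // one HTTP request and so defeats per-request login throttling.
    unset( $methods['system.multicall'] );
    // pingback.ping lets the site be used as a DDoS reflector.
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: the X-Pingback response header and the RSD
// <link> in the page head both point scanners straight at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Even in 'off' mode, xmlrpc.php still exists and is still served by PHP, so every probe costs a WordPress bootstrap; that is why the article's tip to block it in .htaccess (or at the WAF) remains the cheaper option. The filter approach is the right one when you want the endpoint to stay up with a reduced method set.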
Automatically Logging Out Idle Users
Logged-in users sometimes leave their computers unattended for a while, and that is a security risk: anyone with access to the machine can use the open session to change the password or modify the account.
This is why many banks and financial websites automatically log out inactive users. You can also implement similar functions on WordPress websites.
You need to install and activate the Idle User Logout plugin. After activation, go to the “Settings” – “Idle User Logout” page to set up the plugin.

Set the idle time and uncheck the “Disable in WP Admin” option so that the timeout also applies inside the dashboard, where it matters most. Finally, don't forget to click “Save Changes”.
For a more detailed tutorial, see how to automatically log out inactive users in WordPress.
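To make clear what such a plugin does, here is an added example of an idle logout implemented as a must-use plugin. It is not the Idle User Logout plugin's code or the article's; the 15-minute limit, the user-meta key, and the decision to ignore AJAX, cron and REST requests are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Example Idle Logout
 *
 * Added example (not the article's or any plugin's code). Save as
 * wp-content/mu-plugins/example-idle-logout.php. Logs out any user whose
 * last interactive request was more than IDLE_LIMIT seconds ago.
 */

defined( 'ABSPATH' ) || exit;

define( 'IDLE_LIMIT', 15 * MINUTE_IN_SECONDS );      // assumption of this example
define( 'IDLE_META_KEY', '_example_last_activity' ); // assumption of this example

add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    // Background requests must not count as activity: the admin heartbeat
    // polls admin-ajax.php every 15-60 seconds and would otherwise keep every
    // open dashboard tab alive forever.
    if ( wp_doing_ajax() || wp_doing_cron() || ( defined( 'REST_REQUEST' ) && REST_REQUEST ) ) {
        return;
    }

    $user_id = get_current_user_id();
    $last    = (int) get_user_meta( $user_id, IDLE_META_KEY, true );
    $now     = time();

    if ( $last && ( $now - $last ) > IDLE_LIMIT ) {
        delete_user_meta( $user_id, IDLE_META_KEY );
        wp_logout();        // destroys the current session token and clears auth cookies
        nocache_headers();  // make sure no cache serves the logged-in page again
        wp_safe_redirect( wp_login_url() );
        exit;
    }

    // Still within the limit: record this request as the latest activity.
    update_user_meta( $user_id, IDLE_META_KEY, $now );
} );

// On login, reset the clock so a stale timestamp from a previous session
// cannot log the user straight back out.
add_action( 'wp_login', function ( $user_login, WP_User $user ) {
    update_user_meta( $user->ID, IDLE_META_KEY, time() );
}, 10, 2 );
```

The timestamp is stored per user, so activity on one device keeps a session on another device alive as well. If that matters, store the timestamp per session instead via the WP_Session_Tokens API, which is what a stricter implementation would do. Note also that this is idle detection, not a hard session lifetime; WordPress's own `auth_cookie_expiration` filter caps the latter.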
Adding Security Questions to WordPress Login

Adding security questions to the WordPress login page makes unauthorized access somewhat harder. Treat them as a small extra hurdle rather than a strong control: answers are often guessable or discoverable from public information, and a second factor such as a one-time code from an authenticator app is a much stronger addition to a password.
You can add security questions by installing the WP Security Questions plugin. After activating the plugin, go to the “WP Security Questions” – “Plugin Settings” page to set up the plugin.
For more detailed tutorials, please see how to add security questions to the WordPress login page.
Fixing a Hacked WordPress Website
Many WordPress users did not realize the importance of backups and website security until their websites were hacked.
Cleaning up a compromised website is difficult and time-consuming. Our preferred recommendation is to let a security professional handle it.
Attackers plant backdoors on the sites they infect. Unless every backdoor is found and removed, your website will very likely be hacked again.
Please ask a professional security company, such as Sucuri, to repair your website to ensure that the website is safe for future use and will also defend against future attacks.
For DIY users, we recommend this article on how to fix a hacked WordPress website.
That's all for this guide. We hope it has helped you understand WordPress security and find the best security plugins for your website.
Key Takeaways
- Keep your WordPress core, themes, and plugins updated.
- Use strong, unique passwords for all accounts related to your WordPress site.
- Implement a reliable backup solution to regularly back up your website.
- Use a security plugin like Sucuri or Wordfence to monitor and protect your site.
- Consider using a web application firewall (WAF) for enhanced protection.
FAQ
- Why is WordPress security important? A hacked website can damage your reputation, steal sensitive data, and harm your business.
- What is a web application firewall (WAF)? A WAF filters malicious traffic before it reaches your website, providing an extra layer of security.
- How often should I back up my WordPress site? Ideally, back up your site daily or in real-time, especially if you frequently update content.
- Can I improve WordPress security without coding? Yes, using security plugins and following best practices can significantly improve your site’s security.
- What should I do if my WordPress site is hacked? Contact a professional security service like Sucuri or follow a detailed guide to clean and secure your site.