Every month, or even every week, you might hear about a security vulnerability that has been detected in WordPress and is being fixed. Around the time patches are released, there are also a lot of reports of WordPress websites being hacked and losing their data.

The obvious reason for so many reports of WordPress websites being hacked is that WordPress users do not take the necessary steps to secure their websites. In this tutorial, I am going to write an extensive guide on how to secure your WordPress website. So, let’s jump right in and learn how to secure a WordPress website.

Part A: Basic WordPress Security Measures

1- Update The WordPress Version

Everyone should follow the basics of WordPress security. One of the most obvious security measures is to keep your WordPress website updated to the latest available version.

Whenever a new update is available, you will see a message on your WordPress admin panel asking you to update to the latest available version. The WordPress update process is very simple.

Keeping your WordPress website updated ensures that you are secure from vulnerabilities that were reported in the WordPress core.

2- Update WordPress Plugins

If you are using WordPress, then you are definitely going to be using a lot of WordPress plugins on your website. Keeping plugins updated is absolutely necessary because plugins inject code into your WordPress files, and any plugin that is compromised can result in your website getting hacked.

To update the WordPress plugins, log in to your WordPress Admin > Dashboard > Updates. On this page, you will see all the available updates for your website.

It is also necessary to check the compatibility of plugins with the current version of your WordPress site.

3- Update WordPress Themes

WordPress themes are what make up the frontend of your website. Whether you opt to use a free WordPress theme or a Premium one, you should check its updates and apply them as soon as possible.

4- Setting a Secure Password and Username

If you have a password or username that is easy to guess, then this can be one of the top security flaws on your WordPress website.

Thankfully, WordPress generates secure and complex passwords on its own and I recommend you use them.

As for usernames, choose something other than Admin or your real name. Just like passwords, you can set complex usernames.

5- Reduce Number Of Admin Users

Having a lot of users with admin rights would only mean that you have kept a lot of options for hackers to guess passwords and break into your WordPress website.

It is recommended to keep a single user with Admin rights and keep other users as Authors, Editors, Contributors, Subscribers.

6- Create Backups

The best way of keeping your WordPress website data secure is to have backups of your /wp-content folder and the database.

I have written a helpful guide on how to back up WordPress websites using the BackWPup plugin.

Part B: Securing The WordPress Frontend

7- Limit Login Attempts & Stop Brute Force Attacks

Brute force attacks are very common when hacking WordPress website login passwords. Hackers have developed bots that continuously input usernames and passwords on the /wp-admin or /wp-login.php URLs until they are successfully logged in to your admin account.

In order to stop such attacks, it is wise to use a limit-login attempt plugin.

One of the most popular limit-login-attempt plugins is WP Limit Login Attempts.
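The brute-force pattern described above is visible in the web server's access log, so it can be checked independently of any plugin. The script below is an added example, not part of the original guide; it assumes the "combined" access-log format, and the function names and sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: report client IPs that POST to /wp-login.php repeatedly.
# Assumes the Apache/Nginx "combined" access-log format.

# count_login_posts LOGFILE [THRESHOLD]
# Prints "IP COUNT" for each client at or above THRESHOLD, busiest first.
count_login_posts() {
    awk -v min="${2:-5}" '
        # Combined format: $1 = client IP, $6 = "\"METHOD", $7 = request path.
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)          # drop the query string
            if (path == "/wp-login.php") hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip, hits[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# Constructed sample traffic (documentation IP ranges, not real data):
# one client hammering the login form, one normal login, one page view.
sample_log() {
    for s in 01 02 03 04 05 06; do
        printf '%s - - [10/Jan/2024:10:00:%s +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "bot"\n' \
            203.0.113.7 "$s"
    done
    printf '%s - - [10/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla"\n' 198.51.100.4
    printf '%s - - [10/Jan/2024:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 5000 "-" "Mozilla"\n' 198.51.100.4
    printf '%s - - [10/Jan/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla"\n' 192.0.2.9
}

# Demo run on the constructed log.
demo_log=$(mktemp)
sample_log > "$demo_log"
count_login_posts "$demo_log" 5
rm -f "$demo_log"
```

Only POST requests are counted, so ordinary visits to the login page do not raise the count; the threshold is a starting value to tune against your own traffic.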

8- Password Protect WP-Admin and Login

Anyone can access the /wp-login.php and /wp-admin URLs of your WordPress website. In order to protect them from Brute Force and DDoS attacks, it is recommended to password protect these URLs via your .htaccess file.

A helpful guide on how to lockdown wp-admin and wp-login can be found here on the WordPress codex.

9- Disable Directory Browsing

By default, directory indexing is enabled on WordPress websites, so a person with unfriendly intentions can browse and discover the files and structure of your website.

Directory browsing can make it easy for a hacker to discover vulnerabilities in your web files.

To disable directory browsing just add the following line in the .htaccess file of your WordPress website.

Options -Indexes

10- Add Security Questions on WordPress Login Page

Adding your own question and an unexpected answer to that question is one of the best ways to block unauthorized users from accessing your websites.

In order to add security questions to the login page of your WordPress website, you can install a plugin called WP Security Question. Just install the plugin and configure it with your question and answer.

11- Use 2-factor authentication

2-factor authentication has been a popular measure to protect your Google, Facebook and bank accounts for years now.

Adding 2FA on WordPress websites is also easy and one of the surest ways to keep unwanted people out of your WordPress admin.

We have listed some of the most helpful two factor authentication plugins on one of our past blog posts.

12- Use email as login

If you are not creative enough to come up with a difficult-to-guess username, then I recommend using your email address as the login to your WordPress admin.

You can use the Email Login plugin to start using email as the username. Guessing a username with an “@” will be difficult enough for Brute Force attacks.

In some cases, I would not recommend using this security measure: if you have kept your email address public or visible on the website, then it can be easier to guess the username.

If you choose to use this method, then I recommend keeping the admin email separate from your public email address.

13- Remove “Powered By WordPress” and WordPress Version Number

Making it apparent to hackers that you are using WordPress will move them one step closer towards finding loopholes.

I recommend that you remove mention of “Powered by WordPress” from the frontend of your website and use Meta Generator and Version Info Remover to remove the version number of WordPress from RSS feeds, as well as the source code of your website.

14- Rename your login URL

By default, each and every WordPress website has wp-login and wp-admin urls as the paths to login to the admin panel.

If you can’t sleep at night just because your login urls are exposed, then the best way to change them is to use iThemes Security plugin and change the login url to something that can not be easily guessed.

Part C: Securing The WordPress Backend & Database

15- Hide Editor In WordPress Admin

If you log in to the WordPress backend as the admin user, then you can access Editor under Appearance. If someone unauthorized gains access to your admin panel, they will have access to all the theme files.

To disable Editor for admin users, just add the following line in wp-config.php file.

// Disallow file edit

define( 'DISALLOW_FILE_EDIT', true );

16- Stop Execution of PHP Files

If a hacker finds a loophole and uploads a malicious php file and executes it on your live website, that could mean you losing your entire website.

It is a good practice to block writing of files in specific WordPress folders. Create a blank .htaccess file, upload to folders like wp-includes/ or /wp-content/uploads/ and add the following code:

<Files *.php>
deny from all
</Files>

17- Disable XML-RPC in WordPress

XML-RPC is a method through which WordPress websites communicate with each other. XML-RPC can be used to compromise a WordPress website through brute-force attacks and to take it down via DDoS attacks.

To disable XML-RPC add the following code in the .htaccess file

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>

18- Automatically logout Idle Users

If you have a WordPress website with multiple authors, editors or admins, then you should constantly practice logging out idle users from your WordPress website.

Why is logging out idle users necessary, you may ask? You can never be sure whether the users of your site have logged out of their sessions. Having sessions stored on your browser can expose users to session hijacking and your website will be easily hacked.

You can easily log out idle users by using security plugins like BulletProof Security.

19- Change WordPress Database Prefix

By default, WordPress creates wp_ as the prefix of its database tables. Keeping the default prefix will make it one step easier for hackers to get access to your WordPress database.

I am not saying that changing the database prefix will make your database entirely secure, but it is a definite step toward making guessing tougher for automated hacking tools and scripts.

You can read a helpful guide on how to change table prefix here.

20- Scan WordPress Websites Regularly

Sometimes your website may be compromised and you may not see anything unfamiliar until the entire website is done for.

To detect anything that may have been compromised, it is a good practice to regularly scan your website using a plugin such as Sucuri.

It will scan and identify any vulnerability on your WordPress website and will make suggestions on how to fix it.

You can read their article on recovering a hacked WordPress website here.

21- Set strong passwords for your database

Just as I suggested setting a strong password for the WordPress dashboard, the same goes for the WordPress database. Make the passwords difficult by using special characters, numbers and upper and lower case letters.

Also set the username just as difficult as you set the password. Once you update the database password, make sure you make the necessary changes on your wp-config.php file.

22- Protect the wp-admin directory

A popular way of making your WordPress admin dashboard more secure from brute force attacks is by password protecting the entire wp-admin directory.

By doing so, anyone accessing wp-admin to log in to your WordPress site will be prompted to enter a password in order to access the URL. Only if a correct password is entered will users have access to wp-admin, and from there they can access the WP dashboard.

Using this method is not recommended for beginner users and we suggest you make a backup or practice this on a test site before deploying it on a live site.

Many hosting providers have helpful guides on how to protect wp-admin area such as this by InMotion Hosting: http://www.inmotionhosting.com/support/website/wordpress/prevent-unauthorized-wp-admin-wp-login-php-attempts

23- Restrict IP Address on WordPress Login Page

If you are not comfortable password protecting the wp-admin directory, then another strong security measure is to restrict which IP addresses can access your WP login page.

You first need to note down the IP addresses that you want to allow access to the WP login page. After that, you will need to add those IP addresses to your .htaccess file, or if you prefer to use a plugin, then IP Ban is the simplest and best plugin to restrict IPs.

24- Use SSL to encrypt data

Whenever you see a website being served over HTTPS, that means it has an SSL certificate installed.

Google made HTTPS a ranking factor back in 2015, and later Let’s Encrypt was launched, which gives away free SSL certificates to all websites.

I recommend having your entire website serve HTTPS content. This has two major benefits: you and your visitors will have a secure, encrypted connection to your website, and you will have a better chance of ranking higher on the SERPs.

To learn how to install an SSL certificate, you can read a helpful guide from our friends at WPExplorer here.

Part D: Securing WordPress Web Host

25. Add Real-Time Monitoring

Knowing exactly and immediately when your website goes offline lets you act and fix your website faster.

There can be a lot of reasons why your WordPress website goes down. To name a few:

1- Datacenter of your web host goes down.

2- There is a spike on your website that your server is unable to handle.

3- Your website is compromised or is hacked.

Either way, knowing immediately would mean you can be back up sooner.

To recover a hacked website we suggest you monitor the files that were changed without your permission, note them down and restore your WordPress website. Change the passwords and disable access to the files that were compromised.

Some hosting providers, like Cloudways, come with real-time monitoring tools built in; otherwise, you can use services like Pingdom.

26. Protect the wp-config.php file

Wp-config.php is one of the most important WordPress files that you should protect and keep backups of. It has all the necessary details like database connections and other rules.

The best way to protect wp-config.php is to deny access by adding the following rules to your .htaccess file:

# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Our friends at WPMU DEV have written an awesome post that defines in detail what you can do to protect wp-config.php here.

27. Disallow file editing in WordPress Dashboard

If you are fond of version controlling and want to track each of the changes made by your team on a WordPress site, then you should disable any sort of editing via the WordPress Dashboard itself.

You need to disable the theme editor, files and themes updates via the dashboard. You can easily do that by adding the following rule in wp-config.php file.

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

28. Use SFTP & SSH to access your server

Many hosting providers have FTP access. FTP is not a secure connection and I recommend you ask your hosting provider to provide SFTP access rather than FTP.

An SFTP connection is encrypted, ensuring better security if your network is compromised by man-in-the-middle attacks.

On Linux-powered web servers, SSH access is the most secure way to connect. If your hosting provider has SSH access, then you are in good hands.

29. Set directory permissions on WordPress files and Folders

The default permissions on any WordPress site should be as follows

Files: 644

Folders: 755

You can ask your hosting provider to check and set the required permissions on the files and folders or you can use the FTP client to set the permissions.

In any case, avoid having 777 file permission on any file or folder.
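The 644 / 755 baseline above can be checked from an SSH session instead of file by file in an FTP client. The script below is an added example, not part of the original guide; the function names and the sample directory tree are constructed for illustration, and it treats modes stricter than the baseline as acceptable.

```sh
#!/bin/sh
# Added example: find files and folders with looser permissions than the
# 644 / 755 baseline, then tighten them. Stricter modes (e.g. 600) are kept.

# looser_than_baseline ROOT
# Prints "file PATH" for files with an execute bit or a group/world write
# bit set, and "dir PATH" for folders that are group- or world-writable.
looser_than_baseline() {
    {
        find "$1" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
            -o -perm -0002 -o -perm -0001 \) -print | sed 's/^/file /'
        find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print | sed 's/^/dir /'
    } | sort
}

# tighten_to_baseline ROOT
# Only removes bits, so a file that is already stricter than 644 is not loosened.
tighten_to_baseline() {
    find "$1" -type f -exec chmod u-x,go-wx {} +
    find "$1" -type d -exec chmod go-w {} +
}

# Constructed sample tree (hypothetical layout) with two deliberate problems:
# a 777 uploads folder and a 666 file. wp-config.php is 600 and must stay so.
make_sample_tree() {
    mkdir -p "$1/wp-content/uploads"
    : > "$1/index.php"
    : > "$1/wp-config.php"
    : > "$1/wp-content/uploads/photo.jpg"
    chmod 755 "$1" "$1/wp-content"
    chmod 777 "$1/wp-content/uploads"
    chmod 644 "$1/index.php"
    chmod 600 "$1/wp-config.php"
    chmod 666 "$1/wp-content/uploads/photo.jpg"
}

# Demo run: report, tighten, report again (second report is empty).
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
looser_than_baseline "$demo_root"
tighten_to_baseline "$demo_root"
looser_than_baseline "$demo_root"
rm -rf "$demo_root"
```

Run the report function on its own first and review the list before tightening anything on a live site.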

30. Disable directory listing with .htaccess

Directories can be browsed by visitors and hackers alike to find out the file structure and files on your WordPress website. Directory browsing would let anyone find out what files you have and hence make it easier for a hacker to find a vulnerability.

To disable directory listing, add the following rule to the .htaccess file.

Options -Indexes

Conclusion:

I recommend reading up on Hardening WordPress on WordPress codex to get more details about WordPress security. You can also read Kinsta’s WordPress Security tips to get more insight into WordPress Security.

Other than that, I would like to add that implementing all the points above on a single website is not necessary. You can have a combination of a few security measures to improve your WordPress security.

If you have any questions, let me know in the comments section below.