August 28, 2020
17min Read
Edvinas B.
Staying safe online is paramount nowadays, since the Internet is full of cyber threats. Because of that, webmasters shouldn’t neglect WordPress security.
That’s why in this article we will uncover the best WordPress security tactics, using 18 easy-to-implement web security practices.
Better WordPress security doesn’t require a huge investment or advanced technical knowledge. Here’s how to improve your website’s protection by using simple to learn security practices.
Looking for a trustworthy WordPress hosting? Migrate your site to Hostinger today.
The CMS releases regular software updates that improve site performance and security, keeping it protected from new online threats. Thus, updating your website is the most fundamental WordPress security practice you can do.
Surprisingly, fewer than 50% of WordPress websites run the newest version. If your site is using an older version, such as 4.x, you put it at a higher risk of a breach and are in dire need of an update.
To check whether or not you have the latest WordPress version, you can navigate to the Updates menu from your dashboard. For the complete list of all released and to be announced WordPress versions, you can follow this page.
In case you don’t know how to update WordPress, you can follow this tutorial.
One of the most common mistakes many users still make to this day is using common usernames such as “admin,” “administrator,” and “test.” Since these usernames are so universal, you shouldn’t be surprised to find failed login attempts against them while browsing through your WordPress website logs. This is a small yet fatal error, as it puts your site at a higher risk of a successful brute force attack.
In case you haven’t changed your admin login credentials yet, you can follow this tutorial to change your WordPress username. Alternatively, you can create a new secure administrator account with a different username and delete the old one.
Here’s how to create a new WordPress administrator account:
Brute force attacks can easily target a WordPress site with a weak password, so it’s essential to use unique login details. Try to incorporate variations of numbers, both uppercase and lowercase letters, and special characters into your strong password to make it much harder for someone to guess. Such tools as LastPass and 1Password can help you create and manage strong passwords effortlessly.
Additionally, be aware of the network you use before logging into even a well-protected WordPress site. Public networks, such as a coffee shop or school library WiFi, may not be as secure as they appear. To protect your login credentials, we advise you to use a VPN before going online from a public place.
If you want to reinforce the login process even further, you should consider implementing two-factor authentication to secure your WordPress website. This authentication method adds a second layer of WordPress security to your login page, which requires you to input a unique code to complete the login process. This code is available only to you via a text message or a third-party authentication app.
You can find our detailed tutorial on how to enable better authentication features for a more secure WordPress website here.
The PHP error reporting feature is useful for monitoring the site’s PHP scripts. However, showing those error messages to the public broadcasts your website’s weaknesses to other people, which is a serious WordPress security flaw and will only work against you.
There are two ways to disable PHP error reporting in order to improve WordPress security – via the PHP file or hosting control panel.
The first method requires you to add the following code snippet to the site’s wp-config.php file. Be sure to add it before any other PHP directive. You can use either an FTP client, such as FileZilla, or File Manager to make the modification.
error_reporting(0);
@ini_set('display_errors', 0);
If you don’t want to deal with coding, you can opt for the second method. Here’s how you can disable PHP error reporting from the hPanel:
Nulled WordPress themes are pirated versions of the original premium themes. HomePress, for example, is one among many premium themes that fall victim to this illegal practice.
Despite being more affordable, nulled themes have a ton of security flaws. They often carry malware, spam links, and backdoors that can endanger your WordPress security.
Being distributed illegally, nulled themes don’t receive any support from the developers. That means if something critical happens to your site, you’re on your own, without any advice on how to secure your WordPress website after the initial incident.
For this reason, it’s best to avoid using nulled themes at all costs and pick a WordPress theme from its official repositories or trusted developers and their official marketplaces.
Despite being cautious about the plugins and themes you install on your site, there’s no guarantee that they won’t carry any malware with them. The most common types of malware are viruses, spyware, and ransomware – all of which can be incredibly harmful to your site.
Therefore, it’s crucial to scan your site regularly and learn what various WordPress plugins are able to offer.
Fortunately, there are plenty of great plugins to choose from. Here are some of our recommendations for WordPress security plugins, so feel free to pick one that best suits your preference:
Don’t know how to install a WordPress security plugin? Not to worry, this comprehensive guide can help you set one up in no time.
41% of WordPress websites were hacked due to security loopholes in their hosting accounts. Your web hosting provider has a significant role in keeping your server secure. In other words, your website security won’t matter much if the server it’s on is prone to cyberattacks.
If you think your current web hosting provider is unreliable, it’s time to migrate your WordPress site to a new one. Here’s what you need to consider when searching for a reliable web host:
With Hostinger, we make sure you get all the essential resources and features needed to protect your WordPress website. Not only do we provide various types of hosting services, but we also offer them for an affordable price. Additionally, our customer support team is always ready to assist you 24/7.
While it’s essential that you arm your website with various security measures, regularly backing up the entire site is equally important. With a recent backup in hand, you won’t need to worry about losing all your hard work in the event of a security breach.
There are a few ways to create backups. You can manually download website files and export the database or use your hosting provider’s backup tools. Various WordPress backup plugins can also help you to do the job more easily.
Here are several top-notch WordPress backup plugins worth considering:
If you don’t know where to start, feel free to check this tutorial on how to create WordPress backups in Dropbox with UpdraftPlus. Alternatively, see this article for more information about WordPress backups.
WordPress offers an in-built file editor that allows you to edit PHP files easily. Despite that, this feature can become a double-edged sword if hackers gain control of it.
For this reason, some WordPress users prefer to deactivate this feature completely. You can disable it by adding the following line of code to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
IMPORTANT: In case you want to re-enable this feature on your WordPress website, simply remove the previous code from the wp-config.php file using an FTP client or your hosting provider’s File Manager.
As themes and plugins can potentially have vulnerabilities, it’s not a good idea to pile them up on your site for no reason, especially if it has been a while since they were last updated.
Furthermore, having outdated yet active plugins increases the risk of cyberattacks as hackers can use them to gain access to your site. Thus, it’s best to remove unused plugins and themes altogether.
The .htaccess file ensures WordPress links work properly. Without this file declaring the correct rules, you will get a lot of 404 errors. Additionally, the file can also help you secure your website even further.
For example, .htaccess allows you to block access from specific IPs or disable PHP execution on specific folders. The examples below show you how to use .htaccess to harden security for WordPress.
IMPORTANT: Before making any changes, we strongly advise you to backup the old .htaccess file. If anything goes wrong, you’ll be able to restore your site as it was.
Here, the following code grants access to only specific IPs of the administrator area.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Cover POST as well as GET, otherwise form submissions to the admin area stay unrestricted
<Limit GET POST>
order deny,allow
deny from all
allow from 00.00.00.000
</Limit>
Be sure to change 00.00.00.000 to your IP address. If you’re not sure what your IP address is, WhatIsMyIP can help you identify it.
If you use more than one connection to manage your WordPress website, make sure to include all other IPs by repeating the allow from code as many times as necessary.
Hackers like to upload backdoor scripts to the Uploads folder. By default, this folder only hosts uploaded media files. So, it shouldn’t contain any PHP files. To keep a safe WordPress site, you can easily disable PHP execution in the folder by creating a new .htaccess file in /wp-content/uploads/ with these rules:
<Files *.php>
deny from all
</Files>
The wp-config.php file contains WordPress core settings and MySQL database details, making it the most important file on your site. For the same reason, the wp-config.php file is also a hacker’s primary target.
You can easily protect this file and keep WordPress secure by implementing these .htaccess rules:
<files wp-config.php>
order allow,deny
deny from all
</files>
The database holds and stores all crucial information required for your site to function. Due to this reason, hackers often target it with SQL injection attacks.
SQL injections comprise 80% of cyber-attacks executed on WordPress websites, making them one of the biggest threats. One reason hackers favour this type of cyberattack is that many users forget to change the default database table prefix wp_.
In this step, we will briefly overview how to protect your WordPress site against such attacks.
IMPORTANT: Make sure to backup your secure MySQL database before proceeding.
/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wp_1secure1_';
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'MySQL Database' );
/** MySQL database username */
define( 'DB_USER', 'MySQL Username' );
RENAME table `wp_tablename` TO `wp_1secure1_tablename`;
Depending on the number of plugins you’ve installed on the site, you might need to update some values in the database manually. You can do it by running separate SQL queries on tables that are likely to have values with the wp_ prefix – these include Options and Usermeta tables, for example.
Instead of going through all your tables one by one, you can use the code below to filter all values that contain the following prefix:
SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE '%wp\_%';
`wp_1secure1_tablename` is the name of the table in which you want to perform the query. Meanwhile, field_name represents the name of the field/column where values with the wp_ prefix most likely appear. The underscore is escaped as \_ because an unescaped underscore is a single-character wildcard in LIKE and would match far more rows than intended.
Here’s how to manually change the prefix value:
If you are planning on installing a fresh site and want to keep your WordPress database safe, you don’t have to perform the aforementioned steps.
WordPress automatically requires you to decide what table prefix you want to use during the database setup process. Refer to this tutorial for more information on how to set up a WordPress database.
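The prefix change described in this step is easy to get half-done: the tables get renamed, but the rows in the options and usermeta tables that embed the old prefix in their keys are missed, and the site loses its roles and capabilities. The script below is an added example, not code from the article, Hostinger or WordPress. It connects with PDO, renames every table carrying the old prefix, then updates exactly the prefixed rows WordPress core relies on. The credentials, the database name and the script name are placeholder assumptions; the new prefix is the same example value the article uses.

```php
<?php
/**
 * Example table-prefix migration script (added example, not from the article).
 * Run it on the server from the command line, after backing up the database:
 *   php change-prefix.php            # dry run: only prints the SQL
 *   php change-prefix.php --execute  # runs the statements
 */
$dsn        = 'mysql:host=localhost;dbname=wordpress;charset=utf8mb4'; // placeholder
$dbUser     = 'wp_user';       // placeholder
$dbPassword = 'change-me';     // placeholder
$oldPrefix  = 'wp_';
$newPrefix  = 'wp_1secure1_';  // the same example prefix the article uses
$execute    = in_array( '--execute', $argv, true );

// wp-config.php only accepts letters, digits and underscores in a prefix.
function valid_prefix( $prefix ) {
    return (bool) preg_match( '/^[A-Za-z0-9_]+$/', $prefix );
}

// Build the full list of statements before touching anything.
function build_statements( PDO $pdo, $old, $new ) {
    $stmts = [];
    // "_" is a single-character wildcard in LIKE, so escape it.
    $like  = $pdo->quote( str_replace( '_', '\\_', $old ) . '%' );

    // 1. Rename every table that carries the old prefix.
    $tables = $pdo->query( "SHOW TABLES LIKE $like" )->fetchAll( PDO::FETCH_COLUMN );
    foreach ( $tables as $table ) {
        $renamed = $new . substr( $table, strlen( $old ) );
        $stmts[] = "RENAME TABLE `$table` TO `$renamed`";
    }

    // 2. The options table stores the role definitions under "<prefix>user_roles".
    //    Update only that row: other option names that happen to start with
    //    "wp_" (for example wp_page_for_privacy_policy) are literal names and
    //    must not be touched, which is why a blanket LIKE update is avoided here.
    $stmts[] = sprintf(
        "UPDATE `%soptions` SET option_name = %s WHERE option_name = %s",
        $new,
        $pdo->quote( $new . 'user_roles' ),
        $pdo->quote( $old . 'user_roles' )
    );

    // 3. User capabilities and levels live in usermeta under prefixed keys
    //    such as "<prefix>capabilities" and "<prefix>user_level".
    $stmts[] = sprintf(
        "UPDATE `%susermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE %s",
        $new,
        $pdo->quote( $new ),
        strlen( $old ) + 1,
        $like
    );
    return $stmts;
}

if ( ! valid_prefix( $oldPrefix ) || ! valid_prefix( $newPrefix ) ) {
    fwrite( STDERR, "Prefixes may contain only letters, digits and underscores.\n" );
    exit( 1 );
}

$pdo = new PDO( $dsn, $dbUser, $dbPassword, [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION ] );
foreach ( build_statements( $pdo, $oldPrefix, $newPrefix ) as $sql ) {
    echo $sql, ";\n";
    if ( $execute ) {
        // RENAME TABLE is DDL and commits implicitly, so there is no transaction
        // to roll back; the backup taken beforehand is the recovery path.
        $pdo->exec( $sql );
    }
}
```

Run the dry run first and read the statements it prints; only then run it with --execute, and finish by setting $table_prefix in wp-config.php to the new value, otherwise WordPress will look for tables that no longer exist. Plugins that create their own prefixed option or meta keys are covered by the rename and the usermeta update, but any plugin that hard-codes the old prefix elsewhere still needs to be checked by hand, as the article notes.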
By default, WordPress allows an unlimited number of login attempts, which means anyone can keep trying to log into a site as many times as they want. This is a perfect opportunity for hackers to brute force their way in, trying password combinations until they find the right one.
That’s why placing a limit on the number of failed WordPress login attempts is necessary to prevent brute force attacks. That way, anyone who exceeds the number of allowed attempts will be temporarily or permanently locked out.
Limiting failed attempts can also help you monitor any suspicious activities happening on your website. Most people only need a single try or a few failed attempts, so you should be suspicious of any questionable IP addresses.
One way to limit login attempts in order to increase WordPress security is by using a third-party plugin. There are many great options available. Here are some of our recommendations:
If you’re suddenly getting locked out of your WordPress account, we have an article that can help you to fix the issue.
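To show what a login-limiting plugin actually does under the hood, here is an added example of a small must-use plugin; it is not code from the article or from any of the plugins it recommends. It counts failed logins per client address with WordPress transients and refuses further authentication once a threshold is reached. The threshold, window and lockout length are assumed values, and the file name is an assumption.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter
 * Added example (not code from the article or any plugin it names).
 * Save as wp-content/mu-plugins/login-limiter.php; mu-plugins load automatically.
 */

// Assumed policy for this example: 5 failures within 15 minutes lock the
// client address out for 30 minutes.
define( 'ELL_MAX_FAILURES', 5 );
define( 'ELL_WINDOW', 15 * MINUTE_IN_SECONDS );
define( 'ELL_LOCKOUT', 30 * MINUTE_IN_SECONDS );

// Use REMOTE_ADDR only. Headers such as X-Forwarded-For are set by the client
// and are only trustworthy when a reverse proxy you control rewrites them.
function ell_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function ell_key( $kind ) {
    return 'ell_' . $kind . '_' . md5( ell_client_ip() );
}

// Count a failed login; start the lockout when the threshold is reached.
function ell_record_failure( $username ) {
    $failures = (int) get_transient( ell_key( 'fail' ) ) + 1;
    set_transient( ell_key( 'fail' ), $failures, ELL_WINDOW );
    if ( $failures >= ELL_MAX_FAILURES ) {
        set_transient( ell_key( 'lock' ), time(), ELL_LOCKOUT );
        // Leave a trail in the PHP error log for later review.
        error_log( sprintf( 'Login lockout: ip=%s user=%s failures=%d',
            ell_client_ip(), sanitize_user( $username ), $failures ) );
    }
}
add_action( 'wp_login_failed', 'ell_record_failure' );

// Refuse the login outright while the address is locked out. Priority 30 runs
// after WordPress's own username/password check (priority 20); returning a
// WP_Error here overrides that check's result, even for a correct password.
function ell_block_if_locked( $user, $username, $password ) {
    if ( false === get_transient( ell_key( 'lock' ) ) ) {
        return $user;
    }
    return new WP_Error( 'ell_locked_out',
        __( 'Too many failed login attempts. Please try again later.' ) );
}
add_filter( 'authenticate', 'ell_block_if_locked', 30, 3 );

// A successful login resets the failure counter for that address.
function ell_clear_failures( $user_login ) {
    delete_transient( ell_key( 'fail' ) );
}
add_action( 'wp_login', 'ell_clear_failures' );
```

Two points worth noting when reading it: the lockout applies to the address, not the username, so a shared office address can lock colleagues out together, and the transients live in the options table unless an object cache is configured, which is the same trade-off the plugins named above make. The error_log() line is what lets you spot the questionable IP addresses the text mentions.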
XML-RPC is a WordPress feature that lets users access and publish content via mobile devices, enable trackbacks and pingbacks, and use the JetPack plugin on their site. Though it’s enabled by default, it’s best to disable it if you’re not using its functions.
Some security concerns arise when XML-RPC is enabled, since this component has weaknesses that hackers can easily exploit.
The XML-RPC function was created for publishing content in bulk, which makes it possible for attackers to make hundreds of login attempts in a single request without being detected by security software.
What’s more, hackers can take advantage of the XML-RPC pingback function to implement DDoS attacks. This feature allows attackers to send pingbacks to thousands of websites at once, which can crash the targeted sites.
To know whether XML-RPC is enabled, run your site through the XML-RPC validation service and see whether you receive either an error or a success message. If you get the latter, it means the XML-RPC function is running on your website.
You can use any of these two methods to improve WordPress security – either use a plugin or do it manually – to disable the XML-RPC function.
Should you want a faster and simpler way to block the XML-RPC feature, we recommend installing a plugin called Disable XML-RPC Pingback.
This plugin automatically turns off the XML-RPC functionalities that hackers use to perform targeted attacks through this security flaw.
Another way to stop all incoming XML-RPC requests before they get passed on to WordPress is to do it manually.
To use this method, you need to locate the .htaccess file in your root directory. If you find difficulties locating the file, you can check our guide to identify or possibly create a new .htaccess file.
From here, copy and paste the following example inside your .htaccess file to disable XML-RPC:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 000.00.000.000
</Files>
If you want to allow XML-RPC access for a particular IP, replace 000.00.000.000 with that IP address; otherwise, delete the allow from line altogether.
Many users tend to forget to log out and leave their session running, allowing the next person who uses the device to access their account and potentially exploit their confidential information. This is especially true if you’re using a computer in an Internet café or a public library.
Thus, it’s crucial to configure your website to log off inactive users automatically. By doing so, an idle user will be kicked out from their account after some time.
Most bank and financial institution websites use this technique to prevent hackers from hijacking user sessions, ensuring that their clients’ data is safe.
Using a WordPress security plugin is one of the easiest ways to automatically log an idle user out.
Inactive Logout is one such solution. Aside from terminating unattended idle users, this plugin can also send a custom message to alert an idle user that their session will be ended soon.
Furthermore, the aforementioned BulletProof Security can also log out an idle user in addition to its other security features.
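For readers who would rather see the mechanism than install a plugin, here is an added example of an idle-logout must-use plugin; it is not code from the article or from Inactive Logout or BulletProof Security. It records a last-activity timestamp per user, logs the user out once that timestamp is older than the idle limit, and also shortens the absolute lifetime of the login cookie. The idle limit, the cookie lifetimes, the meta key and the file name are assumed values.

```php
<?php
/**
 * Plugin Name: Example Idle Session Logout
 * Added example (not code from the article or the plugins it names).
 * Save as wp-content/mu-plugins/idle-logout.php.
 */

define( 'EIL_IDLE_LIMIT', 30 * MINUTE_IN_SECONDS ); // assumed idle limit
define( 'EIL_META_KEY', 'eil_last_activity' );      // assumed user meta key

// Shorten the absolute lifetime of the login cookie as well. WordPress's
// defaults are 2 days, or 14 with "Remember Me"; the values returned here
// are assumptions for this example.
function eil_cookie_lifetime( $length, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}
add_filter( 'auth_cookie_expiration', 'eil_cookie_lifetime', 10, 3 );

// On each request by a logged-in user, compare the stored last-activity time
// with now: log the user out if idle too long, otherwise refresh the stamp.
function eil_check_idle() {
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return;
    }
    $now  = time();
    $last = (int) get_user_meta( $user_id, EIL_META_KEY, true );
    if ( $last > 0 && ( $now - $last ) > EIL_IDLE_LIMIT ) {
        delete_user_meta( $user_id, EIL_META_KEY );
        wp_logout(); // clears the auth cookies and destroys the session token
        wp_safe_redirect( add_query_arg( 'eil_idle', '1', wp_login_url() ) );
        exit;
    }
    // Write at most once a minute to avoid a database write on every request.
    if ( $now - $last > MINUTE_IN_SECONDS ) {
        update_user_meta( $user_id, EIL_META_KEY, $now );
    }
}
add_action( 'init', 'eil_check_idle' );

// Tell the user why they were signed out.
function eil_login_message( $message ) {
    if ( isset( $_GET['eil_idle'] ) ) {
        $message .= '<p class="message">' .
            esc_html__( 'You were signed out after a period of inactivity.' ) . '</p>';
    }
    return $message;
}
add_filter( 'login_message', 'eil_login_message' );
```

The idle check runs server-side, so it only fires on the next request the idle user makes; a plugin such as Inactive Logout adds a JavaScript timer on top of this to end the session in the browser as soon as the limit passes, which is what produces the warning message the text describes.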
It’s easier for hackers to break into your site when they know which version of WordPress you’re running. Using this information, they can use the vulnerabilities of that version to attack your site, especially if it’s been a while since you last updated your site to the latest version.
To hide the WordPress version from all areas of your site, do the following steps:
function dartcreations_remove_version() {
    return '';
}
add_filter('the_generator', 'dartcreations_remove_version');
You can also add this line to remove the WordPress generator meta tag:
remove_action('wp_head', 'wp_generator');
Keep in mind that hiding your version doesn’t stop your site from being vulnerable and doesn’t improve WordPress security by itself. Therefore, it’s still necessary to keep track of when your website was last updated.
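The generator tag is not the only place the version shows up: WordPress appends ?ver=<version> to the URL of every core script and stylesheet it enqueues, which reveals the version just as plainly. The snippet below is an added example, not code from the article, that removes both. The function and file names are assumptions.

```php
<?php
/**
 * Plugin Name: Example Version Hiding
 * Added example (not code from the article). Save as
 * wp-content/mu-plugins/hide-version.php or add it to the theme's functions.php.
 */

// The generator tag in <head> and in the RSS/Atom feeds, in one line:
// returning an empty string from this filter covers every output format.
add_filter( 'the_generator', '__return_empty_string' );

// Strip the ?ver= query string from enqueued script and style URLs. The high
// priority runs after other plugins that may have added their own version.
function ehv_strip_version_query( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'ehv_strip_version_query', 9999 );
add_filter( 'style_loader_src', 'ehv_strip_version_query', 9999 );
```

Two caveats: the ver parameter also serves as cache-busting, so after removing it browsers may keep serving old script files across updates, and the readme.html file in the site root still states the version and has to be deleted or blocked separately. Neither changes the point the text makes, which is that hiding the version is no substitute for updating.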
Hotlinking is when someone uses your image’s URL to display the picture on their own site. It’s a bad practice because every time people visit a website with hotlinks that lead to your content, it uses up your bandwidth.
As a result, your site will be slowed down and may run out of bandwidth. Aside from the additional costs, hotlinking is also illegal if the stolen content links to licensed images that you’ve acquired.
To see if your content is hotlinked somewhere on the web, you can type in the following in Google Images.
inurl:yourwebsite.com -site:yourwebsite.com
Make sure to replace the yourwebsite.com with your own domain name. Doing so will help you find some websites that have hotlinked your images.
Should you want to prevent hotlinking, here are a few ways to do that:
This method is one of the most effective ways to disable hotlinking. All you need to do is connect to your website via an FTP client and paste in the code snippet to your .htaccess file.
First of all, ensure that you have an FTP client set and ready before we continue. We recommend using FileZilla for this job.
Once you’re connected to your site, look for the .htaccess file and add this code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yahoo\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]
This code blocks hotlinking from all sites except those listed, so it’s crucial to add your own domains, popular search engines, and social media networks to allow them to crawl your images.
IMPORTANT: Remember to add the file formats you want to block. They are listed in the last line of the given code.
If you prefer to install a plugin instead, we recommend trying All in One WP Security & Firewall.
After installing and activating the plugin, from your WordPress dashboard, go to WP Security -> Firewall -> Prevent Hotlinks. Check Prevent Image Hotlinking and click Save Settings to finish the process.
A CDN uses a group of servers to provide fast content delivery, managing traffic by handling user requests much faster. Utilizing CDN servers can improve security, reduce bandwidth, and increase speed.
That being said, the method to disable hotlinking might be different for each CDN provider. For instance, Cloudflare has a built-in dashboard setting called Hotlink Protection, which you can easily enable under the ScrapeShield tab within its dashboard.
If you want to setup Cloudflare CDN on your WordPress site, feel free to check this article.
To prevent hotlinking from your cPanel, you have to log in to your hosting account and go to the Security section. Choose the Hotlink Protection option, set the necessary configurations, and click Submit.
If you’re using Hostinger, this guide can help you to activate Hotlink Protection in the hPanel.
Determining which users can read, write, or execute your site’s files or folders helps prevent hackers from gaining access to your admin account and server.
You can use any of these two options to manage your files and folders permissions:
Powering more than 35% of all websites on the Internet, WordPress is the most popular CMS to date. Unfortunately, its popularity also attracts hackers who seek to exploit the platform’s vulnerabilities. Sucuri confirmed this with a 2019 study of 60,299 websites that had experienced security breaches, 94% of which were running WordPress.
Hacking occurs when someone manages to exploit vulnerabilities in the WordPress core or vulnerable plugins and themes. Based on WPScan Vulnerability Database statistics, we gathered some of the most common types of WordPress security vulnerabilities:
The consequences of getting hacked are far from pleasant. A website that has been breached, first and foremost, may experience significant data, assets, and credibility loss. Furthermore, if your website manages customer information, the incident can jeopardize your customers’ personal data and billing information.
Before you scramble to find another CMS, we have good news for you: these facts by no means indicate that WordPress has a terrible security system. On the contrary, most WordPress security breaches happen due to the user’s lack of security awareness.
There are plenty of cyber threats lurking on the Internet. As a result, all webmasters must ensure that their sites are protected as much as possible. Since the CMS is a common target for hackers due to its popularity, everyone should take extra steps to ensure the security of their WordPress website.
Here’s how to ensure security for a WordPress site with 18 impactful safety practices:
What do you think is the best way to secure WordPress? Let us know in the comments section below!
September 07 2020
Thanks for these awesome tips. Just one question: do you feel we need any plugins like Wordfence etc. after taking these steps? I have read these plugins slow down the site, and also that security is something which should be taken care of by the hosting company rather than a plugin, so any help? Like, I am asking for serious business sites with lakhs of traffic. And last thing, would you suggest using Sucuri CDN and WAF, or is Cloudflare enough?
Tomislav T.
Replied on November 11 2020
Hey Aditya. You can definitely use plugins such as Wordfence, but they do slow the website as they spend your resources (it takes more RAM, CPU power etc to run each plugin). As for the CDN - CloudFlare should be enough. You don't want to add more than 1 CDN as they may conflict with each other.