How to Secure WordPress

The internet is full of cyber threats, so webmasters shouldn’t leave website security up to luck. It’s paramount to stay safe online. That’s why in this article we will uncover how to secure WordPress by using the 12 best web security practices.

There’s no better time to secure your website than now. Let’s get started, shall we?

Why Do You Need to Secure WordPress?

Powering 30.5% of all websites on the internet, WordPress is the most popular CMS to date. Unfortunately, its popularity also attracts hackers who seek to exploit the platform’s vulnerabilities. Sucuri confirmed this claim with a study that counted that 90% of 25,466 studied websites in 2018 that experienced security breaches use WordPress.

Hacking occurs to WordPress websites when bad actors manage to exploit vulnerabilities in the WordPress core, plugins, and themes. Based on WPScan vulnerability database statistics, we gathered some of the most common types of WordPress security vulnerabilities:

• Cross-site request forgery (CSRF) — forces the user to execute unwanted actions in a trusted web application.
• Distributed Denial-of-Service (DDoS) attack — incapacitates online services by flooding it with unwanted connections, thus rendering a site inaccessible.
• Authentication bypass — allows hackers to access website resources without needing to verify their authenticity.
• SQL injection (SQLi) — forces the system to execute malicious SQL queries and manipulates data within the database.
• Cross-site scripting (XXS) — injects malicious code that turns the site into a transporter of malware.
• Local file inclusion (LFI) — forces the site into processing malicious files placed on the server.

The consequences of getting hacked are far from pleasant. The hacked site, first and foremost, may experience significant data, asset, and credibility loss. Furthermore, if your website manages customer information, the incident can jeopardize your customers’ personal data and billing information.

Before you scramble to find another CMS, we have good news for you. The information above by no means indicates that WordPress has a terrible security system. On the contrary, most web security breaches happen due to the user’s lack of security awareness.

In short, you have the power to prevent hacking attacks from happening in the first place. And we’re here to help you do that.

How to Secure WordPress: 12 Best Practices

Securing a WordPress site doesn’t require a big budget or advanced technical knowledge. Here’s how to secure WordPress using 12 easy to implement security practices.

1. Keeping Your Site Updated with Secure WordPress Releases

The CMS releases regular software updates to improve site performance, including its security, making sure to keep secure WordPress. Thus, updating your website is the most basic web security practice you should do.

Despite sounding so simple, 41.9% of WordPress websites are still running on outdated versions. If your site isn’t using version 5.2 as of writing, then you put your site at a higher risk of a breach and need to update to secure WordPress.

To check whether or not you have the latest secure WordPress version, you can navigate to the Updates menu from your WordPress dashboard. For the complete list of all released and to be announced secure WordPress versions, see this codex.

In case you don’t know how to update WordPress, you can follow this tutorial.

2. Using Secure WordPress Admin Login Credentials

One of the most common mistakes many users still do to this day is using common usernames like “admin,” “administrator,” and “test.” This is a small yet fatal error as doing so puts your site at a higher risk of successful brute force attacks.

In case you haven’t used unique admin login credentials yet, you can follow this tutorial to change your WordPress username. Alternatively, you can create a new secure WordPress administrator account with a different username and delete the old one.

Here’s how to create a new secure WordPress administrator account:

1. From your WordPress dashboard, navigate to the Users -> Add New.
2. Create a new user and assign an Administrator role to that account. Hit Add New User once you’re done.
   
3. Re-log with the newly created secure WordPress user.
4. Head back to the Users section, then navigate to the All Users section. Tick the old admin account’s checkbox you want to delete. Change the Bulk Actions dropdown menu to Delete, and click Apply.

As brute force attacks can even target secure WordPress sites with weak passwords, it’s essential to use unique login details. Try to incorporate variations of numbers, uppercase letters, and special characters into your password to make it harder to guess. Tools like LastPass and 1Password can help you create and manage complex passwords effortlessly.

Additionally, be aware of the network you use before logging into even a secure WordPress site. Public networks, like a coffee shop and library wifi, may not be as secure as they seem. To protect your login credentials, we advise you to use a VPN before going online in public places.

3. Enabling 2-Step Authentication

If you want to reinforce the login process even further, you should consider implementing 2-step authentication to secure WordPress. This authentication method adds a second layer of security to your login page, which requires you to input a unique code to complete the login process. The code is available only to you via a text message or a third-party authentication app.

You can find our detailed tutorial on how to enable 2-step authentication for a more secure WordPress site here.

4. Disabling PHP Error Reporting to Secure WordPress

The PHP error reporting feature is useful for monitoring the site’s PHP scripts. However, broadcasting your website’s vulnerabilities to other people is a serious security flaw and won’t help secure WordPress.

There are two ways to disable PHP error reporting to secure WordPress — via the PHP file or hosting control panel.

The first method requires you to add the following code snippet to the site’s wp-config.php file to help secure WordPress. Be sure to add it before any other PHP directive. You can use either an FTP client or File Manager to make the modification.

error_reporting(0);

@ini_set(‘display_errors’, 0);

If you don’t want to deal with coding, you can opt for the second method. Here’s how you can disable PHP error reporting for a secure WordPress site from Hostinger’s hPanel:

1. From your hPanel dashboard, navigate to the Advanced -> PHP Configuration.
2. On the PHP Options tab, uncheck the display_errors option. Then, click Save.
   

5. Not Using Nulled Themes Instead of Secure WordPress Themes

Nulled WordPress themes are the pirated version of original premium themes. HomePress and Integrio are two among many premium themes that fall victim to this illegal practice.

Despite being more affordable, nulled themes have a ton of security flaws. They often carry malware, spam links, and backdoors that can endanger your website’s security.

Being distributed illegally, nulled themes also don’t come with any support from the developers. That means if something bad happens to your site, you’re on your own, without any advice on how to secure WordPress after an incident.

For this reason, it’s best to avoid using nulled themes at all costs and opt for secure WordPress themes from official repositories or trusted developers and their official marketplaces.

6. Scanning WordPress for Malware

Despite being cautious about the plugins and themes you install on your site while trying to secure WordPress, there’s no guarantee that they won’t carry any malware with them. The most common types of malware are viruses, spyware, and ransomware — all of which are incredibly harmful to your site.

Therefore, it’s crucial to scan your site regularly. To know how to secure WordPress best, you should check out what the various plugins offer.

Fortunately, there are plenty of great security plugins to choose from. Take a look at our recommendations of WordPress security plugins below and see which one best suits your preference:

• Wordfence — a popular security plugin with real-time malware signature updates, a block alert that notifies you if another site blacklists yours for suspicious activity, and reCAPTCHA protection.
• BulletProof Security — helps secure WordPress with an idle session logout feature that prevents other users from hijacking an unattended device, hidden plugin folders that aren’t visible in the WordPress plugins section, and database backup and restoration tools.
• Sucuri Security — one of the best WordPress security plugins on the market that offers various SSL certificates, remote malware scanning, and post-hack security action features that can show you how to secure WordPress after a breach and help resolve technical issues and improve security.

Don’t know how to install a secure WordPress plugin? Not to worry, this comprehensive guide can help you set one up in no time.

7. Migrating a Site to More Secure WordPress Hosting

41% of WordPress websites were hacked due to security loopholes in their hosting accounts. Despite being seemingly unrelated, your web hosting provider has a significant role in keeping your server secure. In other words, your website security won’t matter much if the server it’s on is prone to cyberattacks.

If you think your current web hosting provider is unreliable, it’s time to migrate your WordPress site to a new one. Here’s what you need to consider when deciding how to secure WordPress through hosting:

• Type of web hosting
  Due to server sharing, shared hosting tends to be more prone to cyberattacks than other types of hosting. So, you either make sure your account is isolated from other users or migrate to VPS or dedicated hosting.
• Security
  A good hosting provider monitors its network for suspicious activity and updates its server software and hardware periodically. They also need to have server security and protection against all types of cyberattacks.
• Features
  Regardless of the type of hosting, having automatic backups and security tools for preventing malware is a must-have feature to secure WordPress. In the worst-case scenario, you can use it to restore a compromised website.
• Support
  Having a 24/7 support team with excellent technical knowledge to help you secure WordPress is essential in tackling any technical and safety problems that may occur.

With Hostinger, we ensure you get all the essential resources and features needed to protect your WordPress site. Not only do we provide various types of hosting services, but we also offer them for an affordable price. Additionally, our customer support team is always ready to assist you 24/7. Check out what our secure WordPress hosting plans have to offer.

8. Backing Up as Frequently as Possible

While it’s essential that you arm your website with various security measures, regularly backing up the entire site is equally important. When thinking about how to secure WordPress, you won’t need to worry about losing all your hard work in the event of a security breach.

There are a few ways to create backups. You can manually download WordPress files and export the database or use your hosting provider’s backup tool. Various WordPress backup plugins can also help you do the job easily.

Here are several top-notch secure WordPress backup plugins worth considering:

• VaultPress — a Jetpack-powered plugin equipped with backup and restoration tools, site migration services, and automated file repair that restores infected files.
• BackUpWordPress — a beginner-friendly, multilanguage secure WordPress backup plugin that allows you to backup selected files or the entire website and provides you with the option to send them via email.
• Backup Guard — a feature-packed plugin that offers unlimited backups, cloud storage integration with popular platforms like Dropbox and Google Drive, backup logs that recap your backup history, and mail notification features.

If you don’t know where to start, feel free to check this tutorial on how to create secure WordPress backups in Dropbox with UpdraftPlus. Alternatively, see this article for more information about WordPress backups.

9. Turning Off File Editing

WordPress’ in-built file editor allows you to edit PHP files easily. Despite so, this feature can become a double-edged sword if hackers gain control of it.

For this reason, some WordPress users prefer to deactivate this feature completely. You can disable it by adding the following line of code to the wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

10. Removing Unused Themes and Plugins

As themes and plugins can potentially have vulnerabilities, it’s not a good idea to pile them up on your site for no reason when considering how to secure WordPress. Furthermore, having outdated yet active plugins increases the risk of cyberattacks as hackers can use them to gain access to your site.

Thus, it’s best to remove unused plugins and themes altogether.

11. Using .htaccess for Better Security

The .htaccess file ensures WordPress links work properly. Without this file declaring the correct rules, you will get a lot of 404 errors. Additionally, the file can help you secure WordPress

For example, .htaccess allows you to block access from specific IPs or disable PHP execution on specific folders and helps run secure WordPress sites. The examples below show you how to use .htaccess to harden WordPress security.

Disallowing Access to the WordPress Administrator Area

The code below grants access to only specific IPs to the administrator area, helping secure WordPress.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx
</LIMIT>

Be sure to change XX.XX.XX.XXX to your IP address. If you’re not sure what your IP address is, WhatIsMyIP can help you identify it.

If you use more than one connection to manage your secure WordPress site, make sure to include all other IPs by repeating the allow from code as many times as necessary.

Disabling PHP Execution in Specific Folders

Hackers like to upload backdoor scripts to the Uploads folder. By default, this folder only hosts uploaded media files. So, it shouldn’t contain any PHP files. To keep a secure WordPress site, you can easily disable PHP execution in the folder by creating a new .htaccess file in /wp-content/uploads/ with these rules:

<Files *.php>

deny from all

</Files>

Protecting the wp-config.php File

The wp-config.php file contains WordPress core settings and MySQL database details, thus making it the most important file in your site. For the same reason, wp-config.php file is also a hacker’s primary target. You can easily protect this file and keep WordPress secure by implementing these .htaccess rules:

<files wp-config.php>

order allow,deny

deny from all

</files>

12. Changing the Default WordPress Database Prefix to Prevent SQL Injections

The database holds and stores all crucial information required for your site to function. Due to this reason, hackers often target it with SQL injection attacks.

SQL injections comprise 80% of cyber-attacks executed on WordPress websites, making it one of the biggest threats. One of the reasons why hackers go with this type of cyberattack is because many users forget to change the default database prefix wp_.

In this step, we will briefly overview how to secure WordPress against such attacks.

Changing Table Prefix

1. From your hPanel dashboard, navigate to the File Manager section and open the wp-config.php file. You can also use an FTP client.
2. Look for the $table_prefix value within the following block of code, then replace the default database prefix wp_ with the new one. You can use a combination of letters and numbers to create a unique prefix.

   /**
    * WordPress Database Table prefix.
    *
    * You can have multiple installations in one database if you give each
    * a unique prefix. Only numbers, letters, and underscores please!
    */
   $table_prefix = 'wp_1secure1_';
   

3. Moving back to the hPanel dashboard, access the phpMyAdmin section. Then, open your WordPress database by clicking Enter phpMyAdmin.
   If you have multiple databases, you can find the database’s name in the wp-config.php file. Look for the following block of code:

   // ** MySQL settings - You can get this info from your web host ** //
   /** The name of the database for WordPress */
   define( 'WordPress database', 'user' );
   

4. From the phpMyAdmin dashboard, navigate to the SQL tab at the top menu bar.
5. Enter the following query in the SQL query editor to change your database prefix to secure WordPress:

   RENAME table `wp_tablename` TO `wp_1secure1_tablename`;

   Be sure to change `wp_tablename` with your current table name, and `wp_1secure1_tablename` with the new prefix and table name to help secure WordPress. Repeat this line of code based on the number of the tables you want to rename, then select Go.
   

Changing Value Prefix Manually

Depending on the number of plugins you installed on the site, you might need to update some values in the database manually to help secure WordPress. You can do it by running separate SQL queries on tables that are likely to have values with the wp_ prefix — Options and Usermeta tables, for example.

Instead of going through all your tables one by one, you can use the syntax below to filter all values that contain the prefix:

SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE '%wp_%'

`wp_1secure1_tablename` contains the table name in which you want to perform the query. Meanwhile, `field_name` represents the name of the field/column where values with wp_ prefix most likely appear.

Here’s how to manually change the prefix value to one that helps secure WordPress:

1. From phpMyAdmin dashboard, navigate to the SQL tab at the top menu bar.
   
2. Enter the above Select query in the SQL query editor to filter the values that contain wp_, then click Go. Be sure to modify the syntax according to your real table and field name.
   
3. Once you get the results, update all values from wp_ to your newly configured prefix by clicking the Edit button next to the targeted field. Change the prefix value to the new one, then click Go. Do this to all the filtered values.
4. Repeat these steps for the rest of the tables within the database to help secure WordPress.

Securing WordPress New Installation

If you are planning on installing a fresh site and want to keep a secure WordPress database, you don’t have to perform the above steps. WordPress automatically requires you to decide what table prefix you want to use during the database setup process. Refer to this tutorial for more information on how to set up a secure WordPress database.

Conclusion

As many cyber threats are lurking on the internet, all websites must have an excellent security system. As WordPress is a common target for hackers due to its popularity, webmasters should definitely take extra steps to ensure safety.

Here’s how to secure WordPress with 12 impactful web security practices:

• Keeping your site up to date with the latest secure WordPress release.
• Using unique admin login credentials.
• Enabling 2-step authentication to secure WordPress.
• Disabling PHP error reporting.
• Avoiding the use of nulled WordPress themes.
• Scanning WordPress for malware.
• Migrating a site to more secure WordPress hosting.
• Backing up the WordPress site frequently.
• Turning off the File Editing feature.
• Removing unused themes and plugins.
• Using .htaccess to disable PHP execution and protect the wp-config.php file.
• Changing the default WordPress database prefix.

What do you think is the best way to secure WordPress? Let us know in the comments section below!