How to secure your WordPress website
WordPress is the most popular CMS used today. And with more than 30% of all websites powered by WordPress it is no wonder that hackers focus a lot of attention on these sites. It doesn’t matter what kind of content you have on your WordPress website… if you don’t take precautions to secure your WordPress website, you’re likely to get hacked.
So let’s take a look at 15 ways you can secure your WordPress website.
1. Choose a good web hosting company
It may be tempting to choose the cheapest hosting available, however, cheap web hosting often means the server administrator hasn’t purchased additional security software and there are no additional layers of security in place.
Rather choose a hosting company who has installed additional security software and configured the server to protect against attacks. You might pay more, but at least you’ll know you have extra security against malicious intent.
2. Change the database prefix
When installing a WordPress website, you have the option to change the database prefix. The generic one is
wp_. Change this to something random which has no connection to your site content.
3. Choose a good username for the admin login
The first thing hackers do is try the usual admin user names so it is important to use a random name which can’t easily be guessed.
Avoid using the company name or your personal name for the admin login and rather create a secondary account for posting articles which has limited access to back end functionality.
4. Use a strong password
Use a very strong password which is hard to guess for all your accounts. If you’re unsure, use a password generator. I may be a bit paranoid when I create my passwords, but I usually string two passwrods together for that extra bit of protection.
5. Install a WordPress Security Plugin
A good WordPress security plugin is essential to keeping your WordPress website secure. It will scan for viruses and malware, protect you from brute force attacks and blacklist suspicious IPs.
Some plugins will allow you to rewrite your login url and allow you to login via email. Other will also have anti-spam measures in place and will protect your forms.
6. Be careful which themes and plugins you install
A lot of problems arise when using some themes and plugins, especially the free ones, so do a lot of research before installing a theme / plugin and read the reviews to ensure the theme / plugin is kept up to date and is secure.
Stay away from cracked themes / plugins as they contain hidden malicious code which could destroy your website and database or get access to your admin credentials.
7. Limit login attempts and whitelist your IP
If you security plugin allows it (and a good one will), limit the amount of login attempts to the back-end and additionally, only allow logins from trusted IP addresses.
Futhermore, you can change your wp-admin and wp-login url to something random which will further protect you from brute force attacks.
8. Use SSL to encrypt data
Install an SSL certificate to secure your WordPress website data. A good hosting company will provide free and auto SSL certificates, so all you need to do is ensure the certificate has been installed and that your website is using HTTPS instead of HTTP.
An SSL certificate encrypts data being sent to and from the server, so this is a vital security measure if you’re using any kind of form on your website.
9. Make regular backups
No matter how secure your WordPress website is, it’s always a good idea to make regular backups. While your hosting company may provide you with regular backups, you’ll want to ensure you have your own backups which can be downloaded to a local drive as well.
10. Keep your site up to date
A big part in keeping your WordPress site secure is to update it often. WordPress sends out updates regularly to close any security flaws they find. So as soon as an update is released, it is a good idea to apply it. This applies to the core files, themes and plugins.
11. Use the latest PHP version
Ensure you are using the latest PHP version as any versions older than two years will no longer be supported. This means that any vulnerabilities in older, unsupported versions are no longer being fixed.
12. Update your WordPress Security Keys
WordPress security keys are random variables which improve the encryption of information stored in the user’s cookies.
WordPress has a free tool which you can use to generate these keys. You can update your current keys which are stored in your wp-config file.
13. Change wp-config location and permissions
Check your file and folder permissions and ensure that the correct permissions are in place. Your wp-config file should be set to 440 or 400 to prevent other users on the server from reading.
Additionally, you’ll want to move your wp-config to a new location in your hosting environment. To do so, copy everything from your wp-config to a new file then place the following snippet in your old wp-config file to point to the new location:
Note: the directory path may differ based on your web host and setup.
14. Add the latest HTTP security headers
Another step you can take to further secure your WordPress site is by using the latest HTTP security headers. In a LiteSpeed environment, these headers are placed in your .htaccess file. If you cannot see your .htaccess file, simply unhide the file in your cPanel File Manager. And if it’s still not there, you’ll need to create a new one.
There are a lot of HTTP security headers, but the most important ones are:
- Content-Security Policy
To see which HTTP headers are currently running on your WordPress site, open Chrome devtools, go to Network and press Ctrl + R to reload the page, then click on the url and headers.
15. Disable File Editing in WordPress
If your WordPress site has multiple users and administrators, it is a good idea to disable file editing in order to further secure your WordPress website. Not only does this prevent users from editing your files, but it also prevents outside access to your files.
To do so, go to your wp-config file and add the following code:
// Disallow file edit
define( ‘DISALLOW_FILE_EDIT’, true );
To sum it all up, here are the 15 things you can do to secure your WordPress website:
- Choose a good web hosting company
- Change the database prefix
- Choose a good username
- Use a strong password
- Install a security plugin
- Install themes and plugins with care
- Limit login attempts
- Use SSL
- Make regular backups
- Update WordPress
- Use the latest PHP version
- Update your security keys
- Change wp-config location and permissions
- Add the latest HTTP security headers
- Disable file editing