Securing our WordPress site has become paramount. As one of the most popular CMS platforms, WP powers 810 million websites worldwide, making it a prime target for cyber threats. Protecting our online presence is vital to guarding our data, holding user trust, and ensuring business continuity. This guide will list the top 15 essential ways to secure our WordPress site.

Basic Best Practices

1. Secure WP Admin Login

Securing our WordPress admin login is the first line of defence against unauthorized access.

  • Strong and Unique Passwords: Use a combination of uppercase and lowercase letters, then add numbers and special characters. Never use easily guessable passwords.
  • Two-Factor Authentication (2FA): Enable two-factor authentication (2FA) for an additional layer of security. This requires a second setup of verification.
  • Change Default Admin Username: WordPress comes with a default admin username, which is widely known. Change this to a more unique and less predictable username to reduce the risk of targeted attacks.

2. Using and Limiting Trusted WordPress Theme and Plugins

WordPress plugins and themes are powerful tools that extend the functionality and aesthetics of our website. However, themes and plugins can also introduce security vulnerabilities if not properly vetted and maintained. Follow these best practices:

  • Use Trusted Sources: Only download and install themes and plugins from trusted sources. Avoid the usage of pirated or nulled versions, as they may contain malicious code.
  • Keep Plugins and Themes Updated: Regularly update our installed plugins and themes to confirm we have the latest security patches and bug fixes. Outdated plugins and themes can leave our site vulnerable to known exploits.
  • Disable or Remove Unused Plugins and Themes: Regularly audit our installed plugins and themes, and disable or remove any that are no longer in use. Unused components can introduce unnecessary security risks and potential conflicts.
  • Limit Plugin and Theme Installations: Only install plugins and themes that are vital for our website’s functionality and design. Excessive installations can increase the attack surface and make it more challenging to manage security updates.

3. Regular Updates and Backups

Keeping our WordPress installation, themes, and plugins up-to-date is crucial for maintaining a secure and well-functioning website. Outdated software can hold known vulnerabilities that criminals can exploit to gain unauthorized access or inject malicious code. To stay ahead of potential threats, follow these best practices:

  • Enable Automatic Updates: Configure WordPress to automatically install minor updates as soon as they become available.
  • Manually Update Major Releases: While minor updates can be automated, it’s recommended to manually update major WordPress releases, themes, and plugins. This allows us to test the updates for compatibility and potential conflicts before deploying them on our live site.
  • Create Regular Backups: Implement a robust backup strategy to ensure we can quickly restore our site in case of data loss or corruption. Consider using a backup plugin or a third-party backup service to automate the process and store backups securely off-site.
  • Test Backups Regularly: Backups to ensure they are complete and can be successfully restored.

4. Secure WordPress Hosting

Choosing a secure and reliable hosting provider is crucial for the general security and performance of our WP site. A compromised hosting environment can expose our site to various threats, regardless of the security measures we implement on our end. Consider these when selecting a hosting:

  • Reputable and Trusted Provider: Research and choose a hosting provider with a settled track record of security and reliability. Look for hosting providers that are experts in WordPress hosting and offer dedicated security features.
  • Regular Security Updates: Ensure that our hosting provider regularly updates their server software and applies the latest security patches to mitigate known vulnerabilities.
  • Secure Server Configuration: Verify that our hosting provider follows industry best practices for secure server configurations, such as disabling unnecessary services, implementing firewalls, and restricting access to sensitive files and directories.
  • Robust Backup and Disaster Recovery: Evaluate the hosting provider’s backup and disaster recovery solutions to ensure that our site can be quickly restored in case of data loss or server failures.
  • DDoS Protection: Look for hosting providers that offer Distributed Denial of Service.

5. SSL Certificates and HTTPS

Implementing SSL (Secure Sockets Layer) certificates and enabling HTTPS (Hypertext Transfer Protocol Secure) is essential for securing our WordPress site and protecting sensitive data transmission. Here are the key benefits of using SSL/HTTPS:

  • Data Encryption: HTTPS encrypts all data transmitted between our website and visitors’ browsers, including login credentials, form submissions, and other sensitive information.
  • Enhanced Trust and Credibility: Websites with HTTPS are marked as secure by modern browsers, displaying a padlock icon and improving user trust and confidence.
  • Improved SEO Ranking: Search engines like Google prioritize secure websites in their rankings, giving HTTPS-enabled sites a potential SEO advantage.

6. Strong Passwords and User Permissions

Implementing strong password policies and properly managing user permissions are essential for protecting our WordPress site from unauthorized access and potential data breaches. Follow these best practices:

  • Strong Password Requirements: Enforce strong password requirements for all user accounts, including a minimum length, a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessable information, such as names or birthdates.
  • Limit User Permissions: Only grant the minimum necessary permissions to users based on their roles and responsibilities. Avoid granting administrative privileges to users who don’t require them.
  • Periodic Password Changes: Implement a policy for periodic password changes, especially for privileged accounts like administrators and editors.

Intermediate Best Practices

7. Regular Malware Scanning

To protect our site from these unethical threats, it’s essential to perform regular malware scans. Here are some best practices for malware scanning:

  • Automated Malware Scanning: Implement an automated malware scanning solution, such as a plugin or a third-party service, to continuously monitor our site for potential threats. These solutions can detect and remove known malware, as well as identify suspicious behaviour or code modifications.
  • Manual Malware Scanning: In addition to automated scanning, periodically perform manual malware scans using reputable security tools and scanners. This can help identify potential threats that may have been missed by automated solutions.
  • Monitor for Suspicious Behavior: Maintain an eye out for any unusual or suspicious behaviour on our site, such as unexpected changes to files or database entries, unexplained traffic spikes, or unauthorized administrative actions.
  • Incident Response Plan: Produce an incident response plan that outlines the steps to take in case of a malware infection or security breach. Plan it with steps for containment, analysis, and remediation, as well as communication protocols.

8. Protecting the wp-config.php File

The wp-config.php file is an important component of our WordPress installation, as it stores sensitive information such as database credentials and authentication keys. Given are some finest practices for securing the wp-config.php file:

  • File Permissions: Set appropriate file permissions for the wp-config.php file, ensuring that it is readable by the web server but not writable by anyone else. This can typically be achieved by setting the file permissions to 644 (read and write for the owner, read-only for the group and others).
  • Move the File Above the Root Directory: Consider moving the wp-config.php file one level above the root directory of our WordPress installation. This makes it more difficult for potential attackers to locate and access the file.
  • Disable File Editing: Disable the ability to edit files, including the wp-config.php file, from the WordPress admin dashboard. This can be executed by adding these line to our wp-config.php file: define(‘DISALLOW_FILE_EDIT’, true);
  • Regular Backups: Implement a regular backup strategy for the wp-config.php file, ensuring that we have a clean copy available in case of corruption or unauthorized modifications.
  • Monitoring and Auditing: Monitor the wp-config.php file for any unauthorized changes or modifications, and regularly audit the file to ensure that its contents are secure and up-to-date.

9. Disabling File Editing in the WordPress Dashboard

The WordPress dashboard provides a convenient interface for managing our site’s content, settings, and plugins. However, it also includes the ability to edit core WordPress files, themes, and plugins directly from the dashboard. While this feature can be practical for making quick changes, it can also introduce security risks if not properly managed. To mitigate these risks, it’s recommended to disable file editing in the WordPress dashboard. Follow to accomplish this:

  1. Open your wp-config.php file located in the root directory of our WordPress installation.
  2. Add: define(‘DISALLOW_FILE_EDIT’, true);
  3. Save to wp-config.php file.

Adding this line of code disables direct file editing from the WordPress dashboard, preventing accidental or malicious changes to core files, themes, and plugins. While we can still edit files via a code editor or FTP, this enhances security by restricting dashboard access and reducing the risk of vulnerabilities.

10. Changing Default Login URLs

By default, WordPress uses a predictable URL structure for the login page, typically example.com/wp-admin or example.com/wp-login.php. While these URLs are widely known and convenient for legitimate users, they can also make our site more susceptible to brute-force attacks and unauthorized access attempts. To enhance security, we should consider changing the default login URLs to a more obscure and less predictable path. Accomplish this:

  1. Install and activate a plugin such as “WPS Hide Login” or “iThemes Security Pro” (formerly “Better WP Security”).
  2. In the plugin settings, find ‘Change login URL.’
  3. Enter a new, unique URL path for our login page, such as example.com/my-secure-login or example.com/random-string.
  4. Save changes and test the new login URL to ensure it’s working correctly.

By changing the default login URLs, we make it more difficult for potential attackers to locate and target our login page, reducing the risk of brute-force attacks and unauthorized access attempts. However, it’s important to note that this measure should be combined with other security best practices, such as strong passwords, two-factor authentication, and limiting login attempts, for maximum protection.

Additionally, we should communicate the new login URL to all authorized users and update any documentation or bookmarks accordingly. It’s also recommended to periodically change the login URL to further enhance security and stay ahead of potential threats.

Advanced Best Practices

11. Disable XML-RPC

The XML-RPC (Remote Procedure Call) is a WordPress feature that allows remote systems and applications to interact with our site’s content and functionality. While this feature can be useful for certain use cases, such as mobile apps or third-party integrations, it can also introduce security risks if left enabled and unprotected. Cybercriminals can exploit the XML-RPC functionality to launch brute-force attacks, distribute spam, or perform other malicious activities. To mitigate these risks, it’s recommended to disable the XML-RPC feature if we don’t have a specific need for it. We can accomplish this:

  1. Open your wp-config.php file located in the root directory of our WordPress installation.
  2. Add in end of the file: define(‘DISABLE_XML_RPC’, true ); // Disable XML-RPC functionality
  3. Save to wp-config.php file.

Adding this line of code disables XML-RPC on our WordPress site, reducing potential vulnerabilities. If we need XML-RPC for specific uses, we should implement additional security measures like rate-limiting or IP whitelisting to mitigate risks.

12. Strong Server with Hosting Company

While securing our WordPress site is crucial, it’s equally important to ensure that our hosting environment is secure and reliable. A strong server configuration with our hosting company can significantly enhance the overall security of our WordPress site. Considerations when it comes to a strong server setup:

  • Secure Server Configuration: Ensure that our hosting company follows industry best practices for secure server configurations, such as disabling unnecessary services, implementing firewalls, and restricting access to sensitive files and directories.
  • Regular Security Updates: Verify that our hosting company regularly updates their server software and applies the latest security patches to mitigate known vulnerabilities.
  • Robust Backup and Disaster Recovery: Evaluate the hosting provider’s backup and disaster recovery solutions to ensure that our site can be quickly restored in case of data loss or server failures.
  • DDoS Protection: Look for hosting providers that offer Distributed Denial of Service protection to safeguard our site against malicious traffic and potential downtime.
  • SSL/TLS Encryption: Ensure that our hosting company supports and encourages the use of SSL/TLS encryption for secure data transmission between our site and visitors’ browsers.
  • Server Monitoring and Logging: Inquire about the server monitoring and logging practices implemented by our hosting company.

13. Web Application Firewall

A Web Application Firewall (WAF) is a security solution that monitors and filters incoming web traffic to our WordPress site, protecting it from various types of attacks. A WAF acts as a powerful security layer between our site and the internet, analyzing and blocking potential threats before they can reach our site’s server.

Implementing a WAF can provide several benefits for the security of our WordPress site:

  • Protection from Known Vulnerabilities: WAFs are designed to detect and block attacks targeting known vulnerabilities in WordPress, plugins, and themes, providing an additional layer of defence against exploits.
  • Real-time Threat Detection: WAFs can analyze incoming traffic in real time, identifying and blocking malicious requests or activities based on predefined security rules and patterns.
  • Customizable Security Rules: Many WAF solutions allow us to customize security rules and policies to align with our specific security requirements and threat landscape.
  • Centralized Security Management: WAFs often provide a centralized management console, allowing us to monitor and manage security policies, view logs, and receive alerts for potential threats across multiple sites or servers.

14. Block Hotlinking

Hotlinking happens when a website directly links to and displays images or other media files hosted on our WordPress site without our permission. This practice can lead to increased bandwidth usage, slower page load times, and potential copyright infringement issues.
To prevent hotlinking and protect our site’s resources, we can implement measures to block unauthorized access to our media files. We can accomplish this:

Apache Server Configuration:

If we’re using an Apache web server,

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?thedomain.com [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

Replace thedomain.com with our actual domain name. This code checks the HTTP Referer header and blocks requests for specified file types (e.g., JPG, PNG, GIF) if the referrer is not our domain.

Nginx Server Configuration:

If we’re using an Nginx web server,

location ~* \.(jpg|jpeg|png|gif)$ {

valid_referers none blocked thedomain.com;

if ($invalid_referer) {

return 403;

}

}

Again, replace thedomain.com with your actual domain name. This code checks the HTTP Referer header and blocks requests for specified file types if the referrer is not your domain or allowed sources.

WordPress Plugin:

Alternatively, you can install and activate a WordPress plugin like “No Hotlink” or “Hotlink Protection” to manage hotlinking protection through the WordPress admin interface.

15. Run Final Security Tests

After implementing the various security measures outlined in this guide, it’s crucial to perform final security tests to ensure that our WordPress site is properly secured and to identify any remaining vulnerabilities or potential issues. Here are some recommended security testing practices:

  • Vulnerability Scanning: Use reputable online vulnerability scanners or security plugins to scan our WP site for known vulnerabilities. These tools can help us easily identify and prioritize areas that demand further attention.
  • Penetration Testing: Consider hiring a professional security firm or ethical hacker to conduct penetration testing on our WordPress site. Penetration testing simulates real-world attacks and can help uncover vulnerabilities that may have been overlooked by automated scanning tools.
  • User Testing: Perform user testing by attempting to access restricted areas, upload malicious files, or perform other unauthorized actions on our site. This can help identify potential weaknesses in our user permissions, file upload restrictions, or other security controls.
  • Load Testing: Conduct load testing to evaluate our site’s performance and stability under high traffic or stress conditions.
  • Backup and Recovery Testing: Always test our backup and recovery processes by simulating a data loss or system failure scenario. Ensure that we can successfully restore our site from a backup and verify the integrity of the restored data.

Securing our WP site is an ongoing approach that requires vigilance, proactive measures, and a comprehensive approach. By implementing the top 15 essential ways outlined in this guide, we can greatly reduce the risk of cyber threats, data breaches, and other malicious activities, ensuring the safety and integrity of our online presence.

Remember, securing our WordPress site is not a single-time task; it’s a continuous consistency of effort that requires regular updates, monitoring, and adaptation to emerging threats. Stay informed about the latest security best practices, vulnerabilities, and patches, and don’t hesitate to seek professional assistance if needed.