How to Secure WordPress (2021)
WordPress security tends to split users into two groups: those who take it seriously and learn how to secure their site, and those who hope nothing will happen because their site is too small to matter.
The second group is usually wrong. Most compromises are not personal: automated scripts scan the whole Internet for known weaknesses and do not care how important a site is.
WordPress security is therefore everyone's concern. Below we share practical tips for securing a WordPress website, so you never have to deal with the aftermath of a hacked or defaced site.
Why Investing in WordPress Security Matters
WordPress is a popular content management system. It’s simple to use, there are thousands of themes and plugins available for it, and you can create any type of website with it. It’s no wonder then that WordPress powers more than 40% of all websites on the Internet.
However, popularity comes at a price: WordPress sites are attacked constantly. According to Sucuri, 94% of the infected websites it cleaned in 2019 ran WordPress, up four points from 2018.
Is WordPress Secure Then?
This might seem to suggest that WordPress is a poor choice and inherently insecure. That is far from the truth.
WordPress core is well maintained: a dedicated security team reviews it and ships fixes quickly. But no software runs in isolation, and whether a site gets compromised depends on many factors. Most successful attacks trace back to things the site owner controls: outdated components, weak credentials, misconfiguration and poorly vetted extensions. That is what this post addresses.
As mentioned above, attackers go after WordPress simply because of its huge install base: the same exploit works against millions of sites, so the odds of finding victims are high.
What happens when you get hacked?
Lost reputation and revenue, stolen or destroyed data, malware served to your visitors, ransomware that locks your site until you pay: none of it is pleasant, but all of it is on the table if you do not take WordPress security seriously.
Google can also flag a compromised site in Safe Browsing, so browsers and search results show a warning before anyone reaches it. Imagine all your SEO work wiped out in one go.
In other words, securing WordPress should be a top priority if you consider your website to be important for your business.
Use the following best practices to create baseline security
Here are some tips to help you secure WordPress. The first part covers the essential, basic measures everyone should follow. After that we move on to more technical and advanced procedures. Following only the first section already puts your site well ahead of the bulk of WordPress sites, which never get even that far.
1. Protect your computer, avoid being a risk factor
What does your computer have to do with your website? Simple: if your computer is infected, a keylogger or other malware can capture your credentials and compromise your site. Avoid this by:
- Using a VPN when you work on public Wi-Fi, so your credentials and session cookies cannot be sniffed
- Keeping your firewall on and running up-to-date antivirus software
- Running regular virus and malware scans on your operating system
- Keeping your operating system and other critical software (such as your web browser) updated
For detailed instructions, check this post.
2. Build a Safe Foundation with a Trustworthy Host
Attackers sometimes reach a website not through the site itself but through its hosting company. Choose a provider that has invested in security: current versions of PHP, MySQL and the web server, a server-level firewall, 24/7 security monitoring, and SFTP and SSH access instead of the unencrypted FTP protocol.
In addition, choose a hosting company that performs daily backups and regular malware scans (like SiteGround for example). You can even find hosting companies that employ various DDoS prevention measures. Also, be sure to check out what your hosting company offers in terms of help to recover compromised websites. When in doubt, always ask your host what security procedures they have in place.
3. To close points of entry, use strong passwords
Passwords are a weak point on every website, but one you fully control. Use a strong, unique password for every credential that touches your site:
- Your WordPress user account
- FTP/SFTP accounts
- The WordPress database
- Your hosting account
- The email address attached to these accounts
- Everything else connected to your site
Never reuse a password across accounts, and change one immediately if you suspect it has leaked. If you struggle to come up with strong passwords, let a password generator do it for you.
WordPress itself suggests a strong password when you create or edit a user and shows an indicator of how strong your own choice is.
Finally, if you have trouble remembering passwords, use a password manager such as LastPass.
4. Use minimal user permissions to reduce third-party risk
It is not only about your own password but also about the accounts of everyone else on your site. Minimize the risk they pose by giving each person only the permissions they need. Get familiar with the WordPress user roles (Subscriber, Contributor, Author, Editor, Administrator) and what each one is allowed to do.
A guest blogger writing a single post does not need an administrator account; Contributor, which lets them write drafts but not publish, is more appropriate. Also make sure the default role for new registrations is Subscriber under Settings > General > New User Default Role.
Granting permissions temporarily and revoking them afterwards is good practice. Switch the user's role in the Users menu for the duration of the job, then switch it back.
Delete user accounts that are no longer needed. You can also enforce strong passwords for other users: many WordPress security plugins include this, and there are dedicated paid products such as Password Policy Manager.
5. To close a common loophole, get rid of the admin username
WordPress used to assign the default username admin to site owners, and most never changed it. admin is therefore the first username attackers try; if your account uses it, they already have half of the login and only need the password.
So do not use admin (or obvious variants such as administrator or your domain name) as a username. If an existing account is called admin, create a new administrator account with a different name, log in with it, delete the old one and attribute its content to the new user when WordPress asks.
6. Obscure Your Administrator Account: Post as a Contributor or Editor
To add articles and posts to your site, you might consider creating an editor or contributor account.
Here is how it works. WordPress automatically creates an author archive for every user who has published content, usually at yoursite.com/author/authorname. The name in that URL defaults to the login name, and the same name is exposed by ?author=1 style redirects and by the REST API's users endpoint.
That hands attackers half of the login in plain text: they know the username and only need to guess the password. So the accounts that are visible on the public site should not be the ones with administrator rights.
7. Log out Idle Users to Prevent Third-Party Fraudulent Activities
Next, log out inactive users after a period of inactivity. You probably know this behavior from online banking. It prevents someone from abusing a session that was left logged in on a shared or public computer, or on a screen that was left unattended.
An attacker who gets hold of an abandoned session can act with that user's permissions, so ending idle sessions matters, and all the more if your site has many users. It is easy to set up with a plugin such as Inactive Logout.
8. Keep WordPress and its components up-to-date to reduce security risks
Sites running outdated code are a risk because known vulnerabilities in them can be exploited. This applies to WordPress core as well as to themes and plugins. Updates are released for good reasons, security fixes among them; according to Wordfence, vulnerable plugins are the number one cause of WordPress site hacks.
You can update manually under Dashboard > Updates. Back up the site first, and ideally apply updates on a staging or development copy before touching the live site.
You can also let WordPress update itself. Since WordPress 5.6 the same screen lets you choose whether to install only minor releases (security and maintenance fixes) automatically or major releases as well.
Auto-installing major releases is the riskier option: a major release can break a theme or plugin without you noticing, so test those manually.
Plugins and themes can be set to auto-update too. For themes, go to Appearance > Themes, click the theme, and use the Enable auto-updates link.
For plugins, the same link appears next to each plugin on the Plugins screen.
Alternatively, a plugin like Easy Updates Manager gives you finer control over these settings, and much of it can also be configured in wp-config.php (for example with the WP_AUTO_UPDATE_CORE constant). Updating WordPress and its components manually remains possible as well.
You should also make a regular check of your plugins to deactivate or delete any that you don’t use anymore.
9. To avoid compromising your site, only use themes and plugins from trusted sources
As established above, unreliable themes and plugins are a major reason WordPress sites get compromised. To reduce this risk, only use extensions from trusted sources.
That means no nulled, torrented or suspiciously "free" premium themes and plugins. Besides cheating developers out of their work, you never know what code is inside them; such packages routinely ship with backdoors, spam injectors or malware, and uploading one hands attackers access to your site. Stick to reputable premium vendors or the WordPress.org theme and plugin directories.
Before installing a theme or plugin, check:
- Its popularity (active installations)
- Ratings and reviews
- Whether it receives regular updates
- Compatibility with your WordPress version
Use plugins and themes that are actively developed and trusted by many other users.
10. For critical insurance, use a backup service or plugin
If you are not backing up your website yet, start right away. If the site is hacked or something else goes wrong, a working backup lets you restore it. Plugins and hosted services can do this for you.
Keep these things in mind:
- Back up both your files and your database. A WordPress site consists of the two together, and you will regret saving only one.
- Establish a routine. Set backups to run automatically at regular intervals; how often depends on how much content changes. A brochure site may need a weekly backup, an active blog a daily one or more.
- Keep backups off-site. Send them to Dropbox, Google Drive or a similar service rather than leaving them on the same server, where they can be infected alongside the site or lost if the server fails.
11. Secure Server Connections to Protect Your Traffic
Part of basic WordPress security is connecting to your server securely. FTP is one of the most common ways to manage files on a server, and it will come up a few more times in this guide.
FTP sends your username, password and files in plain text, so anyone on the path can intercept or tamper with them. Use SFTP instead whenever possible: despite the name it is a file-transfer protocol running over SSH, so everything is encrypted. A good client such as FileZilla supports both; pick SFTP when you set up the connection.
Advanced WordPress Security Techniques
That covers the basics. Next come more advanced methods to protect your website. They require a little more technical comfort but are very doable and go a long way toward keeping your WordPress site out of trouble.
12. Protect the Admin Area from Brute Force Attacks
The dashboard, or back end, is the most sensitive part of your website: whoever holds an administrator account controls everything.
Attackers try to get in with so-called brute force attacks: scripts that automatically try thousands of username and password combinations until one works. Here are some ways to stop that.
a) Modify the Default Administrator and Login URL
By default, the login page is at yourdomain.com/wp-login.php and the dashboard at yourdomain.com/wp-admin. Attackers know this and point their scripts at these addresses.
Moving the login page elsewhere makes most of that automated noise miss, and a plugin like WPS Hide Login makes it simple. Treat it as a convenience, not a defense: anyone who finds the new URL is back to square one, and it does nothing against login attempts routed through XML-RPC, so combine it with the measures below.
b) Limit Login Attempts
Another way to stop these attacks is to limit how many failed logins are allowed before the client address (or the account) is temporarily blocked. Plenty of plugins do this, for example Limit Login Attempts Reloaded.
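What a brute-force attempt looks like from the server side, and why counting failed POSTs per address works, is easier to see with a concrete check. The script below is an added example (not part of the original article or of any plugin): it reads combined-format access log lines, counts POST requests to wp-login.php and xmlrpc.php per client, reports the clients over a threshold and turns the report into Apache 2.4 rules that refuse them. The log lines are constructed for the demonstration and use documentation IP ranges; the threshold and the function names are my choices.

```shell
#!/bin/sh
# Added example: spot WordPress login brute-forcing in a web server access log.
# Assumes the common/combined log format ("IP - - [time] \"METHOD PATH PROTO\" ...").

# Append N log lines for one client; the timestamps are constructed, not real.
log_hits() {  # file ip method path count
  n=0
  while [ "$n" -lt "$5" ]; do
    printf '%s - - [10/Mar/2021:12:%02d:%02d +0000] "%s %s HTTP/1.1" 200 512 "-" "python-requests/2.25"\n' \
      "$2" "$((n / 60))" "$((n % 60))" "$3" "$4" >> "$1"
    n=$((n + 1))
  done
}

# Constructed sample: one client hammering wp-login.php, one using XML-RPC,
# and two legitimate users. Prints the temp file path.
make_sample_log() {
  f=$(mktemp)
  log_hits "$f" 203.0.113.7  POST /wp-login.php 12
  log_hits "$f" 203.0.113.8  POST /xmlrpc.php   6
  log_hits "$f" 198.51.100.4 POST /wp-login.php 2    # a human who mistyped once
  log_hits "$f" 192.0.2.9    GET  /wp-login.php 1    # just loading the form
  printf '%s' "$f"
}

# Print "ip count" for every client with at least <limit> login POSTs, busiest first.
# Only POSTs count: GET /wp-login.php is someone loading the form, not a guess.
wp_login_bruteforce_report() {  # logfile limit
  awk -v limit="$2" '
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] >= limit) printf "%s %d\n", ip, hits[ip] }
  ' "$1" | sort -k2,2nr
}

# Turn a report (on stdin) into an Apache 2.4 block that refuses those clients.
# A plugin such as Limit Login Attempts Reloaded does the equivalent in PHP.
deny_rules_from_report() {
  printf '<FilesMatch "^(wp-login|xmlrpc)\\.php$">\n    <RequireAll>\n        Require all granted\n'
  while read -r ip _count; do
    printf '        Require not ip %s\n' "$ip"
  done
  printf '    </RequireAll>\n</FilesMatch>\n'
}

log=$(make_sample_log)
echo "Clients with 5 or more login POSTs:"
wp_login_bruteforce_report "$log" 5
echo
wp_login_bruteforce_report "$log" 5 | deny_rules_from_report
rm -f "$log"
```

Run it against a real log with `wp_login_bruteforce_report /var/log/apache2/access.log 20`; the GET exclusion and the per-address count are what keep a legitimate user with one typo out of the block list.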
c) Two-Factor Authentication
Two-factor authentication requires users to enter their password and a one-time code generated by a mobile app or another device. Even if attackers crack or steal the password, they cannot log in without the second factor.
WordPress core does not ship with 2FA; a plugin such as Google Authenticator adds it. Enforce it at least for every account with publishing or administrator rights.
d) Password Protect the wp-admin Directory
Another way to fight this risk is to put a second password in front of the entire wp-admin directory at the web-server level. Without that password, attackers never even reach the dashboard.
Password protecting a directory happens server-side. On an Apache server, create a text file named .htaccess (more on that file later) inside wp-admin. It switches on HTTP Basic authentication for the directory, names the protected area (for example "Members Only"), points at the file that holds the allowed usernames and password hashes, and requires a valid user. The last part of the snippet is an exception for admin-ajax.php, which themes and plugins call from the public site, so it must stay reachable or the front end breaks.
Then create the password file, conventionally named .htpasswd, and put the users into it, one per line, in the form username:password-hash. Only the usernames listed there can enter the directory.
The password must be stored as a hash, not in plain text, or the file will not work. Generate the entry locally with Apache's htpasswd tool (bcrypt with the -B option) or with openssl passwd -apr1 rather than pasting your password into an online generator.
Upload the .htpasswd file to the exact path your .htaccess points to, outside the web root if at all possible. Note that wp-login.php sits in the site root, not in wp-admin, so to shield the login form itself add the same authentication for that file in the root .htaccess. NGINX offers the same protection through its auth_basic directives, and a web application firewall can lock the URL and allow only your own address instead.
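As an added example (mine, not code from the original article or from Apache), the script below generates both files described above for Apache 2.4: it hashes the password locally with htpasswd (bcrypt) or, failing that, with openssl (Apache's MD5 variant), writes wp-admin/.htaccess with the admin-ajax.php exception, and prints the matching block for wp-login.php in the root .htaccess. It assumes Apache 2.4 Require syntax and an AllowOverride that permits AuthConfig; the realm name, user name and password are constructed samples.

```shell
#!/bin/sh
# Added example: put HTTP Basic authentication in front of wp-admin on Apache 2.4.
# Assumes Apache 2.4 (Require syntax), AllowOverride AuthConfig for .htaccess, and
# either Apache's htpasswd tool or openssl on the machine where you generate the hash.

# Produce one "user:hash" line for .htpasswd. Prefer bcrypt (htpasswd -B); fall back
# to Apache's MD5 variant via openssl. The password is fed through stdin so it does
# not show up in the process list or the shell history.
htpasswd_entry() {  # user password
  if command -v htpasswd >/dev/null 2>&1; then
    printf '%s\n' "$2" | htpasswd -niB "$1"
  else
    printf '%s:%s\n' "$1" "$(printf '%s' "$2" | openssl passwd -apr1 -stdin)"
  fi
}

# Write wp-admin/.htaccess plus the password file. The password file belongs
# outside the web root; it is written where you say and locked to mode 600.
write_admin_auth() {  # wp_root passwd_file user password
  root=$1; pwfile=$2
  htpasswd_entry "$3" "$4" >"$pwfile"
  chmod 600 "$pwfile"
  cat >"$root/wp-admin/.htaccess" <<EOF
# Second login in front of the WordPress dashboard (added by write_admin_auth)
AuthType Basic
AuthName "Members Only"
AuthUserFile $pwfile
Require valid-user

# Themes and plugins call admin-ajax.php from the public site; keep it open
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# wp-login.php lives in the site root, not in wp-admin, so protecting the directory
# alone leaves the login form reachable. This snippet for the root .htaccess
# (outside the # BEGIN/END WordPress markers) closes that gap with the same file.
login_auth_snippet() {  # passwd_file
  cat <<EOF
<Files wp-login.php>
    AuthType Basic
    AuthName "Members Only"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# Demonstration on a scratch directory (user and password are constructed samples).
if command -v htpasswd >/dev/null 2>&1 || command -v openssl >/dev/null 2>&1; then
  site=$(mktemp -d); mkdir "$site/wp-admin"
  write_admin_auth "$site" "$site/.htpasswd" alice 'correct horse battery staple'
  cat "$site/wp-admin/.htaccess"; echo; cat "$site/.htpasswd"; echo
  login_auth_snippet "$site/.htpasswd"
  rm -rf "$site"
else
  echo "neither htpasswd nor openssl found; cannot hash a password" >&2
fi
```

On a real server pass the site root, a password file path outside it (for example /var/www/.htpasswd rather than anything under /var/www/html), and your own user name; the generated .htaccess references that path verbatim, so the file must end up exactly there.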
13. Protect your files: Disable the WordPress Theme Editor and Plugin Editor
By default, WordPress lets administrators edit theme and plugin files right in the dashboard, under Appearance > Theme Editor and Plugins > Plugin Editor.
This is handy when you just need to add one line of code quickly. But it also means that anyone who gets into an administrator account can drop arbitrary PHP into your site with a few clicks, which is exactly what attackers do with a stolen login.
Disable the editor by defining the DISALLOW_FILE_EDIT constant as true in wp-config.php, above the line that reads "That's all, stop editing! Happy publishing." (older versions say "Happy blogging").
What to do instead? Download the files via SFTP, edit them locally and upload them again. Better yet, test every change on a local development site and upload only once you are sure it works.
14. To protect data on your server, check and change the file permission levels
Different permission levels are available for files and folders located in the WordPress directory. There are three types of permissions: execute, read and write. These permissions determine who can access files and whether they can make changes to, delete, or run them. The same applies to directories.
If the permissions are not correct, they can allow people to access files that they shouldn’t have access to. This could be used to take down your website. However, permissions that are too restrictive can cause some functionality to be disabled.
This can be checked and changed with an FTP client. FileZilla, for example, has the Permissions column right in its user interface.
It is easy to change them by right-clicking on a file or directory and selecting File permissions… Next, enter the correct numeric value (see below), and click OK.
In cPanel's File Manager the same can be done via the Permissions column and the Change Permissions dialog. As for the right values, the WordPress documentation recommends:
- All directories 755 (or 750 if the web server runs in your group)
- All files 644 (or 640)
- wp-config.php 600 (or 640 where PHP runs as a separate user in your group), because it holds your database credentials
Some hosts deviate from this; if anything breaks after the change, ask your provider which values their setup expects.
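Checking permissions file by file in an FTP client is tedious on a tree of thousands of files. The script below is an added example, not part of the original article, that audits a WordPress tree against the values above with POSIX find, repairs any deviation, and demonstrates both on a constructed directory tree. Its choice of 755/644 and 600 for wp-config.php follows the list above and assumes the files are owned by the account PHP runs as; the function names are mine.

```shell
#!/bin/sh
# Added example: audit and repair WordPress file permissions from the shell.
# Uses only POSIX find/chmod (plus the widely supported -maxdepth), so it works
# over SSH on Linux and BSD hosts alike. Assumes files are owned by the account
# that PHP runs as; if PHP runs as a separate user in your group, the 750/640
# alternatives accepted below are the ones to apply instead.

# Print every path whose mode is not one of the recommended values. Prints nothing
# when the tree is clean; the exit status is always 0 so it is safe under set -e.
audit_wp_perms() {  # wp_root
  root=$1
  # directories: 755 (or 750)
  find "$root" -type d ! -perm 755 ! -perm 750
  # regular files: 644 (or 640); wp-config.php is checked separately
  find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640
  # wp-config.php holds database credentials: 600 (or 640)
  find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 ! -perm 640
  return 0
}

# Apply the recommended modes (the 755/644/600 variants).
fix_wp_perms() {  # wp_root
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
  return 0
}

# Constructed sample tree with three mistakes commonly found on hacked sites:
# a world-writable uploads directory, a world-writable core file and a
# world-readable wp-config.php. Prints the path.
make_sample_site() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
  printf "<?php define( 'DB_PASSWORD', 'sample' );\n" >"$d/wp-config.php"
  printf '<?php // core file\n' >"$d/wp-includes/version.php"
  printf 'GIF89a sample\n' >"$d/wp-content/uploads/logo.gif"
  chmod 755 "$d"                        # mktemp -d creates the root as 700
  chmod 777 "$d/wp-content/uploads"
  chmod 666 "$d/wp-includes/version.php"
  chmod 644 "$d/wp-config.php"
  printf '%s' "$d"
}

site=$(make_sample_site)
echo "Before:"; audit_wp_perms "$site"
fix_wp_perms "$site"
echo "After (nothing listed means clean):"; audit_wp_perms "$site"
rm -rf "$site"
```

Run the audit first and read the list before fixing anything: a plugin that needs a writable cache directory will show up there too, and you may want to keep it at 775 rather than have the script set it to 755.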
15. Secure Site Traffic with HTTPS and SSL
HTTPS (Hypertext Transfer Protocol Secure) lets a visitor's browser establish an encrypted connection to your hosting server, and thus to your site, so that nothing exchanged between them can be read or altered in transit.
A certificate is mandatory for e-commerce sites and anything that handles payment data, but it matters for ordinary blogs too: without it, every login sends the username and password across the network in plain text, where they can be intercepted. That is especially relevant if many people log in to your site. The US government, for one, is moving all of its websites to HTTPS.
Encrypting your traffic also helps your search ranking, and Google Chrome marks every site that is not on HTTPS as "Not secure" in the address bar.
HTTPS can also make your site faster, because browsers only speak HTTP/2 over encrypted connections. You can test the difference yourself.
Certificates used to be expensive to buy and fiddly to install. Today there is Let's Encrypt, a project backed by Mozilla, Facebook, Google Chrome, Automattic and others, which issues free certificates to anyone. (Strictly speaking the protocol is TLS these days, though everyone still says SSL.)
Ask your hosting provider about it. Even if they do not offer Let's Encrypt, they can usually help you obtain a certificate or point you to someone who can. Our detailed guide on moving a WordPress site to HTTPS covers the rest.
16. Disable XML-RPC and Close Other Unneeded Entry Points
XML-RPC lets your site talk to the WordPress mobile apps and to plugins such as Jetpack. It is also a favorite of attackers: its system.multicall method bundles many calls into one HTTP request, so instead of guessing one password per request they can test hundreds of passwords at once and slip past simple rate limits.
Some plugins need XML-RPC to work. To see whether it is active on your site, open yoursite.com/xmlrpc.php in a browser: an active endpoint replies "XML-RPC server accepts POST requests only", a disabled one returns an error page or a 403.
If nothing you use depends on it, close the loophole. A plugin like Disable XML-RPC-API does it, or you can block xmlrpc.php at the web-server level by adding a rule to your .htaccess file (more on that below).
In the classic Apache 2.2 form of that rule, the line reading allow from XXX.XXX.XXX.XXX is optional: it keeps XML-RPC reachable for one specific IP address that needs it, for example your own static address or a service like Jetpack. Delete it if you do not need it.
17. To Take Advantage Of Security Updates, Make Sure You Use the Most Current Version of PHP
PHP is the language WordPress is written in, so it runs on every WordPress site. Like WordPress, it is under constant development, and new versions bring performance improvements as well as security fixes.
Always run a supported PHP version. Each release gets two years of active support followed by one year of security fixes only; as of this writing the supported versions are 8.0, 7.4 and 7.3 (the last one security fixes only). Unfortunately only a little more than half of all WordPress sites follow that advice.
Not great, but it has improved in recent years.
How do you update? Hosts usually offer a PHP version switch in their control panel.
Test for compatibility first: try the new version on a staging copy and make sure your theme and all plugins still work before switching the live site.
18. Protect wp-config.php, One of Your Most Vital Files
wp-config.php controls a lot of important functionality on your site, not least the connection to your database, and it holds the credentials for that database in plain text. If it is exposed, your entire site is. Time to protect it.
a) Move it to a Directory the Web Server Does Not Serve
Move the file out of the web root so it cannot be requested through a browser. The simplest option is one level up: if your site lives in /var/www/html, move wp-config.php to /var/www. WordPress automatically looks one directory above its root for the file, so nothing else needs to change, as long as that directory is not itself served to the web (on shared hosting, check with your host).
To place it somewhere else, copy it there and replace the original wp-config.php with a stub that does nothing but require the real file from its new location (adjust the path to yours).
b) Modify Your WordPress Security Keys
WordPress security keys and salts are secret values that WordPress mixes into the hashes that sign users' authentication cookies, so that cookies cannot be forged or reused. They live in
wp-config.php as a block of eight define lines (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four matching salts).
They are generated randomly at installation. Generate a fresh set if you have moved the site, if someone else has had access to the file, or if you suspect the old values leaked. The WordPress.org secret-key service (the salts generator) hands you a new random set; note that rotating the keys invalidates every existing session, so all users are logged out and have to sign in again.
Paste the new keys over the old ones in wp-config.php and save.
c) Verify File Permissions
As mentioned earlier, to keep it safe
wp-config.php should have a permission level of 600. Now is a good moment to verify that, following the steps above.
19. The WordPress File Integrity Test alerts you when your site has been compromised
A file integrity check compares the files on your site against a known-good baseline and tells you when anything has changed or appeared that should not be there. Malware almost always modifies existing files or drops new ones, so this is one of the most reliable ways to notice a compromise.
Website File Changes Monitor is a WordPress security plugin that checks your files against the originals and emails you when it detects modifications or files that do not belong. That lets you catch intrusions early and find malware, backdoors and infected files.
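To show what a file-integrity check actually does, here is an added example (mine, not the plugin's code or the article's): it records a SHA-256 baseline of every file under the site root, then compares the live tree against it and reports modified, added and removed files. It assumes sha256sum or shasum is available and that file names contain no spaces; the sample tree and the simulated tampering are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal file-integrity check for a WordPress tree, the same idea
# a file-change monitor plugin implements, done with find and SHA-256 from the shell.
# Assumes sha256sum (GNU coreutils) or shasum (Perl; present on macOS/BSD) and that
# file names contain no spaces or newlines. Keep the baseline file OUTSIDE the web
# root, or an intruder can simply regenerate it after planting a backdoor.

sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo 'shasum -a 256'; fi
}

# Hash every regular file below wp_root and write "hash  ./relative/path" lines,
# sorted by path so two baselines can be diffed directly.
integrity_baseline() {  # wp_root baseline_file
  ( cd "$1" && find . -type f -exec $(sha256_cmd) {} + | sort -k 2 ) >"$2"
}

# Compare the current tree against a baseline and report what changed:
# MODIFIED (same path, different hash), ADDED (not in baseline), REMOVED.
integrity_check() {  # wp_root baseline_file
  now=$(mktemp)
  integrity_baseline "$1" "$now"
  awk '
    FILENAME == ARGV[1] { old[$2] = $1; next }   # first file: the baseline
    {
      if (!($2 in old))        printf "%-9s %s\n", "ADDED", $2
      else if (old[$2] != $1)  printf "%-9s %s\n", "MODIFIED", $2
      delete old[$2]
    }
    END { for (p in old) printf "%-9s %s\n", "REMOVED", p }
  ' "$2" "$now"
  rm -f "$now"
}

# Constructed demo: take a baseline, then simulate what malware typically does.
site=$(mktemp -d); mkdir -p "$site/wp-includes" "$site/wp-content/uploads"
printf '<?php // front controller\n' >"$site/index.php"
printf '<?php // core loader\n'      >"$site/wp-includes/load.php"
printf 'GIF89a\n'                    >"$site/wp-content/uploads/photo.gif"
base=$(mktemp)
integrity_baseline "$site" "$base"

printf '<?php // injected line\n'  >>"$site/index.php"                    # tampered
printf '<?php // dropped file\n'    >"$site/wp-content/uploads/wp-cache.php"  # added
rm "$site/wp-includes/load.php"                                             # removed

integrity_check "$site" "$base"
rm -rf "$site" "$base"
```

Take the baseline right after a clean install or update and again after every legitimate change; a daily cron job running integrity_check against it, with the output mailed to you, gives you the alert the plugin provides.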
20. Find Weak Links Early With Activity Logging
Activity logging complements the above. A plugin like WP Activity Log records what users do on your site: logins, content changes, setting changes and so on.
With that record you can find out who caused a particular problem, spot other users taking actions that put the site at risk, and reconstruct what an intruder did if someone does get in.
Technical WordPress Security Measures
Let's move on to the last part of our WordPress security guide, with some more involved ways to protect your website. They look technical, but do not let that scare you: all of it is doable.
21. Use .htaccess to Further Lock Down Your Site
.htaccess is a bit of a tricky file because it is hidden by default (as are all files whose name starts with a period). If you cannot see it on your server, it is most likely just hidden.
Showing it is simple: your FTP client has an option for it. In FileZilla it is under Server > Force showing hidden files; in cPanel's File Manager, enable Show Hidden Files in the settings.
Once it is visible, download .htaccess and edit it. Place all the code below outside the # BEGIN WordPress and # END WordPress markers, because WordPress rewrites everything between them and would overwrite your changes.
a) Protect Your .htaccess and wp-config.php Files
.htaccess and wp-config.php are the most important files in your WordPress installation, so make sure nobody can fetch them over the web. A Files block for each name that denies all requests does that (in Apache 2.4 syntax, Require all denied).
b) Limit Access to wp-login.php to Your Own IP
You can also add a rule that allows only a designated IP address to reach the login page and blocks everyone else. Fill in your own address before uploading or you will lock yourself out, and only do this if your address is static (or you connect through a VPN with a fixed exit), since a home connection's IP changes.
The same trick can protect wp-admin instead of password protecting it; in that case the rule goes into a .htaccess file inside the wp-admin folder. Remember the admin-ajax.php exception mentioned above.
c) Disable Directory Indexing and Browsing
If a directory contains no index file, the web server lists its contents by default. That lets anyone browse your folder structure and spot, say, a vulnerable plugin version or a forgotten backup file. Prevent it by adding the Options -Indexes directive to your .htaccess.
d) Disable PHP Execution in Directories That Do Not Need It
WordPress runs on PHP, so the web server must be able to execute PHP files. Attackers abuse that by uploading a PHP backdoor into a writable folder and then calling it in the browser. Take that ability away where it is not needed, above all in wp-content/uploads: create a new .htaccess file in that directory (a plain text file with that name) and add a rule that denies requests for any .php file. Do not put such a rule in wp-admin or the site root, or WordPress itself stops working.
22. Disable Error Reporting and Keep Confidential Information Safe
Error reporting is useful for troubleshooting: it shows which plugin or theme is causing a problem on your WordPress site.
But a PHP error message also reveals the full server path of the file that failed, and sometimes database details, which gives attackers a head start in finding weaknesses. Turn error display off on the live site by setting WP_DEBUG and WP_DEBUG_DISPLAY to false in wp-config.php and disabling display_errors; keep it on only in development.
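Tips 13, 18b and 22 all amount to edits in wp-config.php, and doing them by hand on several sites invites typos. The script below is an added example, not code from the original article or from WordPress, that performs all three in one idempotent pass: it replaces the eight key and salt values with fresh random ones generated locally (instead of fetching them from WordPress.org), adds DISALLOW_FILE_EDIT, and switches off error display, inserting each line above the stop-editing marker only if it is not already present. It assumes the stock wp-config.php layout; the sample file is a constructed stand-in and the function names are mine.

```shell
#!/bin/sh
# Added example: harden wp-config.php from the shell in one idempotent pass:
# fresh security keys and salts, DISALLOW_FILE_EDIT, and no PHP error output.
# Assumes the stock layout (define( 'AUTH_KEY', '...' ); lines and the
# "That's all, stop editing!" marker). Back the file up first; the sample below
# is a constructed stand-in for a real wp-config.php.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random printable characters from /dev/urandom. Quotes, backslash, '&', '|'
# and '/' are excluded so the value is safe inside a PHP single-quoted string
# and inside the sed replacement below.
random_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^*()_=+,.?~-' </dev/urandom | head -c 64
}

# Replace the value of each of the eight keys with a new random one.
rotate_salts() {  # wp-config.php
  for k in $WP_KEYS; do
    v=$(random_salt)
    sed "s|define( *'$k', *'[^']*' *);|define( '$k', '$v' );|" "$1" >"$1.tmp" && mv "$1.tmp" "$1"
  done
}

# Insert a line above the stop-editing marker unless the file already contains
# the given pattern, so running this twice never duplicates a define.
insert_once() {  # wp-config.php grep_pattern line
  if grep -q -- "$2" "$1"; then return 0; fi
  awk -v line="$3" '
    /That.s all, stop editing/ && !done { print line; done = 1 }
    { print }
  ' "$1" >"$1.tmp" && mv "$1.tmp" "$1"
}

harden_wp_config() {  # wp-config.php
  rotate_salts "$1"
  insert_once "$1" "'DISALLOW_FILE_EDIT'" "define( 'DISALLOW_FILE_EDIT', true );  // no theme/plugin editor in the dashboard"
  insert_once "$1" "'WP_DEBUG'"           "define( 'WP_DEBUG', false );"
  insert_once "$1" "'WP_DEBUG_DISPLAY'"   "define( 'WP_DEBUG_DISPLAY', false );"
  insert_once "$1" "display_errors"       "@ini_set( 'display_errors', 0 );  // never show errors (and file paths) to visitors"
}

# Constructed sample with the placeholder salts WordPress ships.
make_sample_wp_config() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
  printf '%s' "$f"
}

cfg=$(make_sample_wp_config)
harden_wp_config "$cfg"
cat "$cfg"
rm -f "$cfg"
```

Rotating the salts logs every user out, so run harden_wp_config on a live site at a quiet moment; the error-display lines are deliberately placed as defines plus an ini_set, because with WP_DEBUG off WordPress leaves display_errors to php.ini and a permissive php.ini would still print paths to visitors.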
23. Remove the WordPress Version Number to Stop Broadcasting Vulnerabilities
Look at your website's source code and you can usually tell which version of WordPress it runs from the generator meta tag and the version query strings on scripts and styles.
Since every WordPress release has a public changelog listing the bugs and security holes it fixed, an attacker can read off which unpatched flaws an outdated site still has. That is not information you want to broadcast.
Removing the version string is easy: hook the the_generator filter in your theme's
functions.php and return an empty string, which covers both the page source and the RSS feed. Better still, put that hook in a small site-specific plugin or child theme, so a theme update does not wipe it out. Keep in mind that this is hygiene, not protection: readme.html and fingerprinting tools still reveal the version, and the real fix is to stay updated.
24. HTTP Security Headers Fix Browser Weak Spots
Security headers are another way to protect your WordPress website. They are HTTP response headers that tell browsers how to behave when interacting with your site, and the browser's developer tools (the Network tab) show which ones your site currently sends.
Alternatively, an online header scanner will list them for you and grade the result.
They are typically set at the server level to reduce the impact of common attacks. On Apache you can add them yourself in
.htaccess (with mod_headers enabled) to protect your visitors' browsers from some classes of attack.
Be aware that headers set here do not automatically cover subdomains with their own configuration; if you have subdomains, add the headers there as well (and HSTS with includeSubDomains affects all of them at once). If you prefer not to edit .htaccess by hand, a plugin like Security Headers can set them. Either way, test the result with the tools above after every change.
Prevent Cross-Site Scripting Attacks
Cross-site scripting happens when attackers inject malicious code into a page so that visitors' browsers execute it. A Content-Security-Policy header restricts where scripts, styles and other resources may be loaded from, so injected or unauthorized content does not run. It has to be tuned to your theme and plugins, so roll it out in Report-Only mode first.
Thwart Iframe Clickjacking
To stop other sites from rendering your pages inside a frame, send an X-Frame-Options header (SAMEORIGIN) or, within CSP, the frame-ancestors directive. This prevents clickjacking.
Enable X-Content-Type-Options (X-XSS-Protection Is Obsolete)
X-Content-Type-Options: nosniff tells the browser to trust the Content-Type your server sends instead of guessing, so a file uploaded as an image cannot be reinterpreted and executed as a script. X-XSS-Protection, which older guides list alongside it, is ignored or removed in current browsers; CSP is the replacement.
To make browsers use HTTPS only, add a Strict-Transport-Security header. We have already discussed how encryption protects data; your site must already work fully over HTTPS before you add this, because the header makes browsers refuse plain HTTP for the period you specify. Start with a short max-age and increase it once you are sure.
Finally, make sure cookies carry the HttpOnly flag (scripts on the page cannot read them) and the Secure flag (the browser only sends them over HTTPS). WordPress sets both on its own authentication cookies when the site runs on HTTPS; a header rule can add them to cookies set by plugins that forget.
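Tips 16, 21 and 24 all come down to lines in .htaccess, and the allow from line quoted under tip 16 is Apache 2.2 syntax. The script below is an added example (mine, not the article's or Apache's code) that writes all of them in Apache 2.4 syntax: it appends the file-protection, directory-listing, XML-RPC, login-IP and header rules to the site-root .htaccess outside the WordPress markers, and drops a no-PHP rule into wp-content/uploads. It assumes Apache 2.4 with mod_headers loaded and an AllowOverride that permits these directives; the function names, the marker comment and the documentation-range IP addresses are my choices.

```shell
#!/bin/sh
# Added example: generate the .htaccess hardening from tips 16, 21 and 24 in
# Apache 2.4 syntax (Require ..., not the 2.2 Order/Deny/allow from lines).
# Assumes mod_headers is loaded and AllowOverride permits these directives.
# Test on a staging copy first: a wrong .htaccess is a 500 error for the whole site.

# Rules for the site-root .htaccess. $1: optional IP allowed to reach wp-login.php
# (leave empty unless your address is static). $2: optional IP allowed to use
# XML-RPC (e.g. your own); empty means deny xmlrpc.php outright.
htaccess_root_rules() {  # [login_ip] [xmlrpc_ip]
  cat <<'EOF'
# --- wp-hardening: keep outside the # BEGIN/END WordPress markers ---
# Never serve configuration, auth files or version hints over HTTP
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# No directory listings where an index file is missing
Options -Indexes

# Security headers. The legacy XSS filter header is left out on purpose (current
# browsers ignore it); a full Content-Security-Policy must be tuned per site,
# so only frame-ancestors is set here.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
    # HSTS: only once everything works over HTTPS; start with a short max-age
    Header always set Strict-Transport-Security "max-age=300; includeSubDomains"
    # Add HttpOnly/Secure to cookies that lack them (WordPress flags its own already)
    Header edit Set-Cookie "^((?!.*; *HttpOnly).*)$" "$1; HttpOnly"
    Header edit Set-Cookie "^((?!.*; *Secure).*)$" "$1; Secure"
</IfModule>

# XML-RPC: system.multicall turns one request into hundreds of password guesses
<Files xmlrpc.php>
EOF
  if [ -n "$2" ]; then printf '    Require ip %s\n' "$2"; else printf '    Require all denied\n'; fi
  printf '</Files>\n'
  if [ -n "$1" ]; then
    printf '\n# Login page reachable from one fixed address only\n<Files wp-login.php>\n    Require ip %s\n</Files>\n' "$1"
  fi
}

# For wp-content/uploads (never for wp-admin or the root): the web server must not
# execute anything an upload form managed to place here.
htaccess_no_php() {
  cat <<'EOF'
# wp-hardening: uploads are data, not code
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
}

# Append the rules to an existing root .htaccess (preserving the WordPress block)
# and drop the no-PHP file into uploads. Idempotent: skips if already applied.
write_htaccess_hardening() {  # wp_root [login_ip] [xmlrpc_ip]
  root=$1
  if ! grep -qs 'wp-hardening' "$root/.htaccess"; then
    htaccess_root_rules "$2" "$3" >>"$root/.htaccess"
  fi
  mkdir -p "$root/wp-content/uploads"
  htaccess_no_php >"$root/wp-content/uploads/.htaccess"
}

# Demo on a scratch copy with a typical WordPress-generated .htaccess.
site=$(mktemp -d)
printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' >"$site/.htaccess"
write_htaccess_hardening "$site" 203.0.113.10 ""
cat "$site/.htaccess"
rm -rf "$site"
```

After applying it to a real site, load the front end, the dashboard and an admin-ajax.php-driven feature once each, then re-scan the headers; if Jetpack or the mobile app stops working, pass the address that needs XML-RPC as the third argument instead of denying it outright.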
25. You can use a Firewall to stop attacks before they begin
The last two tips in this WordPress security guide concern premium options. One of them is a web application firewall (WAF), an extra layer of protection that filters traffic before it ever reaches your site.
A firewall brings several benefits. You can write rules governing who may access your site, it monitors and manages incoming traffic, and it can block individual IP addresses, users, or even entire countries that have attacked your site or appear on a blocklist.
A firewall in front of your site can also absorb DDoS attacks, so the malicious traffic never hits your web server and cannot slow it down.
Some security plugins include a basic firewall (see below). For the full benefit, paid services are worth it: as with hosting, you get what you pay for. Sucuri and Cloudflare are the gold standards in this area.
26. Ease the Burden By Installing a WordPress Security Plugin
Our final tip for securing WordPress is a security plugin. Many all-in-one security plugins automate a good part of the tasks covered in this guide and alert you to weaknesses in your setup. Features differ from plugin to plugin, so do your research before picking the right one for you.
WordPress Website Security: Last Words
WordPress is a powerful and popular CMS that makes it easy for anyone to create a website. It’s also a popular target for hackers because of its popularity.
There are many steps you can take to protect your WordPress website. You don’t need to do everything mentioned. You will be well ahead of the game if you follow the best practices.
Then, do what you feel comfortable doing. Security is an ongoing process and not a one-and-done deal. There are many things you can do, but the most important thing to do is get started.