11 Steps To Secure Your WordPress Website

Security tips to make your WordPress installation bulletproof!

How to secure a WordPress website

Security is one of the most critical issues in online fraternity. For keeping the website up and running, you have to safeguard your website from security vulnerabilities. This includes taking up the precautionary actions like setting file permissions, generating strong password, disabling file editing in WordPress admin area and monitoring the installation files and website interface on the regular basis. Besides these common activities there are several other ways through which you can discourage hackers from tampering the security system of your website. Here are 11 valuable tips to help you keep the WordPress installation soundproof and bulletproof.

1. Be Careful With Plugins

WordPress plugins are an efficient way of customizing and extending the functionality offered by WordPress. But, relying heavily on the plugins for extensibility can result in serious security loopholes. Plugins are an easy way for hackers to penetrate your WP installation. Therefore, from security point of view, being a little more careful with plugins can help you keep away from the security vulnerabilities.

  • Use Plugins Sparingly: Avoid using the plugins, at first place. In fact make it a habit to make changes to functions.php. It allows you better control over the functionality while maintaining safety against malicious / broken / out-of-date plugins. Prefer to install plugins only when the functionality you are seeking is tricky and beyond your coding abilities.
  • Regularly Update The Plugins: Update the plugins as and when the developer releases a new version. There is a probability of hackers and malicious code making way through the vulnerabilities of out-of-date plugins.
  • Hide Plugins Info: Safeguard your plugins by creating an empty wp-content/plugin/index.html file. This helps you in hiding the information about the plugins installed in your WordPress directory.
  • Cross Check The Credibility Of Plugins: Ensure and cross-check the credibility of the plugins demanding write access to WordPress files and directories at WordPress Support Forum.
  • Discard Unused Plugins: Remove the plugins that are not in use currently. You can perhaps, re-install and configure the plugins as and when required.

2. Secure WordPress Directory Tree

The aim behind securing WordPress directory tree is to restrict public access to sensitive files and folders. You can secure the installation directory through following settings:

  • Setting Folder Permissions: From a security perspective, lock down your file permissions as much as possible. All files should be owned by your user account and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the webserver. Make sure that the permission for all the files is set to 644 and that of folders to 755 to ensure that the files are writable by user account only. And if you are on a shared-server the permissions of your wp-config.php should be 750.
  • Securing wp-admin: Implement second layer of protection by adding server-side password protection to /wp-admin/. This “2nd layer” password protection requires an HTTPS SSL encrypted connection for your /wp-admin/directory, so that all communications and sensitive data is encrypted.
  • Use IP Lock On wp-admin Directory: Add the following lines of code in .htaccess (a hidden file) file in your wp-admin directory.
    AuthUserFile /dev/null
    AuthGroupFile /dev/null
    AuthName "Access Control"
    AuthType Basic
    order deny, allow
    deny from all
    #IP whitelist
    allow from
    allow from

    Replace the IP addresses with your specific IPs.

    Only the users with the IP addresses mentioned in .htaccess will be allowed access to wp-admin folder.

  • Move wp-content Directory: Like the configuration file, you can also move wp-content directory to another location. When you do so, you will have to define the structure in configuration file to identify the new location:
    define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content');
  • Securing wp-config.php: In order to secure the configuration file, you can move the wp-config.php file to the directory above your WordPress install (wp-config.php can be stored one directory level above the WordPress; where wp-includes resides). This means for a site installed in the root of your web-space, you can store wp-config.php outside the web-root folder; so that only you and the web server can read the file.

3. Don’t Use Default Settings

To ease the installation process, WordPress makes default settings which are uniform across systems, like admin username and MySQL database table prefix wp_. Owing to the public exposure of these settings, it becomes fairly simple for the hackers to break the security. Therefore, act upon the default settings, by

  • Changing Default Username: The default username for WordPress administrator is admin. Using the same account for running the operations can pose a serious threat as half of the puzzle (the username) is already solved for the hacker. You can either change the username via MySQL update command: UPDATE wp_users SET user_login = 'username' WHERE user_login = 'admin' or by creating new account with administrator rights and deleting the admin account created by WordPress.
  • Setting Custom Table Prefix: The default prefix for the database tables is set to wp_ during installation. Carefully, change the prefix at the time of installation itself otherwise you will have to change the prefix in wp-config.php and manually update the prefix for all the tables in the database.
  • Removing WordPress References: The source code for WordPress reveals the version info, specified in the head tag. If you are using the older versions, the hackers being aware of the vulnerabilities in older versions tend to tamper the WordPress installation. Hide the WordPress version number by removing the information from header.php (by inserting the following line of code in your theme’s functions.php):
    function remove_version_from_head() {
    return '';
    add_filter('the_generator', 'remove_version_from_head');

Website Security & Protection: How to Secure a Website

4. Strong Password

In the course of using password-protection, having a strong password requires special mention. Use the combinations of numbers and capital letters to generate secure passwords. Ideally, a secure password is at least 8 characters long and contains one or more capital letter, lower case letter, special character (*&$#), and number. You can even use password generators to arrive at password which is difficult for bots and hackers to crack. Additionally update WordPress salts and security keys on a regular basis for added security of WordPress login screen.

5. Regular Back-ups

Back-ups are an effective way of securing the installation files and database against probable damages like broken files, malicious code and and various types of malware attacks. Regular back-ups and periodic screenshots of the website helps in monitoring the website over time and also enable the website owners to re-build the website and revert the damages done to files.

6. Keep Up To Date With WordPress

WordPress developers release new versions and updates to fix the problems and security issues with the older versions. In order to keep your WordPress safe and secure, make sure you update the WordPress installation files, themes and plugins (as older versions are more open to attacks) whenever new versions for the same are released.

7. Choosing / Upgrading (To) A Reliable Web Host

Choosing a reliable web-host is a part and parcel of securing the sensitive data you are handing over to the host. The web host should take up the responsibility of ensuring secure, stable versions of your web server, database, scripting interpreter and that of using secure network connection. Particularly, your host should be making sure that their network is not poisoned by hackers.

8. Install Security Plugins

To make the task further easier for you, WordPress developers offer certain security plugins designed to scan security vulnerabilities or for strengthening the login procedure. Malcure Malware Scanner, Limit Login Attempts, BulletProof Security, Wordfence, NinjaFirewall, Activity log, etc. are some of the most popular plugins in this category. Also see:

Best Security Plugins to Safeguard Your WordPress Installation

9. Strengthen Login Procedure

One way to restrict the hackers from entering the WordPress admin panel is to strengthen the login procedure for your WordPress installation. Implementing the following techniques can help prevent third party intrusion.

  • Restrict the number of attempts for users to login. A plugin named Login Lock Down helps you in achieving the desired functionality where you can set the number of attempts or chances given to the user to login.
  • In case you are running a multi-user WordPress blog, it is better to specify the role for each user and accordingly set the access privileges.
  • To ensure that you always use a secure connection while logging to the server and administering the website, add the following line of code to wp-config.php.
    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);
    This will enforce the use secure encrypted connection between you and server.

10. Use Secret Keys

A secret key makes your site harder to hack and access harder to crack by adding random elements to the password. In simple terms, a secret key is a password with elements that make it harder to generate enough options to break through your security barriers. A password like “password” or “test” is simple and easily broken. A random, unpredictable password such as “88a7da62429ba6ad3cb3c76a09641fc” takes years to come up with the right combination. Learn more about secret keys here.

11. Monitoring

Following the above mentioned activities are a part of precautionary practices, while monitoring the logs (including WordPress debug log) and changes in files frequently helps you in detecting the intrusion attempts. One of the tool mentioned by WordPress in this regard is OSSEC (Open Source Host-based Intrusion Detection System). It performs log analysis, file integrity checking, policy monitoring, rootkit detection and alerts you about the issues as they occur.

Need help with securing your WordPress website? Our WordPress security hardening service helps protecting and securing your website from the bad guys.

See Also:

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, he transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based-automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse-proxies, developing web-application-firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting-services she offers in the domain of web-security.