WordPress powers about 43% of all websites on the Internet. That popularity makes it a favourite target: attackers scan for WordPress installs at scale and exploit whatever WordPress security vulnerabilities they find.
Unfortunately, there are many WordPress vulnerabilities. According to WPScan (a WordPress vulnerability database), over 38,000 known WordPress vulnerabilities exist, most of them in plug-ins and themes rather than in WordPress core. Insecure web hosting, weak passwords, and unprotected access to the WordPress admin area are among the top reasons WordPress websites get hacked. Plug-ins are the other main source of vulnerabilities.
Key takeaways:
- Basic steps necessary for keeping your WordPress blog secure
- Intermediate steps you can take to harden your WordPress blog
- Advanced security strategies for securing your WordPress site
When it comes to WordPress security, most people make the same common mistakes:
- Using “admin” as their username
- Having an easy-to-guess password
- Using the same password for every other site
And finally, a good majority of people completely ignore updates – be it for WordPress core, themes, or plug-ins. This leads to many problems down the road and many headaches for you as the website owner.
21 Ways To Secure Your WordPress Site
With an average of 30,000 new websites hacked every day, you should take steps to secure your WordPress site immediately. See how you can make sure your website is safe, hardened, and secure — a must for every WordPress website owner.
1. Make sure your username is not admin
To this day, plenty of people still use admin as their username, and it is the first username every brute-force script tries. If you are still using it, it’s not too late to change it.
Log in to your WordPress dashboard and go to Users > Add New to create a new user. Choose a username that is not obvious (not your first name/last name combination and not the site’s name), and fill out the rest of the details.
Use a different email address than the one on your original admin account, and set the role to Administrator.
Log out, log back in with the new account, then go to Users > All Users and delete the old admin account. When WordPress asks what to do with its content, attribute all posts to the new user rather than deleting them. Bear in mind that a username is not a secret: WordPress reveals it through author archives (/?author=1 redirects to /author/<username>/) and through the REST API (/wp-json/wp/v2/users lists every user who has published), so this step removes an easy guess but never replaces a strong password and 2FA.
2. Use an editor account
Speaking of admin accounts, many people make the mistake of publishing their blog posts from an administrator account. The author archive URL and the REST API expose the username of whoever publishes, so an attacker learns the login name of the account that already holds the highest privilege.
Now all they need is to guess your password, and when they do, you have handed them the site on a silver platter.
An admin account is not needed to publish blog posts. Create a separate user with the Editor (or Author) role for day-to-day writing and keep the administrator account for administration only.
3. Choose a strong password
Every year, SplashData compiles a list of the most common passwords. And every year, the same three ones appear as the most commonly used (and very insecure) passwords: they are 123456, password, and 12345678.
Eight characters is a bare minimum, not a target: a random password of 12 characters or more, or a passphrase of several unrelated words, holds up far better against offline cracking. Mix lowercase and uppercase letters with numbers and special characters, and never reuse the password on another site.
You can use a strong password generator to create one for you and if you fear you won’t be able to remember it, then opting for a password manager such as LastPass or Dashlane is a wise decision.
4. Enable two-factor authentication
Two-factor authentication (2FA) adds a second check to the WordPress login so that a guessed, leaked or reused password is no longer enough on its own; it shuts down brute-force and credential-stuffing attacks. It is not a complete answer to phishing, since a one-time code typed into a fake login page can be relayed in real time, so for accounts that matter prefer a hardware key or passkey (WebAuthn) where your plug-in supports it.
In practice you log in with your username and password plus a one-time code, usually generated by an authenticator app on your phone (TOTP) rather than sent to it, or approved through a push notification. Several plug-ins can be used here, including Google Authenticator and Duo Two-Factor Authentication.
5. Backup and update regularly
WordPress updates bring new functionality as well as patch important security holes, making it that much harder for hackers to exploit vulnerabilities. That’s why it’s important to keep your WordPress installation up-to-date. That also includes keeping your plug-ins and themes up-to-date.
Before any major update is applied to your site, WordPress will warn you to back up your database. This prevents data loss in case something goes wrong during the update, and is a good practice to adopt in case the worst happens and your site gets hacked.
The easiest way to back up your site is with a plug-in like Solid Backups or Jetpack, paid solutions that automatically back up your entire website and let you restore it easily. UpdraftPlus WordPress Backup Plug-in is one of the most popular scheduled backup plug-ins in the world, with free and paid versions. Whichever tool you use, keep the copies off the web server (remote storage or another machine): a backup stored inside the web root is lost together with the site, and is often downloadable by anyone who guesses its file name.
Plug-ins can fail, so it is also worth knowing how to take a backup by hand:
- First, download all your WordPress files (the whole WordPress folder, including wp-content/uploads) to a folder on your computer. Use SFTP rather than plain FTP so your credentials are not sent in clear text.
- Next, back up your database, which contains your posts, users and settings. Since phpMyAdmin is one of the most widespread tools for managing MySQL databases, here is how to back up the database manually with it.
- Log in to your web host’s cPanel and click on phpMyAdmin. In some cases you won’t need to enter a username and password, but if it asks for login information use the details provided by your web host.
- Once you are logged in, choose the database that contains your WordPress data by selecting it in the left panel. You can recognize it by the default wp_ prefix on its table names. You will see the list of tables forming your database.
- At the top of the screen, you should see a few tabs. Click on the one labeled Export.
- You should be able to see two methods: ‘Quick’ and ‘Custom’. If your website is relatively new, select Quick. Otherwise, choose the Custom option.
- A list will then allow you to select the tables you want to export. If you’ve never done a backup of your site before, select all the tables and then select the default option: Save output to a file. Make sure to select the SQL format.
- Once your options are chosen, hit the Go button to generate a file containing your database. The time it takes to do this will vary depending on the size of your database.
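The same manual backup can be scripted so it runs on a schedule. The block below is an added example, not code from the original article: it reads the database credentials out of wp-config.php, runs mysqldump with the password passed through a 0600 defaults file (never on the command line, where every local user can read it with ps) and tars the install. It assumes a wp-config.php in the standard define( 'DB_NAME', ... ) layout with no quote characters inside the values, and that mysqldump is on PATH when run_backup() is actually invoked; SAMPLE_WP_CONFIG is constructed for the stand-alone run.

```python
"""Manual WordPress backup without a plug-in: a database dump plus a files archive.

Added example, not code from the original article. It assumes a wp-config.php in
the standard format (define( 'DB_NAME', '...' ); lines and $table_prefix = '...';)
with no quote characters inside the values, and that mysqldump is on PATH when
run_backup() is actually invoked. Parsing and command construction run offline.
"""
import os
import re
import subprocess
import tarfile
import tempfile
from datetime import datetime

# define( 'NAME', 'value' ); with either quote style and any amount of whitespace.
_DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")
_PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

# Constructed sample wp-config.php content for the stand-alone run (not a real site).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'S3cr3t-pw#1' );
define( 'DB_HOST', 'localhost:3306' );
$table_prefix = 'x9k_';
"""


def parse_wp_config(text):
    """Return the database settings and table prefix found in wp-config.php text."""
    settings = dict(_DEFINE_RE.findall(text))
    prefix = _PREFIX_RE.search(text)
    return {
        "name": settings.get("DB_NAME"),
        "user": settings.get("DB_USER"),
        "password": settings.get("DB_PASSWORD"),
        "host": settings.get("DB_HOST", "localhost"),
        "prefix": prefix.group(1) if prefix else "wp_",
    }


def mysqldump_argv(db, defaults_file):
    """Build the mysqldump command line. Credentials travel in a defaults file,
    never as arguments, because `ps` shows arguments to every local user."""
    return [
        "mysqldump",
        f"--defaults-extra-file={defaults_file}",  # must be the first option
        "--single-transaction",  # consistent InnoDB snapshot without locking the site
        "--skip-lock-tables",
        "--routines",
        db["name"],
    ]


def write_defaults_file(db, directory):
    """Write a 0600 MySQL client config holding the credentials; the caller deletes it."""
    fd, path = tempfile.mkstemp(prefix="wpbk-", suffix=".cnf", dir=directory)
    host, _, port = db["host"].partition(":")  # wp-config allows 'host:port'
    with os.fdopen(fd, "w") as fh:
        fh.write("[client]\n")
        fh.write(f'user="{db["user"]}"\npassword="{db["password"]}"\nhost="{host}"\n')
        if port:
            fh.write(f"port={port}\n")
    os.chmod(path, 0o600)
    return path


def archive_files(wp_root, out_path):
    """Archive the whole install; wp-content/uploads holds the irreplaceable data."""
    with tarfile.open(out_path, "w:gz") as tar:
        tar.add(wp_root, arcname="wordpress")
    return out_path


def run_backup(wp_root, out_dir):
    """Dump the database and archive the files into out_dir; returns both paths.
    Point out_dir outside the web root, or copy the results off the host afterwards."""
    os.makedirs(out_dir, mode=0o700, exist_ok=True)
    with open(os.path.join(wp_root, "wp-config.php"), encoding="utf-8") as fh:
        db = parse_wp_config(fh.read())
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    sql_path = os.path.join(out_dir, f"db-{stamp}.sql")
    cnf = write_defaults_file(db, out_dir)
    try:
        with open(sql_path, "w") as sql_out:
            subprocess.run(mysqldump_argv(db, cnf), stdout=sql_out, check=True)
    finally:
        os.unlink(cnf)
    files_path = archive_files(wp_root, os.path.join(out_dir, f"files-{stamp}.tar.gz"))
    return sql_path, files_path


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(run_backup(sys.argv[1], sys.argv[2]))
    else:  # no site given: show the command that would run for the constructed sample
        print(mysqldump_argv(parse_wp_config(SAMPLE_WP_CONFIG), "/tmp/creds.cnf"))
```

Run it as `python3 wp_backup.py /home/yoursite/public_html /home/yoursite/backups` from cron, then copy the two files somewhere the web server cannot reach. The --single-transaction flag gives a consistent snapshot of InnoDB tables without taking the site offline; if your tables are still MyISAM, drop --skip-lock-tables so the dump is coherent.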
6. Limit the number of plug-ins and themes
Using too many plug-ins can slow down your site, and every plug-in you install but stop maintaining is code an attacker can reach.
Deactivating a plug-in you no longer use is not enough, and the same goes for themes. Inactive plug-ins and themes are still PHP files on your server: they can be requested directly by URL, they still contain whatever vulnerabilities they shipped with, and deactivated code is exactly the code people forget to update. Do yourself a favor and delete any and all plug-ins and themes you are not using.
7. Be careful of free WordPress themes and plug-ins
There are loads of awesome free WordPress themes and plug-ins out there. However, free is not always free: a theme or plug-in from an untrusted source can come packed with backdoors, malware and obfuscated (base64-encoded) spam links.
Use a common sense approach. WordPress.org is the safest place when you are looking for free themes and plug-ins. Most plug-in and theme creators and major marketplaces like Themeforest and CodeCanyon are safe too but if you are installing a premium/paid theme or plug-in which someone made available for free (or nulled) then you are asking for trouble.
You can use these plug-ins to look for suspicious code:
- Sucuri Security – This free tool will check your site for malicious code and other issues that could threaten your page.
- AntiVirus – While the name implies that it only checks for viruses, it also looks for malware and other vulnerabilities. It is a free tool that is easy to use even for beginners.
- Malcare – If you are looking for something more advanced, and don’t mind paying for it, MalCare will offer comprehensive security scanning for $99 per year per site.
Intermediate WordPress Security Tips
8. Limit login attempts
By default, WordPress lets anyone try passwords as many times as they want, which makes it easy for hackers to run scripts that keep guessing until they find the right combination.
To prevent this, install and activate the Login LockDown plug-in. After activation, go to Settings > Login LockDown to configure it.
Define how many login attempts are allowed, then how long a user is locked out after exceeding them. You can also set the lockout period for IP-range blocks and block attempts that cycle through different invalid usernames.
It’s a good idea to also disable the message that tells the user whether the username or the password was wrong (see tip 15). After configuring the settings, click on Update Settings to save your changes. Bear in mind that per-IP lockouts do not stop an attacker who spreads the guesses over thousands of addresses, and the xmlrpc.php endpoint’s system.multicall method lets a single HTTP request test many passwords at once; if nothing you use needs XML-RPC (Jetpack and the mobile apps do), block access to xmlrpc.php as well.
9. Change your wp_ database prefix
WordPress prefixes all database tables with wp_ by default. Changing the prefix is a mild obscurity measure, not injection protection: an SQL injection flaw in a plug-in is still exploitable, because the attacker can read the real table names from information_schema or from a verbose database error. What it does defeat is the lazy automated payloads that hard-code wp_users and wp_options.
You will find the table prefix in your wp-config.php file:
$table_prefix = 'wp_';
Change it to something that isn’t guessed easily, for example:
$table_prefix = 'wp_34cs_';
WordPress only accepts letters, digits and underscores in the prefix; a value containing characters such as $ or ( makes WordPress abort with an error about $table_prefix as soon as wp-config.php is loaded.
Bear in mind that you will still need to update the prefix of your tables manually for an existing installation of WordPress.
One of the easiest ways to do this is to install the plug-in Solid Security. The plug-in can automatically do all the necessary changes for you with a click of a button. You can find this setting under the Advanced tab.
Alternatively, you can do this manually, by using an SQL query to rename each table. Below is an example of how this is done:
RENAME table `wp_links` TO `newprefix_links`;
Make sure to change the new prefix in the above example to the prefix you have defined in wp-config.php. You need to run the query for every table, including all core tables and any additional tables added by plug-ins (list them with SHOW TABLES so none are missed), and you should rehearse the whole change on a backup or staging copy first.
Next, update the rows whose keys embed the table prefix. In the user meta table these are keys such as wp_capabilities, wp_user_level and wp_user-settings. Anchor the match to the start of the key and escape the underscore (a single-character wildcard in LIKE) so that a key which merely contains wp_ somewhere in the middle is not mangled. Enter this through the phpMyAdmin SQL tab (the 4 in SUBSTRING is one more than the length of the old prefix):
UPDATE `newprefix_usermeta` SET `meta_key` = CONCAT( 'newprefix_', SUBSTRING( `meta_key`, 4 ) ) WHERE `meta_key` LIKE 'wp\_%';
Finally, update the one core option that carries the prefix, user_roles. Do not blindly rewrite every option whose name starts with wp_: options such as wp_page_for_privacy_policy are literal core option names, not prefixed ones.
UPDATE `newprefix_options` SET `option_name` = 'newprefix_user_roles' WHERE `option_name` = 'wp_user_roles';
Then set the new value of $table_prefix in wp-config.php, flush any object cache, and log in again. On a multisite install the same has to be repeated for every wp_<blog id>_ table set, and some plug-ins cache the prefix in their own options and need to be reconfigured.
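Writing the RENAME statements by hand for thirty-odd tables is error-prone, so here is an added example (not code from the original article or from WordPress) that generates the complete script from the real table list and applies the same prefix validation WordPress does. It assumes MySQL/MariaDB syntax and a single-site install; the table list in the stand-alone run is constructed.

```python
"""Generate the SQL for changing the table prefix of an existing WordPress install.

Added example, not code from the original article or from WordPress. It assumes
MySQL/MariaDB syntax and a single-site install (multisite has a wp_<blog id>_
table set per site), and expects the real table list (from SHOW TABLES) so that
plug-in tables are not missed. Review the output before running it, on a backup.
"""
import re

# WordPress only accepts letters, digits and underscores in the prefix;
# wp-config.php aborts with an error for anything else.
_PREFIX_OK = re.compile(r"^[A-Za-z0-9_]+$")


def prefix_is_valid(prefix):
    return bool(_PREFIX_OK.match(prefix))


def rename_prefix_sql(tables, old, new):
    """Return the statements that move every `old*` table to `new*` and rewrite
    the prefix-dependent rows in usermeta and options."""
    for p in (old, new):
        if not prefix_is_valid(p):
            raise ValueError(f"invalid table prefix {p!r}: use only letters, digits and '_'")
    if old == new:
        raise ValueError("old and new prefix are identical")

    stmts = []
    for table in tables:
        if not table.startswith(old):
            continue  # tables that belong to some other application stay as they are
        stmts.append(f"RENAME TABLE `{table}` TO `{new}{table[len(old):]}`;")

    # usermeta keys such as wp_capabilities and wp_user_level embed the prefix.
    # The LIKE pattern is anchored at the start and escapes '_' (a single-character
    # wildcard in LIKE), so a key that merely contains the old prefix in the middle,
    # or one that starts with e.g. 'wpx', is left untouched.
    like = old.replace("_", r"\_") + "%"
    cut = len(old) + 1  # SUBSTRING is 1-indexed: drop exactly the old prefix
    stmts.append(
        f"UPDATE `{new}usermeta` SET `meta_key` = CONCAT('{new}', SUBSTRING(`meta_key`, {cut})) "
        f"WHERE `meta_key` LIKE '{like}';"
    )
    # In the options table only user_roles carries the prefix. Do NOT rewrite every
    # option starting with the old prefix: names such as wp_page_for_privacy_policy
    # are literal core option names that happen to begin with 'wp_'.
    stmts.append(
        f"UPDATE `{new}options` SET `option_name` = '{new}user_roles' "
        f"WHERE `option_name` = '{old}user_roles';"
    )
    return stmts


if __name__ == "__main__":
    # Constructed table list: the core tables plus one plug-in table and one foreign table.
    sample_tables = ["wp_commentmeta", "wp_comments", "wp_links", "wp_options", "wp_postmeta",
                     "wp_posts", "wp_term_relationships", "wp_term_taxonomy", "wp_termmeta",
                     "wp_terms", "wp_usermeta", "wp_users", "wp_yoast_indexable", "other_app_log"]
    print("\n".join(rename_prefix_sql(sample_tables, "wp_", "x9k_")))
```

Feed it the output of SHOW TABLES, paste the result into the phpMyAdmin SQL tab inside a transaction-less maintenance window, then change $table_prefix in wp-config.php. The page’s example prefix wp_34CS($ is rejected by prefix_is_valid() for the same reason WordPress rejects it.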
10. Rename the login page
The WordPress admin dashboard default login URL is /wp-login.php (or you can just type in /wp-admin/ and it will redirect you). Changing the URLs of the dashboard areas adds a small extra layer, and you can do it with the Solid Security plug-in. Treat it as obscurity only: the login form still exists under the new name, and the REST API, XML-RPC and wp-admin/admin-ajax.php remain reachable, so it complements the measures above rather than replacing them.
11. Protect your .htaccess file
The .htaccess file is used to redirect URLs and configure pretty permalinks, and it can also be used to harden WordPress. It is honoured by Apache and LiteSpeed only; nginx ignores it, so on nginx the equivalent rules belong in the server block.
The code snippets below will strengthen the security of your WordPress website. Note that the code has to be placed outside of the # BEGIN WordPress and # END WordPress tags, as anything between those tags can be updated by WordPress, thus overriding your changes.
First, let’s protect the most important file: wp-config.php, which contains your database connection settings, table prefix, security keys, and other sensitive information. The directives have to be wrapped in a <Files> block, otherwise they apply to every file in the directory and lock out the whole site. Add this to your .htaccess file:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Next, let’s protect .htaccess itself by adding the following to it:
<Files .htaccess>
order allow,deny
deny from all
</Files>
Finally, let’s limit access to wp-login.php to your own address:
<Files wp-login.php>
order deny,allow
deny from all
# allow access from my IP address
allow from 111.111.1.1
</Files>
Make sure to replace the IP address with your own, and remember this only works if your address is static; on a dynamic connection you will lock yourself out. You can also restrict the entire WordPress dashboard to one IP address by creating a separate .htaccess file inside the wp-admin directory containing:
order deny,allow
allow from 111.111.1.1
deny from all
Again, replace the IP address with your own. Note that wp-admin/admin-ajax.php is used by many themes and plug-ins on the public site, so add a <Files admin-ajax.php> block in that same file that allows everyone, or front-end features will break. The order/allow/deny directives are Apache 2.2 syntax and need mod_access_compat on Apache 2.4; the native 2.4 forms are Require all denied and Require ip 111.111.1.1.
12. Use correct file permissions
Incorrect file permissions such as 777 (readable, writable and executable by everyone on the server) let any other process on the host, including a compromised neighbouring account on shared hosting, upload a file or modify an existing one. You can change permissions from your host’s cPanel File Manager, or with chmod over SSH.
According to WordPress, these are the correct permissions to use on a WordPress website:
- All directories should be 755 or 750
- All files should be 644 or 640
- wp-config.php should be 600 (if PHP runs as a different user than the file’s owner, 640 with the web server’s group is the tightest mode that still lets WordPress read it)
For a thorough guide on setting the correct file permissions, take a look at the Changing File Permissions guide on WordPress.org.
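Checking those modes by eye across a few thousand files is not realistic, so here is an added example (not code from the original article) that walks an install and reports every path that grants more than the baseline above. It assumes a POSIX filesystem; the severity labels are the script’s own, and wp-config.php is judged against 600 with 640 reported separately for the shared-group case noted above.

```python
"""Audit file and directory modes under a WordPress root against the recommended
755/750, 644/640 and wp-config.php 600 baseline.

Added example, not code from the original article. It assumes a POSIX filesystem
(mode bits mean nothing on Windows); the severity labels are this script's own.
"""
import os
import stat


def classify(rel_path, mode, is_dir):
    """Return (severity, reason) for one path, or None if it is acceptable.
    `mode` may include file-type bits; only the permission bits are examined."""
    perm = stat.S_IMODE(mode)
    if perm & stat.S_IWOTH:
        # Any account on the host, including a compromised neighbour, can plant code.
        return ("high", f"world-writable ({perm:o})")
    if os.path.basename(rel_path) == "wp-config.php":
        if perm & 0o007:
            return ("high", f"wp-config.php readable by others ({perm:o}); want 600")
        if perm & 0o070:
            return ("medium", f"wp-config.php readable by group ({perm:o}); only acceptable if that group is the web server's")
        return None
    baseline = 0o755 if is_dir else 0o644
    extra = perm & ~baseline  # bits granted beyond the recommended mode
    if not extra:
        return None  # equal to, or stricter than, the baseline
    if extra & stat.S_IWGRP:
        return ("medium", f"group-writable ({perm:o}); want {baseline:o} or stricter")
    if not is_dir and rel_path.endswith(".php") and extra & 0o111:
        return ("medium", f"executable PHP file ({perm:o}); PHP never needs the execute bit")
    return ("low", f"mode {perm:o}; want {baseline:o} or stricter")


def audit_tree(root):
    """Walk `root` and return (relative_path, severity, reason) tuples, worst first."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target where it really lives, not the link
            rel = os.path.relpath(full, root)
            verdict = classify(rel, st.st_mode, stat.S_ISDIR(st.st_mode))
            if verdict:
                findings.append((rel, *verdict))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))


if __name__ == "__main__":
    import sys
    for rel, severity, reason in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{severity:6} {rel}: {reason}")
```

Run `python3 wp_perms.py /home/yoursite/public_html` and fix the high findings first; a world-writable wp-content/uploads is the classic way a webshell ends up on a site. Modes stricter than the baseline (640 files, 750 directories) are deliberately not reported.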
Advanced WordPress Security Tips
13. Move your wp-config.php file
As mentioned before, your wp-config.php file is a very important file as it contains your database connection settings, table prefix, security keys, and other sensitive information.
Move wp-config.php into the directory directly above your WordPress installation; WordPress looks exactly one level up and nowhere else. For example, if WordPress is installed in /home/yoursite/public_html/ you would move wp-config.php to /home/yoursite/wp-config.php. This only helps when that parent directory is outside the web root (on some hosts the parent is itself served, and then nothing is gained), and the file must remain readable by the user PHP runs as. What it protects against is a misconfiguration that makes PHP files downloadable as plain text, which would otherwise hand out your database credentials.
14. Tweak your wp-config.php file
Your wp-config.php file contains all of the confidential details for your WordPress site. Luckily there are a few tweaks you can make to make your website more secure.
Change the default secret keys to something else
WordPress security keys and salts are secret values mixed into the hashes that sign the authentication cookies; they do not encrypt anything, but without them an attacker who obtains a user’s password hash cannot forge a login cookie. They must be unique for each install. If you are unsure how to change them, generate a fresh set with the WordPress Salts Key Generator (the api.wordpress.org/secret-key/1.1/salt/ endpoint) and paste it over the old block in wp-config.php. Rotating them invalidates every existing session, which is exactly what you want after a suspected compromise. Alternatively, a security plug-in like Salt Shaker can rotate them on a schedule.
Disable error reporting
If a plug-in or theme throws an error, the message may reveal your server path, a database query or other internals. Make sure WP_DEBUG is false on a production site and stop PHP from printing errors to the page by adding the following to your wp-config.php file:
error_reporting(0);
@ini_set('display_errors', 0);
The first line silences errors entirely; if you would rather keep a record, leave error_reporting alone and instead set display_errors to 0 and log_errors to 1 with an error_log path outside the web root. The one-liner some guides put in functions.php does something different: it blanks the message on the login form (tip 15 shows the full version). Its original form used create_function(), which was removed in PHP 8; the modern equivalent is:
add_filter( 'login_errors', '__return_empty_string' );
Disable the plug-in and theme editor
Unless you are a developer who likes to change theme or plug-in files on the fly, there is no good reason to keep the built-in file editor: an attacker who gets into an administrator account uses it to drop a PHP backdoor in seconds. Disable it by adding the following to your wp-config.php file (DISALLOW_FILE_MODS goes one step further and also blocks plug-in and theme installs and updates from the dashboard, which suits sites deployed from version control):
define( 'DISALLOW_FILE_EDIT', true );
15. Disable WordPress login hints
When you log in with a wrong username or a wrong password, WordPress tells you which one was wrong: either the username does not exist, or the password does not match that username.
That lets an attacker confirm valid usernames before spending guesses on passwords. To replace the default messages with a single neutral one, add this to functions.php:
function no_wordpress_errors() {
    return 'Nothing to see here, move along!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );
This only hides the hint on wp-login.php; the lost-password form, author archives and the REST users endpoint can still confirm a username, so treat it as a speed bump rather than protection.
16. Remove the WordPress version number
By default, WordPress prints a generator meta tag with the installed version into every page’s head (and into RSS feeds). Knowing the exact version tells an attacker which public vulnerabilities to try.
You can remove the meta tag by adding the following to your theme’s functions.php file:
remove_action('wp_head', 'wp_generator');
Filtering the_generator with __return_empty_string also strips it from feeds. Bear in mind that the version still leaks through the ?ver= query strings on core scripts and styles and through /readme.html, so delete readme.html after every update and rate version hiding as low value next to simply staying updated. An easier method is a plug-in like Remove WordPress Version Number.
17. Implement HTTP header security
HTTP security headers help mitigate attacks and security vulnerabilities.
Six HTTP security headers are covered below. The snippets call PHP’s header() from functions.php; that works because the theme loads before any output, but hooking them on the send_headers action is cleaner and avoids “headers already sent” warnings when a plug-in echoes early.
Content Security Policy (CSP)
CSP helps mitigate XSS attacks by whitelisting the allowed sources of content such as scripts, styles, and images. A CSP can prevent the browser from loading malicious assets.
Unfortunately, there isn’t a one size fits all approach to CSPs. Before you create your CSP you need to evaluate the resources you’re actually loading. Once you have a handle on how resources are loading you can set up a policy based on those requirements.
When your CSP is ready, add it to your functions.php file like this (below is the policy the article’s own site, WhoIsHostingThis.com, used):
header("Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:");
Note the double quotes around the PHP string: the policy itself contains single quotes, which inside a single-quoted PHP string would each need a backslash in front of them or you will get a parse error.
Let’s break it down. 'self' allows all resource types from the current origin. 'unsafe-inline' allows inline script and style blocks, and 'unsafe-eval' allows eval() and similar dynamic code execution. https: allows resources from any origin as long as it is served over HTTPS, and data: allows data: URIs. Be honest about what this buys you: with 'unsafe-inline' and https: in effect, an injected <script> tag or a script pulled from any HTTPS host still runs, so this policy blocks little beyond mixed content. A CSP that actually mitigates XSS uses nonces or hashes for inline scripts and lists specific origins. A CSP can also be delivered in a <meta http-equiv="Content-Security-Policy"> tag in the page head, though frame-ancestors and the reporting directives only work in the HTTP header.
X-Frame-options
This header helps prevent clickjacking by telling the browser not to render the page inside a frame, iframe or object on another site. Modern browsers honour the CSP frame-ancestors directive in preference to it, so set both. Include it in your functions.php like so:
header('X-Frame-Options: SAMEORIGIN');
X-XSS-Protection and X-Content-Type-Options
X-Content-Type-Options: nosniff tells every browser (not just IE) to respect the declared Content-Type instead of guessing it, which stops a user-uploaded file from being interpreted as script. X-XSS-Protection controlled the XSS auditor of older browsers; Chrome and Edge have removed that filter, Firefox never had it, and the filter was itself abused to leak page contents, so the modern advice is to send X-XSS-Protection: 0 or leave it out and rely on CSP. If you keep it for legacy clients, include both in your functions.php with the following snippet:
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
HTTP Strict Transport Security (HSTS)
HSTS is a way for the server to tell the browser that it must only ever communicate with this host over HTTPS, which defeats downgrade attacks on later visits. Only add preload once every subdomain serves HTTPS and you are prepared to submit the domain to hstspreload.org, because a preload entry is hard to undo. Add it to your functions.php like this:
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
Implement cookies with the HttpOnly and Secure flags in WordPress
HttpOnly keeps a cookie out of reach of JavaScript (so an XSS cannot read it) and Secure makes the browser send it only over HTTPS. WordPress does not use PHP sessions for logins: its own auth cookies are already HttpOnly, and they get the Secure flag automatically when the site runs over HTTPS (define FORCE_SSL_ADMIN as true in wp-config.php so the admin area is always served that way). The ini settings below therefore only affect plug-ins that start PHP sessions, but they are harmless to add to your functions.php file:
@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
You can and should test your HTTP security headers by going to https://securityheaders.io. Another way to set them is via your .htaccess file, which requires mod_headers (use Header always set if the headers should also appear on error responses). Here’s how to set it up in .htaccess:
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "sameorigin"
Header set X-Content-Type-Options "nosniff"
Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:"
Alternatively, you can use a plug-in such as Security Headers if you don’t want to implement them manually.
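An online checker tells you whether a header is present; what a practitioner wants to know is whether it actually does anything. The block below is an added example, not code from the original article: it parses a CSP and an HSTS value and flags the weaknesses discussed above (script sources that allow 'unsafe-inline' without a nonce, a https: wildcard, the obsolete X-XSS-Protection filter, a short or malformed HSTS). It works on a plain dict of headers so it runs offline; fetch_headers() is an optional standard-library helper, the finding codes and severities are the script’s own, and SAMPLE_HEADERS is constructed from the snippets in this section.

```python
"""Check a set of HTTP response headers against the advice in this section.

Added example, not code from the original article. It audits a plain dict of
headers so it runs offline; fetch_headers() is a small optional helper that uses
only the standard library. The finding codes and severities are this script's
own, and SAMPLE_HEADERS is constructed from the article's snippets.
"""
import urllib.request


def parse_csp(policy):
    """Split a CSP string into {directive: [sources]}. Browsers ignore a repeated
    directive, so the first occurrence wins here as well."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def parse_hsts(value):
    """Return (max_age, include_subdomains, preload) from an HSTS header value."""
    max_age, subs, preload = 0, False, False
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age=") and token[8:].isdigit():
            max_age = int(token[8:])
        elif token == "includesubdomains":
            subs = True
        elif token == "preload":
            preload = True
    return max_age, subs, preload


def audit_headers(headers):
    """Return a list of (code, severity, message) findings for a header dict."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("csp-missing", "medium", "no Content-Security-Policy header"))
    else:
        d = parse_csp(csp)
        # script-src falls back to default-src when absent, exactly as browsers do
        script = [s.lower() for s in d.get("script-src", d.get("default-src", []))]
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in script)
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            findings.append(("csp-unsafe-inline", "high",
                             "scripts allow 'unsafe-inline': an injected <script> still runs, so this CSP does not stop XSS"))
        if "'unsafe-eval'" in script:
            findings.append(("csp-unsafe-eval", "medium", "'unsafe-eval' lets injected strings reach eval()"))
        if any(s in ("https:", "http:", "*") for s in script):
            findings.append(("csp-scheme-wildcard", "high", "script sources include https: or *, which allows any origin"))
        if "frame-ancestors" not in d and "x-frame-options" not in h:
            findings.append(("clickjacking", "medium", "neither frame-ancestors nor X-Frame-Options is set"))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts-missing", "medium", "no Strict-Transport-Security header"))
    else:
        max_age, subs, preload = parse_hsts(hsts)
        if max_age < 31536000:
            findings.append(("hsts-short", "low", f"HSTS max-age {max_age} is below one year"))
        if preload and not subs:
            findings.append(("hsts-preload", "low", "preload without includeSubDomains is rejected by the preload list"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("nosniff-missing", "low", "X-Content-Type-Options: nosniff is not set"))

    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(("xss-auditor", "low",
                         "X-XSS-Protection enables a filter modern browsers removed and that was itself abused to leak data; send 0 or omit it"))
    return findings


def fetch_headers(url, timeout=10):
    """Fetch only the response headers of `url` (needs network access)."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-audit"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample: the policy quoted above plus the other headers this section sets.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
}

if __name__ == "__main__":
    import sys
    target = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_HEADERS
    for code, severity, message in audit_headers(target):
        print(f"[{severity}] {code}: {message}")
```

Run without arguments it audits the constructed sample, which reproduces this section’s own configuration, and reports two high findings for the CSP (unsafe-inline, https: wildcard) plus the eval and X-XSS-Protection notes; `python3 header_audit.py https://example.org/` does the same against a live site. A policy of the form default-src 'self'; script-src 'self' 'nonce-…'; frame-ancestors 'none' passes clean.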
18. Add Google Search Console (GSC)
There are lots of benefits to adding your WordPress site to Google Search Console (formerly Google Webmaster Tools). Not only is GSC useful for SEO and how Google understands your site but another important feature is the “security issues” dashboard.
If Google detects issues with your site and if it has been compromised you will get an alert via email.
19. Consider using SSL
TLS (still widely called SSL, for Secure Sockets Layer) encrypts the connection between your web server and your visitors’ browsers, so passwords, cookies and page content cannot be read or altered in transit. For a site with a login form it is not optional: without it the admin password and the session cookie travel in plain text on every request. It is essential for e-commerce and also plays a role in search engine rankings.
To enable it you need a certificate, which most hosting providers now provision automatically, or which you can get for free from Let’s Encrypt or WoTrus. Then switch the site and home URLs to https://, redirect all plain HTTP requests, and set FORCE_SSL_ADMIN in wp-config.php; a plug-in like WP Force SSL handles the redirect and mixed-content fixes for you.
20. Use a managed WordPress host
If you can afford it, go with a managed WordPress host. In a 2014 study WP White Security reported that 41% of WordPress sites were hacked due to a security vulnerability on the web host itself, so don’t simply go for the cheapest available.
There are several companies offering managed WordPress hosting. Their bread and butter is WordPress: a managed host does nothing else and looks after the technical side for you, including security patching, speed, WordPress updates, daily backups, uptime and scalability. You pay a premium compared with traditional shared or unmanaged hosting, but it is worth it.
Some shared hosting companies such as SiteGround now bundle similar features: TLS certificates and HTTP/2, custom WAF rules, automatic updates of WordPress and its plug-ins, and free daily backups with restores of your hosting account.
21. Consider using third parties
If you can afford it you should consider using a third-party WordPress security protection service. Companies like Sucuri and WPWSS offer both subscription-based and one-off services like malware and blacklist scanning, DDoS protection, malware cleanup, firewall protection, and those extra layers to keep your WordPress site safe and secure.
WordPress security is no laughing matter. While it’s true that WordPress can be an easy target for hackers, if you take the proper precautions you can avoid being a victim of an attack.
Frequently Asked Questions (FAQs)
Does WordPress have good security?
Yes. WordPress core is actively maintained and patched quickly; most compromises come through outdated plug-ins and themes, weak credentials and poor hosting. You are still responsible for keeping your own site hardened and up to date.
How do I make my WordPress site more secure?
You can keep your WordPress version updated, install an SSL certificate, use secure login credentials, use trusted WordPress themes, and remove unused WordPress plugins and themes.
Can my WordPress site be hacked?
Yes, your WordPress site can be hacked just like any other site. But you can minimize your risk by taking security measures that deter hackers.