Nearly 50% of all WordPress websites operating at the moment are self-hosted, which means the platform bears most of the responsibility for the safety of the installation process. Concerned owners can also take matters into their own hands and enable extra hardening and WordPress security features, but surprisingly, most of them choose not to. This is exactly why hackers have little trouble breaking into WordPress websites and performing all kinds of malicious activity.

WordPress’s core installation is actually simple and well protected; trouble appears only once the user adds functionality via themes, plugins, and code of questionable origin. The more things you install, the more challenging it will be to secure your WordPress website, regardless of whether you’re running a personal blog or a complex business platform.

How can you secure a WordPress website on your own? Here are some WordPress security tips and tricks you should consider to improve the safety of your website:

Discourage brute-force attacks by securing your login page

The URL of WordPress’s login page is standardized, which is why attackers find it easy to reach the back end by forcing their way through it. All they have to do is append /wp-login.php/ or /wp-admin/ to your site’s domain name, and half their work is done.

This problem is nevertheless easy to solve: install a lockdown feature that blocks access to the site after several failed login attempts with incorrect passwords. Such features also notify you each time unauthorized activity is detected on your website.
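As an added illustration of the lockdown behaviour described above (example code, not a plugin from the article), here is a minimal must-use plugin that counts failed logins per client address with WordPress transients, refuses further attempts once the limit is reached, and mails the site owner when a lockout starts; the plugin name, the threshold of five attempts and the 15-minute window are assumptions.

```php
<?php
/*
Plugin Name: Demo Login Lockdown
Description: Added example. Counts failed logins per client address and blocks further attempts.
*/
// Save as wp-content/mu-plugins/demo-login-lockdown.php. Threshold and window are assumed values.
define( 'DEMO_LOCKDOWN_MAX_FAILURES', 5 );
define( 'DEMO_LOCKDOWN_WINDOW', 15 * MINUTE_IN_SECONDS );

function demo_lockdown_key() {
    // REMOTE_ADDR is the real client only when PHP sees the client directly; behind a
    // reverse proxy or CDN, have the web server set it from the proxy's client-IP header.
    return 'demo_lockdown_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count every failed attempt; attempts made while locked out also refresh the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = demo_lockdown_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, DEMO_LOCKDOWN_WINDOW );

    if ( DEMO_LOCKDOWN_MAX_FAILURES === $failures ) {
        // Notify the site owner the moment the lockout starts.
        wp_mail(
            get_option( 'admin_email' ),
            'Login lockout on ' . home_url(),
            sprintf(
                'Client %s was locked out after %d failed logins (last username tried: %s).',
                $_SERVER['REMOTE_ADDR'] ?? 'unknown',
                $failures,
                sanitize_user( $username )
            )
        );
    }
} );

// Refuse authentication while the client is locked out. Priority 30 runs after the
// core username/password checks (20) so a correct password does not bypass the block.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( demo_lockdown_key() ) >= DEMO_LOCKDOWN_MAX_FAILURES ) {
        return new WP_Error( 'demo_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( demo_lockdown_key() );
} );
```

Transients are stored in the options table (or the object cache if one is configured), so the counter survives across requests without any extra storage; because the lockout is keyed on the client address, a shared office NAT or VPN exit can be locked out by one misbehaving client.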

Update your WordPress version as often as necessary

Most of us choose to ignore the ‘Update available’ banner on the WordPress dashboard, but running the latest version of the platform is the best way to keep it safe. Therefore, put updates at the top of your security checklist, and close the vulnerability gaps hackers have already explored. We’ve got safe tips on how to update WordPress.

Update your themes and plugins

Just as you renew your core installation, update your themes and plugins and uninstall those you’re not using. As good as they may be, themes and plugins can be used as backdoors to your admin settings and personal information, but with regular updating there will be nothing to worry about.

Get rid of the themes and plugins you’re not using

The fewer plugins and themes you have, the more difficult it will be for hackers to attack your website, so why keep the ones you’re not using? Unless you’re really willing to update them all the time, we recommend uninstalling them as soon as possible.

Choose a username different than ‘admin’

A default WordPress installation uses ‘admin’ as the standard username, and keeping it makes an attacker’s work easier. What you should do is run an SQL query in phpMyAdmin and change the username to something less predictable.

Log in with your email

Logging in with your email address is a much safer approach than using any username. However creative and unique you think it is, a username is easier to guess than an email address, in particular because every WordPress user account has its own validated email address.

You can set this up with the WP Email Login plugin. The plugin needs almost no time or configuration effort and starts working immediately upon activation.

To check that it works, log out and log back in using your email address.

Strengthen your password, and change it as often as possible

Instead of using personalized, easy-to-guess passwords, use random letter-and-number strings, which you can create manually or with an automated password generator (Strong Password Generator and Norton Password Generator are good options).

Remember two-step authentication

Two-step authentication is a smart mechanism that helps prevent brute-force attacks and one of the best WordPress security measures you can adopt. When logging in, users must provide an authorization code in addition to their password, delivered by email or SMS. Several plugins make this possible, such as Google Authenticator, Duo Two-Factor Authenticator, and Clef.

Avoid premium plugins offered for free

Generally, premium plugins should be downloaded only from their official vendors’ pages, as pirated and ‘free’ versions are frequently laced with malware. Most of the time they are offered by hackers on illegal websites, who tamper with the original code to secure a direct connection to your site’s back-end settings.

Disable the theme and plugin editor

Unless you use the plugin and theme editor in your WP dashboard on a regular basis, it is better to disable it completely. The reason is that once an authorized user’s account is compromised, the attacker gets direct access to the editor and can modify all the important code kept there.

Disable PHP error reports

While PHP error reports are the best way to troubleshoot problems, they include the full server path of your website, which is not a problem as long as hackers don’t get their hands on them. This is why you should disable error reporting and find a different way to handle troubleshooting.
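Both of the settings above (the editor and the error reports) can be controlled from wp-config.php without a plugin; the fragment below is an added example, not code from the article, showing the weak development configuration beside the hardened one while keeping a log file so troubleshooting is still possible.

```php
// Added example for wp-config.php, not a snippet from the article. These lines go inside the
// existing PHP block of wp-config.php, above the "That's all, stop editing!" marker.

// Weak setting, often left over from development: every notice and warning, together with
// the full server path of the file that raised it, is printed into the page for anyone to read.
// define( 'WP_DEBUG', true );
// define( 'WP_DEBUG_DISPLAY', true );

// Hardened: nothing reaches the browser, but errors are still recorded for troubleshooting.
define( 'WP_DEBUG', true );            // keep error reporting enabled (WP_DEBUG_LOG needs it)...
define( 'WP_DEBUG_DISPLAY', false );   // ...but never render errors into the HTML output
define( 'WP_DEBUG_LOG', true );        // write them to wp-content/debug.log instead
@ini_set( 'display_errors', '0' );     // also covers errors raised before WordPress applies the above

// If you do not want a log at all, use define( 'WP_DEBUG', false ) plus the ini_set line;
// WP_DEBUG_LOG has no effect while WP_DEBUG is false.

// The log file lives under the web root and contains the same paths, so deny HTTP access to it
// in your web server configuration and rotate it like any other log.

// Remove the theme and plugin editor (Appearance > Theme File Editor, Plugins > Plugin File Editor).
define( 'DISALLOW_FILE_EDIT', true );

// Stricter, optional: also block plugin/theme installs and updates from the dashboard, so code
// changes can only arrive through SFTP or a deployment pipeline. Implies DISALLOW_FILE_EDIT.
// define( 'DISALLOW_FILE_MODS', true );
```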

Use .htaccess to protect important files

.htaccess files are certainly familiar to experienced WordPress users, and so is their vital role in the security of the entire website. .htaccess files sit at the core of WP’s functionality and dictate the site’s ability to structure permalinks and protect itself. A variety of code snippets can be inserted into .htaccess files to determine which files are visible in the website’s directory, including the # BEGIN WordPress and # END WordPress blocks sourced straight from the WordPress Codex.

The first step we’d recommend is to hide the wp-config.php file, as this is the heart of the website and contains all security details and personal information. If you’re not familiar with .htaccess, check it first.

Get the best hosting your budget allows

None of these trendy security hacks will make sense without a solid hosting provider, in particular when you are on a shared hosting plan that offers no isolation for your website. Prominent hosting providers block unwanted visitors from accessing your site’s back end and ensure that the underperformance of other sites on your server won’t affect you in any way. Ideally, you should choose a hosting service tailored exclusively to WP sites, as it provides a WP firewall, up-to-date MySQL and PHP, and constant malware scanning. Most of these providers also let you reach a knowledgeable team of WP experts for all questions and inquiries.

Therefore, set aside a reasonable amount to cover the service, and go through the web hosting security checklist before you sign a deal.

Keep your wp-admin directory protected

All core WP operations are governed from your wp-admin directory, which means that a hacker who has gained access to it effectively has access to your entire website and can thereby cause irreversible damage.

One way to prevent unwanted wp-admin access is to protect it with two separate passwords: one used to log into the website, and a second one to access the admin area. The admin can also unblock selected parts of wp-admin and give access to particular users while preserving control over the rest.

The admin area is best secured with the AskApache Password Protect plugin, which generates .htpasswd files, configures and corrects file permissions, and encrypts both passwords.

Plugins that you should use

WordPress Exploit Scanner

This plugin monitors and examines all files and database content on the site, including posts and comments. It reports anything suspicious, such as inactive plugins and unusual file names, but it won’t remove them; instead, it notifies the user and leaves the clean-up to them.

BulletProof Security

Security matters to a website owner just as much as performance does. BulletProof Security is a popular plugin that optimizes both performance and security and provides database security and backup, login security, firewall security, and much more. They also offer a Bonus Custom Code for websites processing large volumes of sensitive data.

How exactly does BulletProof Security optimize performance? Besides keeping your data secure, this plugin also makes sure your website won’t perform slowly or poorly, and that there are no memory errors or non-essential data storage to worry about. Ultimately, the plugin improves and speeds up performance with its Speed Boost Cache Bonus Code.

Ending thoughts

With all things put into perspective, it is plugins we ought to blame for most of our WP site’s vulnerabilities. The WP market is simply flooded with supposedly useful plugins of suspicious origin that may put your entire website at risk, which is why we ought to be extremely careful with the extras we install.

The best way to protect our website from unwanted attacks is to limit the installed plugins to the ones we absolutely need. This is actually quite difficult to achieve, considering that most bloggers choose WP precisely because of its large plugin ecosystem. Of course, the owner is not expected to remove plugins altogether, but to eliminate those they’re not using and keep the rest regularly updated to lower the number of vulnerabilities and security gaps. We also recommend keeping an eye on plugins that have been abandoned by their developers and replacing them with better alternatives.

Believe it or not, most brute-force attacks are lucky guesses, as bot attackers try as many username-password combinations as they can to find the right one. This is fairly easy to prevent by simply choosing a username and a password that are not easy to guess, meaning complex, long, and unusual phrases that will give hackers trouble they didn’t expect.

As you can see, WordPress is not that difficult to secure, as you can already count on the solid foundation created by its developers and a large user community that suggests ideas on how to protect your blog from unwanted attacks.

Remember that the most attractive part of a website for every hacker is the admin dashboard, and that’s where most of your precautions should be concentrated. Therefore, do everything you can to prevent them from taking over your website and causing damage you may never repair.

Last, but not least, accept the idea that compromised websites were not well protected to start with. Everything that happens is your responsibility if you did not take on the job of securing your website, so start doing something about it right now.

1 comment

  1. John Pong 5th April 2018

    Some of the tips made on this page are very dangerous and you shouldn't follow the advice given. Especially frequent change of passwords actually lowers your security instead of increasing it. The more often you HAVE to change it, the higher the risk that it will be easy to guess with ongoing time. You also should never ever use an email address as a username - for many, many reasons. First one: It is easy to guess and most users wouldn't create something like a dedicated mail address. More dangerous: If you use the same address as username which you use for receiving notifications, it's even easier for an attacker to phish you or try some social engineering. The most valuable recommendations were:
    - Use OTP / MFA if possible. Consider using a hardware token - FIDO U2F is actually quite cheap and secure.
    - Be really careful with plugins and themes. Every third party component you have installed on the server (it doesn't matter if active or not) is additional risk.
    - Consider using WordPress on a safe host behind a firewall and render static content - it also is a boost for your page. Comments still can be integrated e.g. with disqus
    - Always disable API access to wordpress. Really: Do never ever activate API access.
    - Even if it is obvious: Use transport layer security at least when using the admin interface (SSL)
    - Do never ever use WordPress as an admin through any proxy, onion routing etc. pp. - you never know who's watching you
    - Consider that there might be an SSL proxy playing man in the middle if working on a company network or in an evil country ;-)
    - Consider using passwords NOT containing years, months (as name or number), something personal like parts of or your whole name, phone number, street etc. pp.
    - Use plugins to reduce maximum number of login attempts. Very effective against bots.
    - Always upgrade your software! It's better to have some issues with plugins or theme than have been hacked!
    - Always have a disaster plan... Really... Have it... If your site has been hacked, you need a checklist made with a clear mind earlier.
    - Backup, backup, backup, backup!
    Keep on blogging :)
