Securing your WordPress blog is an essential thing you must do after setting it up on your server. There shouldn’t be any reason to leave your WordPress wide open for hackers to creep in and steal your information or destroy your data. Spend a few hours securing WordPress, and you’ll save countless hours dealing with constant attacks. This guide shows multiple ways to secure WordPress to keep your data and information safe.
Also helpful: you can get a free SSL certificate for your WordPress website to protect visitors to your site.
1. Use an All-in-One Security Plugin
To keep things simple, start with a WordPress security plugin that handles multiple tasks in a single place. One of the best options is All-In-One Security (AIOS). With an impressive 5-star rating across more than a million installations, it’s worth adding to your site. Plus, many of the features are completely free.
The plugin does the following:
- Stops brute force attacks
- Enables two-factor authentication
- Hides your login page from bots
- Forces logouts for users who love to stay logged in all the time
- Helps improve password strength
- Improves WordPress Salts (part of the hash process to encrypt passwords) by adding 64 new characters, which change weekly
- Adds firewall protection
- Includes malware protection (premium only)
- Reduces spam comments
This is just a tiny portion of what’s included. Setting up everything may take a while, but managing one plugin is better than multiple ones.
2. Stop Brute Force Attacks
Hackers can easily crack your login password and credentials using brute force attacks. To prevent that from happening, install the Login Lockdown plugin. This plugin records the IP address and timestamp of every failed WordPress login attempt. Once a certain number of failed attempts are detected, it will disable the login function for all requests from that range.
It also adds two other handy features: two-factor authentication and CAPTCHA. These also drastically reduce brute force attacks.
Tip: you can also install notification plugins for your WordPress site.
3. Use a Strong Password
Ensure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters, and upper/lower case letters to form your password. You can also use the password checker on WordPress 2.5 and above to check the strength of your password.
Using a password manager to generate a completely random and secure password is another option. Even if you don’t store your passwords, these are still great tools for generating unique passwords for your site.
4. Protect Your WP-Admin Folder
Your “wp-admin” folder contains all the critical information about your site and is the last place you want to give access to others. The easiest way to protect it is by adding an extra password. Even if a hacker gets into your site with a user’s credentials, they still have to figure out the credentials of your
wp-admin folder. By this point, you may already know about the breach and be able to change the hacked user’s password and your wp-admin password for added security.
There are multiple ways to do this. The first depends on your web host. Many offer cPanel. Steps may vary slightly based on the host.
- Log in to the cPanel section of your site. Your web host will have instructions on how to do this.
- Scroll down to “Security,” and select “Password Protect Directories.”
- Select “Directory Privacy.”
- Select the directory you want to password-protect, and follow the prompts. There’s usually a tutorial that goes further into how to best protect directories using this method.
The second method is manual and not usually recommended, as if you don’t do it correctly, you could end up locked out of your site.
- Create a text file using your favorite text editor and name it “.htaccess”
- Add the following to the file, but change the AuthUserFile path to where you’ll upload the password file (in the next step) and change “yourusername” to your username.
AuthName "Admins Only" AuthUserFile /home/user/public_html/example.com/wp-admin/.htpasswd AuthGroupFile /dev/null AuthType basic require user yourusername
- Create another text file called “.htpasswd”
- Use an htpasswd generator to generate the file contents. Hosting Canada, web2generators and AskApache all have easy-to-use generators. After you fill out the generator, copy the text you’re given into the .htpasswd file you created.
- Copy both files to your wp-admin folder, and you’re all set.
Good to know: you can use wp-config tricks to change your WordPress database and other configuration options.
5. Remove WordPress Version Info
Many WordPress themes include the WordPress version info in the meta tag. Hackers can quickly get ahold of this information and plan specific attacks targeting the security vulnerability for that version.
To remove the WordPress version info:
- Log in to your WordPress dashboard.
- Go to “Design -> Theme Editor.”
- Look for your “Header” file on the right.
- Look for the following line of code:
<meta name="generator" content="WordPress versionnumber"/>
- Delete this line, and press “Update file.”
You can also use a WordPress security plugin, such as Sucuri Security, to hide this information.
6. Hide Your Plugins Folder
If you go to your website URL: https://yourwebsite.com/wp-content/plugins and you can see the whole list of plugins that you used, then your WordPress site is not very secure. You can easily hide this page by uploading an empty “index.html” to the plugin directory.
- Open your text editor. Save the blank document as “index.html.”
- Upload the “index.html” to the “/wp-content/plugins” folder using an FTP program.
Also helpful: use these WordPress statistics plugins to measure your website.
7. Change Your Login Name
The default username is “admin.” A simple way to secure WordPress is to change this. Otherwise, hackers already know half of your login info.
- Log in to your WordPress dashboard, and select “Users.”
- Select “New User.”
- Set the role to “Administrator,” and send an invitation to the desired email account. Once the invitation is accepted, you can log in, create a password, and become the new administrator account.
- Once the new user is set up, return to “Users.”
- Find the “admin” account, and delete it.
- Select “Attribute all posts and links to,” and select your username.
- Press “Confirm Deletion.”
8. Upgrade to the Latest Versions
WordPress, along with themes and plugins, receives regular updates. This adds new features, addresses bugs, and fixes security vulnerabilities. The last part is the most important. If hackers realize you have an older version with security flaws, they’ll exploit the opening immediately.
Schedule a day each month to perform updates. While you may not have new updates for everything, perform updates on what is available. This includes your core WordPress installation. It’s a simple way to secure WordPress but highly effective.
Before performing any significant updates, make a complete backup of your site, just in case.
Tip: if you notice any issues with your WordPress website, use these common WordPress error fixes to remedy the situation.
9. Perform Regular Security Scans
Every WordPress installation needs a security plugin. All-In-One Security (AIOS) and Sucuri Security, which we’ve already mentioned, are great options. You can also try the following:
10. Back Up Your WordPress Site
No matter how secure your site is, you still want to prepare for the worst. Install a WordPress backup plugin, and schedule it to back up your database daily.
You have a variety to choose from, but some of the top options include:
11. Define User Privilege
If there is more than one author for your blog, you can install the User Role Editor plugin to define the capabilities for each user group. This will give you, the blog owner, the ability to control what users can and cannot do in the blog.
Good to know: if multiple users are logging in to your WordPress site, you’ll want to add these security features to your WP login page.
12. Upgrade to SSL
If you don’t have an SSL certificate, now is the time to get one. Secure Sockets Layer (SSL) is a protocol that encrypts what’s sent between users and websites. Many web hosts offer free or low-cost SSL certificates that are incredibly easy to install. These are especially important if users log in to your site or make purchases. Plus, Google prefers sites with SSL certificates.
Let’s Encrypt is an organization that helps secure the Web by providing free SSL certificates. Check out our list of other free SSL options. You can also get paid SSL certificates from:
13. Disable File Editing
You can edit your plugin and theme code directly from the admin area on your site. Imagine if someone else started tinkering with the code without your permission. To avoid nasty surprises, disable file editing.
While you can use a plugin like Sucuri, you can also add a few lines of code to your “wp-config.php” file.
- Locate the “wp-config.php” file in your site’s root folder. You can use any FTP client you wish to access your files.
- Download the file and open it in your favorite text editor, such as Notepad.
- Add the following to the code:
// Disable file edit define( 'DISALLOW_FILE_EDIT', true );
- Replace the existing “wp-config.php” file with the new version to disable file editing.
Also helpful: if you are adding a lot of media to your website, consider these WordPress image optimization tips.
14. Use Two-Factor Authentication
Even if hackers gain access to a user’s login information, two-factor authentication (2FA) means the hacker still needs access to another password. In this case, a code would usually be sent to the user’s phone. You can use security plugins, such as those mentioned earlier in this post, or a dedicated 2FA plugin, such as miniOrange Google Authenticator or WP 2FA.
Image credit: Unsplash. Screenshots by Crystal Crowder.
Subscribe to our newsletter!
Our latest tutorials delivered straight to your inbox