WordPress Security Hardening Essentials to Keep Your Site Safe
That’s according to Wordfence.
If your site isn’t secure, hackers could attain your personal information and use it to hack your other accounts, sell it off for spam, deface your site with political propaganda or spam and other similar WordPress security horrors.
Your visitors share the same risks as well.
With these WordPress security hardening basics, you can save your website from over 70% of vulnerabilities and take the first steps toward starting to secure your website from hackers.
WordPress Security Basics
Below are some basic WordPress security tactics to start off with that you can add to your website. All without touching code to boot.
Use Secure Hosting
Most hosting providers have security measures in place, but not all of them are equally secure. According to WP White Security, 41% of hacked sites occur through insecure hosting.
Check with your host about their protocol. If you want something a little more secure, managed hosting like Kinsta offers automatic backups, malware scans and advanced security configurations to protect your site.
Also, all servers have potential vulnerabilities and if you’re on a shared server with a website that’s compromised – even if it’s someone else’s site – it’s possible to have cross-site contamination.
So, if your website is on a shared or VPS server, there are inherent security risks you need to consider.
For details, check out Shared, VPS, Dedicated or Cloud Hosting? Which is Best for WordPress?
Beyond that, the security of your server is your responsibility. So, it’s important to be sure you implement WordPress security strategies starting with the tactics below.
Use and Enforce Strong Passwords
With all the various accounts we use these days, using a complicated password is enough to make your brain explode. But, simple passwords are a cinch for hackers to crack using automated scripts so it’s a must to create a complex one.
It’s also important to use different strong passwords for each website you use, including your WordPress site. That way, if one of your accounts gets hacked, there won’t be several other sites the hacker could log into instantly.
Here are other ways to up your WordPress security game with passwords:
- WordPress inherently provides an option to create a strong password so it’s important to use the suggested ones.
- You can use a plugin to require your users to have a strong password such as the Force Strong Password plugin or many security plugins with this feature.
- Limit the number of times someone tries to log into your site before they’re locked out with plugins like Login Lockdown, Limit Login Attempts or Jetpack Protect.
- Use an app-based password manager to help you remember and store your passwords, but avoid browser-based password managers since they’re inherently insecure.
For details, check out A Complete Guide to WordPress Password Security.
Update Your Themes and Plugins
Take a good hard look at all your themes and plugins. Not only should you delete anything that you aren’t using, but staying attentive to when they need updates is a must.
It’s extremely important to keep all plugins updated because outdated files can be traced by hackers and leave your site vulnerable. WP White Security reports that 54% of WordPress security vulnerabilities can be attributed to outdated plugins.
Hide Your WordPress Version
WordPress is an open source software so anyone can read the source code and technically have access to a few of your files.
When you display your WordPress version on your site, you’re letting hackers know the exact framework your site is sitting on. There are a variety of security plugins that are listed below that can help hide your version number.
Use SSL for Encrypted WordPress Security
Using SSL(Secure Socket Layer) protocol to encrypt all information sent to and from your site is a major way to add security to your site. You can do this by installing an SSL certificate on your domain.
Many hosting providers offer SSL Certificates or you can obtain a free one through Let’s Encrypt.
For details, check out Why HTTPS and SSL for WordPress Websites are Absolutely Essential.
Also, use File Transfer Protocol Secure (FTPS) or SSH File Transfer Protocol (SFTP). They encrypt your connection using your domain’s SSL certificate when you’re transferring files on your server.
Install a Security Plugin
While there are so many ways you can manually take charge of your WordPress security, installing a professional security plugin can help keep your site secure around the clock and without intervention.
This is especially important since Google blacklists around 70,000 hacked websites each week. This is also after a generous waiting period to let the website owner resolve the issue.
That’s why every WordPress website should have a security plugin installed and active so here are a few popular WordPress security plugins worth considering that have both free and premium versions.
Sucuri Security is a robust and popular WordPress security plugin offering security activity auditing, file integrity monitoring, website firewalls and more.
This plugin also has SSL certificates and continuous security scanning plans as well as alerts to let you know when the scanner has found any security-related events you should know about.
iThemes Security (formerly known as Better WP Security) has over 30 offerings to help you lock down WordPress and protect your site with features like file change detection, secure password enforcement, two-factor authentication and malware scan scheduling.
The plugin works to protect against brute force attacks and forces both SSL configuration as well as strong passwords.
WordFence is an extremely popular plugin that not only has exceptional features like a full firewall suite and live traffic monitoring, but it’s also quite cost-effective for developers who have multiple sites.
This plugin checks your site for known vulnerabilities and alerts you to them immediately. It also has robust login security features and security incident recovery tools.
Many security issues occur in smaller areas of your site from vulnerabilities in the code to particular files paths hackers use to force their way in.
Below are a number of ways to help solidify the security of your site.
One of the main routes hackers will use to get into your site is through a brute force attack, which is trying to manually log in by guessing your login credentials.
But, you can up your WordPress security and protect your site by complicating the typical login pathway in several ways such as through the suggestions below.
It’s no secret that the default WordPress login url is www.yoursitehere.com/wp-admin/ both for you and hackers.
If you change the url as well as the wp-login.php file to something like my-new-login.php, you can significantly reduce the number of possible attacks.
For details, check out How To Change WordPress Admin Login URL For Improved Security.
Remove the “admin” Username
If you have set up your WordPress website with a one-click install, you may have an account with the username “admin.” While it seems typical and harmless, it’s 50% of your login details hackers don’t have to try and guess.
Check out How to Properly Change Your WordPress Username (Step by Step) for details.
To add an extra layer of WordPress security, consider enabling Two-Factor Authentication (2FA). It’s an additional piece of information that only you can give when logging in such as a code sent to your physical phone.
Here are a few plugins you can use to enable 2FA:
While many hosting providers have file protection, it’s a good idea to take further security precautions to ensure your files’ safety. You can use a plugin, but here’s a couple manual steps you can take.
Prevent Unauthorized Access
Your database login credentials exist in the wp-config.php file. It’s the most important file in your WordPress root directory and should be protected.
Paste this code in your .htaccess file to prevent unauthorized access to your wp-config.php file:
<files wp-config.php> order allow,deny deny from all </files>
You also can move the file one level higher than the root directory and WordPress will still be able to access it.
Disable File Editing and Directory Browsing
If a hacker gets into your WordPress dashboard, they can edit any files connected to your site including plugins and themes.
You can disallow editing by placing this code toward the bottom of your wp-config.php file above the “happy blogging” line:
You can also prevent directory browsing by putting this code in your .htaccess file. It’s possible to see contents of files even just through file paths in your url.
The code below is an extra precaution to prevent hackers from taking that route:
Options All -Indexes
WordPress security and site-hardening can feel layered and complicated. That’s without mentioning the stress of dealing with compromised security and hacking attempts.
When you’re aware of potential vulnerabilities, it’s much easier to know how to protect your website.
What WordPress security hardening tactics do you use? Were you able to successfully implement the strategies above? Share your experience in the comments below.