A Web.com Partner

WordPress Security: Top 16 WordPress Security Tips & Tricks

Today we’ll be discussing 16 of the best tips and tricks to secure WordPress, enabling you to secure your own website.

1/ Regularly Update WordPress


Current versions of WordPress feature one-click updates. You can launch the update by clicking the link in the new version banner or by going to the Dashboard > Updates screen. Once you are on the “Update WordPress” page, click the button “Update Now” to start the process off. You shouldn’t need to do anything else and, once it’s finished, you will be up-to-date.

In general we would recommend the following steps when performing an update:

  1. Back your website up
  2. Turn off any caching plugins
  3. Update your plugins and theme framework
  4. Update WordPress
  5. Reactivate your caching plugin and clear your cache

2/ Backup Your Website

Always rely on a strong backup and recovery protocol for your website. It’s not just hacking that may compromise your website but other factors like a faulty upgrade or plugin install.

This tutorial will show you how to manually backup your website with cPanel:

How to backup your website with cPanel

If you are looking for an automated backup solution that runs inside your WordPress site then review the following plugins:

  • VaultPress (recommended) “VaultPress provides realtime, continuous backup and synchronization of every post, comment, media file, revision and dash­board setting.”
  • DropBox for WordPress “WordPress Backup to Dropbox has been created to give you piece of mind that your blog is backed up on a regular basis.”
  • BackupBuddy (VMware Cloud VPS Required)“Backup your entire Single or Multisite WordPress install. Including the widgets, themes and plugins.”
  • BackWPUp “Do backups and more for your WordPress Blog.”

3/ Manage Your Plugins

secure-wordpress-2-300x214Third party plugins is what makes WordPress so popular but at the same they are a primary point in allowing an attack on your website. Every plugins is another item that you have to ensure is updated or patched.

For this reason it’s important to install only those extensions that have a good reputation. You should read the reviews at the WordPress Plugin Directory as many plugins contain vulnerable code, which when installed makes it easy for hackers to compromise your website.

Also check to see if there are any associated exploits or vulnerabilities with the plugin you are about to install. This can be done at Secunia or ExploitDB.

3/ Remove Unused Plugins

People often test different plugins or themes and forget to remove them once they finish working with them. Leaving these plugins or themes installed, even if they are disabled, can create a potential security risk so it’s advisable to remove these after any testing has been completed.

4/ Use Strong Login Details

secure-wordpress-3-250x300For almost every website that you build, there will be various user accounts that you have to create and manage. For each of these you should create a secure password. Choosing a password that other people won’t guess easily is a matter of creating unlikely letter and number combinations.

A strong password:

  • Is at least eight characters long
  • Does not contain your user name, real name, or company name
  • Does not contain a complete word
  • Is different from previously used passwords
  • Contains a mixture of uppercase, lowercase characters and numbers

You can use a free tool like the Norton Identity Safe Password Generator to create a complex password for your WordPress accounts.

5/ Block Unwanted Visitors

Bots are automated computer programs operated by hackers who use these tools to aggressively attack and gain access to your website. This can quickly rack up bandwidth and resources for your hosting account, and ultimately may lead to your WordPress site being compromised.

A simple but effective method of restricting bots can be implemented by creating, or modifying an existing, .htaccess file in your WordPress root directory with the following lines:

SetEnvIfNoCase User-Agent ^$ keep_out
SetEnvIfNoCase User-Agent (pycurl|casper|cmsworldmap|diavol|dotbot) keep_out
SetEnvIfNoCase User-Agent (flicky|ia_archiver|jakarta|kmccrew) keep_out
SetEnvIfNoCase User-Agent (purebot|comodo|feedfinder|planetwork) keep_out

Order Allow,Deny
Allow from all
Deny from env=keep_out

A more comprehensive approach is to use the 5G Blacklist provided by Perishable Press.

The 5G Blacklist is a simple, flexible blacklist added to your current .htaccess file that checks all web pages requests against a series of carefully constructed htaccess directives. This happens behind the scenes at the server level, saving important resources for WordPress site and protecting it from unwanted visitors.

6/ Protect Your Administrative Page


You can significantly improve the security of your WordPress site if you restrict the access to your admin area.

First, you can password protect the /administrator folder of your site. Once you protect your /wp-admin folder an additional password will be required in order to see the standard administrator login form.

Next, you can restrict the access to the /wp-admin directory only to your IP address.

Create a file called “.htaccess” in your /wp-admin directory

Open the file and add the following lines

Deny from ALL
Allow from x.x.x.x

Note that you need to replace x.x.x.x with your actual public IP address. To find out your address, you can use the What Is My IP website. To add multiple IPs, simply replicate the Allow from x.x.x.x command to a new line and change the address.

If your Internet service provider provides you with a dynamic IP address, the IP restriction option might not be suitable for you because you’ll have to edit the .htaccess file each time your IP changes.

7/ Change The Admin User

In WordPress the default user name for the Super Administrator is admin. Intruders usually rely on this during a brute force attack, but simply changing the name this will provide protection from attacks that attempt to guess the name of the Administrator (admin) account. There are also other attacks that may attempt to guess the default ID of the Administrator account in order to gain access to the site.

To create a new Administrative account just:

  1. Login to your WordPress Admin area.
  2. Click on “Add new” in the “Users” menu.
  3. Type in the information for the new user account. You need to use a different email address than what you have setup for your “admin” username.Make sure you select “Administrator” as the role. Choose a new user name that is not similar to the name you display publicly on your blog.
  4. Click on the “Add User” button.
  5. Logout of WordPress.
  6. Login to your WordPress again, using your new username.
  7. Click on “Users” in the “Users” menu.
  8. Move your mouse cursor over the “admin” row. You will see links for “Edit” and “Delete”. Click on “Delete”.
  9. Select “Attribute all posts and links to” and then select your new username from the drop-down list. Ensure that you select this option otherwise all your posts will be deleted!
  10. Click on the “Confirm Deletion” button.

Some people may prefer an alternative method using the iThemes Security plugin which allows you to do all of these tasks, and change the default ID at the same time.

8/ Implement Two-Factor Authentication


Two-Factor Authentication is a login method whereby a person has to provide his/her user name, password and a random generated OTP (One Time Password).

OTP is six numeric digit code, generated by cryptographic functions in a short interval. Even if a hacker was to guess your WordPress Administrator username and password correctly, they would still require the OTP to login.

To implement Two-Factor Authentication on your WordPress site we can recommend using either:

9/ Use SSL Certification

Use SSL on your site and force WordPress into SSL mode for all logins. Just be aware that you must have a properly configured SSL certificate for your site’s domain, or you will not be able to enable this feature.

When you have an SSL certificate on your website, this setting will have the user’s browser encrypt their user name and password before it’s sent over the internet to your server.

To enable the SSL Login feature for your administrative section open up the wp-config.php found in your root WordPress folder and enter one of these:

Force only admin sessions to happen over SSL

define('FORCE_SSL_ADMIN', true);

Force all logins and all admin sessions to happen over SSL

define('FORCE_SSL_LOGIN', true);

10/ Disable Access To The wp-content Folder

Uploaded images and other media are stored in the wp-content folder. To prevent unauthorised access to this with the exception to client-side media create an .htaccess file within your /wp-content/ directory with the following statements:

Order Allow,Deny
Deny from all
<files ?.(jpg|gif|png|js|css)$? ~>
Allow from all

11/ Disable Directory Browsing in WordPress

To prevent visitors from traversing through our site folders and viewing their contents you can disabled directory browsing for your website. Create or modify an existing .htaccess file in your root WordPress directory with the following contents:

Options -Indexes

12/ Use Proper File Permissions & Ownership

File permissions are a method of controlling what you and other people can do with a file or folder. You will want to configure your permissions so that files and folders can only be accessed by your account, and that outside visitors can’t read important WordPress configuration files.

  • All files should be set with a CHMOD value of 644
  • All folders should be set with a CHMOD value of 755
  • Your wp-configuration.php file should be set with a CHMOD value of 640

13/ Hide WordPress Reporting

When things go awry, only you should know about it. Displaying errors to our visitors can be an absolute disaster, especially if they have malicious intentions.

A common method of a WordPress attack is to crawl sites that have a particular version number, with a number of known security exploits and vulnerabilities associated to them.

In order to remove WordPress version reporting simply place the following line of code in your theme’s functions.php file:

remove_action('wp_head', 'wp_generator');

To hide any WordPress login errors by place the following snippet of code in your theme’s functions.php file:

add_filter('login_errors',create_function('$a', "return null;"));

14/ Disable file editing via the dashboard

In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the dashboard.

However, if a hacker managed to gain access to your admin panel, they could also edit your files that way, and execute whatever code they wanted to.

So it’s a good idea to disable this method of file editing, by adding the following to your wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

15/ Monitor For Malware secure-wordpress-malware-150x150

Malware is malicious computer code that can harm your website, steal personal information and enable malicious individuals to cause you financial, electronic or any other kind of harm.

It’s imperative that you have some kind of system in place to constantly monitor your site for malware.

Sucuri – https://sucuri.net/ is a company that offers a security service that detects unauthorized changes to network assets, including WordPress web sites, DNS, Whois records, SSL certificates and others.

How you monitor is vitally important. Choose a method that can actually dive into your file structure and detect deep breaches, rather than one that just shows you where you’re vulnerable.

16/ Use Security Plugins

secure-wordpress-ithemesSecurity extensions provide a way to monitor, review and secure important files and components for your WordPress installation.

One of the most popular is the free iThemes Security fix your file and directory permissions, protect your administrator directory, change your database prefix, set a secure Super Administrator ID and a whole host of other recommended security improvements.

You can learn more about iThemes Security by visiting https://wordpress.org/plugins/better-wp-security/.