Looking to improve the security of your WordPress website?
Here I’m sharing all the tips and strategies that I have learned running this award-winning WordPress blog.
Just to let you know, in recent times WordPress has been heavily targeted by hackers. A lot of users have asked, “Is WordPress secure?”, and here is my answer:
Yes, WordPress is secure.
However, when we add plugins and themes, and sometimes when the hosting itself follows security worst practices, we make our WordPress website vulnerable to different kinds of attacks and hacks.
Fact: WordPress powers around 33% of the websites in the world, which not only makes it the most popular CMS platform but also makes it more prone to hacking.
As an end user, there are a few things you can do to secure your WordPress blog.
Also read: Best WordPress security plugins
My site has been hacked nearly 2 times in the past by some Arabian and Turkish hackers (at least that’s what they claim). They infiltrated my site and left it with an ugly black background featuring GIF images of skulls and ravens. This is what made me find out how I could harden WordPress security.
Over a period of 10 years, I have learned many tricks which I’m sharing with you today so that you don’t have to face the hassle of losing your WordPress website to hackers.
If WordPress is safe, then why is WordPress security crucial?
As I mentioned above, WordPress is secure by default, but when you host it on an unsecured server or add new code in the form of themes and plugins, you increase the chances of getting hacked.
As this help page on hardening WordPress puts it:
“The vulnerabilities most affecting WordPress website owners stem from the platform’s extensible parts, specifically plugins and themes. These are the #1 attack vector being exploited by cyber-criminals to hack and otherwise misuse WordPress sites.
These vulnerabilities are usually not introduced intentionally; they are a result of mistakes and oversights during development. Many plugin and theme developers are not highly versed in security, and so they are prone to inadvertently write vulnerable code. As vulnerabilities are discovered, developers usually address them by releasing updates.”
Hackers usually compromise a WordPress site for personal gain, which usually takes the form of adding backlinks to spammy sites or redirecting the site to other websites. Sometimes it’s done so subtly that you would not even know you were hacked or that a backdoor has been installed on your website.
However, the owner starts losing traffic over time (SEO penalty), and by the time they realize the real issue, things are way out of their hands. Another, worse outcome is getting blacklisted by a prominent blacklist authority. It will cost you a significant amount of time and money to get your website off the blacklist.
According to security firm Sucuri, of all the CMS installations they cleaned in 2018, WordPress topped the list of infected CMSs at 90%.
Those are scary numbers for any WordPress owner, and this is why it’s of the utmost importance to roll up your sleeves and follow these best practices to enhance WordPress security.
14 Proven Tips To Secure Your WordPress Blog
1. Configure WordPress Backups
Even though I have given a lot of proven tips below to secure your WordPress blog, you need to ensure that if something happens, you won’t lose anything.
Not having a proper WordPress backup solution in place is the biggest mistake you can make. When big sites like Sony or Dropbox can be hacked, your WordPress blog is a relatively easy target for a hacker.
So the first thing is to ensure you are taking a daily backup of your blog.
You can use the backup system offered by your hosting company or a 3rd-party backup system such as VaultPress or UpdraftPlus. You can find a list of WordPress backup plugins here.
If your hosting company offers backups, ensure they store the backup on a different server.
2. Use A Reliable & Secure Hosting Company
Your WordPress installation is just software installed on a server. The foundation of a secure website is a server with enough protections to safeguard your website against hackers.
A secure WordPress host usually:
- Runs a server-level firewall to mitigate DDoS attacks.
- Uses the latest hardware and a top-notch data center for physical security.
- Regularly updates the operating system and applies the latest security patches.
- Has intrusion detection systems to spot malicious activity or policy violations.
I understand that it’s hard to know which hosting company is reliable against hackers & that’s why I have created this list of secure WordPress hosting companies:
- SiteGround: An award-winning host that uses an anti-bot AI system to prevent some well-known attacks.
- Bluehost: One of the top-rated hosts, which offers great security.
- WPEngine: A managed WordPress hosting company which is recommended for business WordPress sites. They offer backups and security on multiple levels.
- Kinsta hosting: This one is perfect for WordPress blogs with high traffic. ShoutMeLoud.com is also hosted on Kinsta hosting.
If your existing hosting company is not secure and provides no security-related support, moving to any of the above-listed hosts will make a huge difference.
3. Use the Latest version of WordPress
Keeping your WordPress software up to date is the most basic security tip for any WordPress blogger. This is something you never want to miss.
Whenever WordPress releases an update, it means they have fixed some bugs, added some features, and, most importantly, added security fixes.
When you see the message “WordPress x.x.x is available!” in your dashboard, apply it. Nowadays, with one-click updates, it’s very easy to upgrade your blog.
Make sure your theme and plugins are compatible with the latest version of WordPress. If an update has been rolled out and it’s not a security update, I suggest you wait 5-6 days until other users stop reporting bugs in the latest version.
4. Update WordPress Plugins
As I mentioned above, WordPress releases updates to fix bugs and security holes, and the same goes for plugins.
Many times, a vulnerable plugin or 3rd-party script can open a security hole in your WordPress website.
One such issue we have seen in the past is the TimThumb vulnerability. The flaw was in a single image-resizing script, and every plugin and theme that bundled this script became vulnerable too. This kind of zero-day vulnerability is hard to avoid, but by limiting the number of plugins, scripts, and themes you use, you can make your WordPress site more secure.
Always use plugins that are continually updated and have good support. If you are using a plugin that has not been updated for a while, find an alternative.
5. Use Latest PHP version
PHP is the backbone of WordPress, and at the time of writing PHP 7.3 is the latest version. According to the official PHP supported-versions page, each stable version of PHP receives security support for only 2 years.
That means if you are using anything below PHP 7.1, you are no longer getting security updates.
Here is an interesting stat from WordPress.org: about 71.8% of WordPress websites are running an outdated PHP version.
Depending upon the hosting environment you are using, you can quickly change your PHP version. I strongly recommend that you first create a staging environment and test the latest PHP version there. This ensures compatibility, as an outdated plugin or theme can sometimes break on a newer PHP version.
You can check the PHP version from the WordPress dashboard and ask your hosting support to test and update your PHP version. Bluehost users can follow this tutorial to update the PHP version on cPanel.
6. Use Web application firewall (WAF)
A firewall sits between your hosting server and network traffic. The role of the firewall is to filter out the most common threats before they reach the machine your WordPress website is hosted on.
There are three common types of firewall solution that you can use with WordPress:
- At the network level: This sits at the network or machine level and makes sense when you host WordPress in a data center you own. It is the costliest option and is usually used by enterprise-level websites that control the physical space where the server is installed.
- At the host level: This runs at the web-application level, in our case inside WordPress. It is not recommended, because your host ends up doing the heavy lifting of filtering the traffic. It is definitely better than a network-based WAF, but because of the local server resources it requires, it’s not the best option.
- Cloud-based WAF: These are usually implemented at the DNS level and filter the most common types of threat before they even hit your WordPress server. This is the easiest to implement and the most economical option. The only downside is that it may require you to change your DNS.
Common threats a WAF detects and blocks include cross-site scripting (XSS) attacks, SQL injection attacks, session hijacking, and buffer overflows. A WAF is a layer 7 (application layer) defense in the OSI model.
There are two recommended services that you can use to implement WAF:
This is a highly recommended WordPress security feature for WooCommerce and other WordPress websites which is made for business.
7. Hide WordPress Version
Let’s assume you don’t have those 2 minutes to update your WordPress core files. The WordPress version printed in your page source gives a hacker a starting point. If you are running an older version of WP and everyone can see it, trust me, you are doomed.
Most theme designers these days remove it for you, but just to make sure, open your theme’s functions.php and add this line (inside the existing PHP block, so no extra <?php tags are needed):
// Stop WordPress printing the <meta name="generator"> tag (and its version number) in the <head>
remove_action( 'wp_head', 'wp_generator' );
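Removing the wp_generator action only takes care of the <meta> tag. WordPress also prints its version in the ?ver= query string it appends to scripts and styles enqueued without a version of their own, and in the <generator> element of the RSS/Atom feeds. Here is an added example, not code from the original post, that scans a saved copy of a page or feed for all three. It assumes you fetched the page yourself (for instance with curl -s https://example.com/ > home.html) and pass that file as the argument; the sample files it creates are constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): check a saved copy of a page or
# feed for the places WordPress still prints its version after the
# wp_generator action has been removed.

# Usage: count_version_leaks FILE
# Prints each leak found to stderr and echoes the number of leaks found.
count_version_leaks() {
    file="$1"
    leaks=0
    # 1. The <meta name="generator" content="WordPress x.y"> tag in <head>;
    #    this is the one remove_action('wp_head', 'wp_generator') removes.
    if grep -qi '<meta name="generator" content="WordPress' "$file"; then
        echo "leak: <meta name=\"generator\"> tag in <head>" >&2
        leaks=$((leaks + 1))
    fi
    # 2. ?ver=x.y query strings on enqueued scripts and styles. WordPress appends
    #    its own version when a theme or plugin enqueues an asset without one.
    #    (Plugin-specific versions match too; they identify installed software as well.)
    if grep -Eqi '[?&]ver=[0-9]+\.[0-9]+' "$file"; then
        echo "leak: ?ver= query strings on enqueued scripts/styles" >&2
        leaks=$((leaks + 1))
    fi
    # 3. The <generator> element WordPress writes into RSS and Atom feeds.
    if grep -qi '<generator>https://wordpress.org/?v=' "$file"; then
        echo "leak: <generator> element in the RSS/Atom feed" >&2
        leaks=$((leaks + 1))
    fi
    echo "$leaks"
}

# Constructed samples (not real sites).
SAMPLE_DIR=$(mktemp -d)

# A home page where the meta tag is still present and assets carry ?ver=.
cat > "$SAMPLE_DIR/home.html" <<'EOF'
<html><head>
<meta name="generator" content="WordPress 5.2.1" />
<link rel='stylesheet' href='https://example.com/wp-content/themes/demo/style.css?ver=5.2.1' />
<script src='https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
</head><body></body></html>
EOF

# The site's RSS feed, which has its own generator element.
cat > "$SAMPLE_DIR/feed.xml" <<'EOF'
<?xml version="1.0"?><rss version="2.0"><channel>
<generator>https://wordpress.org/?v=5.2.1</generator>
</channel></rss>
EOF

# A page where all three have been dealt with.
cat > "$SAMPLE_DIR/clean.html" <<'EOF'
<html><head>
<link rel='stylesheet' href='https://example.com/wp-content/themes/demo/style.css' />
</head><body></body></html>
EOF

count_version_leaks "$SAMPLE_DIR/home.html"   # 2
count_version_leaks "$SAMPLE_DIR/feed.xml"    # 1
count_version_leaks "$SAMPLE_DIR/clean.html"  # 0
```

Run it against your own saved pages after each change; the number it prints should reach 0 once the feed generator is filtered and assets are enqueued with their own version strings. Note that readme.html in the WordPress root also states the version, so check that it is not publicly readable either.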
8. Use A Complex Login Password
I shouldn’t have to mention this, but I know too many people who use ingenious and insanely complex passwords like:
Please make your passwords complex, add a couple of special characters (%&*#), and change them every 5 or 6 months.
I would also like to recommend a plugin called Login Lockdown. It records the IP and timestamp of every failed login attempt, and after a specific number of failed attempts from a particular IP, that IP is blacklisted. This helps a lot in preventing brute-force attacks.
At your end, you should also start using a password manager like Dashlane, which will further improve your password security.
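The same check Login Lockdown performs inside WordPress can be done after the fact against your web server’s access log, which is useful for confirming an attack on a site that has no such plugin installed. The following is an added example, not code from the original post or the plugin. It assumes the log is in the Apache/Nginx “combined” format and relies on the fact that WordPress answers a failed login to wp-login.php with HTTP 200 (the form is shown again) while a successful one gets a 302 redirect to the dashboard; the log lines it uses are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find IPs that repeatedly fail
# to log in, using only the web server access log. Assumes "combined" format:
#   IP - - [date] "POST /wp-login.php HTTP/1.1" 200 size "referer" "agent"

# Usage: failed_logins_over LOGFILE THRESHOLD
# Prints "count ip" for every IP with at least THRESHOLD failed logins, busiest first.
failed_logins_over() {
    log="$1"
    threshold="$2"
    awk -v thr="$threshold" '
        # $1 = client IP, $6 = "\"POST", $7 = request path, $9 = status code.
        # A POST to wp-login.php answered with 200 means the login form came
        # back, i.e. the attempt failed; a success is a 302 redirect instead.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { failed[$1]++ }
        END { for (ip in failed) if (failed[ip] >= thr) print failed[ip], ip }
    ' "$log" | sort -rn
}

# Constructed sample log: one IP hammering the login form, one single failure,
# and one real user who logged in successfully (302) and reached wp-admin.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Mar/2019:12:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2019:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2019:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:12:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2019:12:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
EOF

failed_logins_over "$SAMPLE_LOG" 3   # prints: 5 203.0.113.5
```

On a real server, point it at /var/log/apache2/access.log (or your host’s equivalent) and pick a threshold that a genuine user mistyping a password would not reach. Keep in mind that xmlrpc.php is another endpoint used for credential guessing; POSTs to it return 200 even when they succeed, so it needs its own rule rather than the one above.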
9. Change WordPress Login URL:
By changing the WordPress login URL, you prevent a lot of automated attacks and hacking attempts, especially if only you or a handful of people need to log in to the WordPress dashboard. There are a few added benefits too; you can find them in my earlier tutorial on how to change the WordPress admin login URL.
10. Set Google alert for indexed pages
This is one of the lesser-known tricks that you can use right away. You can use Google Alerts to notify you whenever Google indexes a new page on your domain name. Often, hackers add new pages and posts that are not visible in the backend or frontend but still get indexed by Google.
When you set an alert like this, you will know if something is happening without your noticing. Since it’s free and takes only 2-3 minutes to set up, it’s totally worth it.
Here is how you can do it:
- Head over to Google alerts
- In the “create an alert about” field, add site:domain.com
- Change “How often” to “as it happens”, “Language” to “any language” and “How many” to “all results”
Now, you will get instant notifications when a new page is indexed in the search engine.
11. Check WordPress Folders File Permissions
Go to the File Manager in your cPanel, or log in to your FTP software, and check the file attributes of your WordPress folder.
It’s good if it’s 744 (read only). If you find it to be 777, consider yourself extremely lucky that you haven’t been hacked yet.
When most bloggers change hosting, they don’t realize that their file permissions also get changed. Make sure you verify all file permissions after migrating your hosting.
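Checking permissions one folder at a time in cPanel is slow, and it is easy to miss a single world-writable file deep inside wp-content. Here is an added example, not code from the original post, that audits a whole install from the shell and can put it right. The official Hardening WordPress guide recommends 755 for directories, 644 for files and a stricter mode such as 440 or 400 for wp-config.php, and those are the values it applies. It assumes the first argument is the WordPress root (for instance /var/www/html); the small install it builds to run against is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix the file
# permissions of a WordPress install. Anything writable by "other" lets any
# local account, or a compromised neighbouring site, change your code.

# Usage: audit_wp_permissions WP_ROOT
# Lists every problem on stderr and echoes the number of problems found.
audit_wp_permissions() {
    root="$1"
    issues=0
    # Files or directories with the "other write" bit set (last digit 2, 3, 6 or 7).
    ww=$(find "$root" ! -type l -perm -002 | wc -l | tr -d ' ')
    if [ "$ww" -gt 0 ]; then
        echo "world-writable paths:" >&2
        find "$root" ! -type l -perm -002 -exec ls -ld {} \; >&2
        issues=$((issues + ww))
    fi
    # wp-config.php holds the database password and the secret keys; it should
    # not be readable by other accounts on the server.
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "wp-config.php is world-readable:" >&2
        ls -l "$cfg" >&2
        issues=$((issues + 1))
    fi
    echo "$issues"
}

# Usage: fix_wp_permissions WP_ROOT
# Applies 755 to directories, 644 to files and 440 to wp-config.php. 440 assumes
# PHP runs as the file owner or a member of its group (typical on cPanel-style
# hosts); if the site then fails with a permissions error, use 640 instead.
fix_wp_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# Constructed fixture: a tiny install with the mistakes this tip warns about.
# Echoes the path of the new directory.
make_sample_install() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins"
    touch "$d/index.php" "$d/wp-config.php" "$d/wp-content/plugins/hello.php"
    chmod 755 "$d/wp-content" "$d/wp-content/plugins"
    chmod 644 "$d/index.php" "$d/wp-config.php"      # wp-config.php readable by everyone
    chmod 777 "$d/wp-content/uploads"                # the classic mistake
    chmod 666 "$d/wp-content/plugins/hello.php"      # a file anyone can edit
    echo "$d"
}

WP_SAMPLE=$(make_sample_install)
audit_wp_permissions "$WP_SAMPLE"   # 3
fix_wp_permissions "$WP_SAMPLE"
audit_wp_permissions "$WP_SAMPLE"   # 0
```

Run the audit right after a hosting migration, which is exactly when permissions tend to change without your noticing. The uploads directory is the one hosts most often leave at 777; 755 is enough as long as the web server process owns it, which you can confirm with ls -ld before and after.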
12. Delete Default Admin User
This is one of the most crucial tips for people who are looking to create a secure WordPress blog. The default “admin” username is prone to brute-force attacks because most people never change it, so an attacker only has to guess the password.
When you install WordPress, make sure you use a custom username and do not use “admin”.
You can create a new user with “Administrator” rights and give this new administrator a nickname that will be publicly displayed in case he/she writes a post. Then log out, log back in as the newly created admin account and delete the old “admin” user.
When WordPress asks what to do with the old user’s content, attribute all of its posts and links to the new user you have created.
Here is an alternative way to change the default username:
13. Hide The Plugins Directory
The plugins folder /wp-content/plugins/ should not show the list of folders and files inside it.
Try visiting your plugins folder at domain.com/wp-content/plugins/ (replace domain.com with your domain name):
If you see a list of folders and files, you need to hide them.
To hide these folders, create a new .htaccess file and drop it in your plugins directory:
# BEGIN WordPress
# Prevents directory listing (requires AllowOverride Options; remove this line if it causes a 500 error)
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If you already have a well-written .htaccess file in your root directory, adding a separate .htaccess to an individual folder is not going to cause any harm.
Also, take a look at this post for a better understanding of how to edit the .htaccess file.
14. Turn Off Database Errors
In older versions of WordPress, if there were errors in the MySQL database, the exact error was shown in the browser itself, giving the hacker valuable information about your database.
To prevent this, update your WordPress to the latest version, which only shows a general error message like “Database connection error” instead of revealing exactly what’s wrong.
Log in to your WP dashboard and update your WordPress core files.
WordPress Security: Over to you
Well, I hope this guide helped you understand the importance of WordPress security and harden your site.
Again, it’s a wise idea to take automatic backups of your WordPress blog at regular intervals so that you can always roll your blog back to a healthy state.
Do let us know what other security tips you would like to give to other bloggers to keep their WordPress blog secure. Share your tips in the comments below!