WordPress is the most popular Content Management System (CMS) worldwide, but its popularity also makes it a prime target for cyberattacks.
Security is an ongoing process, and staying vigilant and proactive is essential in protecting your online presence.
By implementing these ten security measures, you can significantly harden your WordPress website against potential threats.
Keep WordPress core, themes and plugins updated
Always ensure you’re running the latest version of WordPress core, themes, and plugins. Developers frequently release updates to fix security vulnerabilities and bugs. Regularly check for updates and be cautious when choosing third-party themes and plugins; only use reputable sources from the official WordPress repository or trusted developers.
Before updating the WordPress core or any plugins that are part of core functionality, e.g. eCommerce plugins, make sure you backup your website. This step is crucial as upgrades can fail crashing your site, so it’s essential to have a current backup in place.
If you need help check out our WordPress maintenance service.
Install a security plugin
We secure all our sites with Wordfence the top-rated security plugin. The free version is enough for most sites and comes with many powerful features that include a firewall that can block malicious traffic and bots before they can access your site, and a free malware scanner.
Change the default login URL
Install a plugin like WPS Hide Login to make it more difficult for bots to break into your website.
Implement Two-Factor Authentication (2FA)
Two-Factor Authentication adds an extra layer of security by requiring users to verify their identity through a secondary method, such as their mobile phone. Wordfence offers free Two-Factor Authentication – watch the video to see how to set it up.
Limit login attempts
Limit the number of login attempts to prevent brute-force attacks. Wordfence again has this built in function to block IP addresses that exceed a certain number of login attempts within a specified time frame – watch the video to see how to set it up.
Harden wp-config.php for enhanced security
The wp-config.php file is a powerful core WordPress file that is vital for running your website. It contains critical configuration settings, database credentials and developer options. Here are the ones we routinely set on client sites.
a. Set file permissions to 644 and directory permissions to 755.
This configuration ensures that only the owner can modify files, while others can only read and execute them.
define('FS_CHMOD_DIR',0755); define('FS_CHMOD_FILE',0644);
b. Disable the file editor
This removes the ability to edit theme and plugin files directly from within the WordPress dashboard. Hackers can use this editor to distribute malware or launch DDOS attacks from your WordPress website.
define( 'DISALLOW_FILE_EDIT', true );
Harden .htaccess for enhanced security
The .htaccess file allows you to define server settings and enhance security. If you are not used to editing this file use a plugin like Safely Edit Htaccess File to avoid server errors. Here are the edits we add to client sites.
a. Disable server signature
Revealing web server signature can be a security risk as you are telling attackers about known vulnerabilities of your system.
# START DISABLE SERVER SIGNATURE # ServerSignature Off # END DISABLE SERVER SIGNATURE #
b. Secure your wp-config.php file
Block access to your wp-config.php from internal hacking and code modification.
# START SECURE WP-CONFIG FILE <files wp-config.php> order allow,deny deny from all </files> # END SECURE WP-CONFIG FILE
c. Protect .htaccess from unauthorized access
Prevents hackers manipulating your website through the .htaccess file.
# START SECURE .HTACCESS FILE <files ~ "^.*\.([Hh][Tt][Aa])"> order allow,deny deny from all satisfy all </files> # END SECURE .HTACCESS FILE
Implement WordPress Security Headers
Leverage HTTP security headers to enhance browser security and mitigate certain types of attacks, such as Cross-Site Scripting (XSS) and Clickjacking. Some commonly used headers include X-Frame-Options, X-XSS-Protection and Content-Security-Policy.
Headers Security Advanced & HSTS WP is a simple one click install that will set up all best practices.
Regular backups
Frequent backups are essential to mitigate the impact of a successful hack, a server crash or failure, or even an unsuccessful update. We recommend Blogvault which stores encrypted copies of your site across multiple data-centers.
Choose a reliable web hosting provider and implement SSL
Select a web host that offers robust security measures and regular server updates. Ensure you obtain an SSL certificate and force HTTPS across your entire website to ensure all data transmission is encrypted.
Most hosts offer the Let’s Encrypt SSL Certificate which is a free, automated, and global Certificate Authority (CA).