How to Secure Your WordPress Website

How to Secure Your WordPress Website

You invest lots of time, effort and money to build a website for your business or for your blog. However, all your investment on your website could be wasted due to a simple vulnerability exploited by a bad guy on the Internet. In this article, we explain how to secure your WordPress website in simple steps by explaining essential security guidelines and configurations.

Overview – How to Secure Your WordPress Website

You invest lots of time, effort and money to build a website for your business or for your blog. However, all your investment on your website could be wasted due to a simple vulnerability exploited by a bad guy on the Internet. In fact, damage to your business and reputation could be the real harm for you after a hacking incident.

Potentially, hackers can steal information from your website (such as personal information or passwords), install malicious software on your website (affecting both you and your users), encrypt all your file by installing a malware, deface your website ruining your reputation, or simply render it non-functioning (unreachable to your users).

In this article, we explain how to secure your WordPress website in simple steps by explaining essential security guidelines and configurations.

Why WordPress Security is Important?

WordPress is the most popular Content Management System (CMS) powering more than 30% of all the websites on the Internet. Not to be surprised, it is also one of the most targeted platforms on the Internet by hackers.

Widespread use of WordPress isn’t the only reason to make it popular among the hackers. WordPress is also an attractive target for hackers due to its potential vulnerabilities and wide attack surface.

As of this post’s date, a search for WordPress vulnerabilities on the National Vulnerability Database (NVD) returns a stunning result of 3,025. What is more, 1037 of these vulnerabilities have been discovered only in 2019. And so far, 263 vulnerabilities have been identified in 2020.

Figure 1: Number of WordPress Vulnerabilities by Years (Source: NVD)
Figure 1: Number of WordPress Vulnerabilities by Years (Source: NVD)

By now, you may have already decided not to use WordPress as a content management system. But we recommend deferring this decision until the end of this article. To give you the good news, WordPress core software can be considered as very secure, since it’s being audited regularly by hundreds of eyes, as being an open-source platform. For the bad news, it is not only the WordPress core software itself that we should be concerned about. Also, the themes and plugins that we use together with it render the WordPress more vulnerable to attacks. This is because, each theme or plugin that we install can also be considered as another application that comes with its own vulnerabilities, increasing the attack surface for the bad guys out there on the Internet.

So, you need be serious about your WordPress website to make it more secure to prevent possible attacks. For this purpose, in this article we share practical security tips and best practices to protect your website against hackers and malware.

However, keep in mind that there is no such thing as perfect security. Cyber security is all about reducing the risks and the attack surface, and building a layered defense in-depth model. To achieve these goals, just follow the simple, yet powerful and effective tips and tricks that we detail below.

Quote by Kevin Mitnick
Quote by Kevin Mitnick

You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risk.

Kevin Mitnick

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

Security Guidelines

1. Choose a Secure Hosting Provider

At the heart of securing your WordPress website is choosing a good hosting provider that is reliable, provides multiple layers of security and acts in due diligence to secure your website. The rest of the following guidelines that we present will only build up a security posture on the security mechanisms provided by your hosting company.

In general, a proper hosting provider is expected to:

  • Continuously monitor the network for suspicious activity and employ detective and preventative control measures,
  • Prevent Distributed Denial of Service (DDoS) Attacks and provide a reliable service,
  • Keep their hardware and software up to date to reduce attack likelihood,
  • And, conduct daily malware scans and remove them if detected.

In this sense, security features provided by a hosting company should be an essential factor affecting your decision on which hosting provider or the plan to choose.

2. Passwords, User Permissions and 2F Authentication (2FA)

The most common technique that hackers use is brute force or guessed login attempts to your website. And the well known countermeasure is to use strong and hard to guess usernames and passwords. In this sense, using the default user name (admin) should be strictly avoided. In addition to that, you can increase authentication security of your web site by these additional steps:

  • Limit Login Attempts: The default login attempt configuration of WordPress leaves your website vulnerable to brute force attacks. This vulnerability can be eliminated simply by limiting unsuccessful login attempts to your website. Installing a plugin like Limit Login Attempts Reloaded, you can define IP white/black lists or configure login lockouts according to your needs.
  • Use 2 Factor Authentication (2FA): Using 2F Authentication is another best practice to prevent unauthorized access to your account. If your installed security plugin already supports this feature, you can simply enable it. If not, you can choose and install a free plugin that is specific for this purpose, such as Two Factor Authentication.
  • Add a Security Question: Consider adding a security question to the WordPress login screen to make it harder for the intruders to get unauthorized access to your website. A plugin such as WP Security Questions can be installed for this purpose.

You should also manage your WordPress user accounts carefully, if you have additional accounts other than the admin. You should assign user permissions according to the least privilege principle for each account. For this purpose, make sure that you understand user roles and capabilities in WordPress before creating new user accounts.

3. Reduce Your Attack Surface

In cyber security, the primary goal should be to reduce the likelihood of undesired malicious incidents. Having a reduced attack surface is a fundamental enabler for achieving reduced overall attack likelihood.

As mentioned above, what increases the possibility of introducing vulnerabilities into your website is the excessive installations of WordPress themes and plugins. Overall, only a single theme should be installed and the other theme installations should be removed. Similarly, you should only identify a minimal set of essential and critical plugins to be installed in WordPress. The selected plugins should come from trustworthy sources and and the most trusted version should be installed in your system. Don’t forget that each theme and plugin come with their own vulnerabilities to be exploited by the hackers.

4. Update Frequently

Keeping your WordPress up to date is a good practice to keep your website secure. About 86% of WordPress websites get hacked because of an outdated software. In doing so, you should not only update the core WordPress itself, but also all the installed themes and plugins. In general, core WordPress can be as considered secure in comparison to less trusted third party installations of themes and plugins. This is why, especially add-ons to the WordPress core should be updated frequently.

Since each new version mostly contains security updates too, having the most recent version is your best chance to reduce the existing vulnerabilities on your website. Also bear in mind that updates themselves could introduce new vulnerabilities into your system, especially when the updates include new feature sets.

5. Install a Back Up Solution

In cyber security, you should always be prepared for malicious incidents on your systems and having backups will allow you quickly restore your website after such incidents.

For this purpose, you could manually take full backups of your site through the Tools Export menu provided by WordPress. Better yet, you could choose among many free or paid backup plugins to help you take scheduled backups of your website automatically. As being one of the popular free plugins (also has a paid version), UpdraftPlus can be used for this purpose. Also note that, backups should be saved to a remote location, such as a cloud service like Google Drive, Dropbox or Amazon etc.

Figure 2: UpdraftPlus Backup/Restore
Figure 2: UpdraftPlus Backup/Restore

6. Install a Security Plugin

Setting up a security auditing and monitoring plugin is another best practice that we should follow for our WordPress website. Again, there are a number of free and paid security plugins that offer solutions such as malware scanning, monitoring file integrity, security hardening or keeping track of failed login attempts etc. Advanced features such as, Web Application Firewall (WAF) etc. are also provided by some of the plugins but these feature usually come with the paid plans.

Among many other alternatives, you can install Sucuri plugin to meet both essential and advanced security needs of your website. If your website is very critical for your business, you should also consider enabling the WAF feature to be more confident about your website’s security.

7. Use SSL Certificates (HTTPS)

You should use HTTPS protocol instead of its non-secure counterpart HTTP, through making use of SSL (Secure Socket Layer) certificates. HTTPS both prevents attackers from eavesdropping on and modifying your website traffic.

Most hosting providers provide SSL certificates with additional cost or free as part of your hosting plan. If you do not want to pay for a SSL certificate, you can use a free SSL certificate provided by a non-profit organization called Let’s Encrypt. However, setting up a free SSL certificate could be tricky. To prevent this hassle, you can use one of the free SSL plugins to get your SSL configured a lot easier. Also note that, free Let’s Encrypt SSL configuration can only be managed if you have a hosting plan with cPanel rather than a managed WordPress plan.

Security Configurations

Many of the security configurations described below can be managed more easily and automatically by a popular security plugin. Or, you can try to follow these simple configuration tricks to increase the security of your website.

1. Disable File Editing

The built-in code editor that you can access via Appearance Theme Editor menu, can allow you to customize your theme. However, this feature is also a security risk since it gives the same power to the hackers that could obtain admin access to your website. For this reason, we suggest that you disable file editing and re-enable it temporarily when you need to use Theme Editor.

You can disable this feature by the help of a security plugin already installed (E.g., using one click security hardening feature of the Sucuri) on your system, or by adding the following code in the wp-config.php file (that you can locate via cPanel File Manager).

// Disable Theme Editor
define('DISABLE_FILE_EDIT', true);

2. Disable PHP File Execution in Certain Directories

PHP file execution is another way attackers can target your WordPress website via uploading a shell script. As a preventative mechanism, you can disable PHP file execution in certain directories where it’s not needed (E.g., includes, content, and/or uploads folders.)

However, you should be careful while applying this hardening feature as there are many plugins and themes that rely on the ability to execute PHP file in these directories. For this reason, we do not suggest disabling file execution by configuring the .htaccess file manually. Instead, you are advised to use a security plugin to help you make this configuration more securely and safely. For instance, you can use one click security hardening feature of the Sucuri and set exceptions to blocked PHP files (whitelisting) for your installed themes and plugins.

3. Disable Directory Browsing

If directory browsing is not disabled in the default configuration of your website, you should definitely disable it. Because, directory browsing can let hackers gain access to some of your folders and/or files that you don’t intend to share with your website visitors. With the help of the information gained by directory browsing, hackers can find out if you have any known vulnerabilities on your system. For instance, browsing the /wp-content directory, hackers can enumerate uploaded files (/uploads), themes (/themes) and plugins (/plugins), and use that information to find vulnerabilities specific to the installed add-ons.

To disable directory browsing, all you need to do is to add the following line at the end of the .htaccess file (that you can locate via cPanel File Manager).

Options All -Indexes

Or as usual, you can use a security plugin, such as All In One WP Security & Firewall, to make such security configurations more easily and safely. You can explore more the following YouTube content to find out more on how to secure your WordPress website with All In One WP Security & Firewall.

YouTube: All In One WP Security & Firewall Overview

4. Protect Critical Configuration Files

The first configuration file that needs to be protected from unauthorized access is the wp-config.php file. It holds crucial information about your WordPress installation and securing it means securing the core of your WordPress. In order to secure this file, you can simply move it to a higher folder than your root directory (via cPanel File Manager).

The second critical file that could be protected from unauthorized access is the .htaccess file. In order to hide this file you can add the following code to your .htaccess file. (You can also add the same code to the wp-config.php file, instead of changing its folder location.)

order allow, deny
deny from all

However, we strongly recommend that only experienced developers make such manual configurations on these files. To stay on the safe side, you can secure both of these files easily with the help of a security plugin, such as All In One WP Security & Firewall.

5. Disable XML-RPC

XML-RPC is a specification that enables communication between WordPress and other systems. It uses HTTP as the transport mechanism and XML as the encoding mechanism. It is also a feature that hackers can use to conduct automated brute force login attempts or denial of service attacks on your website. This is why, if you’re not using XML-RPC, then you should disable it. But before disabling it, make sure that your installed plugins do not require this feature. In order disable it easily, again a security plugin such as All In One WP Security & Firewall can be used.

6. Change the WordPress Login URL

If you are using the default login URLs (wp-admin or wp-login.php), hackers can try brute force login attempts on these login addresses. Limiting login attempts can slow the hackers when trying brute force logins. Better yet, you can change the default login URL, so that they cannot find it. For this purpose, we suggest using a plugin, such as WPS Hide Login to configure a different login URL.

Final Remarks

WordPress is the most popular Content Management System (CMS) powering more than 30% of all the websites on the Internet. However, it is also one of the most targeted platforms on the Internet by hackers. In this article, we have explained how to secure your WordPress website in simple steps by explaining essential security guidelines and configurations.

If you have more suggestions on how to secure a WordPress website, please share with us via the comment section below. Or, if you are confused and need help, you can also comment below or contact us.

You could also read our popular articles What is a Security Vulnerability? or What is Vulnerability Scanning?