Searching for WordPress security tips to keep your website safe and secure?

Here we’re sharing all the tips and strategies you can apply on your WordPress website to protect your site against different attacks and vulnerabilities.

WordPress itself is very secure and is updated regularly by the WordPress developer team: new versions are released frequently not only to improve performance but also to fix security issues.

However, security risks can still arise in a WordPress website from the themes and plugins installed, and from the hosting environment.

As a website owner and WordPress end-user, you can do a few things to secure your WordPress site. Even if you are not technical, this WordPress security guide will help you protect your site against attackers.

Here are some of the measures covered:

  • securing your website against brute force attacks
  • limiting failed login attempts with Login LockDown
  • restricting access to sensitive WordPress core files
  • choosing a secure WordPress hosting provider

Let’s dive right in.

11 WordPress Security Tips That You Should Implement Right Away

Have a Strong Password

A strong password protects your website against attacks that rely on guessing credentials, such as unauthorized login attempts.

A brute force attack on WordPress is the trial-and-error method of submitting many combinations of usernames and passwords until the attacker gets in. A website with a simple username and password is far more likely to fall to such an attack.

Even when a brute force attack fails, the flood of login requests can degrade the performance of the website and overload your server. Some shared hosting providers may suspend your account because of the resulting load.

A password is strong and hard to guess if it mixes upper- and lower-case letters, punctuation, and numbers. Experts also advise never using a password that contains the username.

You can use a plugin such as Password Policy Manager for WordPress to enforce strong passwords across your site.

Limit Login Attempts

By default, WordPress lets users attempt to log in as many times as they like, which gives brute force attackers unlimited tries at username and password combinations.

You can limit failed login attempts easily from your WordPress admin dashboard.

First, install and activate the Login LockDown plugin. You will then find a Login LockDown option under Settings.

With this plugin, you can specify how many failed login attempts are allowed and how long the offending IP address is locked out.
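The lockout mechanism the plugin applies, written out as a small must-use plugin so you can see the counter and the lockout window at work. This is an added, hypothetical example (file under wp-content/mu-plugins/), not the Login LockDown plugin's own code; the constant names and transient key prefixes are invented here, and it assumes PHP 7.4+ and that PHP sees the real client address in REMOTE_ADDR.

```php
<?php
/**
 * Example failed-login lockout: hypothetical mu-plugin, not the Login LockDown plugin.
 */

const EXAMPLE_LOCKOUT_MAX_FAILS = 5;                       // failures allowed...
const EXAMPLE_LOCKOUT_WINDOW    = 5 * MINUTE_IN_SECONDS;   // ...within this window
const EXAMPLE_LOCKOUT_DURATION  = 60 * MINUTE_IN_SECONDS;  // then lock the IP this long

function example_lockout_client_ip(): string {
    // REMOTE_ADDR is the only address the web server itself vouches for;
    // X-Forwarded-For is client-controlled unless a trusted proxy rewrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function example_lockout_keys(string $ip): array {
    $id = md5($ip); // hashed only to keep the transient names short and safe
    return ["example_fails_$id", "example_locked_$id"];
}

// Count every failed login; once the threshold is hit, lock the address and
// note it in the PHP error log, which is where a brute force run shows up.
add_action('wp_login_failed', function (): void {
    $ip = example_lockout_client_ip();
    [$fails_key, $lock_key] = example_lockout_keys($ip);
    $fails = (int) get_transient($fails_key) + 1;   // false (no entry) counts as 0
    set_transient($fails_key, $fails, EXAMPLE_LOCKOUT_WINDOW);
    if ($fails >= EXAMPLE_LOCKOUT_MAX_FAILS) {
        set_transient($lock_key, time(), EXAMPLE_LOCKOUT_DURATION);
        delete_transient($fails_key);
        error_log(sprintf('lockout: %s locked after %d failed logins', $ip, $fails));
    }
});

// While locked out, refuse the attempt before the password is even checked.
// Priority 30 runs after WordPress's own username/password check (priority 20).
add_filter('authenticate', function ($user, $username, $password) {
    [, $lock_key] = example_lockout_keys(example_lockout_client_ip());
    if (get_transient($lock_key) !== false) {
        // One generic message for every locked request: no hint whether the user exists.
        return new WP_Error('locked_out', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}, 30, 3);

// A successful login resets the failure counter for that address.
add_action('wp_login', function (): void {
    [$fails_key] = example_lockout_keys(example_lockout_client_ip());
    delete_transient($fails_key);
});
```

Transients live in the database (or the object cache), so the counter is shared across PHP workers; an attacker rotating source addresses still gets a fresh counter per address, which is why a strong password remains the primary control.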

Enable Two-Factor Authentication

Enabling two-factor authentication for the WordPress login adds an extra security layer. Each time you enter your login credentials, you also need a fresh one-time code from your authenticator app before you can reach the WordPress admin dashboard.

Even if an attacker manages to guess your password, they cannot get into the WordPress dashboard without the code on your smartphone.

You can use the iThemes Security Pro plugin to activate two-factor authentication on your WordPress website.

Update to Latest WordPress Version

Running the latest version of the WordPress CMS (Content Management System) is the simplest WordPress security tip for any website owner.

The WordPress team frequently releases new versions that add security features and, most importantly, fix bugs.

Whenever a new version of WordPress is released, plugin and theme authors also release new versions to stay compatible with it.

If a plugin or theme installed on your website has not been updated for a while, find an alternative: an abandoned plugin or theme is more likely to open a security hole in your website.

If your WordPress site runs on a managed WordPress hosting platform, the hosting provider will take care of updating WordPress and will also check whether a plugin or theme is creating a security hole.

Use The Latest PHP Version

WordPress is a PHP-based CMS (Content Management System), and updating the PHP version your site runs on improves both security and performance.

You can change the PHP version within a few clicks through your website's cPanel.

Before updating the PHP version, update all active plugins and themes.

Follow the steps below to migrate from PHP 5.5 to PHP 7.0 or later.

Step 1:

  • Log in to your cPanel
  • Find the Software section
  • Click the MultiPHP Manager or Select PHP Version option

Step 2:

By default, you may see the current PHP version listed as 5.5 or 5.6 for your website. WordPress officially recommends PHP 7 or higher for any WordPress site.

Step 3:

If the current PHP version is already 7.0 or later, no change is required. Otherwise, select the latest PHP version (7.3) and click the Apply button.

Hide WordPress Version

By default, WordPress adds the current WordPress version to the head section of every page your theme renders, as a generator meta tag.

An advertised older version tells attackers exactly which publicly known vulnerabilities to try against your site.

If you wish to keep running an older version of WordPress and don't want to update it, at least hide the version of the WordPress core software.

Open your theme's functions.php file and add the following single line of code to hide the WordPress version.

remove_action( 'wp_head', 'wp_generator' );
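The generator tag is not the only place the version shows up. As an added example (hypothetical mu-plugin code, not from the article), the following removes the line above's target plus the two other common leaks: the generator string in RSS/Atom feeds and the ?ver=... query string WordPress appends to its own scripts and stylesheets. The function name is invented here.

```php
<?php
/**
 * Example WordPress version hiding: hypothetical mu-plugin, not from the article.
 */

// 1. The <meta name="generator"> tag in the theme's <head> (the line from the article).
remove_action('wp_head', 'wp_generator');

// 2. The same generator string in RSS/Atom feeds, where wp_head is not involved.
add_filter('the_generator', '__return_empty_string');

// 3. The ?ver=<WordPress version> query string on core scripts and styles.
function example_strip_core_version(string $src): string {
    // Only core assets carry the site's WordPress version; plugin and theme
    // assets carry their own version numbers and are left untouched.
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_core_version');
add_filter('script_loader_src', 'example_strip_core_version');
```

Hiding the string removes the advertisement, not the vulnerability, and readme.html still states the version unless you block it as described in the .htaccess section further down.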

Change Default WordPress Prefix for Database

By default, all tables in the WordPress database use “wp_” as their prefix. If your website uses the default prefix, attackers can guess the table names easily.

This is why most WordPress experts and developers recommend changing it.

Note: This can break the connection between your website and its database, so only proceed if you are comfortable with the required coding.

You can follow a guide to changing the WordPress database prefix to improve your site's security.

Restrict Access to Sensitive Core Files

A WordPress installation ships with several sensitive files, such as wp-config.php, the error log, php.ini, install.php, and readme.html. You must block web access to these files by keeping them hidden.

On Apache servers, the .htaccess file is the simplest way to prevent unauthorized access to these files.

Follow the steps below to restrict access to sensitive files using the .htaccess file.

Step 1:

Log in to your site's cPanel and open the File Manager.

Step 2:

If you are running only one website on your web hosting server, open the public_html folder, where you will find all the core WordPress files.

If you are running multiple websites, you may need to look for the specific site's folder in the root directory.

If you don't see the .htaccess file, open Settings in the top-right corner and tick the box to show hidden files.

Right-click the .htaccess file to edit it.

Note: Back up the .htaccess file before making any changes, so that if something goes wrong with your website you can revert to the old file.

Step 3:

Now add the following lines between # BEGIN WordPress and # END WordPress in the .htaccess file.

# Each block denies web access to one file; the file stays on disk for
# WordPress and PHP to read. "Order allow,deny" / "Deny from all" is the
# Apache 2.2 syntax, which Apache 2.4 still honours through mod_access_compat
# (the 2.4-native equivalent is "Require all denied").
<Files .htaccess>
Order allow,deny
Deny from all
</Files>
<Files readme.html>
Order allow,deny
Deny from all
</Files>
<Files install.php>
Order allow,deny
Deny from all
</Files>
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>
<Files error_log>
Order allow,deny
Deny from all
</Files>

Install a WordPress Backup Plugin

Backups are your first line of defence against any WordPress security issue or attack: if something happens, you won't lose anything.

Many WordPress site owners make the mistake of not installing a proper backup plugin.

So if you want to protect every file and all the data on your website, install a backup plugin such as VaultPress or UpdraftPlus that takes daily or real-time backups.

If you don't want to install a plugin and don't have time to manage backup files, managed WordPress hosting can be the best solution for you: the managed hosting provider automates your backups.

Install SSL Certificate on your WordPress Site

SSL (Secure Sockets Layer) is an Internet security protocol that encrypts data in transit between your website and the reader's browser. Once an SSL certificate is installed, your website serves pages over HTTPS instead of HTTP.

Some hosting services (such as Cloudlaya) offer a free SSL certificate on both shared and managed WordPress hosting plans.

Scanning WordPress for Malware

If you suspect that your WordPress website has been hacked through malware or a vulnerability, run a quick WordPress security scan.

A number of online security scanning tools look for possible security holes, malicious code, dubious links, and suspicious redirects on your website.

Sucuri SiteCheck, WPScans, ScanWP, and wprecon are some of the best online WordPress malware and vulnerability scanners. But they cannot remove the malware from your website.

If your website runs on a managed WordPress hosting platform, your hosting provider will run automatic malware scans frequently and will also remove any malware found.

And if you are looking for a single solution that needs no coding, install a security plugin such as Wordfence or iThemes Security; they provide most of the WordPress hardening features described here.

Conclusion on WordPress Security Tips

Whether or not you are technical, these are must-take security measures to protect your WordPress website from hackers.

It would make no sense to put so much effort into getting a website running only to find that someone else controls it, uses it to advertise and sell illegal items, or plans to infect your visitors' devices with malware.

Above all, take regular automatic backups of your website so that you can roll it back to a normal state without losing any data.
