December 5, 2019
December 5, 2019
The internet is full of cyber threats, so webmasters shouldn’t leave website security up to luck. It’s paramount to stay safe online. That’s why in this article we will uncover how to secure WordPress by using the 12 best web security practices.
There’s no better time to secure your website than now. Let’s get started, shall we?
Powering 30.5% of all websites on the internet, WordPress is the most popular CMS to date. Unfortunately, its popularity also attracts hackers who seek to exploit the platform’s vulnerabilities. Sucuri confirmed this claim with a study that counted that 90% of 25,466 studied websites in 2018 that experienced security breaches use WordPress.
Hacking occurs to WordPress websites when bad actors manage to exploit vulnerabilities in the WordPress core, plugins, and themes. Based on WPScan vulnerability database statistics, we gathered some of the most common types of WordPress security vulnerabilities:
The consequences of getting hacked are far from pleasant. The hacked site, first and foremost, may experience significant data, asset, and credibility loss. Furthermore, if your website manages customer information, the incident can jeopardize your customers’ personal data and billing information.
Before you scramble to find another CMS, we have good news for you. The information above by no means indicates that WordPress has a terrible security system. On the contrary, most web security breaches happen due to the user’s lack of security awareness.
In short, you have the power to prevent hacking attacks from happening in the first place. And we’re here to help you do that.
Securing a WordPress site doesn’t require a big budget or advanced technical knowledge. Here’s how to secure WordPress using 12 easy to implement security practices.
The CMS releases regular software updates to improve site performance, including its security, making sure to keep secure WordPress. Thus, updating your website is the most basic web security practice you should do.
Despite sounding so simple, 41.9% of WordPress websites are still running on outdated versions. If your site isn’t using version 5.2 as of writing, then you put your site at a higher risk of a breach and need to update to secure WordPress.
To check whether or not you have the latest secure WordPress version, you can navigate to the Updates menu from your WordPress dashboard. For the complete list of all released and to be announced secure WordPress versions, see this codex.
In case you don’t know how to update WordPress, you can follow this tutorial.
One of the most common mistakes many users still do to this day is using common usernames like “admin,” “administrator,” and “test.” This is a small yet fatal error as doing so puts your site at a higher risk of successful brute force attacks.
In case you haven’t used unique admin login credentials yet, you can follow this tutorial to change your WordPress username. Alternatively, you can create a new secure WordPress administrator account with a different username and delete the old one.
Here’s how to create a new secure WordPress administrator account:
As brute force attacks can even target secure WordPress sites with weak passwords, it’s essential to use unique login details. Try to incorporate variations of numbers, uppercase letters, and special characters into your password to make it harder to guess. Tools like LastPass and 1Password can help you create and manage complex passwords effortlessly.
Additionally, be aware of the network you use before logging into even a secure WordPress site. Public networks, like a coffee shop and library wifi, may not be as secure as they seem. To protect your login credentials, we advise you to use a VPN before going online in public places.
If you want to reinforce the login process even further, you should consider implementing 2-step authentication to secure WordPress. This authentication method adds a second layer of security to your login page, which requires you to input a unique code to complete the login process. The code is available only to you via a text message or a third-party authentication app.
You can find our detailed tutorial on how to enable 2-step authentication for a more secure WordPress site here.
The PHP error reporting feature is useful for monitoring the site’s PHP scripts. However, broadcasting your website’s vulnerabilities to other people is a serious security flaw and won’t help secure WordPress.
There are two ways to disable PHP error reporting to secure WordPress — via the PHP file or hosting control panel.
The first method requires you to add the following code snippet to the site’s wp-config.php file to help secure WordPress. Be sure to add it before any other PHP directive. You can use either an FTP client or File Manager to make the modification.
error_reporting(0); @ini_set(‘display_errors’, 0);
If you don’t want to deal with coding, you can opt for the second method. Here’s how you can disable PHP error reporting for a secure WordPress site from Hostinger’s hPanel:
Despite being more affordable, nulled themes have a ton of security flaws. They often carry malware, spam links, and backdoors that can endanger your website’s security.
Being distributed illegally, nulled themes also don’t come with any support from the developers. That means if something bad happens to your site, you’re on your own, without any advice on how to secure WordPress after an incident.
For this reason, it’s best to avoid using nulled themes at all costs and opt for secure WordPress themes from official repositories or trusted developers and their official marketplaces.
Despite being cautious about the plugins and themes you install on your site while trying to secure WordPress, there’s no guarantee that they won’t carry any malware with them. The most common types of malware are viruses, spyware, and ransomware — all of which are incredibly harmful to your site.
Therefore, it’s crucial to scan your site regularly. To know how to secure WordPress best, you should check out what the various plugins offer.
Fortunately, there are plenty of great security plugins to choose from. Take a look at our recommendations of WordPress security plugins below and see which one best suits your preference:
Don’t know how to install a secure WordPress plugin? Not to worry, this comprehensive guide can help you set one up in no time.
41% of WordPress websites were hacked due to security loopholes in their hosting accounts. Despite being seemingly unrelated, your web hosting provider has a significant role in keeping your server secure. In other words, your website security won’t matter much if the server it’s on is prone to cyberattacks.
If you think your current web hosting provider is unreliable, it’s time to migrate your WordPress site to a new one. Here’s what you need to consider when deciding how to secure WordPress through hosting:
With Hostinger, we ensure you get all the essential resources and features needed to protect your WordPress site. Not only do we provide various types of hosting services, but we also offer them for an affordable price. Additionally, our customer support team is always ready to assist you 24/7. Check out what our secure WordPress hosting plans have to offer.
While it’s essential that you arm your website with various security measures, regularly backing up the entire site is equally important. When thinking about how to secure WordPress, you won’t need to worry about losing all your hard work in the event of a security breach.
There are a few ways to create backups. You can manually download WordPress files and export the database or use your hosting provider’s backup tool. Various WordPress backup plugins can also help you do the job easily.
Here are several top-notch secure WordPress backup plugins worth considering:
If you don’t know where to start, feel free to check this tutorial on how to create secure WordPress backups in Dropbox with UpdraftPlus. Alternatively, see this article for more information about WordPress backups.
WordPress’ in-built file editor allows you to edit PHP files easily. Despite so, this feature can become a double-edged sword if hackers gain control of it.
For this reason, some WordPress users prefer to deactivate this feature completely. You can disable it by adding the following line of code to the wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
IMPORTANT: In case you want to re-enable this feature on your secure WordPress site, remove the previous code from the wp-config.php file using an FTP client or your hosting provider’s File Manager.
As themes and plugins can potentially have vulnerabilities, it’s not a good idea to pile them up on your site for no reason when considering how to secure WordPress. Furthermore, having outdated yet active plugins increases the risk of cyberattacks as hackers can use them to gain access to your site.
Thus, it’s best to remove unused plugins and themes altogether.
For example, .htaccess allows you to block access from specific IPs or disable PHP execution on specific folders and helps run secure WordPress sites. The examples below show you how to use .htaccess to harden WordPress security.
IMPORTANT: Before making any changes, we strongly advise you to backup the old .htaccess file using either an FTP client or a File Manager. If anything goes wrong, you’ll be able to restore to a secure WordPress site.
The code below grants access to only specific IPs to the administrator area, helping secure WordPress.
AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all allow from xx.xx.xx.xxx allow from xx.xx.xx.xxx </LIMIT>
Be sure to change XX.XX.XX.XXX to your IP address. If you’re not sure what your IP address is, WhatIsMyIP can help you identify it.
If you use more than one connection to manage your secure WordPress site, make sure to include all other IPs by repeating the allow from code as many times as necessary.
Hackers like to upload backdoor scripts to the Uploads folder. By default, this folder only hosts uploaded media files. So, it shouldn’t contain any PHP files. To keep a secure WordPress site, you can easily disable PHP execution in the folder by creating a new .htaccess file in /wp-content/uploads/ with these rules:
<Files *.php> deny from all </Files>
The wp-config.php file contains WordPress core settings and MySQL database details, thus making it the most important file in your site. For the same reason, wp-config.php file is also a hacker’s primary target. You can easily protect this file and keep WordPress secure by implementing these .htaccess rules:
<files wp-config.php> order allow,deny deny from all </files>
The database holds and stores all crucial information required for your site to function. Due to this reason, hackers often target it with SQL injection attacks.
SQL injections comprise 80% of cyber-attacks executed on WordPress websites, making it one of the biggest threats. One of the reasons why hackers go with this type of cyberattack is because many users forget to change the default database prefix wp_.
In this step, we will briefly overview how to secure WordPress against such attacks.
IMPORTANT: Make sure to backup your secure WordPress MySQL database before proceeding.
/** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each * a unique prefix. Only numbers, letters, and underscores please! */ $table_prefix = 'wp_1secure1_';
// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define( 'WordPress database', 'user' );
RENAME table `wp_tablename` TO `wp_1secure1_tablename`;
Be sure to change `wp_tablename` with your current table name, and `wp_1secure1_tablename` with the new prefix and table name to help secure WordPress. Repeat this line of code based on the number of the tables you want to rename, then select Go.
Depending on the number of plugins you installed on the site, you might need to update some values in the database manually to help secure WordPress. You can do it by running separate SQL queries on tables that are likely to have values with the wp_ prefix — Options and Usermeta tables, for example.
Instead of going through all your tables one by one, you can use the syntax below to filter all values that contain the prefix:
SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE '%wp_%'
`wp_1secure1_tablename` contains the table name in which you want to perform the query. Meanwhile, `field_name` represents the name of the field/column where values with wp_ prefix most likely appear.
Here’s how to manually change the prefix value to one that helps secure WordPress:
If you are planning on installing a fresh site and want to keep a secure WordPress database, you don’t have to perform the above steps. WordPress automatically requires you to decide what table prefix you want to use during the database setup process. Refer to this tutorial for more information on how to set up a secure WordPress database.
As many cyber threats are lurking on the internet, all websites must have an excellent security system. As WordPress is a common target for hackers due to its popularity, webmasters should definitely take extra steps to ensure safety.
Here’s how to secure WordPress with 12 impactful web security practices:
What do you think is the best way to secure WordPress? Let us know in the comments section below!