31+ WordPress Security Tips – Ultimate WordPress Security Guide [2019]

Secure your WordPress website against scripts injections, hacking attempts, and other vulnerabilities. The ultimate WordPress Security Guide [2019]

Last Updated on

Looking for WordPress security tips and the ultimate WordPress Security Guide? Keep reading.

Why Do I Need to Worry About WordPress Security?

WordPress Security is one of the major concerns for everyone right now. Each year thousands of WordPress built websites get hacked, lose data, lose access to the website.

Let’s face it. There is no 100% secured system in the world. That is why you need a WordPress Security Guide!

There will always be some risks in your system. However, you must take preventive actions, mitigate risks to make sure your website is not vulnerable to attacks.

Most websites usually get hacked due to poor system administration, not using the latest WordPress version, using weak username/password among many other cases.

Attacks on WordPress Sites Have Risen Significantly in the last few years

Industry renowned security firm Sucuri has published a detailed analysis of the most attacked Content Management Systems of 2018. Unsurprisingly WordPress came on top by absorbing about 80% of the total attacks.

Infected Websites Stats WordPress Security Guide
Source: Sucuri

So it is wise to concentrate your WordPress security before it is too late. Nothing is worse than waking up in the morning and discovering that you do not have to access your own website. Our WordPress security guide will help you to stop attacks and fix vulnerabilities on your website.

Sucuri CMS Infection Comparison WordPress Security Guide
Source: Sucuri

This post will provide you some of the best WordPress security tips to reduce the vulnerability of your WordPress installation.

Ultimate WordPress Security Guide [2019]

We have divided our WordPress Security Guide into a few parts.

Database Security

A database is the single most important thing when building a new website. So when you are creating a new website, you must rethink about the security measures you are taking to secure your database. Many of us prefer the easiest way to install WordPress from cPanel. If you are concerned about security, we will always recommend you to install WordPress manually by creating the database first and adding a database user.

  • Tip: Use a unique database name. For example, if your website name is “myschool.com” then always choose something that is not related to the domain name.
  • Add number with the database name to make it more secured.

Database User Security

While adding your newly created user, it is wise not to allow ‘Drop’ permission for the database user. Even if someone gets access to your database, they will not be able to drop the table. This will ensure tight security for your website.

WordPress Database User Security - WordPress Security Guide 2018

File Permission

(If you don’t bother about learning what is File Permission, skip to WordPress File Permission)

If you are running any Unix based operating system like Linux based distros like Ubuntu, Linux Mint or macOS you might know that all files and folders of Unix based operating systems have file permission. This permission is written as three digits. If you notice the following image, you can understand what each of this digit does.WordPress File System Security - WordPress Security Guide 2018

See this video to quickly understand about Unix File Permission.

WordPress File Permission

Make sure you follow this file permission structure to harden your file permission on WordPress. You can run the command like the following to change the file permission of your .htaccess file, after locating to its directory. Otherwise, you can just right click on the file and set permission in cPanel File Manager.

chmod 404 .htaccess

File Permission for WordPress Security

Some servers show error when using permission 705 at the root folder. In that case, use permission 750.

Preventing Brute Force Attacks on WordPress Website

A small script can be used to run Brute Force attack on your site. Hackers nowadays use different methods such as Socks/Proxy/VPN/Tor to keep attacking websites. Hence, we need to use CAPTCHA to stop these brute force attacks.

[2018] WordPress Security Guide 101

You will be able to decide where to show captchas.

[2018] WordPress Security Guide 101

After successful installation, the captcha will show on WordPress Login. Login to WordPress Dashboard in 1 Click using this tutorial.

[2018] WordPress Security Guide 101 - Captcha 2018

[Pro WordPress Security Tips: Add Akismet to stop spams]

Use Cloudflare to Setup Free SSL

There’s no reason you shouldn’t take advantage of free SSL as it creates an encrypted connection between you and the server. Please read the following article to implement SSL with WordPress using Cloudflare.

How to Properly Setup Cloudflare with WordPress and Take Advantage of Free SSL and CDN

 

Multifactor Authentication

You can use third-party authenticators if you are not satisfied with your username/password combo. There are a few authenticators available for WordPress. Such as

  • Google Authenticator

You can use the Google Authenticator plugin if use iPhone/Android devices. The plugin will enable the support for you.

  • EMAIL OTP

OTP means One Time Password. If you want that your website will always a one-time password at your email before each login, use the plugin Secure Login

Setup Automatic Database Backups for Safety

If your site ever gets compromised, you need to have a database backup to restore your site to the previous state. Follow our guideline on How to Create Automatic WordPress Database Backup? (With Plugins and WP-CLI) and start taking automatic database backups.

How to Create Automatic WordPress Database Backup? (With Plugins and WP-CLI)

Use WordPress Security Plugins

We picked the best WordPress security plugins at our annual list of best WordPress plugins.

Our picks of the best WordPress security plugins included some of the most popular WordPress security plugins around the web. We picked Wordfence as the best security plugin for WordPress.

We are recommending some other plugins also which we have carefully tested and feel free to recommend to you.

  1. Wordfence – The most popular WordPress firewall and security plugin. Wordfence is always updating its vulnerability database to save you from security vulnerabilities. The plugin automatically blacklists most risky IPs by enabling firewall rules, malware threat sense. The built-in scanner checks WordPress core files, themes, and plugins for malicious codes.
    We recommend using Wordfence. This is one 
  2. Sucuri Security –This is an Auditing, Malware Scanning and Security Hardening plugin for your WordPress installation. Although most of the great features come with the premium version which costs around $199.99/year
  3. Jetpack Security – Jetpack includes some basic security features including IP lockouts, automatic DDoS protection, spam protection and more.
  4. SecuPress Free — WordPress Security – SecuPress is a new WordPress plugin on the market. It is originally developed by the same author of WP Rocket. It is a new plugin in the market and the free version offers many essential security features. The plugin includes a firewall, provides malware scanning and security notifications.
  5. NinjaFirewall (WP Edition) – NinjaFirewall tries to be a full featured firewall plugin. The plugin acts as proactive. The main motto of the plugin is to “prevent an attack before it takes place“. NinjaFirewall can scan, repair and block any HTTP or HTTPS request before it reaches WordPress or any of its plugins.

Other WordPress Security Tips [Always Updated]

Some other security tricks can harden your WordPress website. We will regularly update this section to add more and more tips and tricks to strengthen your WordPress security.

  1. If you want to stop plugin updates from admin panel add this code to your wp-config.php file
define('DISALLOW_FILE_MODS', true);

2. If you want to stop any changes from the admin panel, add this code to your wp-config.php file. This is particularly helpful when a site gets hacked.

define( 'DISALLOW_FILE_EDIT', true);

3. If you want to stop several types of script injections to your website, add this code to your .htaceess file.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

4. Use Strong Username/Password. It is so obvious but still people use WordPress username as “admin” and password as “admin” or “1234456”. Please DO NOT!

If you are using WordPress username admin, then immediately create a new user with a new username, make the new user Administrator and delete the old “admin” account.

Check our other article on WordPress Security to know how you can choose an uncommon and secured password.

Wrapping Up on WordPress Security

You can never be 100% secured online!

We can never finish covering up all the topics for the ultimate WordPress Security Guide. However, we will be updating this article frequently to prevent you from all the known security vulnerabilities.

Ultimate WordPress SEO Guide [2019] | 21+ WordPress SEO Tips

Meanwhile, check our best WordPress plugins for 2019 to make the most out of WordPress. Also, a fast and secured website has great impacts on SEO. Explore 10 ways to improve pagespeed.

Leave a Reply