Looking for WordPress security tips and the ultimate WordPress Security Guide? Keep reading.
Why Do I Need to Worry About WordPress Security?
WordPress security is a major concern for every site owner right now. Each year thousands of websites built on WordPress get hacked, lose data, or lose access to the site entirely.
Let’s face it: there is no 100% secure system in the world. That is why you need a WordPress Security Guide!
There will always be some risk in your system. However, you must take preventive action and mitigate those risks to make sure your website is not an easy target for attacks.
Most websites get hacked because of poor system administration, an outdated WordPress version, or weak usernames and passwords, among other causes.
Attacks on WordPress Sites Have Risen Significantly in the last few years
Industry-renowned security firm Sucuri has published a detailed analysis of the most attacked content management systems. Unsurprisingly, WordPress came out on top, absorbing about 80% of the total attacks.
So it is wise to concentrate on your WordPress security before it is too late. Nothing is worse than waking up in the morning and discovering that you no longer have access to your own website. Our WordPress security guide will help you stop attacks and fix vulnerabilities on your website.
This post provides some of the best WordPress security tips to reduce the vulnerability of your WordPress installation.
Ultimate WordPress Security Guide
We have divided our WordPress Security Guide into a few parts.
Database Security
A database is the single most important component when building a new website, so when you create a new website you must think carefully about the measures you take to secure it. Many of us prefer the easiest route of installing WordPress from cPanel. If you are concerned about security, we always recommend installing WordPress manually, creating the database first and then adding a database user.
https://i.imgur.com/7eD2mJv.png
- Tip: Use a unique database name. For example, if your website is “myschool.com”, always choose a name that is not related to the domain name.
- Add a number to the database name to make it harder to guess.
Database User Security
When adding your newly created user, it is wise not to grant the ‘Drop’ privilege to the database user. Even if someone gains access to your database, they will not be able to drop tables. This limits the damage a compromised database user can do to your website. One trade-off to know about: a plugin whose uninstaller drops its own tables will fail at that step with such a user.
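As an added example (not from the article), the following shell script generates the SQL for a database and user that follow the two tips above: a name unrelated to the domain, and a grant list without DROP. The prefix, the privilege list and the use of localhost are this example's assumptions; review the output before piping it into the mysql client.

```shell
#!/bin/sh
# Added example (not from the article): generate a least-privilege MySQL/MariaDB
# setup script for a new WordPress site. The database name gets a random suffix
# unrelated to the domain, and the GRANT deliberately omits DROP, so a leaked
# WordPress credential cannot be used to drop tables. The privilege list and
# naming scheme are this example's assumptions.

# Random hex suffix of $1 characters (default 8) read from /dev/urandom.
random_suffix() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n' | cut -c1-"${1:-8}"
}

# Print a database name "<prefix>_<random>" and refuse (return 1) if it happens
# to contain the site's domain label, e.g. "myschool" for myschool.com.
make_db_name() {
    prefix=$1
    label=$(printf '%s' "$2" | cut -d. -f1)
    name="${prefix}_$(random_suffix 8)"
    case "$name" in
        *"$label"*) return 1 ;;
    esac
    printf '%s\n' "$name"
}

# Emit SQL creating the database and a local user that has only what WordPress
# needs day to day. DROP is intentionally absent; ALL PRIVILEGES is never used.
#   $1 = database name, $2 = user name, $3 = password
grant_sql() {
    cat <<EOF
CREATE DATABASE \`$1\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER '$2'@'localhost' IDENTIFIED BY '$3';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, LOCK TABLES
    ON \`$1\`.* TO '$2'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Sanity check before piping anything into mysql: succeed only if the SQL text
# grants neither DROP nor ALL PRIVILEGES.
sql_has_no_drop() {
    ! printf '%s\n' "$1" | grep -Eiq 'DROP|ALL PRIVILEGES|GRANT ALL'
}

# Demonstration with constructed values (domain taken from the article's tip).
# Review the output, then run:  sh provision-db.sh | mysql -u root -p
DB_NAME=$(make_db_name wp myschool.com)
DB_USER="u_$(random_suffix 6)"
DB_PASS=$(random_suffix 24)   # demo only; use a longer, mixed-charset password
grant_sql "$DB_NAME" "$DB_USER" "$DB_PASS"
```

Run it on the server and pipe the output into `mysql -u root -p`, or paste the statements into phpMyAdmin. Keep the generated name, user and password for wp-config.php; nothing in them should be derivable from the domain.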
File Permission
(If you do not want to learn what file permissions are, skip to WordPress File Permission.)
If you run a Unix-based operating system such as a Linux distribution (Ubuntu, Linux Mint) or macOS, you may know that every file and folder has a permission mode. This mode is written as three digits; the following image shows what each digit means.
See this video to quickly understand Unix file permissions.
WordPress File Permission
Make sure you follow this file permission structure to harden the file permissions of your WordPress install. After changing into the directory that contains it, you can run a command like the following to change the permission of your .htaccess file. Otherwise, you can right-click the file and set its permission in cPanel File Manager.
chmod 404 .htaccess
Some servers show an error when permission 705 is used on the root folder. In that case, use permission 750.
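Here is an added shell example (not from the article) that applies a common permission scheme to a whole WordPress tree and audits it afterwards, rather than fixing one file at a time. It assumes 755 for directories, 644 for files, 600 for wp-config.php and, as above, 404 for .htaccess; the sample tree it builds is constructed so the script runs without a real site. If your host rejects 755 on the root folder (the 705 case above), substitute 750 in the scheme.

```shell
#!/bin/sh
# Added example (not from the article): apply a hardened permission scheme to
# a WordPress install and audit it afterwards. The scheme is this example's
# assumption: 755 directories, 644 files, 600 for wp-config.php (it holds the
# database password) and 404 for .htaccess as the article suggests.

# Build a small stand-in for a WordPress tree under $1 (constructed layout)
# and start it off world-writable, the worst case an audit should catch.
make_fake_wp() {
    mkdir -p "$1/wp-admin" "$1/wp-includes" "$1/wp-content/uploads"
    for f in index.php wp-config.php .htaccess wp-admin/admin.php \
             wp-includes/functions.php wp-content/uploads/img.png; do
        : > "$1/$f"
    done
    chmod -R 777 "$1"
}

# Apply the scheme to the install under $1.
harden_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    chmod 600 "$1/wp-config.php"
    chmod 404 "$1/.htaccess"
}

# Octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Paths anyone on the machine can write to; prints nothing after hardening.
find_world_writable() {
    find "$1" -perm -o+w -print
}

# Print every path whose mode deviates from the scheme; return 1 if any does.
# (The loop assumes paths without spaces, which is the case in a WordPress tree.)
audit_wp_perms() {
    bad=0
    for p in $(find "$1" -mindepth 1 -print); do
        case "$p" in
            */wp-config.php) want=600 ;;
            */.htaccess)     want=404 ;;
            *) if [ -d "$p" ]; then want=755; else want=644; fi ;;
        esac
        have=$(mode_of "$p")
        if [ "$have" != "$want" ]; then
            printf '%s: mode %s, expected %s\n' "$p" "$have" "$want"
            bad=1
        fi
    done
    return $bad
}

# Demonstration on a throwaway tree; on a real site run harden_wp_perms and
# audit_wp_perms against the WordPress root (for example ~/public_html).
WP_DEMO=$(mktemp -d)
make_fake_wp "$WP_DEMO/site"
harden_wp_perms "$WP_DEMO/site"
audit_wp_perms "$WP_DEMO/site" && echo "permissions match the scheme"
[ -z "$(find_world_writable "$WP_DEMO/site")" ] && echo "nothing is world-writable"
rm -rf "$WP_DEMO"
```

Run the audit again after plugin updates or a migration: installers and FTP clients frequently reset modes, and a world-writable path under wp-content is exactly what the audit is meant to surface.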
Preventing Brute Force Attacks on WordPress Website
A small script is enough to run a brute force attack on your site, and attackers nowadays route their attempts through SOCKS proxies, VPNs and Tor so that blocking a single address does not stop them. Hence, we need a CAPTCHA to stop these brute force attacks.
- Install the plugin No CAPTCHA reCAPTCHA from the WordPress repository. If you do not know how to install a plugin, see our easy guide to installing plugins on a WordPress website.
You will be able to decide where to show the captcha.
After successful installation, the captcha will appear on the WordPress login page. Log in to the WordPress dashboard in one click using this tutorial.
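If you want to see the attack pattern in your own logs before and after adding the CAPTCHA, here is an added example (not from the article) that counts failed WordPress logins in an Apache or Nginx combined-format access log. It assumes a failed login is a POST to /wp-login.php answered with HTTP 200 (WordPress re-renders the form) while a success redirects with 302; the log lines are constructed, and the threshold of 5 is arbitrary.

```shell
#!/bin/sh
# Added example (not from the article): spot login brute forcing in a
# combined-format access log. Assumption: failed WordPress logins come back as
# POST /wp-login.php with HTTP 200, successes as 302. Fields in that format:
# $1 = client IP, $6 = "METHOD, $7 = path, $9 = status.

# Constructed sample log: one noisy address, one real user who mistyped once
# and then succeeded, and four addresses with a single attempt each.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:05:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2021:10:05:48 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2021:10:07:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Mar/2021:10:07:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.12 - - [10/Mar/2021:10:07:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.13 - - [10/Mar/2021:10:07:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"'

# Failed logins per source IP (log on stdin); prints "count ip", highest first.
failed_logins_per_ip() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# IPs with at least $1 failed logins: candidates for a temporary block.
offending_ips() {
    failed_logins_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Total failed logins regardless of source. A distributed attack through
# proxies, VPNs or Tor keeps every IP under the per-IP threshold, so this
# number (per time window) is worth watching as well.
failed_login_total() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { c++ }
         END { print c + 0 }'
}

# Demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | failed_logins_per_ip
echo "total failed logins: $(printf '%s\n' "$SAMPLE_LOG" | failed_login_total)"
echo "IPs at or above 5 failures: $(printf '%s\n' "$SAMPLE_LOG" | offending_ips 5)"
```

Feed a real log with `offending_ips 20 < /var/log/apache2/access.log`. Per-IP counts alone miss the distributed case the paragraph describes (many proxy or Tor exit addresses with one or two attempts each), which is why the total is reported too; compare it with a quiet day's baseline, and expect both numbers to drop once the CAPTCHA is in front of the form.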
[Pro WordPress Security Tip: Add Akismet to stop spam]
Use Cloudflare to Setup Free SSL
There is no reason not to take advantage of free SSL: it creates an encrypted connection between the visitor and the server. Please read the following article to implement SSL on WordPress using Cloudflare.
Multifactor Authentication
You can use third-party authenticators if you are not satisfied with a username/password combination alone. A few authenticators are available for WordPress, such as:
- Google Authenticator: You can use the Google Authenticator plugin if you use iPhone or Android devices. The plugin adds the support for you.
- Email OTP: OTP means One Time Password. If you want your website to always send a one-time password to your email before each login, use the plugin Secure Login.
Setup Automatic Database Backups for Safety
If your site ever gets compromised, you need a database backup to restore it to its previous state. Follow our guide, How to Create Automatic WordPress Database Backup? (With Plugins and WP-CLI), and start taking automatic database backups.
Use WordPress Security Plugins
We picked the best WordPress security plugins in our annual list of the best WordPress plugins.
Our picks include some of the most popular WordPress security plugins on the web, and we chose Wordfence as the best security plugin for WordPress.
We also recommend some other plugins that we have carefully tested.
- Wordfence – The most popular WordPress firewall and security plugin. Wordfence keeps updating its vulnerability database to protect you from known security vulnerabilities. The plugin automatically blacklists the riskiest IPs through firewall rules and malware threat sensing. The built-in scanner checks WordPress core files, themes, and plugins for malicious code. We recommend using Wordfence. This is one
- Sucuri Security – This is an auditing, malware scanning and security hardening plugin for your WordPress installation, although most of its great features come with the premium version, which costs around $199.99/year.
- Jetpack Security – Jetpack includes some basic security features including IP lockouts, automatic DDoS protection, spam protection and more.
- SecuPress Free — WordPress Security – SecuPress is a new WordPress plugin on the market, originally developed by the author of WP Rocket. The free version offers many essential security features, including a firewall, malware scanning and security notifications.
- NinjaFirewall (WP Edition) – NinjaFirewall aims to be a full-featured firewall plugin that works proactively; its motto is to “prevent an attack before it takes place”. NinjaFirewall can scan, repair and block any HTTP or HTTPS request before it reaches WordPress or any of its plugins.
Other WordPress Security Tips [Always Updated]
Some other security tricks can harden your WordPress website. We will regularly update this section to add more and more tips and tricks to strengthen your WordPress security.
1. If you want to stop plugin and theme installations and updates from the admin panel, add this line to your wp-config.php file:
define('DISALLOW_FILE_MODS', true);
2. If you want to stop edits to theme and plugin files through the admin panel's built-in file editor, add this line to your wp-config.php file. This is particularly helpful when a site gets hacked.
define('DISALLOW_FILE_EDIT', true);
3. If you want to stop several types of script injection through the URL, add this block to your .htaccess file. It returns 403 Forbidden for any request whose query string contains a script tag or references the GLOBALS or _REQUEST variables:
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
4. Use a strong username and password. It is obvious, but people still use the WordPress username “admin” with the password “admin” or “1234456”. Please DO NOT!
If you are using the WordPress username admin, immediately create a new user with a different username, make the new user an Administrator, log in as that user, and delete the old “admin” account. When WordPress asks what to do with the old account's content, attribute it to the new user so no posts are lost.
Check our other article on WordPress security to learn how to choose an uncommon and secure password.
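To check what the .htaccess rules in tip 3 actually reject, here is an added shell example (not from the article) that ports the three RewriteCond patterns to grep -E and runs them over constructed query strings. It assumes mod_rewrite's behaviour of matching the raw, still URL-encoded QUERY_STRING (which is why both "<" and "%3C" appear in the pattern) and that only the first condition, the one flagged [NC], is case-insensitive.

```shell
#!/bin/sh
# Added example (not from the article): port the three RewriteCond patterns
# from tip 3 to grep -E so you can see which query strings they reject with
# 403 and which pass untouched. Only the first condition carries [NC], so only
# it gets grep -i; the Apache "\<" and "\%" escapes are plain "<" and "%" here.

# Return 0 if the query string in $1 would be blocked by the rules, else 1.
query_blocked() {
    printf '%s\n' "$1" | grep -Eiq '(<|%3C).*script.*(>|%3E)'        && return 0
    printf '%s\n' "$1" | grep -Eq  'GLOBALS(=|\[|%[0-9A-Z]{0,2})'     && return 0
    printf '%s\n' "$1" | grep -Eq  '_REQUEST(=|\[|%[0-9A-Z]{0,2})'    && return 0
    return 1
}

# Report a verdict for each query string given as an argument.
check_queries() {
    for q in "$@"; do
        if query_blocked "$q"; then
            printf 'BLOCKED  ?%s\n' "$q"
        else
            printf 'allowed  ?%s\n' "$q"
        fi
    done
}

# Constructed samples: ordinary WordPress URLs alongside the shapes the rules
# target. Note that a search for the word "scripting" passes, because the
# first pattern needs an angle bracket on both sides.
check_queries 'p=123' 's=wordpress+security' 's=scripting+tips' \
    's=<script>' 's=%3Cscript%3E' 'GLOBALS[x]=1' '_REQUEST=1'
```

The rules look only at the query string: the path, POST bodies, cookies and headers are never inspected, so treat them as a narrow filter alongside a firewall plugin rather than a substitute for one. Also, `Options +FollowSymLinks` produces a 500 error on hosts whose AllowOverride setting excludes Options; if every page breaks right after you add the block, remove that line and test again.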
Wrapping Up on WordPress Security
You can never be 100% secure online!
We can never finish covering all the topics for the ultimate WordPress Security Guide. However, we will update this article frequently to protect you from all known security vulnerabilities.
Meanwhile, check our best WordPress plugins to make the most out of WordPress. Also, a fast and secure website has a great impact on SEO. Explore 10 ways to improve page speed.
Thanks for listing such useful tips for securing WordPress. I agree that a secure password really helps, though I would like to add that secure hosting really helps too. I got these awesome tips from wphive and they really helped secure my website.
Glad you liked it.
Very helpful information. I would like to know your thoughts on the following: if I were to implement all of those security situations, particularly those that involve code etc., does it affect Google’s ability to pull up the site and for SEO to work effectively?
Hi Andy, thanks for the comment.
No, it wouldn’t negatively affect Google’s ability to crawl your site properly. You can safely use all these codes.
Cheers,
Faisal.