Important Tips to Secure your WordPress Website (Ultimate Guide)

WordPress is a widely used content management system (CMS) for building websites, and it can be managed easily even by a non-technical person who cannot code.

However, it is essential to keep your WordPress site secure. WordPress is an open source CMS: its code is available online and anyone can edit it to suit their needs, so anyone smart enough to find a loophole can attack your website. Unfortunately, hackers have a bit of an upper hand here, which makes it even tougher for developers and website owners to keep a site secure and prevent hackers from editing the website or its content.

In this topic, you will learn some of the very basic security techniques and tricks so that you can prevent hackers from attacking your WordPress website.

Techniques and Tips to Secure your WordPress

1. Protecting your WP-Admin Directory

As we know, most websites are made in WordPress because it is very easy to use and manage. That is a great feature of WordPress, but it is also an opening for hackers. WordPress itself is secure and kept up to date with new security features and standards, but installing outdated plugins makes it insecure.

Furthermore, outdated plugins are easy and common targets for hackers. The best thing you can do to secure your website is to secure the WP-admin directory, and I recommend making it the first thing you do. In this topic, you will learn how to protect the WP-admin directory by installing the top rated “All in One WP Security & Firewall” plugin.

Installing “All in One WP Security & Firewall” plugin

The widely used “All in One WordPress Security” plugin will take your WordPress website to a new level of security. This plugin is developed by expert developers, which is why it is easy to use and manage and highly secure. It raises the security level by checking for brute force attacks and by applying the latest recommended WordPress security practices and techniques.

You can install the plugin with the usual steps for installing any plugin. Go to the dashboard, select the Plugins tab, and press the Add New button in the plugins section. Then search for the plugin and install it.

Key features

-All the security features and firewall rules are divided into “Basic”, “Intermediate” and “Advanced” levels, which you can choose according to the security level you need.

-Protect your WP-admin directories by setting a password security.

-You can easily set the default WP prefix to a value of your choice.

-Using this plugin, you can view a list of all locked out users and unblock the individual IP addresses you blocked with bulk option.

-It allows manual approval of WordPress user accounts

-It forces all users to log out after a time period that you select yourself.

-You can view the failed login attempts with time and date

2. Using SSL to encrypt data

SSL stands for “Secure Sockets Layer”, and an SSL certificate encrypts all the communication that happens between the website and its visitors. An SSL certificate is usually needed if you are going to take any kind of payment for anything you sell directly on your website, in order to run it in a secure manner.

You can recognize a website with SSL enabled when you see the https protocol instead of http at the beginning of the web address.
Your website security is one of top ten ranking factors used by Google, when someone searches 

3. Use plugins like "Force Strong Passwords"

Security is a critical thing that must not be ignored when managing WordPress sites and blogs. In fact, most WordPress users choose a secure web host for their sites. After that, they install a WordPress firewall plugin and keep a record of what is happening on their site with a complete WordPress activity log plugin.

Still, no software can guard your WordPress website against your users’ weak passwords. According to a survey, 35% of users use weak passwords, such as mypass123 and abcd123, and most of the others use passwords that can be broken. Therefore, as a WordPress site owner it is your responsibility to implement password policies that force strong passwords on users, in order to raise the password security level of your WordPress website.

By default, WordPress recommends a strong password every time you forget your password, create a new user or simply want to reset your password.

However, users can and will still use weak passwords, as they are given the option. They can simply enter their weak password and tick the option "Confirm use of weak password".

So use a force strong password plugin in order to enforce your password policies.

4. Monitor your files using the Wordfence plugin

As WordPress is one of the most widely used CMSs (content management systems), it is also a target for hackers. We have a great solution for you: learn how to monitor the files of your WordPress site using the Wordfence plugin.

Installing “Wordfence” Plugin

Wordfence is one of the most widely used WordPress security plugins, and for good cause. It provides powerful protection tools, such as robust login security features and security incident recovery tools. One of the key advantages of Wordfence is that you can get information about overall traffic trends and hack attempts.

It has one of the most impressive free versions, with everything from firewall blocks to protection against brute force attacks. A premium version is sold starting at around $99 per year for one site. So purchase Wordfence if you’re developing many websites and want to protect them all.

Go to the dashboard, select the Plugins tab, and press the Add New button in the plugins section. Then search for the plugin and install it.

Some key Features of WordFence Security

-The free version is powerful enough for smaller websites.

-Developers can save lots of money when they sign up for multiple site keys.

-It has a full firewall suite with tools for country blocking, manual blocking, brute force protection, real-time threat defense, and a web application firewall.

-The scan portion of the plugin fights off malware, real-time threats, and spam.

-The plugin monitors live traffic by viewing things like Google crawl activity, logins and logouts, human visitors, and bots.

-You get access to some unique tools like the option to sign in with your cell phone and password auditing.

-The comment spam filter removes the need to install a separate plugin for this.

5. Changing the WordPress Database Tables Prefix

As we mentioned previously, WordPress is a content management system (CMS), so it stores your website’s data, such as posts, pages, themes, and plugins, in a database. The database also contains key information such as your login details, which makes it a target for hackers.

Hackers use SQL injection, automated scripts, and other malicious code to attack your database, break into websites, or publish spam comments.

For this reason, it’s very important to protect your database and create regular backups of it. You can easily protect your site’s database from hackers simply by changing its default table prefix.

In this topic, you can learn how to change your database table prefix.

Easiest way to change the WordPress database prefix

The easiest time to change the WordPress database prefix is before installing the content management system (CMS) on your website.

Before you install WordPress, open the wp-config.php file and scroll down until you find the line $table_prefix = 'wp_';. When you find it, change the value by appending something to it, for example:

$table_prefix = 'wp_acbdie12233';

6. ALWAYS make regular backups

Taking regular WordPress backups is the best thing you can do to secure your website. Backups let you restore your website when your site gets hacked or you accidentally lock yourself out.

There are several plugins on the market that you can use to back up your website. From the following list, you can select one by its ranking.

Top 1-UpdraftPlus
Top 2-VaultPress (Jetpack Backups)
Top 3-BackupBuddy
Top 4-BoldGrid Backup
Top 5-BlogVault

If you have difficulty choosing the best one among the plugins mentioned above, check our detailed topic about the best backup plugins.

7. Set strong passwords for the site database

If you’re currently using a weak password that contains fewer than 6 characters, change it very fast to a combination of letters, numbers and symbols (@, #, $, %, etc.) if allowed.

Passwords are usually case-sensitive, so a strong password contains characters in both uppercase and lowercase.

Use one password for only one website; that is, always use different passwords for different purposes. Always change your password regularly, every 3 months.

8. Protect the wp-config.php file

Protecting the WordPress wp-config.php file is another way to enhance your WordPress security. The wp-config.php file contains very sensitive information about your WordPress installation, like the WordPress security keys and the database connection details. You surely do not want the data in this file to fall into the wrong hands, so wp-config.php security is very important.

In this topic you will find the easiest way to protect the wp-config.php file by following a few simple steps:

Connect to your website using an FTP client and download the .htaccess file from the root directory of your website.

Open the .htaccess file using a text editor such as Notepad.

Copy the lines of code below to the bottom of your .htaccess file to deny access to your wp-config.php file.

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Make sure the file extension is not changed.

Once you’ve added the above text to the .htaccess file, upload it back to the root of your website and remove the old file.

9. Disable file editing

By default, WordPress allows users to edit theme and plugin files from the dashboard area. It is a great feature, but it can also be very unsafe. In this topic you will find the easiest way to disable file editing so that no one can change these files. All you have to do is open your wp-config.php file and paste the following code:

define( 'DISALLOW_FILE_EDIT', true );

After adding this line of code, save the file and you are done. You can also add this code to your functions.php file so that no one can change the files.

10. Disable directory listing

When your web server does not find an index file such as index.php in a directory of your website, it automatically shows an index page listing the contents of that directory. This could make your website insecure by revealing important information about a WordPress plugin or theme. This information can be useful to hackers, so you should disable directory listings. In this topic, you will learn how to disable directory browsing in WordPress.

Just follow a few easy steps:

Connect to your website using an FTP client and download the .htaccess file from the root directory of your website.

Open the .htaccess file using a text editor such as Notepad.

Copy the line below to the bottom of your .htaccess file.

Options -Indexes
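
The settings from sections 5, 8, 9 and 10 can be checked together after editing. The script below is an added example, not code from this guide or from WordPress; it reads the text of wp-config.php and .htaccess and reports which of the four settings are missing. The sample file contents are constructed, and the names audit and strip_comments are illustrative.

```python
import re

# Constructed sample files (not from a real site); three of the four checks fail.
SAMPLE_WP_CONFIG = """<?php
$table_prefix = 'wp_';
// define( 'DISALLOW_FILE_EDIT', true );
"""
SAMPLE_HTACCESS = """# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
"""

def strip_comments(text, markers):
    """Remove whole-line comments so commented-out settings do not count."""
    return re.sub(r"^[ \t]*(?:%s).*$" % "|".join(markers), "", text, flags=re.M)

def audit(wp_config, htaccess):
    """Return a list of findings; an empty list means all four checks pass."""
    findings = []
    php = strip_comments(wp_config, ["//", "#"])
    ht = strip_comments(htaccess, ["#"])

    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]\s*;", php)
    if not prefix:
        findings.append("table_prefix: not set")
    elif prefix.group(1) == "wp_":
        findings.append("table_prefix: still the default wp_")
    elif not re.fullmatch(r"[A-Za-z0-9_]+", prefix.group(1)):
        findings.append("table_prefix: only letters, numbers and underscores")

    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)",
                     php, re.I):
        findings.append("DISALLOW_FILE_EDIT: not defined as true")

    # The deny rule only counts inside a properly closed <files> block.
    block = re.search(r"<files\s+\"?wp-config\.php\"?\s*>(.*?)</files>",
                      ht, re.I | re.S)
    deny = r"deny\s+from\s+all|require\s+all\s+denied"
    if not (block and re.search(deny, block.group(1), re.I)):
        findings.append("htaccess: wp-config.php is not denied")

    if not re.search(r"^\s*Options\b.*-Indexes\b", ht, re.I | re.M):
        findings.append("htaccess: directory listing is not disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG, SAMPLE_HTACCESS):
        print(finding)
```

To check a real site, pass the contents of the downloaded wp-config.php and .htaccess files to audit() instead of the samples.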

11. Block hotlinking

First you need to know what hotlinking is. Here is a simple example: suppose you find an image somewhere on the internet and use the URL of that image in your website. The image is displayed on your website, but it is still loaded from the original location where it is hosted. This is very convenient for the hotlinker, but it is actually theft, as it uses the hotlinked site’s resources. So it is very important to block hotlinking. In this topic, you will learn how to block hotlinking in a few very easy steps using a plugin.

Installing “Prevent Content Theft” plugin

By installing this plugin you can disable the right-click function on your website. Whenever anyone tries to right click, it shows a message saying that right click is not allowed on the website.

Go to the dashboard, select the Plugins tab, and press the Add New button in the plugins section. Then search for the plugin and install it.

Key Feature of this plugin

-Uses beautiful alert box to show the disable message which automatically hides after few seconds
-Disable Cut/Copy Shortcut Keys
-Disable Save Shortcut Key
-Disable Text/Image Selection
-Disable Image Drag-n-Drop
-Exclude Pages option to allow right click on the pages you want

12. Remove WordPress Version

By default, WordPress leaves footprints on your site that make it easy to track, and from these hackers can tell which version of WordPress you are using. So you need to hide your WordPress version, and in this topic you will learn how to do that in a very easy way.

If you are running the most updated version of WordPress 5.0, then you do not have to worry about this problem at all. But if for some reason you are not using this version, just follow a few steps.

Find and download the functions.php file from the root directory of your website.

Open the functions.php file using a text editor such as Notepad.

Copy and paste the lines of code below into your functions.php file.

// Return an empty string in place of the generator (version) output.
function wpbeginner_remove_version() {
    return '';
}
add_filter('the_generator', 'wpbeginner_remove_version');

By adding these lines of code, you can remove the WordPress version number from all different areas on your site.

13. Limit Login Attempts

By default, WordPress allows users to try different passwords as many times as they want. Repeatedly guessing passwords this way is known as a brute force attack. Chances are that your site is getting hundreds or thousands of malicious attempts per month. In this topic you will learn how to fix this problem by installing a top rated plugin that is widely used for this purpose.

Installing ‘WP Limit Login Attempts’ Plugin

This plugin is widely used to limit the login attempts on your WordPress website. It temporarily blocks the IP address of a user who is trying to crack your website's password through repeated attempts. The plugin was designed specifically against brute force attacks. It works by detecting bots through CAPTCHA verification and allows seven attempts by default, which you can change from the settings.

Go to the dashboard, select the Plugins tab, and press the Add New button in the plugins section. Then search for the plugin and install it.

Key Features

-Allows site owners to track user login attempts.
-Temporarily blocks IP address of malicious user.
-Built-in CAPTCHA verification module.
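
To see how many password guesses your site is actually receiving, you can count failed logins per IP address in the web server access log. The script below is an added example, not part of the plugin or of this guide; it assumes the Apache combined log format and treats a POST to wp-login.php answered with status 200 as a failed attempt (a successful login normally answers with a 302 redirect). The log lines are constructed and use documentation IP ranges; the limit of seven matches the plugin default mentioned above.

```python
import re
from collections import Counter

def make_line(ip, sec, method, path, status):
    """Build one constructed access-log line in Apache combined format."""
    return (f'{ip} - - [10/Jan/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample log: one guessing client, one honest typo, one page view.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(9)]
    + [make_line("198.51.100.4", 20, "POST", "/wp-login.php", 200),
       make_line("198.51.100.4", 25, "POST", "/wp-login.php", 302),
       make_line("192.0.2.10", 30, "GET", "/wp-login.php", 200)]
)

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def failed_logins(log_text):
    """Count POSTs to wp-login.php answered with 200, per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, method, path, status = m.groups()
        is_login = path.split("?")[0].endswith("/wp-login.php")
        if method == "POST" and is_login and status == "200":
            counts[ip] += 1
    return counts

def over_limit(log_text, limit=7):
    """Return (ip, failures) pairs with more than `limit` failures, worst first."""
    return [(ip, n) for ip, n in failed_logins(log_text).most_common() if n > limit]

if __name__ == "__main__":
    for ip, n in over_limit(SAMPLE_LOG):
        print(f"{ip}: {n} failed logins")
```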

14. Add Security Questions to WordPress Login Screen

Securing your WordPress admin area is a main concern. However, on a multi-user website, one usually has to choose between user experience and security. That is where security questions come into play. When you add security questions to the WordPress login screen, a new layer of protection is added. The security question acts as identity verification as well as an extra password.

The users can choose from a list of questions and add an answer to that question which is always unique. Adding security questions greatly reduces the chances of your website being hacked. In this topic, you will learn how to add security questions by installing a widely used plugin.

Installing ‘WP Security Question’ Plugin

It is the most widely used plugin for adding security questions, and it enables the security question feature on the admin area of your WordPress website. You can protect your website by asking a security question on the login screen.

Go to the dashboard, select the Plugins tab, and press the Add New button in the plugins section. Then search for the plugin and install it.

Key feature

-You can add an unlimited number of security questions.
-You can Show/ Hide security question on registration page, login page and forgot password page.
-Users can set security answer from their profile page.
