Ensuring your WordPress site security should be the key priority for all website owners.
Why? Around 23% of all the sites in the world are powered by WordPress.
Hackers are continuously trying to break the security barrier of the world's most popular CMS.
Cyber-attacks are always painful whether you have a business site, portfolio, or an e-commerce site.
Unfortunately, there is not a single way to protect WordPress websites, as hackers are knocking almost every backdoor that can lead to the control of your admin panel.
So here is the list of the top 27 tips that can help you to secure your WordPress site effectively.
1 – Activate two-factor authentication for WordPress
Activation of two-factor authentication is one of the best ways to minimise brute-force attacks.
In the two-step or two-factor authentication mode, apart from the password, WordPress will also ask for an OTP (one-time password), which can be sent to your personal phone number.
2 – Run scheduled malware scans
Scheduled malware scans help you to stay ahead from malware infections.
You can use different plugins to run scheduled malware scans.
But, stay alerted while downloading plugins, the unauthorised source of plugins can itself cause security issues.
3 – Activate WordPress Brute Force Protection
Activating brute force protection is another way to protect your website from potential brute force attacks.
We suggest you use protection service that can cover both local and network brute force.
4 – Update WordPress on Regular Basis
WordPress releases updates on a regular basis that often includes security patches in the code.
So, try not to miss the updates.
Updating WordPress regularly can solve various security issues automatically.
5 – Use Strong Passwords
Stolen passwords are one of the most common ways used to hack WordPress.
You need to select strong passwords for the database, FTP accounts, professional email addresses, and WordPress hosting accounts.
You can use a password manager to manage complex WordPress passwords.
6 – Upgrade to Secure WordPress Hosting
Your web hosting service plays a crucial role in the security maintenance of WordPress.
A good shared hosting provider takes extra care of the service users, while a poor shared hosting provider takes the users' security issues reluctantly.
So, choose your secure WordPress hosting service wisely.
7 – Use a WordPress Backup Solution
It does not matter how much protection you have set up; your website still has a chance to be hacked.
So, it is smart to keep regular backups.
You can use many paid as well as free WordPress backup plugins to keep your backups in order.
You can even use cloud services (remote locations), such as Dropbox and Amazon to save automatic backups on a regular basis.
8 – Use WordPress Security Plugins
Using WordPress security plugins is common, but a vital step.
With the implementation of the WordPress security plugins, you can easily avoid major security threats and malware.
The use of Sucuri scanner (WordPress plugin) has also gained popularity.
9 – Download Plugins from Reliable Sources
We firmly recommend downloading plugins only from reliable and trusted sources.
You can download plugins as well as themes from WordPress.org.
If you feel that is not enough, you can download plugins from other websites, but be careful about site legitimacy.
10 – Keep plugins up-to-date
It is required to up-to-date your plugins regularly, just as you do for the WordPress Core.
Each of the plugins added to your WordPress website is like the possible attachment of a backdoor into the admin's panel.
In other words, many hackers use plugins as backdoors to enter into the admin's area.
So, if you are not updating plugins regularly, you may be compromising your WordPress security.
11 – Hide Your Plugins
As we have mentioned, each of the plugins can be a backdoor for hackers.
How great would it be if we could hide our plugins?
Yes, it is doable.
Adding a blank index file in the WP-content/folder/plugins can make all of the plugins invisible.
This is an extra layer of security on a WordPress site.
12 – Activation of Web Application Firewall (WAF)
Enabling Web Application Firewall (WAF) is beneficial.
The activated WAF blocks malicious and suspicious traffic before they even reach the website.
In this case, we also ask you to select the best quality security providers like Sucuri.
13 – Change the default Username
To maintain security, it is smart to change the default username “admin.”
WordPress will let you alter the username by default.
So, you can directly modify the username or use a particular plugin to do so.
Since, admin is a default username, not changing the username makes it easier for brute-force attacks.
14 – Disable file editing
WordPress has a built-in code editor helps the user to edit plugins and themes directly from the admin area.
If your site is compromised, then this feature could prove fatal.
We recommend you to add the following code in the wp-config.php file to disable file editing:
// Disallow file edit
define( ‘DISALLOW_FILE_EDIT', true );
15 – Disable PHP File extension
Disabling PHP extensions is also a good idea.
To do so, paste the following code in a notepad and save it as .htaccess.
Then upload it to /wp-content/uploads/ folders.
deny from all
16 – Change File Permissions
We strongly advise you not to configure directories with 777 permissions.
According to WordPress.org, it is better to opt for 750 or 755 instead of 777.
When you are working on the site, you can set files to 644 or 640.
17 – Use HTTPS
An SSL certificate cannot secure you from hackers itself.
An SSL certificate is only meaningful when your site has a payment system or deals with personal information of the users.
It is easy to shift from HTTP to HTTPS, and there are tonnes of guidelines available on online.
However, we ask you take help or consult with the technical support before and during the shifting of the site from HTTP to HTTPS.
18 – Put Limit on Login Attempts
WordPress offers countless attempts to try to log in, which makes it vulnerable to Brute Force attacks.
Using WAF can solve this issue automatically.
But, if you are not using WAF, then you can use plugins like Login LockDown.
19 – Change WordPress Database Prefix
The WordPress users by default carry the “wp_” WordPress database prefix.
Using this default prefix can reveal your table name to hackers.
We strongly suggest you change the WordPress Database Prefix.
20 – Disable Directory Indexing and Browsing
Hackers can use directory browsing to identify any file kept by the admin that has known vulnerabilities.
This particular file with vulnerabilities could be utilised by hackers to access the website.
In order to disable Directory indexing, you have to add following texts to the .htaccess file.
21 – Use Password Protect WP-Admin and Login
Hackers can access wp-admin folder and login page without much difficulty.
Using password protected WP-Admin and Login can block these requests.
22 – Automatically log out Idle Users
The Idle User Logout plugin is a user that you can use to logout when the user is inactive, and not working.
With this plugin, you can set an ideal time, after which the user is automatically logged out.
23 – Use CDN Service
CDN is a Content Delivery Network that offers you alternative server nodes.
These alternative server nodes are perfect for improving the response time and download speed of the users globally.
On the other hand, the CDN network requires meeting specific security regulations to protect the users' data and others who are using cloud systems.
Many WordPress users compromise speed to ensure security.
With CDN services, you can have both speed and security.
24 – Hide the Admin Page
The first and foremost step taken by a hacker is to find your login page.
Hiding the login page URL could be a shrewd move from your end.
For this, you just have to modify your login page URL.
Alternatively, you can use WPS Hide Login Plugin and Protect WP-Admin Plugin to change the login page URL.
25 – Disable XML-RPC in WordPress
The XML-RPC is a popular plugin used to connect a WordPress site with the web and mobile apps.
On the other hand, XML-RPC can also allow for brute-force attacks.
While XML-RPC is active, the hackers can use hundreds of passwords by using the system.multi-call function.
Therefore, we strongly recommend disabling this feature.
26 – Fixing a Hacked WordPress Site
When or if your website is hacked, hackers can install a backdoor.
If the WP maintenance provider failed to fix this backdoor, there is a chance of another hacking incident.
So, while securing your WordPress website, be careful.
27 – Add Security Questions to WordPress Login
This is a simple but efficient method to make it harder for the hackers to control your website.
You can set a security question with the help of the WP Security Questions plugin.
It is recommended that you should not ask any question which has an obvious answer and the hacker can easily find it.
Offer personal and odd questions to perplex the hackers.
All of the 27 steps discussed in this article are capable of cutting the leads that could lead to the WordPress security breaching.
However, it is unwise to claim that the methods discussed here can make your WordPress site 100% secure.
Hackers are getting more creative with time.
So, try to follow all of these steps to secure your WordPress site as far as you can and ask for help as soon as you encounter any security breaches.