20 Simple Tricks to Secure Your WordPress Website in 2017

 This is a contribution by Ahmad Awais. 
I’ve seen many website owners complain about the security of WordPress.

The common opinion is that an open source script is vulnerable to all sorts of attacks. That is mostly not true, and in one sense it is the other way around: open code gets reviewed by many people, and core vulnerabilities are patched quickly. Even where the opinion is partially true, WordPress core is rarely the weak point.

Why? Because most compromised sites are compromised through weak or reused passwords, outdated plugins and themes, or a careless hosting setup, and those are the site owner’s responsibility. So the key question is always: what are *you* doing to keep your site from being hacked?

Today, I plan to discuss quite a few simple tricks that can help you secure your WordPress website:

Part (a): Secure the login page and prevent brute force attacks

Everyone knows the standard WordPress login page URL. The backend of the website is accessed from there, and that is the reason why people try to brute force their way in. Just add /wp-login.php or /wp-admin/ at the end of your domain name and there you go.

What I recommend is to customize the login URL and, more importantly, change how the login page behaves under attack: limit failed attempts and add a second factor. That’s the first thing I do when I start securing a website.

Here are some suggestions for securing your login page:

1. Set up website lockdown and ban users

A lockout for failed login attempts solves a big problem: no more unlimited brute force guessing. When the same IP address (or the same account) keeps submitting wrong passwords, further attempts from that address are refused for a while, and you get notified of the unauthorized activity.

I found the iThemes Security plugin to be one of the best such plugins out there, and I’ve been using it for quite some time. You can specify the number of failed login attempts after which the plugin bans the attacker’s IP address. Two caveats apply to any IP-based lockout: if your site sits behind a reverse proxy or CDN, the plugin must be told which header carries the real client address, otherwise every visitor appears to come from the proxy and one attacker can lock everyone out; and a distributed attack that rotates through many addresses is only slowed down, not stopped, which is why a second factor (next trick) still matters.

(Alternatively, you can also use the Login LockDown plugin that was built to help you with this problem only.)
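A minimal version of such a lockout, as an added example of how the mechanism works underneath; this is my own code, not code from iThemes Security or Login LockDown. It is a must-use plugin (drop the file into wp-content/mu-plugins/); the thresholds, the sll_ prefix and the notification text are my own choices. It counts failures per client address in WordPress transients and refuses authentication while the address is locked, which covers both wp-login.php and xmlrpc.php because both go through wp_authenticate().

```php
<?php
/**
 * Plugin Name: Simple login lockout (added example, not from the article)
 *
 * After SLL_MAX_FAILURES failed logins from one address within SLL_WINDOW seconds,
 * further login attempts from that address are refused for SLL_LOCKOUT seconds.
 * Counters live in transients, so no extra tables are needed.
 */

const SLL_MAX_FAILURES = 5;
const SLL_WINDOW       = 15 * MINUTE_IN_SECONDS; // MINUTE_IN_SECONDS is defined by WordPress
const SLL_LOCKOUT      = 30 * MINUTE_IN_SECONDS;

/**
 * Client address. REMOTE_ADDR cannot be forged by the client directly. Behind a
 * reverse proxy or CDN, replace this with the proxy's trusted real-IP header,
 * otherwise every visitor shares the proxy's address and one attacker locks everyone out.
 */
function sll_client_ip(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

function sll_key(string $prefix, string $ip): string
{
    return $prefix . md5($ip); // transient names have a length limit, so hash the address
}

function sll_is_locked(string $ip): bool
{
    return (bool) get_transient(sll_key('sll_lock_', $ip));
}

// Count failures per address and escalate to a lockout.
add_action('wp_login_failed', function (string $username) {
    $ip       = sll_client_ip();
    $key      = sll_key('sll_fail_', $ip);
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, SLL_WINDOW);

    if ($failures >= SLL_MAX_FAILURES) {
        set_transient(sll_key('sll_lock_', $ip), time(), SLL_LOCKOUT);
        delete_transient($key);
        // Notify the site owner (wp_mail() is WordPress's mail function).
        wp_mail(
            get_option('admin_email'),
            sprintf('[%s] Login lockout for %s', get_bloginfo('name'), $ip),
            sprintf("%d failed logins (last username tried: %s). Locked for %d minutes.",
                SLL_MAX_FAILURES, sanitize_user($username), SLL_LOCKOUT / 60)
        );
    }
});

// Refuse authentication while locked. Priority 30 runs after WordPress's own
// password checks (priority 20), so a correct password cannot override the lock.
add_filter('authenticate', function ($user, $username, $password) {
    if (sll_is_locked(sll_client_ip())) {
        return new WP_Error('sll_locked',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the failure counter for that address.
add_action('wp_login', function (string $user_login, WP_User $user) {
    delete_transient(sll_key('sll_fail_', sll_client_ip()));
}, 10, 2);
```

Transients are a deliberate choice here: they expire on their own, so an address is released without a cleanup job, and on a site with an object cache the counters never touch the database. A plugin that also locks the account (not just the address) would key a second counter on the sanitized username in the same way.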

2. Use 2-factor authentication

Two-factor authentication (2FA) on the login page is another good security measure. The user has to present two factors of different kinds: something they know (the password) and something they have (a phone running an authenticator app, or a hardware token). A secret question is not a second factor, because it is just another thing the user knows, and it is usually easier to guess or look up than the password. With 2FA, a stolen or guessed password alone is not enough to log in.

I prefer using time-based one-time codes (TOTP) when deploying 2FA on any of my websites. The Google Authenticator plugin sets that up in just a few clicks: the site shows a QR code once, the app on your phone scans it, and from then on the app shows a fresh six-digit code every 30 seconds that you type in after your password.
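What the authenticator app and the server are actually computing, as an added example in plain PHP; this is my own code, not code from the Google Authenticator plugin. It implements an RFC 6238 TOTP check, with the base32 decoding authenticator apps use for the shared secret. The ASCII key in the assertions is the RFC’s own test vector; the base32 secret further down and the function names are made up.

```php
<?php
// Added example: RFC 6238 TOTP verification, not code from any WordPress plugin.

/** Decode a base32 secret (RFC 4648 alphabet), the form shown in enrolment QR codes. */
function base32_decode_rfc4648(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = rtrim(strtoupper($b32), '=');
    if ($b32 === '') {
        throw new InvalidArgumentException('empty secret');
    }
    $bits = '';
    foreach (str_split($b32) as $c) {
        $v = strpos($alphabet, $c);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $c");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {       // drop the trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

/** One HOTP/TOTP code (RFC 4226 section 5.3) for the time step containing $unixTime. */
function totp_code(string $secret, int $unixTime, int $step = 30, int $digits = 6): string
{
    $counter = intdiv($unixTime, $step);
    $hmac    = hash_hmac('sha1', pack('J', $counter), $secret, true); // 'J' = 64-bit big-endian
    $offset  = ord($hmac[19]) & 0x0f;                                // dynamic truncation
    $binary  = ((ord($hmac[$offset]) & 0x7f) << 24)
             | (ord($hmac[$offset + 1]) << 16)
             | (ord($hmac[$offset + 2]) << 8)
             |  ord($hmac[$offset + 3]);
    return str_pad((string) ($binary % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

/**
 * Accept the code for the current step and one step either side (clock drift).
 * hash_equals() keeps each comparison constant-time, and the loop does not return
 * early, so timing does not reveal which step matched.
 */
function totp_verify(string $secret, string $code, int $unixTime, int $window = 1): bool
{
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $ok = hash_equals(totp_code($secret, $unixTime + 30 * $i), $code) || $ok;
    }
    return $ok;
}

// RFC 6238 appendix B test vector: ASCII key "12345678901234567890", T = 59 -> 287082.
$rfcKey = '12345678901234567890';
assert(totp_code($rfcKey, 59) === '287082');
assert(totp_verify($rfcKey, '287082', 59 + 30) === true);   // previous step still valid
assert(totp_verify($rfcKey, '287082', 59 + 90) === false);  // two steps old: rejected

// A real secret arrives base32-encoded from the enrolment QR code (this one is made up).
$appSecret = base32_decode_rfc4648('JBSWY3DPEHPK3PXP');
echo totp_code($appSecret, time()), PHP_EOL;

// In a login flow, also record the step of each accepted code and refuse the same step
// twice, so a code captured by a phisher cannot be replayed inside the window, and count
// wrong codes towards the lockout: six digits are guessable by brute force.
```

Two things follow from the code that a plugin’s settings page will not tell you: the secret is a shared symmetric key, so it must be stored on the server as carefully as a password hash (it cannot be hashed, since the server needs the raw value), and a wider acceptance window than one step on each side gives an attacker more valid codes per attempt for no real gain.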

3. Use email as login

By default, you log in with your username. Logging in with your email address instead removes one guessable element, and WordPress itself has accepted either the username or the email address on the login form since version 4.5. Do not count on this as real protection, though: usernames are exposed by author archive pages and by the REST API’s users endpoint, and email addresses are often public too (author pages, domain records, a leaked mailing list). The lockout and the second factor are what actually stop guessing; email login is a small convenience on top.

If you want to go further and accept only the email address, the WP Email Login plugin works out of the box. It starts working right after activation and requires no configuration at all.

To test it, log out of your website and then log back in, this time using the email address the account was created with.

4. Rename your login URL

Changing the login URL is easy to do. By default, the WordPress login page is reached by adding wp-login.php or wp-admin to the site’s main URL.

When attackers know the direct URL of your login page, they can try to brute force their way in, feeding it credential lists: common usernames such as admin paired with millions of passwords (p@ssword and the like), plus username and password pairs leaked from other sites’ breaches.

So, at this point, if you’ve been following along, we have already limited login attempts and swapped usernames for email addresses. Now we can move the login URL and shed most of the automated traffic that blindly hits wp-login.php. Be clear about what this buys you: it is obscurity, not authentication. A scanner that follows the redirect from /wp-admin/ or finds the new URL in a shared link is back to guessing, and xmlrpc.php still accepts a username and password through its own interface unless you disable it, so the lockout and the second factor must cover that path as well.

This trick keeps casual visitors and dumb scanners off the login page: only someone who knows the new URL gets there. Again, the iThemes Security plugin can help you change your login URLs. Like so:

  • Change wp-login.php to something unique; e.g. my_new_login
  • Change /wp-admin/ to something unique; e.g. my_new_admin
  • Change /wp-login.php?action=register to something unique; e.g. my_new_registration

5. Adjust your passwords

Use a long, unique, randomly generated password for every account, store it in a password manager, and change it whenever you suspect it has been exposed (a breach at another site where it was reused, a shared laptop, a departed colleague). Scheduled rotation for its own sake buys little once the password is strong and unique. Length matters more than character-set rules: a randomly generated password of 16 or more characters, or a passphrase of several random words, is a good target. This password generator is a useful resource.


Part (b): Secure your admin dashboard

For an attacker, the most valuable part of a website is the admin dashboard. It is the best protected section, and once inside, an administrator account can install plugins, edit files and create more accounts, which means a full compromise of the site.

Here’s what you can do:

6. Protect the wp-admin directory

The wp-admin directory is the control panel of any WordPress website, so if an attacker gets in, the entire site is at their mercy.

One way to add a layer in front of it is to password-protect the wp-admin directory at the web server level (HTTP Basic authentication). The website owner then submits two passwords: one for the web server, one for WordPress. Two caveats: Basic authentication sends the credentials with every request, merely Base64-encoded, so it is only acceptable over HTTPS; and wp-admin/admin-ajax.php is called by many themes and plugins for logged-out visitors (comment forms, search, filters), so it must be exempted or those features break for everyone. If some site users legitimately need particular parts of wp-admin, you may unblock those parts while locking the rest.

You can use the AskApache Password Protect plugin for securing the admin area. It generates a .htpasswd file, hashes the password and sets restrictive file permissions on it.
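The same protection written by hand, as an added example of the configuration such a plugin produces; this is not the AskApache plugin’s own output. The .htpasswd path and the username are placeholders, and the admin-ajax.php exemption is the part that most hand-made versions forget.

```apache
# Added example. Put this in wp-admin/.htaccess (or in the virtual host config).
# The .htpasswd file must live outside the document root; create it with
#   htpasswd -B -c /etc/apache2/wp-admin.htpasswd alice      (-B = bcrypt hashes)
AuthType Basic
AuthName "Restricted admin area"
AuthUserFile /etc/apache2/wp-admin.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php for logged-out visitors too; exempt it
# or comment forms, search and similar features break. Apache 2.4 syntax; on
# Apache 2.2 use "Satisfy Any" with "Allow from all" inside the Files block.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Only use this on a site that is served over HTTPS: without it, the Basic credentials travel in the clear on every admin request, which is a worse exposure than the login form they are meant to protect.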

7. Use SSL to encrypt data

Serving your site over HTTPS, with a TLS certificate (still commonly called an SSL certificate, after the protocol that TLS replaced), is one smart move to secure the admin panel. TLS encrypts and authenticates the connection between the browser and the server, so a network attacker cannot read your password or the login cookie in transit, and cannot tamper with the pages or inject content. Once you have a certificate, set the FORCE_SSL_ADMIN constant to true in wp-config.php so that the login and admin pages are never served over plain HTTP.

Getting a certificate for your WordPress website is not an issue. You can purchase one from a certificate authority or ask your hosting firm to set one up (it’s often an option with their hosting packages).

I use free Let’s Encrypt certificates on most of my sites. Any good hosting company like SiteGround offers free Let’s Encrypt with their hosting packages.

HTTPS also affects your website’s rankings at Google: Google has used HTTPS as a lightweight ranking signal since 2014. That means more traffic. Now who doesn’t want that?

8. Add user accounts with care

If you run a multi-author WordPress blog, then multiple people access your admin panel, and every extra account is another password that can be phished or guessed. Give each person the lowest role that does the job (Contributor, Author or Editor, not Administrator), remove accounts when people leave, and review the user list now and then.

You can use a plugin like Force Strong Passwords to make sure that whatever passwords your users choose are strong. This is a precautionary measure, not a substitute for the lockout and 2FA above.

9. Change the admin username

During WordPress installation, never choose “admin” as the username for your main administrator account. Such an easy-to-guess username is a gift to attackers: with the username known, all they need is the password, and your entire site is in the wrong hands. Usernames are not secrets anyway, so this is about not making the very first guess correct.

I can’t tell you how many times I have scrolled through my website logs, and found login attempts with username “admin”.

The iThemes Security plugin can stop such attempts cleverly by immediately banning any IP address that attempts to log in with that username.

10. Monitor your files

If you want some extra security, you can monitor changes to the website’s files via plugins like Wordfence, or again, iThemes Security. For core files, WP-CLI’s “wp core verify-checksums” compares every file against the checksums WordPress.org publishes for your version, and a plain hash manifest catches changes to everything else. The findings worth alerting on first are PHP files appearing under wp-content/uploads/ and modifications to wp-config.php or .htaccess.
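A plain hash-manifest checker, as an added example of what such monitoring does underneath; this is my own command-line PHP 8 script, not code from Wordfence or iThemes Security. The script name, the excluded cache directory and the manifest location are my own assumptions.

```php
<?php
// Added example: file-integrity check for a WordPress tree (PHP 8, run from the CLI).
//   php wp-integrity.php baseline /var/www/example /var/backups/wp-manifest.json
//   php wp-integrity.php check    /var/www/example /var/backups/wp-manifest.json
// Keep the manifest outside the web root and preferably off the server: an attacker
// who can write to the site could otherwise rewrite the baseline too.

/** Map of relative path => sha256 for every regular file under $root. */
function build_manifest(string $root): array
{
    $root = rtrim($root, '/');
    $manifest = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        if (str_starts_with($rel, 'wp-content/cache/')) {   // churns legitimately
            continue;
        }
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

/** Paths added, removed or modified between two manifests. */
function compare_manifests(array $baseline, array $current): array
{
    $modified = [];
    foreach (array_intersect_key($current, $baseline) as $path => $hash) {
        if (!hash_equals($baseline[$path], $hash)) {
            $modified[] = $path;
        }
    }
    return [
        'added'    => array_keys(array_diff_key($current, $baseline)),
        'removed'  => array_keys(array_diff_key($baseline, $current)),
        'modified' => $modified,
    ];
}

/** PHP files under uploads/ are almost always a dropped web shell: flag them regardless. */
function php_in_uploads(array $manifest): array
{
    return array_values(array_filter(
        array_keys($manifest),
        fn (string $p) => str_starts_with($p, 'wp-content/uploads/')
                       && preg_match('/\.(php\d?|phtml|phar)$/i', $p) === 1
    ));
}

if ($argc !== 4 || !in_array($argv[1], ['baseline', 'check'], true)) {
    fwrite(STDERR, "usage: php {$argv[0]} baseline|check <wordpress-root> <manifest.json>\n");
    exit(2);
}
[$cmd, $root, $manifestFile] = [$argv[1], $argv[2], $argv[3]];
$current = build_manifest($root);

if ($cmd === 'baseline') {
    file_put_contents($manifestFile, json_encode($current, JSON_PRETTY_PRINT));
    echo count($current), " files recorded\n";
    exit(0);
}

$baseline = json_decode((string) file_get_contents($manifestFile), true) ?? [];
$diff     = compare_manifests($baseline, $current);
foreach ($diff as $kind => $paths) {
    foreach ($paths as $path) {
        echo strtoupper($kind), ": $path\n";
    }
}
foreach (php_in_uploads($current) as $path) {
    echo "SUSPICIOUS: $path\n";
}
// A non-zero exit lets cron or a monitoring job raise an alert.
exit(array_sum(array_map('count', $diff)) > 0 ? 1 : 0);
```

Run “baseline” right after a clean install or a verified update and “check” from cron; re-baseline after every legitimate update, otherwise the report is nothing but noise and gets ignored.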

Part (c): Secure the database

All of your site’s data and information is stored in the database. Taking care of it is just crucial. Here are a few things you can do to make it more secure:

11. Change the WordPress database table prefix

If you have ever installed WordPress then you are familiar with the wp_ table prefix that WordPress uses for its database tables. I recommend you change it to something unique.

Be honest about what this buys you. A custom prefix does not prevent SQL injection: an injectable plugin is injectable whatever the tables are called, and an attacker who can run arbitrary SQL can read the real table names from information_schema.tables in one extra query. What the prefix does is break lazy, fully automated exploits that hardcode wp_users or wp_options. Treat it as cheap noise reduction, and put your real effort into keeping plugins updated and writing queries with placeholders. Change wp_ to some other term, e.g. mywp_, wpnew_, etc.

If you have already installed your WordPress website with the default prefix, then you can use a few plugins to change it. Plugins like WP-DBManager or iThemes Security can help you do the job with just a click of a button. (Make sure you back up your site before doing anything to the database).
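The query pattern that actually decides whether a plugin is injectable, as an added example; this is my own code, not from any plugin named on this page. It shows a vulnerable lookup next to its hardened form using $wpdb->prepare(), the placeholder mechanism WordPress provides. The plugin, its function names and the ref parameter are hypothetical.

```php
<?php
// Added example for a hypothetical plugin that looks up a post by a ?ref= value.
// It runs inside WordPress ($wpdb is WordPress's database object).

/** VULNERABLE: the request value is pasted into the SQL string. */
function example_lookup_vulnerable(string $ref): array
{
    global $wpdb;
    // {$wpdb->posts} expands to the real table name, prefix included, so the attacker
    // never needs to know the prefix. A value such as
    //   x' UNION SELECT table_name, table_schema FROM information_schema.tables -- 
    // lists every table (prefix and all); the next payload reads the users table.
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = '{$ref}'";
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

/** HARDENED: placeholders; $wpdb->prepare() escapes each value for MySQL. */
function example_lookup_safe(string $ref): array
{
    global $wpdb;
    // %s for strings, %d for integers, %f for floats. Do not write quotes around
    // the placeholders yourself: prepare() adds them, and hand-written quotes
    // create an injectable gap around the value.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_name = %s AND post_status = %s",
        $ref,
        'publish'
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

/**
 * Identifiers (table and column names) cannot go through %s: allow-list them.
 * (WordPress 6.2 and later also offer the %i placeholder for identifiers.)
 */
function example_recent_posts_ordered(string $column): array
{
    global $wpdb;
    $allowed = ['post_date', 'post_modified', 'comment_count'];
    if (!in_array($column, $allowed, true)) {
        $column = 'post_date';
    }
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY {$column} DESC LIMIT %d",
        'publish',
        20
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Hooking it up (also hypothetical): the value still arrives untrusted from the URL.
add_action('init', function () {
    if (isset($_GET['ref'])) {
        $rows = example_lookup_safe(sanitize_text_field(wp_unslash($_GET['ref'])));
        // Escape with esc_html() when rendering $rows: SQL safety is not XSS safety.
    }
});
```

When you review a plugin before installing it, grep for $wpdb->query, get_results, get_var and get_row and check that every request-derived value in those calls goes through prepare(); that one habit finds more real holes than any prefix change.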

12. Back up your site regularly

No matter how secure your website is, there is always room for improvement. But at the end of the day, keeping an off-site backup somewhere is perhaps the best antidote no matter what happens. Off-site matters: a backup that lives on the same server, writable by the same web user, disappears together with the site when it is wiped or encrypted.

If you have a backup, you can restore your WordPress website to a working state any time you want, provided you have actually tried a restore once, so you know the backup is complete (files and database) and the procedure works. There are several plugins that can help you in this respect, for instance VaultPress, BlogVault, BackupBuddy, CodeGuard and UpdraftPlus.

If you are looking for a premium solution then I recommend VaultPress by Automattic, which is great. I have it set up so it creates backups every 30 minutes. And should anything bad ever happen, I can easily restore the site with just one click. On top of that, it also checks my site for malware, and alerts me if anything shady is going on.

13. Set strong passwords for your database

A strong password for the main database user is a must; this is the one WordPress uses to access the database. Just as important, that user should be granted privileges only on the WordPress database, not on every database on the server, so that a compromised site cannot reach your other databases.

As always, use a long, randomly generated password; the database user never types it, so there is no reason to keep it short. I once again recommend a password generator as a useful resource.

Part (d): Secure your hosting setup

Almost all hosting companies claim to provide an optimized environment for WordPress, but we can still go a step further:

14. Protect the wp-config.php file

The wp-config.php file holds the database credentials, the authentication salts and the table prefix of your WordPress installation; it’s in fact the most important file in your site’s root directory. Protecting it means protecting the core of your WordPress blog.

The risk is the file being served as plain text rather than executed: a broken PHP handler after a server change, a misconfigured virtual host, or a stray copy such as wp-config.php.bak or wp-config.php~ that the web server happily serves. Anyone who reads it gets the database password and the keys needed to forge login cookies.

One mitigation is easy: move wp-config.php one level above the directory WordPress is installed in, provided that directory is outside the web root. WordPress’s loader (wp-load.php) looks for wp-config.php in the install directory first and then in its parent, as long as the parent does not contain a wp-settings.php (which would mean it is another WordPress install). It looks exactly one level up, not higher.

Caveats: if your installation lives directly in the document root of a shared account, the parent is often still inside the hosting account and may be the document root of another site (an addon domain, for example); in that case do not move the file, and instead deny direct access to it in the web server configuration. Whatever you do, also delete leftover backup copies and set the file’s permissions so that only the web server user can read it.

15. Disallow file editing

A user with admin access to your WordPress dashboard can edit the PHP files of any installed plugin or theme through the built-in editor. For an attacker who has obtained an administrator account or hijacked an admin session, that editor is the quickest way to turn dashboard access into code execution on the server.

Disallowing file editing removes the editor entirely, so that path is closed. Note what it does not do: an administrator can still upload a new plugin or theme as a zip file, which runs code just the same; if you manage the code base through deployment rather than through the dashboard, the related DISALLOW_FILE_MODS constant closes that too.

Add the following to the wp-config.php file, above the line that reads “/* That’s all, stop editing! Happy publishing. */” (older versions say “Happy blogging”), since everything below that line is WordPress loading itself:

define('DISALLOW_FILE_EDIT', true);

16. Connect the server correctly

When transferring files to your server, connect only through SFTP or SSH. Plain FTP sends your username, password and every file in clear text, so anyone on the network path (a coffee-shop Wi-Fi, a compromised router) can read or alter them. SFTP runs over SSH, so the login and the transfer are both encrypted and the server is authenticated by its host key.

Connecting this way ensures the files arrive on the server exactly as you sent them and that your credentials are not exposed in transit. Many hosting providers offer SFTP as part of their package. If not, it is usually a matter of enabling SSH access for your account (there are plenty of tutorials for the common control panels).

17. Set directory permissions carefully

Wrong directory permissions can be fatal, especially in a shared hosting environment where other customers’ code runs on the same machine.

Setting directories to 755 and files to 644 is the usual baseline: the owner can write, everyone else can only read (and traverse directories). That is a reasonable default for the WordPress tree, but it is not the whole story. wp-config.php deserves stricter treatment (600, or 640 if the web server runs as a group that needs to read it); nothing should ever be 777, whatever a plugin’s instructions say; and the permission bits only mean something if the file owner is right, so the files should belong to your account rather than to the web server user, unless you deliberately want WordPress to be able to update itself.

This can be done either manually via the File Manager inside your hosting control panel, or through the terminal (connected with SSH) using the chmod command.

For more, you can read about the correct permission scheme for WordPress or install the iThemes Security plugin to check your current permission settings.

18. Disable directory listing with .htaccess

If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.

For example, if you create a directory called “data”, you can see everything in that directory simply by typing http://www.example.com/data/ in your browser. No password or anything is needed.

You can prevent this by adding the following line to your .htaccess file (Options -Indexes on its own is enough; the All part also re-enables every other option, which you may not want). On nginx, directory listing is off unless autoindex is explicitly turned on. If you cannot control the server configuration, an empty index.php in each directory does the job as well:

Options All -Indexes

Part (e): Secure your WordPress themes and plugins

Themes and plugins are essential ingredients of any WordPress website. Unfortunately, they can also pose serious security threats. Let’s find out how we can secure WordPress themes and plugins the right way:

19. Update regularly

Every good software product is supported by its developers and gets updated now and then, and WordPress is updated very frequently. These updates fix bugs and often include vital security patches.

Not updating your themes and plugins means serious trouble. Most mass compromises rely on the simple fact that people can’t be bothered to update, so attackers exploit bugs that were fixed weeks or months earlier, scanning the web for sites that still run the vulnerable version.

So, if you’re using WordPress products, update them regularly. Plugins, themes, everything. WordPress core applies minor and security releases automatically by default (since version 3.7), so leave that enabled; remove plugins and themes you no longer use, since inactive code can still be reached and still needs patching; and prefer plugins that are actively maintained.

20. Remove your WordPress version number

Your current WordPress version number is easy to find. It sits right there in your site’s source view, in the generator meta tag, in the ?ver= query strings on core scripts and styles, in the RSS feed, and in the readme.html shipped with every install.

Here’s the thing: if attackers know which version of WordPress you use, they can pick the exploits that match it instead of trying everything. Hiding the number removes that shortcut for casual scanners, but it is no substitute for trick 19: a determined scanner fingerprints the version from the contents of static core files anyway, and the only real fix for a known vulnerability is the update.

You can hide the version number with almost every security plugin mentioned above, and delete readme.html from the web root while you are at it.
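Doing it by hand, as an added example; this is my own must-use plugin, not code from any security plugin named on this page. It removes the generator tag and strips the core version from asset URLs, and the comments say what it does not hide. The hwv_ prefix is my own.

```php
<?php
/**
 * Plugin Name: Hide WordPress version (added example, not from the article)
 *
 * Removes the generator meta tag and the feed generator element, and strips the
 * ?ver= query string that carries the core version on enqueued scripts and styles.
 * Not hidden: /readme.html (delete it) and the hashes of static core files, which a
 * scanner can match against known releases. This is noise reduction, not protection.
 */

// The <meta name="generator"> tag in the page head, and <generator> in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

/**
 * Drop the ver= argument only when it equals the core version. Plugin and theme
 * assets keep their own versions, which are needed for cache busting and do not
 * reveal the core version.
 */
function hwv_strip_core_version(string $src): string
{
    if (strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hwv_strip_core_version');
add_filter('style_loader_src', 'hwv_strip_core_version');
```

Stripping ver= from core assets also means browsers may serve a cached copy of a core script across an update; if that bites, replace the version with a hash of your own choosing rather than restoring the real one.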

Final words

If you are a beginner then that was a lot to take in. Everything that I mentioned in this article is a step in the right direction. The more you care about your WordPress site security, the harder it gets for a hacker to break in.

As usual, don’t hesitate to leave any questions or comments below, and I’ll try to respond to each of them.

About the author: Ahmad Awais is a full stack WordPress developer, WP core contributor, front-end fanatic and a designer by night. Follow him on his blog and reach out via Twitter @mrahmadawais.
  • Youssef Bitar

    Such great resources, I really appreciate it, thank you

  • Anton VS

    Thanks.

  • For me you just added every possible entity for the security fix. Well done!

  • krinalmehta

    Is it possible to do this without installing 15 new plugins? Will adding more plugins make the site more vulnerable?

    • Just go ahead with what you need! Not all of them!

  • The whole article is just for promoting iThemes Security. I know iThemes Security is a good one, but it’s useless on bigger websites.

    • Karol K.

      Useless on bigger sites? Please elaborate. 🙂

    • Hassan, it’s an opinionated piece. I am sharing my personal opinion. You can agree with it or not. I think iThemes Security is a great resource. And this article is not targeted towards enterprise sites.

  • This is a great article on securing WordPress. I am going to follow some of these tips. Thanks for sharing.

  • Nover Domingo

    Hi Karol K,

    Thanks for the tricks!

    • I wrote this, not Karol! But hey, thanks 🙂

  • Sure!

  • singh rajendar prasad

    Thank you so much… I have learned many things from your article… now I should go back and correct them.

  • anjansantoshi

    It means WordPress itself is not secured; it needs some security protection. Why is WordPress not thinking about it and providing all kinds of protection in a single bundle?

  • Hey Ahmad,
    That’s a good checklist. Thanks for the same!

  • I really loved your article. It’s always great to read good stuff, because we learn a lot of things from a good article.

    As we know, WordPress is the most popular CMS. So from this point of view, your article is more important for securing our WordPress websites. Thanks for sharing valuable information with us, and keep writing and sharing such great tips for us.

  • Thanks for this article, I really enjoyed reading it

  • Changing the login URL is a good option. But what if we upgrade WordPress? The upgraded WordPress will have the default login URL and we created a custom URL; will it create problems after the upgrade?

    • Android123

      Sagar, Very good question – did you ever find the answer to your question?

  • ALI

    Hi Ahmad! Thanks for the great post. I have a question.

    Let’s say we have two websites in one cPanel hosting account, one as the main website and the other as an addon domain.
    How can I place the wp-config file for the addon domain’s WP site one level up?

    If I do so, won’t it become the config file for the main website?

    I hope I am clear?

    Thanks

  • Detailed article on WordPress security. Quite enjoyed it! Thanks for sharing!

  • Stephen Norman

    Very informative and comprehensive article on WordPress Security!

    Personally I use a combination of Sucuri Security, WPS Hide Login, Login LockDown and a number of code snippets added to the .htaccess and functions.php files. This combination of plugins and code pretty much covers all you discuss.

    If you’re a beginner then it’s also good to know that there are WordPress support services out there who will do all of this for you as well as continually monitoring and managing your website.

  • I am using a security plugin, but it makes my site slower. So now I am searching for a better way that does not cause slow speed. By the way, this is a great article regarding site security.
    Keep sharing like this.
    -Humna

  • Mr. Summers B

    Thanks man!!!

  • Bill

    I have WordPress 4.7.1 and moving the wp-config one level above root did not work. On an earlier version of WP, however, it did. So I’m not sure if something has changed.

    • Android123

      Bill, How did you test it? What happened when you moved the wp-config file in 4.7.1 (we’re up to 4.7.3 as I write this) ?

  • It is just an amazing article, brother. I hope it will make my blog secure. Thanks

  • Love two-factor authentication, because this is a great plugin and resolves all types of brute force attack.

  • Hi Ahmad, thanks for providing almost every possible way to protect our site from unwanted risks. Very informative post 🙂

  • Ultimately the best tips for security

  • Glad I found these tips. Will apply them.

  • Learned so many new things. Thanks!

  • Heather Brown

    I was lucky enough to have my hosting site Ecomlane handle my front and back end security for me. Can’t beat free SSL from them!

  • Thanks for this post, I just installed the limit login attempts plugin you suggested. However, I don’t see where to fill in the number of attempts to be allowed. Ideas?

  • Maximilian Bayer

    Is it possible that AskApache Password Protect is preventing Google Authenticator from working? I had the 2-way authentication setup working fine until I activated AskApache Password Protect; now I have a password for my admin panel but the 2-way authentication is gone. Do you know of any conflict between those two plugins?

  • Hey, that’s a really good and helpful checklist. Thanks.

  • That’s really a great checklist. Thanks

  • A visitor

    Very helpful article. thank you Ahmad.

  • Great! It’s very helpful blog for WordPress users.

  • Very informative!


  • Thx for all the tricks.
    I would love to change the name of wp-login.php. But I’m using Plesk and this will break the possibility to log in to WP by clicking Login within Plesk.
    I didn’t find a way to tell Plesk another name instead of wp-login.php – does someone know how?

  • It’s also worthwhile disabling access to xmlrpc.php through .htaccess if you aren’t using it. It can be used to submit like 500 login requests at a time. With 1 GB memory VPS hosting, this brute-force attack through xmlrpc.php would regularly cause the mysql process to run out of memory and the whole site would crash. Disabling access to xmlrpc.php fixed it.

  • yuvanish skyrocker

    Hello, is it possible to lock down the IP address of the failed user login permanently, such that in order to unblock his account, the latter is obliged to send an email to the admin?

    • George

      use wordfence plugin for that


  • Very brief guide, thanks

  • radikaze

    Dude your website is very slow

  • Android123

    I wonder how many of these security plug-ins will play well together. How many of you are running multiple security plug-ins, what are they? Why are you using them?
    Thanks

  • For security purposes, you have explained it very well, no doubt. I got something new from this article. Thanks for sharing!

  • Kassandra Walker

    This was VERY helpful! My site was recently attacked and used to send spam emails through a cron job.

  • We have been sending our customers and free theme users to this article for ages when they mention they have WP security challenges or get hacked due to poor hosting etc.
    If only people implemented 20% of these simple tips… WP’s reputation would be so much better.

  • FlyNavy

    Ahmad

    Thank you for this excellent post on WordPress security. If I had paid $20 for the info you shared in this post, I’d feel I got my money’s worth.

    I prefer to manually do things on my site, as opposed to installing a plugin. Frequently, I’ve found security plugins can play havoc with code on different themes.

    Since I didn’t pay for your knowledge in this post, and I can’t buy you an adult beverage…I promise to hoist one in your honor.

    Cheers

    dubito ergo cogito
    cogito ergo sum

  • Brandon Graves

    Amazing security tutorial to prevent any kind of malicious activity. It will help to secure the WordPress site in a proper way to avoid any kind of cyber attack.

  • Did anyone test these tricks? I would like to know about it. A few of them are well known, but do we need to follow all of the above tricks?

  • Great sharing. These tricks are really helpful for WordPress users. We are under threat from hackers, so increasing security is a big issue. You have done a good job.


  • Rarely do people share such up-to-date information.
    I would like to say in simple words: you need to update everything, plugins, theme and yourself, to update your WordPress security.
    A good host provides you 50% of security, backup etc.

  • Emily Miller

    Comprehensive list! As a CMS, a lot of WordPress’ value and awesomeness comes from the ability to choose and use various open source plugins. This means that although WordPress core itself is actually very secure, when you add in these third party plugins, WordPress’s self-updating abilities add complexity and vulnerability to the situation.

    The only tried and true method to harden your installation is to get rid of WordPress’s ability to self-update, at least in production. Pantheon bakes this level of security directly into the platform—without sacrificing developer productivity. Every site has a Dev, Test, and Live environment, plus developers can use Multidev to collaborate across environments and merge changes. Changes to the codebase are tracked in the dashboard and can be shared with other team members, or moved to the Test environment for final review before going Live.

    End result? A secure production website, freedom for developers to operate, and a standardized method to review changes before they go live.