10+ WordPress Security Tips to Protect Your Websites

8 Mins read
8 Tips to Help you Improve your WordPress Website Security

Getting your website hacked is not fun. It’s a serious matter that needs to be handled with care and intelligence. WordPress is gaining popularity with each passing day. Millions of websites are being powered by WP every minute of the day. However it’s popularity is what makes it so vulnerable to hacking and security threats. Hackers find it easy to hack your WordPress websites through a majority of entry points. Thus, it becomes more important than ever to protect your websites from hacking and spamming.

Hacking is something that cannot be stopped but it is something that should be prevented. Therefore, we have compiled a list of  tips that many cloud service providers, including our own, use to prevent websites from being hacked. The article is going to focus on few ways that can be used to protect your website against hacking and ways that aren’t discussed time and time again on the internet because we understand security is a serious issue and should not be taken lightly.

0. Test Your Site For Vulnerabilities 

Most website developers do not pay attention to the security status of a website. It’s relatively easy to do than it looks. Here are some security testing tools to ensure your website does not expose a common vulnerability. 

1. Don’t Use Premium Plugins For Free

There is a reason why premium plugins are not free. Downloading them from anywhere (un-authorized sites) for free put only your website at risk and obviously, you wouldn’t want that. These pirated copies come with many flaws which give hackers’ direct entry into your website.

Though it’s understandable what it’s like to work within a budget, it doesn’t make sense at all to use pirated plugins. There are various free plugins available as well which can be availed without having to spend even a penny. If you are still really in need of that plugin, you should just pay for it and use it.
You can always go to the digital content marketplace like ThemeForest to shop for authentic WordPress plugins at a low cost. Alternatively, you can hire a freelancer or WordPress expert to do a quick feature upgrade on WordPress.

2. Eliminate PHP Error Reporting

Your website’s security has a lot to do with the loopholes and weak spots in your website. As a matter of fact, if your theme or plugin or any function does not respond properly, it will naturally generate an error message. These error messages may help you solve the problem but for hackers, these are some of the entry points to get access to your website. 
These messages contain the server path, that’s what all hackers are always on the lookout for. Therefore, it is always suggested to disable this error message. This can be done by adding a code in the wp-config.php file. Simply copy and paste this code anywhere in your wp-config file. 

@ini_set(‘display_errors’, 0);

3. Disable Dashboard File Editing

By default, WordPress comes with an option to edit your theme and plugin files right from your dashboard i.e. appearance -> editor. In case, a hacker gains access to your site, he/she can easily make changes in the code and execute anything he/she wants.
Therefore, it is always a bright idea to disable file editing option from your dashboard by adding this code snippet to your wp-config.php file. 

define( ‘DISALLOW_FILE_EDIT’, true );

4. Regular Backups

As we discussed earlier, hacking cannot be stopped, it can only be prevented. Thus, if ever any hacker finds an entry point to your website, or hacks it completely, there is no way you can recover without having a secondary copy of your site. Regularly backing up your website offers you an option to recover your site if something goes wrong with it.

5. Always use Security Plugins 

WordPress comes packed with many security plugins that automatically backs up your website on a daily basis as well as secures it against hacking and spamming.
Some of the best plugins are: 
WordFense security plugin, BulletProof security, and Sucuri Security plugin.

6. Hide your WordPress Version

Well, you probably are wondering why? WordPress is growing and every now and then you encounter a new upgrade of WordPress version. If you run a WordPress website, you probably have heard that you should keep your website up-to-date to prevent security threats. 
If in case, you cannot update your WP version for a reason or two, you are giving an open invitation to hackers to hack your website. However, you can keep this threat at bay by hiding your current version. Reason? As the bugs of previous versions are well known to everybody on the web who uses WordPress, hackers can easily use those loopholes and get access to your website. Hiding WordPress version gives you full control over the update of the latest versions while keeping hacking threats at bay. 
There are certain ways to do so:
Using an older theme? Write this code in your theme’s header.php file

(‘version’); ?>” />

For newer themes, use this code instead

<? remove_action(‘wp_head’, ‘wp_generator’); ?>

7. Use 2-Factor Login Authentication

2-Factor login authentication, as the name suggests, is a two level of login to a service or page. WordPress provides many plugins that help you efficiently implement this 2 level login authentication to your website and make your site more secure. Clef and Rublon are two most popular WordPress plugins that help you implement this strategy. 

Clef makes use of your phone camera to set up the login authentication. However, Rublon uses emails for two-factor authentication. 
You may also like to explore more two-factor authentication plugins for WordPress.

8. Protect Your Files: Htaccess

If you have been running a WordPress website for quite some time, you probably are familiar with the .htaccess file. Well, as a matter of fact, it is one of the most important files of your website. .htaccess file directly affects the permalinks of a website and how it deals with the security issues. .htaccess file can help you prevent your site against any hacking by allowing you to add various code snippets in it. However, make sure whatever code you add in the file should be outside #BEGIN WordPress and #END WordPress tags.
First of all, you should hide your wp-config.php file completely since it is responsible for everything on your website and includes plenty of important details such as database details, user details and more.

Add this code to hide it:

order allow, deny
from all

By adding the following code snippet into a new .htaccess file and upload it to the wp-admin, you can restrict admin access.

order deny, allow
deny from all

You can also restrict wp-login.php in the almost same way.
Add the following code to your .htaccess file.

Deny from all
# access from my IP address

There are various other ways in which you can modify your .htaccess file and secure your website against hackers and spammers.

9. Use SSL Certificates to Encrypt Data.

Using a Secure Socket Layer (SSL) certificate is a very smart move to secure the admin panel of your WordPress website. The SSL certificate always ensures a safe data transfer between the server and user browser. This makes it difficult for the hacker to spoof into your information or breach the connection.

For a WordPress website, it is very easy to set up an SSL certificate. You can either purchase it from the dedicated and authorized SSL reseller like at a huge discount price or you can also ask your hosting service provider to provide you with one. Most of the hosting service provider arranges it as a part of their service.

The SSL certificates also give a boost to your Google ranking. If a website doesn’t have SSL certificate then it will be ranked lower than the one which has the certificate. This will definitely increase traffic on your WordPress website.

10. Change the WordPress database table prefix.

Do you know that the files in the WordPress database table have a prefix “wp-”? Why am I telling this in public, the hackers will get benefited right? They already know that it is just you who didn’t know this (If that’s a shocker to you). Any hacker can hack into your database files just by simple SQL injection.

Hackers and spammers run automated codes for SQL injections. Most of you didn’t bother that all the files in the WordPress database start with the initials “wp-”. You need to change the prefix as this can potentially harm your website.

In order to change the prefix of the WordPress database table, you can either do it manually or with the help of WordPress plugins. In either way, you can easily change the WordPress database table prefix. Plugins like WP-DBManager or iThemes Security can help you do the job with just a click of a button. (Make sure you backup your site before doing anything to the database).

11. Set Directory Permissions Carefully

Most of the websites are hosted on the shared hosting network. This is where wrong directory permissions can be not just harmful but fatal. So, in a shared hosting network, it is wiser to change files and directory permissions to secure the website at the hosting level.

Set the directory permissions to “755” and files to “644” protects the whole file system – directories, subdirectories, and individual files.

You can easily do it with the help of either the file manager in your hosting control panel or through the terminal via the “chmod” command.

You can also use the iTheme Security plugin to check the current permission setting.

12. Conduct The Website Security Audit Regularly 

It doesn’t matter how clever you are, expert hackers always search for new ways to annihilate your website/blog. So, don’t be careless when it comes to your site security. Just conduct the website security audit from time-to-time, find loopholes, and eliminate them as soon as possible. If you can’t do that, consult a reputed tech-company to perform the action.

13. Always Be Prepared For Emergency Situations

Don’t sit idle even if your website is safe and you are implementing the website security practices regularly. Just prepare yourself for unexpected situations, such as,

Unexpected Situations Possible solutions
Your website is hacked
  • Don’t get panic at all,
  • Ask your hosting provider to backup your site,
  • Retrieve your site using backup files,
  • Do the malware removal work.

14. Open Your Website On Virus-Free Computers/Laptops

There are many individuals who own and operate several websites to increase their earnings. Successful website management and operation tasks keep them busy at all the times. So, they tend to access their sites on any available computer/laptop to keep it up-to-date. This is a dangerous practice that can provide a backdoor for hackers to compromise your website.

When you open your website on a computer/laptop (infected with harmful Virus/malware), it is exposed to online security vulnerabilities. Even a single security lapse in your website can enable hackers to bring it down and cause limitless damage to you.

Make sure your computers/laptops are free from harmful programs/data grabbing applications/viruses, etc. Format the infected systems and install the recommended OS, Antivirus, web-browsers, etc. This will reduce the scale of your site’s exposure to online security threats up to a great extent.

Wrapping up

WordPress security is certainly so much more than merely installing a security plugin and keeping strong login passwords. You need to follow a particular strategy and make sure you work on every aspect that may break down your WordPress website.

We hope you find these tips useful and help you protect your site against hacking and spamming.

Article Updates

  • Updated on Aug 2017 with more useful tips.
  • Updated on Dec 2017 with more useful tips.
  • Updated on July 2018 with more useful tips.

This article is contributed by Emily Johns and Lauren McLaren.

Emily Johns is a WordPress developer by profession and a writer by hobby. She works for Wordsuccor Ltd., which is a leading custom WordPress plugin development company based in the USA. If you need to hire a WordPress developer you can connect with them through Google+, Facebook, and Twitter.

Lauren McLaren was born and raised in Australia. She is working as blogger and professional Digital Marketer for Digital Muscle Limited- An SEO Company in Australia providing affordable seo services. She’s hardworking, competent and trustworthy. Her role within the company is to manage team of SEO Experts. In her spare time, she loves to read, cook and watch movies.

Leave a Reply

Your email address will not be published. Required fields are marked *