Cybercrime is at an all-time high with hackers and malware rampaging across the vast online landscape. Google blacklists over 20,000 websites for having malware and over 50,000 websites as potential phishing websites – every single week! Let the numbers sink in for a moment. And so, for the purpose of this read, we have put together a comprehensive guide to help you improve your WordPress security.
You see, if your website fails to adhere by the best security practices, then you will leave your site and all its content subject to getting hacked. But it’s not just your content that’s on the line, as unsecured websites are also penalized by Google’s search algorithms.
Hackers and malware are not only dangerous to your website content, but these also hold a threat to people visiting your website. And so, if you fail to adhere to the basic security guidelines – which by the way is very simple to do – Google will demote you on the SERP (Search Engine Results Page).
Luckily, WordPress users have access to dedicated plugins and an ultra-intuitive interface which can help crank up your WordPress security by a significant margin. So without keeping you waiting any longer, here are our top 10+ Ways To Improve Your WordPress Security:
Top 10+ Ways to Improve Your WordPress Security
1. Install Backup Plugins
The concept here is pretty simple – it’s better to be safe now, than sorry later!
By backing up your online content and database, everything is kept safe and secure even under the unfortunate event of falling prey to hackers and malware. This makes installing a backup plugin the first chapter WordPress security 101 and puts it at the top of the priority list.
A backup plugin like our WPvivid Backup Plugin can take automatic routine backups of your entire WordPress website including the database. You can configure it to schedule the backups to be either weekly or daily. The backed up data is generally stored in a separate cloud storage platform – either provided by the plugin itself, or among the different already existing platforms like Google Drive, Amazon S3, Dropbox, and so on.
Now, if at a later instance, your site breaks due to malware or hackers, all your data will still be accessible and you can restore the backups to your website to get it back to its previous working condition. Just remember to cover up the security vulnerabilities which the hackers or malware used to get into your website so that it doesn’t happen again.
With all this being said, if you are looking for some recommendation on which backup plugin in addition to our WPvivid Backup Plugin to use for improving your WordPress security, then here are some options:
- UpDraftPlus
- BackWPup
2. Install A Firewall Plugin To Monitor Your WordPress Site
Similar to the firewall software you have set up on your desktop/laptop, a firewall plugin will monitor incoming traffic and block common security threats from reaching your WordPress website.
The plugins generally refer to a database consisting of malicious signature and blacklisted IP addresses to scan out the potential threats coming to your website, and blocks them straight away.
As you can see, it is as simple as installing a WordPress plugin but improves your WordPress security by preventing hackers, malware, worms, and viruses from entering your website.
3. Set A Strong Password for Admin Login
When you think about it, getting access to your WordPress backend dashboard isn’t that big of a deal. This is common knowledge that adding “/wp-admin” at the end of a WordPress site URL takes the user to the admin login page. Here the only thing limiting access to the website’s backend is simply guessing the username and password.
Now, since the username “admin,” is almost always associated with a WordPress website, the only thing the hacker needs to do is guess the password and then they will have direct access to all your website content and data. A scary thing to imagine isn’t it?
With all this in consideration, the most obviously WordPress security enhancement you can employ is to make your password extremely complex and hard to decipher even by brute force. This includes creating longer passwords with at least 10-12 characters. Also remember to use capital letters, small letters, numbers, and special characters in your password.
And just so you don’t end up forgetting it yourself, write it down someplace where you know it will be safe and secure.
4. Customize Admin Username
Similar to changing the password of your WordPress admin login, you should also consider changing the easily predictable default username – admin. So now the hacker needs to decipher the password along with the correct username to get into your site’s backend, which exponentially increases your WordPress security.
But with that being said, changing the default admin username is somewhat difficult. First, you need to login to your WordPress backend > User > Add New User, and then create a new user (with the new username) with the User Role set to – Administrator. Once done, log in with the new user account and delete the default “admin” user account, forcing hackers to not only decipher the correct password but also your new username. Alternative, you can manage and edit user roles using a user role editor plugin.
5. Customize Login URL
Till now we talked about how to make it difficult for the hackers to guess your WordPress backend login credentials. But, an even better WordPress security tactic would be denying the hackers’ access to your login screen altogether.
As mentioned earlier, the default URL for the backend login page of your website involves your website URL followed by “/wp-admin.” However, did you know that you can customize the last part of your website login URL to any different alphanumeric string you can imagine, like – “/zero-hackers-allowed.”
However, do note that this is not a default feature of the CMS (Content Management System), and you will need to install a WordPress plugin like WPS Hide Login to help you. Once installed and activated, the plugin will allow you to change the login URL so that hackers can’t easily access the wp-login.php page and the wp-admin directory.
By now, not only have we made it difficult for the hackers to guess the right password and username combination to access our site, but we have also effectively hidden the login page from prying eyes. As you can imagine, this drastically increases your WordPress security and makes brute force attacks virtually impossible.
6. Set Strong Password For Database User
If your website has multiple users with some of them having direct access to your database or other sensitive information, then make sure they set strong passwords for their accounts. Hackers are equally likely to try and get into your website by exploiting the other users on your website. With this in mind, any loose end is a potential vulnerability and a security threat.
You can make it compulsory for users to assign a strong password with their accounts by following the steps mentioned earlier. Alternatively, you can use third-party plugins to force users to create a strong password to complete their account creation process.
7. Enable SSL (HTTP to HTTPS)
SSL, short for Secure Sockets Layer is the standard security protocol on the internet that creates an encrypted connection between the client and the server. Once activated, you will notice that HTTP text at the start of your URL is replaced with HTTPS or HTTP secured. By enabling an SSL certificate, you make it harder for hackers to siphon data while it’s being transmitted between the server and the client.
Google also takes SSL certification very seriously. For example, websites that are still on HTTP are shown as “not secure” on Google Chrome browser. Furthermore, they are also penalized by their search engine algorithm. While on the flipside, SSL certified websites’ HTTPS are awarded by the search engine. Therefore, we have put installing an SSL as the first step to seo a new WordPress blog.
These two points should be enough reason for you to install an SSL certificate on your website – especially when you consider it isn’t that big of a hassle. First of all, mostly all the popular web hosting services include an SSL certificate for free. And in case you didn’t get one for free, you can do so easily by using Let’s Encrypt.
You even have access to a dedicated WordPress SSL plugin – Really Simple SSL to turn HTTP into HTTPS and improve your WordPress security.
8. Move wp-config To A Higher Level Than Root Directory
By default, the wp-config.php is located inside the same folder as your WordPress blog/website. This can be a security nightmare as the file contains your MySQL database username, password, WordPress authentication keys, and other sensitive data.
If someone gets a hold of this file, then they basically have complete control over every nitty gritty of your website. This is why even the WordPress codex recommends that users should move the wp-config.php away from the default root directory to a higher level folder which doesn’t have public access.
This can be easily achieved by including the following code snippet in the .htaccess folder:
<files wp-config.php> order allow, deny deny from all </files>
As you can see, it does involve messing around with the core files of your WordPress website, and so it is advised that you take a backup before going forward with this step.
9. Prevent to List Directory with .htaccess When A Folder Has No index.php File
Directory listing, also known as directory browsing allows any user to view the content of individual folders (directories) on your website. As you can imagine, this calls for great security concerns as hackers can effortlessly surf through all your different files and locate potential vulnerabilities to break into your website.
Now, in defense of the WordPress CMS, certain directories do contain an index.php files which the server instantly runs/loads when someone enters the folder. This prevents the onlookers from browsing your directories and getting access to your site structure.
But what if the index.php file is not present?
Even then, the issues can be easily resolved by making a minor tweak to the .htaccess file. All you have to do is simply add the following line at the end of the .htaccess and save it.
Options All -Indexes
Once done, if a user tries to access any of your directories that lacks an index.php file, it will show a 403 access forbidden or 404 page not found error to the user.
10. Update WordPress Regularly
WordPress is immensely popular, powering over 30% of all websites on the World Wide Web. This makes the CMS the prime target of hackers and malicious actors. They are always busy finding security vulnerabilities and loopholes in the code which they can exploit to gain access to your site’s data.
Likewise, the WordPress development team is also actively searching for bugs and security flaws, so that they can patch them before the hackers exploit them. Therefore, upgrading to the latest version of WordPress, isn’t simply about accessing new features and functionalities, but also about making sure that the code doesn’t have any flaws which hackers can exploit.
Now, once a new WordPress update releases, the whole world, including the hackers can learn about the security vulnerabilities that were present in the previous version. If you procrastinate on upgrading your site quickly to the latest iteration, then hackers can take advantage of the now known security vulnerabilities on your site making your WordPress security much weaker than before. Besides, since WordPress is built with PHP, it’s also important to upgrade your WordPress site to the latest PHP version to improve your website performance and security. Do remember to make a full backup of your site before doing any update!
11. Remove WordPress Version Number
Although you should always upgrade your WordPress website as soon as a new CMS update is released, but sometimes, it isn’t the best decision you can take. Some possible reasons for delaying site upgradation might be because of a buggy update, compatibility issues with your present plugins and themes, and so on.
However, as we just discussed, postponing the upgrade does open you up to a plethora of security threats and hack attempts. But this can be avoided if you can remove the WordPress version number from your website. That’s why hackers won’t imminently know that your site is running on an older version which reduces your chances of getting exploited by the newly discovered security flaws.
Now, to remove the WordPress version number from your website, you need to head on over to the functions.php file and enter the following code snippet:
function remove_wordpress_version() { return ''; } add_filter('the_generator', 'remove_wordpress_version');
This will remove the WordPress version number from both your head file and RSS feed making sure there is no way for hackers to guess which version of WordPress you are using.
In Conclusion
So these were some of our recommended tips and tricks for improving your WordPress security. We hope you found this read to be helpful and that it was a useful resource in making your site more safe and secure.
As you can see, much of the improvements can be made by simply following some basic one or two steps and installing some security plugins. Now there are some technical aspects you should take care of as well. However, you don’t need to worry about it that much if you’re just starting out with your WordPress blog/website.
But as your site keeps growing, do realize that the hackers will try harder to break in and cause trouble. As such, always keep up to date with the latest security trends, not to mention covering all the technical steps discussed above like moving your wp-config file and password protecting your database.
With all this in context, experienced users are encouraged to lean into the conversation and add their personal tactics for ensuring their site is free from hackers and malware. Your fellow readers will be highly benefited by your insights, and it might help them safeguard their site from potential cyber threats.
In case you may also be interested, here is our comprehensive guide on how to monetize a blog.