WordPress Security Guide: 10 Tips to Secure Your WordPress Site


Is your site secure? If not, are you looking to improve your WordPress security?

In this guide, I'll share the tips and strategies I have learned running several WordPress blogs. Lately, WordPress sites have been heavily targeted by attackers, and a lot of users have asked, "Is WordPress secure?"

Yes, WordPress core is secure.

What makes a WordPress site vulnerable is usually what gets added around the core: plugins, themes and, sometimes, the hosting itself. When any of these follows security worst practices, the whole site becomes exposed to a range of attacks and hacks.

Did you know?

WordPress powers around 33% of the websites in the world. That makes it the most popular CMS platform, and also the one attackers spend the most effort on: an exploit for a single widely used plugin or theme works against thousands of sites at once.

My previous site, Shadrackbiwotkeyleafy, was hacked and kept redirecting visitors to a different site. That is why I had to dig in and find ways to harden my WordPress security.

By the end of this guide you will have closed the gaps that most WordPress hacks rely on, so you need not lie awake worrying about losing your site to hackers.

Why all the trouble if WordPress is secure?

By default, WordPress is secure. But as I mentioned earlier, when you host it on a poorly secured server, or add new code in the form of themes and plugins, the attack surface grows and the site can be hacked through that added code.

Have you read the official "Hardening WordPress" help page?

It states:

"Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted.

The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you.

If you’re on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.”

Attackers compromise sites mainly for profit: injecting backlinks to spammy sites, or redirecting your visitors to other websites. (My previous site was the victim of exactly such a redirect hack.)

The owner loses traffic over time (search engines penalize hacked sites), and by the time they notice the real cause, the damage is done.

Top tips to harden WordPress security

1. Use the latest WordPress version

This is the most basic WordPress security tip, and one no WordPress blogger should skip.

Every WordPress release fixes bugs and adds features, and, most importantly, ships security fixes. Once a release is public, the vulnerabilities it fixes are documented in the release notes, so sites that lag behind become easy, well-documented targets.

Since WordPress 3.7, minor and security releases install themselves automatically by default; major releases (for example 5.3 to 5.4) still wait for you to click Update.

So whenever you see the message "WordPress x.x.x is available!", update it.

2. Keep your plugins up to date

Just as WordPress core releases updates to fix bugs and security holes, so do plugins and themes.

A vulnerable plugin or third-party script is one of the most common ways a WordPress site gets compromised, because its code runs with exactly the same privileges as WordPress itself.

Use only plugins that are actively maintained and well supported. If a plugin has not been updated for a long while, replace it with an alternative. And delete plugins you no longer use rather than merely deactivating them: a deactivated plugin's files are still on disk and can still be requested directly over HTTP.

3. Use the latest PHP version

PHP is the language WordPress is written in, and at the time of writing PHP 7.4 is the latest version.

Each PHP release branch gets two years of active support followed by one further year of security fixes only; after that it receives no updates at all, not even for security bugs. Check php.net/supported-versions.php to see whether the branch your host runs is still supported. When this guide was written, that meant anything below PHP 7.1 was no longer receiving security updates.

Most hosting control panels let you switch the PHP version in a couple of clicks. Before you do, create a staging copy of the site and test the newer PHP version there: outdated plugins and themes may break on it, and you want to find that out before it hits production. Tools → Site Health → Info → Server in the WordPress dashboard shows which PHP version the site is actually running on.

4. Configure backups

Since this guide is about securing your WordPress site, you also need to make sure that if something does go wrong, you lose nothing.

Not having a proper WordPress backup solution in place is the biggest mistake most beginners make.

You can use the backup system offered by your hosting company, or a third-party backup plugin or service such as BlogVault, VaultPress or UpdraftPlus.

Note: If your hosting company provides backups, make sure they are stored on a different server from the site itself (a backup that sits next to the site is lost in the same breach), and restore one every so often to confirm it actually works.

5. Go for a reliable hosting company

The foundation of a secure website is a server with enough protection in place to keep attackers out.

A secure WordPress host usually:

  • runs a network firewall and a web application firewall that filter malicious traffic and absorb DDoS attacks
  • uses current hardware in a data center with proper physical security
  • keeps the operating system updated and applies security patches promptly
  • runs intrusion detection to flag malicious activity or policy violations

If your current host offers none of this and gives no security-related support, moving to one that does makes a huge difference.

6. Hide your WordPress version

If you are a few days late updating WordPress core, the version number advertised in your page source tells attackers exactly which known vulnerabilities to try.

Most theme designers already remove it, but to make sure, add this line inside the existing PHP block of your theme's functions.php (ideally in a child theme, so the change survives theme updates):

<?php
// Stop WordPress printing <meta name="generator" content="WordPress x.x.x"> in <head>
remove_action('wp_head', 'wp_generator');

Be clear about what this buys you: it removes only the meta tag. The version is still visible in the generator element of your RSS feed, in the ?ver= query strings on core scripts and stylesheets, and in readme.html in the site root, and scanners such as WPScan fingerprint the version from those and from hashes of static files. Treat hiding the version as tidying up; the real fix is tip 1. After adding the line, view the page source to confirm the generator tag is gone.

7. Use a strong login password

Make your password long and unique. A long random passphrase matters far more than a couple of special characters (%&*#), and the password must never be reused on another site, because credentials leaked elsewhere are the first thing attackers try. Rotating it every 5 or 6 months does no harm, but uniqueness and length are what actually stop attacks.

I'd also recommend the Limit Login Attempts plugin. It records the IP address and timestamp of every failed login and, after a set number of failures from one IP, blocks that IP for a while. This blunts brute-force attacks. Two caveats: if your site sits behind a CDN or reverse proxy, the plugin must be configured to read the real client address from the forwarded header, otherwise every visitor appears to come from the proxy and the proxy itself gets banned; and attackers also brute-force logins through xmlrpc.php, so make sure whatever rate-limiting you use covers that endpoint too.

You should also use a password manager such as Dashlane, which generates and stores a different strong password for every site, so the WordPress one is never reused anywhere else.
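To see what a login limiter is reacting to, it helps to look at the raw access log yourself. The script below is an added example written for this guide (it is not code from the original post or from the Limit Login Attempts plugin) that counts failed wp-login.php POSTs per client IP in a standard "combined" format access log and turns the offenders into an Apache block rule. It assumes the default WordPress behaviour that a failed login is answered with HTTP 200 (the form re-rendered with an error) and a successful one with a 302 redirect; the log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: find clients that hammer
# wp-login.php in an Apache/nginx "combined" access log. Assumption (default
# WordPress behaviour): a failed wp-login.php POST returns HTTP 200, a
# successful one returns 302 to wp-admin.

# Constructed sample log lines standing in for /var/log/apache2/access.log.
# 203.0.113.7 is a password-guessing bot, 198.51.100.22 a real user who
# mistypes twice and then gets in, 192.0.2.1 only loads the login form.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2020:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Mar/2020:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Mar/2020:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Mar/2020:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Mar/2020:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Mar/2020:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "-" "python-requests/2.22.0"
198.51.100.22 - - [10/Mar/2020:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2020:12:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 2311 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2020:12:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.1 - - [10/Mar/2020:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1987 "-" "Mozilla/5.0"'

# failed_logins THRESHOLD   (log on stdin)
# Prints "<failures> <ip>" for every client with at least THRESHOLD failed
# login POSTs, most aggressive first.
failed_logins() {
    awk -v limit="$1" '
        # combined-format fields: $1 client IP, $6 "METHOD (with the opening
        # quote still attached), $7 request path, $9 HTTP status
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fail[$1]++ }
        END {
            for (ip in fail)
                if (fail[ip] >= limit) print fail[ip], ip
        }' | sort -rn
}

# block_rules THRESHOLD   (log on stdin)
# Turns the offenders into an Apache 2.4 rule for the site .htaccess that
# keeps them away from the login form. Review it before you paste it in.
block_rules() {
    failed_logins "$1" | awk '
        BEGIN { print "<Files wp-login.php>"; print "    <RequireAll>"; print "        Require all granted" }
        { print "        Require not ip " $2 }
        END { print "    </RequireAll>"; print "</Files>" }'
}

echo "Clients with 5 or more failed logins:"
printf '%s\n' "$SAMPLE_LOG" | failed_logins 5
printf '%s\n' "$SAMPLE_LOG" | block_rules 5
```

On a real server, replace the sample with `tail -n 5000 /var/log/apache2/access.log | failed_logins 10`. Keep the threshold high enough that a forgetful legitimate user (two or three failures) is never listed, and note that xmlrpc.php cannot be checked this way because it answers 200 whether or not the credentials were right; rate-limit that file by request count instead.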

8. Check WordPress file and folder permissions

Open File Manager in your cPanel (or run ls -l over SSH) and check the permissions on your WordPress folders and files.

The values WordPress itself recommends are 755 for directories and 644 for files: the owner can write, everyone else can only read (and, for directories, traverse). Note that 744 on a directory is not enough if the web server runs as a different user from the file owner, because without the execute bit it cannot enter the directory at all. If anything is 777, consider yourself extremely lucky that you haven't been hacked yet: every other account and process on the server, including a compromised neighbouring site on shared hosting, can write to it. The one file that deserves tighter permissions is wp-config.php, which holds your database credentials; 600 or 440 works when PHP runs as the file owner, which is the case on most cPanel-style shared hosts.

Many bloggers change hosts without realizing that the migration also changed their file permissions. Verify all file permissions after every migration.
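Clicking through File Manager does not scale past a handful of folders, so here is the same check and repair as a shell script. It is an added example written for this guide, not code from the original post or from WordPress; it assumes the standard layout (wp-config.php in the site root) and that PHP runs as the owner of the files, and it builds a throw-away directory tree with two deliberately bad permissions so it can be run anywhere without touching a real site.

```shell
#!/bin/sh
# Added example, not from the original post: audit and repair file permissions
# on a WordPress install. Assumes wp-config.php lives in the site root and that
# PHP runs as the file owner (the usual cPanel-style shared-hosting setup).

# audit_perms DIR: list everything under DIR that is world-writable
# (777, 666, ...), i.e. writable by every other account on the server.
audit_perms() {
    find "$1" -perm -002 -print | sort
}

# fix_perms DIR: apply the permissions the WordPress documentation recommends:
# 755 on directories, 644 on files, and owner-only on wp-config.php because it
# holds the database password. Use 640 or 644 on wp-config.php instead of 600
# if PHP runs as a different user from the file owner, or the site will break.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# make_sample_site: build a constructed, throw-away tree (not a real site)
# containing the two classic mistakes: a 777 uploads folder, made writable
# "so uploads work", and a 666 plugin file left behind by a sloppy FTP client.
make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-content/plugins/akismet"
    printf '<?php\n' > "$dir/wp-config.php"
    printf '<?php\n' > "$dir/wp-content/plugins/akismet/akismet.php"
    chmod 777 "$dir/wp-content/uploads"
    chmod 666 "$dir/wp-content/plugins/akismet/akismet.php"
    echo "$dir"
}

site=$(make_sample_site)
echo "World-writable before fix:"
audit_perms "$site"
fix_perms "$site"
echo "World-writable after fix (should be empty):"
audit_perms "$site"
rm -rf "$site"
```

Against a real site, run `audit_perms /home/you/public_html` first and look at what it prints before running `fix_perms` on the same path; if the audit lists wp-content/uploads, check whether your host runs PHP as your user (then 755 is fine) or as a shared www-data user (then uploads needs group write and a proper group, not 777).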

9. Hide Plugins directory

The plugins folder, /wp-content/plugins/, should not show a listing of the folders and files inside it: such a listing tells an attacker exactly which plugins you run, and each plugin's readme.txt then tells them which version.

Open https://yoursite.example/wp-content/plugins/ in a browser. If you see a list of folders and files, directory indexing is on and you need to turn it off.

On Apache, create a new .htaccess file with the content below and drop it in your plugins directory. (The "# BEGIN WordPress" rewrite block you may see in tutorials is the front-controller rule for the site root's .htaccess; it does nothing useful inside the plugins directory.)

# Hide every entry from the directory index of wp-content/plugins
IndexIgnore *

IndexIgnore * leaves indexing enabled but hides every entry, so the listing comes back empty. The cleaner fix is the Options -Indexes directive, which turns listings off altogether; put it in the site root's .htaccess and it covers wp-content/uploads and wp-content/themes as well. Either directive needs the host to allow it in .htaccess files (AllowOverride); if the site returns a 500 error right after you add one, that is why. WordPress also ships an empty index.php in wp-content/plugins for the same purpose, so leave it in place. On nginx there is nothing to do unless you enabled autoindex yourself. Remember this is defence in depth, not a wall: an attacker who guesses a plugin name can still request /wp-content/plugins/that-plugin/readme.txt directly, which is why tip 2 matters more.

10. Delete the default admin user

This is one of the most important tips for anyone who wants a secure WordPress blog. The default "admin" username is the first one every brute-force bot tries, because most people never change it.

When installing WordPress, choose a custom username; do not use "admin".

On an existing site, WordPress does not let you rename a user, so do it in two steps: create a new user with the Administrator role, and give it a nickname (the display name shown publicly on posts) that differs from the login name. Then log out, log back in as the new administrator, and delete the old "admin" user. When WordPress asks what to do with that user's content, choose "Attribute all content to" the new account, otherwise every post written by admin is deleted with it. One caveat: the URL /?author=1 redirects to the author archive, whose slug is derived from the login name, so usernames can still be enumerated that way; most security plugins offer an option to block author enumeration if that concerns you.

Final Thoughts

I hope this guide helped you to understand the importance of WordPress security and helped you harden it.

Do let us know of other security tips you would like to give to other bloggers for their WordPress security. Share your tips in the comments below!
