21 Ways To Keep WordPress Secure

WordPress is secure in general, but vulnerabilities do surface from time to time. You can minimize your exposure by following our 21 ways to keep your WordPress installations secure. Keeping everything up to date is essential, as is doing everything else you can to reduce security risks.

1. Use WordPress Hosting that is Secure

The most important thing for WordPress security is your hosting. Although web hosting companies will tell you that their servers are very secure, few go the extra mile and offer real protection. At PlusPlus Hosting we go that extra mile for you.
With our WordPress Premium Hosting packages, we provide complete malware and firewall protection. We use Imunify360 which is an AI based, self-learning system to protect all of your websites and files. You get real-time blocking and protection to ensure that your WordPress installations are always malware free.

2. Use the latest version of PHP

WordPress relies on PHP, so you need to ensure that your host is providing the latest version. When a new version of PHP is released, there are usually two full years of support to fix any issues and patch any security vulnerabilities. If you are running on an old version of PHP, that support has probably expired.

3. Ensure you use HTTPS

We would always recommend that you install an SSL certificate on all of your WordPress installations. The HTTPS protocol is far more secure than the conventional HTTP protocol. Installing an SSL certificate yourself can be tricky. Take advantage of our Enterprise Premium WordPress Hosting package where you get free SSL installations for all your hosted domains.

4. Use an Email Address instead of a Username

To log in to your WordPress dashboard you need to enter a username and a password. It goes without saying that you need to make these as secure as possible. Guessing a username is a lot simpler than guessing an email address. Forget about using “admin” as your username, as so many do, and use a unique email address instead.

5. Use Failed Login Lockdown

If a hacker is determined to log in to your WordPress installation, they can use a brute-force attack, trying password after password until one works. To avoid this, you can lock down your WordPress site after someone attempts to log in with the wrong password a specific number of times.

6. Enable two-factor authentication (2FA) for additional Security

It is fairly easy to set up two-factor authentication (2FA) for logging in to your WordPress dashboard. To log in successfully you will need to enter two different pieces of information. There are plugins available that add 2FA to your login.

7. Use a Strong Password

Don’t use “password” or “12345678” as this is just asking for trouble. Use a password that is almost impossible to guess. There are free password generators online that you can use. You can also store your passwords using a password manager service.

8. Use the latest versions of Themes, Plugins and WordPress itself

The WordPress platform is updated fairly regularly and you always need to use the latest version. Themes and plugins are also updated to fix issues, including security flaws, so you need to ensure that you only use the latest versions of those too. You can set WordPress to update automatically, which we recommend.

9. Protect your wp-config.php file

You do not want your wp-config.php file falling into the wrong hands. This is the most critical file for the security of your WordPress installation: it contains your security keys and your database login information, so you need to take good care of it. Move your wp-config.php file to a location that is not easily accessible.

10. Use the Sucuri Plugin

There is a free plugin available called the “Sucuri Scanner” and we recommend that you install this on each of your WordPress installations. This plugin will check for failed logins, file integrity, malware and much more.

11. Have a Backup Solution

You just never know when something can go wrong, no matter how secure your WordPress website is. There are a number of backup plugins available that will make a full backup of your WordPress installation (store the backups somewhere other than your hosting account).

12. Disable any File Editing

By default, a WordPress installation lets you edit theme and plugin files using a built-in editor. This is very dangerous in the wrong hands, since anyone with dashboard access can change the code that runs your site. You can add a line of code to your wp-config.php file to disable this feature.
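Items 3, 9, 12 and 17 all come down to settings in wp-config.php. The file below is an added example written for this article, not code from the original post or from WordPress itself: every constant it defines is a standard WordPress setting, while the database credentials and the security keys are placeholders that you must replace with your own values.

```php
<?php
/**
 * wp-config.php with the hardening settings from this article applied.
 *
 * Added example, not code from the original post. All constants are real
 * WordPress settings; credential and key values are placeholders.
 */

// Item 17: database settings. Pick a database name that cannot be guessed
// from the site name (the value here is a placeholder, not a suggestion).
define( 'DB_NAME', 'REPLACE_WITH_UNRELATED_DB_NAME' );
define( 'DB_USER', 'REPLACE_WITH_DB_USER' );
define( 'DB_PASSWORD', 'REPLACE_WITH_DB_PASSWORD' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );

// Item 9: security keys and salts. Replace every placeholder with the unique
// values generated at https://api.wordpress.org/secret-key/1.1/salt/ and
// generate fresh ones if you ever suspect this file has been read by someone
// else; changing them logs every user out, which is exactly what you want then.
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

$table_prefix = 'wp_';

// Item 3: serve the dashboard and the login page over HTTPS only.
define( 'FORCE_SSL_ADMIN', true );

// Item 12: remove the built-in theme and plugin file editors from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Item 8: install core updates automatically. The default ('minor') installs
// security and maintenance releases only; true also installs major releases.
define( 'WP_AUTO_UPDATE_CORE', true );

/* That's all, stop editing! Happy publishing. */

// This guard is what lets the file live outside the WordPress directory:
// when wp-load.php finds it one level up, ABSPATH is already defined.
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

For item 9, WordPress automatically looks for wp-config.php one directory above the installation directory if it is not found in the installation itself, so on most hosts you can move the file above the public web root without any further configuration. After saving the file, confirm that the Theme File Editor and Plugin File Editor entries have disappeared from the dashboard menus and that the dashboard redirects plain http:// requests to https://.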

13. Prevent PHP File Execution in Specific Directories

There is no need for all of your WordPress directories to be able to execute PHP files. Add some simple code to the .htaccess file in each directory where you want to prevent PHP file execution. This is another good way to make your WordPress installation more secure.

14. Disable Directory Browsing

If a hacker is able to browse your WordPress directories, they can identify any files that are vulnerable to attack. You can turn off directory browsing, and we strongly recommend that you do so. It just requires a simple change to your .htaccess file.

15. Disable XML-RPC

If you have XML-RPC enabled, you make it easier for hackers to run brute-force attacks. Unless you have a specific use for XML-RPC, we strongly recommend that you disable it. The most effective way to do this is by modifying your .htaccess file.
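Items 13, 14 and 15 are all a few lines of Apache configuration. The two fragments below are an added example written for this article, not configuration from the original post; they assume an Apache host that honours .htaccess overrides, and the <IfModule> branches cover both the Apache 2.4 (Require) and the older 2.2 (Order/Deny) access-control syntax.

```apache
# --- wp-content/uploads/.htaccess (item 13) ---
# The uploads tree should only ever hold media. Refuse to serve anything
# with a PHP-style extension from it, whatever the file is called.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>

# --- .htaccess in the WordPress root (items 14 and 15) ---
# Keep these lines outside the "# BEGIN WordPress" / "# END WordPress"
# block: WordPress rewrites that block whenever permalink settings are saved.

# Item 14: never list a directory's contents when it has no index file.
Options -Indexes

# Item 15: block xmlrpc.php outright. Leave this out if something you rely
# on needs XML-RPC (the Jetpack plugin and the WordPress mobile apps do).
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
```

Two caveats before you copy this in: .htaccess files are ignored by nginx, so ask your host which web server is in use, and Options -Indexes causes a 500 error if the host's AllowOverride setting does not permit Options in .htaccess. To check the result, request /xmlrpc.php and a directory without an index file (for example /wp-content/uploads/) in a browser; both should now return 403 Forbidden rather than a response body or a file listing.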

16. Use an FTP Client to change File Permissions

Before you do this, check with your hosting provider to ensure that it will not affect your ability to operate WordPress. You can use an FTP client such as Core FTP to change the file permissions so that others on the same server cannot read your files.

17. Change the name of your WordPress Database

When you install WordPress, it is likely that your database associated with it will have a name similar to your site. Let’s say that your site is called “Crypto Tricks” then your database could be called wp_cryptotricks. This is easy for a hacker to guess. Use a different name for your WordPress database.

18. Secure Connections

Your host should allow SFTP or SSH connections. These are a lot more secure than a standard FTP connection, which sends your password and your files unencrypted. Set your FTP client to use SFTP at all times to protect your data.

19. Change your WordPress login URL

You may be unaware that you can change the login URL for your WordPress site. A default installation accepts logins at wp-login.php and wp-admin, and hackers know to look for both. Use a plugin to change your WP login URL.

20. Hide your WordPress Version Number

With a conventional WordPress installation, it is very easy for anyone to find the version you are using. A hacker can customize an attack on your WordPress site if they know what version it is. Most of the security plugins available will allow you to hide your WordPress version.
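Items 5 and 20 can both be implemented without a plugin, as a small must-use plugin file. The code below is an added example written for this article, not code from the original post or from the Sucuri plugin it mentions; the file name, the attempt limit and the lockout duration are assumptions you can tune, and every hook and function it calls is standard WordPress API.

```php
<?php
/**
 * Plugin Name: Login lockdown and version hiding (added example)
 *
 * Save as wp-content/mu-plugins/harden-login.php (file name is an assumption);
 * files in mu-plugins load on every request without needing activation.
 * Not code from the original post or from any plugin it mentions.
 */

// ---- Item 5: lock an address out after repeated failed logins ----

const HARDEN_MAX_ATTEMPTS    = 5;       // assumption: lock after 5 failures
const HARDEN_LOCKOUT_SECONDS = 15 * 60; // assumption: 15-minute lockout

/**
 * Transient name for the client address. REMOTE_ADDR is used on purpose:
 * client-supplied headers such as X-Forwarded-For can be forged. Behind a
 * reverse proxy, have the web server rewrite REMOTE_ADDR (Apache's
 * mod_remoteip, for example) instead of trusting a header here.
 */
function harden_login_key() {
	$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
	return 'harden_login_' . md5( $ip );
}

// WordPress fires wp_login_failed for every rejected login, including via XML-RPC.
add_action( 'wp_login_failed', function ( $username ) {
	$key      = harden_login_key();
	$attempts = (int) get_transient( $key ) + 1;
	set_transient( $key, $attempts, HARDEN_LOCKOUT_SECONDS );

	if ( $attempts === HARDEN_MAX_ATTEMPTS ) {
		// One line in the PHP error log per lockout gives you something to alert on.
		error_log( sprintf(
			'WordPress login lockout for %s after %d failures (last username tried: %s)',
			$_SERVER['REMOTE_ADDR'] ?? 'unknown', $attempts, sanitize_user( $username )
		) );
	}
} );

// Refuse to authenticate while the address is locked, whatever the password.
// Priority 30 runs after WordPress's own username/password checks (priority 20),
// so a WP_Error returned here is the final result of the authenticate filter.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( (int) get_transient( harden_login_key() ) >= HARDEN_MAX_ATTEMPTS ) {
		return new WP_Error(
			'too_many_attempts',
			__( 'Too many failed login attempts. Please try again later.' )
		);
	}
	return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
	delete_transient( harden_login_key() );
}, 10, 2 );

// ---- Item 20: stop advertising the WordPress version ----

// Remove the <meta name="generator" content="WordPress x.y"> tag from <head>.
remove_action( 'wp_head', 'wp_generator' );

// Blank the generator string that RSS and Atom feeds print.
add_filter( 'the_generator', '__return_empty_string' );

// Strip the ?ver= query string WordPress appends to core script and style URLs,
// which otherwise repeats the version number on every page.
function harden_strip_version_query( $src ) {
	return $src ? remove_query_arg( 'ver', $src ) : $src;
}
add_filter( 'script_loader_src', 'harden_strip_version_query' );
add_filter( 'style_loader_src', 'harden_strip_version_query' );
```

Both wp-login.php and XML-RPC go through the authenticate filter, so the lockdown covers both entry points. Note that while an address is locked, even a correct password is rejected and counted as a failure, so each further attempt extends the lockout by another HARDEN_LOCKOUT_SECONDS; that is the intended behaviour, but it is worth knowing when a legitimate user reports being locked out. Hiding the version number is hygiene rather than protection: the readme.html file in the site root still states the version unless you remove it, and the only real defence is keeping WordPress updated (item 8).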

21. Change your Password often

Not only should you change your WordPress password often, you should also make it more difficult to crack each time. A long passphrase that you can keep in mind can be more secure than a short password padded with special characters, and you will remember it a lot more easily.
