1. Use WordPress Hosting that is Secure
The most important thing for WordPress security is your hosting. Although web hosting companies will tell you that their servers are very secure, few go the extra mile and offer real protection. At PlusPlus Hosting we go that extra mile for you.
With our WordPress Premium Hosting packages, we provide complete malware and firewall protection. We use Imunify360, an AI-based, self-learning system, to protect all of your websites and files. You get real-time blocking and protection to ensure that your WordPress installations are always malware free.
2. Use the latest version of PHP
WordPress relies on PHP and you need to ensure that your host is providing the latest version. When a new version of PHP is released, there are usually two full years of support to fix any issues and patch any security vulnerabilities. If you are running on an old version of PHP then this support is likely to have expired.
3. Ensure you use HTTPS
We would always recommend that you install an SSL certificate on all of your WordPress installations. The HTTPS protocol is far more secure than the conventional HTTP protocol. Installing an SSL certificate yourself can be tricky. Take advantage of our Enterprise Premium WordPress Hosting package where you get free SSL installations for all your hosted domains.
4. Use an Email Address instead of a Username
To log in to your WordPress dashboard you will need to enter a username and a password. It goes without saying that you need to make these as secure as possible. Guessing what a username could be is a lot simpler than trying to guess an email address. Forget about using “admin” as your username as so many do – use a unique email address instead.
5. Use Failed Login Lockdown
If a hacker is determined to log in to your WordPress installation, then they can use brute force attacks to try to achieve this. To avoid this, you can lock down your WordPress site if someone attempts to log in using the wrong password a specific number of times.
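A lockdown plugin decides per account; on the server side you can see the same brute force pattern in the web server access log, where a failed wp-login.php POST answers with HTTP 200 (the form is shown again) and a successful one with a 302 redirect to the dashboard. The following POSIX shell script is an added example, not code from this article or from PlusPlus Hosting: it counts failed login POSTs per client IP in an Apache or nginx "combined" format log and lists the clients above a threshold. The log lines and the IP addresses in it are constructed for the example (documentation address ranges), and the 200/302 assumption is stock WordPress behaviour that a custom login page may change.

```shell
#!/bin/sh
# Added example, not code from the PlusPlus Hosting article: count failed
# wp-login.php POSTs per client IP in an Apache/nginx "combined" access log.
# Assumption: a failed login re-renders the form (HTTP 200) while a successful
# one redirects to the dashboard (HTTP 302), which is stock WordPress behaviour.
# The log lines below are constructed; 203.0.113.0/24, 198.51.100.0/24 and
# 192.0.2.0/24 are documentation ranges, not real clients.

SAMPLE_LOG='203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2024:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"'

# write_sample_log <path>: materialise the constructed log so the functions
# below can be exercised without a real server.
write_sample_log() { printf '%s\n' "$SAMPLE_LOG" >"$1"; }

# failed_logins_by_ip <logfile>: "count ip" per client, most failures first.
# Combined-format fields: $1 client, $6 "method, $7 path, $9 status.
# A GET of the form is not a login attempt; a 302 is a success, so neither counts.
failed_logins_by_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# suspicious_ips <logfile> <threshold>: clients at or above <threshold> failures,
# i.e. the ones a lockdown rule or a firewall block should already be acting on.
suspicious_ips() {
  failed_logins_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Demo against the constructed log; on a real host point the functions at
# /var/log/apache2/access.log or nginx's access.log instead.
demo_log=$(mktemp)
write_sample_log "$demo_log"
echo "clients with 3 or more failed logins:"
suspicious_ips "$demo_log" 3
rm -f "$demo_log"
```

Run it once against a day of real logs and the threshold you pick for the lockdown plugin becomes a number you have seen, rather than a guess; the same two functions also make a cheap daily cron check that the lockdown is actually working (a client with dozens of 200 responses in a row means it is not).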
6. Enable two-factor authentication (2FA) for additional Security
It is fairly easy for you to set up two-factor authentication (2FA) for logging in to your WordPress dashboard. To successfully log in you will need to enter 2 different sets of information. There are plugins available to change your login to 2FA.
7. Use a Strong Password
Don’t use “password” or “12345678” as this is just asking for trouble. Use a password that is almost impossible to guess. There are free password generators online that you can use. You can also store your passwords using a password manager service.
8. Use the latest versions of Themes, Plugins and WordPress itself
The WordPress blogging platform is updated fairly regularly and you always need to use the latest version. Themes and plugins are also updated to fix issues, including security vulnerabilities, so you need to ensure that you only use the latest versions. You can set WordPress to update automatically, which we recommend.
9. Protect your wp-config.php file
You do not want your wp-config.php file falling into the wrong hands. This is the most critical file for the security of your WordPress installation. It includes security keys and your database login information so you need to take good care of it. Move your wp-config.php file to a secret location that is not easily accessible.
10. Use the Sucuri Plugin
There is a free plugin available called the “Sucuri Scanner” and we recommend that you install this on each of your WordPress installations. This plugin will check for failed logins, file integrity, malware and much more.
11. Have a Backup Solution
You just never know when something can go wrong no matter how secure your WordPress website is. There are a number of different backup plugins available which will enable you to make a full backup of your WordPress installation (don’t use your hosting for this).
12. Disable any File Editing
By default, a WordPress installation will allow you to edit theme files and plugin files using a built-in editor. This can be very dangerous in the wrong hands and really make a mess of your website. You can add a line of code to your wp-config.php file to disable this feature.
13. Prevent PHP File Execution in Specific Directories
There is no need for all of your WordPress directories to be able to execute PHP files. You need to add some simple code to the .htaccess files in the directories where you want to prevent PHP file execution. This is another good way to make your WordPress installation more secure.
14. Disable Directory Browsing
If a hacker is able to browse your WordPress directories, then they will be able to identify any files that are vulnerable to security attacks. You can turn off directory browsing and we strongly recommend that you do so. It just requires a simple change to your .htaccess file.
15. Disable XML-RPC
If you have XML-RPC enabled then you will make it easier for hackers to use brute force attacks. Unless you have a specific use for XML-RPC then we strongly recommend that you disable it. The most effective way to do this is by modifying your .htaccess file.
16. Use an FTP Client to change File Permissions
Before you do this, it is a good idea to check with your hosting provider to ensure that this will not affect your ability to operate WordPress. You can use an FTP client such as Core FTP to change the file permissions so that you prevent other users on the same server from reading your files.
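Items 9 and 12 to 16 above are all one-line or few-line changes to wp-config.php, to .htaccess files and to file permissions, and they are easiest to apply and check together. The script below is an added example, not code from this article or from PlusPlus Hosting: a POSIX shell helper that applies those changes to a WordPress directory and an audit function that reports which of them is missing. It assumes Apache 2.4 syntax (Require all denied), that .htaccess overrides are enabled for the document root, that the script runs as the account that owns the site, and that the 755/644/640 permissions suit your host (the article's advice to ask the host first still applies). The function names and the "# wp-hardening" marker are choices made for the example.

```shell
#!/bin/sh
# Added example, not code from the PlusPlus Hosting article: POSIX shell helpers
# that apply the changes from items 9 and 12-16 to a WordPress install and audit
# that they are in place. Assumptions: Apache 2.4 ("Require all denied"), .htaccess
# overrides enabled, GNU or BSD stat, and that the script runs as the site owner.

# ensure_block <file> <marker>: append the block on stdin unless <marker> is
# already in <file>, so repeated runs do not duplicate rules.
ensure_block() {
  if [ -f "$1" ] && grep -qF "$2" "$1"; then cat >/dev/null; return 0; fi
  cat >>"$1"
}

# mode_of <path>: octal permission bits (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# harden_wp <wordpress_root>
harden_wp() {
  wp_root="$1"
  cfg="$wp_root/wp-config.php"

  # Item 12: disable the built-in theme/plugin editor. The constant must be
  # defined before wp-settings.php is loaded, so insert it just above that line.
  if ! grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    awk -v line="define('DISALLOW_FILE_EDIT', true);" \
      '/wp-settings\.php/ && !done { print line; done = 1 } { print }' "$cfg" >"$cfg.tmp" \
      && cat "$cfg.tmp" >"$cfg" && rm -f "$cfg.tmp"   # keeps owner and mode of the original
  fi

  # Items 14, 15 and 9: no directory listings, no requests to xmlrpc.php, and
  # no web access to wp-config.php even while it still sits in the document root.
  ensure_block "$wp_root/.htaccess" "# wp-hardening" <<'EOF'
# wp-hardening
Options -Indexes
<Files "xmlrpc.php">
  Require all denied
</Files>
<Files "wp-config.php">
  Require all denied
</Files>
EOF

  # Item 13: uploads hold media only; refuse to serve any PHP placed there.
  mkdir -p "$wp_root/wp-content/uploads"
  ensure_block "$wp_root/wp-content/uploads/.htaccess" "# wp-hardening" <<'EOF'
# wp-hardening
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF

  # Items 9 and 16: directories 755, files 644, wp-config.php 640 so other
  # accounts on a shared server cannot read the database credentials.
  find "$wp_root" -type d -exec chmod 755 {} +
  find "$wp_root" -type f -exec chmod 644 {} +
  chmod 640 "$cfg"
}

# audit_wp <wordpress_root>: print each missing control, return 1 if any is missing.
audit_wp() {
  a_root="$1"; a_rc=0
  grep -q "DISALLOW_FILE_EDIT" "$a_root/wp-config.php" 2>/dev/null || { echo "missing: DISALLOW_FILE_EDIT"; a_rc=1; }
  grep -q "^Options -Indexes" "$a_root/.htaccess" 2>/dev/null || { echo "missing: Options -Indexes"; a_rc=1; }
  grep -q "xmlrpc.php" "$a_root/.htaccess" 2>/dev/null || { echo "missing: xmlrpc.php deny"; a_rc=1; }
  grep -q "FilesMatch" "$a_root/wp-content/uploads/.htaccess" 2>/dev/null || { echo "missing: uploads PHP block"; a_rc=1; }
  [ "$(mode_of "$a_root/wp-config.php" 2>/dev/null)" = "640" ] || { echo "wp-config.php mode is not 640"; a_rc=1; }
  return $a_rc
}

# Usage on a real site (after a backup, see item 11):
#   harden_wp /var/www/example.com/public_html && audit_wp /var/www/example.com/public_html
```

After hardening, confirm the rules really take effect by requesting /xmlrpc.php and /wp-content/uploads/ in a browser and expecting 403 responses; a 200 on either means the host has .htaccess overrides disabled and the same rules belong in the virtual host configuration instead. The audit function is also suitable for a cron job, since a plugin or theme update can rewrite .htaccess and silently drop the rules.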
17. Change the name of your WordPress Database
When you install WordPress, it is likely that your database associated with it will have a name similar to your site. Let’s say that your site is called “Crypto Tricks” then your database could be called wp_cryptotricks. This is easy for a hacker to guess. Use a different name for your WordPress database.
18. Secure Connections
Your host should allow SFTP or SSH connections. These are a lot more secure than a standard FTP connection. Set your FTP client to use SFTP at all times to ensure that you protect your data.
19. Change your WordPress login URL
You may be unaware that you can change the login URL for your WordPress site. A default installation can be logged in to at either wp-login.php or wp-admin. Hackers know that these options are available. Use a plugin to change your WP login URL.
20. Hide your WordPress Version Number
With a conventional WordPress installation, it is very easy for anyone to find the version you are using. A hacker can customize an attack on your WordPress site if they know what version it is. Most of the security plugins available will allow you to hide your WordPress version.
21. Change your Password often
Not only should you change your WordPress password often, you should also make it more difficult to crack each time. If you have a complex phrase in mind then this can be more secure than a password that has lots of special characters etc. And you will remember a complex phrase a lot more easily.